  1. # Prepare RODC with prepopulated passwords for DSInternals testing
  2. # Powered by Evgeniy Berendyaev
  3.  
  4. # Assume that we have a virtual machine Windows Server 2012 or higher installed
  5.  
  6. Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
  7.  
  8. # Constants:
  9. $DC1IPAddress = '10.0.0.10'
  10. $RODC1IPAddress = '10.0.0.15'
  11. $DC1Gateway = '10.0.0.1'
  12. $DC1Name = 'LAB-DC1'
  13. $RODC1Name = 'LAB-RODC1'
  14. $PwdString = 'Blabla123'
  15. $ForestName = 'LAB.LOCAL'
  16. $DomainName = 'LAB'
  17.  
  18. # Change IP and server name:
  19.  
  20. $NetAdapterIndex = (Get-NetAdapter).ifIndex
  21. New-NetIPAddress -InterfaceIndex $NetAdapterIndex -IPAddress $DC1IPAddress -PrefixLength 24 -DefaultGateway $DC1Gateway
  22. $ComputerInfo = Get-WmiObject -Class Win32_ComputerSystem
  23. $ComputerInfo.Rename($DC1Name)
  24. Restart-Computer
  25.  
  26. # Promote DC:
  27.  
  28. $Pwd = ConvertTo-SecureString $PwdString -AsPlainText -Force
  29. # I have Windows 2016 so I've specified WinThreshold domain level
  30. Install-ADDSForest -DomainName $ForestName -SafeModeAdministratorPassword $Pwd -DomainMode WinThreshold -InstallDns -NoRebootOnCompletion -Confirm:$false
  31. Restart-Computer
  32.  
  33. # Create some users:
  34.  
  35. $i = 0;
  36. $acctPwd = ConvertTo-SecureString $PwdString -AsPlainText -Force
  37. for($i = 0; $i -lt 10; $i++)
  38. {
  39.     New-ADUser -Name "test$i" -AccountPassword $acctPwd -Enabled $true
  40. }
  41.  
  42. # Clone the DC
  43.  
  44. $dc = Get-ADComputer $DC1Name
  45. Add-ADGroupMember  "Cloneable Domain Controllers" $dc.SamAccountName
  46. Get-ADDCCloningExcludedApplicationList -GenerateXml
  47. New-ADDCCloneConfigFile -CloneComputerName $RODC1Name -IPv4Address $RODC1IPAddress -IPv4SubnetMask 255.255.255.0 -IPv4DefaultGateway $DC1Gateway  -IPv4DNSResolver $DC1IPAddress  –Static
  48.  
  49. # From GUI: export the VM, import it again with the new identificator and run.
  50.  
  51. # Uninstall DC, then install a RODC
  52.  
  53. $Pwd = ConvertTo-SecureString $PwdString -AsPlainText -Force
  54. Uninstall-ADDSDomainController -LocalAdministratorPassword $Pwd -Confirm:$False
  55. Remove-WindowsFeature DNS
  56. Restart-Computer
  57.  
  58. $Pwd = ConvertTo-SecureString $PwdString -AsPlainText -Force
  59. Install-ADDSDomainController -DomainName $DomainName  -SiteName Default-First-Site-Name -SafeModeAdministratorPassword $Pwd -InstallDns -ReplicationSourceDC $DC1Name$ForestName -ReadOnlyReplica -Confirm:$False
  60.  
  61. # Edit password replication policy (add test* users to allowed list)
  62.  
  63. $users = Get-ADUser -Filter {SamAccountName -like 'test*'}
  64. Add-ADDomainControllerPasswordReplicationPolicy -Identity $RODC1Name -AllowedList $users -Confirm:$false
  65.  
  66. # Force replicate passwords
  67.  
  68. foreach ($user in $users)
  69. {
  70.     repadmin /rodcpwdrepl $RODC1Name $DC1Name $user
  71. }