Deploy Your First Active Directory Forest and Domain

  • 6/29/2015
In this chapter from Deploying and Managing Active Directory with Windows PowerShell: Tools for cloud-based and hybrid environments, Charlie Russel covers how to create a new Active Directory Domain Services (AD DS) forest where one has never existed before. This is, in some ways, the easiest task you're likely to face, but it's also one where getting it right is really important. The decisions you make here will affect the entire organization for the life of this deployment.

Active Directory Windows PowerShell nouns used in this chapter:

  • ADDSDomainController
  • ADDSForestInstallation
  • ADDSForest
  • ADRootDSE
  • ADObject

Other Windows PowerShell commands used in this chapter:

  • Get-NetAdapter
  • Get-Member
  • Set-NetIPAddress
  • New-NetIPAddress
  • Set-DnsClientServerAddress
  • Get-NetIPAddress
  • Rename-Computer
  • Install-WindowsFeature
  • Get-Command
  • Format-Table
  • Update-Help
  • ConvertTo-SecureString

Before you start

This section sets some expectations. And yes, much of this has been covered in the introduction of the book, but in my experience most people don’t read that. So I’ll take a bit of liberty and do it again.

This book assumes that you know the basics of both Active Directory and Windows PowerShell. I won’t attempt to teach you how to use either. But, that being said, I hope and expect you’ll learn something about both of them.

This book is being written against Windows Server Technical Preview, Build 9841. This includes Windows PowerShell 5.0, but no changes to Active Directory Domain Services (AD DS) beyond those in Windows Server 2012 R2 that affect the examples in the book. If I use a feature beyond that built into Windows 8.1 and Windows Server 2012 R2, I’ll call it out explicitly. Most examples will work with Windows Server 2008 R2 and Windows Server 2012.

By its nature, this book includes a lot of code. Most is fairly basic—one or two lines of code, because most actions you need to do in AD DS are ones that lend themselves to a few commands in Windows PowerShell. Where the task requires a bit more, I give you a full script, complete with built-in comment-based help, as shown later in the Get-myADVersion script. Other scripts are a bit more casual and might not include full comment-based help. These scripts tend to be the kind of simple, one-off scripts that all Windows PowerShell users create to simplify their work. I don’t include full and complex error-handling routines as part of the scripts—not that I don’t think they’re useful, but when performing actions against Active Directory, I really would prefer to have errors be errors and have the script fail, rather than hide any of that or try to recover and continue.