A domain controller can be installed with a pre created unattended answer file. This is also useful for installing an Active Directory domain controller on Server Core editions of Windows Server 2008.

In this example a read only domain controller will be deployed using the unattend file below.
1. Create an unattend file.

; DCPROMO unattend file (automatically generated by dcpromo)
; Usage:
;   dcpromo.exe /unattend:C:\Users\Administrator\Documents\lon-dc2-rodc.txt
; You may need to fill in password fields prior to using the unattend file.
; If you leave the values for "Password" and/or "DNSDelegationPassword"
; as "*", then you will be asked for credentials at runtime.
; Read-Only Replica DC promotion
; RODC Password Replication Policy
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="CONTOSO\Denied RODC Password Replication Group"
PasswordReplicationAllowed="CONTOSO\Allowed RODC Password Replication Group"
DelegatedAdmin="CONTOSO\RODC Administrators"
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
; Run-time flags (optional)
; CriticalReplicationOnly=Yes

2. Run DCPROMO with the unattend file.
dcpromo /unattend:c:\lon-dc2-rodc.txt


3. Check the output as DCPROMO runs.

Checking if Active Directory Domain Services binaries are installed...
Active Directory Domain Services Setup

Validating environment and parameters...

The following actions will be performed:
Configure this server as an additional Active Directory domain controller for th
e domain contoso.com.

Site: Default-First-Site-Name

Additional Options:
Read-only domain controller: Yes
Global catalog: Yes
DNS Server: Yes

Update DNS Delegation: No

Source DC: lon-dc1.contoso.com

Password Replication Policy:
Allow: CONTOSO\Allowed RODC Password Replication Group
Deny:  BUILTIN\Administrators
Deny:  BUILTIN\Server Operators
Deny:  BUILTIN\Backup Operators
Deny:  BUILTIN\Account Operators
Deny:  CONTOSO\Denied RODC Password Replication Group

Delegation for RODC Installation and Administration:
CONTOSO\RODC Administrators

Database folder: C:\Windows\NTDS
Log file folder: C:\Windows\NTDS
SYSVOL folder: C:\Windows\SYSVOL

The DNS Server service will be configured on this computer.
This computer will be configured to use this DNS server as its preferred DNS ser


Checking if Group Policy Management Console needs to be installed...

Press CTRL-C to: Cancel
Stopping service NETLOGON

Copying initial Directory Service database file C:\Windows\system32\ntds.dit to

Installing the Directory Service

Configuring the local computer to host Active Directory Domain Services
Replicating the schema directory partition
Replicating CN=Schema,CN=Configuration,DC=contoso,DC=com: received 401 out of ap
proximately 1578 objects

Replicating CN=Schema,CN=Configuration,DC=contoso,DC=com: received 801 out of ap
proximately 1578 objects
Replicating CN=Schema,CN=Configuration,DC=contoso,DC=com: received 1201 out of a
pproximately 1578 objects
Replicated the schema container.

Replicating the configuration directory partition
Replicating CN=Configuration,DC=contoso,DC=com: received 400 out of approximatel
y 3193 objects

Replicating CN=Configuration,DC=contoso,DC=com: received 801 out of approximatel
y 3193 objects
Replicating CN=Configuration,DC=contoso,DC=com: received 1202 out of approximate
ly 3193 objects

Replicating critical domain information...
Replicating secrets for Read-only Domain Controller.
Configuring service IsmServ

Setting the computer's DNS computer name root to contoso.com

Setting security on the domain controller and Directory Service files and regist
ry keys

Securing S-1-5-11

Securing machine\software\microsoft\windows
Securing machine\system\currentcontrolset\services

Securing c:\windows\system32\spool
Securing SamSs

Securing Kerberos Policy
Replicating data DC=contoso,DC=com: Received 3845 out of approximately 3845 obje
cts and 52 out of approximately 52 distinguished name (DN) values...

Press CTRL-C to: Finish Replication Later
The attempted domain controller operation has completed

Configuring the DNS Server service on this computer...
Active Directory Domain Services is now installed on this computer for the domai
n contoso.com.

This Active Directory domain controller is assigned to the site Default-First-Si
te-Name. You can manage sites with the Active Directory Sites and Services admin
istrative tool.

Windows Server 2008 domain controllers have a new more secure default for the se
curity setting named "Allow cryptography algorithms compatible with Windows NT 4
.0." This setting prevents Microsoft Windows and non-Microsoft SMB "clients" fro
m using weaker NT 4.0 style cryptography algorithms when establishing security c
hannel sessions against Windows Server 2008 domain controllers. As a result of t
his new default, operations or applications that require a security channel serv
iced by Windows Server 2008 domain controllers might fail.

Platforms impacted by this change include Windows NT 4.0, as well as non-Microso
ft SMB "clients" and network-attached storage (NAS) devices that do not support
stronger cryptography algorithms. Some operations on clients running versions of
Windows earlier than Vista with Service Pack 1 are also impacted, including dom
ain join operations performed by the Active Directory Migration Tool or Windows
Deployment Services.

For more information about this setting, see Knowledge Base article 942564 (http

You must restart this computer to complete the operation.


4. Restart the server to complete installation.

shutdown -r -t 0




Share this blog post on social media:

Social Links


All advice, installation/configuration how to guides, troubleshooting and other information on this website are provided as-is with no warranty or guarantee. Whilst the information provided is correct to the best of my knowledge, I am not reponsible for any issues that may arise using this information, and you do so at your own risk. As always before performing anything; check, double check, test and always ensure you have a backup.

Copyright ©2008-2021 Andy Barnes - Please do not copy any content including images without prior consent!

Designed and Hosted by Andy Barnes

We use cookies

We use cookies on our website. Some of them are essential for the operation of the site, while others help us to improve this site and the user experience (tracking cookies). You can decide for yourself whether you want to allow cookies or not. Please note that if you reject them, you may not be able to use all the functionalities of the site.