Scripting RODC Account Creation with Windows PowerShell

Applies To: Windows Server 2008

This topic provides an example of how you can automate RODC account creation by using Windows PowerShell™ commands. Windows PowerShell is available as a free download. For more information about downloading and installing Windows PowerShell, see How to Get Windows PowerShell 1.0 (https://go.microsoft.com/fwlink/?LinkId=123796). For more information about how to use Windows PowerShell, see Scripting with Windows PowerShell (https://go.microsoft.com/fwlink/?LinkID=110413).

Create a comma-separated-value (CSV) file. You can use Microsoft Excel to create a CSV file. For example, create the following file and save it as test.csv. You can use this file to create three read-only domain controller (RODC) accounts. Each RODC account specifies a delegated RODC administration account, a designated replication partner to use during the installation, and a site name. Note that the example file uses a semicolon (;) rather than a comma as the field delimiter, which is why the command that follows passes -Delimiter ';' to Import-Csv.

domainFQDN;RODCName;DelegatedAdmin;ReplicationPartner;SiteName
corp.contoso.com;RODC1;corp\RODC1AdminGroup;DC1.corp.contoso.com;Branch1
corp.contoso.com;RODC2;corp\RODC2AdminGroup;DC2.corp.contoso.com;Branch2
corp.contoso.com;RODC3;corp\RODC3AdminGroup;DC3.corp.contoso.com;Branch3

In a Windows PowerShell command window, run the following command to create the three RODC accounts:

Import-Csv test.csv -Delimiter ';' | ForEach-Object -Process {
    $domainFQDN = $_.domainFQDN
    $RODCName = $_.RODCName
    $delegatedAdmin = $_.DelegatedAdmin
    $ReplicationPartner = $_.ReplicationPartner
    $SiteName = $_.SiteName
    Dcpromo /unattend /createDCaccount /ReplicaDomainDNSName:$domainFQDN /DCAccountName:$RODCName /InstallDNS:Yes /ConfirmGC:Yes /DelegatedAdmin:$delegatedAdmin /ReplicationSourceDC:$ReplicationPartner /SiteName:$SiteName
}

You can customize the commands to do additional tasks, such as create site links, configure site link properties, and so on. For example, you can specify the Password Replication Policy (PRP) so that the delegated RODC administrator account is cacheable:

/PasswordReplicationAllowed {TO DO} /PasswordReplicationDenied {TO DO}
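The following script is an added example and is not part of this topic. It does the same work as the one-line command above, but it validates each CSV row before it calls Dcpromo (required columns present, replication partner resolvable in DNS, delegated administrator resolvable to a security identifier) and, when the -AddAdminToPrp switch is given, also passes the delegated administrator to /PasswordReplicationAllowed so that the account becomes cacheable on that RODC. The parameter names, the -DryRun switch and the validation steps are this example's own choices; the Dcpromo switches are the ones shown in this topic, and it is assumed that /PasswordReplicationAllowed accepts the same domain\name form of the security principal that the CSV already uses for DelegatedAdmin.

```powershell
# Added example: validate each row of the RODC CSV file, then build and run
# the Dcpromo /createDCaccount command for it. Column names match test.csv.
param(
    [string]$CsvPath = 'test.csv',
    [switch]$AddAdminToPrp,   # also add DelegatedAdmin to the allowed PRP list
    [switch]$DryRun           # print each Dcpromo command instead of running it
)

$required = 'domainFQDN', 'RODCName', 'DelegatedAdmin', 'ReplicationPartner', 'SiteName'
$rows = Import-Csv -Path $CsvPath -Delimiter ';'

foreach ($row in $rows) {
    # 1. Every required column must be present and non-empty.
    $missing = $required | Where-Object { -not $row.$_ }
    if ($missing) {
        Write-Warning ("Skipping row '{0}': empty column(s) {1}" -f $row.RODCName, ($missing -join ', '))
        continue
    }

    # 2. The replication partner must resolve in DNS before Dcpromo is pointed at it.
    try {
        [System.Net.Dns]::GetHostEntry($row.ReplicationPartner) | Out-Null
    } catch {
        Write-Warning ("Skipping {0}: replication partner {1} does not resolve in DNS" -f $row.RODCName, $row.ReplicationPartner)
        continue
    }

    # 3. The delegated administrator (domain\name) must be an existing security principal.
    try {
        $account = New-Object System.Security.Principal.NTAccount($row.DelegatedAdmin)
        $account.Translate([System.Security.Principal.SecurityIdentifier]) | Out-Null
    } catch {
        Write-Warning ("Skipping {0}: delegated admin {1} could not be resolved" -f $row.RODCName, $row.DelegatedAdmin)
        continue
    }

    # 4. Build the Dcpromo argument list from the validated row.
    $dcpromoArgs = @(
        '/unattend',
        '/createDCaccount',
        "/ReplicaDomainDNSName:$($row.domainFQDN)",
        "/DCAccountName:$($row.RODCName)",
        '/InstallDNS:Yes',
        '/ConfirmGC:Yes',
        "/DelegatedAdmin:$($row.DelegatedAdmin)",
        "/ReplicationSourceDC:$($row.ReplicationPartner)",
        "/SiteName:$($row.SiteName)"
    )
    if ($AddAdminToPrp) {
        # Assumption: the switch takes the same domain\name form used for DelegatedAdmin.
        $dcpromoArgs += "/PasswordReplicationAllowed:$($row.DelegatedAdmin)"
    }

    if ($DryRun) {
        Write-Host ('dcpromo ' + ($dcpromoArgs -join ' '))
    } else {
        & dcpromo.exe @dcpromoArgs
        Write-Host ("{0}: dcpromo exit code {1}" -f $row.RODCName, $LASTEXITCODE)
    }
}
```

Run it once with -DryRun to review the exact commands before any account is created, for example `.\New-RodcAccounts.ps1 -CsvPath test.csv -AddAdminToPrp -DryRun` (the script file name is this example's own). Allowing the delegated administrator's password to be cached on the RODC means that credential is exposed if the RODC itself is compromised, so keep that account limited to the branch it manages and leave privileged groups such as Domain Admins in the denied list, where the default Denied RODC Password Replication Group already places them.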