The DCPROMO (Domain Controller Promoter) console utility is used on Windows Server to install the Active Directory Domain Services (ADDS) role, promoting a member server to the AD domain controller or demoting it.
dcpromo /unattend[:filename] /adv /uninstallBinaries /CreateDCAccount /UseExistingAccount:Attach [:{Promotion | CreateDcAccount | UseExistingAccount | Demotion}] /?:Promotion, /?:CreateDCAccount, /?:UseExistingAccount, and /?:Demotion
Dcpromo Command Line Arguments:
| /unattend[:filename] | Used to specify the unattended AD installation mode and path to the script file. |
| /adv | Enables advanced user options. |
| /uninstallBinaries | Used to uninstall Active Directory Domain Services binaries from current server. |
| /CreateDCAccount | Creates an RODC (Read-only Domain Controller) account. |
| /UseExistingAccount:Attach | Attaches the current server to the RODC account. |
| /forceRemoval | Uninstalls Active Directory Services on this domain controller. The account for the domain controller will not be deleted in the directory, and any changes made to this domain controller since it last replicated with a partner will be lost. |
| [:{Promotion | CreateDcAccount | UseExistingAccount | Demotion}] /?:Promotion, /?:CreateDCAccount, /?:UseExistingAccount, and /?:Demotion | Displays the unattended parameters applicable to the specified task. /CreateDCAccount and /UseExistingAccount:Attach are mutually exclusive. |
Unattended Promotion Domain Controller Using DCpromo Answer File
You can use the dcpromo tool for unattended installation of the first DC on the non-domain joined Windows Server. Create a new text file c:\dcpromo_unattend.txt with the following text.
[DCInstall] ReplicaOrNewDomain=Domain NewDomain=Forest NewDomainDNSName=theitbros.com ForestLevel=3 DomainNetbiosName= theitbros DomainLevel=3 InstallDNS=Yes ConfirmGc=Yes CreateDNSDelegation=No DatabasePath="C:\Windows\NTDS" LogPath="C:\Windows\NTDS" SYSVOLPath="C:\Windows\SYSVOL" SafeModeAdminPassword=Pa##w0rd11s RebootOnCompletion=Yes
ForestLevel and DomainLevel allow to set the functional levels of the AD domain and forest:
- 2 = Windows Server 2003,
- 3 = WS 2008,
- 4 = WS 2008R2,
- 5 = WS 2012,
- 6 = WS 2012R2,
- 7 = WS 2016
Open the elevated command prompt and run the following command to promote current server to the first domain controller in a new domain forest theitbros.com.
dcpromo.exe /unattend:C:\dcpromo_unattend.txt
After the script finishes, you will get a fully functional domain controller with the ADDS role installed.
Use the following response file (dcpromo_unattend.txt), to install an additional domain controller in an existing Active Directory forest:
[DCInstall] SiteName=Default-First-Site-Name ReplicaOrNewDomain=replica ReplicaDomainDNSName=theitbros.com DatabasePath="C:\Windows\NTDS" LogPath="C:\Windows\NTDS" SYSVOLPath="C:\Windows\SYSVOL" InstallDNS=Yes ConfirmGC=Yes SafeModeAdminPassword=DSRM local administrator password RebootOnCompletion=yes UserName=adm_bjackson UserDomain=theitbros.com Password=user_password ReplicaOrNewDomain=Domain NewDomain=Forest NewDomainDNSName=theitbros.com ForestLevel=3 DomainNetbiosName= theitbros DomainLevel=3 CreateDNSDelegation=No
In order to deploy a RODC, add the following options to the dcpromo_unattend.txt:
- PasswordReplicationDenied = specify a list of users, groups and computer accounts whose passwords won’t be replicated to this read-only DC.
- PasswordReplicationAllowed = list of objects whose passwords are allowed to replicate to this RODC.
- DelegatedAdmin = User account that will be used for the administration of the RODC.
Demoting a Domain Controller with DCPromo
With the dcpromo /forceremoval command, you can demote the domain controller to the member server. If one of the FSMO roles is found on the domain controller, you will be asked to transfer FSMO roles to another DC first. If this server is a Global catalog, a warning will also appeared.
You can use an answer file for unattended removal of the Active Directory Domain Services role. Create the dcpromo_unattend_removal.txt file:
[DCINSTALL] UserName= adm_bjackson UserDomain= theitbros.com Password= adm_bjackson_password AdministratorPassword=set the password for the local administrator account on Windows Server RemoveApplicationPartitions=yes RemoveDNSDelegation=yes RebootOnCompletion=yes
Then apply this unattended file on the DC as follows:
dcpromo /answer:dcpromo_unattend_removal.txt
How to Promote AD Domain Controller with PowerShell?
Dcpromo was used to promote member servers to the domain controllers in Windows Server 2000, 2003, 2008, 2008 R2, but the Dcpromo command is deprecated in Windows Server 2012 and later.
When you try to run the dcpromo command on Windows Server 2012 R2, a warning will appear:
The Active Directory Domain Services Installation Wizard is relocated in Server Manager.
Thus, in Windows Server 2012 R2, 2016 and 2019, you can promote the Windows Server to the domain controller using the Server Manager or ADDSDeployment PowerShell module (which actually runs in the wizard “Promote this server to a domain controller” during installing the ADDS role when you specify the settings for the new DC.
In order to deploy an additional domain controller in the THEITBROS.COM domain using the ADDSDeployment module, you can use the following PowerShell script:
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools Import-Module ADDSDeployment Install-ADDSDomainController ` -NoGlobalCatalog:$false ` -CreateDnsDelegation:$false ` -CriticalReplicationOnly:$false ` -DatabasePath “C:\Windows\NTDS” ` -DomainName “theitbros.com” ` -InstallDns:$true ` -LogPath “C:\Windows\NTDS” ` -NoRebootOnCompletion:$false ` -SiteName “Default-First-Site-Name” ` -SysvolPath “C:\Windows\SYSVOL” ` -Force:$true
However, the syntax of the dcpromo answer file format has not changed since Windows Server 2003, and you can still use this tool for unattended domain controller promotion on the latest versions of Windows Server 2022/2019/2016/2012R. You can also use the dcpromo /unattend command in various scripts to automatically deploy and configure a new DC on Windows Server Core (it doesn’t contain a GUI). In most cases, all Domain Controllers in the enterprise are configured identically, so you can reuse an answer file for multiple promotions.
