Installs and removes Active Directory Domain Services (AD DS).

For examples of how to use dcpromo, see Examples.

Syntax

dcpromo [/answer[:<filename>] | /unattend[:<filename>] | /unattend | /adv] [/UninstallBinaries] [/CreateDCAccount | /UseExistingAccount:Attach] [/? | /?:{Promotion | CreateDCAccount | UseExistingAccount | Demotion}]

Dcpromo.exe parameters

Parameter Description

/answer[:<filename>]

Specifies an answer file that contains installation parameters and values.

/unattend[:<filename>]

Specifies an answer file that contains installation parameters and values. This command provides the same function as /answer[:<filename>].

/unattend

Specifies an unattended installation in which you provide installation parameters and values at the command line.

/adv

Performs an install from media (IFM) operation.

/UninstallBinaries

Uninstalls AD DS binaries.

/CreateDCAccount

Creates a read-only domain controller (RODC) account. Only a member of the Domain Admins group or the Enterprise Admins group can run this command.

/UseExistingAccount:Attach

Attaches a server to an existing RODC account. A member of the Domain Admins group or a delegated user can run this command.

/?

Displays Help for Dcpromo parameters.

/?[:{Promotion | CreateDCAccount | UseExistingAccount | Demotion}]

Displays parameters that apply to the dcpromo operation. For example, dcpromo /?:Promotion displays all of the parameters that you can use for a promotion operation.

dcpromo Promotion operation parameters

The following table shows the parameters that you can specify at a command prompt as part of an unattended installation of a domain controller that runs Windows Server 2008.

Parameter:value Description and default

AllowDomainControllerReinstall:{Yes | <No> | NoAndNoPromptEither}

Specifies whether to continue installing this domain controller, despite the fact that another domain controller account with the same name is detected.

Use Yes only if you are sure that the account is not currently used by another domain controller.

The default is No.

AllowDomainReinstall:{Yes | <No> | NoAndNoPromptEither}

Specifies whether an existing domain is recreated.

The default is No.

ApplicationPartitionsToReplicate:""

Specifies the application directory partitions that dcpromo will replicate. Use the following format:

"partition1" "partition2" "partitionN"

Use * to replicate all application directory partitions.

AutoConfigDNS:{Yes | No}

This parameter has been renamed to InstallDNS.

Specifies whether the DNS Server service should be installed. The default is automatically computed based on the environment.

ChildName:"child_domain_name"

Specifies the single-label Domain Name System (DNS) name of the child domain.

ConfirmGc:{Yes | No}

Specifies whether you want the domain controller to be a global catalog server.

CreateDNSDelegation:{Yes | No}

Indicates whether to create a DNS delegation that references the new DNS server that you are installing along with the domain controller. Valid for Active Directory–integrated DNS only.

The default is computed automatically based on the environment.

CriticalReplicationOnly:{Yes | <No>}

Specifies whether the AD DS installation operation performs only critical replication before reboot and then continues, skipping the noncritical (and potentially lengthy) portion of replication. The noncritical replication happens after the installation finishes and the computer reboots.

The default is No.

DatabasePath:"path_to_database_files"

Specifies the fully qualified, non–Universal Naming Convention (UNC) path to a directory on a fixed disk of the local computer that contains the domain database, for example, C:\Windows\NTDS.

The default is %SYSTEMROOT%\NTDS.

DelegatedAdmin:"name of user or group"

Specifies the name of the user or group that will install and administer the RODC.

DNSDelegationPassword:"password"

Specifies the password for the user name (account credentials) for creating DNS delegation.

DNSDelegationUserName:"user_name"

Specifies the user name (account credentials) for creating DNS delegation.

DNSOnNetwork:{<Yes> | No}

Specifies whether DNS service is available on the network. This parameter is used only when the IP setting of the network adapter for this computer is not configured with the name of a DNS server for name resolution. No indicates that a DNS server will be installed on this computer for name resolution. Otherwise, the IP settings of the network adapter must be configured with a DNS server name first.

The default is Yes.

DomainLevel:{0 | 2 | 3}

Specifies the domain functional level during the creation of a new domain. A value of 0 specifies Windows 2000. A value of 2 specifies Windows Server 2003. A value of 3 specifies Windows Server 2008.

The domain functional level cannot be lower than the forest functional level.

The default is automatically computed and set to the existing forest functional level or the value that is set for /ForestLevel.

DomainNetBiosName:"domain_NetBIOS_name"

Assigns a NetBIOS name to the new domain.

ForestLevel:{<0> | 2 | 3}

Specifies the forest functional level when you create a new forest. A value of 0 specifies Windows 2000. A value of 2 specifies Windows Server 2003. A value of 3 specifies Windows Server 2008.

The default forest functional level when you create a new forest is Windows 2000 (0).

Do not use this parameter when you install a domain controller in an existing forest.

InstallDNS:{Yes | No}

Specifies whether the DNS Server service should be installed. The default is automatically computed based on the environment. This parameter replaces AutoConfigDNS.

LogPath:"path_to_log_files"

Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain log files, for example, C:\Windows\Logs.

The default is %SYSTEMROOT%\NTDS.

NewDomain:{Tree | Child | <Forest>}

Indicates the type of domain that you want to create: a new domain tree in an existing forest, a child of an existing domain, or a new forest.

The default is new forest.

NewDomainDNSName:"DNS_name_of_domain"

Specifies the fully qualified domain name (FQDN) for the new domain.

ParentDomainDNSName:"DNS_name_of_domain"

Specifies the FQDN of an existing parent domain. You use this parameter when you install a child domain.

Password:"password"

Specifies the password that corresponds to the user name (account credentials) that is used to install the domain controller. Use this parameter in conjunction with the UserName parameter.

Use * to prompt the user to supply a password.

PasswordReplicationAllowed:{"security_principal" | None}

Specifies the names of user accounts, group accounts, and computer accounts whose passwords can be replicated to this RODC. Use None if you want to keep the value empty. By default, only the Allowed RODC Password Replication Group is allowed, and it is originally created empty.

PasswordReplicationDenied:{"security_principal" | None}

Specifies the names of user accounts, group accounts, and computer accounts whose passwords are not to be replicated to this RODC. Use None if you do not want to deny the replication of credentials of any users or computers. By default, Administrators, Server Operators, Backup Operators, Account Operators, and the Denied RODC Password Replication Group are denied. By default, the Denied RODC Password Replication Group includes Cert Publishers, Domain Admins, Enterprise Admins, Enterprise Domain Controllers, Enterprise Read-Only Domain Controllers, Group Policy Creator Owners, the krbtgt account, and Schema Admins.

RebootOnCompletion:{<Yes> | No}

Specifies whether to restart the computer upon completion of the command, regardless of success.

The default is Yes.

RebootOnSuccess:{<Yes> | No | NoAndNoPromptEither}

Specifies whether to restart the computer upon successful completion of the command.

The default is Yes.

ReplicaDomainDNSName:"DNS_name_of_domain"

Specifies the FQDN of the domain in which you want to install an additional domain controller.

ReplicaOrNewDomain:{<Replica> | ReadOnlyReplica | Domain}

Specifies whether to install an additional domain controller (a writable domain controller or an RODC) or to create a new domain.

The default is to install an additional writable domain controller.

ReplicationSourceDC:"DNS_name_of_DC"

Indicates the FQDN of the partner domain controller from which you replicate the domain information.

ReplicationSourcePath:"replication_source_path"

Indicates the location of the installation media that will be used to install a new domain controller.

SafeModeAdminPassword:"password"

Supplies the password for the administrator account when the computer is started in Safe Mode or a variant of Safe Mode, such as Directory Services Restore Mode.

The default is an empty password. You must supply a password.

SiteName:"site_name"

Specifies the name of an existing site where you can place the new domain controller.

The default value depends on the type of installation. For a new forest, the default is Default-First-Site-Name. For all other installations, the default is the site that is associated with the subnet that includes the IP address of this server. If no such site exists, the default is the site of the replication source domain controller.

SkipAutoConfigDns

Skips automatic configuration of DNS client settings, forwarders, and root hints. This parameter is in effect only if the DNS Server service is already installed.

Syskey:{<none> | system key}

Specifies the system key for the media from which you replicate the data.

The default is none.

SysVolPath:"path_to_sysvol_directory"

Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer, for example, C:\Windows\SYSVOL.

The default is %SYSTEMROOT%\SYSVOL.

TransferIMRoleIfNecessary:{Yes | <No>}

Specifies whether to transfer the infrastructure master operations master role (one of the flexible single master operations, or FSMO, roles) to the domain controller that you are creating, if that role is currently hosted on a global catalog server and you do not plan to make the new domain controller a global catalog server. Use Yes to transfer the infrastructure master role to the new domain controller when such a transfer is needed; in this case, make sure to use /ConfirmGC:No. Use No if you want the infrastructure master role to remain where it currently is.

The default is No.

UserDomain:"domain_name"

Specifies the domain name for the user name (account credentials) for installing a domain controller.

Use this parameter in conjunction with the UserName parameter.

UserName:"user_name"

Specifies the user name (account credentials) for the operation. If no value is specified, the credentials of the current user are used for the operation.

dcpromo /CreateDCAccount operation parameters

The following table shows the parameters that you can use when you create an RODC account.

Parameter:value Description and default

AutoConfigDNS:{Yes | No}

This parameter has been renamed to InstallDNS.

Specifies whether the DNS Server service should be installed. The default is computed automatically based on the environment.

ConfirmGc:{Yes | No}

Specifies whether the domain controller will be a global catalog server.

DCAccountName:"name of the domain controller to create"

Specifies the name of the RODC account that you are creating.

DelegatedAdmin:"name of user or group"

Specifies the name of the user or group that will install and administer the RODC.

InstallDNS:{Yes | No}

Specifies whether the DNS Server service should be installed. The default is computed automatically based on the environment. This parameter replaces /AutoConfigDNS.

Password:"password"

Specifies the password that corresponds to the user name (account credentials) that is used to install the domain controller. Use this parameter in conjunction with the UserName parameter.

Specify * to prompt the user to supply a password.

PasswordReplicationAllowed:{"security_principal" | None}

Specifies the names of user accounts, group accounts, and computer accounts whose passwords can be replicated to this RODC. Use None if you want to keep this value empty. By default, only the Allowed RODC Password Replication Group is allowed, and it is originally created empty.

PasswordReplicationDenied:{"security_principal" | None}

Specifies the names of user accounts, group accounts, and computer accounts whose passwords are not to be replicated to this RODC. Use None if you do not want to deny the replication of credentials of any users or computers. By default, Administrators, Server Operators, Backup Operators, Account Operators, and the Denied RODC Password Replication Group are denied. By default, the Denied RODC Password Replication Group includes Cert Publishers, Domain Admins, Enterprise Admins, Enterprise Domain Controllers, Enterprise Read-Only Domain Controllers, Group Policy Creator Owners, the krbtgt account, and Schema Admins.

ReplicaDomainDNSName:"DNS_name_of_domain"

Specifies the FQDN of the domain in which you want to install an additional domain controller.

ReplicationSourceDC:"DNS_name_of_DC"

Indicates the FQDN of the partner domain controller from which you replicate the domain information.

SiteName:"site_name"

Specifies the name of an existing site where you can place the new domain controller.

The default value depends on the type of installation. For a new forest, the default is Default-First-Site-Name. For all other installations, the default is the site that is associated with the subnet that includes the IP address of this server. If no such site exists, the default is the site of the replication source domain controller.

UserDomain:"domain_name"

Specifies the domain name for the user name (account credentials) for the operation. This parameter also helps to specify the forest where you plan to install the domain controller or create an RODC account. If no value is specified, the domain of the computer is used.

UserName:"user_name"

Specifies the user name (account credentials) for the operation. If no value is specified, the credentials of the current user are used for the operation.

dcpromo /UseExistingAccount operation parameters

You can use parameters in the following list when you attach a server to an RODC account.

Parameter:value Description and default

ApplicationPartitionsToReplicate:""

Specifies the application directory partitions that dcpromo will replicate. Use the following format:

"partition1" "partition2" "partitionN"

Use * to replicate all application directory partitions.

CriticalReplicationOnly:{Yes | <No>}

Specifies whether the installation performs only critical replication before reboot and then continues, skipping the noncritical (and potentially lengthy) portion of replication. The noncritical replication happens after the role installation finishes and the computer reboots.

The default is No.

DatabasePath:"path_to_database_files"

Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain database, for example, C:\Windows\NTDS.

The default is %SYSTEMROOT%\NTDS.

DNSDelegation:{Yes | No}

Specifies whether to create a DNS delegation for this domain in the parent DNS zone.

The default is computed automatically based on the environment.

DNSDelegationUserName:"user_name"

Specifies the user name (account credentials) for creating DNS delegation.

DNSDelegationPassword:"password"

Specifies the password for the user name (account credentials) for creating DNS delegation.

DNSOnNetwork:{<Yes> | No}

Specifies whether the DNS Server service is available on the network. This parameter is used only when the IP settings of the network adapter for this computer are not configured with the name of a DNS server for name resolution. No indicates that a DNS server will be installed on this computer for name resolution. Otherwise, the IP settings of the network adapter must be configured with a DNS server name first.

The default is Yes.

LogPath:"path_to_log_files"

Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain log files, for example, C:\Windows\Logs.

The default is %SYSTEMROOT%\NTDS.

Password:"password"

Specifies the password that corresponds to the user name (account credentials) that is used to install the domain controller. Use this parameter in conjunction with the UserName parameter.

Use * to prompt the user to supply a password.

RebootOnCompletion:{<Yes> | No}

Specifies whether to restart the computer upon completion, regardless of success.

The default is Yes.

RebootOnSuccess:{<Yes> | No | NoAndNoPromptEither}

Specifies whether to restart the computer upon successful completion.

The default is Yes.

ReplicaDomainDNSName:"DNS_name_of_domain"

Specifies the FQDN of the domain in which you want to install an additional domain controller.

ReplicationSourceDC:"DNS_name_of_DC"

Indicates the FQDN of the partner domain controller from which you replicate the domain information.

ReplicationSourcePath:"replication_source_path"

Indicates the location of the installation media that will be used to install a new domain controller.

SafeModeAdminPassword:"password"

Supplies the password for the administrator account when the computer is started in Safe Mode or a variant of Safe Mode, such as Directory Services Restore Mode.

The default is an empty password. You must supply a password.

SkipAutoConfigDns

Skips automatic configuration of DNS client settings, forwarders, and root hints. This parameter is in effect only if the DNS Server service is already installed.

Syskey:{<none> | system key}

Specifies the system key for the media from which you replicate the data.

The default is none.

SysVolPath:"path_to_sysvol_directory"

Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer, for example, C:\Windows\SYSVOL.

The default is %SYSTEMROOT%\SYSVOL.

TransferIMRoleIfNecessary:{Yes | <No>}

Specifies whether to transfer the infrastructure master role to the domain controller that you are creating, if that role is currently hosted on a global catalog server and you do not plan to make the new domain controller a global catalog server. Use Yes to transfer the infrastructure master role to the new domain controller when such a transfer is needed; in this case, make sure to use /ConfirmGC:No. Use No if you want the infrastructure master role to remain where it currently is.

The default is No.

UserDomain:"domain_name"

Specifies the domain name for the user name (account credentials) for the operation. This parameter also helps to specify the forest where you plan to install the domain controller or create an RODC account. If no value is specified, the domain of the computer will be used.

UserName:"user_name"

Specifies the user name (account credentials) for the operation. If no value is specified, the credentials of the current user are used for the operation.
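The /CreateDCAccount and /UseExistingAccount:Attach sections describe a staged RODC deployment: a Domain Admin pre-creates the account and sets its password replication policy (PRP), and a delegated branch administrator later attaches the physical server without ever holding Domain Admin rights. The PowerShell script below is an added example, not code from the original page or from Microsoft; it runs step 1 and then audits the PRP with the ActiveDirectory module (available with RSAT on Windows Server 2008 R2 or later, which is an assumption here). The domain contoso.com, the RODC account RODC01, the site Branch and the groups CONTOSO\Branch-Admins and CONTOSO\Branch-Users are assumed names.

```powershell
# Added example, not from the original page: staged RODC deployment followed by a
# PRP audit. Assumed names: domain contoso.com, RODC account RODC01, site Branch,
# CONTOSO\Branch-Admins (delegated RODC administrators) and CONTOSO\Branch-Users
# (the only accounts whose passwords may be cached on the RODC).

# --- Step 1 (as a Domain Admin, on any domain-joined admin host): pre-create the
# RODC account. No secrets are needed; with /UserName omitted dcpromo uses the
# current logon. Deliberately NOT passing /PasswordReplicationDenied:None, because
# "None" removes the default deny list (Administrators, Server Operators, Backup
# Operators, Account Operators and the Denied RODC Password Replication Group).
$Create = Start-Process -FilePath "$env:SystemRoot\System32\dcpromo.exe" -Wait -PassThru -ArgumentList @(
    '/unattend',
    '/CreateDCAccount',
    '/ReplicaDomainDNSName:contoso.com',
    '/DCAccountName:RODC01',
    '/SiteName:Branch',
    '/InstallDNS:Yes',
    '/ConfirmGc:Yes',
    '/DelegatedAdmin:"CONTOSO\Branch-Admins"',
    '/PasswordReplicationAllowed:"CONTOSO\Branch-Users"'
)
"CreateDCAccount exit code: $($Create.ExitCode)"

# --- Step 2 runs on the branch server itself, as a member of CONTOSO\Branch-Admins
# rather than as a Domain Admin, for example:
#   dcpromo /unattend /UseExistingAccount:Attach /ReplicaDomainDNSName:contoso.com
#           /UserDomain:contoso.com /UserName:<branch admin> /Password:* ...
# with SafeModeAdminPassword and the path parameters supplied as for any promotion.

# --- Step 3: audit what the RODC may cache and what it has actually cached.
function Test-RodcPrp {
    param(
        [Parameter(Mandatory = $true)][string]$Rodc,
        # The deny list dcpromo configures by default (see PasswordReplicationDenied above).
        [string[]]$ExpectedDenied = @('Administrators', 'Server Operators', 'Backup Operators',
                                      'Account Operators', 'Denied RODC Password Replication Group')
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $Denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
    $Allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
    $MissingDeny = @($ExpectedDenied | Where-Object { $Denied.Name -notcontains $_ })

    # Accounts whose secrets are physically present on the RODC right now.
    # adminCount=1 marks AdminSDHolder-protected accounts (members, current or past,
    # of the protected groups); any such account cached on a branch DC needs a look.
    $Revealed  = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
    $Sensitive = @($Revealed | Where-Object {
        (Get-ADObject -Identity $_.DistinguishedName -Properties adminCount).adminCount -eq 1
    })

    [pscustomobject]@{
        RODC                 = $Rodc
        Allowed              = $Allowed.Name
        Denied               = $Denied.Name
        MissingDefaultDenies = $MissingDeny
        RevealedCount        = $Revealed.Count
        RevealedPrivileged   = $Sensitive.Name
        Pass                 = ($MissingDeny.Count -eq 0) -and ($Sensitive.Count -eq 0)
    }
}

Test-RodcPrp -Rodc 'RODC01' | Format-List
```

Run Test-RodcPrp periodically, not only after deployment: the PRP can be edited later in Active Directory Users and Computers, and the revealed-accounts list is the ground truth of what an attacker with physical access to the branch RODC could extract.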

dcpromo Demotion operation parameters

You can use parameters in the following list when you remove AD DS from a domain controller that runs Windows Server 2008.

Parameter:value Description and default

AdministratorPassword:"administrator password"

Specifies the password that the local Administrator account will have once AD DS is removed from the domain controller. The default is an empty password; always supply a strong one, because after demotion this account is the server's local administrative logon.

DemoteFSMO:{Yes | <No>}

Indicates that a (forced) demotion should continue even if an operations master role is discovered on the domain controller from which AD DS is being removed. Transfer any operations master roles to another domain controller before demotion whenever possible; use Yes only when no other domain controller can take them.

The default is No.

DNSDelegationPassword:{"password" | *}

Specifies the password to use for the user name (the account credentials) when you create or remove the DNS delegation. Specify * to prompt the user to enter credentials.

DNSDelegationUserName:"user_name"

Specifies the user name to use when you create or remove the DNS delegation. If you do not specify a value, the account credentials that you specify for the AD DS installation or removal are used for the DNS delegation.

IgnoreIsLastDcInDomainMismatch:{Yes | <No>}

Used in conjunction with /IsLastDCInDomain. This parameter specifies whether Dcpromo.exe ignores any inconsistency that it detects with the value that you specify for /IsLastDCInDomain. For example, if you specify /IsLastDCInDomain:Yes but dcpromo detects that there is actually another active domain controller in the domain, you can specify /IgnoreIsLastDcInDomainMismatch:Yes to have dcpromo continue the removal of AD DS from the domain controller despite the inconsistency that it has detected. Similarly, if you specify /IsLastDCInDomain:No but dcpromo cannot detect that another domain controller is in the domain, you can specify /IgnoreIsLastDcInDomainMismatch:Yes to have dcpromo continue to remove AD DS from the domain controller.

The default is No. The default causes the wizard to prompt the user to continue, and it causes the command-line tool to exit with an error.

IgnoreIsLastDNSServerForZone:{Yes | <No>}

Specifies whether to continue the removal of AD DS despite the fact that the domain controller is the last DNS server for one or more of the Active Directory–integrated DNS zones that it hosts.

The default is No.

IsLastDCInDomain:{Yes | <No>}

Specifies whether the computer from which AD DS is being removed is the last domain controller in the domain.

The default is No.

Password:"password"

Specifies the password that corresponds to the user name (account credentials) that is used to remove AD DS from the domain controller. Use this parameter in conjunction with the UserName parameter.

Specify * to prompt the user to supply a password.

RebootOnCompletion:{<Yes> | No}

Specifies whether to restart the computer upon completion, regardless of success.

The default is Yes.

RebootOnSuccess:{<Yes> | No | NoAndNoPromptEither}

Specifies whether to restart the computer upon successful completion.

The default is Yes.

RemoveApplicationPartitions:{Yes | <No>}

Specifies whether to remove application partitions during the removal of AD DS from a domain controller.

The default is No.

RemoveDNSDelegation:{<Yes> | No}

Specifies whether to remove DNS delegations that point to this DNS server from the parent DNS zone.

The default is Yes.

RetainDCMetadata:{Yes | <No>}

Retains domain controller metadata in the domain after AD DS removal to allow a delegated administrator to remove AD DS from an RODC.

The default is No.

UserDomain:"domain_name"

Specifies the domain name for the user name (account credentials) for the operation. This parameter also helps to identify the forest in which the domain controller being demoted resides. If no value is specified, the domain of the computer will be used.

UserName:"user_name"

Specifies the user name (account credentials) for the operation. If no value is specified, the credentials of the current user are used for the operation.

Examples

The following example supplies an answer file named NewForestInstallation:

dcpromo /answer:NewForestInstallation

The following example creates the first domain controller in a new child domain where you expect to install at least some Windows Server 2003 domain controllers:

dcpromo /unattend /InstallDns:yes /ParentDomainDNSName:contoso.com /replicaOrNewDomain:domain /newDomain:child /newDomainDnsName:east.contoso.com /childName:east /DomainNetbiosName:east /databasePath:"e:\ntds" /logPath:"e:\ntdslogs" /sysvolpath:"g:\sysvol" /safeModeAdminPassword:FH#3573.cK /domainLevel:2 /rebootOnCompletion:yes

The following example creates an additional domain controller with the global catalog, and it installs and configures the DNS Server service:

dcpromo /unattend /InstallDns:yes /confirmGC:yes /replicaOrNewDomain:replica /databasePath:"e:\ntds" /logPath:"e:\ntdslogs" /sysvolpath:"g:\sysvol" /safeModeAdminPassword:M6$,U8Gvx4 /rebootOnCompletion:yes
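The command-line examples above pass /safeModeAdminPassword (and would pass /Password) in clear text, where the values are visible in process listings, command history and any logon or deployment script that carries them. The page's /answer:<filename> option avoids that, but an answer file holds the same secrets on disk. The PowerShell script below is an added example, not code from the original page or from Microsoft: it builds an answer file for an additional writable domain controller, restricts the file to Administrators and SYSTEM before any secret is written, runs dcpromo, and deletes the file afterwards. The domain contoso.com, the replication source DC1.contoso.com, the site HQ and the E: and G: volumes are assumed values; the answer-file layout (a single [DCInstall] section of Parameter=Value lines using the parameter names in the promotion table) is the format dcpromo reads.

```powershell
# Added example, not from the original page. Promotes this server as an additional
# writable DC through an answer file so that no password appears on a command line.
# Assumed values: domain contoso.com, replication source DC1.contoso.com, site HQ,
# and the E: and G: volumes used in the page's examples. Run from an elevated
# PowerShell session on the server being promoted.

$AnswerFile = Join-Path $env:TEMP 'dcpromo-answer.txt'

# Gather both secrets interactively; they never reach a process command line.
# Enter the account as DOMAIN\user so that .Domain below is populated.
$Cred = Get-Credential -Message 'Account allowed to add a domain controller (DOMAIN\user)'
$Net  = $Cred.GetNetworkCredential()          # exposes .Domain, .UserName, .Password
$Dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode (DSRM) password'
$Bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Dsrm)
try     { $DsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr) }

# One [DCInstall] section of Parameter=Value lines. RebootOnSuccess is set to
# NoAndNoPromptEither so this script regains control and can delete the file;
# restart explicitly once the exit code shows the promotion succeeded.
$Body = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=contoso.com
ReplicationSourceDC=DC1.contoso.com
SiteName=HQ
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="E:\NTDS"
LogPath="E:\NTDSLogs"
SysVolPath="G:\SYSVOL"
UserDomain=$($Net.Domain)
UserName=$($Net.UserName)
Password=$($Net.Password)
SafeModeAdminPassword=$DsrmPlain
RebootOnCompletion=No
RebootOnSuccess=NoAndNoPromptEither
"@

$ExitCode = $null
try {
    # Create the file and lock its ACL down to Administrators and SYSTEM before any
    # secret is written, so there is no window in which other users can read it.
    New-Item -Path $AnswerFile -ItemType File -Force | Out-Null
    $Acl = Get-Acl -Path $AnswerFile
    $Acl.SetAccessRuleProtection($true, $false)       # stop inheriting and drop inherited ACEs
    foreach ($Id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $Rule = New-Object Security.AccessControl.FileSystemAccessRule($Id, 'FullControl', 'Allow')
        $Acl.AddAccessRule($Rule)
    }
    Set-Acl -Path $AnswerFile -AclObject $Acl
    Set-Content -Path $AnswerFile -Value $Body

    # Start-Process -Wait blocks until dcpromo.exe exits, which a bare invocation of a
    # GUI-subsystem binary from PowerShell does not guarantee.
    $Proc = Start-Process -FilePath "$env:SystemRoot\System32\dcpromo.exe" `
                          -ArgumentList "/answer:`"$AnswerFile`"" -Wait -PassThru
    $ExitCode = $Proc.ExitCode
}
finally {
    # Destroy the plaintext whether dcpromo succeeded, failed or never started.
    Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
    $DsrmPlain = $null; $Net = $null; $Body = $null
}

# Check $ExitCode against dcpromo's documented exit-code table (not reproduced on
# this page) before restarting; a non-success code means the file was still removed.
"dcpromo exited with code $ExitCode"
```

The same pattern applies to the other operations on this page: a demotion answer file carries AdministratorPassword and IsLastDCInDomain, and an RODC attach carries the /UseExistingAccount:Attach parameters, and in each case the file should be created with a restricted ACL and deleted as soon as dcpromo returns.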