Using PowerShell Desired State Configuration to build the first domain controller in your Active Directory forest

If you’re a frequent reader of the blog articles on this site, then you know that I’ve been working on using Desired State Configuration to build my test lab environment that runs as Hyper-V VM’s on my Windows 8.1 computer.

If you would like to know the current state of my test environment, see the previous blog article: “Creating a Desired State Configuration Resource for Self Signed Certificates“.

The certificate created in last week’s blog has been exported and copied to the Windows 8.1 computer that I’m using to author and apply the DSC configuration from. This is a step that I’ll need to revisit at some point in the future and take a look at automating it.


Today I’ll be changing the name of the VM to Test01, changing the IP address from DHCP to a statically assigned one, and turning it into the first domain controller in my test Active Directory forest.

My initialization script contains all the values instead of hard coding them into the actual DSC configuration itself:

A fairly simple DSC configuration is used to accomplish the tasks. As you can see, there are three DSC resources that are being used that don’t ship in the box. Those were downloaded in another previous blog article: “Automate the installation of DSC Resource Kit Wave 9 resources with PowerShell Desired State Configuration“.

The configuration is run which loads it into memory like a function, and then it is called with the necessary parameters and their values to create the MOF files:


We need to tell the test01 VM what the thumbprint of the certificate is that will be used to encrypt the passwords in the MOF file so it will know which one to use to decrypt them. We’ll also change the RebootNodeIfNeeded to tell it to restart if needed. These changes are applied to the DSC LCM (Local Configuration Manager) on test01:


Now to apply (push) the actual configuration to test01:


Notice that in the previous set of results, the computer name was changed and the machine rebooted before making the other configuration changes.

You might be wondering how your interactive session is going to reconnect and apply the remainder of the configuration? especially when you consider that both the computer name and IP address are going to be changed. How’s it going to know what to connect back to? It’s not. The MOF file was sent to the destination node and it will finish the configuration on its own. You won’t see that in your interactive window and you’ll need to give the machine a few minutes to change the IP address, and turn itself into a domain controller. Once those steps are complete, the machine will reboot again and it will be a domain controller:



1 Comment

  1. Tamil

    Is their an possibility to add replication source DC through powershell DSC? I dont see that argument in xADDomain module


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: