Automated PowerShell scripts for complete Active Directory infrastructure deployment on Windows Server 2025.
- Overview
- Prerequisites
- Architecture
- Available Scripts
- Installation Guide
- Detailed Features
- Domain Structure
- Author
This project provides two PowerShell scripts to automatically deploy:
- A primary domain controller (SRV1) for the adatum.fr domain
- A replica domain controller (SRV2) for high availability
The scripts handle the entire process: network configuration, AD-DS installation, advanced DNS configuration, DHCP deployment, OU creation, user import, and security policies.
- 2 Windows Server 2025 VMs (Standard or Datacenter)
- RAM: 4 GB minimum per server (8 GB recommended)
- Disk: 60 GB minimum per server
- CPU: 2 vCPU minimum
- Isolated network with a 10.75.0.0/16 subnet
- No existing DHCP/DNS server on the network
- Internet connectivity for updates (optional)
- Script_Server1.ps1 - Script for the primary DC server (SRV1)
- Script_Server2.ps1 - Script for the replica DC server (SRV2)
- usersadatum.csv - CSV file containing the users to import (optional)
+-----------------------------------------------------+
| Domain adatum.fr |
+-----------------------------------------------------+
| |
| +------------------+ +------------------+ |
| | SERVERDC1 | | SERVERDC2 | |
| | 10.75.0.10 |<---->| 10.75.0.11 | |
| | | | | |
| | - Primary DC | | - Replica DC | |
| | - Global Catalog | | - Global Catalog | |
| | - DNS Server | | - DNS Server | |
| | - DHCP Server | | | |
| +------------------+ +------------------+ |
| |
| DNS Zones: |
| - adatum.fr |
| - fabrikam.fr |
| - liteware.fr |
| - woodgrovebank.com (on SRV2) |
| |
| DHCP Scope: 10.75.0.0/16 - |
+-----------------------------------------------------+
Deployment script for the primary domain controller with full configuration.
Automatic configuration:
- Server name: SERVERDC1
- IP address: 10.75.0.10/16
- Roles: DC, DNS, DHCP, Global Catalog
Deployment script for the secondary domain controller for high availability.
Automatic configuration:
- Server name: SERVERDC2
- IP address: 10.75.0.11/16
- Roles: DC Replica, DNS, Global Catalog
- Install Windows Server 2025 on both VMs
- Download the scripts to each server
- Prepare the CSV file (optional): C:\usersadatum.csv
```powershell
# Allow script execution
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force
# Run the script
.\Script_Server1.ps1
```

Note: Unrestricted changes the machine-wide policy permanently and lets any downloaded script run without a prompt. For a one-off run it is enough to set the policy with -Scope Process (it then lasts only for the current session) or to unblock the downloaded script files and keep the default RemoteSigned policy.

Required interaction:
- DSRM password (Directory Services Restore Mode) at first reboot
- Script restarts 3 times
- Rerun the script after each reboot
Total duration: ~15-20 minutes
Warning: Wait until SRV1 is fully configured before starting SRV2
```powershell
# Allow script execution
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force
# Run the script
.\Script_Server2.ps1
```

Required interaction:
- Domain credentials during domain join (Phase 2)
- Domain credentials + DSRM password during promotion (Phase 3)
- Script restarts 3 times
- Rerun the script after each reboot
Total duration: ~20-25 minutes
SRV1:
IP Address : 10.75.0.10/16
Gateway : 10.75.0.1
DNS Primary : 127.0.0.1 (localhost)
DNS Secondary : 10.75.0.11 (SRV2)

SRV2:
IP Address : 10.75.0.11/16
Gateway : 10.75.0.1
DNS Primary : 10.75.0.10 (SRV1)

Note: Microsoft's guidance for a DC that also runs DNS is the opposite order (another DC first, the loopback address second), so that a DC whose own DNS service is not yet running at startup can still locate the domain and replicate.
On SRV1:
- adatum.fr - Primary domain zone
- 10.75.0.0/16 - Reverse lookup zone (75.10.in-addr.arpa)
- fabrikam.fr - Additional zone hosted on SRV1, with records:
  - A record: web.fabrikam.fr → 10.75.0.50
  - AAAA record: web.fabrikam.fr → 2001:db8::50
  - CNAME record: www.fabrikam.fr → web.liteware.fr
- liteware.fr - Zone with MX records:
  - MX (priority 10): liteware.fr → web.liteware.fr
  - MX (priority 20): liteware.fr → srv2.adatum.fr

Note: the CNAME and the priority-10 MX both point at web.liteware.fr, which has no A record in the list above. An MX target must resolve to an address and must not itself be a CNAME, so that host needs an A record of its own for mail routing and the www alias to work.
On SRV2:
- woodgrovebank.com - Standalone zone with:
  - A record: www.woodgrovebank.com → 10.75.0.11
Forwarders: Cloudflare for Families (malware + adult content filtering):
- Primary: 1.1.1.3
- Secondary: 1.0.0.3
SRV1 carries a conditional forwarder for woodgrovebank.com, so queries for that zone are sent to SRV2 (10.75.0.11) instead of the external forwarders.
Automatic configuration to clean up stale dynamic records:
- Scavenging interval: 7 days
- No-refresh period: 7 days
- Refresh period: 7 days

A dynamically registered record becomes eligible for deletion once no-refresh + refresh (14 days) have passed since its timestamp was last updated. Static records such as the ones listed above have no timestamp and are never scavenged, and aging has to be enabled on each zone for scavenging to touch it.
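The DNS configuration described in this section, written out with the DnsServer module as an added example (this is not the project's own script). Zone names, records, forwarders and scavenging values are the README's; the A record for web.liteware.fr is an assumption added so that the CNAME and MX targets resolve.

```powershell
# Added example (not the project's script): DNS configuration for SRV1 as described above,
# using the DnsServer module that ships with the DNS Server role. Zone names, addresses and
# the 14-day scavenging maths come from the README; the A record for web.liteware.fr is an
# assumption added so that the CNAME and MX targets actually resolve.
Import-Module DnsServer

# Forward zones (AD-integrated, replicated to every DC in the domain, secure updates only).
foreach ($zone in 'fabrikam.fr', 'liteware.fr') {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -DynamicUpdate Secure
    }
}
# Reverse zone for 10.75.0.0/16 (the zone is named 75.10.in-addr.arpa).
if (-not (Get-DnsServerZone -Name '75.10.in-addr.arpa' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '10.75.0.0/16' -ReplicationScope Domain -DynamicUpdate Secure
}

# fabrikam.fr records from the README.
Add-DnsServerResourceRecordA     -ZoneName 'fabrikam.fr' -Name 'web' -IPv4Address '10.75.0.50'
Add-DnsServerResourceRecordAAAA  -ZoneName 'fabrikam.fr' -Name 'web' -IPv6Address '2001:db8::50'
Add-DnsServerResourceRecordCName -ZoneName 'fabrikam.fr' -Name 'www' -HostNameAlias 'web.liteware.fr'

# liteware.fr: MX records at the zone apex (-Name '.') plus the assumed A record for the target.
Add-DnsServerResourceRecordA  -ZoneName 'liteware.fr' -Name 'web' -IPv4Address '10.75.0.50'   # assumption
Add-DnsServerResourceRecordMX -ZoneName 'liteware.fr' -Name '.' -MailExchange 'web.liteware.fr' -Preference 10
Add-DnsServerResourceRecordMX -ZoneName 'liteware.fr' -Name '.' -MailExchange 'srv2.adatum.fr'  -Preference 20

# Conditional forwarder: queries for woodgrovebank.com go to SRV2, which hosts that zone.
Add-DnsServerConditionalForwarderZone -Name 'woodgrovebank.com' -MasterServers 10.75.0.11 -ReplicationScope Domain

# External forwarders (Cloudflare for Families); do not fall back to root hints if they fail,
# otherwise the content filtering is silently bypassed whenever the forwarders are unreachable.
Set-DnsServerForwarder -IPAddress 1.1.1.3, 1.0.0.3 -UseRootHint $false

# Scavenging: 7-day no-refresh + 7-day refresh, checked every 7 days, aging enabled on all zones.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00 -ApplyOnAllZones

# Checks: the alias chain and the MX set should resolve from SRV1, and the conditional
# forwarder should answer for woodgrovebank.com even though SRV1 does not host the zone.
Resolve-DnsName -Server 10.75.0.10 -Name 'www.fabrikam.fr'
Resolve-DnsName -Server 10.75.0.10 -Name 'liteware.fr' -Type MX
Resolve-DnsName -Server 10.75.0.10 -Name 'www.woodgrovebank.com'
```

Run it on SRV1 after the DNS role is installed; the Get-DnsServerZone guards make it safe to rerun, which matters for a script that is restarted after every reboot.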
DHCP Server: SRV1 only
Name : Scope_TESTDOMAIN
Network : 10.75.0.0/16
IP Range : 10.75.0.1 - 10.75.0.200
Subnet Mask : 255.255.0.0
Gateway : 10.75.0.1
DNS Server : 10.75.0.10
DNS Domain : adatum.fr
Note: the lease range begins at 10.75.0.1, so it contains the gateway (.1), both DCs (.10 and .11) and web.fabrikam.fr (.50). Conflict detection is what stops those addresses from being leased; exclusion ranges for the static hosts are the reliable fix, because a static host that is offline when the probe runs still has its address handed out.

IP Conflict Detection:
- 3 ping attempts before an address is offered; an address that answers is marked BAD_ADDRESS and skipped
- Prevents conflicts with static IP machines

Static Route (Option 121, classless static route):
- Network: 192.168.21.0/24
- Gateway: 10.75.255.254
- Allows DHCP clients to reach the remote network
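The scope described above built with the DhcpServer module, as an added example rather than the project's own code. It also shows two things the README's settings imply but do not spell out: exclusion ranges for the static hosts inside the lease range, and the RFC 3442 byte encoding of option 121 with the default route included. The exclusion ranges and the assumption that Set-DhcpServerv4OptionValue accepts a byte array for a binary option are mine; scope, options and conflict-detection values are the README's.

```powershell
# Added example (not the project's script): DHCP scope for adatum.fr as described above.
# Exclusion ranges are my choice; scope, options and conflict-detection values are the README's.
Import-Module DhcpServer

# RFC 3442 encoding: each route is <prefix length><significant destination octets><router>.
# A /24 contributes 3 destination octets, a /16 two, a /0 (default route) none.
function ConvertTo-ClasslessStaticRouteBytes {
    param([Parameter(Mandatory)][string[]]$Routes)   # e.g. '192.168.21.0/24=10.75.255.254'
    $out = [System.Collections.Generic.List[byte]]::new()
    foreach ($route in $Routes) {
        $destination, $router = $route -split '='
        $network, $prefix = $destination -split '/'
        $prefix = [int]$prefix
        $significant = [math]::Ceiling($prefix / 8)
        $out.Add([byte]$prefix)
        $octets = $network -split '\.'
        for ($i = 0; $i -lt $significant; $i++) { $out.Add([byte]$octets[$i]) }
        foreach ($o in ($router -split '\.')) { $out.Add([byte]$o) }
    }
    return $out.ToArray()
}

# A DHCP server on a DC must be authorized in AD before it serves leases.
Add-DhcpServerInDC -DnsName 'serverdc1.adatum.fr' -IPAddress 10.75.0.10

# Scope and options from the README.
Add-DhcpServerv4Scope -Name 'Scope_TESTDOMAIN' -StartRange 10.75.0.1 -EndRange 10.75.0.200 `
    -SubnetMask 255.255.0.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId 10.75.0.0 -Router 10.75.0.1 -DnsServer 10.75.0.10 -DnsDomain 'adatum.fr'

# The range starts at .1, so carve out the gateway, the DCs and web.fabrikam.fr (.50) instead of
# relying on conflict-detection pings alone (a host that is down when the lease is offered still collides).
Add-DhcpServerv4ExclusionRange -ScopeId 10.75.0.0 -StartRange 10.75.0.1  -EndRange 10.75.0.20
Add-DhcpServerv4ExclusionRange -ScopeId 10.75.0.0 -StartRange 10.75.0.50 -EndRange 10.75.0.50

# Conflict detection is a server-wide setting: 3 ICMP probes before an address is offered.
Set-DhcpServerSetting -ConflictDetectionAttempts 3

# Option 121. RFC 3442 says a client that honours option 121 MUST ignore option 3 (router), so the
# default route has to be carried inside option 121 too, or option-121-aware clients lose their gateway.
# Encoded bytes: 24,192,168,21,10,75,255,254, 0,10,75,0,1
$routes = ConvertTo-ClasslessStaticRouteBytes -Routes '192.168.21.0/24=10.75.255.254', '0.0.0.0/0=10.75.0.1'
Set-DhcpServerv4OptionValue -ScopeId 10.75.0.0 -OptionId 121 -Value $routes   # byte[] for a binary option: assumption, verify below

# Checks.
Get-DhcpServerv4ExclusionRange -ScopeId 10.75.0.0
(Get-DhcpServerSetting).ConflictDetectionAttempts
(Get-DhcpServerv4OptionValue -ScopeId 10.75.0.0 -OptionId 121).Value
```

The default-route-in-option-121 point is the one most often missed: Windows and Linux clients that understand option 121 drop option 3 entirely, so a scope that only lists the 192.168.21.0/24 route leaves those clients without a default gateway.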
Automatically created structure:
adatum.fr
└── Managed Objects
├── Users (Permanent users)
└── Contractors (Contractors/Interns)
Protection against accidental deletion enabled on all OUs.
Method: CSVDE (CSV Directory Exchange)
File location: C:\usersadatum.csv
Expected CSV format (header row):

```csv
"DN","objectClass","samAccountName","userPrincipalName","displayName","l","department","title","description","telephoneNumber","company","Name","givenName","sn","physicalDeliveryOfficeName","mail"
```

User configuration:
- Initial password: P@ssw0rd123456! (the same password for every imported account)
- Accounts automatically enabled
- Password change not forced at first logon

CSVDE cannot import passwords, so the objects it creates are disabled until the script sets the password and enables them in a second step. Because that password is printed in this README and no change is forced, every imported account is usable by anyone who has read it; outside a throwaway lab, give each user a unique initial password and require a change at first logon.
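An added example of importing the same usersadatum.csv columns with New-ADUser instead of CSVDE, with a per-user random password and a forced change at first logon. This is not the project's script: the target OU follows the README's OU tree, the hand-out file path is my choice, and blank CSV cells are dropped rather than passed as empty attribute values.

```powershell
# Added example (not the project's script): import usersadatum.csv with New-ADUser, giving each
# account its own random password and forcing a change at first logon. Paths are assumptions.
Import-Module ActiveDirectory

$CsvPath    = 'C:\usersadatum.csv'
$TargetOu   = 'OU=Users,OU=Managed Objects,DC=adatum,DC=fr'   # from the README's OU tree
$HandoutCsv = 'C:\initial-passwords.csv'                        # hand out of band, then delete

# 64-symbol alphabet (no 0/O, 1/l/I) so that byte % 64 is unbiased; the CSPRNG works on 5.1 and 7.
$Alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
function New-RandomPassword {
    param([int]$Length = 16)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $Alphabet[$_ % 64] })
        # Domain complexity wants 3 of 4 classes; keep drawing until all 4 are present.
        $classes = @('[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') | Where-Object { $pw -cmatch $_ }
    } until ($classes.Count -eq 4)
    return $pw
}

Import-Csv -Path $CsvPath | ForEach-Object {
    $pw = New-RandomPassword
    $props = @{
        Name                  = $_.Name
        SamAccountName        = $_.samAccountName
        UserPrincipalName     = $_.userPrincipalName
        Path                  = $TargetOu
        AccountPassword       = (ConvertTo-SecureString $pw -AsPlainText -Force)
        Enabled               = $true
        ChangePasswordAtLogon = $true
    }
    # Optional attributes: AD rejects empty strings, so only pass the cells that are filled in.
    $optional = @{
        GivenName = $_.givenName; Surname = $_.sn; DisplayName = $_.displayName; EmailAddress = $_.mail
        Department = $_.department; Title = $_.title; Description = $_.description; Company = $_.company
        City = $_.l; Office = $_.physicalDeliveryOfficeName; OfficePhone = $_.telephoneNumber
    }
    foreach ($k in $optional.Keys) { if ($optional[$k]) { $props[$k] = $optional[$k] } }
    New-ADUser @props
    [pscustomobject]@{ SamAccountName = $_.samAccountName; InitialPassword = $pw }
} | Export-Csv -Path $HandoutCsv -NoTypeInformation

# Check: pwdLastSet = 0 means "must change at next logon"; anything listed here was not forced.
Get-ADUser -SearchBase $TargetOu -Filter * -Properties pwdLastSet |
    Where-Object { $_.pwdLastSet -ne 0 } |
    Select-Object SamAccountName, pwdLastSet
```

The hand-out file is the weak point of this flow: it should live only as long as it takes to deliver the passwords, and the forced change at first logon is what makes a leaked copy worthless afterwards.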
Domain-level configuration:
| Parameter | Value |
|---|---|
| Maximum password age | 180 days |
| Minimum password age | 0 days |
| Minimum password length | 8 characters |
| Complexity required | Enabled |
| Password history | Default (24) |
| Parameter | Value |
|---|---|
| Lockout threshold | 5 attempts |
| Lockout duration | 10 minutes |
| Reset counter after | 10 minutes |
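The two tables above expressed as one Set-ADDefaultDomainPasswordPolicy call, followed by a tighter variant and a check. This is an added example, not the project's script; the first call uses the README's values, the hardened values are my suggestion.

```powershell
# Added example (not the project's script): the README's domain password and lockout policy,
# then a tighter variant (my suggestion) and a check of what the domain actually enforces.
Import-Module ActiveDirectory
$Domain = 'adatum.fr'

# As documented: 180-day max age, no minimum age, 8 characters, complexity on, 24 in history,
# lockout after 5 failures for 10 minutes, failure counter reset after 10 minutes.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MaxPasswordAge 180.00:00:00 -MinPasswordAge 0.00:00:00 -MinPasswordLength 8 `
    -ComplexityEnabled $true -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutDuration 00:10:00 -LockoutObservationWindow 00:10:00

# Tighter variant: a minimum age of 1 day stops a user from cycling through 24 changes in one
# sitting to get back to an old password (which makes the history setting pointless), and 14
# characters is a more defensible floor than 8 against offline cracking of NTLM hashes.
function Set-HardenedDomainPasswordPolicy {
    param([string]$Identity = $Domain)
    Set-ADDefaultDomainPasswordPolicy -Identity $Identity `
        -MinPasswordAge 1.00:00:00 -MinPasswordLength 14 -ComplexityEnabled $true
}

# Verify the effective default policy. Fine-grained password policies (PSOs) can override it
# for specific groups, so check those separately with Get-ADFineGrainedPasswordPolicy -Filter *.
function Test-DomainPasswordPolicy {
    param([string]$Identity = $Domain, [int]$MinLength = 14, [int]$MaxLockoutThreshold = 10)
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Identity
    [pscustomobject]@{
        MinLengthOk  = $p.MinPasswordLength -ge $MinLength
        MinAgeOk     = $p.MinPasswordAge -gt [TimeSpan]::Zero
        ComplexityOk = $p.ComplexityEnabled
        LockoutOk    = ($p.LockoutThreshold -gt 0) -and ($p.LockoutThreshold -le $MaxLockoutThreshold)
        NoReversible = -not $p.ReversibleEncryptionEnabled
    }
}
Test-DomainPasswordPolicy
```

With the README's values the check reports MinLengthOk and MinAgeOk as false; after Set-HardenedDomainPasswordPolicy both flip to true while the lockout settings stay as documented.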
Primary server (SRV1) only:
- NTP Server 1: 0.au.pool.ntp.org
- NTP Server 2: 1.au.pool.ntp.org
- Mode: MANUAL (reliable time source)

SRV2 automatically synchronizes its clock with SRV1 through the domain hierarchy.

Note: the au pool is on the other side of the world from a Paris site; fr.pool.ntp.org or europe.pool.ntp.org would give lower round-trip delay and jitter. Kerberos tolerates 5 minutes of skew by default, so this affects quality rather than correctness.
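The time configuration above as w32tm commands, added here as an example rather than taken from the project's script. The peers and the manual/reliable mode are the README's; the PDC-emulator check and the SRV2 branch are standard practice I have added so the same block can run on either server.

```powershell
# Added example (not the project's script): README time configuration with w32tm. Peers and mode
# are the README's; the PDC-emulator check and the domhier branch for SRV2 are my additions.
Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
$me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($me -ieq $pdc) {
    # SRV1 (PDC emulator): external peers in client mode (0x8), manual source list,
    # advertised as a reliable time source so other DCs pick it up through the hierarchy.
    w32tm /config /manualpeerlist:"0.au.pool.ntp.org,0x8 1.au.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
} else {
    # SRV2 and any later DC: follow the domain hierarchy, which leads back to the PDC emulator.
    # Setting manual peers here too would create a second root and let the DCs drift apart.
    w32tm /config /syncfromflags:domhier /update
}
Restart-Service w32time
w32tm /resync /rediscover

# Checks: on SRV1 Source should name one of the pool hosts, on SRV2 it should name SERVERDC1;
# Stratum on SRV1 is one above whatever the pool server reports.
w32tm /query /source
w32tm /query /status
```

The branch matters because the README's "reliable time source" flag belongs on the PDC emulator only; if SRV1's FSMO roles are ever moved, the peer configuration has to move with them.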
| Parameter | Value |
|---|---|
| Site name | ParisHQ |
| Subnet | 10.75.0.0/16 |
| Location | Paris |
The default site Default-First-Site-Name is automatically renamed to ParisHQ.
Domain name : adatum.fr
Global Catalog : SRV1 + SRV2
SRV1:
C:\Windows-2025-AD-Deployment-log.txt
SRV2:
C:\Windows-2025-AD-Replica-log.txt
SRV1 phases (completion markers):
- 1-Basic-Server-Config-Complete - Network and hostname configuration
- 2-Build-Active-Directory-Complete - AD-DS installation
- 3-Finalize-AD-Config-Complete - DNS, DHCP, Sites
- 4-OU-Users-GPO-Complete - OUs, users, policies

SRV2 phases (completion markers):
- 1-Basic-Server-Config-Complete - Network and hostname configuration
- 2-Domain-Join-Complete - Domain join
- 3-DC-Promotion-Complete - DC promotion
- 4-Post-Config-Complete - DNS configuration
- 5-DNS-Zone-Woodgrove-Complete - woodgrovebank.com zone
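A skeleton of the phase/checkpoint pattern that completion markers like the ones above imply, added as an example; it is not the project's script and the README does not say how its markers are stored. The marker directory, the log reuse and the phase bodies are assumptions; the README only states that the script reboots three times and is rerun by hand after each reboot.

```powershell
# Added example (not the project's script): resumable phases for a script that is rerun after
# each reboot. Marker directory and phase bodies are assumptions; marker names follow the README.
$StateDir = 'C:\ProgramData\ADDeploy'                   # assumption: survives reboots, local disk
$LogFile  = 'C:\Windows-2025-AD-Deployment-log.txt'     # the README's SRV1 log path
New-Item -ItemType Directory -Path $StateDir -Force | Out-Null

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile -Encoding utf8
}

function Test-PhaseComplete {
    param([string]$Name)
    Test-Path (Join-Path $StateDir "$Name-Complete")
}

function Invoke-Phase {
    param([string]$Name, [scriptblock]$Action, [switch]$RebootAfter)
    if (Test-PhaseComplete $Name) { Write-Log "Skipping $Name (already complete)"; return }
    Write-Log "Starting $Name"
    & $Action
    # The marker is written only after the action ran without a terminating error
    # ($ErrorActionPreference = 'Stop' below), so a failed phase is retried on the next run.
    New-Item -ItemType File -Path (Join-Path $StateDir "$Name-Complete") -Force | Out-Null
    Write-Log "Finished $Name"
    if ($RebootAfter) { Write-Log 'Rebooting; rerun the script after logon'; Restart-Computer -Force }
}

$ErrorActionPreference = 'Stop'

Invoke-Phase -Name '1-Basic-Server-Config' -RebootAfter -Action {
    Rename-Computer -NewName 'SERVERDC1' -Force     # takes effect at the reboot that follows
    # static IP and DNS client settings would be applied here as well
}

Invoke-Phase -Name '2-Build-Active-Directory' -RebootAfter -Action {
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    # Install-ADDSForest prompts for the DSRM password. -NoRebootOnCompletion matters here: if the
    # cmdlet rebooted on its own, the marker would never be written and the rerun would promote again.
    Install-ADDSForest -DomainName 'adatum.fr' -DomainNetbiosName 'ADATUM' -InstallDns `
        -NoRebootOnCompletion -Force
}
# Phases 3 and 4 (DNS/DHCP/sites, then OUs/users/policies) follow the same shape without -RebootAfter.
```

The ordering inside Invoke-Phase is the point: work first, marker second, reboot last. Writing the marker before the work, or letting a cmdlet reboot the host before the marker exists, is what turns "rerun the script after each reboot" into either a skipped phase or a repeated promotion.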
Project developed as part of Windows Server 2025 practical work
Contact: benjamin@voyager3.fr School: IPSSI Date: November 2025
This project is provided for educational purposes only.
- Do not use in production without additional adaptation and security hardening
- Default passwords must be changed
- Test in an isolated environment before any deployment
- Backup your data before execution
If this project was helpful, feel free to star it!