Powershell create RODC account

  • Question

  • I have a script that creates an RODC account in AD, and it should add some groups to the allowed list for the PRP. The script goes like this:

    Param (
        [string] $SiteName,
        [string] $SiteServerI
    )
    $allowed = Get-ADGroup "Allowed RODC Password Replication Group"
    $users = Get-ADGroup "$SiteName_Allowed_PasswordReplication_USERS"
    $comps = Get-ADGroup "$SiteName_Allowed_Password_Replication_COMPUTERS"
    $groups = "$allowed","$users","$comps"
    #$groups

    Add-ADDSReadOnlyDomainControllerAccount -DomainName "TEST" -DomainControllerAccountName $SiteServerI -Sitename $SiteName -AllowPasswordReplicationAccountName $groups -DelegatedAdministratorAccountName "$SiteName-Administration" -DenyPasswordReplicationAccountName "$SiteName_Denied_Password_Replication,BUILTIN\Administrators,BUILTIN\Server Operators,BUILTIN\Backup Operators,BUILTIN\Account Operators,BUILTIN\Account Operators,Denied RODC Password Replication Group"

    The thing that is not working is adding the default groups to the parameters -AllowPasswordReplicationAccountName and -DenyPasswordReplicationAccountName. The error I get is:

    Add-ADDSReadOnlyDomainControllerAccount : Verification of prerequisites for Domain Controller promotion failed. The
    security groups that you specified for the Password Replication Policy for this read-only domain controller are not
    valid. The parameter is incorrect.

    When I remove the default groups Allowed RODC Password Replication Group, BUILTIN\Administrators, BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Account Operators, BUILTIN\Account Operators, Denied RODC Password Replication Group, the script works as expected. When I open the Password Replication Policy tab in the RODC computer account object's properties, only the groups that were added from the script are present, no default groups.

    I need to add new groups to the Password Replication Policy allowed and denied lists while keeping the default ones. One option is to add groups using repadmin /prp add, but I am hoping to do this purely in PowerShell.

    Hope someone can help me with this.

    Regards,

    Marjan

    • Moved by Hello_2018 Tuesday, July 25, 2017 6:49 AM PowerShell Related
    Monday, July 24, 2017 11:50 AM

Answers

  • Hi andonovski,

    >>For parameter AllowPasswordReplicationAccountName I have only one built in group. For parameter DenyPasswordReplicationAccountName I have two groups, one built in and one that I have created. If I remove one group for parameter DenyPasswordReplicationAccountName the command works.

    I did not get the error when I tested in my lab. Here is the result:

    PS C:\Users\Administrator> Add-ADDSReadOnlyDomainControllerAccount -DomainName 'test.local' -DomainControllerAccountName
     'bella' -SiteName 'Default-First-Site-Name' -AllowPasswordReplicationAccountName 'test1','Account Operators' -DenyPassw
    ordReplicationAccountName 'Backup Operators','test123' -Verbose
    VERBOSE: Create a new Read Only Domain Controller Account with the name 'bella' in the domain 'test.local'.
    VERBOSE: Active Directory Domain Services Setup
    VERBOSE: Validating environment and parameters...
    WARNING: Windows Server 2012 R2 domain controllers have a default for the security setting named "Allow cryptography
    algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security
    channel sessions.
    
    For more information about this setting, see Knowledge Base article 942564
    (http://go.microsoft.com/fwlink/?LinkId=104751).
    
    VERBOSE: ----------------------------------------
    VERBOSE: The following actions will be performed:
    VERBOSE: Create a computer account for a new read-only domain controller for the domain "test.local".
    
    Computer name: bella.test.local
    Site: Default-First-Site-Name
    
    Additional Options:
      Read-only domain controller: "Yes"
      Global catalog: Yes
      DNS Server: Yes
    
    Source domain controller: any writable domain controller
    
    Password Replication Policy:
      Allow: test1
      Allow: Account Operators
      Deny:  Backup Operators
      Deny:  test123
    
    VERBOSE: ----------------------------------------
    VERBOSE: Active Directory Domain Services Setup
    VERBOSE: Validating environment and parameters...
    WARNING: Windows Server 2012 R2 domain controllers have a default for the security setting named "Allow cryptography
    algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security
    channel sessions.
    
    For more information about this setting, see Knowledge Base article 942564
    (http://go.microsoft.com/fwlink/?LinkId=104751).
    
    VERBOSE: ----------------------------------------
    VERBOSE: The following actions will be performed:
    VERBOSE: Create a computer account for a new read-only domain controller for the domain "test.local".
    
    Computer name: bella.test.local
    Site: Default-First-Site-Name
    
    Additional Options:
      Read-only domain controller: "Yes"
      Global catalog: Yes
      DNS Server: Yes
    
    Source domain controller: any writable domain controller
    
    Password Replication Policy:
      Allow: test1
      Allow: Account Operators
      Deny:  Backup Operators
      Deny:  test123
    
    VERBOSE: ----------------------------------------
    VERBOSE: You have successfully created an account for a read-only domain controller (RODC). You will be able to attach
    the server that you want to be the RODC to this account by running the Add Roles Wizard in Server Manager on that
    server.
    
    An account for the read-only domain controller "bella" is now created in the domain "test.local".
    
    The domain controller account is assigned to the site "Default-First-Site-Name". You can manage sites with the Active
    Directory Sites and Services administrative tool.
    
    Message                       Context                                      RebootRequired                        Status
    -------                       -------                                      --------------                        ------
    Operation completed succes... DCPromo.General.1                                     False                       Success
    
    
    PS C:\Users\Administrator> Add-ADDSReadOnlyDomainControllerAccount -DomainName 'test.local' -DomainControllerAccountName
     'diago' -SiteName 'Default-First-Site-Name' -AllowPasswordReplicationAccountName 'test1','Account Operators','Cert Publ
    ishers' -DenyPasswordReplicationAccountName 'Backup Operators','Administrators','Denied RODC Password Replication Group'
     -Verbose
    VERBOSE: Create a new Read Only Domain Controller Account with the name 'diago' in the domain 'test.local'.
    VERBOSE: Active Directory Domain Services Setup
    VERBOSE: Validating environment and parameters...
    WARNING: Windows Server 2012 R2 domain controllers have a default for the security setting named "Allow cryptography
    algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security
    channel sessions.
    
    For more information about this setting, see Knowledge Base article 942564
    (http://go.microsoft.com/fwlink/?LinkId=104751).
    
    VERBOSE: ----------------------------------------
    VERBOSE: The following actions will be performed:
    VERBOSE: Create a computer account for a new read-only domain controller for the domain "test.local".
    
    Computer name: diago.test.local
    Site: Default-First-Site-Name
    
    Additional Options:
      Read-only domain controller: "Yes"
      Global catalog: Yes
      DNS Server: Yes
    
    Source domain controller: any writable domain controller
    
    Password Replication Policy:
      Allow: test1
      Allow: Account Operators
      Allow: Cert Publishers
      Deny:  Backup Operators
      Deny:  Administrators
      Deny:  Denied RODC Password Replication Group
    
    VERBOSE: ----------------------------------------
    VERBOSE: Active Directory Domain Services Setup
    VERBOSE: Validating environment and parameters...
    WARNING: Windows Server 2012 R2 domain controllers have a default for the security setting named "Allow cryptography
    algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security
    channel sessions.
    
    For more information about this setting, see Knowledge Base article 942564
    (http://go.microsoft.com/fwlink/?LinkId=104751).
    
    VERBOSE: ----------------------------------------
    VERBOSE: The following actions will be performed:
    VERBOSE: Create a computer account for a new read-only domain controller for the domain "test.local".
    
    Computer name: diago.test.local
    Site: Default-First-Site-Name
    
    Additional Options:
      Read-only domain controller: "Yes"
      Global catalog: Yes
      DNS Server: Yes
    
    Source domain controller: any writable domain controller
    
    Password Replication Policy:
      Allow: test1
      Allow: Account Operators
      Allow: Cert Publishers
      Deny:  Backup Operators
      Deny:  Administrators
      Deny:  Denied RODC Password Replication Group
    
    VERBOSE: ----------------------------------------
    VERBOSE: You have successfully created an account for a read-only domain controller (RODC). You will be able to attach
    the server that you want to be the RODC to this account by running the Add Roles Wizard in Server Manager on that
    server.
    
    An account for the read-only domain controller "diago" is now created in the domain "test.local".
    
    The domain controller account is assigned to the site "Default-First-Site-Name". You can manage sites with the Active
    Directory Sites and Services administrative tool.
    
    Message                       Context                                      RebootRequired                        Status
    -------                       -------                                      --------------                        ------
    Operation completed succes... DCPromo.General.1                                     False                       Success
    
    
    PS C:\Users\Administrator>
    
    
    Warning:
    
    -DenyPasswordReplicationAccountName<String[]>
    Specifies the names of user accounts, group accounts, and computer accounts whose passwords are not to be replicated to this RODC.
     Use "None" if you do not want to deny the replication of credentials of any users or computers. By default, Administrators, Server Operators, 
    Backup Operators, Account Operators, and the Denied RODC Password Replication Group are denied. By default, the Denied RODC Password Replication Group 
    includes Cert Publishers, Domain Admins, Enterprise Admins, Enterprise Domain Controllers, Enterprise Read-Only Domain Controllers, Group Policy Creator 
    Owners, the krbtgt account, and Schema Admins.
    
    https://technet.microsoft.com/en-us/library/hh974718(v=wps.630).aspx.

    If you want a more satisfying explanation and solution to this issue, I suggest you open a case with Microsoft so a more in-depth investigation can be done.

    Here is the link:

    https://support.microsoft.com/en-us/gp/support-options-for-business


    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Friday, July 28, 2017 9:57 AM
  • Hi Candy

    I solved my problem. I wasn't thinking straight, looks like my brain was on a vacation :D. Here are the problems:

    - I copied groups from a VB script as BUILTIN\xxxx, which is not working of course. Removing BUILTIN\ helped

    - Variable $groups was malformed. I removed it completely

    - Variables with Get-ADGroup maybe should have at the end | select expand property samaccountname

    So this part of code is now good:

    # Resolve each group to its sAMAccountName; ${SiteName} keeps the site prefix separate from the rest of the group name
    $allowed = Get-ADGroup "Allowed RODC Password Replication Group" | Select-Object -ExpandProperty SamAccountName
    $users = Get-ADGroup "${SiteName}_Allowed_PasswordReplication_USERS" | Select-Object -ExpandProperty SamAccountName
    $comps = Get-ADGroup "${SiteName}_Allowed_Password_Replication_COMPUTERS" | Select-Object -ExpandProperty SamAccountName

    # Both PRP parameters take arrays of plain account names (no BUILTIN\ prefix); the defaults are listed explicitly because supplying the parameter replaces them
    Add-ADDSReadOnlyDomainControllerAccount -DomainName "TEST" -DomainControllerAccountName $SiteServerI -Sitename $SiteName -AllowPasswordReplicationAccountName $allowed,$users,$comps -DelegatedAdministratorAccountName "$SiteName-Administration" -DenyPasswordReplicationAccountName "${SiteName}_Denied_Password_Replication","Administrators","Server Operators","Backup Operators","Account Operators","Denied RODC Password Replication Group"

    Thank you Candy for the effort. You really helped me find where I was making mistakes.

    Best regards,

    Marjan

    Saturday, July 29, 2017 8:15 AM
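    A corrected version of the whole script, as an added example and not Marjan's code from this thread: it fixes the variable-name parsing inside the group names, builds both PRP lists as arrays of plain account names, lists the defaults explicitly because the two PRP parameters replace them rather than extend them, and reads the policy back from the new computer object. Domain, site and group names are the ones used in the thread; the read-back uses the standard AD schema attributes that hold the PRP.

```powershell
# Added example (not the original poster's script). Assumes the ActiveDirectory
# and ADDSDeployment modules are installed and that the site-specific groups
# named in the thread exist.
Param (
    [Parameter(Mandatory)] [string] $SiteName,
    [Parameter(Mandatory)] [string] $SiteServerI
)
Import-Module ActiveDirectory
Import-Module ADDSDeployment

# Defect 1: "$SiteName_Allowed..." is parsed as ONE variable named
# SiteName_Allowed... (underscore is an identifier character), which expands
# to "", so Get-ADGroup was being asked for "_Allowed_...". ${SiteName}
# bounds the variable name explicitly.
$allowUsersGroup = "${SiteName}_Allowed_PasswordReplication_USERS"
$allowCompsGroup = "${SiteName}_Allowed_Password_Replication_COMPUTERS"
$denySiteGroup   = "${SiteName}_Denied_Password_Replication"

# Defect 2: the cmdlet wants plain account names (no BUILTIN\ prefix), one
# name per array element, not one comma-separated string. Resolving through
# Get-ADGroup makes a typo fail here with the group name in the error instead
# of as the generic "security groups ... are not valid" from the promotion.
function Resolve-GroupName {
    param([Parameter(Mandatory)] [string] $Name)
    (Get-ADGroup -Identity $Name).SamAccountName
}

# Defect 3: supplying -AllowPasswordReplicationAccountName or
# -DenyPasswordReplicationAccountName replaces the default list, so the
# defaults are listed next to the site-specific groups. Select-Object -Unique
# drops accidental repeats such as the doubled "Account Operators" in the
# original command.
$allowList = @(
    Resolve-GroupName 'Allowed RODC Password Replication Group'
    Resolve-GroupName $allowUsersGroup
    Resolve-GroupName $allowCompsGroup
)
$denyList = @(
    Resolve-GroupName $denySiteGroup
    'Administrators'
    'Server Operators'
    'Backup Operators'
    'Account Operators'
    'Denied RODC Password Replication Group'
) | Select-Object -Unique

# A principal on both lists ends up denied; treat that as a scripting error
# rather than letting it silently shrink the allowed set.
$both = @($allowList | Where-Object { $denyList -contains $_ })
if ($both.Count -gt 0) { throw "On both PRP lists: $($both -join ', ')" }

Add-ADDSReadOnlyDomainControllerAccount `
    -DomainName 'TEST' `
    -DomainControllerAccountName $SiteServerI `
    -SiteName $SiteName `
    -DelegatedAdministratorAccountName "${SiteName}-Administration" `
    -AllowPasswordReplicationAccountName $allowList `
    -DenyPasswordReplicationAccountName $denyList `
    -Verbose

# Read the policy back from the computer object instead of trusting the
# verbose output: the allowed list is msDS-RevealOnDemandGroup and the denied
# list msDS-NeverRevealGroup, both multi-valued DN attributes.
$rodc = Get-ADComputer -Identity $SiteServerI `
    -Properties 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup'
'Allow:'; $rodc.'msDS-RevealOnDemandGroup' | ForEach-Object { (Get-ADObject -Identity $_).Name }
'Deny:';  $rodc.'msDS-NeverRevealGroup'    | ForEach-Object { (Get-ADObject -Identity $_).Name }
```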

All replies

  • Hi andonovski

    Based on the specific situation, we need to do more research in my lab. If we have any updates or thoughts about this issue, we will keep you posted as soon as possible. Your kind understanding is appreciated.

    Sorry for the inconvenience and thank you for your understanding and patience.

    Best Regards,

    Candy




    Tuesday, July 25, 2017 9:03 AM
  • Hi andonovski

    What version of PowerShell is installed on your local Windows machines?

    I have tested in my lab with PowerShell 4.0 and there is no such problem.

    You may debug more details in verbose mode. In addition, you could check dcpromoui.log in C:\Windows\Debug.

    Best Regards,

    Candy



    Wednesday, July 26, 2017 7:28 AM
  • Hi Candy,

    Everything is done on Windows Server 2012 R2 and the PowerShell version is 4.0. The server is fully updated.

    When I try your command, it works without problems. But, doing it like that, there are a few groups missing from the deny list. It should look like this:

    Aside from these default groups I need to add a few others to the deny and allow lists. As soon as I add some other default group to the allow or deny list I get that error for group validation. Example:

    Add-ADDSReadOnlyDomainControllerAccount -DomainName "test" -DomainControllerAccountName ccci01 -SiteName ccc -AllowPasswordReplicationAccountName "Allowed RODC Password Replication Group" -DenyPasswordReplicationAccountName "RODC_Denied_Password_Replication,Denied RODC Password Replication Group"

    For parameter AllowPasswordReplicationAccountName I have only one built in group. For parameter DenyPasswordReplicationAccountName I have two groups, one built in and one that I have created. If I remove one group for parameter DenyPasswordReplicationAccountName the command works.

    If I have more than one group for any of those two parameters that aren't built-in groups there is no error; it works without problem. I don't mind creating a new prepopulated RODC account with the default groups and adding more groups later, but the only way I found is to use repadmin. Is there some native PowerShell cmdlet that I just couldn't find?

    Regards,

    Marjan

    P.S. I hope I am clear enough; sometimes I can be confusing.

    Thursday, July 27, 2017 10:32 AM
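    The PRP of an account that already exists can be changed natively as well. As an added example (not from this thread), the functions below append a group to an existing RODC account's allow or deny list by editing the same computer-object attributes that repadmin /prp edits, skip the change when the group is already listed, and read both lists back. The RODC name and the denied group are the ones used in this post; the allowed group name is a placeholder following the same naming pattern, and the module's own PRP cmdlets are named at the end for a promoted RODC.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# and that the caller has write access to the RODC computer object.
Import-Module ActiveDirectory

# Allowed list = msDS-RevealOnDemandGroup, denied list = msDS-NeverRevealGroup;
# both are multi-valued DN attributes on the RODC's computer object.
$PrpAttribute = @{ Allow = 'msDS-RevealOnDemandGroup'; Deny = 'msDS-NeverRevealGroup' }

function Add-RodcPrpEntry {
    param(
        [Parameter(Mandatory)] [string] $Rodc,    # sAMAccountName of the RODC account
        [Parameter(Mandatory)] [string] $Group,   # group to add to the list
        [Parameter(Mandatory)] [ValidateSet('Allow', 'Deny')] [string] $List
    )
    $attr = $PrpAttribute[$List]
    $dn   = (Get-ADGroup -Identity $Group).DistinguishedName   # throws on an unknown group
    $current = @((Get-ADComputer -Identity $Rodc -Properties $attr).$attr)
    if ($current -contains $dn) {
        Write-Verbose "$Group is already on the $List list of $Rodc"
        return
    }
    # -Add appends to the multi-valued attribute; -Replace would wipe the
    # defaults the account was pre-created with.
    Set-ADComputer -Identity $Rodc -Add @{ $attr = $dn }
}

function Get-RodcPrp {
    param([Parameter(Mandatory)] [string] $Rodc)
    $c = Get-ADComputer -Identity $Rodc -Properties $PrpAttribute.Allow, $PrpAttribute.Deny
    [pscustomobject]@{
        Allow = @($c.($PrpAttribute.Allow) | ForEach-Object { (Get-ADObject -Identity $_).Name })
        Deny  = @($c.($PrpAttribute.Deny)  | ForEach-Object { (Get-ADObject -Identity $_).Name })
    }
}

# Usage: pre-create the account with the defaults, then append the site groups.
Add-RodcPrpEntry -Rodc 'ccci01' -Group 'RODC_Denied_Password_Replication' -List Deny -Verbose
# placeholder group name, constructed after the thread's naming pattern
Add-RodcPrpEntry -Rodc 'ccci01' -Group 'ccc_Allowed_Password_Replication_COMPUTERS' -List Allow -Verbose
Get-RodcPrp -Rodc 'ccci01'

# The ActiveDirectory module also ships PRP cmdlets that do the same for a
# promoted RODC, e.g.:
#   Add-ADDomainControllerPasswordReplicationPolicy -Identity ccci01 -DeniedList 'RODC_Denied_Password_Replication'
#   Get-ADDomainControllerPasswordReplicationPolicy -Identity ccci01 -Denied
```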
  • Glad to hear that you solved this.

    So, next time, I suppose the more info you provide, the more help you'll get.

    Have a nice day!

    Monday, July 31, 2017 1:28 AM
  • Hi andonovski,

    Just checking in to see if the information provided was helpful. 

    You may "mark it as answer" to help other community members find the helpful reply quickly.

    Best Regards,

    Candy



    Friday, August 4, 2017 3:49 AM