3. Verifying domain-controller deployment
You can also use Windows PowerShell to verify the results of
installing AD DS on remote servers and promoting them as domain
controllers. For example, you can use the cmdlets of the BestPractices
module to perform BPA scans on remote servers. To illustrate this and
continue with the preceding scenario, begin by using Invoke-Command on
local server SEA-HOST-2 to execute the Invoke-BpaModel cmdlet on
remote server SEA-SRV-1:
PS C:\> Invoke-Command -ComputerName SEA-SRV-1 -ScriptBlock `
{Invoke-BpaModel -ModelId Microsoft/Windows/DirectoryServices}
ModelId : Microsoft/Windows/DirectoryServices
SubModelId :
Success : True
ScanTime : 6/20/2012 9:30:05 PM
ScanTimeUtcOffset : -07:00:00
Detail : {SEA-SRV-1, SEA-SRV-1}
You can then execute the Get-BpaResult cmdlet on the remote
server to display the results of the scan you just performed:
PS C:\> Invoke-Command -ComputerName SEA-SRV-1 -ScriptBlock `
{Get-BpaResult Microsoft/Windows/DirectoryServices}
The output from this command will be quite extensive, so you
might try piping it into the Where-Object cmdlet to display only
results whose severity level is Error:
PS C:\Users\Administrator> Invoke-Command -ComputerName SEA-SRV-1 -ScriptBlock `
{Get-BpaResult Microsoft/Windows/DirectoryServices} | Where-Object Severity -eq Error
ResultNumber : 28
ResultId : 513979436
ModelId : Microsoft/Windows/DirectoryServices
SubModelId :
RuleId : 36
ComputerName : SEA-SRV-1
Context :
Source : SEA-SRV-1
Severity : Error
Category : Configuration
Title : The PDC emulator master SEA-SRV-1.corp.adatum.com in this forest should
be configured to correctly synchronize time from a valid time source
Problem : The primary domain controller (PDC) emulator operations master in this
forest is not configured to correctly synchronize time from a valid
time source.
Impact : If the PDC emulator master in this forest is not configured to
correctly synchronize time from a valid time source, it might use its
internal clock for time synchronization. If the PDC emulator master in
this forest fails or otherwise becomes unavailable (and if you have not
configured a reliable time server (GTIMESERV) in the forest root
domain), other member computers and domain controllers in the forest
will not be able to synchronize their time.
Resolution : Set the PDC emulator master in this forest to synchronize time with a
reliable external time source. If you have not configured a reliable
time server (GTIMESERV) in the forest root domain, set the PDC emulator
master in this forest to synchronize time with a hardware clock that is
installed on the network (the recommended approach). You can also set
the PDC emulator master in this forest to synchronize time with an
external time server by running the w32tm /config /computer:SEA-SRV-
1.corp.adatum.com /manualpeerlist:time.windows.com
/syncfromflags:manual /update command. If you have configured a
reliable time server (GTIMESERV) in the forest root domain, set the PDC
emulator master in this forest to synchronize time from the forest root
domain hierarchy by running w32tm /config
/computer:SEA-SRV-1.corp.adatum.com /syncfromflags:domhier /update.
Compliance :
Help : http://go.microsoft.com/fwlink/?LinkId=142195
Excluded : False
PSComputerName : SEA-SRV-1
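The same verification extended to several domain controllers at once, as an added example that is not code from the original text: it runs the scan and reads the results in one remote call, keeps Error and Warning findings, and flags any server that returned nothing. SEA-SRV-2 is a hypothetical second server, and the Warning severity level does not appear in the output above.

```powershell
# Added example. SEA-SRV-2 is a hypothetical second domain controller.
$ModelId = 'Microsoft/Windows/DirectoryServices'
$Servers = 'SEA-SRV-1', 'SEA-SRV-2'

# Run the scan and read back its results in one remote call per server.
$results = @(Invoke-Command -ComputerName $Servers -ArgumentList $ModelId `
    -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
        param($Model)
        $scan = Invoke-BpaModel -ModelId $Model
        if (-not $scan.Success) {
            throw "BPA scan of $Model did not succeed on $env:COMPUTERNAME"
        }
        Get-BpaResult -ModelId $Model
    })

# A server that could not be reached or scanned returns no findings.
# Report it explicitly so that it is not mistaken for a clean server.
$scanned = @($results | Select-Object -ExpandProperty PSComputerName -Unique)
$missing = @($Servers | Where-Object { $scanned -notcontains $_ })
foreach ($server in $missing) {
    Write-Warning "No BPA results from $server; treat it as unverified."
}
foreach ($err in $remoteErrors) {
    Write-Warning $err.Exception.Message
}

# Keep only findings that need action. Severity is compared as a string
# because objects returned through remoting are deserialized.
$findings = @($results | Where-Object {
    'Error', 'Warning' -contains "$($_.Severity)"
})

# Summary: number of findings per server and severity.
$findings | Group-Object PSComputerName, Severity |
    Sort-Object Name | Format-Table Name, Count -AutoSize

# Detail: each Error with the fix that BPA recommends.
$findings | Where-Object { "$($_.Severity)" -eq 'Error' } |
    Sort-Object PSComputerName, Category |
    Format-List PSComputerName, Category, Title, Resolution
```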
Finally, you can use the Uninstall-ADDSDomainController cmdlet
to remove the AD DS role and demote a domain controller to a member
server in the domain. You will be prompted to set and confirm the
local Administrator password before the completion of the removal
process. For more information on using this cmdlet, use the Get-Help
cmdlet.