Active Directory

For Active Directory AutomatedLab provides three roles: RootDC, FirstChildDC and DC. AL knows about standard parameters for all roles but allows a fair amount of customization. AL supports multi-forest and / or multi-domain environments in a single lab. AL will try to get the number of domains to add from the definition of domain controllers. AL auto-detects domains in a simple environment. If your lab is more complex, it is recommended to define the domains manually using the cmdlet Add-LabDomainDefinition. Some more documentation on the parameters is down below.

Root Domain Controllers (RootDC)

Each forest starts with a Root Domain Controller. The number of forests in your lab is defined by the number of machines with the role RootDC and by the domains you are assigning these machines to. Having two Root Domain Controllers in a domain results in an error. The role RootDC supports the following parameters for customizations: SiteName, SiteSubnet, DomainFunctionalLevel and ForestFunctionalLevel.

Role Assignment

The simple assignment that takes the default settings:

Add-LabMachineDefinition -Name DC1 -OperatingSystem 'Windows 2016 SERVERDATACENTER' -Roles RootDC

The next example demonstrates the usage of all available parameters:

$role = Get-LabMachineRoleDefinition -Role RootDC @{
    ForestFunctionalLevel = 'Win2012R2'
    DomainFunctionalLevel = 'Win2012R2'
    SiteName = 'Frankfurt'
    SiteSubnet = ''
Add-LabMachineDefinition -Name T3RDC1 -IpAddress -DomainName -Roles $role

First Child Domain Controller (FirstChildDC)

If you need a child domain or a new tree in your forest, you start with assigning this role to a machine. Like for the RootDC role AL tries to auto-detect missing data, like the root domain. If you assign a role FirstChildDC to a machine which is in the domain, AL take as the parent domain. If you are running more than one forest in a lab, this cannot work anymore and some more data is required. This role needs to know about the name of the new child domain or domain tree and the parent domain name. If this cannot be retrieved automatically, an error is thrown.

Role Assignment

The simple example for this role looks identical with the one for the role RootDC. The next example demonstrates all available parameters:

$role = Get-LabMachineRoleDefinition -Role FirstChildDC @{
    ParentDomain = ''
    NewDomain = 'emea'
    DomainFunctionalLevel = 'Win2012R2'
    SiteName = 'London'
    SiteSubnet = ''

Add-LabMachineDefinition -Name LDC1 -IpAddress -DomainName -Roles $role

Domain Controller (DC)

This role can be assigned to a machine to become an additional domain controller in a root or child domain defined earlier. You cannot have the role DC without having also the role RootDC or FirstChildDC. This role supports the parameters SiteName, SiteSubnet and ReadOnly

Role Assignment

Using all these parameters looks like this:

$role = Get-LabMachineRoleDefinition -Role DC @{
    SiteName = 'Milano'
    SiteSubnet = ''
    IsReadOnly = 'true'
Add-LabMachineDefinition -Name RODC1 -IpAddress -DomainName -Roles $role

Installation Process

The installation is done when calling 'Install-Lab' without using additional parameters. To start only the Active Directory installation, you can use 'Install-Lab -Domains’.


This role cannot be assigned to a client OS. The only additional requirement is to provide the correct data if AL cannot discover your intended setup automatically.


ForestFunctionalLevel (RootDC)

This value is only available for the RootDC role and takes the Forest Functional Level. Valid values are - Win2008R2 - Win2012 - Win2012R2 - WinThreshold (Win2016)

DomainFunctionalLevel (RootDC and FirstChildDC)

This value is available on the roles RootDC and FirstChildDC and controls the Domain Functional Level. Valid values are - Win2008R2 - Win2012 - Win2012R2 - WinThreshold (Win2016)


When defined, AL creates the given site after promoting the domain controller and moves the domain controller into that site.


Stores the AD database files in the given folder.


Stores the AD log files in the given folder.


Stores the Sysvol folder in the given folder


When defined, set the Directory Services Restore Mode password to something different than the lab's install user's password.


When defined, AL creates a new Active Directory Replication subnet and assigns it to the site creates previously. The parameter SiteSubnet requires SiteName to be defined.

IsReadOnly (DC)

This string parameter makes the domain controller a read-only domain controller. Use 'true' to enable the ReadOnly DC role.

NewDomain (FirstChildDC)

Defines the new domain name for the FirstChildDC. If this value is a FQDN, AL creates a new domain tree, in case of a short name a child domain is created.

ParentDomain (FirstChildDC)

This specifies the root domain the new domain should be located in. The parameter takes the full FQDN.