Required limited permissions for Mixed Deployments

This new feature aims to offer the possibility of performing the deployment correctly with minimum Active Directory permissions. Keep in mind that some actions must be performed manually both before and after deployment. 


There are a few things you need to set up deployment. Before you start the deployment, we recommend that you review this topic to ensure you meet the requirements. The following actions must be executed in your Active Directory Domain Controller.

The required permissions are the following:

  • Domain user account:

    • With permissions to read Active Directory forest
    • Allow adding computers to the domain (at least 10 computers)
  • Delegate full control permissions only in provided base OU

Next and Finish.

  • Domain user account must be a member of 'Remote Management Users' during deployment. If not, adding only the user with the following command (this command must be launched in Domain Controller):

    Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI -Force

  • Configure DNS forwarders:

Type active Directory domain name (FQDN), IP address of Domain Controller(s) and mark checkbox 'Store this conditional forwarder in Active Directory, and replicate is as follows: 

Deploy Quick Config Setup (QCS):

Follow Quick Config Setup guide here and remember to uncheck Provided user has administrative rights in AD Integration section.

Please, remember a trust relationship should be created after the first Resource domain controller exists. This is required to create a relationship because both domains are contacted. The first domain controller is created 1h after deployment is started (about 20 deployment % progress). If this procedure is not applied or not applied correctly, deployment will stop when validate connectivity between both Active Directory domains. 

Create trust relationship following next steps:

  • Automatically:
  $targetForestName = "resource_domain_name"
   $trustPassword = "YourPassword" #Same password that you typed in QCS
   $trustDirection = "BiDirectional"
   $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
  • Manually:

Click on 'New Trust...' button

Was this article helpful?