Windows PowerShell-based domain controller deployment repeats warnings


When you install Active Directory Domain Services (AD DS) on Windows Server 2012 domain controllers by using the Windows PowerShell AddsDeployment module, you receive the following message:

WARNING: Windows Server 2012 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions.

For more information about this setting, see Knowledge Base article 942564

WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "". Otherwise, no action is required.

Then, this message is displayed again.


You first receive this message because of the domain controller deployment prerequisite validation process that was added in Windows Server 2012. Then, you receive this message again during the actual installation. 

When you install AD DS by using Windows Server 2012 Server Manager, you receive this message together with dialog boxes that make the message more understandable. 


To resolve this issue, ignore the message.

If you use the -SkipPreChecks:$true argument, you receive the message only one time. However, we do not recommend that you use this argument, because the prerequisite checks prevent you from trying a domain controller installation that will fail.
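The following added example (not part of the original article) runs the prerequisite validation as a separate step with Test-ADDSForestInstallation, so that the two expected warnings can be told apart from any other warning before the installation starts. The domain name is a placeholder, and the new-forest scenario is an assumption.

```powershell
# Added example, not Microsoft's script. Run elevated on the server being promoted.
Import-Module ADDSDeployment

$domainName = 'corp.example.test'   # placeholder domain name (assumption)
$dsrm = Read-Host -AsSecureString -Prompt 'Safe mode (DSRM) administrator password'

# Substrings of the two warnings that the article says are expected for a new forest.
$expected = @(
    'Allow cryptography algorithms compatible with Windows NT 4.0',
    'A delegation for this DNS server cannot be created'
)

# Prerequisite validation only. Collect warnings in $preWarnings instead of printing them.
$result = Test-ADDSForestInstallation -DomainName $domainName `
    -SafeModeAdministratorPassword $dsrm `
    -WarningVariable preWarnings -WarningAction SilentlyContinue

# Keep every warning that matches neither expected text.
$unexpected = foreach ($w in $preWarnings) {
    $text = $w.Message
    if (-not ($expected | Where-Object { $text.Contains($_) })) { $text }
}

# Stop if validation failed or if a warning other than the two expected ones appeared.
$failed = @($result | Where-Object { $_.Status -ne 'Success' })
if ($failed.Count -gt 0) {
    $failed | Format-List Context, Status, Message
    throw 'Prerequisite validation did not succeed.'
}
if ($unexpected) {
    $unexpected | ForEach-Object { Write-Warning $_ }
    throw 'Review the unexpected warnings before you install AD DS.'
}

# The installation runs its own prerequisite checks, so the expected warnings appear here again.
Install-ADDSForest -DomainName $domainName -SafeModeAdministratorPassword $dsrm
```

Because -SkipPreChecks is not used, the installation still validates prerequisites itself.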

More Information

Both messages are expected when you create a new AD DS forest. For more information about the DNS delegation warning, go to the following Microsoft TechNet website: 

Article ID: 2737416 - Last Review: 19 Sep 2012 - Revision: 1