Install the Domain Controller.
In this first part we start with installing the Domain Controller. I could have shown you all the GUI screenshots, but I am sure you all know them already. After all these years the GUI gets boring, so let's do this with some PowerShell commands.
The script below adds the Active Directory Domain Services role and promotes the server to Domain Controller. You can either run it as a .ps1 file from an elevated PowerShell window or paste it into an elevated PowerShell ISE window and run it there, as I did.
```powershell
#Install AD Role (plus the RSAT tooling we want on the DC):
Install-WindowsFeature -Name AD-Domain-Services, GPMC, RSAT, RSAT-AD-AdminCenter, `
    RSAT-AD-PowerShell, RSAT-AD-Tools, RSAT-ADDS, RSAT-ADDS-Tools, RSAT-Role-Tools

#Promote to domain controller.
#Restore Mode (DSRM) password. A hard-coded plaintext password is acceptable only for a
#throwaway lab; elsewhere prompt for it, e.g. Read-Host -AsSecureString, so it never lands in a script or history file.
$DirectoryServiceRestoreModePassword = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
Import-Module ADDSDeployment
Install-ADDSForest `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "Win2012R2" `
    -DomainName "DEV.lab" `
    -DomainNetbiosName "DEV" `
    -ForestMode "Win2012R2" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true `
    -SafeModeAdministratorPassword $DirectoryServiceRestoreModePassword
```
After the script finishes, the server reboots (-NoRebootOnCompletion is $false) and comes back up as a Domain Controller.
After creating a new domain, I always create the same OU structure with a few service accounts that I need later on, just to keep things tidy.
We also need a dedicated container in Active Directory for Virtual Machine Manager to store its Distributed Key Management (DKM) information. I name this container DKMVMM and place it in the root of the domain (you can place it anywhere). The VMM service account needs full control on this container so that VMM can write to it. Since DKM holds the keys VMM uses to protect the credentials stored in its database, nobody else should be granted explicit rights on this container.
The picture below shows the objects we will create.
Again, clicking through Active Directory Users and Computers gets boring. So here is the PowerShell script that creates the OU structure, the service accounts and the DKMVMM container, and sets the security rights on that container.
```powershell
Import-Module ActiveDirectory

#Create the OU structure:
$DomainName = "DC=DEV,DC=lab"
$OUOrganization = New-ADOrganizationalUnit -Name "Organization" -Path $DomainName -PassThru
New-ADOrganizationalUnit -Name "Servers" -Path $OUOrganization
New-ADOrganizationalUnit -Name "Workstations" -Path $OUOrganization
New-ADOrganizationalUnit -Name "Users" -Path $OUOrganization
New-ADOrganizationalUnit -Name "Groups" -Path $OUOrganization
$OUServiceAccounts = New-ADOrganizationalUnit -Name "ServiceAccounts" -Path $OUOrganization -PassThru

#Set the password for the service accounts (the same password is used for all three; lab only,
#in a real environment every service account gets its own password, or better a gMSA):
$ServiceAccountPassword = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force

#Create Service accounts:
New-ADUser -Name "sa_vmm" -Description "VMM Service Account" -Path $OUServiceAccounts -AccountPassword $ServiceAccountPassword -Enabled $true
New-ADUser -Name "sa_host_admin" -Description "Hyper-V Host Admin Account" -Path $OUServiceAccounts -AccountPassword $ServiceAccountPassword -Enabled $true
New-ADUser -Name "sa_sql" -Description "SQL Service Account" -Path $OUServiceAccounts -AccountPassword $ServiceAccountPassword -Enabled $true

#Create the DKMVMM container in the domain root:
New-ADObject -Type Container -Name "DKMVMM" -Path $DomainName

#Grant sa_vmm full rights on the DKMVMM container:
$DkmVmmObj = [ADSI]("LDAP://CN=DKMVMM,$DomainName")
$Account = New-Object System.Security.Principal.NTAccount("dev\sa_vmm")
$ActiveDirectoryRights = "GenericAll"          #full control
$AccessControlType = "Allow"
$Inherit = "SelfAndChildren"                   #applies to the container and its direct children
$nullGUID = [guid]'00000000-0000-0000-0000-000000000000'   #no object-type restriction: all object classes
$ACL = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Account, $ActiveDirectoryRights, $AccessControlType, $Inherit, $nullGUID
$DkmVmmObj.psbase.ObjectSecurity.AddAccessRule($ACL)
$DkmVmmObj.psbase.CommitChanges()
```
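Before moving on I like to confirm that both scripts did what they were supposed to do, in particular that the ACE on the DKMVMM container landed on the right principal and that nothing else was granted there. The script below is an added verification step, not part of the original scripts above; it assumes the names used in this post (domain DEV.lab, the "Organization" OU tree, the three sa_* accounts and a DKMVMM container in the domain root) and is meant to be run on the new DC where the ActiveDirectory module and its AD: drive are available.

```powershell
# Added verification script (assumes the names used earlier in this post).
Import-Module ActiveDirectory

$DomainDN   = "DC=DEV,DC=lab"
$DkmDN      = "CN=DKMVMM,$DomainDN"
$VmmAccount = "DEV\sa_vmm"

# 1. The box is now a DC; in a single-DC forest it should hold all five FSMO roles.
$dc = Get-ADDomainController
"{0} is a DC for {1}, roles: {2}" -f $dc.HostName, $dc.Domain, ($dc.OperationMasterRoles -join ", ")

# 2. The OUs and service accounts exist where the script put them.
foreach ($ou in "Organization", "Servers", "Workstations", "Users", "Groups", "ServiceAccounts") {
    $found = Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $DomainDN
    if ($found) { "OK  OU   $($found.DistinguishedName)" } else { "MISSING OU $ou" }
}
foreach ($sam in "sa_vmm", "sa_host_admin", "sa_sql") {
    $u = Get-ADUser -Filter "SamAccountName -eq '$sam'"
    if ($u -and $u.Enabled) { "OK  user $($u.DistinguishedName)" } else { "MISSING or disabled user $sam" }
}

# 3. Audit the DACL on the DKMVMM container. Only the explicit (non-inherited) ACEs
#    matter here: the GenericAll ACE for sa_vmm must be present, and there should be
#    no other explicit grants on the container that holds VMM's encryption keys.
$acl      = Get-Acl -Path "AD:\$DkmDN"
$explicit = $acl.Access | Where-Object { -not $_.IsInherited }
$explicit | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
    Format-Table -AutoSize

$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$vmmAce = $explicit | Where-Object {
    $_.IdentityReference.Value -ieq $VmmAccount -and
    $_.AccessControlType -eq "Allow" -and
    $_.ActiveDirectoryRights.HasFlag($GenericAll)
}
if ($vmmAce) { "OK  $VmmAccount has GenericAll on $DkmDN" }
else         { "MISSING GenericAll ACE for $VmmAccount on $DkmDN" }

# Any other explicit ACE on the key container deserves a second look: whoever can
# read or write it can reach the keys protecting the credentials VMM stores.
$others = $explicit | Where-Object { $_.IdentityReference.Value -ine $VmmAccount }
if ($others) {
    "WARNING: additional explicit ACEs on ${DkmDN}:"
    $others | Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize
}
```

The inherited ACEs (Domain Admins, SYSTEM, Enterprise Admins and so on) are filtered out on purpose; they come from the domain root and are expected. Only explicit entries tell you what the script above, or somebody else, added directly to the container.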
This is the end of part 1.
Coming up next: Install the SQL Server.