
Spinning up a new Domain Controller with Server 2016 Server Core, PowerShell, and DSC

**Prerequisites**
1) Preferably a test environment away from your production domain.
2) A VM for testing.
3) Preferably, a virtualization environment. You don't need Hyper-V or ESXi for this; VMware Player or Workstation on a machine with 8GB of RAM and preferably an i7 will work just fine.
4) The xPSDesiredStateConfiguration, xActiveDirectory, and xNetworking modules installed on the VM that will become the DC. Import-DscResource resolves modules on the machine that compiles the configuration, and the LCM needs them on the node it configures; here both are the VM itself. To install a module, use the Install-Module cmdlet.
5) All of the cmdlets and remoting below are run from PowerShell ISE.


Spinning up a Domain Controller can take some time, especially with all of the pointing and clicking. Instead, let's use PowerShell and DSC (Desired State Configuration), a free configuration management engine built into PowerShell. Let's get started.

First, we want to spin up a VM for our domain controller. In my case, I'm using Server 2016 Datacenter Server Core. For help in spinning up a VM with PowerShell, please visit my GitHub on automating a VM spin-up: https://github.com/WindowsAdmin92/HyperVClusteredEnvBuildout/blob/master/New-HyperVM.ps1


If your VM and the machine you are connecting from are NOT on the same domain, as in my case because the Hyper-V host is not bound to any domain, Kerberos cannot authenticate the remote machine, so WinRM refuses the connection until you add the VM to your client's TrustedHosts list. Use this command:

winrm s winrm/config/client '@{TrustedHosts="VM_IP_Address"}'

Please note: you will have to use the IP address of the VM both for the TrustedHosts entry and when connecting to the machine. Because you aren't on the same domain, there is no DNS resolution for the VM's name. Keep in mind what TrustedHosts actually does: it tells your client to stop verifying the identity of the listed host, so list the single IP rather than a wildcard and remove it when you're done. Also make note of the ports WinRM listens on, which are the ports used for PSRemoting: 5985 for HTTP and 5986 for HTTPS (these are what the screenshot below shows).



Now to the fun part. Let's connect to our VM.

PowerShell Code:
$user = 'Administrator'
# Builds a PSCredential from a user name and a SecureString password
$Creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, ('YourPassword' | ConvertTo-SecureString -AsPlainText -Force)
Enter-PSSession -ComputerName 192.168.1.4 -Credential $Creds


As you can see from the above, I am using a PowerShell session to connect to my Server Core VM. I'm building a System.Management.Automation.PSCredential object and converting the password with ConvertTo-SecureString, which keeps it as a SecureString in memory rather than as a plain .NET string. One correction is needed here: ConvertTo-SecureString does not protect the password on the wire. What encrypts the session is WinRM itself (message-level encryption under NTLM or Kerberos over HTTP, or TLS when you connect with -UseSSL), and hard-coding 'YourPassword' in a script leaves it in the file and in your command history. Prompting with Get-Credential, which returns the same PSCredential type, avoids both problems. Remember, security isn't about mitigating ALL risks, it's about preventing as much as you can. However, that's a topic for another day. Let's continue.
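The two steps above (trusting the host, then opening the session) as one added example. This is not code from the original post; it assumes the VM address 192.168.1.4 and the local Administrator account used in the post, and it prompts for the password instead of embedding it in the script.

```powershell
# Added example (not from the original post): connect to a workgroup Server Core VM
# over WinRM without putting the password in the script. Assumes the VM's IP is
# 192.168.1.4 and the account is the local Administrator, as in the post.
$VmIp = '192.168.1.4'

# TrustedHosts disables WinRM's server-identity check for the listed hosts, so list
# only this IP (never '*') and remove it again when you are done.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($current -notmatch [regex]::Escape($VmIp)) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $VmIp -Concatenate -Force
}
Get-Item WSMan:\localhost\Client\TrustedHosts | Select-Object Name, Value

# Prompting keeps the password out of the script file and the command history.
$Creds = Get-Credential -UserName 'Administrator' -Message 'Local admin on the Server Core VM'

# Confirm the listener answers before opening a session. 5985 is the default HTTP
# listener; with an HTTPS listener add -UseSSL (port 5986) to the calls below.
Test-WSMan -ComputerName $VmIp -Credential $Creds -Authentication Negotiate

# Over HTTP, Negotiate (NTLM here, since there is no Kerberos without a domain)
# still encrypts the SOAP message bodies; -UseSSL would add TLS on top.
$session = New-PSSession -ComputerName $VmIp -Credential $Creds -Authentication Negotiate

# Check what we are about to configure before going interactive.
Invoke-Command -Session $session -ScriptBlock {
    $PSVersionTable.PSVersion
    (Get-CimInstance Win32_OperatingSystem).Caption
    Get-Module -ListAvailable xActiveDirectory, xNetworking |
        Select-Object Name, Version
}
Enter-PSSession -Session $session

# When finished, drop the TrustedHosts exception rather than leaving it in place:
# Set-Item WSMan:\localhost\Client\TrustedHosts -Value '' -Force
```

The Get-Module call in the remote block tells you up front whether prerequisite 4 is met; if either module is missing, Import-DscResource in the configuration below will fail at compile time.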

Now that we're in, we're going to run our DSC configuration. For more information on DSC, please review this link: https://docs.microsoft.com/en-us/powershell/dsc/overview
DSC plays the same role as Chef or Puppet. Both have been around much longer, but DSC is catching up. It's also free, and you can compile and apply MOF configurations locally without a pull server. The configuration below promotes the server to a domain controller without any clicking.

Configuration NewDomain
{
    param(
        [parameter(Mandatory=$true)]
        [pscredential]$domainCred,

        [parameter(Mandatory=$true)]
        [pscredential]$safemodeAdministratorCred
    )

    # Import-DscResource is resolved at compile time, so these modules must be
    # installed on the machine compiling the MOF (here, the future DC itself).
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xActiveDirectory
    Import-DscResource -ModuleName xNetworking

    Node $AllNodes.Where{$_.Role -eq "Primary DC"}.NodeName
    {
        # Meta-configuration: promotion forces a reboot, so let the LCM reboot
        # the node and pick the configuration back up afterwards.
        LocalConfigurationManager
        {
            ActionAfterReboot  = 'ContinueConfiguration'
            ConfigurationMode  = 'ApplyOnly'
            RebootNodeIfNeeded = $true
        }

        File ADFiles
        {
            DestinationPath = 'C:\NTDS'
            Type            = 'Directory'
            Ensure          = 'Present'
        }

        WindowsFeature ADDSInstall
        {
            Ensure = "Present"
            Name   = "AD-Domain-Services"
        }

        WindowsFeature ADDSTools
        {
            Ensure = 'Present'
            Name   = 'RSAT-ADDS'
        }

        xADDomain FirstDomain
        {
            DomainName                    = "TESTDOMAIN.local"
            DomainNETBIOSName             = "TESTDOMAIN"
            DomainAdministratorCredential = $domainCred
            SafemodeAdministratorPassword = $safemodeAdministratorCred
            DatabasePath                  = 'C:\NTDS'
            LogPath                       = 'C:\NTDS'
            # The role must be installed and the NTDS folder present first.
            DependsOn                     = "[WindowsFeature]ADDSInstall", "[File]ADFiles"
        }
    }#Node
}#Config Closing

#AD Config
$ADConfig = @{
    AllNodes = @(
        @{
            NodeName                    = "localhost"
            Role                        = "Primary DC"
            DomainName                  = "TESTDOMAIN.local"
            RetryCount                  = 20
            RetryIntervalSec            = 30
            # Test only: both passwords are written to the MOF in clear text.
            PsDscAllowPlainTextPassword = $true
            # Required because the credential's user name carries a domain prefix.
            PSDscAllowDomainUser        = $true
        }
    )
}

# Compile; the MOFs land in .\NewDomain (the configuration's name).
NewDomain -ConfigurationData $ADConfig `
    -safemodeAdministratorCred (Get-Credential -UserName '(Password Only)' `
        -Message "New Domain Safe Mode Administrator Password") `
    -domainCred (Get-Credential -UserName TESTDOMAIN\administrator `
        -Message "New Domain Admin Credential")

# Apply the LCM settings (localhost.meta.mof) before the configuration itself
Set-DscLocalConfigurationManager -Path .\NewDomain -Verbose -Force

#Build your domain
Start-DscConfiguration -Wait -Force -Path .\NewDomain -Verbose


As you can see, we're storing the NTDS database and logs on the C: drive. This is just for testing purposes; I advise storing this database-like component on a separate drive other than C:. Also note that the two Get-Credential calls prompt you for the safe mode (DSRM) password and the domain admin credential when the configuration is compiled, and that PsDscAllowPlainTextPassword = $true writes both of them into the compiled MOF in clear text. For anything beyond a lab, encrypt them with a certificate instead: CertificateFile and Thumbprint in the configuration data, and CertificateID in the LCM settings.
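The certificate-encrypted alternative to PsDscAllowPlainTextPassword, as an added example that is not part of the original post. It reuses the NewDomain configuration defined above and assumes it is run on the VM itself (compile node and target node are both localhost), so the self-signed certificate is created directly in the node's machine store; the export path C:\DscPublicKey.cer is an assumption. The Settings block here replaces the LocalConfigurationManager block inside NewDomain, so either remove that block or add CertificateID = $cert.Thumbprint to it and skip step 3.

```powershell
# Added example (not from the original post): compile the post's NewDomain
# configuration with encrypted credentials instead of PsDscAllowPlainTextPassword.
# Assumes NewDomain is already defined in this session and that we compile on the
# node we configure (localhost), as the post does.

# 1. A document-encryption certificate in the node's machine store. The node needs
#    the private key to decrypt; a separate compiling machine would only need the .cer.
$cert = New-SelfSignedCertificate -Type DocumentEncryptionCertLegacyCsp `
    -DnsName 'DscEncryptionCert' -HashAlgorithm SHA256 `
    -CertStoreLocation 'Cert:\LocalMachine\My'
$cerPath = 'C:\DscPublicKey.cer'   # assumed path for the exported public key
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 2. Configuration data: CertificateFile + Thumbprint take the place of the
#    plaintext flag. PSDscAllowDomainUser is still needed for TESTDOMAIN\... names.
$ADConfig = @{
    AllNodes = @(
        @{
            NodeName             = 'localhost'
            Role                 = 'Primary DC'
            DomainName           = 'TESTDOMAIN.local'
            CertificateFile      = $cerPath
            Thumbprint           = $cert.Thumbprint
            PSDscAllowDomainUser = $true
        }
    )
}

# 3. The LCM must know which private key decrypts the MOF (CertificateID).
#    This replaces the LocalConfigurationManager block inside NewDomain.
[DSCLocalConfigurationManager()]
configuration NewDomainLcm {
    Node localhost {
        Settings {
            CertificateID      = $cert.Thumbprint
            RebootNodeIfNeeded = $true
            ActionAfterReboot  = 'ContinueConfiguration'
            ConfigurationMode  = 'ApplyOnly'
        }
    }
}
NewDomainLcm -OutputPath .\NewDomainLcm | Out-Null
Set-DscLocalConfigurationManager -Path .\NewDomainLcm -Verbose

# 4. Compile exactly as in the post. WMF 5 now writes each Password as a
#    "-----BEGIN CMS-----" block rather than the clear-text value.
NewDomain -ConfigurationData $ADConfig `
    -safemodeAdministratorCred (Get-Credential -UserName '(Password Only)' `
        -Message 'New Domain Safe Mode Administrator Password') `
    -domainCred (Get-Credential -UserName 'TESTDOMAIN\administrator' `
        -Message 'New Domain Admin Credential') | Out-Null

# Sanity check before applying: a Password field whose value does not start with
# the CMS header would mean a credential was still serialized in clear text.
$mof = Get-Content .\NewDomain\localhost.mof -Raw
if ($mof -match 'Password\s*=\s*"[^-]') {
    throw 'localhost.mof still contains a clear-text password; check Thumbprint/CertificateFile'
}

Start-DscConfiguration -Wait -Force -Path .\NewDomain -Verbose
```

The check on localhost.mof is the habit worth keeping: the MOF is what gets copied around and stored under C:\Windows\System32\Configuration on the node, so it is the artifact to inspect, not the script that produced it.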

That's it! Your VM will reboot, and your DC will be up and running. As you can see, the BIGGEST part of this was the pre-prep. After that, it's a breeze. Imagine having to do this same thing on 20 servers the manual way. With this, you can open a PSSession to 20 servers and run a DSC configuration to not only spin up a DC but also add secondary DCs to your environment. This is what automation is all about!
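A post-reboot verification pass, added here as an example that is not part of the original post. It is meant to be run in a fresh session to the VM (reconnect by IP with the Administrator credential as before) and checks the things the configuration above promised: that the LCM finished after the reboot, that AD DS is serving TESTDOMAIN.local, and that the NTDS files landed under C:\NTDS.

```powershell
# Added example (not from the original post): verify the promotion after the reboot.
# Run on the new DC, e.g. via Invoke-Command or Enter-PSSession to 192.168.1.4.

# Did the LCM complete the configuration it resumed after rebooting?
$status = Get-DscConfigurationStatus
$status | Select-Object Status, StartDate, Type, RebootRequested, NumberOfResources
if ($status.Status -ne 'Success') {
    # Full history of runs, useful when the post-reboot continuation failed
    Get-DscConfigurationStatus -All | Format-List
}

# Is every resource still in its desired state? (-Detailed lists the offenders)
Test-DscConfiguration -Detailed | Select-Object -ExpandProperty ResourcesNotInDesiredState

# Core AD DS services (DNS is present when the promotion installed a DNS server)
Get-Service NTDS, Netlogon, Kdc, DNS -ErrorAction SilentlyContinue |
    Select-Object Name, Status

# The forest/domain the configuration asked for (RSAT-ADDS gives us the module)
Import-Module ActiveDirectory
$domain = Get-ADDomain
[pscustomobject]@{
    DNSRoot     = $domain.DNSRoot        # expected: TESTDOMAIN.local
    NetBIOSName = $domain.NetBIOSName    # expected: TESTDOMAIN
    PDCEmulator = $domain.PDCEmulator
    DomainMode  = $domain.DomainMode
}
Get-ADDomainController -Identity $env:COMPUTERNAME |
    Select-Object HostName, IsGlobalCatalog, IsReadOnly, OperationMasterRoles

# DatabasePath/LogPath really took effect (both were C:\NTDS in the post)
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' |
    Select-Object 'DSA Database file', 'Database log files path', 'DSA Working Directory'

# Follow-up: the LCM keeps the applied MOF on the node. Compiled with
# PsDscAllowPlainTextPassword it holds the admin and DSRM passwords in clear text,
# so once the DC is healthy consider Remove-DscConfigurationDocument -Stage Current
# (ApplyOnly mode means nothing is re-applied from it anyway).
Get-ChildItem C:\Windows\System32\Configuration\*.mof |
    Select-Object Name, Length, LastWriteTime
```

If Test-DscConfiguration reports xADDomain out of state while Get-ADDomain succeeds, the usual cause is the credential in the stored MOF no longer matching, which is exactly why the safe mode and admin passwords should not live in that file in clear text.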
