
Spinning up a new Domain Controller with Server 2016 Server Core, PowerShell, and DSC

Prerequisites
1) Preferably a test environment away from your production domain.
2) A VM for testing.
3) Preferably, a virtualization environment. You don't need Hyper-V or ESXi for this; VMware Player or Workstation on a machine with 8GB of RAM and preferably an i7 will work just fine.
4) The xPSDesiredStateConfiguration, xActiveDirectory, and xNetworking modules installed on the VM that will become the DC. To install a module, use the Install-Module cmdlet.
5) Run all of these cmdlets and the remoting session from PowerShell ISE.

Spinning up a Domain Controller can take some time, especially with all of the pointing and clicking. Instead, let's use PowerShell and DSC (Desired State Configuration), a free configuration management engine built into PowerShell. Let's get started.

First, we want to spin up a VM for our domain controller. In my case, I'm using Server 2016 Datacenter Server Core. For help in spinning up a VM with PowerShell, please visit my GitHub on automating a VM spin-up:

If your VM and Hyper-V host are NOT on the same domain, as in my case because Hyper-V is not bound to any domain, you will need to add your VM to the WinRM TrustedHosts list on the machine you are connecting from. Use this command:

winrm s winrm/config/client '@{TrustedHosts="VM_IP_Address"}'

Please note: you will have to use the IP address of the VM both for the trusted host entry and for connecting to the machine. The reason is that you aren't on the same domain, so there is no DNS resolution. Also, make note of the ports you see in the screenshot below; these are the ports used for PSRemoting/WinRM.

Now to the fun part. Let's connect to our VM.

PowerShell Code:
$user = 'Administrator'
# Replace 'YourPassword' with the local Administrator password of the VM.
$Creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, ('YourPassword' | ConvertTo-SecureString -AsPlainText -Force)
# Connect by IP address, as noted above; the VM is not resolvable by name.
Enter-PSSession -ComputerName VM_IP_Address -Credential $Creds

As you can see from the above, I am using a PowerShell session to connect to my Server Core VM. I'm using the .NET class System.Management.Automation.PSCredential and passing my password in as a SecureString created with ConvertTo-SecureString. This allows my password to be encrypted in transit instead of just passing it in at a prompt. Remember, security isn't about mitigating ALL risks; it's about preventing as much as you can. However, that's a topic for another day. Let's continue.

Now that we're in, we're going to run our DSC config. For more information on DSC, please review this link:
DSC is just like Chef or Puppet. Both have been around much longer, but DSC is catching up. Also, it's free and you can compile and apply MOF configurations locally. The code below builds the DC through DSC without any clicks.

Configuration NewDomain
{
    param
    (
        # Both credentials are supplied when the configuration is compiled (see below).
        [Parameter(Mandatory)]
        [pscredential]$safemodeAdministratorCred,

        [Parameter(Mandatory)]
        [pscredential]$domainCred
    )

    Import-DscResource -ModuleName xActiveDirectory
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xNetworking

    Node $AllNodes.Where{$_.Role -eq "Primary DC"}.NodeName
    {
        # LCM settings: keep applying after the promotion reboot and let DSC reboot the node.
        LocalConfigurationManager
        {
            ActionAfterReboot  = 'ContinueConfiguration'
            ConfigurationMode  = 'ApplyOnly'
            RebootNodeIfNeeded = $true
        }

        # Folder for the AD database and logs.
        File ADFiles
        {
            DestinationPath = 'C:\NTDS'
            Type            = 'Directory'
            Ensure          = 'Present'
        }

        WindowsFeature ADDSInstall
        {
            Ensure = "Present"
            Name   = "AD-Domain-Services"
        }

        WindowsFeature ADDSTools
        {
            Ensure = "Present"
            Name   = 'RSAT-ADDS'
        }

        # Promote this node to the first DC of a new forest.
        xADDomain FirstDomain
        {
            DomainName                    = "TESTDOMAIN.local"
            DomainNETBIOSName             = "TESTDOMAIN"
            DomainAdministratorCredential = $domainCred
            SafemodeAdministratorPassword = $safemodeAdministratorCred
            DatabasePath                  = 'C:\NTDS'
            LogPath                       = 'C:\NTDS'
            DependsOn                     = "[WindowsFeature]ADDSInstall", "[File]ADFiles"
        }
    }
}#Config Closing

#AD Config

$ADConfig = @{
    AllNodes = @(
        @{
            NodeName                    = "localhost"
            Role                        = "Primary DC"
            DomainName                  = "TESTDOMAIN.local"
            RetryCount                  = 20
            RetryIntervalSec            = 30
            # Lets the compiler write the credentials into the MOF unencrypted; test use only.
            PsDscAllowPlainTextPassword = $true
            # Required because the domain admin credential below carries a domain prefix.
            PsDscAllowDomainUser        = $true
        }
    )
}

# Compile the MOF files into .\NewDomain; you are prompted for both credentials.
NewDomain -ConfigurationData $ADConfig `
    -safemodeAdministratorCred (Get-Credential -UserName '(Password Only)' `
        -Message "New Domain Safe Mode Administrator Password") `
    -domainCred (Get-Credential -UserName TESTDOMAIN\Administrator `
        -Message "New Domain Admin Credential")

# Apply the LCM settings (meta MOF) before the configuration itself.
Set-DscLocalConfigurationManager -Path .\NewDomain -Verbose -Force

#Build your domain
Start-DscConfiguration -Wait -Force -Path .\NewDomain -Verbose

As you can see, we're storing NTDS on the C: drive. This is just for testing purposes; I advise storing this database-like component on a drive other than C:. Also, as you can see, you will need to supply the Safe Mode administrator password and the domain admin credential, which the Get-Credential prompts pass into the configuration's parameter block.
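The PsDscAllowPlainTextPassword setting in the configuration data tells the compiler to write both credentials into localhost.mof in clear text, which is fine in a lab but not beyond it. Below is an added example, not part of the original post, of the supported alternative: a document-encryption certificate on the node encrypts the credentials at compile time and the LCM decrypts them with the private key. The certificate name, the C:\DscPublicKey.cer path, and the trimmed resource list are assumptions; everything runs inside the PSSession on the VM, as in the post.

```powershell
# Step 1, on the node (inside the PSSession): create a document-encryption certificate in the
# machine store, where the LCM (running as SYSTEM) can reach the private key; export the public half.
$cert = New-SelfSignedCertificate -Type DocumentEncryptionCertLegacyCsp -DnsName 'DscEncryptionCert' `
    -HashAlgorithm SHA256 -CertStoreLocation 'Cert:\LocalMachine\My'
Export-Certificate -Cert $cert -FilePath 'C:\DscPublicKey.cer' | Out-Null   # assumed path

# Step 2: configuration data carries the public key instead of PsDscAllowPlainTextPassword = $true.
$ADConfig = @{
    AllNodes = @(
        @{ NodeName = 'localhost'; Role = 'Primary DC'; PsDscAllowDomainUser = $true
           CertificateFile = 'C:\DscPublicKey.cer'; Thumbprint = $cert.Thumbprint }
    )
}
# Step 3: the post's resources, trimmed to the two that handle the credentials; the only
# addition is CertificateID, which tells the LCM which private key decrypts the MOF.
Configuration NewDomainEncrypted
{
    param([Parameter(Mandatory)][pscredential]$safemodeAdministratorCred,
          [Parameter(Mandatory)][pscredential]$domainCred)
    Import-DscResource -ModuleName xActiveDirectory
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node $AllNodes.Where{$_.Role -eq 'Primary DC'}.NodeName
    {
        LocalConfigurationManager
        {
            CertificateID      = $Node.Thumbprint
            RebootNodeIfNeeded = $true
        }
        WindowsFeature ADDSInstall { Ensure = 'Present'; Name = 'AD-Domain-Services' }
        xADDomain FirstDomain
        {
            DomainName                    = 'TESTDOMAIN.local'
            DomainNETBIOSName             = 'TESTDOMAIN'
            DomainAdministratorCredential = $domainCred
            SafemodeAdministratorPassword = $safemodeAdministratorCred
            DependsOn                     = '[WindowsFeature]ADDSInstall'
        }
    }
}

# Step 4: compile, then confirm the clear-text password never reached the MOF before applying it.
$safe = Get-Credential -UserName '(Password Only)' -Message 'New Domain Safe Mode Administrator Password'
$dom  = Get-Credential -UserName TESTDOMAIN\Administrator -Message 'New Domain Admin Credential'
NewDomainEncrypted -ConfigurationData $ADConfig -safemodeAdministratorCred $safe -domainCred $dom | Out-Null
if (Select-String -Path .\NewDomainEncrypted\localhost.mof -SimpleMatch -Quiet `
        -Pattern $dom.GetNetworkCredential().Password) {
    throw 'localhost.mof still contains the clear-text domain password'
}
Set-DscLocalConfigurationManager -Path .\NewDomainEncrypted -Verbose -Force
Start-DscConfiguration -Wait -Force -Path .\NewDomainEncrypted -Verbose
```

The meta MOF with CertificateID must be applied by Set-DscLocalConfigurationManager before Start-DscConfiguration, or the LCM cannot decrypt the credentials.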

That's it! Your VM will reboot, and your DC will be up and running. As you can see, the BIGGEST part of this was the pre-prep. After that, it's a breeze. Imagine doing this same thing on 20 servers the manual way. With this, you can open a PSSession to 20 servers and run a DSC config to not only spin up a DC, but also add secondary DCs to your environment. This is what automation is all about!

