Charlie Russel's Blog

First, an apology. I usually try to be conscientious about adding new nuggets of PowerShell fun on a regular basis, but this winter, LIFE has intruded, and it simply hasn’t happened. I won’t promise it won’t happen again, but I will try to do better.

Today’s post looks at a problem we’ve been dealing with at work — how to pre-configure new laptops with the VPN access they’ll need for users to get logged in, even when they’re not ever in an office to set themselves up. There are lots of different workarounds and solutions, but what  we came up with was a PowerShell script that would create one or more VPNs programmatically. We take advantage of the Invoke-WebRequest cmdlet I discussed earlier to pull down an updated set of parameters for the available VPNs, allowing us to separate the code from the data, useful for providing some protection against changes — we only have to update one file.

The command to create a new VPN connection is: Add-VPNConnection,  and it comes with a plethora of parameters, most of which you’ll never need. But as always, good to have them when you need them. For our purposes, we needed to specify the VPN type (-TunnelType), the authentication method, and an initial pre-shared key for L2TP. We also wanted the ability to use the same script for individual user profile VPNs, and to control whether the VPN used a split tunnel. (Normally, we configure for split tunneling.) The basic command is:

Add-VpnConnection -Name <ConnectionName> `
                  -ServerAddress <IP Address of VPN Server> `
                  -TunnelType L2TP `
                  -L2tpPsk <somereallylongandoddstring> `
                  -AuthenticationMethod MSChapv2 `
                  -AllUserConnection `
                  -SplitTunneling `
                  -PassThru

So, we know we’re going to need a name for the connection, and IP address, and the L2TP PSK for each connection. The easy way is to stuff that into a CSV file and store it up in the cloud where all the IT staff can get at it from whatever location we’re in. So we need to read the contents of a file, probably stored in the cloud, and, using a foreach statement, iterate the Add-VPNConnection command once for each line of the CSV file to create VPNs to all of the VPNs listed in the CSV file. Pretty simple, really. The annoying part is that we have to repeat ourselves doing this to handle the values of the AllUserConnection and SplitTunneling switches in the Add-VPNConnection command. If they were Booleans, it would be a bit less messy.

<#
.Synopsis
Creates one or more VPNs. Uses a CSV file stored in OneDrive for Business
.Description
New-myVPN reads a list of VPNs and their parameters from a CSV file stored 
in OneDrive for Business, and creates one or more VPNs based on that list.

The created VPNs can be configured as AllUser VPNs, or only for the current
user (the default). The VPNs are created as Split-Tunnel VPNs unless the 
NoSplitVPN parameter is specified. 
.Example
New-myVPN 

Reads the default VPN.csv file and creates vpns using the details in that file
to create VPNs as split-Tunnel VPNs available to all users.
.Example
New-myVPN -NoSplitVPN -AllUserConnection $False

Reads the default VPN.csv file and creates new VPNs using the details in that file. 
The VPNs are created in the current user's profile, and are not created as split VPNs
.Parameter Path
Path to CSV file. The CSV file is in the format: Name,ServerAddress,L2tpPsk. The 
default path is to a file called VPN.csv, stored in a folder called Private, in 
the current user's OneDrive for Business. 
.Parameter AllUserConnection
Boolean -- default is $True. When True, VPNs are created as an AllUserConnection and
are available to all users on the computer. When False, VPNs are created in the 
current user's profile and are only available to the user after logon. 
.Parameter NoSplitTunnel
Switch -- VPNs are created as SplitTunnel VPNs unless this switch is enabled. A 
SplitTunnel VPN sends all regular traffic to the main network interface, but 
sends traffic to hosts connected via the VPN to the VPN. 

When this switch is set, all traffic outside of the local subnet is sent over the 
VPN connection. 

.Inputs
[string]
[Boolean]
[Switch]
.Notes
    Author: Charlie Russel
 Copyright: 2018 by Charlie Russel
          : Permission to use is granted but attribution is appreciated
   Initial: 13 March, 2018 (cpr)
   ModHist:
          :
#>
[CmdletBinding()]
Param(
     [Parameter(Mandatory=$False,Position=0)]
     [string]
     $Path = (Get-ItemProperty 'HKCU:\Software\Microsoft\OneDrive\Accounts\Business1').UserFolder + "\private\vpn.csv",
     [Parameter(Mandatory=$true)]
     [Boolean]
     $AllUserConnection,
     [Parameter(Mandatory=$False)]
     [Switch]
     $NoSplitTunnel
     )


if ($Path -match "http") { # We're connecting to the web to get the parameters
   Write-Verbose "Found a match against $Matches[0], so using WebRequest"
   $vpnParams = ConvertFrom-CSV (Invoke-WebRequest -Uri $Path ).ToString() 
} else { # We're going against a local path
   Write-Verbose "Reading from a local file $path"
   $vpnParams = ConvertFrom-CSV (Get-Content $Path)
}

$vpncount = $vpnParams.count
if (($AllUserConnection) -AND (! $NoSplitTunnel)) {
   Write-Verbose "Creating $vpn.count AllUser VPNs using parameters in $path and split-tunneling"
   ForEach ($param in $vpnParams) {
      Add-VpnConnection -Name $param.Name `
                        -ServerAddress $param.ServerAddress `
                        -TunnelType L2TP `
                        -L2tpPsk $param.L2tpPsk `
                        -AuthenticationMethod MSChapv2 `
                        -EncryptionLevel Optional `
                        -AllUserConnection `
                        -SplitTunneling `
                        -Force `
                        -PassThru
   }
} elseif (($AllUserConnection) -AND ($NoSplitTunnel)) {
   Write-Verbose "Creating $vpncount AllUser VPNs using parameters in $path and no split-tunneling"
   ForEach ($param in $vpnParams) {
      Add-VpnConnection -Name $param.Name `
                        -ServerAddress $param.ServerAddress `
                        -TunnelType L2TP `
                        -L2tpPsk $param.L2tpPsk `
                        -AuthenticationMethod MSChapv2 `
                        -EncryptionLevel Optional `
                        -AllUserConnection `
                        -Force `
                        -PassThru
   }
} elseif ($NoSplitTunnel) {
   Write-Verbose "Creating $vpncount current user VPNs using parameters in $path and no split-tunneling"
   ForEach ($param in $vpnParams) {
      Add-VpnConnection -Name $param.Name `
                        -ServerAddress $param.ServerAddress `
                        -TunnelType L2TP `
                        -L2tpPsk $param.L2tpPsk `
                        -AuthenticationMethod MSChapv2 `
                        -EncryptionLevel Optional `
                        -Force `
                        -PassThru
   }
} else { 
   Write-Verbose "Creating $vpncount current user VPNs using parameters in $path and split-tunneling"
   ForEach ($param in $vpnParams) {
      Add-VpnConnection -Name $param.Name `
                        -ServerAddress $param.ServerAddress `
                        -TunnelType L2TP `
                        -L2tpPsk $param.L2tpPsk `
                        -AuthenticationMethod MSChapv2 `
                        -EncryptionLevel Optional `
                        -SplitTunneling `
                        -Force `
                        -PassThru
   }
}

An interesting problem came up recently where we needed to standardize the creation of VPNs on new user laptops. To do that, I knew I needed to use the Add-VPNConnection cmdlet (more on that in a another post, soon.) But in order to populate the parameters of Add-VPNConnection, I needed to store the values somewhere. The easy answer was on my desktop, but that’s not terribly portable, especially since I routinely work on any of 3 or 4 different computers. The answer was to store the parameters in a file on my OneDrive for Business (ODB) site, and suck the contents of the file down to whatever machine I happened to be on with Invoke-WebRequest. The file needed to be a CSV file with three fields for each VPN–Name, IP Address, and the L2TP Pre-Shared Key. Easy enough, I know how to parse a CSV file. (If you want a useful example, see Importing Users into Active Directory). But first, I have to get the contents of that CSV file. The answer was a cmdlet I hadn’t had occasion to use before — Invoke-WebRequest. To make this work, you’ll need a link to the document in your OneDrive for Business site. (This will work identically with consumer OneDrive, but since these are business assets, they belong in ODB.) That link will look something like:

https://example-my.sharepoint.com/personal/charlie_example_com/_layouts/15/guestaccess.aspx?docid=123456789abcdef0123456789abcdef01&authkey=ABcDEFGH01IJkl2MnopQRSt your code here

To download the file with Invoke-WebRequest, and save it to a file on your local hard drive, use:

Invoke-WebRequest -Uri 'https://example-my.sharepoint.com/personal/charlie_example_com/_layouts/15/guestaccess.aspx?docid=123456789abcdef0123456789abcdef01&authkey=ABcDEFGH01IJkl2MnopQRSt' -Credential (Get-Credential) -Outfile 'C:\Temp\Content.txt'

That’s one ugly long command line, but mostly that’s because ODB creates seriously long links to documents! However, it’s really pretty simple — only 3 parameters: The link to the document (-Uri), a Credential parameter, and the location to save the content to (-OutFile).

An important caveat here — by using -OutFile, we’ve forced Invoke-WebRequest to just give us the content of the file. But if you’re running this in a script where you’re not saving to a file, but want to use it directly with ConvertFrom-CSV, for example, you need to access the Content property ToString method of the file. So, you might have something like this:

$BaseURI = 'https://example-my.sharepoint.com/personal/charlie_example_com/_layouts/15/guestaccess.aspx?'
$DocID = '123456789abcdef0123456789abcdef01'
$authKey = 'ABcDEFGH01IJkl2MnopQRSt'
$FullUri = $BaseURI + "DocID=$DocID" + "&AuthKey=$authKey"
# $VPNParams = ConvertFrom-CSV (Invoke-WebRequest -Uri $FullUri -Credential $cred).Content
$VPNParams = ConvertFrom-CSV (Invoke-WebRequest -Uri $FullUri -Credential $Cred).ToString()

(Thanks to Ricardo Heredero for the initial suggestion!)

ETA: It appears Microsoft, in their infinite wisdom, have changed the link format for OneDrive for Business links. You’ll want to adjust accordingly, of course. Sigh.

ETA2: OK, so there’s a bug in this! If you use the .Content property, it gives you the byte string. NOT what you want. The cleanest solution is to use the ToString method. This means you need:

$VPNParams = ConvertFrom-CSV (Invoke-WebRequest -Uri $FullUri -Credential $Cred).ToString()

Sorry about that!

Creating a new forest

In the previous sections of this series, I’ve covered how to build VMs using PowerShell, but labs aren’t much good if they don’t actually have any structure. So, let’s create a new forest and domain to manage our labs. I’m going to assume for this post that you’ve gotten started already and created a new Windows Server 2012R2 or Windows Server 2016 virtual machine. For this, it can be a graphical install or a Server Core installation and either Server Standard or Datacenter. Since we’re going to be using only PowerShell to create the forest, there’s no need for a GUI.

The things we’ll need to have identified before we start are:

• Server IP address
• Server name
• DNS namespace for the root domain of the forest
• Domain name for the root domain of the forest
• DNS Server type (AD-integrated or standalone)

Set Server IP Address

We need set our server to a fixed IP address. While not absolutely required, I think it’s a really bad idea to not do this. And, since our lab doesn’t yet have DHCP in it, you need to anyway. (We’ll add a DHCP server in the next installment. )

To configure the network adapter for a static IP address, I need to know either the interface alias (name) or the interface index. To get those, use Get-NetAdapter from a PowerShell window. (Note: if you’re doing this on a new Windows Server Core installation, you can open a PowerShell window with Start PowerShell.exe at the command prompt. To start a PowerShell window automatically for this user, at logon, see my May post. )

Get-NetAdapter | Format-Table -AutoSize Name,Status,IFIndex,MacAddress

Name       Status ifIndex MacAddress
----       ------ ------- ----------
Ethernet 2 Up           3 00-15-5D-32-0A-02
Ethernet   Up           5 00-15-5D-32-CE-02

Which tells us that the DC has two network adapters, and the one that is on the Local-10 switch (from New-myVM.ps1) is at an ifIndex of 3, while the one on the “199 Network” switch has an ifIndex of 5. Now, we’ll set the static IP addresses for these two adapters. First, the NIC on Local-10:

# Set IPv4
$NIC2 = Get-NetAdapter -ifIndex 3
$NIC2 | Set-NetIPInterface -DHCP Disabled
$NIC2 | New-NetIPAddress -AddressFamily  IPv4 `
                         -IPAddress      192.168.10.2 `
                         -PrefixLength   24 `
                         -Type Unicast `
                         -DefaultGateway 192.168.10.1
# Set IPv6
$NIC2 | New-NetIPAddress -AddressFamily  IPv6 `
                         -IPAddress      2001:db8:0:10::2 `
                         -PrefixLength   64 `
                         -Type Unicast `
                         -DefaultGateway 2001:db8:0:10::1

# Set DNS Server Addresses to self
Set-DnsClientServerAddress -InterfaceIndex  $NIC2.ifIndex `
                           -ServerAddresses 192.168.10.2,2001:db8:0:10::2

#Now, for the 199 Network, which I use for internal communications between lab hosts, I want to set a pure IPv4 address with no IPv6, so instead of setting an IPv6 address for the NIC, I’ll disable it with Disable-NetAdapterBinding.

$NIC = Get-NetAdapter -ifIndex 5

# Disable IPv6
Disable-NetAdapterBinding -Name $NIC.Name -ComponentID ms_tcpip6

# Set IPv4 to 192.168.199.2
$NIC | Set-NetIPInterface -Dhcp Disabled
$NIC | New-NetIPAddress -AddressFamily IPv4 `
                        -IPAddress     192.168.199.2 `
                        -PrefixLength  24 `
                        -Type Unicast
# Set DNS to self
Set-DnsClientServerAddress -InterfaceIndex  $NIC.ifIndex `
                           -ServerAddresses 192.168.199.2

(Note: Set-NetAdapterBinding is not available on Windows 7/Server 2008 R2)

Set Server Name

Next, let’s set the name of the server to match our naming conventions for this lab. We do this now, knowing it will force a reboot before we go any further.

Rename-Computer -NewName trey-dc-02 -Restart -Force

This will give the computer a new name and restart it.

Create Forest and Install AD-integrated DNS

Now that we have static IP addresses for our network adapters, and we’ve set the name of the server, we can go ahead and create our AD forest. First, we install Active Directory and update the PowerShell Help files with:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Update-Help -SourcePath \\labhost\PSHelp

This installs the ActiveDirectory and ADDSDeployment modules that we’ll need to create the forest. Now, we promote the server to be the first domain controller in the new forest. Before we do the actual install, we test to make sure we don’t have any issues with Test-ADDSForestInstallation:

Test-ADDSForestInstallation `
         -DomainName 'TreyResearch.net' `
         -DomainNetBiosName 'TREYRESEARCH' `
         -DomainMode 6 `
         -ForestMode 6 `
         -NoDnsOnNetwork `
         -SafeModeAdministratorPassword (ConvertTo-SecureString `
                                                  -String 'P@ssw0rd' `
                                                  -AsPlainText `
                                                  -Force) `
         -NoRebootOnCompletion

Even though this is a brand new forest in an isolated lab setting, it’s still a good practice to test before you actually deploy. And it doesn’t cost all that much time or annoyance. I’ve included the SafeModeAdministratorPassword parameter to avoid the prompts for it. This is a lab, not real life. :) Also note that we’re setting the forest and domain modes to Server2012R2. If you need earlier versions of domain controllers in your lab, you can set the mode accordingly.

The results of the test are as expected:

WARNING: Windows Server 2016 domain controllers have a default for the security setting named "Allow cryptography
algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security
channel sessions.

For more information about this setting, see Knowledge Base article 942564
(http://go.microsoft.com/fwlink/?LinkId=104751).

WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it
 does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually
create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain
"TreyResearch.net". Otherwise, no action is required.


Message                          Context                                  RebootRequired  Status
-------                          -------                                  --------------  ------
Operation completed successfully Test.VerifyDcPromoCore.DCPromo.General.3          False Success

With that confirmation, we can go ahead and finish creating the forest and configuring DNS with the command:

Install-ADDSForest `
    -DomainName 'TreyResearch.net' `
    -DomainNetBiosName 'TREYRESEARCH' `
    -DomainMode 6 `
    -ForestMode 6 `
    -NoDnsOnNetwork `
    -SkipPreChecks `
    -SafeModeAdministratorPassword (ConvertTo-SecureString `
                                                  -String 'P@ssw0rd' `
                                                  -AsPlainText `
                                                  -Force) `
    -Force

You’ll notice that the options here match our test pass, except I chose to bypass a second test. If you want to keep your SafeMode Administrator password private you can eliminate that parameter and you’ll be prompted at the command line. When this finishes and the server has rebooted, you can log in with the TREYRESEARCH\Administrator account and the local Administrator password you had before you promoted the VM to be a domain controller.  This may or may not be the same as the SafeModeAdministratorPassword you set during the installation.

As I was trying to configure a new lab setup that takes advantage of nested Hyper-V so that I can build a lab to do Hyper-V host clustering, I ran into a problem with networking. Everything looked good on the “host1” virtual machine, but the domain controller I created for TreyResearch.net that runs as a nested VM on host1 couldn’t connect to anything outside of host1. Which would end up being a pain fairly quickly. But after a good bit of poking around, I found the solution – either enable MAC Address Spoofing on host1, or configure a NAT switch on host1. For most of us, the MAC Address Spoofing is the simplest solution and works just fine. But if you’re in a public cloud scenario, you’ll likely have to go the NAT route.

To enable Nested Hyper-V, shutdown host1 and then run the following command on the top level host:

Set-VMProcessor -VMName host1 -ExposeVirtualizationExtensions $True

Start host1 and install the Hyper-V role with:

Install-WindowsFeature -Name Hyper-V -IncludeAllSubFeature -IncludeManagementTools

Once the reboots finish on host1, enable MAC Address Spoofing on the network adapter(s) of  host1:

Get-VMNetworkAdapter -VMName host1 | Set-VMNetworkAdapter -MacAddressSpoofing On

And you’re done.

As I mentioned last time, I’m setting up a new domain controller and DHCP server for my internal domain on Windows Server 2016 Core, and I’m exclusively using PowerShell to do it. For both the DHCP Server and AD DS roles, we need to configure a fixed IP address on the server, so let’s do that first. From my Deploying and Managing Active Directory with Windows PowerShell book from Microsoft Press, here’s my little very quick and dirty script to set a fixed IP address:

# Quick and dirty IP address setter

[CmdletBinding()]
Param ([Parameter(Mandatory=$True)][string]$IP4,
       [Parameter(Mandatory=$True)][string]$IP6 
      )
$Network = "192.168.10."
$Network6 = "2001:db8:0:10::"
$IPv4 = $Network + "$IP4"
$IPv6 = $Network6 + "$IP6"
$Gateway4 = $Network + "1"
$Gateway6 = $Network6 + "1"

Write-Verbose "$network,$network6,$IP4,$IP6,$IPv4,$IPv6,$gateway4, $gateway6"

$Nic = Get-NetAdapter -name Ethernet
$Nic | Set-NetIPInterface -DHCP Disabled
$Nic | New-NetIPAddress -AddressFamily IPv4 `
                        -IPAddress $IPv4 `
                        -PrefixLength 24 `
                        -type Unicast `
                        -DefaultGateway $Gateway4
Set-DnsClientServerAddress -InterfaceAlias $Nic.Name `
                           -ServerAddresses 192.168.10.2,2001:db8:0:10::2
$Nic |  New-NetIPAddress -AddressFamily IPv6 `
                         -IPAddress $IPv6 `
                         -PrefixLength 64 `
                         -type Unicast `
                          -DefaultGateway $Gateway6

ipconfig /all

I warned you it was a quick and dirty script. But let’s quickly look at what it does. First, we get the network adapter into a variable, $Nic. Then we turn off DHCP with Set-NetIPInterface, and configure the IPv4 and IPv6 addresses with New-NetIPAddress. Finally, we use Set-DnsClientServerAddress to configure the DNS Servers for this server.

Next, let’s join the server to the TreyResearch.net domain with another little script. OK, I admit, you could do this all as a simple one-liner, but I do it so often that I scripted it.

<#
.Synopsis
Joins a computer to the domain
.Description
Joins a new computer to the domain. If the computer hasn't been renamed yet, 
it renames it as well.
.Parameter NewName
The new name of the computer
.Parameter Domain
The domain to join the computer to. Default value is TreyResearch.net
.Example
Join-myDomain -NewName trey-wds-11
.Example
Join-myDomain dc-contoso-04 -Domain Contoso.com
.Notes
     Name: Join-myDomain
   Author: Charlie Russel
Copyright: 2017 by Charlie Russel
         : Permission to use is granted but attribution is appreciated
  ModHist:  9 Apr, 2014 -- Initial
         : 25 Feb, 2015 -- Updated to allow name already matches
         :
#>
[CmdletBinding()]
Param ( [Parameter(Mandatory=$true,Position=0)]
        [String]$NewName,
        [Parameter(Mandatory=$false,Position=1)]
        [String]$Domain = "TreyResearch.net"
       )

$myCred = Get-Credential -UserName "$Domain\Charlie" `
                         -Message "Enter the Domain password for Charlie."

if ($ENV:COMPUTERNAME -ne $NewName ) {
   Add-Computer -DomainName $Domain -Credential $myCred -NewName $NewName -restart
} else {
   Add-Computer -DomainName $Domain -Credential $myCred -Restart
}

After the server restarts, log in with your domain credentials, not as “Administrator”.  The account you logon with should be at least Domain Admin or equivalent, since you’re going to be adding DHCP to the server and promoting it to be a domain controller.

To add the necessary roles to the server, use:

Install-WindowsFeature -Name DHCP,AD-Domain-Services `
                       -IncludeAllSubFeature `
                       -IncludeManagementTools

Next, download updated Get-Help files with Update-Help. Once you’ve got those, go ahead and restart the server, and when it comes back up, we’ll do the base configuration for DHCP to enable it in the domain, and create the necessary accounts. Creating scopes, etc., is the topic of another day. Probably as part of my Lab series.

First, enable the DHCP server in AD (this assumes the $NewName from earlier was ‘trey-core-03’. )

Add-DhcpServerInDC -DnsName 'trey-core-03' -PassThru

And, finally, create the necessary local groups:

# Create local groups for DHCP
# The WinNT in the following IS CASE SENSITIVE
$connection = [ADSI]"WinNT://trey-core-03"
$lGroup = $connection.Create("Group","DHCP Administrators")
$lGroup.SetInfo()
$lGroup = $connection.Create("Group","DHCP Users")
$lGroup.SetInfo()

This uses ADSI to create a local group, since there’s no good way built into base PowerShell to do it except through ADSI.

Finally, we’ll use my Promote-myDC.ps1 script to promote the server to domain controller. Again, I could easily do this by hand, but I’m building and rebuilding labs often enough that I scripted it. I’m lazy! Do it once, use the PowerShell interactive command line. Do it twice? Write a script!

<#
.Synopsis
Tests a candidate domain controller, and then promotes it to DC.
.Description
Promote-myDC first tests if a domain controller can be successfully promoted,
and, if the user confirms that the test was successful, completes the
promotion and restarts the new domain controller.
.Example
Promote-myDC -Domain TreyResearch.net

Tests if the local server can be promoted to domain controller for the
domain TreyResearch.net. The user is prompted after the test completes
and must press the Y key to continue the promotion.
.Parameter Domain
The domain to which the server will be promoted to domain controller.
.Inputs
[string]
.Notes
    Author: Charlie Russel
 Copyright: 2017 by Charlie Russel
          : Permission to use is granted but attribution is appreciated
   Initial: 05/14/2016 (cpr)
   ModHist: 02/14/2017 (cpr) Default the domain name for standard lab builds
          :
#>
[CmdletBinding()]
Param(
     [Parameter(Mandatory=$False,Position=0)]
     [string]$Domain = 'TreyResearch.net'
     )

Write-Verbose "Testing if ADDSDeployment module is available"
If ( (Get-WindowsFeature -Name AD-Domain-Services).InstallState -ne "Installed" ) {
   Write-Verbose "Installing the ActiveDirectory Windows Feature, since you seem to have forgotten that."
   Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
   Write-Host ""
}

If ( (Get-WindowsFeature -Name AD-Domain-Services).InstallState -ne "Installed" ) {
   throw "Failed to install the ActiveDirectory Windows Feature."
}

Write-Verbose "Testing if server $env:computername can be promoted to DC in the $Domain domain"
Write-Host ""
Test-ADDSDomainControllerInstallation `
         -NoGlobalCatalog:$false `
         -CreateDnsDelegation:$false `
         -CriticalReplicationOnly:$false `
         -DatabasePath "C:\Windows\NTDS" `
         -DomainName $Domain `
         -LogPath "C:\Windows\NTDS" `
         -NoRebootOnCompletion:$false `
         -SiteName "Default-First-Site-Name" `
         -SysvolPath "C:\Windows\SYSVOL" `
         -InstallDns:$true `
         -Force
Write-Host ""
Write-Host ""
Write-Host ""

Write-Host -NoNewLine "If the above looks correct, press Y to continue...  "
$Key = [console]::ReadKey($true)
$sKey = $key.key

Write-Verbose "The $sKey key was pressed."
Write-Host ""
Write-Host ""
If ( $sKey -eq "Y" ) {
   Write-Host "The $sKey key was pressed, so proceeding with promotion of $env:computername to domain controller."
   Write-Host ""
   sleep 5
   Install-ADDSDomainController `
              -SkipPreChecks `
              -NoGlobalCatalog:$false `
              -CreateDnsDelegation:$false `
              -CriticalReplicationOnly:$false `
              -DatabasePath "C:\Windows\NTDS" `
              -DomainName $Domain `
              -InstallDns:$true `
              -LogPath "C:\Windows\NTDS" `
              -NoRebootOnCompletion:$false `
              -SiteName "Default-First-Site-Name" `
              -SysvolPath "C:\Windows\SYSVOL" `
              -Force:$true
} else {
   Write-Host "The $sKey key was pressed, exiting to allow you to fix the problem."
   Write-Host ""
   Write-Host ""
}

This uses a little trick I haven’t talked about before –

$Key = [console]::ReadKey($true)
$sKey = $key.key

This reads in a single keystroke and gets the value of the key. Because of the way this works, “Y” and “y” are equivalent. Useful to give yourself a last chance out if something doesn’t look right, though obviously you’ll want to remove those bits if you’re creating a script that needs to run without interactive input.