Building a Lab in Hyper-V with PowerShell, Part 4
Published 9 March, 2017Creating a new forest
In the previous sections of this series, I've covered how to build VMs using PowerShell, but labs aren't much good if they don't actually have any structure. So, let's create a new forest and domain to manage our labs. I'm going to assume for this post that you've gotten started already and created a new Windows Server 2012R2 or Windows Server 2016 virtual machine. For this, it can be a graphical install or a Server Core installation and either Server Standard or Datacenter. Since we're going to be using only PowerShell to create the forest, there's no need for a GUI.
The things we'll need to have identified before we start are:
- Server IP address
- Server name
- DNS namespace for the root domain of the forest
- Domain name for the root domain of the forest
- DNS Server type (AD-integrated or standalone)
Set Server IP Address
We need set our server to a fixed IP address. While not absolutely required, I think it's a really bad idea to not do this. And, since our lab doesn't yet have DHCP in it, you need to anyway. (We'll add a DHCP server in the next installment. )
To configure the network adapter for a static IP address, I need to know either the interface alias (name) or the interface index. To get those, use Get-NetAdapter from a PowerShell window. (Note: if you're doing this on a new Windows Server Core installation, you can open a PowerShell window with Start PowerShell.exe at the command prompt. To start a PowerShell window automatically for this user, at logon, see my May post. )
Get-NetAdapter | Format-Table -AutoSize Name,Status,IFIndex,MacAddress Name Status ifIndex MacAddress ---- ------ ------- ---------- Ethernet 2 Up 3 00-15-5D-32-0A-02 Ethernet Up 5 00-15-5D-32-CE-02
Which tells us that the DC has two network adapters, and the one that is on the Local-10 switch (from New-myVM.ps1) is at an ifIndex of 3, while the one on the "199 Network" switch has an ifIndex of 5. Now, we'll set the static IP addresses for these two adapters. First, the NIC on Local-10:
# Set IPv4
$NIC2 = Get-NetAdapter -ifIndex 3
$NIC2 | Set-NetIPInterface -DHCP Disabled
$NIC2 | New-NetIPAddress -AddressFamily IPv4 `
-IPAddress 192.168.10.2 `
-PrefixLength 24 `
-Type Unicast `
-DefaultGateway 192.168.10.1
# Set IPv6
$NIC2 | New-NetIPAddress -AddressFamily IPv6 `
-IPAddress 2001:db8:0:10::2 `
-PrefixLength 64 `
-Type Unicast `
-DefaultGateway 2001:db8:0:10::1
# Set DNS Server Addresses to self
Set-DnsClientServerAddress -InterfaceIndex $NIC2.ifIndex `
-ServerAddresses 192.168.10.2,2001:db8:0:10::2
#Now, for the 199 Network, which I use for internal communications between lab hosts, I want to set a pure IPv4 address with no IPv6, so instead of setting an IPv6 address for the NIC, I'll disable it with Disable-NetAdapterBinding.
$NIC = Get-NetAdapter -ifIndex 5
# Disable IPv6
Disable-NetAdapterBinding -Name $NIC.Name -ComponentID ms_tcpip6
# Set IPv4 to 192.168.199.2
$NIC | Set-NetIPInterface -Dhcp Disabled
$NIC | New-NetIPAddress -AddressFamily IPv4 `
-IPAddress 192.168.199.2 `
-PrefixLength 24 `
-Type Unicast
# Set DNS to self
Set-DnsClientServerAddress -InterfaceIndex $NIC.ifIndex `
-ServerAddresses 192.168.199.2
(Note: Set-NetAdapterBinding is not available on Windows 7/Server 2008 R2)
Set Server Name
Next, let's set the name of the server to match our naming conventions for this lab. We do this now, knowing it will force a reboot before we go any further.
Rename-Computer -NewName trey-dc-02 -Restart -Force
This will give the computer a new name and restart it.
Create Forest and Install AD-integrated DNS
Now that we have static IP addresses for our network adapters, and we've set the name of the server, we can go ahead and create our AD forest. First, we install Active Directory and update the PowerShell Help files with:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools Update-Help -SourcePath \\labhost\PSHelp
This installs the ActiveDirectory and ADDSDeployment modules that we'll need to create the forest. Now, we promote the server to be the first domain controller in the new forest. Before we do the actual install, we test to make sure we don't have any issues with Test-ADDSForestInstallation:
Test-ADDSForestInstallation `
-DomainName 'TreyResearch.net' `
-DomainNetBiosName 'TREYRESEARCH' `
-DomainMode 6 `
-ForestMode 6 `
-NoDnsOnNetwork `
-SafeModeAdministratorPassword (ConvertTo-SecureString `
-String 'P@ssw0rd' `
-AsPlainText `
-Force) `
-NoRebootOnCompletion
Even though this is a brand new forest in an isolated lab setting, it's still a good practice to test before you actually deploy. And it doesn't cost all that much time or annoyance. I've included the SafeModeAdministratorPassword parameter to avoid the prompts for it. This is a lab, not real life. :) Also note that we're setting the forest and domain modes to Server2012R2. If you need earlier versions of domain controllers in your lab, you can set the mode accordingly.
The results of the test are as expected:
WARNING: Windows Server 2016 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions. For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751). WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "TreyResearch.net". Otherwise, no action is required. Message Context RebootRequired Status ------- ------- -------------- ------ Operation completed successfully Test.VerifyDcPromoCore.DCPromo.General.3 False Success
With that confirmation, we can go ahead and finish creating the forest and configuring DNS with the command:
Install-ADDSForest `
-DomainName 'TreyResearch.net' `
-DomainNetBiosName 'TREYRESEARCH' `
-DomainMode 6 `
-ForestMode 6 `
-NoDnsOnNetwork `
-SkipPreChecks `
-SafeModeAdministratorPassword (ConvertTo-SecureString `
-String 'P@ssw0rd' `
-AsPlainText `
-Force) `
-Force
You'll notice that the options here match our test pass, except I chose to bypass a second test. If you want to keep your SafeMode Administrator password private you can eliminate that parameter and you'll be prompted at the command line. When this finishes and the server has rebooted, you can log in with the TREYRESEARCH\Administrator account and the local Administrator password you had before you promoted the VM to be a domain controller. This may or may not be the same as the SafeModeAdministratorPassword you set during the installation.
Posted in Active Directory, Building Labs, DHCP, Networking, PowerShell, Windows Server Core | 
Active Diretory, AD DS, IP Address, PowerShell | 
Leave a commentNested Hyper-V Networking
Published 19 February, 2017As I was trying to configure a new lab setup that takes advantage of nested Hyper-V so that I can build a lab to do Hyper-V host clustering, I ran into a problem with networking. Everything looked good on the "host1" virtual machine, but the domain controller I created for TreyResearch.net that runs as a nested VM on host1 couldn't connect to anything outside of host1. Which would end up being a pain fairly quickly. But after a good bit of poking around, I found the solution - either enable MAC Address Spoofing on host1, or configure a NAT switch on host1. For most of us, the MAC Address Spoofing is the simplest solution and works just fine. But if you're in a public cloud scenario, you'll likely have to go the NAT route.
To enable Nested Hyper-V, shutdown host1 and then run the following command on the top level host:
Set-VMProcessor -VMName host1 -ExposeVirtualizationExtensions $True
Start host1 and install the Hyper-V role with:
Install-WindowsFeature -Name Hyper-V -IncludeAllSubFeature -IncludeManagementTools
Once the reboots finish on host1, enable MAC Address Spoofing on the network adapter(s) of host1:
Get-VMNetworkAdapter -VMName host1 | Set-VMNetworkAdapter -MacAddressSpoofing On
And you're done.
Configuring Windows Server 2016 core as a DHCP Server with PowerShell
Published 15 February, 2017As I mentioned last time, I'm setting up a new domain controller and DHCP server for my internal domain on Windows Server 2016 Core, and I'm exclusively using PowerShell to do it. For both the DHCP Server and AD DS roles, we need to configure a fixed IP address on the server, so let's do that first. From my Deploying and Managing Active Directory with Windows PowerShell book from Microsoft Press, here's my little very quick and dirty script to set a fixed IP address:
# Quick and dirty IP address setter
[CmdletBinding()]
Param ([Parameter(Mandatory=$True)][string]$IP4,
[Parameter(Mandatory=$True)][string]$IP6
)
$Network = "192.168.10."
$Network6 = "2001:db8:0:10::"
$IPv4 = $Network + "$IP4"
$IPv6 = $Network6 + "$IP6"
$Gateway4 = $Network + "1"
$Gateway6 = $Network6 + "1"
Write-Verbose "$network,$network6,$IP4,$IP6,$IPv4,$IPv6,$gateway4, $gateway6"
$Nic = Get-NetAdapter -name Ethernet
$Nic | Set-NetIPInterface -DHCP Disabled
$Nic | New-NetIPAddress -AddressFamily IPv4 `
-IPAddress $IPv4 `
-PrefixLength 24 `
-type Unicast `
-DefaultGateway $Gateway4
Set-DnsClientServerAddress -InterfaceAlias $Nic.Name `
-ServerAddresses 192.168.10.2,2001:db8:0:10::2
$Nic | New-NetIPAddress -AddressFamily IPv6 `
-IPAddress $IPv6 `
-PrefixLength 64 `
-type Unicast `
-DefaultGateway $Gateway6
ipconfig /all
I warned you it was a quick and dirty script. But let's quickly look at what it does. First, we get the network adapter into a variable, $Nic. Then we turn off DHCP with Set-NetIPInterface, and configure the IPv4 and IPv6 addresses with New-NetIPAddress. Finally, we use Set-DnsClientServerAddress to configure the DNS Servers for this server.
Next, let's join the server to the TreyResearch.net domain with another little script. OK, I admit, you could do this all as a simple one-liner, but I do it so often that I scripted it.
<#
.Synopsis
Joins a computer to the domain
.Description
Joins a new computer to the domain. If the computer hasn't been renamed yet,
it renames it as well.
.Parameter NewName
The new name of the computer
.Parameter Domain
The domain to join the computer to. Default value is TreyResearch.net
.Example
Join-myDomain -NewName trey-wds-11
.Example
Join-myDomain dc-contoso-04 -Domain Contoso.com
.Notes
Name: Join-myDomain
Author: Charlie Russel
Copyright: 2017 by Charlie Russel
: Permission to use is granted but attribution is appreciated
ModHist: 9 Apr, 2014 -- Initial
: 25 Feb, 2015 -- Updated to allow name already matches
:
#>
[CmdletBinding()]
Param ( [Parameter(Mandatory=$true,Position=0)]
[String]$NewName,
[Parameter(Mandatory=$false,Position=1)]
[String]$Domain = "TreyResearch.net"
)
$myCred = Get-Credential -UserName "$Domain\Charlie" `
-Message "Enter the Domain password for Charlie."
if ($ENV:COMPUTERNAME -ne $NewName ) {
Add-Computer -DomainName $Domain -Credential $myCred -NewName $NewName -restart
} else {
Add-Computer -DomainName $Domain -Credential $myCred -Restart
}
After the server restarts, log in with your domain credentials, not as "Administrator". The account you logon with should be at least Domain Admin or equivalent, since you're going to be adding DHCP to the server and promoting it to be a domain controller.
To add the necessary roles to the server, use:
Install-WindowsFeature -Name DHCP,AD-Domain-Services `
-IncludeAllSubFeature `
-IncludeManagementTools
Next, download updated Get-Help files with Update-Help. Once you've got those, go ahead and restart the server, and when it comes back up, we'll do the base configuration for DHCP to enable it in the domain, and create the necessary accounts. Creating scopes, etc., is the topic of another day. Probably as part of my Lab series.
First, enable the DHCP server in AD (this assumes the $NewName from earlier was 'trey-core-03'. )
Add-DhcpServerInDC -DnsName 'trey-core-03' -PassThru
And, finally, create the necessary local groups:
# Create local groups for DHCP
# The WinNT in the following IS CASE SENSITIVE
$connection = [ADSI]"WinNT://trey-core-03"
$lGroup = $connection.Create("Group","DHCP Administrators")
$lGroup.SetInfo()
$lGroup = $connection.Create("Group","DHCP Users")
$lGroup.SetInfo()
This uses ADSI to create a local group, since there's no good way built into base PowerShell to do it except through ADSI.
Finally, we'll use my Promote-myDC.ps1 script to promote the server to domain controller. Again, I could easily do this by hand, but I'm building and rebuilding labs often enough that I scripted it. I'm lazy! Do it once, use the PowerShell interactive command line. Do it twice? Write a script!
<#
.Synopsis
Tests a candidate domain controller, and then promotes it to DC.
.Description
Promote-myDC first tests if a domain controller can be successfully promoted,
and, if the user confirms that the test was successful, completes the
promotion and restarts the new domain controller.
.Example
Promote-myDC -Domain TreyResearch.net
Tests if the local server can be promoted to domain controller for the
domain TreyResearch.net. The user is prompted after the test completes
and must press the Y key to continue the promotion.
.Parameter Domain
The domain to which the server will be promoted to domain controller.
.Inputs
[string]
.Notes
Author: Charlie Russel
Copyright: 2017 by Charlie Russel
: Permission to use is granted but attribution is appreciated
Initial: 05/14/2016 (cpr)
ModHist: 02/14/2017 (cpr) Default the domain name for standard lab builds
:
#>
[CmdletBinding()]
Param(
[Parameter(Mandatory=$False,Position=0)]
[string]$Domain = 'TreyResearch.net'
)
Write-Verbose "Testing if ADDSDeployment module is available"
If ( (Get-WindowsFeature -Name AD-Domain-Services).InstallState -ne "Installed" ) {
Write-Verbose "Installing the ActiveDirectory Windows Feature, since you seem to have forgotten that."
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Write-Host ""
}
If ( (Get-WindowsFeature -Name AD-Domain-Services).InstallState -ne "Installed" ) {
throw "Failed to install the ActiveDirectory Windows Feature."
}
Write-Verbose "Testing if server $env:computername can be promoted to DC in the $Domain domain"
Write-Host ""
Test-ADDSDomainControllerInstallation `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName $Domain `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\SYSVOL" `
-InstallDns:$true `
-Force
Write-Host ""
Write-Host ""
Write-Host ""
Write-Host -NoNewLine "If the above looks correct, press Y to continue... "
$Key = [console]::ReadKey($true)
$sKey = $key.key
Write-Verbose "The $sKey key was pressed."
Write-Host ""
Write-Host ""
If ( $sKey -eq "Y" ) {
Write-Host "The $sKey key was pressed, so proceeding with promotion of $env:computername to domain controller."
Write-Host ""
sleep 5
Install-ADDSDomainController `
-SkipPreChecks `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName $Domain `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
} else {
Write-Host "The $sKey key was pressed, exiting to allow you to fix the problem."
Write-Host ""
Write-Host ""
}
This uses a little trick I haven't talked about before -
$Key = [console]::ReadKey($true) $sKey = $key.key
This reads in a single keystroke and gets the value of the key. Because of the way this works, "Y" and "y" are equivalent. Useful to give yourself a last chance out if something doesn't look right, though obviously you'll want to remove those bits if you're creating a script that needs to run without interactive input.