In the previous post you saw how to deploy a basic Windows 2012 R2 virtual machine. Now you have to install Active Directory Domain Services (AD DS) on it. This has become easy and risk free since the arrival of the Active Directory cmdlets (our good old friend DCPROMO is long gone and won't be missed). Let's see how that's done:
Install-WindowsFeature AD-Domain-Services
You will see the following information once the AD DS feature has been installed:
Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Active Directory Domain Services, Rem...
WARNING: Windows automatic updating is not enabled. To ensure that your newly-installed role or feature is automatically updated, turn on Windows Update.
Once you have installed the AD DS feature, you have to find out which module you need to set up your Active Directory forest. You can do that with Get-Help, because nowadays this basic PowerShell cmdlet is able to look inside modules that have not been imported yet:
man forest

Name                        Category Module          Synopsis
----                        -------- ------          --------
Get-ADForest                Cmdlet   ActiveDirectory Get-AD...
Set-ADForest                Cmdlet   ActiveDirectory Set-AD...
Set-ADForestMode            Cmdlet   ActiveDirectory Set-AD...
Install-ADDSForest          Cmdlet   ADDSDeployment  Instal...
Test-ADDSForestInstallation Cmdlet   ADDSDeployment  Test-A...
As you can see the module we need is ADDSDeployment and importing it is a breeze:
Import-Module ADDSDeployment
Now, before you proceed, use the following brand new cmdlet to check that all the important prerequisites are met:
Test-ADDSForestInstallation

cmdlet Test-ADDSForestInstallation at command pipeline position 1
Supply values for the following parameters:
DomainName: lab2013.local
SafeModeAdministratorPassword: ********************
Confirm SafeModeAdministratorPassword: ********************
WARNING: Windows Server 2012 R2 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions. For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).
WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "lab2013.local". Otherwise, no action is required.

Message             Context             RebootRequired Status
-------             -------             -------------- ------
Operation comple... Test.VerifyDcPro... False          Success
The last warning is not really an issue, because this is the first DNS server you're installing. Now install the forest for real:
Install-ADDSForest -CreateDnsDelegation:$false -DomainName "lab2013.local" -InstallDns:$true -NoRebootOnCompletion:$false -Force:$true -SafeModeAdministratorPassword (Get-Credential).Password
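PowerShell beginners, note the smart use of (Get-Credential).Password here: Get-Credential prompts for the password, and its Password property is a SecureString, which is the type -SafeModeAdministratorPassword expects, so the DSRM password is never typed in clear text on the command line.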
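The two steps above can be chained so that the forest is only installed when the prerequisite test reports Success. This is an added example, not part of the original post; the variable names `$dsrm` and `$forest` are illustrative, and the domain name and switches are the ones used in the post.

```powershell
# Added example: gate Install-ADDSForest on the result of the prerequisite test.
Import-Module ADDSDeployment

# Prompt once. The value stays a SecureString, so the DSRM password does not
# end up in the command history or in a script file.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (SafeMode) administrator password'

# Parameters shared by the test and the real install (values from the post).
$forest = @{
    DomainName                    = 'lab2013.local'
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    SafeModeAdministratorPassword = $dsrm
}

# The test returns objects with Message, Context, RebootRequired and Status;
# warnings go to the warning stream and are not part of $results.
$results = @(Test-ADDSForestInstallation @forest)
$failed  = @($results | Where-Object { "$($_.Status)" -ne 'Success' })

if ($failed.Count -gt 0) {
    $failed | Format-List Message, Context, Status
    throw 'Prerequisite check failed; the forest was not installed.'
}

# Same switches as in the post: reboot automatically, suppress confirmation.
Install-ADDSForest @forest -NoRebootOnCompletion:$false -Force:$true
```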
As you can see from the previous screenshot, the installation of the DNS role is automatically managed by Install-ADDSForest. After the reboot, you have a brand new DC for your new forest lab2013.local. Straightforward, right?
I like adding -NoRebootOnCompletion:$false to Install-ADDSForest (don't do that in a Production environment!). After the server has rebooted, you can quickly verify the installed features using this improved PowerShell V4 syntax:
Get-WindowsFeature | ? installed

Display Name                                Name
------------                                ----
[X] Active Directory Domain Services        AD-Domain-Services
[X] DNS Server                              DNS
[X] File and Storage Services               FileAndStorage-Services
[X] File and iSCSI Services                 File-Services
[X] File Server                             FS-FileServer
[X] Storage Services                        Storage-Services
[X] .NET Framework 4.5 Features             NET-Framework-45-Fea...
[X] .NET Framework 4.5                      NET-Framework-45-Core
[X] WCF Services                            NET-WCF-Services45
[X] TCP Port Sharing                        NET-WCF-TCP-PortShar...
[X] Remote Server Administration Tools      RSAT
[X] Role Administration Tools               RSAT-Role-Tools
[X] AD DS and AD LDS Tools                  RSAT-AD-Tools
[X] Active Directory module for Windows ... RSAT-AD-PowerShell
[X] SMB 1.0/CIFS File Sharing Support       FS-SMB1
[X] User Interfaces and Infrastructure      User-Interfaces-Infra
[X] Windows PowerShell                      PowerShellRoot
[X] Windows PowerShell 4.0                  PowerShell
[X] WoW64 Support                           WoW64-Support
If you want to check the log of the upgrade, it's named %systemroot%\debug\dcpromo.log. Get-ADDomain is also an interesting cmdlet for dumping your domain configuration:
Get-ADDomain

AllowedDNSSuffixes                 : {}
ChildDomains                       : {}
ComputersContainer                 : CN=Computers,DC=lab2013,DC=local
DeletedObjectsContainer            : CN=Deleted Objects,DC=lab2013,DC=local
DistinguishedName                  : DC=lab2013,DC=local
DNSRoot                            : lab2013.local
DomainControllersContainer         : OU=Domain Controllers,DC=lab2013,DC=local
DomainMode                         : Windows2012R2Domain
DomainSID                          : S-1-5-21-3144066328-731786587-829956889
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=lab2013,DC=local
Forest                             : lab2013.local
InfrastructureMaster               : LAB2013DC01.lab2013.local
LastLogonReplicationInterval       :
LinkedGroupPolicyObjects           : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=lab2013,DC=local}
LostAndFoundContainer              : CN=LostAndFound,DC=lab2013,DC=local
ManagedBy                          :
Name                               : lab2013
NetBIOSName                        : LAB2013
ObjectClass                        : domainDNS
ObjectGUID                         : 0e2f8e5f-8e4a-421d-92f7-a83856460e63
ParentDomain                       :
PDCEmulator                        : LAB2013DC01.lab2013.local
QuotasContainer                    : CN=NTDS Quotas,DC=lab2013,DC=local
ReadOnlyReplicaDirectoryServers    : {}
ReplicaDirectoryServers            : {LAB2013DC01.lab2013.local}
RIDMaster                          : LAB2013DC01.lab2013.local
SubordinateReferences              : {DC=ForestDnsZones,DC=lab2013,DC=local, DC=DomainDnsZones,DC=lab2013,DC=local, CN=Configuration,DC=lab2013,DC=local}
SystemsContainer                   : CN=System,DC=lab2013,DC=local
UsersContainer                     : CN=Users,DC=lab2013,DC=local
Now Stop-Computer (man, I'm starting to talk verb-cmdlet!) and reduce RAM to 512 MB (since you don't need 2 GB on this Core install).
After the virtual machine has restarted, check that the new RAM configuration has been applied:
gwmi win32_computersystem

Domain              : lab2013.local
Manufacturer        : VMware, Inc.
Model               : VMware Virtual Platform
Name                : LAB2013DC01
PrimaryOwnerName    : Windows User
TotalPhysicalMemory : 536330240

and

gwmi win32_operatingsystem | select caption

caption
-------
Microsoft Windows Server 2012 R2 Datacenter
The last two steps are enabling Remote Desktop (RDP) connections and fully disabling the firewall (since we are in a test environment).
There is one simple way of disabling the firewall:
netsh advfirewall set allprofiles state off
There are many ways to enable RDP. The simplest of all is to run:
cscript C:\Windows\System32\Scregedit.wsf /ar 0
Now you should be able to RDP inside the new VM.
Oh, I almost forgot to tell you: later on you will need internet access (and therefore name resolution) to download the Windows ADK (which is a prerequisite for SCVMM). Since your DNS can't resolve names residing on any external network (read: Internet), you must add a DNS forwarder: use the VMware DNS you noted before: x.x.x.2
To add the DNS forwarder, PowerShell 4.0 comes once again to the rescue:
Add-DnsServerForwarder -IPAddress 192.168.134.2 -PassThru

UseRootHint        : True
Timeout(s)         : 3
EnableReordering   : True
IPAddress          : {192.168.134.2, fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}
ReorderedIPAddress : {192.168.134.2, fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}
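The individual checks in this post (installed roles, domain, forwarder) plus the two settings relaxed for the lab (firewall off, RDP on) can be collected in one report. This is an added example, not part of the original post; the function names Get-LabDcState and Get-LabOnlySetting are hypothetical, and it assumes an elevated PowerShell session on the new domain controller.

```powershell
# Added example (not from the original post). Run elevated on the new DC.
Import-Module ActiveDirectory, DnsServer

function Get-LabDcState {
    $domain = Get-ADDomain
    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # scregedit /ar 0 sets fDenyTSConnections to 0 (RDP allowed).
    $deny   = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
    $nla    = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
    # Enabled is an enum (True/False/NotConfigured), so compare its string form.
    $fwOff  = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -eq 'False' })

    [pscustomobject]@{
        DnsRoot        = $domain.DNSRoot
        DomainMode     = $domain.DomainMode
        PdcEmulator    = $domain.PDCEmulator
        RolesInstalled = @(Get-WindowsFeature AD-Domain-Services, DNS | Where-Object Installed).Name -join ', '
        Forwarders     = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString }) -join ', '
        FirewallOff    = $fwOff.Name -join ', '
        RdpEnabled     = ($deny -eq 0)
        RdpRequiresNla = ($nla -eq 1)
        Smb1Installed  = (Get-WindowsFeature FS-SMB1).Installed
    }
}

# Settings this walkthrough relaxes or leaves at lab defaults; list them so
# they are reverted before the VM or its template is used outside the lab.
function Get-LabOnlySetting {
    param([Parameter(Mandatory)] $State)
    if ($State.FirewallOff) { "Firewall disabled on profile(s): $($State.FirewallOff)" }
    if ($State.RdpEnabled -and -not $State.RdpRequiresNla) {
        'RDP enabled without Network Level Authentication'
    } elseif ($State.RdpEnabled) {
        'RDP enabled'
    }
    if ($State.Smb1Installed) { 'SMB 1.0/CIFS feature installed' }
}

$state = Get-LabDcState
$state | Format-List
Get-LabOnlySetting -State $state
```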
Once you have your first virtual machine running a Windows 2012 R2 Domain Controller, move on to the deployment of the Hyper-V servers.