Wednesday, November 13, 2013

How to build a System Center Virtual Machine Manager 2012 R2 lab - part 3

In the previous post you saw how to deploy a basic Windows Server 2012 R2 virtual machine. Now you have to install Active Directory Domain Services on it. This has become easy and low-risk since the arrival of the AD DS deployment cmdlets (our good old friend DCPROMO is deprecated and won't be missed). Let's see how that's done:
Install-WindowsFeature AD-Domain-Services
You will see the following information once the AD DS feature is installed:
Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Active Directory Domain Services, Rem...
WARNING: Windows automatic updating is not enabled. To ensure that your newly-installed role or feature is automatically updated, turn on Windows Update.
Once you have installed the AD DS feature, you have to find out which module contains the cmdlets for setting up an Active Directory forest. Get-Help can tell you, because since PowerShell 3.0 this basic cmdlet also searches modules that have not been imported yet (module auto-loading):
man forest

Name                              Category  Module                    Synopsis
----                              --------  ------                    --------
Get-ADForest                      Cmdlet    ActiveDirectory           Get-AD...
Set-ADForest                      Cmdlet    ActiveDirectory           Set-AD...
Set-ADForestMode                  Cmdlet    ActiveDirectory           Set-AD...
Install-ADDSForest                Cmdlet    ADDSDeployment            Instal...
Test-ADDSForestInstallation       Cmdlet    ADDSDeployment            Test-A...
As you can see, the module we need is ADDSDeployment. Importing it explicitly is a breeze (auto-loading would do it for you on first use anyway):
Import-Module ADDSDeployment
Now, before you proceed, use the following brand new cmdlet to check that all the important prerequisites are met. Called without parameters it prompts for the domain name and the DSRM (Safe Mode) administrator password:
Test-ADDSForestInstallation
cmdlet Test-ADDSForestInstallation at command pipeline position 1
Supply values for the following parameters:
DomainName: lab2013.local
SafeModeAdministratorPassword: ********************
Confirm SafeModeAdministratorPassword: ********************
WARNING: Windows Server 2012 R2 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions.

For more information about this setting, see Knowledge Base article 942564

WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "lab2013.local". Otherwise, no action is required.

Message             Context                  RebootRequired              Status
-------             -------                  --------------              ------
Operation comple... Test.VerifyDcPro...               False             Success
The first warning is not a problem: it describes the secure default (weak NT 4.0-era algorithms are refused for secure channel sessions) and you should leave that setting alone. The last warning is not an issue either, because this is the first DNS server you're installing and there is no parent zone to delegate from. Now install the forest for real:
Install-ADDSForest -CreateDnsDelegation:$false -DomainName "lab2013.local" -InstallDns:$true -NoRebootOnCompletion:$false -Force:$true -SafeModeAdministratorPassword (Get-Credential).Password
PowerShell beginners, note the use of (Get-Credential).Password: Get-Credential prompts for the DSRM password and .Password hands it over as a SecureString, so the password never appears in the command line, the console history or a transcript (the user name you type in the prompt is ignored here).

As you can see from the output, the installation of the DNS role is managed automatically by Install-ADDSForest (-InstallDns:$true). After the reboot you have a brand new DC for your new forest lab2013.local. Straightforward, right?
-NoRebootOnCompletion:$false is the default, but I like spelling it out so the automatic reboot is explicit (don't let a DC promotion reboot unattended in a Production environment!). After the server has rebooted, you can quickly verify the installed features using the simplified Where-Object syntax PowerShell has had since version 3.0:
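The whole procedure above (feature install, prerequisite check, forest promotion) as one unattended script. This is an added example, not code from the original post; it assumes the domain name lab2013.local, the NetBIOS name LAB2013, 2012 R2 functional levels and an elevated PowerShell session on the freshly installed VM.

```powershell
# Added example (not from the original post): unattended forest deployment.
# Assumed values: domain lab2013.local, NetBIOS name LAB2013, forest and domain
# functional level Windows Server 2012 R2. Run elevated on the new VM.

$DomainName  = 'lab2013.local'
$NetbiosName = 'LAB2013'

# Ask for the DSRM password as a SecureString; it never hits the command line,
# the console history or a transcript.
$dsrmPassword = Read-Host -Prompt 'DSRM (Safe Mode) administrator password' -AsSecureString

# Binaries for AD DS and DNS, plus the RSAT modules you will use after the promotion.
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

Import-Module ADDSDeployment   # auto-loading would do this on first use anyway

$forestParams = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    ForestMode                    = 'Win2012R2'
    DomainMode                    = 'Win2012R2'
    InstallDns                    = $true
    CreateDnsDelegation           = $false   # first DNS server: nothing to delegate from
    SafeModeAdministratorPassword = $dsrmPassword
}

# Dry run with exactly the parameters of the real call; nothing is changed yet.
$check = Test-ADDSForestInstallation @forestParams -WarningVariable prereqWarnings
$prereqWarnings | ForEach-Object { Write-Host "WARNING: $_" }
if ($check.Status -ne 'Success') {
    throw "Prerequisite check failed: $($check.Message)"
}

# The real promotion. -Force skips the confirmation prompt; the box reboots itself
# at the end (-NoRebootOnCompletion:$false is the default, shown for clarity).
Install-ADDSForest @forestParams -Force -NoRebootOnCompletion:$false
```

Splatting the same hashtable into Test-ADDSForestInstallation and Install-ADDSForest guarantees that what you tested is what you deploy; the only parameters added on the real call are the ones the test cmdlet does not take.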
Get-WindowsFeature | ? installed
Display Name                                            Name
------------                                            ----
[X] Active Directory Domain Services                    AD-Domain-Services
[X] DNS Server                                          DNS
[X] File and Storage Services                           FileAndStorage-Services
    [X] File and iSCSI Services                         File-Services
        [X] File Server                                 FS-FileServer
    [X] Storage Services                                Storage-Services
[X] .NET Framework 4.5 Features                         NET-Framework-45-Fea...
    [X] .NET Framework 4.5                              NET-Framework-45-Core
    [X] WCF Services                                    NET-WCF-Services45
        [X] TCP Port Sharing                            NET-WCF-TCP-PortShar...
[X] Remote Server Administration Tools                  RSAT
    [X] Role Administration Tools                       RSAT-Role-Tools
        [X] AD DS and AD LDS Tools                      RSAT-AD-Tools
            [X] Active Directory module for Windows ... RSAT-AD-PowerShell
[X] SMB 1.0/CIFS File Sharing Support                   FS-SMB1
[X] User Interfaces and Infrastructure                  User-Interfaces-Infra
[X] Windows PowerShell                                  PowerShellRoot
    [X] Windows PowerShell 4.0                          PowerShell
[X] WoW64 Support                                       WoW64-Support
One thing worth noticing in that list: SMB 1.0/CIFS File Sharing Support (FS-SMB1) is installed by default on 2012 R2, and nothing in this lab needs it, so it is a good candidate for removal. If you want to read the log of the promotion, it's %systemroot%\debug\dcpromo.log. Get-ADDomain is also an interesting cmdlet to dump your domain configuration:
Get-ADDomain

AllowedDNSSuffixes                 : {}
ChildDomains                       : {}
ComputersContainer                 : CN=Computers,DC=lab2013,DC=local
DeletedObjectsContainer            : CN=Deleted Objects,DC=lab2013,DC=local
DistinguishedName                  : DC=lab2013,DC=local
DNSRoot                            : lab2013.local
DomainControllersContainer         : OU=Domain Controllers,DC=lab2013,DC=local
DomainMode                         : Windows2012R2Domain
DomainSID                          : S-1-5-21-3144066328-731786587-829956889
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=lab2013,DC
Forest                             : lab2013.local
InfrastructureMaster               : LAB2013DC01.lab2013.local
LastLogonReplicationInterval       :
LinkedGroupPolicyObjects           : {CN={31B2F340-016D-11D2-945F-00C04FB984F9}
LostAndFoundContainer              : CN=LostAndFound,DC=lab2013,DC=local
ManagedBy                          :
Name                               : lab2013
NetBIOSName                        : LAB2013
ObjectClass                        : domainDNS
ObjectGUID                         : 0e2f8e5f-8e4a-421d-92f7-a83856460e63
ParentDomain                       :
PDCEmulator                        : LAB2013DC01.lab2013.local
QuotasContainer                    : CN=NTDS Quotas,DC=lab2013,DC=local
ReadOnlyReplicaDirectoryServers    : {}
ReplicaDirectoryServers            : {LAB2013DC01.lab2013.local}
RIDMaster                          : LAB2013DC01.lab2013.local
SubordinateReferences              : {DC=ForestDnsZones,DC=lab2013,DC=local,
SystemsContainer                   : CN=System,DC=lab2013,DC=local
UsersContainer                     : CN=Users,DC=lab2013,DC=local
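A slightly deeper post-promotion check than eyeballing the feature list and the Get-ADDomain dump. This is an added example, not code from the original post; it assumes it runs on the new DC (LAB2013DC01) after the reboot, with the ActiveDirectory, DnsServer and SmbShare modules that the promotion installed.

```powershell
# Added example (not from the original post): sanity check of the first DC of a
# new forest. Assumes it runs locally on that DC after the post-promotion reboot.
Import-Module ActiveDirectory, DnsServer

function Test-NewForestDc {
    $dc     = Get-ADDomainController -Identity $env:COMPUTERNAME
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # In a single-DC forest all five FSMO roles must sit on this host.
    $fsmo = @($forest.SchemaMaster, $forest.DomainNamingMaster,
              $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
    $fsmoOk = @($fsmo | Where-Object { $_ -ne $dc.HostName }).Count -eq 0

    # The domain zone and the forest-wide _msdcs zone must exist and be AD-integrated.
    $zones = @(Get-DnsServerZone | Where-Object IsDsIntegrated | ForEach-Object ZoneName)
    $dnsOk = ($zones -contains $domain.DNSRoot) -and
             ($zones -contains "_msdcs.$($forest.RootDomain)")

    # SYSVOL and NETLOGON must be shared, otherwise clients cannot apply Group Policy.
    $shares   = @(Get-SmbShare | ForEach-Object Name)
    $sharesOk = ($shares -contains 'SYSVOL') -and ($shares -contains 'NETLOGON')

    # SMB1 is installed by default on 2012 R2 and is not needed in this lab.
    $smb1 = (Get-WindowsFeature -Name FS-SMB1).Installed

    [pscustomobject]@{
        DomainController = $dc.HostName
        IsGlobalCatalog  = $dc.IsGlobalCatalog
        FsmoOnThisDc     = $fsmoOk
        DnsZonesOk       = $dnsOk
        SysvolSharesOk   = $sharesOk
        Smb1Installed    = $smb1
    }
}

$result = Test-NewForestDc
$result
if ($result.Smb1Installed) {
    Write-Warning 'SMB1 is installed; remove it with: Uninstall-WindowsFeature -Name FS-SMB1 -Restart'
}
```

Every property of the returned object should be True except Smb1Installed; if FsmoOnThisDc or DnsZonesOk is False on a brand new forest, the promotion did not finish cleanly and dcpromo.log is the place to look.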
Now Stop-Computer (man, I'm starting to talk verb-noun!) and reduce the VM's RAM to 512 MB, since you don't need 2 GB for this Core install.
After the virtual machine has restarted, check that the new RAM configuration has been applied:
gwmi win32_computersystem

Domain              : lab2013.local
Manufacturer        : VMware, Inc.
Model               : VMware Virtual Platform
Name                : LAB2013DC01
PrimaryOwnerName    : Windows User
TotalPhysicalMemory : 536330240
gwmi win32_operatingsystem | select caption

Microsoft Windows Server 2012 R2 Datacenter
The two last steps are enabling Remote Desktop (RDP) connections and disabling the firewall (acceptable only because this is an isolated test environment; on anything reachable from a real network, keep the firewall on and open just the RDP rule).
There is one simple way of disabling the firewall on all three profiles:
netsh advfirewall set allprofiles state off
There are many ways to enable RDP. The simplest of all on a Server Core install is to run:
cscript C:\Windows\System32\Scregedit.wsf /ar 0
(/ar 0 allows remote connections; Network Level Authentication stays required unless you also run Scregedit.wsf /cs 0, which you should not.) Now you should be able to RDP into the new VM.
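The lab-safe alternative to switching the firewall off: keep all three profiles on, enable RDP with Network Level Authentication, and open only the Remote Desktop rule group. This is an added example, not code from the original post; it assumes Windows Server 2012 R2 with the NetSecurity and NetTCPIP modules present (they are on a default install).

```powershell
# Added example (not from the original post): enable RDP with NLA while keeping
# the firewall enabled. Assumes Windows Server 2012 R2 (NetSecurity/NetTCPIP modules).

# Firewall stays on; log dropped packets so you can see what you blocked.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -LogBlocked True

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
# fDenyTSConnections = 0 allows RDP (the registry write Scregedit.wsf /ar 0 performs).
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
# UserAuthentication = 1 requires NLA: credentials are checked before a session
# (and its attack surface) is created.
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1

# Open only the built-in Remote Desktop rules instead of everything.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Verify: listener on 3389, NLA on, profiles still enabled.
Get-NetTCPConnection -LocalPort 3389 -State Listen | Select-Object LocalAddress, LocalPort
(Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp").UserAuthentication   # expect 1
Get-NetFirewallProfile | Select-Object Name, Enabled
```

Once Get-NetConnectionProfile reports the NIC as DomainAuthenticated, you can tighten the rule further with Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Set-NetFirewallRule -Profile Domain; do it only after confirming the profile, or you will lock yourself out of a Core box that has no console GUI to fall back on.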
Oh, I almost forgot to tell you: later on you will need Internet access (and therefore external name resolution) to download the Windows ADK (a prerequisite for SCVMM), and since your DNS server can't resolve names on any external network (read: the Internet) by itself, you must add a DNS forwarder: use the VMware DNS address you noted before, x.x.x.2.
To add the DNS forwarder, the DnsServer PowerShell module comes once again to the rescue (x.x.x.2 being the VMware DNS address from above):
Add-DnsServerForwarder -IPAddress x.x.x.2 -PassThru
UseRootHint        : True
Timeout(s)         : 3
EnableReordering   : True
IPAddress          : {, fec0:0:0:ffff::1, fec0:0:0:ffff::2,
ReorderedIPAddress : {, fec0:0:0:ffff::1, fec0:0:0:ffff::2,
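The fec0:0:0:ffff::1-3 entries in that output are the deprecated IPv6 site-local addresses a freshly installed Windows DNS server lists as forwarders; they never answer, so every lookup waits on them before the real forwarder is tried. The following added example (not code from the original post) cleans them up, sets the forwarder explicitly and proves that external names resolve. x.x.x.2 is the post's placeholder for the VMware DNS address and must be replaced with yours; the script refuses to run until it is.

```powershell
# Added example (not from the original post): replace the default forwarder list
# with the VMware DNS and verify external resolution. x.x.x.2 is the post's
# placeholder; put the real address there first.
$upstream = 'x.x.x.2'
if (-not ($upstream -as [ipaddress])) {
    throw 'Replace $upstream with the VMware DNS address (x.x.x.2 in the post)'
}

Import-Module DnsServer

# Remove the deprecated IPv6 site-local forwarders (fec0::/10).
(Get-DnsServerForwarder).IPAddress |
    Where-Object { $_.IPAddressToString -like 'fec0:*' } |
    ForEach-Object { Remove-DnsServerForwarder -IPAddress $_ -Force }

# Add the real upstream. A short timeout and no root-hint fallback keep the DC from
# trying to reach the Internet root servers directly when the forwarder is down,
# which makes its egress predictable and easy to firewall.
Add-DnsServerForwarder -IPAddress $upstream -PassThru
Set-DnsServerForwarder -UseRootHint $false -Timeout 5

# Prove that external names now resolve through the forwarder.
Resolve-DnsName -Name microsoft.com -Server 127.0.0.1 -Type A
```

Get-DnsServerForwarder afterwards should list only the VMware address, and Resolve-DnsName against 127.0.0.1 should return A records; if it times out, the forwarder address or the VM's NAT connectivity is wrong, not the DC.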
Once you have your first virtual machine running a Windows Server 2012 R2 Domain Controller, move on to the deployment of the Hyper-V servers.
