Friday 14 June 2013

Windows Server 2012 Core: Install first Domain Controller

Assuming you have installed the operating system and are at the command line, this is an example of how to set up Active Directory with DNS and DHCP on Windows Server 2012 Core. The IP addresses, the domain name (lab.domain / LAB) and the host name (DC1) used below are examples and should be changed to match your environment; the commands assume the server has already been named DC1 before it is promoted.

Start PowerShell by typing:
powershell

# Set IP address:
$NetIPIF = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | ? InterfaceAlias -ne 'Loopback Pseudo-Interface 1'
If ($NetIPIF) {
  $NetIPIF | Set-NetIPInterface -Dhcp Disabled
  New-NetIPAddress -InterfaceAlias $NetIPIF.InterfaceAlias -IPAddress 192.168.160.10 -DefaultGateway 192.168.160.5 -AddressFamily IPv4 -PrefixLength 24
  Set-DnsClientServerAddress -InterfaceAlias $NetIPIF.InterfaceAlias -ServerAddresses ('192.168.160.10','127.0.0.1')
}

# Install Windows Features
Install-WindowsFeature -name AD-Domain-Services,DNS,DHCP

# If the feature payload has been removed (Features on Demand), insert the installation media and point -Source at install.wim. The trailing index (:1 here) selects the image inside the WIM and must match the installed edition; list the images with dism /Get-ImageInfo /ImageFile:E:\Sources\install.wim
Install-WindowsFeature -name AD-Domain-Services,DNS,DHCP -Source:wim:E:\Sources\install.wim:1

# When all features have been successfully installed, create ADDS Forest
Install-ADDSForest -CreateDNSDelegation:$false -DatabasePath 'C:\Windows\NTDS' -DomainMode Win2012 -DomainName 'lab.domain' -DomainNetBIOSName 'LAB' -ForestMode Win2012 -InstallDNS:$true -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$false -SYSVOLPath "C:\Windows\SYSVOL" -Force:$true -SafeModeAdministratorPassword (Read-Host -AsSecureString -Prompt "Enter Password")

Read all warnings and any errors. The usual warnings for a new forest (no DNS delegation could be created because no parent zone exists, and the note about the default cryptography setting compatible with Windows NT 4.0) are expected; anything else deserves attention. The computer reboots automatically after the forest has been created (-NoRebootOnCompletion:$false).

After the reboot, log on as the domain administrator (e.g. LAB\Administrator) instead of the local account and start PowerShell:
powershell
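Before building any structure it is worth confirming that the promotion actually produced a working domain controller. The check below is an added example and not part of the original post; it assumes the host name DC1 and the domain lab.domain used throughout, and that it runs in the elevated PowerShell session just started. Everything it tests is what a client needs in order to find and use this DC: the core services, the DC and Global Catalog flags, the _ldap._tcp.dc._msdcs SRV record that Netlogon registers, and the SYSVOL share.

```powershell
# Added example (not from the original post): sanity checks to run right after the
# post-promotion reboot, before any OUs are created. Assumes host DC1 in lab.domain.
function Test-NewDomainController {
    param([string]$DomainFQDN = 'lab.domain')

    $result = [ordered]@{}

    # The core DC services must all be running before anything else is trusted
    $services = Get-Service -Name NTDS, DNS, Netlogon, KDC -ErrorAction SilentlyContinue
    $result.ServicesRunning = (@($services).Count -eq 4) -and
                              (@($services | Where-Object { $_.Status -ne 'Running' }).Count -eq 0)

    # This host must see itself as a DC, and the first DC in a forest is also a Global Catalog
    $dc = Get-ADDomainController -Identity $env:COMPUTERNAME -ErrorAction SilentlyContinue
    $result.IsDomainController = [bool]$dc
    $result.IsGlobalCatalog    = [bool]($dc -and $dc.IsGlobalCatalog)

    # Clients locate DCs through this SRV record; if it is missing, Netlogon has not
    # registered in DNS yet or the DNS client settings on the DC are wrong
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFQDN" -Type SRV -ErrorAction SilentlyContinue
    $result.SrvRecordRegistered = [bool]$srv

    # Without the SYSVOL share Group Policy never applies to anything
    $result.SysvolShared = [bool](Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

$check = Test-NewDomainController -DomainFQDN 'lab.domain'
$check | Format-List

# If anything came back False, dcdiag reports the detailed reason (/q prints only failures)
if ($check.PSObject.Properties.Value -contains $false) {
    & C:\Windows\System32\dcdiag.exe /q
}
```

Fix whatever dcdiag reports before continuing; the OU and DHCP steps below depend on the AD PowerShell module and on name resolution working on this host.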

# Now you can create some structure and configure your AD. Example:
$DomainFQDN = 'lab.domain'
$DomainNETBIOS = 'LAB'
$ADPath = 'DC=lab,DC=domain'
# Create some OU structure in AD
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name HQ -Path "$ADPath" -Description 'Only place other OUs in here'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name Users -Path "OU=HQ,$ADPath" -Description 'Users in HQ'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name Resources -Path "OU=HQ,$ADPath" -Description 'Users that are Resources in HQ, e.g meeting rooms, equipment'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name Contacts -Path "OU=HQ,$ADPath" -Description 'Contacts in HQ'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name DistributionLists -Path "OU=HQ,$ADPath" -Description 'Groups that are Distribution Lists in HQ'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name Computers -Path "OU=HQ,$ADPath" -Description 'Only place other OUs in here, new Computers may be placed here but they should be moved as soon as possible to a sub OU'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name Desktops -Path "OU=Computers,OU=HQ,$ADPath" -Description 'Desktop Computers'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name Laptops -Path "OU=Computers,OU=HQ,$ADPath" -Description 'Laptop Computers'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name ThinClients -Path "OU=Computers,OU=HQ,$ADPath" -Description 'Thin Client Computers'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name ComputerAccess -Path "OU=Computers,OU=HQ,$ADPath" -Description 'Groups that define access to Computers'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name Servers -Path "OU=HQ,$ADPath" -Description 'Only place other OUs in here'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name SQL -Path "OU=Servers,OU=HQ,$ADPath" -Description 'SQL Servers'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name Exchange -Path "OU=Servers,OU=HQ,$ADPath" -Description 'Exchange Servers'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name Print -Path "OU=Servers,OU=HQ,$ADPath" -Description 'Print Servers'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name File -Path "OU=Servers,OU=HQ,$ADPath" -Description 'File Servers'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name RD -Path "OU=Servers,OU=HQ,$ADPath" -Description 'Remote Desktop Servers'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name SC -Path "OU=Servers,OU=HQ,$ADPath" -Description 'System Center Servers'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name ServerAccess -Path "OU=Servers,OU=HQ,$ADPath" -Description 'Groups that define access to Servers'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name Groups -Path "OU=HQ,$ADPath" -Description 'Only place other OUs in here'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name Roles -Path "OU=Groups,OU=HQ,$ADPath" -Description 'Groups that define a Role, e.g Staff'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name Resources -Path "OU=Groups,OU=HQ,$ADPath" -Description 'Groups that define a Resource, e.g Printers'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name Administrators -Path "OU=HQ,$ADPath" -Description 'Only place other OUs in here'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name Users -Path "OU=Administrators,OU=HQ,$ADPath" -Description 'Administrators in HQ'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name Groups -Path "OU=Administrators,OU=HQ,$ADPath" -Description 'Groups that define Administrative Roles, e.g. DesktopSupport'
New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True -Name ServiceAccounts -Path "OU=HQ,$ADPath" -Description 'Accounts used by services and applications'

# Enable the AD Recycle Bin (this cannot be undone; it requires forest functional level 2008 R2 or later, which the Win2012 forest mode above satisfies):
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $DomainFQDN -Confirm:$False

# Redirect Users to be placed in correct Organizational Unit for users when created
Set-ADObject -Identity "$ADPath" -Add @{wellKnownObjects="B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=Users,OU=HQ,$ADPath"} -Remove @{wellKnownObjects="B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,$ADPath"}

# Redirect Computers to be placed in correct Organizational Unit for computers when created
Set-ADObject -Identity "$ADPath" -Add @{wellKnownObjects="B:32:AA312825768811D1ADED00C04FD8D5CD:OU=Computers,OU=HQ,$ADPath"} -Remove @{wellKnownObjects="B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,$ADPath"}

# Make all AD OUs protected from accidental deletion
Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

# Set Password never expires on Administrator
# Caveat: an account exempt from expiry never loses a leaked password, so give this account a long, unique password and keep the exemption limited to accounts you deliberately manage this way (lab use is fine; in production prefer a rotation routine)
Set-ADUser -Identity Administrator -PasswordNeverExpires $True
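The container redirect above is the least visible of these changes, since nothing complains if it did not apply and new accounts simply keep landing in CN=Users. The function below is an added example, not code from the original post; it assumes the domain DN DC=lab,DC=domain used above and reads the configuration back: the two wellKnownObjects entries, whether the Recycle Bin is actually enabled, which OUs are still unprotected, and an inventory of every account whose password never expires (the Administrator account just configured, and later the service accounts).

```powershell
# Added example (not from the original post): read back the AD configuration made above.
# Assumes the domain DN DC=lab,DC=domain from the rest of the post.
function Test-AdBaseline {
    param([string]$ADPath = 'DC=lab,DC=domain')

    $r = [ordered]@{}

    # wellKnownObjects holds "B:32:<GUID>:<DN>" entries. The GUID names the well-known
    # container (A9D1CA15... = Users, AA312825... = Computers) and the DN is where new
    # objects of that kind land when no -Path is given. Strip the prefix to show the DN.
    $wko = (Get-ADObject -Identity $ADPath -Properties wellKnownObjects).wellKnownObjects
    $r.NewUsersLandIn     = @($wko | Where-Object { $_ -like 'B:32:A9D1CA15*' }) -replace '^B:32:[0-9A-Fa-f]{32}:', ''
    $r.NewComputersLandIn = @($wko | Where-Object { $_ -like 'B:32:AA312825*' }) -replace '^B:32:[0-9A-Fa-f]{32}:', ''

    # EnabledScopes stays empty until the Recycle Bin has been switched on
    $rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    $r.RecycleBinEnabled = (@($rb.EnabledScopes).Count -gt 0)

    # Every OU should be protected from accidental deletion; list any that are not
    $r.UnprotectedOUs = @(Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object -ExpandProperty DistinguishedName)

    # Each account exempt from password expiry is a password that is never rotated,
    # so keep an explicit inventory of them
    $r.PasswordNeverExpires = @(Get-ADUser -Filter 'PasswordNeverExpires -eq $true' |
        Select-Object -ExpandProperty SamAccountName)

    [pscustomobject]$r
}

Test-AdBaseline -ADPath 'DC=lab,DC=domain' | Format-List
```

NewUsersLandIn and NewComputersLandIn should show OU=Users,OU=HQ,... and OU=Computers,OU=HQ,... respectively; if they still show CN=Users and CN=Computers, the Set-ADObject calls above were rejected (typically because the -Remove value did not match the existing entry exactly).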

Configure DNS Server:
# DNS configuration: Add a reverse zone for internal network IPv4
Add-DnsServerPrimaryZone 160.168.192.in-addr.arpa -DynamicUpdate Secure -ReplicationScope Domain -DirectoryPartitionName DomainDnsZones.$DomainFQDN
# DNS configuration: Turn on scavenging on all Zones
Set-DnsServerScavenging -ApplyOnAllZones -ScavengingState $True -ScavengingInterval 7.00:00:00
# DNS configuration: Forward external requests to OpenDNS servers (to avoid bothering root servers)
Set-DnsServerForwarder 208.67.222.222, 208.67.220.220
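The three commands above change server-wide settings, and the zone-level effect (aging on each zone, secure-only updates on the reverse zone) is what matters for clients. The function below is an added example rather than code from the original post; it assumes the forward zone lab.domain and the reverse zone 160.168.192.in-addr.arpa created above, and uses www.opendns.com as a name that must resolve through the forwarders (that one check needs Internet access).

```powershell
# Added example (not from the original post): read the DNS server settings back after
# configuring the reverse zone, scavenging and forwarders. Zone names and the external
# test name are assumptions matching the rest of the post.
function Test-DnsServerBaseline {
    param(
        [string[]]$ZoneNames = @('lab.domain', '160.168.192.in-addr.arpa'),
        [string]$ExternalName = 'www.opendns.com'
    )
    $r = [ordered]@{}

    # Forwarders in use, and whether an external name really resolves through this server
    $r.Forwarders = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
    $r.ExternalNameResolves = [bool](Resolve-DnsName -Name $ExternalName -Server 127.0.0.1 -ErrorAction SilentlyContinue)

    $zones = @(Get-DnsServerZone | Where-Object { $ZoneNames -contains $_.ZoneName })
    $r.MissingZones = @($ZoneNames | Where-Object { $zones.ZoneName -notcontains $_ })

    # Only Kerberos-authenticated (Secure) dynamic updates should be accepted on AD-integrated
    # zones; NonsecureAndSecure lets any host on the network overwrite an existing record
    $r.ZonesAllowingInsecureUpdates = @($zones | Where-Object { $_.DynamicUpdate -ne 'Secure' } |
        Select-Object -ExpandProperty ZoneName)
    $r.ZonesNotAdIntegrated = @($zones | Where-Object { -not $_.IsDsIntegrated } |
        Select-Object -ExpandProperty ZoneName)

    # Scavenging only removes stale records from zones where aging is enabled;
    # -ApplyOnAllZones above is what turns it on per zone, so confirm it took
    $r.ZonesWithoutAging = @($zones | ForEach-Object { Get-DnsServerZoneAging -Name $_.ZoneName } |
        Where-Object { -not $_.AgingEnabled } | Select-Object -ExpandProperty ZoneName)
    $r.ServerScavengingOn = (Get-DnsServerScavenging).ScavengingState

    [pscustomobject]$r
}

Test-DnsServerBaseline | Format-List
```

An empty list for ZonesAllowingInsecureUpdates, ZonesNotAdIntegrated and ZonesWithoutAging is the expected result; a zone in the first list is the one to fix first, since a client spoofing a DC's A record is a much bigger problem than a stale record.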

Configure time sync:
# If the DC runs on Hyper-V, stop W32Time from treating the Hyper-V host as its time source by disabling the VMIC time provider inside the guest:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider' -Name 'Enabled' -Value 0

# PS! This disables only the W32Time provider. Do not disable the Hyper-V Time Synchronization integration service itself in the VM settings: it is what corrects the clock when the virtual machine boots or resumes from a saved state, and virtual machines drift over time without it.

# Sync this PDC emulator with a remote time source
& C:\Windows\System32\w32tm.exe /config /manualpeerlist:"0.no.pool.ntp.org,0x1 1.no.pool.ntp.org,0x1 2.no.pool.ntp.org,0x1 3.no.pool.ntp.org,0x1" /syncfromflags:manual /reliable:YES /update
Restart-Service w32time
& C:\Windows\System32\w32tm.exe /resync /rediscover
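The manual peer list belongs on the PDC emulator only: every other DC and member follows the domain hierarchy, which ends at the PDC emulator, and a second DC configured with its own external peers and /reliable:YES gives the domain two competing authoritative clocks, which in turn breaks Kerberos once the skew exceeds the five-minute tolerance. The function below is an added example, not code from the original post; it looks up which DC holds the PDC emulator role and applies the matching configuration, then reads the result back. The NTP pool names are the ones used above (0x1 marks each peer as a SpecialInterval peer polled at the configured SpecialPollInterval).

```powershell
# Added example (not from the original post): configure W32Time according to whether this
# host is the PDC emulator, then report the source it actually uses.
function Set-DcTimeSource {
    param(
        [string[]]$Peers = @('0.no.pool.ntp.org', '1.no.pool.ntp.org', '2.no.pool.ntp.org', '3.no.pool.ntp.org')
    )
    $w32tm = "$env:SystemRoot\System32\w32tm.exe"

    # PDCEmulator is the FQDN of the role holder, e.g. DC1.lab.domain
    $pdc   = (Get-ADDomain).PDCEmulator
    $isPdc = $pdc -like "$env:COMPUTERNAME.*"

    if ($isPdc) {
        # Only the PDC emulator chases an external source and advertises itself as reliable
        $peerList = ($Peers | ForEach-Object { "$_,0x1" }) -join ' '
        & $w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:YES /update | Out-Null
    }
    else {
        # Every other DC follows the domain hierarchy and must not claim to be reliable,
        # otherwise clients may pick it over the PDC emulator
        & $w32tm /config /syncfromflags:domhier /reliable:NO /update | Out-Null
    }

    Restart-Service w32time
    & $w32tm /resync /rediscover | Out-Null

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        PdcEmulator = $pdc
        IsPdc       = $isPdc
        Source      = (& $w32tm /query /source)
        Status      = (& $w32tm /query /status)
    }
}

Set-DcTimeSource | Format-List
```

On the first DC of a new forest IsPdc is True and Source should name one of the pool servers; on any DC added later it should be the PDC emulator. If Source still reads "Local CMOS Clock" the peers were not reachable (UDP 123 outbound) and the status output shows the last attempt.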

Configure DHCP for IPv4:
# DHCP configuration: Add DHCP securitygroups to AD
& C:\Windows\System32\netsh.exe dhcp add securitygroups
# DHCP configuration: Set the path to the DHCP audit log and limit its size to 100 MB (the log records every lease, which is what you go back to when tracing an IP address to a client)
Set-DhcpServerAuditLog -ComputerName "DC1.$DomainFQDN" -Enable $True -Path C:\Windows\system32\dhcp -MaxMBFileSize 100
# DHCP configuration: Set the path to the DHCP database and its backup, and change the backup and cleanup intervals from 1 hour (the default) to 2 hours (the values are minutes)
Set-DhcpServerDatabase -ComputerName "DC1.$DomainFQDN" -FileName C:\Windows\system32\dhcp\dhcp.mdb -BackupPath C:\Windows\system32\dhcp\backup -BackupInterval 120 -CleanupInterval 120
# DHCP configuration: Restart the service to make it take effect
Restart-Service DHCPServer
# DHCP configuration: Bind DHCPv4 to the interface (the alias is Ethernet by default on Server 2012; if it differs, use the alias reported for the adapter by Get-NetAdapter)
Set-DhcpServerv4Binding -BindingState $true -InterfaceAlias Ethernet
# DHCP configuration: Authorize this server as DHCP server in this AD
Add-DhcpServerInDC -DnsName "DC1.$DomainFQDN" -IPAddress 192.168.160.10
# DHCP configuration: Add a Dhcpv4 Scope for the clients
Add-DhcpServerv4Scope -Name "IPv4 CORP Network" -StartRange 192.168.160.1 -EndRange 192.168.160.254 -SubnetMask 255.255.255.0
# DHCP configuration: Set Exclusions for the Dhcpv4 scope
Add-Dhcpserverv4ExclusionRange -ScopeId 192.168.160.0 -StartRange 192.168.160.1 -EndRange 192.168.160.99
Add-Dhcpserverv4ExclusionRange -ScopeId 192.168.160.0 -StartRange 192.168.160.200 -EndRange 192.168.160.254
# DHCP configuration: Set Dhcpv4 Scope Option for Gateway (to satisfy BPA for DHCP)
Set-DhcpServerv4OptionValue -OptionId 3 -Value 192.168.160.5 -ScopeId 192.168.160.0
# DHCP configuration: Set Dhcpv4 Option for DNS
Set-DhcpServerv4OptionValue -OptionId 6 -Value 192.168.160.10
# DHCP configuration: Set Dhcpv4 option 15, the DNS domain name that clients append to unqualified names
Set-DhcpServerv4OptionValue -OptionId 15 -Value $DomainFQDN
# DHCP configuration: Create a dedicated account whose credentials the DHCP server uses when it registers client records in DNS
New-ADUser app-DC1-DNSupd -AccountPassword (Read-Host -AsSecureString -Prompt "Enter Password") -ChangePasswordAtLogon $False -PasswordNeverExpires $True -Path "OU=ServiceAccounts,OU=HQ,$ADPath" -Description "DNS dynamic update registration credentials" -Enabled $True
# DHCP configuration: Add this account to DnsUpdateProxy so it is allowed to register records in DNS and clients can later take ownership of their own records.
# Keep the DC's own computer account OUT of DnsUpdateProxy: records registered by members of that group are created without a secure owner, so a DC in the group would leave its own records (including the SRV records clients use to find it) open to being overwritten by any authenticated user.
Add-ADGroupMember DnsUpdateProxy app-DC1-DNSupd
# DHCP configuration: Register this account with the DHCP server. The DhcpServer cmdlet takes a PSCredential, so the password never appears as a plain-text argument.
# (The netsh equivalent, "netsh dhcp server set dnscredentials <user> <domain> <password>", wants the password in clear text on the command line and does not accept a SecureString object; passing one only sends it the literal text "System.Security.SecureString".)
Set-DhcpServerDnsCredential -ComputerName "DC1.$DomainFQDN" -Credential (Get-Credential -UserName "$DomainNETBIOS\app-DC1-DNSupd" -Message 'Password for app-DC1-DNSupd')
# DHCP configuration: Because the DHCP Post-Deployment Configuration wizard will complain that it has not been run, we must update the registry
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12" -Name "ConfigurationState" -Value 2
# DHCP configuration: Because the Users container was redirected above, "netsh dhcp add securitygroups" created the DHCP groups in OU=Users,OU=HQ. We want only user accounts there, so move the groups back to the Users container under the domain root
Move-ADObject -Identity "CN=DHCP Administrators,OU=Users,OU=HQ,$ADPath" -TargetPath "CN=Users,$ADPath"
Move-ADObject -Identity "CN=DHCP Users,OU=Users,OU=HQ,$ADPath" -TargetPath "CN=Users,$ADPath"
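Two mistakes in a DHCP setup like this are easy to make and quiet when they happen: a static address (the DC itself, the gateway) ends up inside a leasable part of the scope, and the DC's own computer account ends up in DnsUpdateProxy. The function below is an added example, not code from the original post; it assumes the values used above (DHCP server DC1.lab.domain, scope 192.168.160.0, static addresses 192.168.160.10 and 192.168.160.5, DNS update account app-DC1-DNSupd) and checks authorization, scope state, exclusion coverage, the registered DNS credential and the DnsUpdateProxy membership.

```powershell
# Added example (not from the original post): verify the DHCP configuration made above.
# All defaults are the example values from the post; change them for your environment.
function ConvertTo-IPv4UInt32 {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                 # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-DhcpBaseline {
    param(
        [string]$DhcpServer = 'DC1.lab.domain',
        [string]$ScopeId = '192.168.160.0',
        [string[]]$StaticAddresses = @('192.168.160.10', '192.168.160.5'),
        [string]$DnsUpdateAccount = 'app-DC1-DNSupd'
    )
    $r = [ordered]@{}

    # A DHCP server that is not authorized in AD does not hand out leases on a domain network
    $r.AuthorizedInAD = [bool](Get-DhcpServerInDC | Where-Object { $_.DnsName -eq $DhcpServer })

    $scope = Get-DhcpServerv4Scope -ComputerName $DhcpServer -ScopeId $ScopeId
    $r.ScopeActive = ($scope.State -eq 'Active')

    # Every statically assigned address must fall inside an exclusion range, otherwise the
    # scope 192.168.160.1-254 above can lease it to a client and cause an address conflict
    $exclusions = @(Get-DhcpServerv4ExclusionRange -ComputerName $DhcpServer -ScopeId $ScopeId)
    $r.StaticNotExcluded = @($StaticAddresses | Where-Object {
        $n = ConvertTo-IPv4UInt32 $_
        $covered = $exclusions | Where-Object {
            $n -ge (ConvertTo-IPv4UInt32 "$($_.StartRange)") -and $n -le (ConvertTo-IPv4UInt32 "$($_.EndRange)")
        }
        -not $covered
    })

    # DNS registration must run as the dedicated account, not as the DC's machine account
    $cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
    $r.DnsCredentialUser = $cred.UserName
    $r.DnsCredentialOk   = ($cred.UserName -eq $DnsUpdateAccount)

    # DnsUpdateProxy should contain only that account; a DC in this group registers its own
    # records without a secure owner, which lets any authenticated user overwrite them
    $members = @(Get-ADGroupMember -Identity DnsUpdateProxy | Select-Object -ExpandProperty SamAccountName)
    $r.DnsUpdateProxyMembers = $members
    $r.DcInDnsUpdateProxy    = ($members -contains "$env:COMPUTERNAME$")

    [pscustomobject]$r
}

Test-DhcpBaseline | Format-List
```

With the exclusions above (1-99 and 200-254) both static addresses are covered and StaticNotExcluded comes back empty; DnsUpdateProxyMembers should list only app-DC1-DNSupd and DcInDnsUpdateProxy should be False.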

# Configure extra disks, if any
# Change Drive Letter on DVD Drive to X
gwmi Win32_Volume -Filter "DriveType = '5'" | swmi -Arguments @{DriveLetter = 'X:'}

# Make all offline disks online:
Get-Disk | Where-Object IsOffline -eq $true | Set-Disk -IsOffline $false -IsReadOnly $false

# Initialize all disks that are still RAW (no partition table yet)
Get-Disk | Where-Object PartitionStyle -eq 'RAW' | Initialize-Disk -PartitionStyle MBR

# List all disks without any partitions
Get-Disk | Where-Object NumberOfPartitions -eq 0

# Create a partition on each data disk; change DiskNumber and the other parameters to suit. Examples (the 64 KB allocation unit on the second disk is the usual choice for SQL Server data files):
New-Partition -DiskNumber 2 -UseMaximumSize -AssignDriveLetter | Format-Volume -NewFileSystemLabel 'AppDisk' -FileSystem NTFS -Confirm:$false
New-Partition -DiskNumber 3 -UseMaximumSize -AssignDriveLetter | Format-Volume -NewFileSystemLabel 'sqldb' -FileSystem NTFS -AllocationUnitSize 65536 -Confirm:$false

# Set filesystem label on C disk
Set-Volume -NewFileSystemLabel 'os' -DriveLetter C

# Verify volumes
Get-Volume

# To log off you can simply type:
LOGOFF