My Lab Environment v2.0 (Part 4 - Creating Active Directory)

Part 1 – Introduction

Part 2 – Router & Firewall

Part 3 – Virtual Machines & Templates

Part 4 – Creating Active Directory (This Article)

Our network is ready, our virtual machine templates are ready. Let’s do some real work now and start building our domain!

Creating the virtual machine

Start off by copying the virtual disk file of your Windows Server based template to the virtual hard disks directory of your Hyper-V installation. Rename the disk to the hostname of your virtual machine to-be, in my case “DC01”:

Copy the sysprepped virtual disk file

Next, create your virtual machine and point to the virtual hard disk file we just copied. Also connect your domain controller to the PROD network:

Use the virtual disk file for your VM

I also add a separate Data disk to my virtual machine:

Add a data disk to your VM

Next, power on! Choose your administrator password, disable the Server Manager from starting everytime and logout/login to enable enhanced session mode. Don’t forget to power on your VyOS router or you won’t be able to access the internet.

Configuring your domain controller

On each virtual machine I create, I make a “C:\Provisioning” folder to hold the scripts that I need to configure the machine. I have a different PowerShell script for every server. I usually begin be some general variables:

$lanSegment = "PROD" # the name of the network connection
$domainName = "THVO" # netbios domain name
$domainNameFull = "" # fully qualified domain name
$domainNameFullPath = "dc=thvo,dc=net" # ldap path for my domain
$hostName = "dc01" # hostname for the server
$hostIP = "" # IP address for the server
$hostGateway = "" # IP address of the router
$networkId = "" # subnet mask of the network connection
$rootCaName = "CorpRootCA" # name for my certificat authority
$dirpath = "C:\Provisioning" # directory for additional provisioning assets

Then I proceed to changing some system settings, like the drive letter for the DVD player and the label of the system drive:

# Change label on System disk
$drive = Get-WmiObject -Class win32_volume -Filter "DriveLetter = 'C:'"
Set-WmiInstance -input $drive -Arguments @{Label="System"}

# Change DVD to X
$drive = Get-WmiObject -Class win32_volume -Filter "DriveLetter = 'd:'"
Set-WmiInstance -input $drive -Arguments @{DriveLetter="x:"}

If the virtual machine involves a separate data disk, I configure that as follows:

# Add Data Disk
Get-Disk | ?{$_.OperationalStatus -eq "Offline"} | Initialize-Disk -PartitionStyle MBR
New-Partition -DiskNumber 1 -UseMaximumSize -DriveLetter "d" | Format-Volume -NewFileSystemLabel "Data" -FileSystem "NTFS" -Confirm:$false

For SQL Server data disks, I also include the “-AllocationUnitSize 65536” parameter to create a volume with a 64K cluster size.

The network is configured like this:

# Rename Network Adapters
Get-NetAdapter -Name "Ethernet" | Rename-NetAdapter -NewName $lanSegment

# Configure IP Addressing
New-NetIPAddress -InterfaceAlias $lanSegment -IPAddress $hostIP -PrefixLength 24 -DefaultGateway $hostGateway

I then end the basic configuration by renaming the machine:

# Rename Computer
Rename-Computer -NewName $hostName -Restart

When it concerns a member server, I use this in stead:

# Join Computer to the Domain
$PWord = ConvertTo-SecureString –String "[email protected]" –AsPlainText -Force
$Credential = New-Object –TypeName System.Management.Automation.PSCredential –ArgumentList $adminUser, $PWord
Add-Computer -DomainName $domainNameFull -Credential $Credential -NewName $hostName
Restart-Computer -Force

Because this server will be a domain controller, we have to include some additional actions:

#Create the domain
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-addsforest -domainname $domainNameFull -safemodeadministratorpassword (convertto-securestring "[email protected]" -asplaintext -force) -domainmode win2012r2 -domainnetbiosname $domainName -forestmode win2012r2 -DatabasePath "D:\NTDS\Data" -LogPath "D:\NTDS\Logs" -Confirm:$false
# After reboot change the password policy
Set-ADDefaultDomainPasswordPolicy $domainNameFull -ComplexityEnabled $false -MaxPasswordAge "3650" -PasswordHistoryCount 0 -MinPasswordAge 0

# Add OpenDNS forwarders to our DNS Server

# Add reverse lookup zone
Add-DnsServerPrimaryZone -DynamicUpdate "Secure" -NetworkId $networkId -ReplicationScope "Domain"

# Add AD Site
New-ADReplicationSubnet -Name $networkId -Site Default-First-Site-Name

# Create some OU's
New-ADOrganizationalUnit -Name "Staff" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Service Accounts" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Admin Accounts" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Admin Groups" -ProtectedFromAccidentalDeletion $true

No domain is complete without a certificate authority. This is how this gets created (with a SHA2 algorithm):

# Certificate Services
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools -IncludeAllSubFeature

# Configure Certificate Services
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 5 -CADistinguishedNameSuffix "CN=$rootCAName,$domainNameFullPath" -CACommonName $rootCAName -Confirm:$false -DatabaseDirectory "D:\CertSrv\Data" -LogDirectory "D:\CertSrv\Logs"

That's it!