Test lab setup

Post TechNet test lab: Part 6 (PS Script to install and configure AD)


In the last post I shared the script that I use as a base for all of my test lab VMs. In this post I’ll share the PowerShell I use for configuring my Domain Controller (and the domain in general). Its contents have evolved over time and will continue to do so as I add more and more roles and features to my lab. I could just post all my scripts, but you would have to wade through them to pick out the bits you need, so instead I will split them into tasks.

Installing Active Directory Domain Services role

This is a nice one-liner: as you can see, it installs the AD DS role together with the management tools.

Add-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Creating AD Forest and Domain

This is another quick command; it creates a forest/domain called “test.lab”. You’ll be prompted for the Directory Services Restore Mode (DSRM) password, but apart from that it’s just this line.

Install-ADDSForest -DomainName "Test.Lab"
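As an added example (not from the original post), here is how the two steps above can be run unattended from one script, with the DSRM password prompted for rather than embedded and a health check after the reboot. It assumes it runs elevated on a fresh Windows Server VM that already has a static IP; the NetBIOS name "TEST" and the FQDN "DC01.Test.Lab" used in the check are assumptions based on the domain name in the post.

```powershell
# Added example: unattended AD DS role install and forest creation for the lab DC.
# Assumes an elevated session on a fresh server with a static IP (not the post's own script).
$domainFqdn    = 'Test.Lab'
$domainNetbios = 'TEST'      # assumed NetBIOS name; defaults to the first DNS label if omitted

# Prompt for the DSRM password instead of hard-coding it in the script.
$dsrmPassword = Read-Host -Prompt 'DSRM (restore mode) password' -AsSecureString

# 1. Install the role and its management tools, skipping if already present so the script can be re-run.
if (-not (Get-WindowsFeature -Name AD-Domain-Services).Installed) {
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
}

# 2. Run the prerequisite checker first; it reports problems (DNS, name resolution, credentials)
#    without making any changes.
Import-Module ADDSDeployment
Test-ADDSForestInstallation -DomainName $domainFqdn `
                            -SafeModeAdministratorPassword $dsrmPassword |
    Format-List Status, Message

# 3. Promote to a new forest. -InstallDns gives the lab a DNS server on the DC and
#    -Force suppresses the interactive confirmation. The server reboots when this completes.
Install-ADDSForest -DomainName $domainFqdn `
                   -DomainNetbiosName $domainNetbios `
                   -SafeModeAdministratorPassword $dsrmPassword `
                   -InstallDns `
                   -Force

# 4. After the reboot, run these two lines to confirm the domain and DC came up correctly
#    before moving on to OUs, users and groups.
# Get-ADDomain           | Select-Object DNSRoot, NetBIOSName, DomainMode
# Get-ADDomainController | Select-Object HostName, IsGlobalCatalog, OperatingSystem
```

Step 4 is left commented out because `Install-ADDSForest` reboots the machine; paste those two lines into a new session once the DC is back up.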

Creating Organisational Units (OUs)

These two examples show how to create an OU and a sub-OU.

New-ADOrganizationalUnit -Name "ORG" -Description "ORG" -DisplayName "ORG"

New-ADOrganizationalUnit -Name "Computers" -Path "OU=ORG,DC=Test,DC=Lab" -Description "Computers" -DisplayName "Computers"

Creating a default location for new machine accounts

I didn’t find out about this little gem until recently (Thanks Dave!!), but it specifies which OU you would like all new computer accounts to be created in. At work this OU is a horrible place that won’t even allow you to log on until you move the account to another OU and reboot the machine (FU Dave!!). However, I have used this to apply the GPO settings I would like as soon as the machine joins the domain, saving me the step of moving the accounts and rebooting each VM I create. It sounds lazy, but it is really handy when you’re working with Service Templates, scaling out tiers etc.

redircmp "OU=Staging,OU=Computers,OU=ORG,DC=Test,DC=Lab"

You can specify any OU you want; Staging just seemed logical.
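The OU creation and the redircmp redirect above are shown together in this added example (it is not the post's own script). It builds the ORG / Computers / Staging tree idempotently, protects each OU from accidental deletion, redirects new computer accounts and then verifies the change via Get-ADDomain. The function name New-LabOU is an assumption made for the example; the DNs are derived from whatever domain the script runs in.

```powershell
# Added example: idempotent OU tree plus redirect of new computer accounts (not the post's script).
Import-Module ActiveDirectory

function New-LabOU {
    # Creates OU=$Name under $ParentPath if it does not exist and returns its DN.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ParentPath
    )
    $dn = "OU=$Name,$ParentPath"
    # Get-ADOrganizationalUnit throws when the DN does not exist, so probe it in a try/catch.
    try {
        $null = Get-ADOrganizationalUnit -Identity $dn
        Write-Verbose "OU already present: $dn"
    } catch {
        # ProtectedFromAccidentalDeletion stops a mis-click in ADUC from removing the whole tree.
        New-ADOrganizationalUnit -Name $Name -Path $ParentPath `
                                 -Description $Name -DisplayName $Name `
                                 -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

# Derive the domain DN (e.g. DC=Test,DC=Lab) instead of hard-coding it.
$base      = (Get-ADDomain).DistinguishedName
$orgDn     = New-LabOU -Name 'ORG'       -ParentPath $base
$compDn    = New-LabOU -Name 'Computers' -ParentPath $orgDn
$stagingDn = New-LabOU -Name 'Staging'   -ParentPath $compDn

# Redirect the default location for new computer accounts. Unlike the built-in
# CN=Computers container, an OU can have GPOs linked to it, which is what makes
# "policy applied at join time" work. redircmp needs domain functional level 2003 or higher.
redircmp $stagingDn

# Verify: ComputersContainer should now be the Staging OU rather than CN=Computers.
$current = (Get-ADDomain).ComputersContainer
if ($current -ne $stagingDn) {
    throw "Computer container redirect failed; currently set to '$current'"
}
"New computer accounts will be created in: $current"
```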

Creating Users

When I first did this I was surprised how much code is needed to create a user account, but then it’s been a while since I’ve created anything more than a service account. There are 5 lines to this: the first creates the account, the second sets the password, the third enables the account, and the fourth and fifth set account properties (it’s easy to see which properties).

# Password for the new account (lab only; never leave a plaintext password in a production script)
$thePassword = ConvertTo-SecureString "Password1" -AsPlainText -Force

# 1. Create the account (disabled, no password yet)
New-ADUser -DisplayName:"Gene Hunt" -GivenName:"Gene" -Name:"Gene Hunt" -Path:"OU=Users,OU=ORG,DC=Test,DC=Lab" -SamAccountName:"Gene.Hunt" -Server:"DC01.Test.Lab" -Surname:"Hunt" -Type:"user" -UserPrincipalName:"Gene.Hunt@Test.Lab"

# 2. Set the password. -Reset is required here because the new account has no old password to supply
Set-ADAccountPassword -Identity:"CN=Gene Hunt,OU=Users,OU=ORG,DC=Test,DC=Lab" -NewPassword:$thePassword -Reset -Server:"DC01.Test.Lab"

# 3. Enable the account now that it has a password
Enable-ADAccount -Identity:"CN=Gene Hunt,OU=Users,OU=ORG,DC=Test,DC=Lab" -Server:"DC01.Test.Lab"

# 4. Add the account to Domain Admins
Add-ADPrincipalGroupMembership -Identity:"CN=Gene Hunt,OU=Users,OU=ORG,DC=Test,DC=Lab" -MemberOf:"CN=Domain Admins,CN=Users,DC=Test,DC=Lab" -Server:"DC01.Test.Lab"

# 5. Account control flags (the original line was missing the leading "S" of Set-ADAccountControl)
Set-ADAccountControl -AccountNotDelegated:$false -AllowReversiblePasswordEncryption:$false -CannotChangePassword:$false -DoesNotRequirePreAuth:$false -Identity:"CN=Gene Hunt,OU=Users,OU=ORG,DC=Test,DC=Lab" -PasswordNeverExpires:$true -Server:"DC01.Test.Lab" -UseDESKeyOnly:$false

# 6. Remaining user properties
Set-ADUser -ChangePasswordAtLogon:$false -Identity:"CN=Gene Hunt,OU=Users,OU=ORG,DC=Test,DC=Lab" -Server:"DC01.Test.Lab" -SmartcardLogonRequired:$false
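The same result can be had in far fewer lines, because New-ADUser accepts the password, enabled state and password flags directly. This added example (not the post's script) wraps that into a reusable function; New-LabUser is an assumed name, the password is read from the console rather than stored in the script, and the -MemberOf parameter makes the Domain Admins membership explicit and optional so ordinary lab users do not get it by default.

```powershell
# Added example: create an enabled lab user in one call (not the post's own script).
Import-Module ActiveDirectory

function New-LabUser {
    param(
        [Parameter(Mandatory)] [string]       $GivenName,
        [Parameter(Mandatory)] [string]       $Surname,
        [Parameter(Mandatory)] [string]       $OUPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [string[]] $MemberOf = @(),            # optional group names, e.g. 'Domain Admins'
        [switch]   $PasswordNeverExpires       # lab convenience; off by default
    )
    $sam    = "$GivenName.$Surname"
    $domain = (Get-ADDomain).DNSRoot           # e.g. Test.Lab

    # Skip accounts that already exist so the provisioning script can be re-run safely.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "User $sam already exists; skipping creation"
    } else {
        # AD rejects ChangePasswordAtLogon together with PasswordNeverExpires, so only
        # force a change at first logon when the password is allowed to expire.
        New-ADUser -Name "$GivenName $Surname" -DisplayName "$GivenName $Surname" `
                   -GivenName $GivenName -Surname $Surname `
                   -SamAccountName $sam -UserPrincipalName "$sam@$domain" `
                   -Path $OUPath `
                   -AccountPassword $Password -Enabled $true `
                   -ChangePasswordAtLogon (-not $PasswordNeverExpires.IsPresent) `
                   -PasswordNeverExpires $PasswordNeverExpires.IsPresent
    }

    foreach ($group in $MemberOf) {
        Add-ADGroupMember -Identity $group -Members $sam
    }

    # Return the finished object so the caller can see what was actually set.
    Get-ADUser -Identity $sam -Properties MemberOf, PasswordNeverExpires, Enabled
}

# Usage (constructed values): prompt for the password, then build the account from the post.
$pw = Read-Host -Prompt 'Password for Gene.Hunt' -AsSecureString
New-LabUser -GivenName 'Gene' -Surname 'Hunt' `
            -OUPath 'OU=Users,OU=ORG,DC=Test,DC=Lab' `
            -Password $pw -MemberOf 'Domain Admins' -PasswordNeverExpires
```

Because the domain name and UPN suffix are derived from Get-ADDomain, the function works unchanged in any lab domain, not just Test.Lab.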

Creating Groups

Unlike user accounts, creating a group is a one-liner.

New-ADGroup -Name "Shadow Admins" -SamAccountName ShadowAdmins -GroupCategory Security -GroupScope Global -DisplayName "Shadow Administrators" -Path "CN=Users,DC=Test,DC=Lab" -Description "Members of this group are Shadow Administrators"

Add Users to Groups

Adding users to groups is also a one-liner, and I tend to put the add-user command straight after the group creation, as it makes it easier to add more users, i.e. find the group creation, copy the add-user line, find and replace.

Set-ADGroup -Add:@{'Member'="CN=Shadow.Admin,OU=Users,OU=ORG,DC=Test,DC=Lab"} -Identity:"CN=Shadow Admins,CN=Users,DC=Test,DC=Lab" -Server:"DC01.Test.Lab"
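As an added example (not from the post), the group creation and membership steps above can be combined into one re-runnable function that only adds members who are not already present, and finishes with a recursive listing of the group so nested memberships are visible. Add-LabGroup is an assumed name; the group and member values below are the ones used in the post.

```powershell
# Added example: create a security group if missing and add only the missing members.
Import-Module ActiveDirectory

function Add-LabGroup {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string]   $Path,          # OU or container DN
        [string]   $Description = '',
        [string[]] $Members     = @()                     # sAMAccountNames or DNs
    )
    # Look the group up under $Path; -Filter returns $null rather than throwing when absent.
    $group = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path
    if (-not $group) {
        $group = New-ADGroup -Name $Name `
                             -SamAccountName ($Name -replace '\s', '') `
                             -GroupCategory Security -GroupScope Global `
                             -DisplayName $Name -Description $Description `
                             -Path $Path -PassThru
    }

    # Work out who is already a direct member, then add only the rest.
    $current = Get-ADGroupMember -Identity $group |
               Select-Object -ExpandProperty SamAccountName
    $toAdd = $Members | Where-Object {
        $_ -notin $current -and (Get-ADUser -Filter "SamAccountName -eq '$_'")
    }
    if ($toAdd) {
        Add-ADGroupMember -Identity $group -Members $toAdd
    }

    # Recursive listing shows members picked up through nested groups too,
    # which is the view you want when reviewing anything admin-like.
    Get-ADGroupMember -Identity $group -Recursive |
        Select-Object SamAccountName, objectClass, distinguishedName
}

# Usage with the values from the post.
Add-LabGroup -Name 'Shadow Admins' -Path 'CN=Users,DC=Test,DC=Lab' `
             -Description 'Members of this group are Shadow Administrators' `
             -Members 'Shadow.Admin'
```

The membership check uses sAMAccountNames; if you pass DNs in -Members, compare against the DistinguishedName property instead.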

Creating DNS Entries

I only have one DC in my lab, so I create the DNS entries that I need for other servers as part of its creation scripts. The example below is from my 2008 RDS farm. I might not deploy a 2008 farm each time I rebuild my lab, but having the entries there makes it easier.

# Target DNS server, zone and the farm name that will resolve to several hosts (round robin)
$dnsServer = "DC01"
$dnsZone = "test.lab"
$domainName2008 = "W2K8RDSFarm.Test.Lab"
$class = 1      # DNS class IN
$ttl = 300      # seconds
$ipaddress0 = "172.16.0.190"
$ipaddress1 = "172.16.0.191"
$ipaddress2 = "172.16.0.192"

# Create one A record per farm member through the MicrosoftDNS WMI provider on the DC
$dnsAType = [wmiclass]"root\MicrosoftDNS:MicrosoftDNS_AType"
$dnsAType.CreateInstanceFromPropertyData($dnsServer, $dnsZone, $domainName2008, $class, $ttl, $ipaddress0)
$dnsAType.CreateInstanceFromPropertyData($dnsServer, $dnsZone, $domainName2008, $class, $ttl, $ipaddress1)
$dnsAType.CreateInstanceFromPropertyData($dnsServer, $dnsZone, $domainName2008, $class, $ttl, $ipaddress2)
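On Windows Server 2012 and later the DnsServer module does the same job without WMI, and it is easier to make re-runnable. This added example (not the post's script) creates the three round-robin A records only if they are missing and then resolves the name to confirm all three answers come back. It assumes the DnsServer module is available and that the DC is reachable as DC01.Test.Lab; the record values are the ones from the post.

```powershell
# Added example: idempotent round-robin A records via the DnsServer module (2012+), not the post's WMI script.
Import-Module DnsServer

$dnsServer = 'DC01.Test.Lab'
$zone      = 'Test.Lab'
$farmName  = 'W2K8RDSFarm'                                   # name relative to the zone
$farmIPs   = '172.16.0.190', '172.16.0.191', '172.16.0.192'  # values from the post
$ttl       = New-TimeSpan -Seconds 300

foreach ($ip in $farmIPs) {
    # Look for an existing A record with this exact name and address so re-runs do not duplicate it.
    $existing = Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone `
                                            -Name $farmName -RRType A -ErrorAction SilentlyContinue |
                Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $ip }
    if ($existing) {
        Write-Verbose "A record $farmName -> $ip already present"
        continue
    }
    Add-DnsServerResourceRecordA -ComputerName $dnsServer -ZoneName $zone `
                                 -Name $farmName -IPv4Address $ip -TimeToLive $ttl
}

# Verify: every configured address should appear in the answer set from the DC.
$answers = Resolve-DnsName -Name "$farmName.$zone" -Server $dnsServer -Type A |
           Select-Object -ExpandProperty IPAddress
$missing = $farmIPs | Where-Object { $_ -notin $answers }
if ($missing) {
    throw "DNS is not returning these farm addresses: $($missing -join ', ')"
}
"Round-robin answers for $farmName.$zone : $($answers -join ', ')"
```

Querying the DC directly with -Server avoids a stale answer from the local resolver cache when you re-run the script shortly after changing records.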

When I reach this point, my lab is ready to test 🙂

Post 1: Post TechNet test lab

Post 2: Hyper-V Host Configuration

Post 3: Creating the VM templates

Post 4: PS Script to deploy VMs

Post 5: Configure deployed VMs General

Post 6: PS Script to install and configure AD

Post 7: Antivirus

Post 8: SSDs, iSCSI and a new layout