
Installing Active Directory Domain Services on Windows Server 2012 (Powershell ADDSDeployment)

July 30th, 2012

It has been a few weeks since Windows Server 2012 RC came out, and I have been trying to make some time to have a first look at it. When I say first look, I don't mean a feature-by-feature comparison, simply because I am not a Windows Server geek; instead I like to look at it by performing a defined task. So my idea here is to set up a domain controller for a new AD forest. I wanted to check out PowerShell v3 as well, hence I decided to explore the PowerShell options for each step. So let's get started.

 

The first thing I wanted to do was to give my PowerShell console a nice title, so I ran the one-liner below:

$host.ui.RawUI.WindowTitle = "[www.get-exchange.info] The Power Of Shell"

Now let's get started. Assume that I have just created a new Windows Server 2012 Hyper-V virtual machine; below is the list of tasks I performed to get this machine set up as the first DC in my AD forest.

1) Rename Computer: run the cmdlet below and the server will restart within a few seconds.

Rename-Computer -ComputerName WIN-S2PN5NMBMD -NewName WIN2012DC -Force -Restart

-ComputerName is not required if you are renaming the local machine; I just wanted to point out that this parameter lets you rename remote computers and restart them too. That makes it a powerful one, and this cmdlet is new in v3.

2) Assign IP Address:

While configuring the network adapter and IP addresses, what I normally do first is disable unnecessary components that are not used in my setup.

2.a) Disable IPv6 and QoS

List the network adapters and identify which adapter needs to be modified; you can use IfIndex, IfAlias or Name to identify an adapter. Once you know which adapter to modify, list its binding components and identify the ones you want to disable. Finally make the changes to the adapter and verify. Note that Microsoft does not recommend disabling IPv6 on domain controllers; it is disabled here for a lab build only:

#Listing Adapters
Get-NetAdapter

#List Binding components
Get-NetAdapterBinding -IfIndex 12 | Format-Table Name,DisplayName,ComponentID,Enabled -AutoSize

#Disabling Components
Set-NetAdapterBinding -Name EtherNet -ComponentID ms_pacer,ms_tcpip6 -Enabled:$false

#Verify Changes
Get-NetAdapterBinding -IfAlias EtherNet | Format-Table Name,DisplayName,Enabled,ComponentID -AutoSize

 

2.b) Set IP Address and DNS Server Address

Assigning an IP address involves listing the existing IP interfaces (this includes the IP-enabled interfaces), disabling DHCP on the interface, removing any existing IP addresses and default gateway on it, assigning the new IP address and gateway, and finally assigning the DNS server addresses.

#List IP Network Interfaces
Get-NetIPInterface

#Disable DHCP
if((Get-NetIPInterface -ifIndex 12).Dhcp -eq "Enabled"){Set-NetIPInterface -ifIndex 12 -Dhcp Disabled}

#Remove Existing IP Address on this adapter if there is any
Get-NetIPAddress -ifIndex 12 | Remove-NetIPAddress -Confirm:$false

#Remove only the Default Gateway entry (0.0.0.0/0) for the Adapter; an unfiltered Get-NetRoute would also return the on-link routes
if(Get-NetRoute -ifIndex 12 -DestinationPrefix 0.0.0.0/0 -ErrorAction 'SilentlyContinue'){Get-NetRoute -ifIndex 12 -DestinationPrefix 0.0.0.0/0 | Remove-NetRoute -Confirm:$false}

#Set New IPAddress
New-NetIPAddress -ifIndex 12 -IPAddress 10.10.10.10 -PrefixLength 24 -DefaultGateway 10.10.10.1 -Confirm:$false | Out-Null

#Set DNS IP Addresses
Get-DnsClientServerAddress -InterfaceIndex 12 -AddressFamily IPv4 | Set-DnsClientServerAddress -ServerAddresses 10.10.10.10,10.10.10.20

#Verify Settings: interface state first, then the address, gateway and DNS servers
Get-NetIPInterface -ifIndex 12
Get-NetIPConfiguration -InterfaceIndex 12

First get the IP interfaces and note down the InterfaceIndex number of the adapter you will modify.

Disable DHCP to set a static IP (the radio button in the GUI).

Remove the existing IPs assigned to this interface; if you are adding an additional address, don't do this.

Remove any default gateway entry attached to this interface (not required if there is other IP configuration on it that needs to be preserved).

Assign the new IP address and gateway.

Verify the new IP address and default gateway.

Set the DNS server IP addresses.

Finally, review using good old ipconfig (just kidding, we have a cmdlet for that too: Get-NetIPConfiguration).
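The steps of section 2 as one parameterized function, added here as an example (it is not the original post's code). It resolves the interface index from the adapter alias instead of hard-coding 12, removes only the IPv4 default route, and returns the resulting configuration so the caller can check it. The adapter alias 'Ethernet' and the addresses are assumptions matching the post's lab values.

```powershell
# Added example: static IPv4 + DNS assignment for a lab DC, parameterized by adapter alias.
function Set-LabStaticIPv4 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $AdapterAlias,   # assumption: 'Ethernet' on Server 2012
        [Parameter(Mandatory)] [string]   $IPAddress,
        [int]                             $PrefixLength = 24,
        [Parameter(Mandatory)] [string]   $DefaultGateway,
        [Parameter(Mandatory)] [string[]] $DnsServers
    )

    # Look the interface index up from the alias rather than trusting a fixed number
    $adapter = Get-NetAdapter -Name $AdapterAlias -ErrorAction Stop
    $ifIndex = $adapter.ifIndex

    if ($PSCmdlet.ShouldProcess("$AdapterAlias (ifIndex $ifIndex)", "Set static IPv4 $IPAddress/$PrefixLength")) {

        # Static addressing: turn DHCP off on the IPv4 side of this interface only
        Set-NetIPInterface -InterfaceIndex $ifIndex -AddressFamily IPv4 -Dhcp Disabled

        # Remove existing IPv4 addresses (skip this block if you are adding a secondary address)
        Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Remove-NetIPAddress -Confirm:$false

        # Remove only the IPv4 default route; New-NetIPAddress -DefaultGateway fails if one already exists
        Get-NetRoute -InterfaceIndex $ifIndex -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
            Remove-NetRoute -Confirm:$false

        New-NetIPAddress -InterfaceIndex $ifIndex -IPAddress $IPAddress -PrefixLength $PrefixLength `
            -DefaultGateway $DefaultGateway -Confirm:$false | Out-Null

        Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $DnsServers
    }

    # Return the resulting configuration (address, gateway, DNS) for verification
    Get-NetIPConfiguration -InterfaceIndex $ifIndex
}

# Usage with the post's lab values (assumed adapter alias 'Ethernet')
$cfg = Set-LabStaticIPv4 -AdapterAlias 'Ethernet' -IPAddress 10.10.10.10 -DefaultGateway 10.10.10.1 `
                         -DnsServers 10.10.10.10, 10.10.10.20
if ($cfg.IPv4Address.IPAddress -ne '10.10.10.10') { throw 'Static address was not applied' }
$cfg
```

Because the function declares SupportsShouldProcess, `Set-LabStaticIPv4 ... -WhatIf` shows what would change without touching the adapter, which is the safe way to try it on a box you are connected to remotely.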

 

3) Install Active Directory Domain Services

3.1) Install Windows Feature  AD-Domain-Services

# Installing Features required for AD DS
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

#List all the cmdlets available for DS Deployment:
Get-Command -Module ADDSDeployment
# Use Test-ADDSForestInstallation to check the prerequisites; it takes the same parameters as Install-ADDSForest

3.2) Install AD Forest

#Installing AD DS: this is a single command, continued across lines with backticks
#The DSRM (Safe Mode Administrator) password is in clear text here for a lab; in real scripts read it with Read-Host -AsSecureString
Install-ADDSForest -DomainMode Win2008R2 -DomainName "get-exchange.local" -DomainNetBiosName "GetExchange" -ForestMode Win2008R2 `
    -InstallDns -NoDnsOnNetwork -NoRebootOnCompletion -SafeModeAdministratorPassword $("P@ssw0rd123" | ConvertTo-SecureString -AsPlainText -Force) `
    -Confirm:$false -Force -WhatIf

IMPORTANT: I did use -WhatIf, but for whatever reason it was not respected, so take note.

Reboot the server now, then test the forest installation using the cmdlet below:

#Testing Forest Installation (prompts for DomainName and the DSRM password if they are not supplied)
Test-ADDSForestInstallation

Check the status detail and correct it, run again and check the status; it shows an error above, but trust me, I got confused with this cmdlet. Read about it here: this cmdlet is actually for checking your prerequisites before the actual installation of the AD forest. In my opinion it is the wrong name for this cmdlet.
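Since Test-ADDSForestInstallation takes the same parameters as Install-ADDSForest, the cleanest way to use it is to splat one parameter set into both: run the prerequisite check, stop on failure, and only then install. The following is an added example, not the post's own code; the domain names and functional levels are the post's lab values, and the DSRM password is prompted for rather than embedded in the script.

```powershell
# Added example: prerequisite check and forest install from one splatted parameter set.
# The DSRM password is a Tier-0 secret (it unlocks the DC in Directory Services Restore Mode);
# prompt for it instead of writing it into a script that ends up in version control.
$dsrmPassword = Read-Host -Prompt 'DSRM (Safe Mode Administrator) password' -AsSecureString

$forestParams = @{
    DomainName                    = 'get-exchange.local'   # post's lab value
    DomainNetbiosName             = 'GetExchange'          # post's lab value
    DomainMode                    = 'Win2008R2'
    ForestMode                    = 'Win2008R2'
    InstallDns                    = $true
    NoDnsOnNetwork                = $true                  # no existing DNS server to register with
    SafeModeAdministratorPassword = $dsrmPassword
    NoRebootOnCompletion          = $true
    Force                         = $true                  # suppress the interactive confirmation
}

# Prerequisite check: makes no changes, returns Status/Message/RebootRequired
$result = Test-ADDSForestInstallation @forestParams
if ($result.Status -ne 'Success') {
    $result.Message
    throw 'Forest installation prerequisites did not pass; fix the reported items first'
}

# Same parameters, real installation; reboot explicitly afterwards
Install-ADDSForest @forestParams
Restart-Computer -Force
```

Running the check with exactly the parameters you will install with matters: a prerequisite failure that only shows up for a particular DomainMode or DNS option is invisible if the test and the install use different arguments.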

3.3) Configure DNS

a) Reset the DNS server IP address, as it is set to the loopback address during installation.

Get-DnsClientServerAddress -InterfaceIndex 12 -AddressFamily IPv4 | 
Set-DnsClientServerAddress -ServerAddresses 10.10.10.10,10.10.10.20

b) Create Reverse lookup zone

#10.10.10.in-addr.arpa is the reverse lookup zone for the 10.10.10.0/24 range
#(Add-DnsServerPrimaryZone also accepts -NetworkId 10.10.10.0/24, which derives this zone name for you)
Add-DnsServerPrimaryZone -Name 10.10.10.in-addr.arpa -ReplicationScope Forest -DynamicUpdate Secure

Check DNS by launching NSLOOKUP (yes, I couldn't yet find a replacement for this guy in PowerShell).

So, what we are still missing is the PTR record for the DNS server.

c) Create PTR Record to DC

Add-DnsServerResourceRecordPtr -ZoneName 10.10.10.in-addr.arpa -PtrDomainName win2012dc.get-exchange.local -Name 10

Verify now using nslookup; it should work.
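The reverse zone and PTR steps from 3.3 b) and c), with the nslookup checks done in PowerShell, as an added example (not the post's own code). It uses Resolve-DnsName from the DnsClient module that ships with Windows Server 2012, queries the new DC directly, and fails loudly if forward and reverse records disagree. Zone name, host name and addresses are the post's lab values.

```powershell
# Added example: reverse zone + PTR for the DC, then forward/reverse consistency check.
$zoneName = '10.10.10.in-addr.arpa'              # reverse zone for 10.10.10.0/24
$dcFqdn   = 'win2012dc.get-exchange.local'       # post's lab DC name
$dcIp     = '10.10.10.10'

# -NetworkId selects the reverse-zone parameter set and derives the in-addr.arpa name
if (-not (Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId 10.10.10.0/24 -ReplicationScope Forest -DynamicUpdate Secure
}

# The PTR's -Name is the host part of the reversed address: "10" for 10.10.10.10
$hostOctet = $dcIp.Split('.')[-1]
if (-not (Get-DnsServerResourceRecord -ZoneName $zoneName -Name $hostOctet -RRType Ptr -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordPtr -ZoneName $zoneName -Name $hostOctet -PtrDomainName $dcFqdn
}

# Verify both directions against this DNS server (not whatever the client happens to use)
$forward = Resolve-DnsName -Name $dcFqdn -Type A   -Server $dcIp -ErrorAction Stop
$reverse = Resolve-DnsName -Name $dcIp   -Type PTR -Server $dcIp -ErrorAction Stop

if ($forward.IPAddress -ne $dcIp)  { throw "A record for $dcFqdn does not point to $dcIp" }
if ($reverse.NameHost -ne $dcFqdn) { throw "PTR for $dcIp does not resolve to $dcFqdn" }
"Forward and reverse lookups for $dcFqdn ($dcIp) are consistent"
```

Querying with -Server pins the check to the DC's own DNS service; without it, a stale cache or the other DNS server listed on the client can make a broken zone look fine.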

3.4) Verifying the forest and domain modes: 

(Get-ADForest).ForestMode
(Get-ADDomain).DomainMode

 

4) Basic Configuration and setting up the environment

4.1) Create Two OUs

First I create an OU for the accounts I will be creating in this domain, to separate them from the built-in accounts. Under it, one OU is for test accounts and another for service accounts or special-purpose accounts.

#Creating an OU in Domain Root
New-ADOrganizationalUnit "MyObjects"

#Creating two OUs under MyObjects OU
New-ADOrganizationalUnit "Test-Accounts"  -Path "ou=MyObjects,dc=get-exchange,dc=local"

New-ADOrganizationalUnit "Special-Accounts"  -Path "ou=MyObjects,dc=get-exchange,dc=local"

 

4.2) Creating User Accounts

#Creating a test account (the password is in clear text here for a lab; in real scripts prompt with Read-Host -AsSecureString)
New-ADUser -Name TestUser01 -SamAccountName TestUser01 -GivenName Test -Surname User01 -DisplayName "Test User 01" -Enabled:$true -AccountPassword $("P@ssw0rd1" | ConvertTo-SecureString -AsPlainText -Force) -Path "ou=Test-Accounts,ou=MyObjects,dc=get-exchange,dc=local"

#Creating a special account
New-ADUser -Name ExAdmin -SamAccountName ExAdmin -DisplayName "ExAdmin (Exchange Service Account)" -Enabled:$true -AccountPassword $("P@ssw0rd1" | ConvertTo-SecureString -AsPlainText -Force) -Path "ou=Special-Accounts,ou=MyObjects,dc=get-exchange,dc=local"

 

4.3) Adding the special account to the required groups:

#Add the service account to the full-privilege groups
Add-ADGroupMember -Identity "Enterprise Admins" -Members ExAdmin
Add-ADGroupMember -Identity "Domain Admins" -Members ExAdmin
Add-ADGroupMember -Identity "Schema Admins" -Members ExAdmin

These three groups are the most privileged in the forest. The account that runs Exchange setup needs Schema Admins and Enterprise Admins for the schema and forest preparation, but keep the membership temporary and remove it once setup has finished: a service account that sits in these groups permanently is a standing Tier-0 credential, and anyone who compromises the Exchange server gets the whole forest with it.

This is how it looks now in Active Directory Users and Computers.
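The OU, account and group steps of section 4 as one re-runnable script, added here as an example (not the post's own code). It prompts for each password instead of embedding it, skips objects that already exist, verifies the memberships, and keeps the removal step next to the grant so the high-privilege membership does not outlive the Exchange setup that needs it. The OU and account names are the post's lab values; the domain DN is read from the directory.

```powershell
# Added example: OUs, accounts and temporary Tier-0 group membership for the lab.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName        # dc=get-exchange,dc=local in the post's lab
$rootOu   = "OU=MyObjects,$domainDn"

# OUs: create only what is missing so the script can be run again safely
foreach ($ou in @(
        @{ Name = 'MyObjects';        Path = $domainDn },
        @{ Name = 'Test-Accounts';    Path = $rootOu },
        @{ Name = 'Special-Accounts'; Path = $rootOu })) {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$($ou.Name)'" -SearchBase $ou.Path -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
    }
}

# Accounts: passwords are prompted for, never written into the script
$accounts = @(
    @{ Name = 'TestUser01'; GivenName = 'Test'; Surname = 'User01'; DisplayName = 'Test User 01';
       Path = "OU=Test-Accounts,$rootOu" },
    @{ Name = 'ExAdmin'; DisplayName = 'ExAdmin (Exchange Service Account)';
       Path = "OU=Special-Accounts,$rootOu" }
)
foreach ($a in $accounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($a.Name)'") { continue }
    $pw = Read-Host -Prompt "Password for $($a.Name)" -AsSecureString
    $params = @{
        Name            = $a.Name
        SamAccountName  = $a.Name
        DisplayName     = $a.DisplayName
        Path            = $a.Path
        AccountPassword = $pw
        Enabled         = $true
    }
    if ($a.GivenName) { $params.GivenName = $a.GivenName; $params.Surname = $a.Surname }
    New-ADUser @params
}

# Tier-0 memberships: needed while Exchange setup runs, not afterwards
$tier0Groups = 'Enterprise Admins', 'Domain Admins', 'Schema Admins'
foreach ($g in $tier0Groups) { Add-ADGroupMember -Identity $g -Members 'ExAdmin' }

# Verify the memberships actually landed
$members = Get-ADPrincipalGroupMembership -Identity 'ExAdmin' | Select-Object -ExpandProperty Name
$missing = $tier0Groups | Where-Object { $members -notcontains $_ }
if ($missing) { throw "ExAdmin is missing: $($missing -join ', ')" }
"ExAdmin is a member of: $($tier0Groups -join ', ')"

# After Exchange setup has finished, return the account to least privilege:
# foreach ($g in $tier0Groups) { Remove-ADGroupMember -Identity $g -Members 'ExAdmin' -Confirm:$false }
```

Get-ADPrincipalGroupMembership reads the account's memberOf back from the directory, so the check confirms what the DC actually recorded rather than what the Add-ADGroupMember calls intended.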

 

5) Now, in case you want to uninstall the DC (the old demotion with dcpromo.exe), the ADDSDeployment cmdlet is Uninstall-ADDSDomainController.

-LastDomainControllerInDomain is only required if the domain is being removed completely and this is the last DC.
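The demotion itself, as an added example (the original page shows no command for this step, so this is not the post's own code): Test-ADDSDomainControllerUninstallation is run first with the same splatted parameters, and the last-DC-in-domain switches are only added when the caller asks for them. The function name and its -LastDcInDomain switch are this example's own.

```powershell
# Added example: demote this DC, prerequisite-checked, with the last-DC options made explicit.
function Remove-LabDomainController {
    param([switch] $LastDcInDomain)   # set only when tearing the whole domain down

    # Password for the local Administrator account the server gets after demotion
    $localAdminPassword = Read-Host -Prompt 'Local Administrator password after demotion' -AsSecureString

    $demoteParams = @{
        LocalAdministratorPassword = $localAdminPassword
        NoRebootOnCompletion       = $true
        Force                      = $true
    }
    if ($LastDcInDomain) {
        $demoteParams.LastDomainControllerInDomain = $true
        $demoteParams.RemoveApplicationPartitions  = $true   # also drop the DNS application partitions
        $demoteParams.IgnoreLastDnsServerForZone   = $true   # this DC is the last DNS server for its zones
    }

    # Same parameters for the check and the real operation
    $check = Test-ADDSDomainControllerUninstallation @demoteParams
    if ($check.Status -ne 'Success') {
        $check.Message
        throw 'Demotion prerequisites did not pass; nothing was changed'
    }

    Uninstall-ADDSDomainController @demoteParams
    Restart-Computer -Force
}

# Usage for the post's single-DC lab:
#   Remove-LabDomainController -LastDcInDomain
# When other DCs remain in the domain, call it without the switch.
```

Without -LastDomainControllerInDomain the cmdlet expects to hand off to another DC and will refuse if it cannot find one; with it, the domain (and with -RemoveApplicationPartitions its DNS partitions) is gone for good, so the switch is deliberately opt-in.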

 

That's all on installing AD Domain Services.

Quick Summary on Cmdlets from AD and Network:

If you list the modules available in Windows Server 2012 for network-related configuration and count the cmdlets in each, you will see the following:

As you see there are about 8 Modules related to Network, from Adapter, to Security to QoS, in total there is about 238 cmdlets and NetConnection remains the small one with just two cmdlets.

Finally, if you check the cmdlets in the ActiveDirectory module on Windows 8 Release Preview you will see 135 cmdlets, whereas in Windows Server 2008 R2 there are 76.
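The listing commands themselves are not on the page; the following is an added example (not the post's own code) of one way to reproduce the module and cmdlet counts quoted above. The counts you get depend on the build, so they may differ from the RC and Release Preview numbers in the post.

```powershell
# Added example: inventory of the Net* modules and their cmdlet counts, plus the AD module count.
$netModules = Get-Module -ListAvailable -Name 'Net*' | Select-Object -ExpandProperty Name -Unique

$inventory = foreach ($m in $netModules) {
    # Get-Command auto-imports the module in PowerShell v3; @() keeps .Count safe for single results
    [pscustomobject]@{
        Module  = $m
        Cmdlets = @(Get-Command -Module $m -CommandType Cmdlet, Function).Count
    }
}

$inventory | Sort-Object Cmdlets -Descending | Format-Table -AutoSize
"Network modules: $($inventory.Count); total cmdlets: $(($inventory | Measure-Object -Property Cmdlets -Sum).Sum)"
"ActiveDirectory module cmdlets: $(@(Get-Command -Module ActiveDirectory).Count)"
```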

What's the next post? Of course, the first Exchange 2013 server.

Cheers!