
Automated Construction of an Active Directory Test Environment (2014)
Gil Kirkpatrick, Directory Services MVP, CTO, ViewDS Identity Solutions

Agenda
- Introduction
- Fast provisioning of virtual machine images using Hyper-V and PowerShell
- Parsing LDIF files with PowerShell
- Building DCs with Remote PowerShell
- Extracting domain data from LDIF and populating AD using PowerShell

Automated Creation of an AD Forest
Provision:
- Provision Hyper-V VMs
- Configure networking
- Promote DCs
Populate:
- Build container hierarchy
- Add empty groups
- Add users and computers
- Group memberships
- Populate Group Policy

Hyper-V Differencing Disks
Building the base image: 1. Create VM, 2. Install Windows, 3. Configure, 4. Install other software, 5. SYSPREP, 6. Save base image.
VM1, VM2, VM3: each clone is a differencing disk whose parent is the SYSPREP'd Windows image.

SYSPREP Processing
Windows Setup passes: Windows PE -> Offline Servicing -> Specialize -> OOBE
SYSPREP (Audit / Reseal) -> Generalize -> Shutdown -> Save image

SYSPREP Notes
- Add the Domain Controller role to the base image before SYSPREP; promotion itself happens later, per VM.
- Full unattended OOBE: http://technet.microsoft.com/en-us/library/cc766135(v=ws.10).aspx
- Use Auto-Logon plus a SynchronousCommand (FirstLogonCommands) to run the per-VM setup script on first logon.
- Run sysprep with /MODE:VM: the image will only ever boot as a Hyper-V VM, so hardware re-detection on first boot can be skipped.
- Make sure any checkpoints (snapshots) are merged before saving the base image; a clone chained off an unmerged parent breaks as soon as the chain changes.
- Mark the base image read-only: every clone's differencing disk depends on the parent never changing.

UNATTEND.XML: first-run PowerShell script (FirstLogonCommands in the Microsoft-Windows-Shell-Setup component; the component's other attributes are not shown on the slide)
<component name="Microsoft-Windows-Shell-Setup">
  <FirstLogonCommands>
    <SynchronousCommand wcm:action="add">
      <CommandLine>C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -WindowStyle Hidden -File C:\Setup\Setup.ps1</CommandLine>
      <Description>Last configuration step</Description>
      <Order>1</Order>
    </SynchronousCommand>
  </FirstLogonCommands>
</component>

Clone-VM PowerShell Script (abstracted)
Param($VMName, $BaseVHD)
$vhdFolder = "$VMPath\$VMName\Virtual Hard Disks"        # $VMPath is set elsewhere in the full script
$VHDPath   = "$vhdFolder\$VMName.vhdx"                    # assumed; the slide leaves $VHDPath undefined
$vm = New-VM -Name $VMName -MemoryStartupBytes 2048mb -Generation 2 -BootDevice VHD -NoVHD -Path $VMPath
New-Item $vhdFolder -Type Directory | Out-Null
New-VHD -Path $VHDPath -Differencing -ParentPath $BaseVHD | Out-Null    # the clone is a differencing disk over the read-only base
$vhd = Add-VMHardDiskDrive -VM $vm -Path $VHDPath -ControllerType SCSI -PassThru
Set-VMFirmware -VM $vm -FirstBootDevice $vhd -WhatIf:$WhatIf
Enable-VMIntegrationService -Name "Guest Service Interface" -VM $vm   # lets the host push files into the guest with Copy-VMFile

Demo Cloning a Hyper-V VM Using PowerShell
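The SYSPREP notes above ask for two properties of the base image that the Clone-VM script simply assumes: no unmerged checkpoints, and the file marked read-only. The function below is an added example, not from the slides, that checks both before a clone is chained off the base. It assumes the Hyper-V PowerShell module on the host; the path in the usage line is a placeholder.

```powershell
# Added example (not from the slides): sanity checks on a SYSPREP'd base image before
# differencing disks are chained off it. Assumes the Hyper-V module on the host.
function Test-BaseImage {
    param([Parameter(Mandatory)][string]$BaseVHD)

    $problems = @()
    $item = Get-Item -LiteralPath $BaseVHD -ErrorAction Stop
    $info = Get-VHD -Path $BaseVHD

    # A base must be a fixed or dynamic disk. If it is itself differencing, the "base" is really
    # an unmerged checkpoint and every clone inherits a chain that breaks when the parent moves.
    if ($info.VhdType -eq 'Differencing') {
        $problems += "base image is a differencing disk (parent: $($info.ParentPath)); merge it first"
    }
    # Heuristic: any .avhdx beside the base means a checkpoint was taken and never merged.
    $avhd = Get-ChildItem -Path $item.DirectoryName -Filter '*.avhdx' -ErrorAction SilentlyContinue
    if ($avhd) { $problems += "unmerged checkpoint files present: $(@($avhd.Name) -join ', ')" }
    # Each clone's differencing disk records the parent's identity; any write to the parent
    # invalidates all of them, so the base must be read-only.
    if (-not $item.IsReadOnly) { $problems += "base image is not marked read-only" }

    [pscustomobject]@{ Path = $BaseVHD; IsUsable = ($problems.Count -eq 0); Problems = $problems }
}

# Usage (path is a placeholder):
$check = Test-BaseImage -BaseVHD 'D:\Images\WS2012R2-sysprep.vhdx'
if (-not $check.IsUsable) { $check.Problems | ForEach-Object { Write-Warning $_ } }
```

If the only complaint is the missing read-only flag, `Set-ItemProperty -LiteralPath $BaseVHD -Name IsReadOnly -Value $true` fixes it; the other two problems need the checkpoint merged in Hyper-V Manager or with Merge-VHD before the image is used as a parent.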

Machine Name and Networking How do you configure the networking before the networking is configured?

Prepare-DC (abstracted)
$beforeVols = Get-Volume                  # volumes mounted on the host before attaching the VHD
Mount-VHD $vhdPath | Out-Null             # requires an elevated session
$afterVols  = Get-Volume
# Everything new belongs to the VHD. A Generation 2 image also surfaces EFI/recovery volumes
# without drive letters, so take the first new volume that actually received one.
$newVols = (Compare-Object $beforeVols $afterVols).InputObject
$folder  = "$(($newVols | Where-Object { $_.DriveLetter -match '[A-Z]' } | Select-Object -First 1).DriveLetter):\Setup"
# Write startup script files to $folder (e.g. Copy-Item .\Setup.ps1 -Destination $folder)
Dismount-VHD $vhdPath | Out-Null

Demo Updating Startup Script in VHDX
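Prepare-DC answers the question on the previous slide by writing the script into the offline VHD; what that script does on first logon is not shown. The following is an added example of such a Setup.ps1, not the speaker's script. It assumes Prepare-DC also dropped a C:\Setup\config.json with the keys shown in the comment (an assumed layout), a single-NIC VM, and the FirstLogonCommands entry from the unattend.xml slide.

```powershell
# Added example: a Setup.ps1 of the kind Prepare-DC drops into C:\Setup and unattend.xml runs at
# first logon. Not the slides' script. Assumes C:\Setup\config.json with the keys used below.
$ErrorActionPreference = 'Stop'
$log = 'C:\Setup\setup.log'
function Log($msg) { "$(Get-Date -Format s) $msg" | Add-Content -Path $log }

# Example config.json (constructed):
# { "ComputerName": "DC1", "IPAddress": "10.0.0.10", "PrefixLength": 24,
#   "Gateway": "10.0.0.1", "DnsServers": ["10.0.0.10"] }
$cfg = Get-Content -Raw 'C:\Setup\config.json' | ConvertFrom-Json
Log "Configuring $($cfg.ComputerName)"

# Single-NIC VM assumed: the one adapter that is up is the one to configure.
$adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1

# Clear DHCP/APIPA state first so the static address is the only IPv4 address on the NIC.
Set-NetIPInterface -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $adapter.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceIndex $adapter.ifIndex -IPAddress $cfg.IPAddress `
    -PrefixLength $cfg.PrefixLength -DefaultGateway $cfg.Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $cfg.DnsServers
Log "Static IP $($cfg.IPAddress)/$($cfg.PrefixLength) set on $($adapter.Name)"

# Enable WinRM now so the host can promote this machine with Invoke-Command later.
Set-WSManQuickConfig -Force
Log "WinRM enabled"

# The unattend auto-logon was only needed for this one run. Turn it off and drop the stored
# password value if present, so the VM does not keep logging on as Administrator.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue

# Rename-Computer restarts the VM; the host-side script waits for WinRM to come back.
if ($env:COMPUTERNAME -ne $cfg.ComputerName) {
    Log "Renaming to $($cfg.ComputerName) and restarting"
    Rename-Computer -NewName $cfg.ComputerName -Force -Restart
}
```

Because the script runs from the image with no network yet, everything it needs (the config file, the script itself) has to be on the VHD before first boot, which is exactly why Prepare-DC mounts the disk offline rather than pushing files over the network.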

LDIF File Format (one record; values are "name: value", binary values are base64 after "name::")
dn: CN=DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=testforest,DC=com
changetype: add
objectClass: top
objectClass: server
cn: DC2
distinguishedName: CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testforest,DC=com
uSNCreated: 16459
objectGUID:: VV/CO/ZXL0mUeY6YHOvVKQ==
systemFlags: 1375731712
serverReference: CN=DC2,OU=Domain Controllers,DC=childdomain,DC=testforest,DC=com
dNSHostName: DC2.childdomain.testforest.com
objectCategory: CN=Server,CN=Schema,CN=Configuration,DC=testforest,DC=com

Extracting DCs from the Config LDIF
Get-LDIFRecords (https://github.com/GilKirkpatrick/LDIFPowerShell) consumes LDIF and produces PowerShell pipeline items, one object per record with one property per attribute.
PS> Get-LDIFRecords config.ldif | Where { $_.objectClass -eq "server" } | Select dnsHostName
objectClass is multi-valued; -eq against an array returns the matching elements, so the comparison works as a filter.

Demo Consuming LDIF Records with PowerShell

The LDIFDistinguishedName Class (for CN=Smith\, Roger,CN=Users,DC=megacorp,DC=com)
DN :: CN=Smith\, Roger,CN=Users,DC=megacorp,DC=com (returns the DN as a string)
RDN :: CN=Smith\, Roger
Parent :: CN=Users,DC=megacorp,DC=com
NameType :: CN
Name :: Smith\, Roger
Depth :: 4
ParentHierarchy :: {
Note the escaped comma inside the RDN: it is part of the name, not a component separator, which is why splitting a DN on "," is not enough.

Demo Using the LDIFDistinguishedName Class
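To make concrete what Get-LDIFRecords and LDIFDistinguishedName have to handle, here is an added example of a minimal LDIF reader and DN splitter in plain PowerShell. It is not the LDIFPowerShell module's code and does not reproduce its API; it covers the format features visible in the slides (folded continuation lines, base64 "::" values, repeated attributes, escaped commas in RDNs). The sample LDIF text is constructed.

```powershell
# Added example (not the LDIFPowerShell module's code): a minimal LDIF reader and DN splitter.
function ConvertFrom-Ldif {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Pass 1: unfold. A physical line beginning with one space continues the previous logical line.
    $logical = New-Object 'System.Collections.Generic.List[string]'
    foreach ($line in $Lines) {
        if ($line.StartsWith(' ') -and $logical.Count -gt 0) { $logical[$logical.Count - 1] += $line.Substring(1) }
        else { $logical.Add($line) }
    }

    # Pass 2: records are separated by blank lines; each logical line is "attr: value" or
    # "attr:: base64". Attribute names are case-insensitive, as are PowerShell hashtable keys.
    $records = New-Object 'System.Collections.Generic.List[object]'
    $current = $null
    foreach ($line in $logical) {
        if ($line -match '^\s*$') {
            if ($current) { $records.Add([pscustomobject]$current); $current = $null }
            continue
        }
        if ($line.StartsWith('#') -or $line -match '^version:') { continue }
        if ($null -eq $current) { $current = [ordered]@{} }
        if ($line -notmatch '^(?<name>[A-Za-z][\w;.-]*)(?<sep>::?)\s*(?<value>.*)$') { throw "Malformed LDIF line: '$line'" }
        $name  = $Matches.name
        $value = if ($Matches.sep -eq '::') { [Convert]::FromBase64String($Matches.value) } else { $Matches.value }
        if ($current.Contains($name)) {
            # Repeated attribute (objectClass: top / objectClass: server): build an outer array.
            # Unary comma keeps a byte[] value as one element instead of flattening its bytes.
            $existing = $current[$name]
            $list = if ($existing -is [object[]]) { $existing } else { ,$existing }
            $current[$name] = [object[]]($list + ,$value)
        } else { $current[$name] = $value }
    }
    if ($current) { $records.Add([pscustomobject]$current) }
    $records
}

function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DN)
    # Split only on commas not preceded by a backslash: "CN=Smith\, Roger" stays one RDN.
    $parts = @([regex]::Split($DN, '(?<!\\),') | ForEach-Object { $_.Trim() })
    $rdn = $parts[0]
    $eq  = $rdn.IndexOf('=')
    if ($eq -lt 1) { throw "Not a DN: '$DN'" }
    # Ancestors from the immediate parent up to the naming context.
    $ancestors = @()
    if ($parts.Count -gt 1) { $ancestors = @(1..($parts.Count - 1) | ForEach-Object { $parts[$_..($parts.Count - 1)] -join ',' }) }
    $parent = if ($ancestors.Count -gt 0) { $ancestors[0] } else { '' }
    [pscustomobject]@{
        DN = $DN; RDN = $rdn; NameType = $rdn.Substring(0, $eq); Name = $rdn.Substring($eq + 1)
        Parent = $parent; Depth = $parts.Count; ParentHierarchy = $ancestors
    }
}

# Constructed sample: two records, a folded line, a base64 value and an escaped comma in a DN.
$sampleLdif = @'
version: 1
# config partition excerpt
dn: CN=DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=testforest,DC=com
changetype: add
objectClass: top
objectClass: server
cn: DC2
objectGUID:: VV/CO/ZXL0mUeY6YHOvVKQ==
dNSHostName: DC2.childdomain.testforest.com
description: a value folded across
  two physical lines

dn: CN=Smith\, Roger,CN=Users,DC=megacorp,DC=com
changetype: add
objectClass: top
objectClass: user
sAMAccountName: rsmith
'@

$records = @(ConvertFrom-Ldif ($sampleLdif -split "`r?`n"))
$records | Where-Object { $_.objectClass -eq 'server' } | Select-Object dNSHostName   # DC2.childdomain.testforest.com
$records[0].description                                                          # folded line rejoined
New-Object System.Guid -ArgumentList @(,[byte[]]$records[0].objectGUID)           # 16 decoded bytes as a GUID
Split-DistinguishedName $records[1].dn | Format-List                              # RDN, Parent, Depth 4, ...
```

The two-pass structure matters for the real module as well: folding has to be undone before any "attr: value" parsing, otherwise a long base64 objectSid split across lines decodes to garbage. The DN splitter deliberately leaves the backslash in Name, matching what the LDIFDistinguishedName slide shows.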

Promoting DCs with Remote PowerShell
- Set up WinRM on the client and on the target VMs: Set-WSManQuickConfig -Force
- Configure security: PS> Set-Item wsman:\localhost\client\TrustedHosts "<IP1>,<IP2>,..." (much simpler than the winrm command line). Caveat: the VMs are addressed by IP and are not yet domain members, so Kerberos is unavailable; TrustedHosts tells the client to fall back to NTLM without verifying the identity of the host that answers. Acceptable in an isolated lab; never set it to "*" on a management workstation.
- Invoke-Command: variables inside the script block are resolved in the remote machine's scope; use the $using: prefix to reference a variable from the local scope.
- Install-ADDSForest, Install-ADDSDomain, Install-…

DCPROMO with Remote PowerShell
Invoke-Command -Credential $serverCreds -ComputerName $firstDC.IPAddress {
    Install-ADDSForest -DomainMode "Win2012R2" -DomainName $Using:firstDC.domainDNS `
        -DomainNetbiosName $Using:firstDC.Domain -ForestMode "Win2012R2" -NoDnsOnNetwork `
        -SkipPreChecks -SafeModeAdministratorPassword $Using:safeModePWD `
        -Force:$true -Confirm:$false
}
Notes: $safeModePWD is the DSRM password and must be a SecureString. -SkipPreChecks bypasses the prerequisite checks, which shortens a lab build but hides problems a normal promotion would report. Install-ADDSForest reboots the target when it finishes, so the remote session ends and the host has to wait for WinRM to return before the next step.

Demo Promoting Domain Controllers with Remote PowerShell
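The slide's one-liner works, but a script that drives the whole build also has to survive the reboot and pick the right credential afterwards. The following is an added example, not the speaker's script, that wraps the same Install-ADDSForest call with a TrustedHosts entry scoped to the lab, a wait for WinRM to return, and a verification step. It assumes $firstDC (IPAddress, domainDNS, Domain) and $serverCreds (the image's local Administrator) as on the slide, and a lab subnet of 10.0.0.0/24 as a placeholder.

```powershell
# Added example, not the slides' script: the remote promotion plus the pieces the one-liner leaves
# implicit. Assumes $firstDC, $serverCreds as on the slide and a 10.0.0.0/24 lab subnet (placeholder).
function Wait-ForWinRM {
    param([string]$ComputerName, [pscredential]$Credential, [int]$TimeoutSec = 900)
    # Install-ADDSForest reboots the target when it finishes. The remote session is torn down and
    # nothing answers on the WinRM port until the new DC is back, so poll instead of assuming.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Seconds 15
        try {
            Test-WSMan -ComputerName $ComputerName -Credential $Credential -Authentication Negotiate -ErrorAction Stop | Out-Null
            return $true
        } catch { }
    } while ((Get-Date) -lt $deadline)
    return $false
}

# TrustedHosts: the targets are reached by IP and are not domain members yet, so Kerberos is out and
# WinRM falls back to NTLM without verifying who answers. Scope it to the lab subnet, never '*'.
# (Set-Item replaces the list; add -Concatenate to append to an existing one.)
Set-Item WSMan:\localhost\Client\TrustedHosts -Value '10.0.0.*' -Force

# The DSRM password is a SecureString from the start and never held as plain text in the script.
$safeModePWD = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'

Invoke-Command -Credential $serverCreds -ComputerName $firstDC.IPAddress {
    # -SkipPreChecks is deliberately left out: on a fresh image the checks are cheap, and a failed
    # prerequisite is easier to read here than as a half-promoted DC.
    Install-ADDSForest -DomainMode Win2012R2 -ForestMode Win2012R2 `
        -DomainName $Using:firstDC.domainDNS -DomainNetbiosName $Using:firstDC.Domain `
        -SafeModeAdministratorPassword $Using:safeModePWD -NoDnsOnNetwork `
        -Force:$true -Confirm:$false
}

# After promotion the built-in Administrator is the domain's Administrator with the same password;
# authenticate with the domain-qualified name from here on.
$domainCreds = New-Object System.Management.Automation.PSCredential(
    "$($firstDC.Domain)\Administrator", $serverCreds.Password)
if (-not (Wait-ForWinRM -ComputerName $firstDC.IPAddress -Credential $domainCreds)) {
    throw "$($firstDC.IPAddress) did not return after promotion"
}

Invoke-Command -Credential $domainCreds -ComputerName $firstDC.IPAddress {
    # NTDS and DNS come up with the OS; ADWS, which the AD cmdlets depend on, can lag by a few minutes.
    $tries = 0
    while ((Get-Service ADWS).Status -ne 'Running' -and $tries++ -lt 20) { Start-Sleep -Seconds 15 }
    Get-Service NTDS, DNS, ADWS | Select-Object Name, Status
    Get-ADDomainController -Discover -Service PrimaryDC | Select-Object HostName, Domain, Forest
}
```

The same pattern (promote, wait for WinRM, re-authenticate as a domain account, wait for ADWS) applies to the additional DCs built with Install-ADDSDomainController and to child domains built with Install-ADDSDomain, with the new DC pointed at the first one for DNS.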

OUs, containers and GPOs: Build Container Hierarchy
- Parse the domain LDIF for the container structure
- A parent has to exist before its child is created: sort by LDIFDistinguishedName.Depth
- Create with New-ADContainer or New-ADOrganizationalUnit depending on objectClass

Adding Containers and OUs
Get-LDIFRecords $LDIFPath -AsScalar uSNCreated |
    Where { [int]($_.uSNCreated) -gt 16500 -and
            ($_.objectClass -eq "organizationalUnit" -or $_.objectClass -eq "container") } |
    Select dn, objectClass, @{name="Depth"; expression={ $_.dn.Depth }} |
    Sort Depth |
    ForEach-Object {
        if ($_.objectClass -eq "container") { New-ADContainer -Name $_.dn.Name -Path $_.dn.Parent }
        else { New-ADOrganizationalUnit -Name $_.dn.Name -Path $_.dn.Parent }
    }
Notes: -AsScalar uSNCreated makes the attribute a single value so the [int] cast works. The uSNCreated threshold skips the default containers that promotion has already created in the new domain; the number comes from the source domain's own USNs. Sorting by Depth guarantees every parent is created before its children. objectClass has to survive the Select (the slide's version dropped it, so the container branch could never be taken). New-ADContainer is not part of the ActiveDirectory module; the equivalent is New-ADObject -Name <name> -Type container -Path <parent>.

Demo Add Containers and OUs with PowerShell

Adding Users and Groups
- Parse the domain LDIF for users (objectClass user, excluding computers)
- Anonymise user data: the LDIF came from a real directory, so names, logon names and mail addresses are PII and must be replaced before they land in a test environment
- Add users
- Add empty groups first
- Add group memberships last, once every member object exists (after anonymisation, member DNs have to be translated to the new names)

Demo Add Users, Computers, and Groups
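The anonymisation step is where the slide list is thinnest, and it interacts with the membership step: once users get new names, the member DNs in the group records no longer point at anything. The following is an added example, not the speaker's code, that pseudonymises users and computers with a keyed hash so the mapping is stable for one build, then creates groups and resolves memberships through that mapping. Records are assumed to look like Get-LDIFRecords output reduced to plain properties (dn as a string, objectClass as an array, sAMAccountName, member as an array of DNs); the records, target OUs and UPN suffix are constructed placeholders, and the target OUs are assumed to exist from the container pass.

```powershell
# Added example (not the slides' code): anonymising exported users and rebuilding groups and
# memberships so they still line up. Records: dn (string), objectClass (array), sAMAccountName,
# member (array of DNs). Records, OUs and suffix below are constructed placeholders.
$hmacKey = [Text.Encoding]::UTF8.GetBytes((Read-Host -Prompt 'Anonymisation key (keep out of source control)'))

function Get-Pseudonym {
    param([string]$Value, [byte[]]$Key, [int]$Length = 11)
    # Keyed hash rather than a random string: the same source value gives the same pseudonym for the
    # whole build, so member DNs can be translated, while nobody without the key can invert it.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$Key)
    $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Value.ToLowerInvariant()))
    (-join ($hash | ForEach-Object { $_.ToString('x2') })).Substring(0, $Length)
}

$records = @(
    [pscustomobject]@{ dn='CN=Smith\, Roger,OU=Staff,DC=megacorp,DC=com'; objectClass=@('top','person','organizationalPerson','user'); sAMAccountName='rsmith' }
    [pscustomobject]@{ dn='CN=Jane Doe,OU=Staff,DC=megacorp,DC=com';      objectClass=@('top','person','organizationalPerson','user'); sAMAccountName='jdoe' }
    [pscustomobject]@{ dn='CN=WS042,OU=Workstations,DC=megacorp,DC=com';  objectClass=@('top','person','organizationalPerson','user','computer'); sAMAccountName='WS042$' }
    [pscustomobject]@{ dn='CN=Finance,OU=Groups,DC=megacorp,DC=com';      objectClass=@('top','group'); sAMAccountName='Finance'
                       member=@('CN=Smith\, Roger,OU=Staff,DC=megacorp,DC=com','CN=Jane Doe,OU=Staff,DC=megacorp,DC=com') }
    [pscustomobject]@{ dn='CN=All Staff,OU=Groups,DC=megacorp,DC=com';    objectClass=@('top','group'); sAMAccountName='All Staff'
                       member=@('CN=Finance,OU=Groups,DC=megacorp,DC=com','CN=Contractor X,OU=Staff,DC=megacorp,DC=com') }
)
$userOU = 'OU=Staff,DC=testforest,DC=com'; $computerOU = 'OU=Workstations,DC=testforest,DC=com'
$groupOU = 'OU=Groups,DC=testforest,DC=com'; $upnSuffix = 'testforest.com'

$dnMap = @{}   # original DN -> new sAMAccountName, filled as objects are created

# Pass 1: users and computers. Only the pseudonym is carried over; givenName, sn, mail and
# description from the export are never copied. Accounts start disabled with a throwaway password.
foreach ($r in $records | Where-Object { $_.objectClass -contains 'user' }) {
    if ($r.objectClass -contains 'computer') {
        $name = 'pc' + (Get-Pseudonym $r.sAMAccountName.TrimEnd('$') $hmacKey 8)
        New-ADComputer -Name $name -SamAccountName "$name`$" -Path $computerOU -Enabled $false
        $dnMap[$r.dn] = "$name`$"
    } else {
        $name = 'u' + (Get-Pseudonym $r.sAMAccountName $hmacKey)
        New-ADUser -Name $name -SamAccountName $name -UserPrincipalName "$name@$upnSuffix" -Path $userOU `
            -AccountPassword (ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force) -Enabled $false
        $dnMap[$r.dn] = $name
    }
}

# Pass 2: groups, empty, so nested groups can be referenced in pass 3. Group names are kept since
# they describe structure, not people. Scope would come from groupType in a real export; Global here.
$groups = @($records | Where-Object { $_.objectClass -contains 'group' })
foreach ($g in $groups) {
    New-ADGroup -Name $g.sAMAccountName -SamAccountName $g.sAMAccountName -GroupScope Global -Path $groupOU
    $dnMap[$g.dn] = $g.sAMAccountName
}

# Pass 3: memberships through the map. A member DN not in the export (dropped by the uSN filter,
# or a foreign security principal) is reported and skipped, never guessed at.
foreach ($g in $groups) {
    $resolved = @(); $missing = @()
    foreach ($m in @($g.member)) { if ($dnMap.ContainsKey($m)) { $resolved += $dnMap[$m] } else { $missing += $m } }
    if ($resolved) { Add-ADGroupMember -Identity $g.sAMAccountName -Members $resolved }
    if ($missing)  { Write-Warning "$($g.sAMAccountName): $($missing.Count) member(s) not in export" }
}
```

Two design points: the key is asked for at run time rather than stored with the scripts, because anyone holding it can confirm whether a given real account maps to a given test account; and unresolved members are warned about instead of being created on the fly, since silently inventing objects would hide gaps in the export.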

Copying Group Policy
GPO settings live in SYSVOL, not in the directory, so they can't be carried by LDIF. Export them from the source domain with PS> Get-GPO -All | Backup-GPO -Path <backup folder> and bring them into the new domain with Import-GPO.

Future Work
- Finish anonymisation
- Azure
- Domain and site abstracts
- GPOs
- ACLs

Summary
- SYSPREP
- Cloning Hyper-V VMs
- Using Get-LDIFRecords
- DCPROMO with Remote PowerShell
- Populating AD with Get-LDIFRecords and the AD cmdlets
