
Automated Active Directory Test Environment Construction
This content highlights the automated process for constructing an Active Directory test environment, covering aspects such as fast provisioning of virtual machines, parsing LDIF files, building domain controllers, populating Active Directory, creating an AD forest, configuring networking, and utilizing Hyper-V differencing disks. The process includes steps like installing Windows, customizing and saving base images, utilizing SYSPREP for image processing, and adding domain controller roles with full unattended configurations. PowerShell scripts are employed for various automation tasks throughout the setup.
Presentation Transcript
Automated Construction of an Active Directory Test Environment (2014)
Gil Kirkpatrick, Directory Services MVP
CTO, ViewDS Identity Solutions
Agenda
    Introduction
    Fast provisioning of virtual machine images using Hyper-V and PowerShell
    Parsing LDIF files with PowerShell
    Building DCs with Remote PowerShell
    Extracting domain data from LDIF and populating AD using PowerShell
Automated Creation of an AD Forest (workflow diagram; the steps in the order the deck covers them)
    Provision Hyper-V VMs
    Configure Networking
    Promote DCs
    Build Container Hierarchy
    Add Users and Computers
    Add Empty Groups
    Populate Group Memberships
    Populate Group Policy
Hyper-V Differencing Disks (diagram)
    Create VM -> Install Windows -> Configure -> Install other software -> SYSPREP -> Save base image
    The SYSPREP'd Windows image is the parent disk; VM1, VM2 and VM3 each boot from their own differencing disk
SYSPREP Processing (diagram of the Windows setup passes)
    Windows PE, Offline Servicing, Specialize, OOBE, Audit / Reseal, Generalize, Shutdown, Save image
SYSPREP Notes
    Add the Domain Controller role before sealing the image
    Full unattended OOBE: http://technet.microsoft.com/en-us/library/cc766135(v=ws.10).aspx
    Use Auto-Logon + <SynchronousCommand> to run the first-boot script
    Run SYSPREP with /MODE:VM
    Make sure any snapshots are merged before saving the base image
    Mark the base image read-only (every clone's differencing disk depends on it)
UNATTEND.XML: First Run PowerShell Script
    <component name="Microsoft-Windows-Shell-Setup">
      <FirstLogonCommands>
        <SynchronousCommand wcm:action="add">
          <CommandLine>C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -WindowStyle Hidden -File C:\Setup\Setup.ps1</CommandLine>
          <Description>Last configuration step</Description>
          <Order>1</Order>
        </SynchronousCommand>
      </FirstLogonCommands>
    </component>
Clone-VM PowerShell Script (abstracted)
    Param($VMName, $BaseVHD, $VMPath, [switch]$WhatIf)
    $vhdFolder = "$VMPath\$VMName\Virtual Hard Disks"
    $VHDPath   = "$vhdFolder\$VMName.vhdx"    # differencing disk for this clone (file name assumed)
    $vm = New-VM -Name $VMName -MemoryStartupBytes 2048mb -Generation 2 -BootDevice VHD -NoVHD -Path $VMPath
    New-Item $vhdFolder -Type Directory | Out-Null
    # Child disk whose parent is the read-only SYSPREP'd base image
    New-VHD -Path $VHDPath -Differencing -ParentPath $BaseVHD | Out-Null
    $vhd = Add-VMHardDiskDrive -VM $vm -Path $VHDPath -ControllerType SCSI -PassThru
    Set-VMFirmware -VM $vm -FirstBootDevice $vhd -WhatIf:$WhatIf
    Enable-VMIntegrationService -Name "Guest Service Interface" -VM $vm
Demo Cloning a Hyper-V VM Using PowerShell
Machine Name and Networking: how do you configure the networking before the networking is configured? Write the settings into the VHDX from the host, before the VM boots.
Prepare-DC (abstracted)
    $beforeVols = Get-Volume                  # volumes mounted on the host before attaching the VHDX
    Mount-VHD $vhdPath | Out-Null
    $afterVols  = Get-Volume
    # The drive letter that appeared belongs to the mounted VHDX; the startup files go under its \Setup folder
    $folder = "$((Compare-Object $beforeVols $afterVols).InputObject[0].DriveLetter):\Setup"
    # Write startup script files to $folder
    Dismount-VHD $vhdPath | Out-Null
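Added example, not from the deck: the guest-side C:\Setup\Setup.ps1 that the FirstLogonCommands entry launches. It assumes the host dropped a constructed C:\Setup\config.json (format shown in the comments) next to it while the VHDX was mounted, so the clone gets its name and static address without any network access first.

```powershell
# Added example (not the deck's code). Reads the settings the host wrote into the
# VHDX offline and applies them on first logon. Assumed config file layout:
#   C:\Setup\config.json
#   { "ComputerName": "DC1", "IPAddress": "10.0.0.11", "PrefixLength": 24,
#     "Gateway": "10.0.0.1", "DnsServers": [ "10.0.0.11" ] }
$cfg = Get-Content -Raw 'C:\Setup\config.json' | ConvertFrom-Json

# The clone has a single NIC; take the first connected physical adapter.
$nic = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
if (-not $nic) { throw 'No connected network adapter found' }

# Turn off DHCP and clear any address or route it handed out, so the static
# address is the only one on the interface.
Set-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress $cfg.IPAddress `
    -PrefixLength $cfg.PrefixLength -DefaultGateway $cfg.Gateway | Out-Null
# A DC that will host DNS points at itself; the host put that address in DnsServers.
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $cfg.DnsServers

# Rename last and reboot; the remote promotion step runs once the VM is back up.
if ($env:COMPUTERNAME -ne $cfg.ComputerName) {
    Rename-Computer -NewName $cfg.ComputerName -Force -Restart
}
```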
Demo Updating Startup Script in VHDX
LDIF File Format
    dn: CN=DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=testforest,DC=com
    changetype: add
    objectClass: top
    objectClass: server
    cn: DC2
    distinguishedName: CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testforest,DC=com
    uSNCreated: 16459
    objectGUID:: VV/CO/ZXL0mUeY6YHOvVKQ==
    systemFlags: 1375731712
    serverReference: CN=DC2,OU=Domain Controllers,DC=childdomain,DC=testforest,DC=com
    dNSHostName: DC2.childdomain.testforest.com
    objectCategory: CN=Server,CN=Schema,CN=Configuration,DC=testforest,DC=com
Extracting DCs from Config LDIF
    Get-LDIFRecords (https://github.com/GilKirkpatrick/LDIFPowerShell) consumes LDIF and produces PowerShell pipeline items
    PS> Get-LDIFRecords config.ldif |
    >>   Where {$_.objectClass -eq "server"} |
    >>   Select dnsHostName
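Added example, not the LDIFPowerShell project's code: a minimal LDIF reader (Read-LdifRecords, my own name) that handles the parts of the format visible on the slide, namely folded lines, repeated attributes such as objectClass, and the base64 "::" form used for objectGUID, and then runs the same server query. The sample input is constructed from the record above.

```powershell
function Read-LdifRecords {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Unfold first: a line beginning with a space continues the previous line.
    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($line in $Lines) {
        if ($line -match '^ ' -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += $line.Substring(1)
        } else {
            $unfolded.Add($line)
        }
    }
    $unfolded.Add('')   # a blank line ends a record; this flushes the last one

    $attrs = [ordered]@{}
    foreach ($line in $unfolded) {
        if ($line -eq '') {
            if ($attrs.Count -gt 0) { [pscustomobject]$attrs; $attrs = [ordered]@{} }
            continue
        }
        if ($line.StartsWith('#') -or $line -match '^version:') { continue }
        if ($line -match '^([A-Za-z][\w;.-]*)(::?) ?(.*)$') {
            $name, $sep, $value = $Matches[1], $Matches[2], $Matches[3]
            if ($sep -eq '::') {
                # "::" marks a base64 value; a 16-byte objectGUID becomes a [guid]
                $bytes = [Convert]::FromBase64String($value)
                $value = if ($name -eq 'objectGUID' -and $bytes.Length -eq 16) { [guid]$bytes } else { [Text.Encoding]::UTF8.GetString($bytes) }
            }
            # repeated attribute names (objectClass) accumulate into an array
            if ($attrs.Contains($name)) { $attrs[$name] = @($attrs[$name]) + $value } else { $attrs[$name] = $value }
        }
    }
}

# Constructed sample input, modelled on the record shown on the slide.
$sample = @'
dn: CN=DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=testforest,DC=com
changetype: add
objectClass: top
objectClass: server
cn: DC2
objectGUID:: VV/CO/ZXL0mUeY6YHOvVKQ==
dNSHostName: DC2.childdomain.testforest.com
'@ -split "`r?`n"

# Same query as the slide: server objects from the config partition, by DNS host name.
Read-LdifRecords $sample |
    Where-Object { $_.objectClass -contains 'server' } |
    Select-Object dNSHostName, objectGUID
```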
Demo Consuming LDIF Records with PowerShell
The LDIFDistinguishedName Class (example DN: CN=Smith\, Roger, CN=Users, DC=megacorp, DC=com)
    DN              :: returns the DN as a string
    RDN             :: the leading component (CN=Smith\, Roger)
    Parent          :: the DN with the RDN removed (CN=Users, DC=megacorp, DC=com)
    NameType        :: the attribute type of the RDN (CN)
    Name            :: the value of the RDN (Smith\, Roger)
    Depth           :: 4
    ParentHierarchy :: { CN=Users; CN=Users, DC=megacorp; CN=Users, DC=megacorp, DC=com }
Demo Using the LDIFDistinguishedName Class
Promoting DCs with Remote PowerShell
    Set up WinRM on the client and on the target VMs: Set-WSManQuickConfig -Force
    Configure security: list the target VMs in the client's TrustedHosts
        PS> Set-Item wsman:\localhost\Client\TrustedHosts "<IP1>,<IP2>"
        (TrustedHosts skips server identity verification for those addresses, so keep the list to the lab VMs)
    Much simpler than using the winrm command
    Invoke-Command: variables are in the remote machine's scope; use the $using: prefix to reference local-scope variables
    Install-ADDSForest, Install-ADDSDomain, Install-ADDSDomainController
DCPROMO with Remote PowerShell
    Invoke-Command -Credential $serverCreds -ComputerName $firstDC.IPAddress {
        Install-ADDSForest `
            -DomainMode "Win2012R2" `
            -DomainName $Using:firstDC.domainDNS `
            -DomainNetbiosName $Using:firstDC.Domain `
            -ForestMode "Win2012R2" `
            -NoDnsOnNetwork `
            -SkipPreChecks `
            -SafeModeAdministratorPassword $Using:safeModePWD `
            -Force:$true `
            -Confirm:$false
    }
Demo Promoting Domain Controllers with Remote PowerShell
OUs, Containers and GPOs
    Build the container hierarchy by parsing the domain LDIF for the container structure
    A parent has to exist before its child is created: order by LDIFDistinguishedName.Depth
    New-ADContainer, New-ADOrganizationalUnit
Adding Containers and OUs
    Get-LDIFRecords $LDIFPath -AsScalar uSNCreated |
      Where { [int]($_.uSNCreated) -gt 16500 -and
              ($_.objectClass -eq "organizationalUnit" -or $_.objectClass -eq "container") } |
      Select dn, objectClass, @{name="Depth"; expression={$_.dn.Depth}} |
      Sort Depth |                      # shallower DNs first, so every parent exists before its children
      ForEach-Object {
        if ($_.objectClass -eq "container") {
          New-ADContainer -Name $_.dn.Name -Path $_.dn.Parent
        } else {
          New-ADOrganizationalUnit -Name $_.dn.Name -Path $_.dn.Parent
        }
      }
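Added example, not the LDIFPowerShell project's code: a DN parser (Get-DnInfo, my own name) that produces the properties the LDIFDistinguishedName slide lists while honouring the backslash escape in "CN=Smith\, Roger", then uses Depth to order constructed sample DNs so that parents come before children, which is what the container build step above relies on. ParentHierarchy here lists every ancestor DN nearest-parent first; that shape is my own choice.

```powershell
function Get-DnInfo {
    param([Parameter(Mandatory)][string]$DN)

    # Split on commas not preceded by a backslash, so the escaped "\," in
    # "CN=Smith\, Roger" stays inside its RDN instead of producing a bogus component.
    $rdns = @([regex]::Split($DN, '(?<!\\),') | ForEach-Object { $_.Trim() })
    $rdn  = $rdns[0]
    $eq   = $rdn.IndexOf('=')
    if ($eq -lt 1) { throw "Not a valid RDN: '$rdn'" }

    [pscustomobject]@{
        DN       = $DN
        RDN      = $rdn
        NameType = $rdn.Substring(0, $eq)          # CN, OU, DC, ...
        Name     = $rdn.Substring($eq + 1)         # value, escapes left intact
        Parent   = ($rdns | Select-Object -Skip 1) -join ','
        Depth    = $rdns.Count
        # every ancestor DN, nearest parent first, down to the root naming context
        ParentHierarchy = @(for ($i = 1; $i -lt $rdns.Count; $i++) { $rdns[$i..($rdns.Count - 1)] -join ',' })
    }
}

# The slide's example: Depth is 4 and the escaped comma does not split the RDN.
Get-DnInfo 'CN=Smith\, Roger,CN=Users,DC=megacorp,DC=com' | Format-List

# Constructed DNs in arbitrary order. Sorting by Depth puts every parent before
# its children, so -Path always names a container that already exists.
@('OU=Sales,OU=Corp,DC=megacorp,DC=com', 'CN=Users,DC=megacorp,DC=com', 'OU=Corp,DC=megacorp,DC=com') |
    Sort-Object { (Get-DnInfo $_).Depth } |
    ForEach-Object { '{0}  (create under {1})' -f $_, (Get-DnInfo $_).Parent }
```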
Demo Add Containers and OUs with PowerShell
Adding Users and Groups
    Parsing the domain LDIF for users
    Anonymizing user data
    Adding users
    Adding empty groups
    Adding group memberships
Demo Add Users, Computers, and Groups
Copying Group Policy
    Can't use LDIF for GPOs; back them up with the GroupPolicy cmdlets instead
    PS> Get-GPO -All | Backup-GPO -Path <backup folder>
Future Work
    Finish anonymisation
    Azure
    Domain and site abstracts
    GPOs
    ACLs
Summary
    SYSPREP
    Cloning Hyper-V VMs
    Using Get-LDIFRecords
    DCPROMO with Remote PowerShell
    Populating AD with Get-LDIFRecords and the AD cmdlets