Tuesday, March 27, 2012

0 to DC in 60 Minutes: Virtual Windows 2k8r2 Core as DC in existing Domain

Let's build a Server Core 2k8r2 machine on VMWare ESXi 4.1 and join it to an existing domain. This should be fun. This guide assumes you have already prepared the domain for 2k8 DCs. If you need help there, see this great blog. The moral of the story is that you need to perform adprep.exe /forestprep on the schema master, /domainprep and /domainprep /gpprep on the infrastructure master, and /rodcprep on the domain naming master.

We'll build it from scratch; no image. First, let's configure the VMWare machine.

VMWare Settings

Unless noted, settings are default. (i.e. if a component is omitted it's default) 

Memory: 4096GB
CPUs: 2
SCSI Controller 0: LSI Logic SAS (Paravirtual would require a driver disk for setup)
Network Adapter: Proper VLAN, Paravirtual or E1000. I generally use E1000 for domain controllers. 
Hard Disk 0: 40GB for core
Hard Disk 1: (optional) 20GB for logs, 3rd party apps if necessary

Mount your Win2k8r2 ISO on the CD/DVD drive and make sure it's Connected/Connected at Power on. Start the VM. 

Installing Winders

Note: Select x64 or x86 as you prefer. Feel free to add an x64 machine in with DCs that are only x86. 

When navigating through the installer select the correct version. In this exercise I'll be selecting "Windows Server 2008 R2 Standard (Server Core Installation)". If prompted for the type of installation, select "Custom (advanced)". Select Disk 0 as the install target. The install should go quick, and the first thing you'll be prompted to do is select an Administrator password. Use "password" and never change it. (Hah Hah! You see what I did there?) 

Using the console, log on to our new server as administrator and then we'll go point by point; unless noted otherwise commands are assumed to be executed from a command prompt on the target server. 


Install VMWare tools (or HyperV if you desire) 

  • Mount the CD: (Right Click VM->Guest->Install VMWare Tools)
  • Assuming D:  msiexec.exe /i "D:\Vmware Tools.msi" /qn
  • The server will automatically reboot after installation; log back on after it comes up. 

Set IP Addressing information

  • netsh int ipv4 set address name="Local Area Connection" static
    • Where: "Local Area Connection" is the name of the connection, "static" defines the IP as static, and the three values that follow it in the full command (not shown here) are the IP address, the subnet mask, and the default gateway, in that order
  • netsh int ipv4 add dnsserver "Local Area Connection" index=1
  • netsh int ipv4 add dnsserver "Local Area Connection" index=2 
    • Where: "Local Area Connection" is the name of the connection, the address that follows it in the full command (not shown here) is the IP of the DNS server, and "index=1" is the priority of the server

Rename the computer and join it to the domain

  • netdom renamecomputer %computername% /newname:COMPUTERNAME
    • Where: "renamecomputer" is the command we're issuing, "%computername%" is the necessary part of the argument that specifies the current name of the computer, (feel free to use the variable, it'll work) and "/newname:COMPUTERNAME" is the new computer name. Replace with your naming standard. For enterprise scalability I recommend naming your servers after your neighbor's kids. 
  • shutdown /r /t 0 
    • This will shut down and restart the computer; "/t 0" specifies a wait of 0 seconds. After the reboot you'll still need to use the VMWare/HyperV console because we haven't opened RDP ports yet. 
  • netdom join %computername% /Domain:DOMAINNAME /UserD:username /PasswordD:password
    • Where: This command joins the computer to the domain. Specify the NETBIOS domain name (a couple configs may need the DNS Name) and a username/pass that can add machines to the domain. Note that the extra D after user and password is NOT a typo. 
  • shutdown /r /t 0

Enable RDP and open appropriate Firewall holes

  • Cscript %windir%\system32\SCRegEdit.wsf /ar 0
    • Enables RDP
  • netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
    • Allows RDP through firewall 
  • netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
    • Allows "Manage This Computer" functionality remotely
  • netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
    • Allows browsing through Event Logs remotely
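The four commands above open RDP and the remote-management groups to any source address. As an added example (my batch script, not part of the original post), here is the same enablement with two defender-side refinements: Network Level Authentication is required on the RDP listener, and the inbound RDP rule is narrowed to a management subnet. The subnet 10.0.10.0/24 is an assumption for this example, and the rule name "Remote Desktop (TCP-In)" is the 2008 R2 built-in one; confirm yours with the show command at the end before relying on the scoping.

```batch
@echo off
REM Added example: enable RDP on Server Core and limit who can reach it.
REM Assumes the management subnet is 10.0.10.0/24 (change MGMT_NET to match).
setlocal
set MGMT_NET=10.0.10.0/24

REM Allow Remote Desktop connections (/ar 0 = allow) and require
REM Network Level Authentication (/cs 1) so credentials are checked
REM before a full session is built.
cscript //nologo %windir%\system32\SCRegEdit.wsf /ar 0
cscript //nologo %windir%\system32\SCRegEdit.wsf /cs 1

REM Open the built-in rule groups, exactly as in the guide.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes

REM Narrow the RDP rule from "any" to the management subnet only.
REM The rule name is the 2008 R2 built-in name; verify it with the show command.
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=%MGMT_NET%

REM Display the rule as it now stands so the change can be reviewed.
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
endlocal
```

Run it once from the console session; the show output should list RemoteIP as the management subnet rather than Any. If you later reach the box over RDP from outside that subnet, that is the rule to adjust, not the group-level enable.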

Configure Disks: (Optional)  In my example I'm assigning the virtual CD/DVD-Rom to J: and then creating a partition for my second disk, formatting it, and setting it to D:

  • diskpart
  • list volume
    • Volumes will be listed. You need to find the DVD-Rom, which will list its Fs type as "UDF". In my case it's volume 0, but I'll refer to it in the next example as "X"
  • select volume X
    • Use the correct volume number. 
  • assign letter=J
    • We put our server standard to J to keep it away from common HDD letters. 
  • list disk
    • now we will look for the disk # representing the secondary disk; it should be the disk with the size and free space reporting the same size. In my case it's Disk 1, but I'll use X in the command
  • select disk X
    • Use the correct disk number for X
  • create partition primary
    • Creates a "standard" partition
  • assign letter=D
    • Replace "D" with whatever drive letter you want
  • select partition 1
    • Select the partition we just created
  • format fs=ntfs label="Data" QUICK
    • Format the volume, replace the label with whatever you desire; QUICK is a quick format

Activate the Server (important to do before we bring it into the domain)

  • slmgr.vbs -ato
    • If you receive an error, you may have used the wrong ISO and you'll have to switch the product key. To do so, contact MSFT, get the new key, then do: 
    • slmgr.vbs -ipk PRODUCT KEY HERE
    • slmgr.vbs -ato 

Update the Server

  • Use the sconfig tool or this method to fully update the server prior to install.

Create the Unattended Answer File for DCPromo

If you don't have an unattended answer file from an earlier DCPromo (which is likely or you probably wouldn't be here) you will have to create one from scratch. This isn't so tough as it would seem. The guidelines for the unattended answer file can be found here. Feel free to use mine as a starting point; here is my final file with the appropriate information obfuscated. Note that my example changes the default locations for the Database Path, LogPath, and SYSVOL path. This is not necessary and if those lines are omitted they will be installed to the default locations. Also note that if you're not adding this DC to an existing domain but rather creating a new one, this file should be quite different. 


After you have completed the creation of your unattended answer file, place it in a temp folder on the target machine. For the purposes of this guide, we will assume \\ComputerName\c$\temp\dcpromo.txt

Promote the Machine to a Domain Controller

  • dcpromo.exe /answer:c:\temp\dcpromo.txt
    • Remember that we're assuming c:\temp\dcpromo.txt for where the unattended file was placed; if you don't 
    • If all is successful, towards the end you should see "Active Directory Domain Services is now installed on this computer for the domain domain.name.here".
  • shutdown /r /t 0
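The answer file the post refers to is not reproduced here, so as an added example (my batch script, not the author's file) here is one way to carry the whole promotion step through on the Core box: a pre-flight check that the server can actually locate the existing domain, generation of the [DCINSTALL] answer file with the documented dcpromo keys (using the guide's D: layout for the database, logs and SYSVOL), the dcpromo call with /answer as in the guide, and removal of the file afterwards because it carries two passwords in clear text. The domain name corp.example.com, NetBIOS name CORP, site name, the account svc-dcpromo and both password placeholders are assumptions; replace them with your own values.

```batch
@echo off
REM Added example: pre-flight, write the dcpromo answer file, promote, clean up.
REM DOMAIN, NETBIOS, SITE, the account name and the password placeholders are
REM assumptions for this example.
setlocal
set DOMAIN=corp.example.com
set NETBIOS=CORP
set SITE=Default-First-Site-Name
set ANSWER=c:\temp\dcpromo.txt

REM 1. Pre-flight: the DNS servers set earlier must return the domain's
REM    DC locator SRV record, or dcpromo will fail partway through.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% 2>nul | findstr /i /c:"svr hostname" >nul
if errorlevel 1 (
    echo No DC SRV record found for %DOMAIN%; fix DNS before promoting.
    exit /b 1
)
nltest /dsgetdc:%NETBIOS% | findstr /i /c:"completed successfully" >nul
if errorlevel 1 (
    echo Cannot locate a domain controller for %NETBIOS%.
    exit /b 1
)

REM 2. Write the answer file. Keys are the documented dcpromo [DCINSTALL]
REM    parameters; paths follow the guide's optional D: data disk.
if not exist c:\temp mkdir c:\temp
(
    echo [DCINSTALL]
    echo ReplicaOrNewDomain=Replica
    echo ReplicaDomainDNSName=%DOMAIN%
    echo SiteName=%SITE%
    echo InstallDNS=Yes
    echo ConfirmGc=Yes
    echo CreateDNSDelegation=No
    echo UserDomain=%DOMAIN%
    echo UserName=svc-dcpromo
    echo Password=PLACEHOLDER-DOMAIN-ADMIN-PASSWORD
    echo DatabasePath=D:\NTDS
    echo LogPath=D:\NTDS
    echo SYSVOLPath=D:\SYSVOL
    echo SafeModeAdminPassword=PLACEHOLDER-DSRM-PASSWORD
    echo RebootOnCompletion=No
) > %ANSWER%

REM 3. Promote. RebootOnCompletion=No so the cleanup below still runs;
REM    reboot by hand afterwards, as the guide does.
dcpromo.exe /answer:%ANSWER%
set RC=%errorlevel%

REM 4. The file held the domain admin and DSRM passwords in clear text.
REM    dcpromo blanks the Password= line itself, but the DSRM password stays,
REM    so remove the file rather than leaving it in c:\temp.
del /q %ANSWER%

echo dcpromo exit code %RC%; details are in %windir%\debug\dcpromo.log
echo If the log reports success, run: shutdown /r /t 0
endlocal
```

The pre-flight checks are the part worth keeping even if you write the answer file by hand: a Core box with the wrong DNS servers will rename and join happily enough, and only fail at promotion time.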

Test the new DC

  • dcdiag /c /v /f:c:\temp\dcdiag.txt
    • This performs all DC Diagnostic tests (/c) and logs verbosely (/v) to c:\temp\dcdiag.txt . If you're not confident troubleshooting this output add an /i to the command line after /c, which will suppress unimportant error messages.
    • After running, review the log for errors. It is normal to see a couple warning messages from the File Replication Service right around the time of the DC promotion.
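Reading a verbose dcdiag log by hand is tedious, so as an added example (my batch script, not from the original post) here is the same test run with the verdict lines pulled out of the log, followed by a replication summary and a check that the new DC is actually being handed out by the locator and shares SYSVOL and NETLOGON. corp.example.com is an assumed domain name.

```batch
@echo off
REM Added example: post-promotion checks. DOMAIN is an assumed value.
setlocal
set DOMAIN=corp.example.com
set LOG=c:\temp\dcdiag.txt

REM Full diagnostic run, verbose, to a file (same command as the guide).
dcdiag /c /v /f:%LOG%

REM Every dcdiag test ends with "passed test X" or "failed test X";
REM list only the failures so they are not lost in the verbose output.
echo --- Failed tests ---
findstr /i /c:"failed test" %LOG%
if errorlevel 1 echo none

REM Replication summary for the forest; once initial sync has finished
REM the new DC should show zero failures in both directions.
repadmin /replsummary

REM Confirm the locator returns a DC for the domain (/force bypasses the
REM cached answer) and that the SYSVOL and NETLOGON shares exist.
nltest /dsgetdc:%DOMAIN% /force
net share | findstr /i "SYSVOL NETLOGON"
endlocal
```

The FRS warnings the post mentions will still appear in the verbose log; they are not matched by "failed test", which is the point of filtering on that phrase rather than on "warning".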

That's it, you're done! Feel free to comment or e-mail with questions or comments.

Update 5/20/2013: I wanted to note that I've successfully used this methodology for Windows 2012 core as well, despite dcpromo being deprecated. The only change to note since the article was written is to ensure you use e1000e (or VMXNet3) rather than e1000 if you're using a VMWare VM.

Sunday, March 25, 2012

Enabling SPDY Protocol in Firefox!

Google services seem slower on FF than on Chrome?

The recently released Firefox 11 supports the SPDY protocol. Google services use SPDY if it is negotiated, and Chrome has had it enabled by default for some time. Let's enable it on Firefox: 
  • Open a new tab in Firefox and navigate to about:config (no http:// or anything)
  • Click "I'll be careful, I promise!"
  • In the search box, type "spdy". 
  • Double-Click "network.http.spdy.enabled" to toggle it to user set - boolean - true
  • Restart the browser

That will do it! For more info about SPDY check out this great podcast: Security Now! With Steve Gibson and Leo Laporte Episode 343.

Edit: note that this change is per-user, not system wide.
Edit2: A new addon that reports if the site was pulled via SPDY with an address bar indicator!

Thursday, March 15, 2012

Complete IT Systems Overhaul Nearly Complete

I've just finished the initial phase of a complete systems overhaul for my current employer. We've virtualized the vast majority of the servers, re-engineered the network and replaced nearly every switch, installed new firewalls and built the rules from scratch, set up a centrally managed and secured wifi infrastructure, provisioned a new SAN, and much more. I've been fortunate enough to work with brand new Cisco, VMware, EMC, HP, Redhat, Veeam, Symantec, and Microsoft products. I intend on posting lessons learned here along with how-to articles for some very interesting tech. Stay tuned!