Scripting the Build of a Server 2008 R2 Test Domain

This information is probably a bit dated now that Server 2012 is out. I haven’t played around with 2012 too much yet; I’ve been focusing on SCCM instead. Server 2012 task sequences are the first thing I’m going to play with next week once we have SP1 installed though :).

Anyways, here we go. This post is about scripting the set-up of a test domain with the following services in the fewest steps possible. It assumes that you want to separate routing out to its own VM.

  • Routing with NAT
  • DNS
  • DHCP
  • ADDS

Step 1 – Routing

Network Configuration

You need an IP boundary for your test domain. The easiest way to do this is to create a private network behind a NAT router. For this to work, you need a private network that is not connected to the internet. On a single host in VMWare ESX, this can be accomplished by creating a vSwitch with no physical adapters, then creating a VMWare Virtual Machine network inside the vSwitch.

Build the VM

Routing is a way of bridging two or more networks. Your virtual server needs to have two network interfaces: one on the private network, and one on a network that can access the internet. Build a VM and configure it this way.

Install and Configure Routing

The following procedure configures the RRAS service as a NAT router.

  1. Start -> Run -> ‘control netconnections’
  2. Rename the interface connected to the internet so that it reads ‘Public Interface’.
  3. Rename the interface connected to the private network so that it reads ‘Private Network’. (Both names must match exactly, because the netsh configuration in step 6 refers to the interfaces by name.)
  4. Configure the ‘Private Network’ interface so that it uses the following IP information:
    IP: 192.168.1.1
    Netmask: 255.255.255.0
    Gateway: <none>
    DNS: <none>
  5. Open PowerShell as administrator, and run the following commands.
    Import-Module ServerManager
    Add-WindowsFeature NPAS-RRAS, NPAS-Routing
  6. Save the following code as C:\Install_Files\config-rras-nat.txt :
    #========================
    # Interface configuration
    #========================
    pushd interface
    popd
    # End of interface configuration
    
    # ----------------------------------
    # IPHTTPS Configuration
    # ----------------------------------
    pushd interface httpstunnel
    reset
    popd
    # End of IPHTTPS configuration
    
    # ----------------------------------
    # IPv4 Configuration
    # ----------------------------------
    pushd interface ipv4
    reset
    set global icmpredirects=disabled
    popd
    # End of IPv4 configuration
    
    # ----------------------------------
    # IPv6 Configuration
    # ----------------------------------
    pushd interface ipv6
    reset
    popd
    # End of IPv6 configuration
    
    # ----------------------------------
    # ISATAP Configuration
    # ----------------------------------
    pushd interface isatap
    popd
    # End of ISATAP configuration
    
    # ----------------------------------
    # 6to4 Configuration
    # ----------------------------------
    pushd interface 6to4
    reset
    popd
    # End of 6to4 configuration
    
    # ----------------------------------
    # ISATAP Configuration
    # ----------------------------------
    pushd interface isatap
    popd
    # End of ISATAP configuration
    
    #========================
    # Port Proxy configuration
    #========================
    pushd interface portproxy
    reset
    popd
    # End of Port Proxy configuration
    
    # ----------------------------------
    # TCP Configuration
    # ----------------------------------
    pushd interface tcp
    reset
    set global rss=enabled chimney=automatic autotuninglevel=normal congestionprovider=ctcp ecncapability=disabled timestamps=disabled netdma=disabled dca=enabled
    popd
    # End of TCP configuration
    
    # ----------------------------------
    # Teredo Configuration
    # ----------------------------------
    pushd interface teredo
    set state type=client servername=teredo.ipv6.microsoft.com. servervirtualip=0.0.0.0
    popd
    # End of Teredo configuration
    
    # ----------------------------------
    # 6to4 Configuration
    # ----------------------------------
    pushd interface 6to4
    reset
    popd
    # End of 6to4 configuration
    
    # ------------------------------------
    # End of Bridge configuration
    # ------------------------------------
    pushd ipsecdosprotection
    reset
    popd
    
    # ----------------------------------------
    # Wired LAN Configuration
    # ----------------------------------------
    pushd lan
    popd
    # End of Wired LAN Configuration.
    
    # ==========================================================
    # Health Registration Authority configuration
    # ==========================================================
    pushd nap hra
    popd
    # End of NAP HRA configuration
    
    # ==========================================================
    # Network Access Protection client configuration
    # ==========================================================
    pushd nap client
    
    # ----------------------------------------------------------
    # Trusted server group configuration
    # ----------------------------------------------------------
    reset trustedservergroup
    
    # ----------------------------------------------------------
    # Cryptographic service provider (CSP) configuration
    # ----------------------------------------------------------
    set csp name = "Microsoft RSA SChannel Cryptographic Provider" keylength = "2048"
    
    # ----------------------------------------------------------
    # Hash algorithm configuration
    # ----------------------------------------------------------
    set hash oid = "1.3.14.3.2.29"
    
    # ----------------------------------------------------------
    # Enforcement configuration
    # ----------------------------------------------------------
    set enforcement id = "79617" admin = "disable" id = "79619" admin = "disable" id = "79621" admin = "disable" id = "79623" admin = "disable"
    
    # ----------------------------------------------------------
    # Tracing configuration
    # ----------------------------------------------------------
    set tracing state = "disable" level = "basic"
    
    # ----------------------------------------------------------
    # User interface configuration
    # ----------------------------------------------------------
    reset userinterface
    popd
    # End of NAP client configuration
    
    # -----------------------------------------
    # Remote Access Configuration
    # -----------------------------------------
    pushd ras
    set authmode mode = standard
    delete authtype type = PAP
    delete authtype type = MD5CHAP
    delete authtype type = MSCHAPv2
    delete authtype type = EAP
    delete authtype type = CERT
    add authtype type = MSCHAPv2
    add authtype type = EAP
    delete link type = SWC
    delete link type = LCP
    add link type = SWC
    add link type = LCP
    delete multilink type = MULTI
    add multilink type = MULTI
    set conf confstate = enabled
    set type ipv4rtrtype = lanonly ipv6rtrtype = none rastype = none
    set wanports device = "WAN Miniport (SSTP)" rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 5
    set wanports device = "WAN Miniport (PPTP)" rasinonly = disabled ddinout = enabled ddoutonly = disabled maxports = 5
    set wanports device = "WAN Miniport (PPPOE)" ddoutonly = enabled
    set wanports device = "WAN Miniport (L2TP)" rasinonly = disabled ddinout = enabled ddoutonly = disabled maxports = 5
    set wanports device = "WAN Miniport (IKEv2)" rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 5
    set user name = Administrator dialin = policy cbpolicy = none
    set user name = Guest dialin = policy cbpolicy = none
    set ikev2connection idletimeout = 5 nwoutagetime = 30
    set ikev2saexpiry saexpirytime = 480 sadatasizelimit = 100
    popd
    
    # End of Remote Access configuration.
    
    # -----------------------------------------
    # Remote Access Diagnostics Configuration
    # -----------------------------------------
    pushd ras diagnostics
    set rastracing component = * state = disabled
    set modemtracing state = disabled
    set cmtracing state = disabled
    set securityeventlog state = disabled
    set loglevel events = warn
    popd
    # End of Remote Access Diagnostics Configuration.
    
    # -----------------------------------------
    # Remote Access IP Configuration
    # -----------------------------------------
    pushd ras ip
    delete pool
    set negotiation mode = allow
    set access mode = all
    set addrreq mode = deny
    set broadcastnameresolution mode = enabled
    set addrassign method = auto
    set preferredadapter
    popd
    
    # End of Remote Access IP configuration.
    
    # -----------------------------------------
    # Remote Access IPv6 Configuration
    # -----------------------------------------
    pushd ras ipv6
    
    set negotiation mode = deny
    set access mode = all
    set routeradvertise mode = enabled
    set prefix prefix = ::
    popd
    # End of Remote Access IPv6 configuration.
    
    # -----------------------------------------
    # Remote Access AAAA Configuration
    # -----------------------------------------
    pushd ras aaaa
    set authentication provider = windows
    set accounting provider = windows
    delete authserver name = *
    delete acctserver name = *
    popd
    # End of Remote Access AAAA configuration.
    
    # Routing Configuration
    pushd routing
    reset
    popd
    # IP Configuration
    pushd routing ip
    reset
    set loglevel error
    add preferenceforprotocol proto=LOCAL preflevel=1
    add preferenceforprotocol proto=STATIC preflevel=3
    add preferenceforprotocol proto=NONDOD preflevel=5
    add preferenceforprotocol proto=AUTOSTATIC preflevel=7
    add preferenceforprotocol proto=NetMgmt preflevel=10
    add preferenceforprotocol proto=RIP preflevel=120
    add interface name="Private Network" state=enable
    set filter name="Private Network" fragcheck=disable
    add interface name="Public Interface" state=enable
    set filter name="Public Interface" fragcheck=disable
    add interface name="Internal" state=enable
    add interface name="Loopback" state=enable
    popd
    # End of IP configuration
    
    # ----------------------------------
    # DNS Proxy configuration
    # ----------------------------------
    pushd routing ip dnsproxy
    uninstall
    popd
    # End of DNS proxy configuration
    
    # ----------------------------------
    # IGMP Configuration
    # ----------------------------------
    pushd routing ip igmp
    uninstall
    install
    set global loglevel = ERROR
    # IGMP configuration for interface "Private Network"
    delete interface name="Private Network"
    add interface name="Private Network" igmpprototype=IGMPRTRV3 ifenabled=enable robustvar=2 startupquerycount=2 startupqueryinterval=31 genqueryinterval=125 genqueryresptime=10 lastmemquerycount=2 lastmemqueryinterval=1000 accnonrtralertpkts=YES
    # IGMP configuration for interface "Public Interface"
    delete interface name="Public Interface"
    add interface name="Public Interface" igmpprototype=IGMPPROXY ifenabled=enable
    popd
    # End of IGMP configuration
    
    # ----------------------------------
    # NAT configuration
    # ----------------------------------
    pushd routing ip nat
    uninstall
    install
    set global tcptimeoutmins=1440 udptimeoutmins=1 loglevel=ERROR
    #NAT Configuration For Interface Private Network
    add interface name="Private Network" mode=PRIVATE
    #NAT Configuration For Interface Public Interface
    add interface name="Public Interface" mode=FULL
    #NAT Configuration For Interface Internal
    add interface name="Internal" mode=PRIVATE
    popd
    
    # ----------------------------------
    # DHCP Relay Agent configuration
    # ----------------------------------
    pushd routing ip relay
    uninstall
    popd
    # End of DHCP Relay configuration
    
    # ----------------------------------
    # RIP configuration
    # ----------------------------------
    pushd routing ip rip
    uninstall
    popd
    # End of RIP configuration
    
    # ----------------------------------
    # Router Discovery Configuration
    # ----------------------------------
    pushd routing ip routerdiscovery
    uninstall
    add interface name="Private Network" disc=disable minint=7 maxint=10 life=30 level=0
    add interface name="Public Interface" disc=disable minint=7 maxint=10 life=30 level=0
    add interface name="Internal" disc=disable minint=7 maxint=10 life=30 level=0
    add interface name="Loopback" disc=disable minint=7 maxint=10 life=30 level=0
    popd
    
    # ----------------------------------
    # DHCP Allocator Configuration
    # ----------------------------------
    pushd routing ip autodhcp
    uninstall
    popd
    # End of DHCP Allocator Configuration
    
    # IPv6 Configuration
    pushd routing ipv6
    set filter name="Private Network" fragcheck=disable
    set filter name="Public Interface" fragcheck=disable
    popd
    # End of IPv6 configuration
    
    # ----------------------------------
    # DHCPv6 Relay Agent configuration
    # ----------------------------------
    pushd routing ipv6 relayv6
    uninstall
    popd
    # End of DHCPv6 Relay configuration
    
    # -----------------------------------------------------------------------
    # Remote Access Demand Dial Configuration
    # -----------------------------------------------------------------------
    pushd ro demanddial
    
    # -----------------------------------------
    # WinHTTP Proxy Configuration
    # -----------------------------------------
    pushd winhttp
    reset proxy
    popd
    
    # End of WinHTTP Proxy Configuration
    popd
    
    popd
    exit
  7. Run the following commands from an elevated command prompt to configure RRAS. (If you run them from PowerShell instead, spell out sc.exe, since ‘sc’ is a PowerShell alias for Set-Content.)
    sc config remoteaccess start= auto
    netsh -f C:\Install_Files\config-rras-nat.txt
    net start remoteaccess
    netsh -f C:\Install_Files\config-rras-nat.txt

For some reason, I can’t figure out how to configure RRAS NAT from the command line without importing the configuration, starting the service, and then importing the same configuration again. If I skip the second import, RRAS doesn’t actually pass traffic. I should really spend more time on this, but meh — it works.
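As an added example (not the post’s own script), here is the routing procedure above, steps 2 through 7, as one PowerShell script for the router VM. It assumes the netsh configuration has already been saved as C:\Install_Files\config-rras-nat.txt, and the two current adapter names in $publicNic and $privateNic are assumptions to adjust (check them with ‘netsh interface show interface’).

```powershell
# Added example, not the post's own script: runs steps 2 to 7 of the routing
# procedure from an elevated PowerShell prompt on the router VM. Assumes the
# netsh configuration has already been saved as $configFile and that the two
# adapters currently carry the (assumed) names below.
$publicNic  = 'Local Area Connection'     # assumption: adapter with internet access
$privateNic = 'Local Area Connection 2'   # assumption: adapter on the isolated vSwitch
$configFile = 'C:\Install_Files\config-rras-nat.txt'

if (-not (Test-Path $configFile)) { throw "Configuration file not found: $configFile" }

# Steps 2 and 3: the netsh configuration refers to the interfaces by these names.
netsh interface set interface "name=$publicNic"  "newname=Public Interface"
netsh interface set interface "name=$privateNic" "newname=Private Network"

# Step 4: static 192.168.1.1/24 on the private side, no gateway and no DNS.
netsh interface ipv4 set address "name=Private Network" source=static address=192.168.1.1 mask=255.255.255.0
netsh interface ipv4 set dnsservers "name=Private Network" source=static address=none

# Step 5: install the RRAS role services.
Import-Module ServerManager
Add-WindowsFeature NPAS-RRAS, NPAS-Routing | Out-Null

# Step 7: import, start, import again (see the note above on the second import).
# sc.exe is spelled out because 'sc' is a PowerShell alias for Set-Content.
sc.exe config remoteaccess start= auto
netsh -f $configFile
net start remoteaccess
netsh -f $configFile

# Checks: the service is running, and NAT is bound to both interfaces.
$svc = Get-Service RemoteAccess
if ($svc.Status -ne 'Running') { throw "RemoteAccess service is $($svc.Status), expected Running" }
netsh routing ip nat show interface
```

The final ‘netsh routing ip nat show interface’ is the quickest way to confirm that ‘Public Interface’ came up in FULL mode and ‘Private Network’ in PRIVATE mode, which is the state the configuration file asks for.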

Installing ADDS

Next, we’ll install a server to run ADDS, DHCP, and DNS. This should provide all the basic network services needed for clients to easily access the internet.

  1. Build a VM with a single network interface, connected to the Private Network.
  2. Configure the IP information as follows:
    IP: 192.168.1.10
    Netmask: 255.255.255.0
    Gateway: 192.168.1.1
    DNS: 192.168.1.10
  3. Open PowerShell and run the following commands:
    Import-Module ServerManager
    Add-WindowsFeature ADDS-Domain-Controller
  4. Save the following code to C:\Install_Files\ADDS-Unattend.txt. Reference: Server 2008 R2 dcpromo.
    [DCINSTALL]
    InstallDNS=yes
    NewDomain=forest
    NewDomainDNSName=devdomain.local
    DomainNetBiosName=devdomain
    SiteName=Default-First-Site-Name
    ReplicaOrNewDomain=domain
    ForestLevel=4
    DomainLevel=4
    DatabasePath="%systemroot%\NTDS"
    LogPath="%systemroot%\NTDS"
    SYSVOLPath="%systemroot%\SYSVOL"
    RebootOnCompletion=yes
    SafeModeAdminPassword=P@ssw0rd
    
  5. Run the following command from the command prompt, then wait for the server to reboot. If things don’t seem to be working, type “echo %errorlevel%” and look up the number returned in the table here: dcpromo exit codes.
    start /wait dcpromo /unattend:C:\Install_Files\ADDS-Unattend.txt
  6. Run the following command to configure your DNS service to forward queries to upstream DNS servers. In the command below, I’m using the Google public DNS service. You may have to use the upstream DNS server of your ISP or organization instead. Ref: Server 2008 R2 dnscmd.
    dnscmd %computername% /resetforwarders 8.8.8.8 8.8.4.4 /timeout 3 /noslave
  7. Next, run the following commands from PowerShell to install the DHCP service:
    Import-Module ServerManager
    Add-WindowsFeature DHCP
  8. Run the following commands from the command prompt to configure DHCP. Reference: Installing DHCP in Server Core.
    sc config dhcpserver start= auto
    net start dhcpserver
    netsh dhcp add server %computername% 192.168.1.10
    netsh dhcp server 192.168.1.10 add scope 192.168.1.0 255.255.255.0 DevDomainScope
    netsh dhcp server 192.168.1.10 scope 192.168.1.0 add iprange 192.168.1.100 192.168.1.200
    netsh dhcp server 192.168.1.10 scope 192.168.1.0 set optionvalue 003 IPADDRESS 192.168.1.1
    netsh dhcp server 192.168.1.10 scope 192.168.1.0 set optionvalue 006 IPADDRESS 192.168.1.10
    netsh dhcp server 192.168.1.10 scope 192.168.1.0 set state 1

Now, any machine connected to your private network should get a DHCP lease that includes a working DNS server and gateway. You can test this by deploying a new Windows VM and seeing if you can surf the internets.
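As an added example (not the post’s own script), here are steps 2 through 8 of the ADDS section as a single PowerShell script for the domain controller VM. Assumptions: it is saved under an assumed name such as Build-TestDC.ps1, the VM’s single adapter is named ‘Local Area Connection’, and it is run twice, first without arguments and then with -PostReboot after the restart. It differs from the post in two deliberate ways: the DSRM password is prompted for and the answer file is deleted once dcpromo has read it (the file stores the password in clear text), which is why it sets RebootOnCompletion=no and leaves the reboot to you after you have checked the exit code.

```powershell
# Added example, not the post's own script. Run elevated on the ADDS VM:
# first without arguments (steps 2-5), then with -PostReboot after the
# server has restarted (steps 6-8).
param([switch]$PostReboot)

$nic      = 'Local Area Connection'              # assumption: the VM's only adapter
$dcIp     = '192.168.1.10'
$unattend = 'C:\Install_Files\ADDS-Unattend.txt'

if (-not $PostReboot) {
    # Step 2: static addressing; the DC points at itself for DNS.
    netsh interface ipv4 set address "name=$nic" source=static "address=$dcIp" mask=255.255.255.0 gateway=192.168.1.1
    netsh interface ipv4 set dnsservers "name=$nic" source=static "address=$dcIp"

    # Step 3: the ADDS binaries.
    Import-Module ServerManager
    Add-WindowsFeature ADDS-Domain-Controller | Out-Null

    # Step 4: the DSRM password is prompted for rather than hard-coded, and the
    # answer file is removed afterwards because it holds the password in clear
    # text. RebootOnCompletion=no (the post uses yes) so the clean-up can run;
    # reboot by hand after checking the exit code.
    $secure = Read-Host 'SafeModeAdmin (DSRM) password' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    New-Item -ItemType Directory -Force -Path (Split-Path $unattend) | Out-Null
    @"
[DCINSTALL]
InstallDNS=yes
NewDomain=forest
NewDomainDNSName=devdomain.local
DomainNetBiosName=devdomain
SiteName=Default-First-Site-Name
ReplicaOrNewDomain=domain
ForestLevel=4
DomainLevel=4
DatabasePath="%systemroot%\NTDS"
LogPath="%systemroot%\NTDS"
SYSVOLPath="%systemroot%\SYSVOL"
RebootOnCompletion=no
SafeModeAdminPassword=$plain
"@ | Set-Content -Path $unattend -Encoding ASCII

    # Step 5: run dcpromo and capture the code the post reads with 'echo %errorlevel%'.
    $proc = Start-Process -FilePath dcpromo.exe -ArgumentList "/unattend:$unattend" -Wait -PassThru
    Remove-Item -Path $unattend -Force
    Write-Host "dcpromo exit code: $($proc.ExitCode). Check it against the dcpromo exit code table, then reboot."
}
else {
    # Step 6: forward unresolved queries upstream (Google public DNS, as in the post).
    dnscmd $env:COMPUTERNAME /resetforwarders 8.8.8.8 8.8.4.4 /timeout 3 /noslave

    # Steps 7 and 8: DHCP role, service, authorization, scope and options
    # (003 = router, 006 = DNS servers).
    Import-Module ServerManager
    Add-WindowsFeature DHCP | Out-Null
    sc.exe config dhcpserver start= auto
    net start dhcpserver
    netsh dhcp add server $env:COMPUTERNAME $dcIp
    netsh dhcp server $dcIp add scope 192.168.1.0 255.255.255.0 DevDomainScope
    netsh dhcp server $dcIp scope 192.168.1.0 add iprange 192.168.1.100 192.168.1.200
    netsh dhcp server $dcIp scope 192.168.1.0 set optionvalue 003 IPADDRESS 192.168.1.1
    netsh dhcp server $dcIp scope 192.168.1.0 set optionvalue 006 IPADDRESS $dcIp
    netsh dhcp server $dcIp scope 192.168.1.0 set state 1

    # Checks: forwarders are set and the scope is active.
    dnscmd $env:COMPUTERNAME /info forwarders
    netsh dhcp server $dcIp show scope
}
```

Keeping the DSRM password out of the script file and out of any leftover answer file matters even on a throw-away lab domain: the same script tends to get copied into a repo or a deployment share later, and the DSRM password is a full local-admin credential for the directory database.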


Dell Bios Updates in SCCM Task Sequences with Powershell (revisited)

[Update] I updated the script on 01/16/13 because it had some bugs. Sorry! Make sure to re-download the latest version from my Github repo below.


We started seeing a lot of task sequence actions dedicated to Dell Bios updates in our task sequences, so I wrote a powershell script to make things a bit more manageable.

Download the script here: John Puskar’s Github Repo.

The script looks up the system model and looks for a subfolder in the script’s working directory that matches the model name. It then reads the trailing digits of any .exe files in that subfolder and treats them as the available BIOS versions, and compares those against the BIOS version the system is currently running.

If the script decides that an update is available in its repository, it picks the next version above the currently running BIOS version and installs it. For example, say there are three update files in a directory: A03, A05, and A07, and your system is running A04. The script will update the system to A05.

If you need to run multiple updates, you must run the script multiple times with a reboot between runs.
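As an added illustration of the selection rule just described (this is not the Dell-BiosUpdates.ps1 from the repo), the following PowerShell implements the “next version above the running one” step and checks it against the post’s A03/A05/A07 example. It assumes Dell-style ‘Axx’ revision tokens at the end of the file names and in SMBIOSBIOSVersion, and it stops at choosing the file; running the update with the BIOS password is left to the real script.

```powershell
# Added example, not the Dell-BiosUpdates.ps1 from the repo: implements the
# selection rule described above for Dell 'Axx' revisions. File names are
# assumed to end in the revision token (e.g. O990-A05.exe) and
# Win32_BIOS.SMBIOSBIOSVersion is assumed to be of the same form.
function Get-BiosRevision {
    param([string]$Text)
    # Trailing 'A' + two digits, optionally followed by .exe; $null otherwise.
    if ($Text -match '(A\d{2})(?:\.exe)?$') { return $Matches[1] }
    return $null
}

function Select-NextBiosUpdate {
    param([string[]]$Available, [string]$Current)
    $cur = Get-BiosRevision $Current
    if (-not $cur) { return $null }
    $candidates = foreach ($file in $Available) {
        $rev = Get-BiosRevision $file
        # Fixed-width tokens, so a plain string comparison orders them correctly.
        if ($rev -and ($rev -gt $cur)) {
            New-Object PSObject -Property @{ File = $file; Revision = $rev }
        }
    }
    # The next step in line: the lowest revision that is above the running one.
    $candidates | Sort-Object Revision | Select-Object -First 1
}

# Constructed self-check using the post's example: A03, A05, A07 on disk, A04 running.
$pick = Select-NextBiosUpdate -Available @('O990-A03.exe','O990-A05.exe','O990-A07.exe') -Current 'A04'
if ($pick.Revision -ne 'A05') { throw "selection rule broken: got $($pick.Revision)" }

# On a real system the inputs come from WMI and the model-named folder beside the script.
$model   = (Get-WmiObject Win32_ComputerSystem).Model.Trim()
$current = (Get-WmiObject Win32_BIOS).SMBIOSBIOSVersion
$folder  = Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) $model
if (Test-Path $folder) {
    $files = Get-ChildItem -Path $folder -Filter *.exe | Select-Object -ExpandProperty Name
    $next  = Select-NextBiosUpdate -Available $files -Current $current
    if ($next) { Write-Host "Next update for $model from $current : $($next.File)" }
    else       { Write-Host "$model at $current is current; nothing above it in $folder" }
}
```

Because only one step is taken per run, a machine on A03 with A05 and A07 on disk needs two passes with a reboot between them, which is exactly why the task sequence integration below repeats the action.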

Task Sequence Integration

To integrate the script into your task sequence, do the following:

  1. Download the script and place it in a folder.
  2. Create a package for the script with no program.
  3. Create folders for your models with the exact model name of your system (ex: “Optiplex 990” or “Optiplex 9010”). You can get model numbers by running the following PowerShell command:
    (gwmi win32_computersystem).model
  4. Download BIOS updates from support.dell.com for the target models. Save the .exe BIOS updates in their respective folders.
  5. Create a ‘Run Command Line’ TS action with the following command. Make sure to link the package. You can replace <BiosPassword> with your BIOS password.
    powershell.exe -ExecutionPolicy Bypass -File .\Dell-BiosUpdates.ps1 <BiosPassword>

If necessary for your environment, copy and paste this task sequence action so that it runs multiple times, but add a reboot action in between. Future versions of the script should detect WinPE and set a TS action to skip successive runs. I’ll do that eventually.

Thanks and good luck!

Powershell – Adding all Computers from an OU into a Group

This is a pretty simple script. It searches an OU for all computer objects and adds them to a group. I needed to restrict certificate auto-enrollment permissions on the SCCM certificate templates to all computers in an OU and its sub-OUs. It runs every 5 minutes on our SCCM server.

Download

It’s named ‘Add-OUComputersToGroup.ps1’ and is available on my Github repo here: Jpuskar’s Github Page.

Usage

Change the variables at the top.

  • $rootOU – the DN of the root OU where you want to start searching.
  • $tgtGroupCN – the group you want computer objects to be placed into.
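As an added example of the same job (this is not the Add-OUComputersToGroup.ps1 from the repo), the PowerShell below does a subtree search under $rootOU with the ActiveDirectory module and adds only the computers that are not already members, so that a five-minute schedule stays quiet instead of erroring on existing members. The DN and group name are placeholders.

```powershell
# Added example, not the Add-OUComputersToGroup.ps1 from the repo. Uses the
# ActiveDirectory module; $rootOU and $tgtGroupCN are placeholders to change.
Import-Module ActiveDirectory

$rootOU     = 'OU=Workstations,DC=devdomain,DC=local'   # placeholder DN
$tgtGroupCN = 'SCCM-AutoEnroll-Computers'               # placeholder group name

function Sync-OUComputersToGroup {
    param([string]$SearchBase, [string]$GroupName)

    # Subtree search picks up computers in sub-OUs as well as the root OU.
    $computers = Get-ADComputer -SearchBase $SearchBase -SearchScope Subtree -Filter * |
                 Select-Object -ExpandProperty DistinguishedName

    # Compare against current membership: Add-ADGroupMember fails on an
    # account that is already a member, so only the new objects are added.
    $group   = Get-ADGroup -Identity $GroupName -Properties Members
    $missing = @($computers | Where-Object { $group.Members -notcontains $_ })

    if ($missing.Count -gt 0) {
        Add-ADGroupMember -Identity $group -Members $missing
    }
    return $missing   # what was added this run, for logging
}

$added = Sync-OUComputersToGroup -SearchBase $rootOU -GroupName $tgtGroupCN
Write-Host "$($added.Count) computer(s) added to $tgtGroupCN"
```

Note that this only ever adds members; a computer moved out of the OU keeps its auto-enrollment permission until someone removes it from the group, so if the group gates certificate issuance you may also want a removal pass.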

Good luck!

Revoking and Superseding Duplicate Configuration Manager Client Certificates

I noticed that every time we reimaged a workstation, it would be issued a new certificate from our Certificate Authority. Since we only have 1 CA issuing SCCM client certificates, one of my coworkers and I threw together the following script. His name is Robert, and he did most of the work on this one. He’s awesome; you should hire him.

Download

It’s named ‘Revoke-DuplicateSCCMClientCerts.ps1’ and is available on my Github repo here: Jpuskar’s Github Page.

Usage

Run the PowerShell script with the /force argument to make changes. By default it is read-only and runs in ‘what-if’ mode.

Known Issues

It’s really only designed for a single-CA environment. If you’ve got multiple CAs but only one issues SCCM certs, that’s fine. However, if you’re load-balancing your SCCM certificate issuing across multiple CAs, the script will only look at a single CA’s certificate database for duplicates. It could probably be modified to work across multiple CAs, but you’d need to key off the issue date instead of the request ID like we do now.
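As an added example of the single-CA approach described under Usage and Known Issues (this is not the Revoke-DuplicateSCCMClientCerts.ps1 from the repo), the PowerShell below reads the CA database with certutil, keeps the highest request ID per subject CN, and treats everything older as superseded. It is what-if by default and takes -Force (the repo script uses /force) to revoke; the template value is a placeholder for your SCCM client template name or OID.

```powershell
# Added example, not the Revoke-DuplicateSCCMClientCerts.ps1 from the repo.
# Save as a .ps1 and run on the issuing CA. Read-only ('what-if') by default;
# -Force actually revokes. The template value is a placeholder to replace with
# your SCCM client template name or OID.
param(
    [string]$Template = 'TEMPLATE_NAME_OR_OID_PLACEHOLDER',
    [switch]$Force
)

function Get-IssuedCerts {
    param([string]$Template)
    # certutil -view over the CA database: Disposition=20 is 'issued'. The CSV
    # header row is skipped so the column names used below are fixed here.
    $raw = certutil -view -restrict "Disposition=20,CertificateTemplate=$Template" `
                    -out "RequestID,SerialNumber,CommonName,NotBefore" csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed: $raw" }
    $raw | Where-Object { $_ -match '\S' } | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID,SerialNumber,CommonName,NotBefore
}

function Get-SupersededCerts {
    param($Certs)
    # Per subject CN, keep only the newest request; every older one is a
    # leftover from a reimage. Keying on RequestID is what ties this to one CA.
    $Certs | Group-Object CommonName | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $_.Group | Sort-Object { [int]$_.RequestID } -Descending | Select-Object -Skip 1
    }
}

$stale = @(Get-SupersededCerts (Get-IssuedCerts $Template))
Write-Host "$($stale.Count) superseded certificate(s) found"
foreach ($c in $stale) {
    if ($Force) {
        # Reason 4 = superseded (RFC 5280 CRLReason).
        certutil -revoke $c.SerialNumber 4
        Write-Host "Revoked RequestID $($c.RequestID) ($($c.CommonName))"
    } else {
        Write-Host "WhatIf: would revoke RequestID $($c.RequestID), serial $($c.SerialNumber) ($($c.CommonName))"
    }
}
# Publish a fresh CRL so relying parties see the revocations.
if ($Force -and $stale.Count -gt 0) { certutil -CRL }
```

Run it without -Force first and read the what-if list carefully: a host whose newest certificate came from a second CA would have its only certificate on this CA flagged as stale, which is the multi-CA limitation described above.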

Enjoy!