Scripting the Build of a Server 2008 R2 Test Domain

This information is probably a bit old, since Server 2012 is out. I haven’t played around with 2012 too much yet; I’ve been focusing on SCCM instead. Server 2012 task sequences are the first thing I’m going to play with next week once we have SP1 installed though :).

Anyways, here we go. This post is about scripting the set-up of a test domain with the following services in the fewest steps possible. This post assumes that you want to separate routing out to its own VM.

  • Routing with NAT
  • DNS
  • DHCP
  • ADDS

Step 1 – Routing

Network Configuration

You need an IP boundary for your test domain. The easiest way to do this is to create a private network behind a NAT router. For this to work, you need a private network that is not connected to the internet. On a single host in VMWare ESX, this can be accomplished by creating a vSwitch with no physical adapters, then creating a VMWare Virtual Machine network inside the vSwitch.

Build the VM

Routing is a way of bridging two or more networks. Your virtual server needs to have two network interfaces: one on the private network, and one on a network that can access the internet. Build a VM and configure it this way.

Install and Configure Routing

The following procedure configures the RRAS service as a NAT router.

  1. Start -> Run -> ‘control netconnections’
  2. Rename the interface connected to the internet so that it reads ‘Public Interface’.
  3. Rename the interface connected to the private network so that it reads ‘Private Network’.
  4. Configure the ‘Private Network’ interface so that it uses the following IP information:
    IP: 192.168.1.1
    Netmask: 255.255.255.0
    Gateway: <none>
    DNS: <none>
  5. Open PowerShell as administrator, and run the following commands.
    Import-Module ServerManager
    Add-WindowsFeature NPAS-RRAS, NPAS-Routing
  6. Save the following code as C:\Install_Files\config-rras-nat.txt:
    #========================
    # Interface configuration
    #========================
    pushd interface
    popd
    # End of interface configuration
    
    # ----------------------------------
    # IPHTTPS Configuration
    # ----------------------------------
    pushd interface httpstunnel
    reset
    popd
    # End of IPHTTPS configuration
    
    # ----------------------------------
    # IPv4 Configuration
    # ----------------------------------
    pushd interface ipv4
    reset
    set global icmpredirects=disabled
    popd
    # End of IPv4 configuration
    
    # ----------------------------------
    # IPv6 Configuration
    # ----------------------------------
    pushd interface ipv6
    reset
    popd
    # End of IPv6 configuration
    
    # ----------------------------------
    # ISATAP Configuration
    # ----------------------------------
    pushd interface isatap
    popd
    # End of ISATAP configuration
    
    # ----------------------------------
    # 6to4 Configuration
    # ----------------------------------
    pushd interface 6to4
    reset
    popd
    # End of 6to4 configuration
    
    # ----------------------------------
    # ISATAP Configuration
    # ----------------------------------
    pushd interface isatap
    popd
    # End of ISATAP configuration
    
    #========================
    # Port Proxy configuration
    #========================
    pushd interface portproxy
    reset
    popd
    # End of Port Proxy configuration
    
    # ----------------------------------
    # TCP Configuration
    # ----------------------------------
    pushd interface tcp
    reset
    set global rss=enabled chimney=automatic autotuninglevel=normal congestionprovider=ctcp ecncapability=disabled timestamps=disabled netdma=disabled dca=enabled
    popd
    # End of TCP configuration
    
    # ----------------------------------
    # Teredo Configuration
    # ----------------------------------
    pushd interface teredo
    set state type=client servername=teredo.ipv6.microsoft.com. servervirtualip=0.0.0.0
    popd
    # End of Teredo configuration
    
    # ----------------------------------
    # 6to4 Configuration
    # ----------------------------------
    pushd interface 6to4
    reset
    popd
    # End of 6to4 configuration
    
    # ------------------------------------
    # End of Bridge configuration
    # ------------------------------------
    pushd ipsecdosprotection
    reset
    popd
    
    # ----------------------------------------
    # Wired LAN Configuration
    # ----------------------------------------
    pushd lan
    popd
    # End of Wired LAN Configuration.
    
    # ==========================================================
    # Health Registration Authority configuration
    # ==========================================================
    pushd nap hra
    popd
    # End of NAP HRA configuration
    
    # ==========================================================
    # Network Access Protection client configuration
    # ==========================================================
    pushd nap client
    
    # ----------------------------------------------------------
    # Trusted server group configuration
    # ----------------------------------------------------------
    reset trustedservergroup
    
    # ----------------------------------------------------------
    # Cryptographic service provider (CSP) configuration
    # ----------------------------------------------------------
    set csp name = "Microsoft RSA SChannel Cryptographic Provider" keylength = "2048"
    
    # ----------------------------------------------------------
    # Hash algorithm configuration
    # ----------------------------------------------------------
    set hash oid = "1.3.14.3.2.29"
    
    # ----------------------------------------------------------
    # Enforcement configuration
    # ----------------------------------------------------------
    set enforcement id = "79617" admin = "disable" id = "79619" admin = "disable" id = "79621" admin = "disable" id = "79623" admin = "disable"
    
    # ----------------------------------------------------------
    # Tracing configuration
    # ----------------------------------------------------------
    set tracing state = "disable" level = "basic"
    
    # ----------------------------------------------------------
    # User interface configuration
    # ----------------------------------------------------------
    reset userinterface
    popd
    # End of NAP client configuration
    
    # -----------------------------------------
    # Remote Access Configuration
    # -----------------------------------------
    pushd ras
    set authmode mode = standard
    delete authtype type = PAP
    delete authtype type = MD5CHAP
    delete authtype type = MSCHAPv2
    delete authtype type = EAP
    delete authtype type = CERT
    add authtype type = MSCHAPv2
    add authtype type = EAP
    delete link type = SWC
    delete link type = LCP
    add link type = SWC
    add link type = LCP
    delete multilink type = MULTI
    add multilink type = MULTI
    set conf confstate = enabled
    set type ipv4rtrtype = lanonly ipv6rtrtype = none rastype = none
    set wanports device = "WAN Miniport (SSTP)" rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 5
    set wanports device = "WAN Miniport (PPTP)" rasinonly = disabled ddinout = enabled ddoutonly = disabled maxports = 5
    set wanports device = "WAN Miniport (PPPOE)" ddoutonly = enabled
    set wanports device = "WAN Miniport (L2TP)" rasinonly = disabled ddinout = enabled ddoutonly = disabled maxports = 5
    set wanports device = "WAN Miniport (IKEv2)" rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 5
    set user name = Administrator dialin = policy cbpolicy = none
    set user name = Guest dialin = policy cbpolicy = none
    set ikev2connection idletimeout = 5 nwoutagetime = 30
    set ikev2saexpiry saexpirytime = 480 sadatasizelimit = 100
    popd
    
    # End of Remote Access configuration.
    
    # -----------------------------------------
    # Remote Access Diagnostics Configuration
    # -----------------------------------------
    pushd ras diagnostics
    set rastracing component = * state = disabled
    set modemtracing state = disabled
    set cmtracing state = disabled
    set securityeventlog state = disabled
    set loglevel events = warn
    popd
    # End of Remote Access Diagnostics Configuration.
    
    # -----------------------------------------
    # Remote Access IP Configuration
    # -----------------------------------------
    pushd ras ip
    delete pool
    set negotiation mode = allow
    set access mode = all
    set addrreq mode = deny
    set broadcastnameresolution mode = enabled
    set addrassign method = auto
    set preferredadapter
    popd
    
    # End of Remote Access IP configuration.
    
    # -----------------------------------------
    # Remote Access IPv6 Configuration
    # -----------------------------------------
    pushd ras ipv6
    
    set negotiation mode = deny
    set access mode = all
    set routeradvertise mode = enabled
    set prefix prefix = ::
    popd
    # End of Remote Access IPv6 configuration.
    
    # -----------------------------------------
    # Remote Access AAAA Configuration
    # -----------------------------------------
    pushd ras aaaa
    set authentication provider = windows
    set accounting provider = windows
    delete authserver name = *
    delete acctserver name = *
    popd
    # End of Remote Access AAAA configuration.
    
    # Routing Configuration
    pushd routing
    reset
    popd
    # IP Configuration
    pushd routing ip
    reset
    set loglevel error
    add preferenceforprotocol proto=LOCAL preflevel=1
    add preferenceforprotocol proto=STATIC preflevel=3
    add preferenceforprotocol proto=NONDOD preflevel=5
    add preferenceforprotocol proto=AUTOSTATIC preflevel=7
    add preferenceforprotocol proto=NetMgmt preflevel=10
    add preferenceforprotocol proto=RIP preflevel=120
    add interface name="Private Network" state=enable
    set filter name="Private Network" fragcheck=disable
    add interface name="Public Interface" state=enable
    set filter name="Public Interface" fragcheck=disable
    add interface name="Internal" state=enable
    add interface name="Loopback" state=enable
    popd
    # End of IP configuration
    
    # ----------------------------------
    # DNS Proxy configuration
    # ----------------------------------
    pushd routing ip dnsproxy
    uninstall
    popd
    # End of DNS proxy configuration
    
    # ----------------------------------
    # IGMP Configuration
    # ----------------------------------
    pushd routing ip igmp
    uninstall
    install
    set global loglevel = ERROR
    # IGMP configuration for interface "Private Network"
    delete interface name="Private Network"
    add interface name="Private Network" igmpprototype=IGMPRTRV3 ifenabled=enable robustvar=2 startupquerycount=2 startupqueryinterval=31 genqueryinterval=125 genqueryresptime=10 lastmemquerycount=2 lastmemqueryinterval=1000 accnonrtralertpkts=YES
    # IGMP configuration for interface "Public Interface"
    delete interface name="Public Interface"
    add interface name="Public Interface" igmpprototype=IGMPPROXY ifenabled=enable
    popd
    # End of IGMP configuration
    
    # ----------------------------------
    # NAT configuration
    # ----------------------------------
    pushd routing ip nat
    uninstall
    install
    set global tcptimeoutmins=1440 udptimeoutmins=1 loglevel=ERROR
    #NAT Configuration For Interface Private Network
    add interface name="Private Network" mode=PRIVATE
    #NAT Configuration For Interface Public Interface
    add interface name="Public Interface" mode=FULL
    #NAT Configuration For Interface Internal
    add interface name="Internal" mode=PRIVATE
    popd
    
    # ----------------------------------
    # DHCP Relay Agent configuration
    # ----------------------------------
    pushd routing ip relay
    uninstall
    popd
    # End of DHCP Relay configuration
    
    # ----------------------------------
    # RIP configuration
    # ----------------------------------
    pushd routing ip rip
    uninstall
    popd
    # End of RIP configuration
    
    # ----------------------------------
    # Router Discovery Configuration
    # ----------------------------------
    pushd routing ip routerdiscovery
    uninstall
    add interface name="Private Network" disc=disable minint=7 maxint=10 life=30 level=0
    add interface name="Public Interface" disc=disable minint=7 maxint=10 life=30 level=0
    add interface name="Internal" disc=disable minint=7 maxint=10 life=30 level=0
    add interface name="Loopback" disc=disable minint=7 maxint=10 life=30 level=0
    popd
    
    # ----------------------------------
    # DHCP Allocator Configuration
    # ----------------------------------
    pushd routing ip autodhcp
    uninstall
    popd
    # End of DHCP Allocator Configuration
    
    # IPv6 Configuration
    pushd routing ipv6
    set filter name="Private Network" fragcheck=disable
    set filter name="Public Interface" fragcheck=disable
    popd
    # End of IPv6 configuration
    
    # ----------------------------------
    # DHCPv6 Relay Agent configuration
    # ----------------------------------
    pushd routing ipv6 relayv6
    uninstall
    popd
    # End of DHCPv6 Relay configuration
    
    # -----------------------------------------------------------------------
    # Remote Access Demand Dial Configuration
    # -----------------------------------------------------------------------
    pushd ro demanddial
    
    # -----------------------------------------
    # WinHTTP Proxy Configuration
    # -----------------------------------------
    pushd winhttp
    reset proxy
    popd
    
    # End of WinHTTP Proxy Configuration
    popd
    
    popd
    exit
  7. Run the following commands to configure RRAS.
    sc config remoteaccess start= auto
    netsh -f C:\Install_Files\config-rras-nat.txt
    net start remoteaccess
    netsh -f C:\Install_Files\config-rras-nat.txt

For some reason, I can’t figure out how to configure RRAS NAT from the command line without having to import the configuration, then start the service, then import the same configuration again. If I skip the second import, then RRAS doesn’t actually pass traffic. I should really spend more time on this, but meh — it works.
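A post-build check for the router VM is worth having before moving on, because a silent NAT or gateway mistake here shows up later as "the domain can't reach the internet". The script below is an added example, not from the original post; it assumes the interface names and the 192.168.1.1 address from Step 1 and runs on the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Post-build check for the NAT router VM (added example; not from the original post).
# Assumes the interface names and the 192.168.1.1 address from Step 1 above.
$problems = @()

# 1. RRAS must start automatically and be running (the sc config / net start step).
$svc = Get-WmiObject Win32_Service -Filter "Name='RemoteAccess'"
if ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running') {
    $problems += "RemoteAccess is $($svc.StartMode)/$($svc.State); expected Auto/Running"
}

# 2. The TCP/IP stack must forward packets; RRAS sets this value when routing is enabled.
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
if ($tcpip.IPEnableRouter -ne 1) { $problems += 'IPEnableRouter is not 1; packets will not be forwarded' }

# 3. Exactly one default gateway, and only on the Public Interface. A gateway on the
#    private side is the misconfiguration behind the random disconnects in Issue 1 further down.
foreach ($nic in Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionID }) {
    $cfg = $nic.GetRelated('Win32_NetworkAdapterConfiguration') | Select-Object -First 1
    $gws = @($cfg.DefaultIPGateway | Where-Object { $_ })   # @() of $null would count as 1
    switch ($nic.NetConnectionID) {
        'Private Network' {
            if (@($cfg.IPAddress) -notcontains '192.168.1.1') { $problems += 'Private Network is not 192.168.1.1' }
            if ($gws.Count -gt 0) { $problems += "Private Network has a default gateway ($($gws -join ', ')); remove it" }
        }
        'Public Interface' {
            if ($gws.Count -ne 1) { $problems += "Public Interface has $($gws.Count) default gateways; expected 1" }
        }
        default {
            if ($gws.Count -gt 0) { $problems += "Extra interface '$($nic.NetConnectionID)' has a default gateway" }
        }
    }
}

# 4. NAT must be bound to both interfaces; this is the first thing to look at when
#    traffic is not passing after the netsh import.
$nat = netsh routing ip nat show interface 2>&1 | Out-String
foreach ($name in 'Public Interface', 'Private Network') {
    if ($nat -notmatch [regex]::Escape($name)) { $problems += "NAT is not bound to '$name'" }
}

if ($problems.Count -eq 0) { 'Router checks passed' } else { $problems | ForEach-Object { "FAIL: $_" } }
```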

Installing ADDS

Next, we’ll install a server to run ADDS, DHCP, and DNS. This should provide all the basic network services needed for clients to easily access the internet.

  1. Build a VM with a single network interface, connected to the Private Network.
  2. Configure the IP information as follows:
    IP: 192.168.1.10
    Netmask: 255.255.255.0
    Gateway: 192.168.1.1
    DNS: 192.168.1.10
  3. Open PowerShell and run the following commands:
    Import-Module ServerManager
    Add-WindowsFeature ADDS-Domain-Controller
  4. Save the following code to C:\Install_Files\ADDS-Unattend.txt. Reference: Server 2008 R2 dcpromo.
    [DCINSTALL]
    InstallDNS=yes
    NewDomain=forest
    NewDomainDNSName=devdomain.local
    DomainNetBiosName=devdomain
    SiteName=Default-First-Site-Name
    ReplicaOrNewDomain=domain
    ForestLevel=4
    DomainLevel=4
    DatabasePath="%systemroot%\NTDS"
    LogPath="%systemroot%\NTDS"
    SYSVOLPath="%systemroot%\SYSVOL"
    RebootOnCompletion=yes
    SafeModeAdminPassword=P@ssw0rd
    
  5. Run the following command from the command prompt, then wait for the PC to reboot. If it doesn’t seem like things are working, type “Echo %errorlevel%” and cross-reference the number returned with the table here: dcpromo exit codes.
    start /wait dcpromo /unattend:C:\Install_Files\ADDS-Unattend.txt
  6. Run the following command to configure your DNS service to forward queries to upstream DNS servers. In the code below, I’m using the Google public DNS service. You may have to use the upstream DNS server of your ISP or organization instead. Ref: Server 2008 R2 dnscmd.
    dnscmd %computername% /resetforwarders 8.8.8.8 8.8.4.4 /timeout 3 /noslave
  7. Next, run the following commands from PowerShell to install the DHCP service:
    Import-Module ServerManager
    Add-WindowsFeature DHCP
  8. Run the following commands from the command prompt to configure DHCP. Reference: Installing DHCP in Server Core.
    sc config dhcpserver start= auto
    net start dhcpserver
    netsh dhcp add server %computername% 192.168.1.10
    netsh dhcp server 192.168.1.10 add scope 192.168.1.0 255.255.255.0 DevDomainScope
    netsh dhcp server 192.168.1.10 scope 192.168.1.0 add iprange 192.168.1.100 192.168.1.200
    netsh dhcp server 192.168.1.10 scope 192.168.1.0 set optionvalue 003 IPADDRESS 192.168.1.1
    netsh dhcp server 192.168.1.10 scope 192.168.1.0 set optionvalue 006 IPADDRESS 192.168.1.10
    netsh dhcp server 192.168.1.10 scope 192.168.1.0 set state 1

Now, any machines connected to your private network should get a DHCP address containing a working DNS server and gateway. You can test this by deploying a new Windows VM and seeing if you can surf the internets.
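Before deploying that first client, the DC itself can be checked for the handful of things the procedure above depends on: the promotion completed, the three services are up, forwarders are set, the DHCP scope is active and authorized, and the unattend file with the DSRM password has not been left behind. The script is an added example, not from the original post; it assumes the names and addresses used above (devdomain.local, 192.168.1.10, the 192.168.1.0 scope, C:\Install_Files\ADDS-Unattend.txt).

```powershell
# Post-promotion check for the DC / DNS / DHCP VM (added example; not from the original post).
# Assumes the values used above: devdomain.local, 192.168.1.10, the 192.168.1.0 scope and
# the unattend file at C:\Install_Files\ADDS-Unattend.txt.
$problems = @()

# 1. The box must now be a DC for devdomain.local
#    (Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC).
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.Domain -ne 'devdomain.local' -or $cs.DomainRole -lt 4) {
    $problems += "Not a DC for devdomain.local (Domain=$($cs.Domain), DomainRole=$($cs.DomainRole)); check the dcpromo exit code"
}

# 2. Directory, DNS and DHCP services must be running.
foreach ($name in 'NTDS', 'DNS', 'DHCPServer') {
    $s = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $s -or $s.Status -ne 'Running') { $problems += "Service $name is not running" }
}

# 3. Forwarders from the dnscmd /resetforwarders step, read through the DNS WMI provider.
$dns = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server
$forwarders = @($dns.Forwarders | Where-Object { $_ })
if ($forwarders.Count -eq 0) { $problems += 'No DNS forwarders configured; external names will rely on root hints' }
if ($dns.IsSlave) { $problems += 'DNS is in slave mode; /noslave was expected' }

# 4. DHCP: the server must be authorized in AD and the 192.168.1.0 scope active.
$servers = netsh dhcp show server 2>&1 | Out-String
if ($servers -notmatch '192\.168\.1\.10') { $problems += 'DHCP server 192.168.1.10 is not authorized in AD' }
$scopes = netsh dhcp server 192.168.1.10 show scope 2>&1 | Out-String
if ($scopes -notmatch '192\.168\.1\.0[^\r\n]*Active') { $problems += 'Scope 192.168.1.0 is missing or not active' }

# 5. The unattend file stores SafeModeAdminPassword in clear text; it should not outlive the promotion.
$unattend = 'C:\Install_Files\ADDS-Unattend.txt'
if (Test-Path $unattend) { $problems += "$unattend still exists and contains the DSRM password; delete it" }

if ($problems.Count -eq 0) { 'DC checks passed' } else { $problems | ForEach-Object { "FAIL: $_" } }
```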


Working With RRAS for NAT and VPN

I’ve recently done some work with RRAS for the first time, and had a lot of trouble getting things together.

Issue 1 – NAT\VPN is Unreliable

I installed a VPN with RRAS, and couldn’t for the life of me figure out why it would randomly disconnect all the time. It turns out that my problem was that I had 2 default gateways specified. When using RRAS as a NAT Gateway + VPN, the Internal\Private interface should _not_ have a default gateway. This cleared things up like magic.

Issue 2 – RRAS on VMWare Is Not Working

This took a while to figure out. It turns out that RRAS is currently incompatible with VMXNet3 ethernet adapters. Switching to E1000s (eww…I know) was like throwing the magic switch (like Issue 1!). Please post on the VMWare forum here asking them to get things fixed. If you figure out how to work around the issue, please leave a comment below.

Issue 3 – What Protocol Should I Use?

There are 4 available protocols; here is a quick summary based on my limited knowledge and research.

  • PPTP – Insecure (cryptographically broken). Do not use.
  • L2TP\IPSec – Requires client certificate. XP+.
  • SSTP – Great when inside restricted firewalls; works over 443 only. Requires a web server cert on the server. Compatible with Vista+.
  • IKEv2 – Enables ‘VPN Reconnect’, which means that you can switch from LAN to WiFi and back without dropping the VPN, etc. Win7+.
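If the RRAS box from the first post is later turned into a VPN server, the PPTP ports can be taken out of service and the accepted authentication types narrowed with the same netsh ras commands that appear in the config dump above. The script is an added example, not from the original post; it assumes RRAS is already installed, that SSTP and IKEv2 are the protocols to keep, and that MS-CHAPv2 and EAP are the only authentication types wanted.

```powershell
# Remove PPTP ports and weak authentication types from an RRAS VPN server
# (added example; not from the original post). Assumes SSTP/IKEv2 are the protocols to keep.
# The commands use the same "netsh ras" syntax as the config dump in the first post,
# so they are fed through netsh -f to avoid command-line quoting issues.
$script = @'
pushd ras
# PPTP: no inbound remote-access connections, no demand-dial routing in either direction.
set wanports device = "WAN Miniport (PPTP)" rasinonly = disabled ddinout = disabled ddoutonly = disabled
# SSTP and IKEv2: accept inbound remote-access clients only.
set wanports device = "WAN Miniport (SSTP)" rasinonly = enabled ddinout = disabled ddoutonly = disabled
set wanports device = "WAN Miniport (IKEv2)" rasinonly = enabled ddinout = disabled ddoutonly = disabled
# Drop the weak authentication types; leave MS-CHAPv2 and EAP.
delete authtype type = PAP
delete authtype type = MD5CHAP
add authtype type = MSCHAPv2
add authtype type = EAP
popd
exit
'@

$path = Join-Path $env:TEMP 'rras-harden.txt'
Set-Content -Path $path -Value $script -Encoding ASCII
netsh -f $path

# Port changes take effect after a service restart.
net stop remoteaccess
net start remoteaccess

# Review the result: PPTP ports no longer accept connections, only MSCHAPv2/EAP are listed.
netsh ras show wanports
netsh ras show authtype
```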

Issue 4 – Can the Windows VPN Client Auto-Map Drives?

You can use the Connection Manager Administration Kit (CMAK) to create bundled ‘profiles’ that will do things like:

  • Configure a default primary and fall-back protocol. For example: “try IKEv2 then SSTP”.
  • Configure whether the client should use the default gateway on the WAN interface for all traffic.
  • Run a script on successful connect or disconnect.

The last one there is the key — you can run a VBScript to map necessary drives and printers on a connection, based on any LDAP info like the connecting user’s group membership. CMAK is available as a ‘feature’ to be installed from Server Manager on Windows 2008+. Bug me and I’ll throw up a blog post about using it!