Wednesday, April 15, 2020

domain controller from DSC

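<#
.SYNOPSIS
    DSC configuration that turns one node into the first domain controller of a new forest.
.DESCRIPTION
    For the node named by $FirstDomainControllerName this configuration:
      * creates C:\NTDS, which PrimaryDC uses as the AD log path,
      * installs the DNS and AD-Domain-Services roles and the RSAT-ADDS tools,
      * points the node's own DNS client at 127.0.0.1 on the $InterfaceAlias adapter,
      * creates the domain (xADDomain), then an additional administrator account and
        adds that account plus "Administrator" to Domain Admins and Enterprise Admins.
    Nothing in this configuration disables the built-in Administrator account.
.PARAMETER SafeModeCredentials
    Only the password is used; it becomes the SafemodeAdministratorPassword of the new domain.
.PARAMETER VMCredentials
    Not referenced by any resource below; kept so existing callers keep working.
.PARAMETER DomainAdministratorCredentials
    Credential handed to xADDomain, xADUser and the two xADGroup resources. Its password is
    also assigned to the $AdministratorAccount user (xADUser uses only the password).
.PARAMETER AdministratorAccount
    Name of the additional administrator account created in the new domain.
.PARAMETER FirstDomainControllerName
    Node name the configuration is compiled for.
.PARAMETER DomainName
    Value passed as DomainNetbiosName.
.PARAMETER DomainDnsName
    Value passed as DomainName (the DNS name) of the new domain.
.PARAMETER InterfaceAlias
    Adapter whose DNS client address is set to 127.0.0.1. Defaults to 'Ethernet', the value
    that used to be hard-coded; adapter names vary by platform (see Get-NetAdapter on the node).
#>
Configuration DomainController {
    param
    (
        [Parameter(Mandatory = $true)][PSCredential]$SafeModeCredentials,
        [Parameter(Mandatory = $true)][PSCredential]$VMCredentials,
        [Parameter(Mandatory = $true)][PSCredential]$DomainAdministratorCredentials,
        [Parameter(Mandatory = $true)][string]$AdministratorAccount,

        [Parameter(Mandatory = $true)][string]$FirstDomainControllerName,
        #[Parameter(Mandatory = $true)][string]$SecondDomainControllerIPAddress,
        #[Parameter(Mandatory = $true)][string]$GatewayAddress,
        #[Parameter(Mandatory = $true)][string]$SubnetMask,
        [Parameter(Mandatory = $true)][string]$DomainName,
        [Parameter(Mandatory = $true)][string]$DomainDnsName,

        # Optional; 'Ethernet' is the previously hard-coded value, so callers that
        # do not pass it get the same result as before.
        [Parameter(Mandatory = $false)][string]$InterfaceAlias = 'Ethernet'
    )
    Import-Module PSDesiredStateConfiguration
    Import-Module xActiveDirectory
    Import-Module xNetworking

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xActiveDirectory
    Import-DscResource -ModuleName xNetworking


    Node $FirstDomainControllerName {

        # Folder that receives the AD log files (LogPath on PrimaryDC below).
        File ADFiles {
            DestinationPath = 'C:\NTDS'
            Type = 'Directory'
            Ensure = 'Present'
        }

        WindowsFeature DNS {
            Ensure = "Present"
            Name = "DNS"
        }

        # The DC resolves its own domain through the DNS role installed above,
        # so the DNS client of the chosen adapter is pointed at the loopback address.
        xDnsServerAddress DnsServerAddress {
            Address= '127.0.0.1'
            InterfaceAlias = $InterfaceAlias
            AddressFamily  = 'IPv4'
            DependsOn = "[WindowsFeature]DNS"
        }

        WindowsFeature AD-Domain-Services {
            Ensure = "Present"
            Name = "AD-Domain-Services"
            DependsOn = "[File]ADFiles"
        }

        # These RSAT features are optional, but you may want
        #  the admin tools installed locally.
        #WindowsFeature RSAT-DNS-Server {
        #    Ensure = "Present"
        #    Name = "RSAT-DNS-Server"
        #    DependsOn = "[WindowsFeature]DNS"
        #}

        #WindowsFeature RSAT-AD-Tools {
        #    Name = 'RSAT-AD-Tools'
        #    Ensure = 'Present'
        #    DependsOn = "[WindowsFeature]AD-Domain-Services"
        #}

        WindowsFeature RSAT-ADDS {
            Ensure = "Present"
            Name = "RSAT-ADDS"
            DependsOn = "[WindowsFeature]AD-Domain-Services"
        }

        #WindowsFeature RSAT-ADDS-Tools {
        #    Name = 'RSAT-ADDS-Tools'
        #    Ensure = 'Present'
        #    DependsOn = "[WindowsFeature]RSAT-ADDS"
        #}

        #WindowsFeature RSAT-AD-AdminCenter {
        #    Name = 'RSAT-AD-AdminCenter'
        #    Ensure = 'Present'
        #    DependsOn = "[WindowsFeature]AD-Domain-Services"
        #}

        # Here's where we create the domain.
        # No slash at end of folder paths.
        xADDomain PrimaryDC {
            DomainName = $DomainDnsName
            DomainNetbiosName = $DomainName
            DomainAdministratorCredential = $DomainAdministratorCredentials
            SafemodeAdministratorPassword = $SafeModeCredentials
            #DatabasePath = "C:\NTDS"
            LogPath = "C:\NTDS"
            DependsOn = "[WindowsFeature]AD-Domain-Services"
        }

        # Here's where we create the alternate administrator account,
        #  and add it to the appropriate groups.
        xADUser AlternateAdminUser {
            DomainName = $DomainDnsName
            UserName = $AdministratorAccount
            Password = $DomainAdministratorCredentials # Uses just the password
            DisplayName = $AdministratorAccount
            PasswordAuthentication = 'Negotiate'
            DomainAdministratorCredential = $DomainAdministratorCredentials
            Ensure = 'Present'
            DependsOn = "[xADDomain]PrimaryDC"
        }

        # MembersToInclude only adds members; the built-in Administrator stays in both groups.
        xADGroup AddAdminToDomainAdminsGroup {
            GroupName = "Domain Admins"
            GroupScope = 'Global'
            Category = 'Security'
            MembersToInclude = @($AdministratorAccount, "Administrator")
            Ensure = 'Present'
            Credential = $DomainAdministratorCredentials
            DependsOn = "[xADUser]AlternateAdminUser"
        }

        xADGroup AddAdminToEnterpriseAdminsGroup {
            GroupName = "Enterprise Admins"
            GroupScope = 'Universal'
            Category = 'Security'
            MembersToInclude = @($AdministratorAccount, "Administrator")
            Ensure = 'Present'
            Credential = $DomainAdministratorCredentials
            DependsOn = "[xADUser]AlternateAdminUser"
        }
    }
}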



#</code block>

#Compiling and running the configuration
#Now that the configuration exists, we compile it with the specific values we need. After that, we push the compiled configuration to the node.

#<code block>

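# Lab values: both passwords are literals in this script and are written unencrypted into
# the compiled MOF (see PsDscAllowPlainTextPassword below). The commented Get-Credential
# lines further down are the interactive alternative that keeps them out of the file.
$password = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
$password_local = ConvertTo-SecureString 'vagrant' -AsPlainText -Force

$FirstDomainControllerName = 'dc1'

# Straight quotes instead of the typographic ones in the original; PowerShell accepts both,
# but editors and copy/paste frequently mangle the latter.
# $DomainName is passed to the configuration as DomainNetbiosName.
# NOTE(review): NetBIOS names normally contain no '.'; a value such as 'CONTOSO' is the usual form — confirm on the target.
$DomainName = 'contoso.com'

$DomainDnsName = 'contoso.com'


# Name of the additional administrator account created by the configuration.
# The configuration adds it to the admin groups; it does not disable the built-in Administrator.
$AdministratorAccount = 'ADifferentUsernameThanAdministrator'


# Local account on the VM, used only for the CIM session that pushes the configuration.
#$VMCredentials = Get-Credential -Message "Enter the local administrator credentials." -UserName "vagrant"
$VMCredentials = New-Object System.Management.Automation.PSCredential ('.\vagrant', $password_local)

# Domain-qualified credential; the configuration also assigns this password to the new administrator account.
#$DomainAdministratorCredentials = Get-Credential -Message "Enter the domain administrator credentials." -UserName ($DomainName + '\' + $AdministratorAccount)
$DomainAdministratorCredentials = New-Object System.Management.Automation.PSCredential (($DomainName + '\' + $AdministratorAccount), $password)

# Only the password is used (Safe Mode administrator password); the user name is a placeholder.
#$SafeModeCredentials = Get-Credential -Message "Enter the new domain's Safe Mode administrator password." -UserName '(Password Only)'
$SafeModeCredentials = New-Object System.Management.Automation.PSCredential ('(Password Only)', $password)

$cd = @{
    AllNodes = @(
        @{
            NodeName = $FirstDomainControllerName
            # Allows the three passwords to be stored in the MOF as plain text. Outside a
            # throw-away lab, use CertificateFile/Thumbprint here so the MOF is encrypted.
            PsDscAllowPlainTextPassword = $true
            # $DomainAdministratorCredentials carries a domain-qualified user name; the MOF
            # compiler rejects domain credentials for the node unless this is set.
            PsDscAllowDomainUser = $true
        }
    )
}

# Compile: writes .\DomainController\<NodeName>.mof. $AdministratorAccount is reused here
# instead of repeating the literal, so the two cannot drift apart.
DomainController -ConfigurationData $cd -SafeModeCredentials $SafeModeCredentials -VMCredentials $VMCredentials -DomainAdministratorCredentials $DomainAdministratorCredentials -FirstDomainControllerName $FirstDomainControllerName -DomainName $DomainName -DomainDnsName $DomainDnsName -AdministratorAccount $AdministratorAccount



# Trust only the target node rather than '*': TrustedHosts is the list of hosts the WinRM
# client will send credentials to without Kerberos mutual authentication. -Concatenate keeps
# entries that are already present.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $FirstDomainControllerName -Concatenate -Force

$VMSession1 = New-CimSession -Credential $VMCredentials -ComputerName $FirstDomainControllerName -Verbose


# Push the MOF compiled above; -Wait blocks until the LCM has finished, -Force replaces any pending configuration.
Start-DscConfiguration -Path DomainController -CimSession $VMSession1 -Verbose -Wait -Force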


You might need to install the DSC resource modules on dc1 first:

# Install the two resource modules the configuration imports on the target node before
# pushing it. Install-Module fetches them from the default PowerShell Gallery repository,
# so the node needs outbound access to it; -Force suppresses the untrusted-repository prompt.
Invoke-Command -ComputerName dc1 -Credential $VMCredentials -ScriptBlock {
    Install-Module -Name xActiveDirectory -Force -Confirm:$false
    Install-Module -Name xNetworking -Force -Confirm:$false
}