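# Install VMware Tools from the mounted ISO (the drive letter may differ; check with Get-Volume)
d:
setup64.exe

# Configure a static IP address for the box.
# The parameter is -InterfaceAlias; the original "-inferfacealias" is a typo PowerShell rejects.
New-NetIPAddress -IPAddress xx.xx.xx.xx -InterfaceAlias "Ethernet" -DefaultGateway xx.xx.xx.xx -AddressFamily IPv4 -PrefixLength 24

# Set DNS
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses xx.xx.xx.xx

# Allow the management host through the firewall so it can manage the DC.
# NOTE(review): protocol=ANY opens every port to 10.10.10.253; that is tolerable only because
# remoteip pins the rule to one management host. If RSAT/Server Manager is not needed from
# that host, narrow it to WinRM (TCP 5985/5986) and RDP (TCP 3389) instead of ANY.
netsh advfirewall firewall add rule name="allow all from platformhomebase" dir=in action=allow protocol=ANY remoteip=10.10.10.253

# Switch to PowerShell and enable remoting on the server.
# Enable-PSRemoting refuses to run while a network profile is Public; set the profile to
# Private or add -SkipNetworkProfileCheck.
powershell
Enable-PSRemoting -Force

# From the management host: connect to the server by IP. Kerberos cannot authenticate an IP
# address, so this falls back to NTLM and the client must either list the server in
# WSMan TrustedHosts (Set-Item WSMan:\localhost\Client\TrustedHosts -Value 192.168.13.20) or
# use -UseSSL against an HTTPS listener. -Credential Administrator prompts for the password;
# never put it inline here.
Enter-PSSession -ComputerName 192.168.13.20 -Credential Administrator

# Rename the computer if needed (takes effect after a reboot: add -Restart or reboot manually)
Rename-Computer example01

# Install the product key / change edition. The original left /Set-Edition: empty, which DISM
# rejects; list the valid targets first and use one of them (e.g. ServerStandard).
DISM /online /Get-TargetEditions
DISM /online /Set-Edition:EDITION /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

##### optional and useless #############
# Remote Desktop on Server Core (run from a cmd prompt in C:\Windows\System32).
# Show the current setting:
cscript scregedit.wsf /AR /v
# Enable remote desktop:
cscript scregedit.wsf /AR 0
# Disable remote desktop:
cscript scregedit.wsf /AR 1
# NOTE(review): if RDP stays enabled, keep Network Level Authentication required
# (cscript scregedit.wsf /CS 1) so unauthenticated clients never reach the logon screen.
# Start terminal services
net start termservice
########################################

# Download Server Manager (RSAT) on the management host
# (on Win7 also enable the Windows feature after the download)

# Check the AD DS role is available
Get-WindowsFeature AD-Domain-Services

# Install the Active Directory Domain Services feature
Install-WindowsFeature -Name AD-Domain-Services

# Test the forest prerequisites before promoting. Test-ADDSForestInstallation requires
# -DomainName; Test-ADDSDomainInstallation is for adding a domain to an existing forest,
# so it does not apply to a brand-new forest and is dropped.
Test-ADDSForestInstallation -DomainName "200013.net"

# Promote the domain controller.
# -SafeModeAdministratorPassword is deliberately omitted so the DSRM password is prompted for
# interactively instead of ending up in this file or the command history.
# -Force:$true suppresses the confirmation prompts; warnings are still printed.
Import-Module ADDSDeployment
Install-ADDSForest `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "Win2012" `
    -DomainName "200013.net" `
    -DomainNetbiosName "200013NET" `
    -ForestMode "Win2012" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true
Exit-PSSession

# Log in as 200013.net\administrator and create a new domain admin.
# (Prompt after reconnecting looked like: [192.168.13.20]: PS AD:\CN=Users,DC=200013,DC=net> )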
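# Create the new domain admin.
# The original passed the password as a plaintext literal to ConvertTo-SecureString -AsPlainText;
# anything typed that way is kept in the PSReadLine history file and in PowerShell transcript /
# script-block logs. Prompt for it instead so it never appears on a command line.
# -Country sets the "c" attribute, which expects the ISO 3166 two-letter code ("CA"), not the name.
$newAdminPassword = Read-Host -Prompt "Password for luciano" -AsSecureString
New-ADUser -SamAccountName "luciano" `
    -AccountPassword $newAdminPassword `
    -Name "Luciano Deldro" `
    -GivenName "Luciano" `
    -Surname "Deldro" `
    -DisplayName "Luciano Deldro" `
    -EmailAddress "luciano@200013.net" `
    -Title "System Administrator" `
    -City "Montréal" `
    -Enabled $true `
    -Department "IT" `
    -Country "CA" `
    -Company "200013.net"

# Make this user a domain admin
Add-ADGroupMember "Domain Admins" "luciano"

# Disable the built-in domain Administrator (full parameter name and a boolean for clarity).
# NOTE(review): confirm the new account can log on BEFORE running this. Once it is disabled,
# "luciano" is the only Domain Admin, so a lost password or lockout has no break-glass fallback;
# keep the built-in account's password vaulted so it can be re-enabled in an emergency.
Set-ADUser -Identity administrator -Enabled $false

# Install the DNS server role (already present from -InstallDns) and the DNS tools
Dism.exe /online /enable-feature /featurename:DNS-Server-Full-Role /featurename:DNS-Server-Tools

# DNS cmdlets to manage DNS on Core:
# https://docs.microsoft.com/en-us/powershell/module/dnsserver/?view=win10-ps
# -DynamicUpdate Secure is passed explicitly so only authenticated clients can register or
# overwrite records in the zone (a nonsecure zone lets any host on the network hijack names).
Add-DnsServerPrimaryZone -Name "200013.test" -ReplicationScope "Forest" -DynamicUpdate Secure
Add-DnsServerResourceRecordA -Name "test" -ZoneName "200013.test" -IPv4Address "192.168.13.99"

# Remotely managing DNS with "Administrative Tools" on Win 10 was broken as I wrote this.

# Let's add DC2. Connect to the future DC2 (still in a workgroup, so local Administrator).
Enter-PSSession -ComputerName 192.168.13.21 -Credential Administrator
# Point it at DC1 for DNS so the domain can be located
netsh interface ipv4 add dnsserver "Ethernet" address=192.168.13.20 index=1
Add-Computer -DomainName "200013.net" -Credential 200013.net\luciano -Restart

# After the reboot, reconnect with the domain account
Enter-PSSession -ComputerName 192.168.13.21 -Credential 200013.net\luciano

# The original repeated the disable here; it targets the same domain account already disabled
# on DC1 (and replicated), so it is a no-op at best and is left commented out.
# Set-ADUser -Identity administrator -Enabled $false

# Install AD DS first, then import the deployment module that ships with it
# (the original imported the module before the feature that provides it was installed).
Install-WindowsFeature -Name AD-Domain-Services
Import-Module ADDSDeployment

# Promote DC2. The original had a first attempt using an undefined $domainName variable;
# only the working call is kept. -Credential is the domain admin used for the promotion;
# the DSRM password is prompted for interactively (do not pass it on the command line).
$domainAdminCredential = Get-Credential
Install-ADDSDomainController -DomainName "200013.net" -InstallDns -Credential $domainAdminCredential

# Console transcript of the promotion follows (kept for reference):
# [192.168.13.21]: PS C:\Users\luciano\Documents> Install-ADDSDomainController -DomainName "200013.net" -InstallDns -Credential $domainAdminCredential
# WARNING: A script or application on the remote computer 192.168.13.21 is sending a prompt request.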
When you are prompted, enter sensitive information, such as credentials or passwords, only if you trust the remote computer and the application or script that is requesting the data. SafeModeAdministratorPassword: ******************* WARNING: A script or application on the remote computer 192.168.13.21 is sending a prompt request. When you are prompted, enter sensitive information, such as credentials or passwords, only if you trust the remote computer and the application or script that is requesting the data. Confirm SafeModeAdministratorPassword: ******************* The target server will be configured as a domain controller and restarted when this operation is complete. Do you want to continue with this operation? [Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): Y WARNING: Windows Server 2012 R2 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions. For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751). WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "200013.net". Otherwise, no action is required. WARNING: Windows Server 2012 R2 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions. For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751). 
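# WARNING: A delegation for this DNS server cannot be created because the authoritative parent
# zone cannot be found or it does not run Windows DNS server. If you are integrating with an
# existing DNS infrastructure, you should manually create a delegation to this DNS server in the
# parent zone to ensure reliable name resolution from outside the domain "200013.net".
# Otherwise, no action is required.

# Fix the time on both DCs. Kerberos rejects tickets when clocks differ by more than the
# domain's maximum tolerance (5 minutes by default), so clock sync is a security prerequisite.
#
# Time zone: Montréal is "Eastern Standard Time". "US Eastern Standard Time" (the original)
# is the Indiana (East) zone. Confirm the ID with: tzutil /l
TZUTIL /s "Eastern Standard Time"

# Only the PDC emulator (DC1 here, the first DC in the forest) should sync from an external
# source and advertise as reliable. The original applied the manual peer and /reliable:YES to
# both DCs, giving the domain two competing top-of-hierarchy time sources. The original also
# used curly quotes around the peer name, which end up as part of the peer string.
#
# On the PDC emulator (DC1):
w32tm.exe /config /manualpeerlist:"time.nrc.ca" /syncfromflags:manual /reliable:YES /update
# On every other DC (DC2): follow the domain hierarchy instead of an external peer
w32tm.exe /config /syncfromflags:domhier /reliable:NO /update
Restart-Service w32time
# Verify: the source should be time.nrc.ca on DC1 and DC1 on DC2
w32tm.exe /resync
w32tm.exe /query /status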