Create complete environment with script - need help

  • Question

  • Hi Guys,

    Before I start I would like to point out that I am not a beginner in PowerShell. One of my friends was at Microsoft Techdays and there were people from Microsoft and a few MVPs. The interesting thing was that they had a script that installs a complete environment with domain controllers, member servers, RDS, whatever you name it. I am installing everything through PowerShell and I know how to use it, but I don't want to have many scripts that install piece by piece. I know that there are Lab Builders, but if I am not wrong they are used just for labs and not for production. My question is how I can create a script that will install a DC, create the desired AD groups and OU structure, add member servers to the domain, etc. To start with I would like to install one DC and 3 member servers. Is there a way to do it with minimal administrative action or not? I don't know how I can run a script from a member server to install a DC when all servers are in a workgroup from the beginning, or whether I am doing it wrong. Please give me some advice. One more time, I know how to use PowerShell and install all parts manually, but not from a single script where we have domain reboots and things like that. I am not asking that you guys create a script, just advice on how to start and what I need to think about in scenarios like this.



    • Edited by kaktak Wednesday, September 12, 2018 7:09 PM
    Wednesday, September 12, 2018 7:06 PM

Answers

  • Hi,

    What you are asking for is DSC (Desired State Configuration).

    You don't need to create a DC first and join those machines to the domain. You can do it without having a DC first.

    DSC does not require a domain, and basically the first thing you need to configure is trusted hosts so that your management machine can find those workgroup servers. PS Remoting is enabled by default on 2012/2106 if you are using those, and once trusted hosts are configured you can use Enter-PSSession to verify that you can access those machines. The next thing you need to configure is the LCM on the target machines to use the push or pull method (push is the default), and you need to tell it how to handle reboots and what to do after a reboot occurs. Your third step is to configure 2 files, one for configuration data and the second one for the code. There are a lot of videos and docs on how to do this, but without learning how DSC works you will not be able to understand, manage and configure all of this.

    -----------------------------------------------------------------------------------------------------------

    If you found this post helpful, please give it a "Helpful" vote. 
    Please remember to mark the replies as answers if they help.

    • Marked as answer by kaktak Wednesday, October 3, 2018 2:47 PM
    Friday, September 21, 2018 1:21 PM
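
The three steps from the answer above (trusted hosts, LCM, configuration data plus configuration) as an added example that is not part of the original thread. Assumptions: the host names, the domain name `corp.example`, the certificate paths and the thumbprints are placeholders, and `ActiveDirectoryDsc` and `ComputerManagementDsc` are the resource modules chosen here; the thread names none.

```powershell
# Added example, not from the thread. Host names, domain, paths and thumbprints are placeholders.
# Assumes the two resource modules are installed here and on each target, and member DNS points at the DC.
$dc = 'DC01'; $all = @($dc, 'SRV01', 'SRV02', 'SRV03')

# Step 1: trust only the named workgroup hosts. TrustedHosts skips server authentication
# for these names, so avoid '*' and prefer a WinRM HTTPS listener where you can.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($all -join ',') -Force
$local = Get-Credential -Message 'Local administrator on the targets'
Invoke-Command -ComputerName $all -Credential $local -ScriptBlock { $env:COMPUTERNAME }

# Configuration data (normally its own .psd1): each node's public certificate encrypts
# the credentials in its MOF instead of allowing plain-text passwords.
$nodes = $all | ForEach-Object {
    @{ NodeName = $_; Role = if ($_ -eq $dc) { 'DC' } else { 'Member' }
       CertificateFile = "C:\dsc\$_.cer"; Thumbprint = "<THUMBPRINT-$_>" }
}
$data = @{ AllNodes = @(@{ NodeName = '*'; DomainName = 'corp.example' }) + $nodes }

# Step 2: LCM in push mode that reboots when needed and resumes afterwards.
[DSCLocalConfigurationManager()]
configuration Lcm {
    Node $AllNodes.NodeName {
        Settings {
            RefreshMode = 'Push'; RebootNodeIfNeeded = $true
            ActionAfterReboot = 'ContinueConfiguration'; CertificateID = $Node.Thumbprint
        }
    }
}

# Step 3: the configuration itself. Members wait for the domain, then join it.
configuration Environment {
    param([pscredential]$DomainAdmin, [pscredential]$SafeMode)
    Import-DscResource -ModuleName PSDesiredStateConfiguration, ActiveDirectoryDsc, ComputerManagementDsc
    Node $AllNodes.Where{ $_.Role -eq 'DC' }.NodeName {
        WindowsFeature ADDS { Name = 'AD-Domain-Services'; Ensure = 'Present' }
        ADDomain Forest { DomainName = $Node.DomainName; Credential = $DomainAdmin
            SafeModeAdministratorPassword = $SafeMode; DependsOn = '[WindowsFeature]ADDS' }
    }
    Node $AllNodes.Where{ $_.Role -eq 'Member' }.NodeName {
        WaitForADDomain Wait { DomainName = $Node.DomainName; Credential = $DomainAdmin }
        Computer Join { Name = $Node.NodeName; DomainName = $Node.DomainName
            Credential = $DomainAdmin; DependsOn = '[WaitForADDomain]Wait' }
    }
}

Lcm -ConfigurationData $data -OutputPath .\mof
Set-DscLocalConfigurationManager -Path .\mof -Credential $local
Environment -ConfigurationData $data -OutputPath .\mof -DomainAdmin (Get-Credential) -SafeMode (Get-Credential)
Start-DscConfiguration -Path .\mof -Credential $local   # runs as a job; the LCM carries on across reboots
```

Each node's thumbprint must match a certificate whose private key is in that node's `Cert:\LocalMachine\My` store, otherwise the LCM cannot decrypt the credentials in its MOF.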

All replies

  • I suggest that you first learn PowerShell then learn the Windows provisioning CmdLets.  You have to use the "feature" CmdLets to install server roles.

    The following will help get you started.

    Please carefully review the following links to set your expectation for posting in  technical forums.

    This Forum is for Scripting Questions Rather than script requests


    \_(ツ)_/

    Wednesday, September 12, 2018 7:30 PM
  • Hi,

    From what you posted I can see that you didn't even read my question. I said that I am not a beginner and that I know PowerShell and am installing things with it, but what I am interested in is whether it is possible to create a script which will install many things in one shot even if there are reboots involved, and how to accomplish that. I created many scripts but those install one thing at a time, for example one for DC installation, a second for RDS installation with collections, etc... but is there a way to configure all of that with one? Like I said "One of my friends was at Microsoft Techdays and there were people from Microsoft and a few MVPs. The interesting thing was that they had a script that installs a complete environment with domain controllers, member servers, RDS, whatever you name it."

    I know that there is Lab Builder but that is only for testing purposes, not for production. We know that a DC needs to reboot after installing the domain, and the same goes for servers which join the domain. I am looking for advice on how to accomplish this with one script. Please read people's questions first before posting things like that.


    • Edited by kaktak Thursday, September 13, 2018 6:17 AM
    Thursday, September 13, 2018 6:16 AM
  • What your friend saw was a tool called DSC (Desired State Configuration) or they saw a demo of MDT (Microsoft Deployment Toolkit).

    Look up those terms to find articles on how to use them.

    You can also use  workflow to build a system in stages with reboots. 

    help about_workflow


    \_(ツ)_/

    Thursday, September 13, 2018 7:22 AM
  • Hi Jrv,

    Now we're talking. This could be the answer, the workflows. I heard about DSC but I also heard that I need to have that file present all the time; if something happens to the file the whole configuration will be ruined, or if I make changes and forget to update the script it will revert those changes back. I will take a look at workflows and report back. Thank you.

    Thursday, September 13, 2018 8:29 AM
    I think that workflows will do the trick but I have one question. If I have 5 servers in a workgroup, how will the server from which I am executing things know about the other servers that are in the workgroup? I am talking here about the server that will become the new DC (it will be renamed and AD will be installed) and the other 4 servers that will be joined to the domain. Is it possible to do it with a workflow, or how do I get past this problem with workgroup comps?
    Thursday, September 13, 2018 1:39 PM
    I recently watched the PowerShell Summit Session "Finally! Create, Permission, and Publish an AD CS Certificate Template with PowerShell" by Ashley McGlone on YouTube. In the first few minutes he kicks off a DSC Configuration that turns his Workgroup Server into a Domain Controller including OUs, Users, Groups and ADCS.

    I've used his ADCSTemplate module and example (Examples/Build-ADCS.ps1) to replicate this in my Lab, but I haven't automated joining any member servers... yet.

    The DSC learning curve is a bit steep, but once you get the hang of it there's an abundance of examples and resources that you can leverage and re-use.


    • Edited by F. Van Roie Thursday, September 13, 2018 2:24 PM
    Thursday, September 13, 2018 2:12 PM
    That is what a workflow is for.  You need to design a script that does what you need.  We cannot teach you how to write scripts or how to provision servers.  Start by learning PowerShell.  Once you are proficient at basic PowerShell then learn about how PS scripts can rename servers and add features and roles.

    A good place to start your quest is here: Learn PowerShell  


    \_(ツ)_/

    Thursday, September 13, 2018 4:15 PM
    @jrv --> You again with the learn PowerShell thing. I already said that I know it and that I made many scripts that configure things on remote computers BUT THOSE COMPUTERS ARE DOMAIN JOINED. I didn't ask you how to rename or reboot a damn computer with PowerShell (read what the question is). I asked: if we have 5 computers and all of them are in a workgroup, one of them will become the DC and the rest of them will be member servers with different roles, how will a workflow or DSC find those computers if they are in a workgroup? No matter what I run, I receive

    Connecting to remote server hyper failed with the following error message : WinRM cannot process the request.

    So my question is how a workflow will find the computer that will become the DC, and once the DC is configured, how that server will then add those servers to the domain if they are in a workgroup.

    @F. Van Roie --> Thank you for the reply. I will take a look at that video.

    Friday, September 14, 2018 11:12 AM
  • Again. You clearly don't know basic PowerShell as the error is telling you exactly the issue which is a very basic PS issue.

    You cannot remote to a workgroup computer using Kerberos, Basic or NTLM.  To remote you need to set up all systems with CredSSP. 

    I recommend that you stop trying to force others to give you a solution and spend some time learning to use PS in a workgroup or use another remoting technology such as WMI or PsExec.

    Post in the Windows Deployment forum for help understanding how to use automation to configure system.

    First create a DC.  Next use Add-Computer to join all to domain.  After that is done you can then use DSC to complete all configurations.

    Without a complete understanding of how PowerShell and WNF are designed to work you will be mostly lost.  Just knowing how to execute CmdLets does not count as "knowing" PowerShell.

    Do the tutorial.  You will then understand why I recommend learning first.

    Learn PowerShell

    Desired State Configuration

    Workflow  -  for complete WFF see MS docs online.

    The tutorial will cover workflow, remoting, DSC and other basic features of WMF 5.1.  The main tutorial is about 5 hours and is a pre-requisite for the remaining presentations.


    \_(ツ)_/

    Friday, September 14, 2018 11:32 AM
  • There is also a way to do this with VMs using the PS CmdLets.  This would not require remoting or workflows.

    See: https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#BKMK_installwps

    It is possible to use CmdLets to add features and join systems. You will have to learn more PowerShell and learn to use the computer and AD CmdLets as well as having the VMs set up correctly and available.

    Another method that is used here is to create images of the target systems using DISM.  DISM can create images that are completely configured that can be copied/installed into a VHD and then run as a VM.  The member systems will still have to be joined but that is trivial and takes only one CmdLet.


    \_(ツ)_/

    Friday, September 14, 2018 12:09 PM