Configure Active Directory with DSC

Are you ready to jump in and automate your Active Directory creation?
Warning: no way back from here!


This post is part of a series; at the bottom you will find links to the other parts. In this part we will look at all the steps necessary to create a new Active Directory domain.
We are going to:

  • Install the required modules
  • Create a DSC script
  • Create/compile a MOF file (by running the created DSC script)
  • Configure our node with this MOF file.

Install the required modules
Install-Module xActiveDirectory -Verbose

Be aware: all modules starting with x are considered not final by Microsoft, so final implementation can be different when the module eventually becomes final.

If this is the first module you install, PowerShell will ask you to install NuGet-anycpu.exe. Behind the scenes, Install-Module uses PowerShellGet, which in turn uses NuGet, so NuGet-anycpu.exe must be available.
Do you want to download NuGet-anycpu.exe?
Click Yes

Next Install-Module will look in its online repository for the module you want to install, in this case xActiveDirectory. If found, it will ask you if you are sure that you want to install the module.
Are you sure you want to install software?
Click Yes

The output should be something like:
Output of Install-Module xActiveDirectory - Verbose

At this stage we have installed and configured all the necessary parts that enable us to use DSC for creating our domain controller. Only one thing is left: the actual PowerShell script itself.

Create a DSC script

Create and run a new PowerShell file: AssertDC.ps1
Be aware: you should never use plain text passwords in your production scripts!!!

# A configuration to Create a new Domain Controller for a new forest
configuration AssertDC
{
    param
    (
        [Parameter(Mandatory)]
        [pscredential]$safemodeAdministratorCred,
        [Parameter(Mandatory)]
        [pscredential]$domainCred,
        [Parameter(Mandatory)]
        [pscredential]$NewADUserCred,
        [Parameter(Mandatory)]
        [string]$NewADUser
    ) 

    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'
    Import-DscResource -ModuleName 'xActiveDirectory'

    Node $AllNodes.Where{$_.Role -eq "Primary DC"}.Nodename
    {
        WindowsFeature ADDSInstall
        {
            Ensure = "Present"
            Name = "AD-Domain-Services"
        }
        WindowsFeature RSATTools
        {
            DependsOn= '[WindowsFeature]ADDSInstall'
            Ensure = 'Present'
            Name = 'RSAT-AD-Tools'
            IncludeAllSubFeature = $true
        }
        xADDomain FirstDS
        {
            DomainName = $Node.DomainName
            DomainAdministratorCredential = $domainCred
            SafemodeAdministratorPassword = $safemodeAdministratorCred
            DependsOn = "[WindowsFeature]RSATTools"
        }
        xWaitForADDomain DscForestWait
        {
            DomainName = $Node.DomainName
            DomainUserCredential = $domainCred
            RetryCount = $Node.RetryCount
            RetryIntervalSec = $Node.RetryIntervalSec
            DependsOn = "[xADDomain]FirstDS"
        }
        xADUser FirstUser
        {
            DomainName = $Node.DomainName
            DomainAdministratorCredential = $domainCred
            UserName = $NewADUser
            Password = $NewADUserCred
            Ensure = "Present"
            DependsOn = "[xWaitForADDomain]DscForestWait"
        }
    }
}
Create/compile a MOF file (by running the created DSC script)

Run the following PowerShell commands. This will create a MOF file that we can later use to configure our nodes (read: computers).

$SafeModePW = 'S@fePassw0rd'
$NewADUser = 'Wouter'

# Configuration Data for AD
$ConfigData = @{
    AllNodes = @(
        @{
            Nodename = "sp2013-dev"
            Role = "Primary DC"
            DomainName = "development.local"
            PSDscAllowPlainTextPassword = $true
            RetryCount = 20
            RetryIntervalSec = 30
        }
    )
} 
AssertDC `
    -configurationData $ConfigData `
    -safemodeAdministratorCred (New-Object System.Management.Automation.PSCredential ('guest', (ConvertTo-SecureString $SafeModePW -AsPlainText -Force))) `
    -domainCred (New-Object System.Management.Automation.PSCredential ('Administrator', (ConvertTo-SecureString $SafeModePW -AsPlainText -Force))) `
    -NewADUserCred (New-Object System.Management.Automation.PSCredential ($NewADUser, (ConvertTo-SecureString $SafeModePW -AsPlainText -Force))) `
    -NewADUser $NewADUser

Result:
Result of running AssertDC
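
The plain text password warning above can be acted on at this compile step. The following is an added example, not code from the original post: it compiles the same AssertDC configuration with prompted credentials that are encrypted in the MOF. It assumes AssertDC.ps1 has been dot-sourced and that the node already holds a document encryption certificate; the certificate path, the thumbprint placeholder and the LcmCert name are hypothetical.

```powershell
# Added example, not from the original post. Assumes sp2013-dev holds the certificate's
# private key and its public key was exported to the machine that compiles the MOF.
$CertFile   = 'C:\DscCerts\sp2013-dev.cer'   # assumed path to the exported public key
$Thumbprint = '<CERT-THUMBPRINT>'            # placeholder: thumbprint of that certificate

$ConfigData = @{
    AllNodes = @(
        @{
            Nodename                    = 'sp2013-dev'
            Role                        = 'Primary DC'
            DomainName                  = 'development.local'
            RetryCount                  = 20
            RetryIntervalSec            = 30
            CertificateFile             = $CertFile     # public key used at compile time
            Thumbprint                  = $Thumbprint   # identifies the encrypting certificate
            PSDscAllowPlainTextPassword = $false        # refuse clear-text credentials
        }
    )
}

# Prompt for secrets instead of keeping them in the script
$safeModeCred = Get-Credential -UserName 'guest' -Message 'Safe mode (DSRM) password'
$domainCred   = Get-Credential -UserName 'Administrator' -Message 'Domain administrator password'
$newUserCred  = Get-Credential -UserName 'Wouter' -Message 'Password for the new AD user'

AssertDC -ConfigurationData $ConfigData `
    -safemodeAdministratorCred $safeModeCred `
    -domainCred $domainCred `
    -NewADUserCred $newUserCred `
    -NewADUser 'Wouter'

# Check: none of the entered passwords may appear in clear text in the compiled MOF
foreach ($cred in $safeModeCred, $domainCred, $newUserCred) {
    $plain = $cred.GetNetworkCredential().Password
    if (Select-String -Path .\AssertDC\sp2013-dev.mof -SimpleMatch -Pattern $plain -Quiet) {
        throw "Clear-text password for '$($cred.UserName)' found in the MOF"
    }
}

# Point the node's LCM at the certificate so it can decrypt the credentials
[DscLocalConfigurationManager()]
configuration LcmCert {
    param ([string]$Thumbprint)
    Node 'sp2013-dev' {
        Settings { CertificateID = $Thumbprint }
    }
}
LcmCert -Thumbprint $Thumbprint
Set-DscLocalConfigurationManager -Path .\LcmCert -ComputerName 'sp2013-dev' -Credential $domainCred -Verbose
```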

Configure our node with this MOF file.
$SafeModePW = 'S@fePassw0rd'
$Credential = (New-Object System.Management.Automation.PSCredential ('Administrator', (ConvertTo-SecureString $SafeModePW -AsPlainText -Force)))
Start-DscConfiguration -Wait -Force -Verbose `
    -ComputerName "sp2013-dev" `
    -Path .\AssertDC `
    -Credential $Credential

This will take a while, as it will install and configure your domain…
When finished, reboot the server and you will find yourself having created a whole new domain controller.

To create the configured user, you have to re-run the last script to apply the last part of the configuration.
This is because we have added “xWaitForADDomain DscForestWait” in the first script and the server needed a reboot.

$SafeModePW = 'S@fePassw0rd'
$Credential = (New-Object System.Management.Automation.PSCredential ('Administrator', (ConvertTo-SecureString $SafeModePW -AsPlainText -Force)))
Start-DscConfiguration -Wait -Force -Verbose `
    -ComputerName "sp2013-dev" `
    -Path .\AssertDC `
    -Credential $Credential

Voila, a newly created user in your new domain, in your new forest!
New user in new domain in new forest


This post is separated into multiple parts:

  1. What is DSC?
  2. Setting up the environment for DSC
  3. Configure Active Directory with DSC (this post)
  4. What LEGO has to do with PowerShell DSC Partial Configurations!
  5. Configure IIS with DSC
  6. Install SQL with DSC
  7. Install SharePoint
  8. Configure SharePoint