Active Directory Domain Services LAB

image_pdfimage_print

Domain Controller LAB – One click

Mit diesem Powershell-Skript kann man eine Test-Domäne aufsetzen und konfigurieren.

#### Grundkonfiguration des Servers und Neustart
$computerName = “DC01”

# Netzwerkadressen bestimmen
$IPv4Address = “172.18.32.31”
$IPv4Prefix = “24”
$IPv4GW = “172.18.32.1”
$IPv4DNS = “172.18.32.31”

# Präfixe auslesen
$ipIF = (Get-NetAdapter).ifIndex

# IPv6 temporär abschalten
Set-NetIPv6Protocol -RandomizeIdentifiers Disabled
Set-NetIPv6Protocol -UseTemporaryAddresses Disabled

# IPv6 Komponenten abschalten
Set-Net6to4Configuration -State Disabled
Set-NetIsatapConfiguration -State Disabled
Set-NetTeredoConfiguration -Type Disabled

# IPv4 Adresse, Gateway, and DNS setzen
New-NetIPAddress -InterfaceIndex $ipIF -IPAddress $IPv4Address -PrefixLength $IPv4Prefix -DefaultGateway $IPv4GW
Set-DNSClientServerAddress –interfaceIndex $ipIF –ServerAddresses $IPv4DNS

# Server umbennen und Neustart
Rename-Computer -NewName $computerName -force
Restart-Computer

### Domänen-Dienste installieren und Server zum DC promoten
$domainName  = “ndsedv.de”
$netBIOSname = “ndsedv”
$mode  = “Win2016”

Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools

Import-Module ADDSDeployment

$forestProperties = @{

DomainName           = $domainName
DomainNetbiosName    = $netBIOSname
ForestMode           = $mode
DomainMode           = $mode
CreateDnsDelegation  = $false
InstallDns           = $true
DatabasePath         = “C:\Windows\NTDS”
LogPath              = “C:\Windows\NTDS”
SysvolPath           = “C:\Windows\SYSVOL”
NoRebootOnCompletion = $false
Force                = $true

}

Install-ADDSForest @forestProperties

### DNS, SItes & Services und Zeitserver konfigurieren
$IPv4netID = “172.18.32.0/24”
$siteName = “Büro”
$location = “Essen”

# Authoritative Internet TimeServer setzen
$timePeerList = “ptbtime1.ptb.de ptbtime2.ptb.de”

# DNS Reverse Lookup Zone setzen
Add-DNSServerPrimaryZone -NetworkID $IPv4netID -ReplicationScope ‘Forest’ -DynamicUpdate ‘Secure’

# Sites & Services anpassen
$defaultSite = Get-ADReplicationSite | Select DistinguishedName
Rename-ADObject $defaultSite.DistinguishedName -NewName $siteName
New-ADReplicationSubnet -Name $IPv4netID -site $siteName -Location $location

# Neuregistrierung des DNS Records vom DC01
Register-DnsClient

# Scavenging-Einstellungen für alle Zonen und auf dem DNS Server aktivieren
Set-DnsServerScavenging –ScavengingState $True –ScavengingInterval 7:00:00:00 –ApplyOnAllZones
$Zones = Get-DnsServerZone | Where-Object {$_.IsAutoCreated -eq $False -and $_.ZoneName -ne ‘TrustAnchors’}
$Zones | Set-DnsServerZoneAging -Aging $True

# ZeitServer setzen
w32tm /config /manualpeerlist:$timePeerList /syncfromflags:manual /reliable:yes /update

### OUs Struktur aufbauen
$baseDN = “DC=ndsedv,DC=de”
$resourcesDN = “OU=ORG2,” + $baseDN

New-ADOrganizationalUnit “Resources” -path $baseDN
New-ADOrganizationalUnit “Admin Users” -path $resourcesDN
New-ADOrganizationalUnit “Groups Security” -path $resourcesDN
New-ADOrganizationalUnit “Service Accounts” -path $resourcesDN
New-ADOrganizationalUnit “Workstations” -path $resourcesDN
New-ADOrganizationalUnit “Servers” -path $resourcesDN
New-ADOrganizationalUnit “Users” -path $resourcesDN

### AD Papierkorb aktivieren
$ForestFQDN = “ndsedv.de”
$SchemaDC   = “DC01.ndsedv.de”

Enable-ADOptionalFeature –Identity ‘Recycle Bin Feature’ –Scope ForestOrConfigurationSet –Target $ForestFQDN -Server $SchemaDC -confirm:$false

### Benutzerkonto erstellen
$Password = Read-Host -assecurestring “User Password”
$userProperties = @{

Name                 = “Joern Walter”
GivenName            = “Joern”
Surname              = “Walter”
DisplayName          = “Joern Walter”
Path                 = “OU=Admin Users,OU=ORG2,DC=ndsedv,DC=de”
SamAccountName       = “JoernW”
UserPrincipalName    = “joern.walter@ndsedv.de”
AccountPassword      = $Password
PasswordNeverExpires = $True
Enabled              = $True
Description          = “Enterprise Admin”

}

New-ADUser @userProperties

# Privilegierte Rechte seten ENU-OS
Add-ADGroupMember “Domain Admins” $userProperties.SamAccountName
Add-ADGroupMember “Enterprise Admins” $userProperties.SamAccountName
Add-ADGroupMember “Schema Admins” $userProperties.SamAccountName
# Privilegierte Rechte seten DE-OS
#Add-ADGroupMember “Domänen-Admins” $userProperties.SamAccountName
#Add-ADGroupMember “Organisations-Admins” $userProperties.SamAccountName
#Add-ADGroupMember “Schema-Admins” $userProperties.SamAccountName

### Lokalen Administrator härten
Set-ADUser Administrator -AccountNotDelegated:$true -Enabled:$false

### Active Directory Datenbank sichern
C:\Windows\system32\ntdsutil.exe snapshot “activate instance ntds” create quit quit

Domain Controller LAB

Kommentar hinterlassen