Laborumgebung installieren
Mit diesem Powershell-Skript kann man eine Test-Domäne aufsetzen und konfigurieren. Selbstverständlich kann dieses Skript weiter ausgebaut werden.
Domain Controller LAB – One click
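#### Base configuration of the server and reboot
# Restart-Computer at the end of this section ends the session; everything
# after it has to be run in a new session once the server is back up.
$computerName = "DC01"
# Network addresses
$IPv4Address = "172.18.32.31"
$IPv4Prefix = "24"
$IPv4GW = "172.18.32.1"
# The DC uses itself as DNS server (same address as $IPv4Address)
$IPv4DNS = "172.18.32.31"
# Determine the interface index. (Get-NetAdapter).ifIndex silently yields an
# array on hosts with more than one adapter, which breaks the cmdlets below;
# fail early instead of configuring the wrong interface.
$adapters = @(Get-NetAdapter)
if ($adapters.Count -ne 1) {
    throw "Expected exactly one network adapter, found $($adapters.Count); set `$ipIF manually."
}
$ipIF = $adapters[0].ifIndex
# Disable IPv6 temporary / randomized addresses
Set-NetIPv6Protocol -RandomizeIdentifiers Disabled
Set-NetIPv6Protocol -UseTemporaryAddresses Disabled
# Disable IPv6 transition components (6to4, ISATAP, Teredo)
Set-Net6to4Configuration -State Disabled
Set-NetIsatapConfiguration -State Disabled
Set-NetTeredoConfiguration -Type Disabled
# Set IPv4 address, gateway and DNS (ASCII quotes/dashes: the typographic
# ones from the original are fragile when copied between editors)
New-NetIPAddress -InterfaceIndex $ipIF -IPAddress $IPv4Address -PrefixLength $IPv4Prefix -DefaultGateway $IPv4GW
Set-DnsClientServerAddress -InterfaceIndex $ipIF -ServerAddresses $IPv4DNS
# Rename the server and reboot
Rename-Computer -NewName $computerName -Force
Restart-Computer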
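### Install domain services and promote the server to a DC
$domainName = "ndsedv.de"
$netBIOSname = "ndsedv"
# Functional level used for both forest and domain
$mode = "Win2016"
# Stop before promotion if the role install did not succeed; the original
# ignored the result and would have run Install-ADDSForest regardless.
$featureResult = Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
if (-not $featureResult.Success) {
    throw "Installing AD-Domain-Services failed (exit code: $($featureResult.ExitCode))"
}
Import-Module ADDSDeployment
# No SafeModeAdministratorPassword is supplied, so Install-ADDSForest prompts
# for the DSRM password interactively; -Force only suppresses confirmations.
$forestProperties = @{
    DomainName           = $domainName
    DomainNetbiosName    = $netBIOSname
    ForestMode           = $mode
    DomainMode           = $mode
    CreateDnsDelegation  = $false
    InstallDns           = $true
    DatabasePath         = "C:\Windows\NTDS"
    LogPath              = "C:\Windows\NTDS"
    SysvolPath           = "C:\Windows\SYSVOL"
    # The server reboots automatically when promotion completes
    NoRebootOnCompletion = $false
    Force                = $true
}
Install-ADDSForest @forestProperties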
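### Configure DNS, Sites & Services and the time server
$IPv4netID = "172.18.32.0/24"
$siteName = "Büro"
$location = "Essen"
# Authoritative Internet time servers (space-separated list, passed as one
# quoted argument to w32tm)
$timePeerList = "ptbtime1.ptb.de ptbtime2.ptb.de"
# Create the DNS reverse lookup zone; 'Secure' restricts dynamic updates to
# authenticated clients.
Add-DnsServerPrimaryZone -NetworkID $IPv4netID -ReplicationScope 'Forest' -DynamicUpdate 'Secure'
# Rename the default site and attach the subnet to it
$defaultSite = Get-ADReplicationSite | Select-Object DistinguishedName
Rename-ADObject $defaultSite.DistinguishedName -NewName $siteName
New-ADReplicationSubnet -Name $IPv4netID -Site $siteName -Location $location
# Re-register the DC's own DNS records
Register-DnsClient
# Enable scavenging on the DNS server and on all zones (ASCII dashes replace
# the en-dashes of the original, which are easy to break when copied)
Set-DnsServerScavenging -ScavengingState $True -ScavengingInterval 7:00:00:00 -ApplyOnAllZones
$Zones = Get-DnsServerZone | Where-Object { $_.IsAutoCreated -eq $False -and $_.ZoneName -ne 'TrustAnchors' }
$Zones | Set-DnsServerZoneAging -Aging $True
# Configure the time source; /reliable:yes advertises this DC as a reliable
# time source for the domain
w32tm /config /manualpeerlist:$timePeerList /syncfromflags:manual /reliable:yes /update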
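### Build the OU structure
# Base DN is read from the domain this DC belongs to (DC=ndsedv,DC=de here)
$baseDN = (Get-ADDomain).DistinguishedName
# The original created an OU named "Resources" but addressed the child OUs via
# OU=ORG2, so every child creation failed. One variable now drives both; ORG2
# is kept because the user account section below uses that path.
$resourcesOU = "ORG2"
$resourcesDN = "OU=$resourcesOU,$baseDN"
New-ADOrganizationalUnit -Name $resourcesOU -Path $baseDN
foreach ($ouName in "Admin Users", "Groups Security", "Service Accounts", "Workstations", "Servers", "Users") {
    New-ADOrganizationalUnit -Name $ouName -Path $resourcesDN
}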
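### Enable the AD Recycle Bin
# Forest root and schema master are read from the forest instead of being
# hard-coded (they resolve to ndsedv.de / DC01.ndsedv.de in this lab).
$forest = Get-ADForest
$ForestFQDN = $forest.RootDomain
$SchemaDC = $forest.SchemaMaster
# Enabling the Recycle Bin is a one-way operation; it cannot be disabled later.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $ForestFQDN -Server $SchemaDC -Confirm:$false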
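### Create a user account
# The password is read masked as a SecureString, so it is never written in
# clear text into the script or the console history.
$Password = Read-Host -AsSecureString "User Password"
$userProperties = @{
    Name                 = "Joern Walter"
    GivenName            = "Joern"
    Surname              = "Walter"
    DisplayName          = "Joern Walter"
    # Must match the OU structure created earlier (OU=ORG2 below the base DN)
    Path                 = "OU=Admin Users,OU=ORG2,DC=ndsedv,DC=de"
    SamAccountName       = "JoernW"
    UserPrincipalName    = "joern.walter@ndsedv.de"
    AccountPassword      = $Password
    # A non-expiring password on a Tier-0 account is a lab convenience only;
    # set this to $False anywhere that is not a throwaway lab.
    PasswordNeverExpires = $True
    Enabled              = $True
    Description          = "Enterprise Admin"
}
New-ADUser @userProperties
# Grant privileged rights (group names of an English OS)
Add-ADGroupMember -Identity "Domain Admins" -Members $userProperties.SamAccountName
Add-ADGroupMember -Identity "Enterprise Admins" -Members $userProperties.SamAccountName
# Schema Admins is only needed while the schema is being changed; permanent
# membership widens the blast radius of this account.
Add-ADGroupMember -Identity "Schema Admins" -Members $userProperties.SamAccountName
# Grant privileged rights (group names of a German OS)
#Add-ADGroupMember -Identity "Domänen-Admins" -Members $userProperties.SamAccountName
#Add-ADGroupMember -Identity "Organisations-Admins" -Members $userProperties.SamAccountName
#Add-ADGroupMember -Identity "Schema-Admins" -Members $userProperties.SamAccountName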
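### Harden the built-in Administrator account
# On a DC this is the domain Administrator account, not a local one.
# Disabling it assumes the replacement admin account created in the previous
# section exists and works; verify that first, otherwise no enabled admin
# account is left.
Set-ADUser Administrator -AccountNotDelegated:$true -Enabled:$false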
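### Back up the Active Directory database
# Creates a VSS snapshot of the NTDS instance. The snapshot holds the complete
# directory database (ntds.dit) including account secrets, so protect it like
# the live database and remove it with ntdsutil's "snapshot" delete command
# once it is no longer needed.
C:\Windows\system32\ntdsutil.exe snapshot "activate instance ntds" create quit quit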