|
@@ -0,0 +1,898 @@
|
|
|
+<body>
|
|
|
+ <div id="longDesc">
|
|
|
+ <p><span style="font-family:Calibri; font-size:medium"> </span></p>
|
|
|
+ <h1 style="color:#2e74b5; font-family:Calibri Light; font-size:large">Introduction</h1>
|
|
|
+ <div id="longDesc">
|
|
|
+ <span style="font-family:Calibri; font-size:medium">
|
|
|
+ <p>
|
|
|
+ The<strong> xActiveDirectory</strong> module is a part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit, which is a collection of DSC Resources produced by the PowerShell Team. This module contains the
|
|
|
+ <strong>xADDomain, xADDomainController, xADUser, xWaitForDomain, and xADDomainTrust</strong> resources. These DSC Resources allow you to configure and manage Active Directory. Note: these resources do not presently install the RSAT tools.
|
|
|
+ </p>
|
|
|
+ <p>
|
|
|
+ <strong>All of the resources in the DSC Resource Kit are provided AS IS, and are not supported through any Microsoft standard support program or service. The "x" in xActiveDirectory stands for experimental</strong>, which means that these resources will
|
|
|
+ be <strong>fix forward</strong> and monitored by the module owner(s).
|
|
|
+ </p>
|
|
|
+ <p>Please leave comments, feature requests, and bug reports in the Q & A tab for this module.</p>
|
|
|
+ <p>
|
|
|
+ If you would like to modify <strong>xActiveDirectory</strong> module, feel free. When modifying, please update the module name, resource friendly name, and MOF class name (instructions below). As specified in the license, you may copy or modify this resource
|
|
|
+ as long as they are used on the Windows Platform.
|
|
|
+ </p>
|
|
|
+ <p>
|
|
|
+ For more information about Windows PowerShell Desired State Configuration, check out the blog posts on the
|
|
|
+ <a href="http://blogs.msdn.com/b/powershell/"><span style="color:#0000ff">PowerShell Blog</span></a> (<a href="http://blogs.msdn.com/b/powershell/archive/2013/11/01/configuration-in-a-devops-world-windows-powershell-desired-state-configuration.aspx"><span style="color:#0000ff">this</span></a>
|
|
|
+ is a good starting point). There are also great community resources, such as <a href="http://powershell.org/wp/tag/dsc/">
|
|
|
+ <span style="color:#0000ff">PowerShell.org</span>
|
|
|
+ </a>, or <a href="http://www.powershellmagazine.com/tag/dsc/">
|
|
|
+ <span style="color:#0000ff">PowerShell Magazine</span>
|
|
|
+ </a>. For more information on the DSC Resource Kit, check out
|
|
|
+ <a href="http://go.microsoft.com/fwlink/?LinkID=389546"><span style="color:#0000ff">this blog post</span></a>.
|
|
|
+ </p>
|
|
|
+ <h1 style="color:#2e74b5; font-family:Calibri Light; font-size:large">Installation</h1>
|
|
|
+ <p>To install <strong>xActiveDirectory</strong> module</p>
|
|
|
+ <ul style="list-style-type:disc; direction:ltr">
|
|
|
+ <li>Unzip the content under $env:ProgramFiles\WindowsPowerShell\Modules folder </li>
|
|
|
+ </ul>
|
|
|
+ <p>To confirm installation:</p>
|
|
|
+ <ul style="list-style-type:disc; direction:ltr">
|
|
|
+ <li>
|
|
|
+ Run <strong>Get-DSCResource</strong> to see that <strong>xADDomain, xADDomainController, xADUser, xWaitForDomain, and xADDomainTrust</strong> are among the DSC Resources listed
|
|
|
+ </li>
|
|
|
+ </ul>
|
|
|
+ <h1 style="color:#2e74b5; font-family:Calibri Light; font-size:large">Requirements</h1>
|
|
|
+ <p>
|
|
|
+ This module requires the latest version of PowerShell (v4.0, which ships in Windows 8.1 or Windows Server 2012R2). To easily use PowerShell 4.0 on older operating systems,
|
|
|
+ <a href="http://www.microsoft.com/en-us/download/details.aspx?id=40855"><span style="color:#0000ff">install WMF 4.0</span></a>. Please read the installation instructions that are present on both the download page and the release notes for WMF 4.0.
|
|
|
+ </p>
|
|
|
+ <h1 style="color:#2e74b5; font-family:Calibri Light; font-size:large">Description</h1>
|
|
|
+ <p>
|
|
|
+ The <strong>xActiveDirectory </strong>module contains the <strong>xADDomain, xADDomainController, xADUser, xWaitForDomain, and ADDomainTrust</strong> DSC Resources. These DSC Resources allow you to configure new domain, child domains,high availability domain
|
|
|
+ controllers and establish cross-domain trusts. <span style="font-family:Calibri; font-size:medium">
|
|
|
+ The <span style="font-family:Calibri; font-size:medium">
|
|
|
+ <strong>xADDomain</strong>
|
|
|
+ </span>resource is responsible to create new Active directory forest configuration or new Active directory domain configuration. <span style="font-family:Calibri; font-size:medium">
|
|
|
+ The
|
|
|
+ <span style="font-family:Calibri; font-size:medium">
|
|
|
+ <strong>xADDomainController </strong>
|
|
|
+ </span>resource is responsible to install a domain controller in Active directory.
|
|
|
+ <span style="font-family:Calibri; font-size:medium">
|
|
|
+ The <span style="font-family:Calibri; font-size:medium">
|
|
|
+ <strong>xADUser</strong>
|
|
|
+ </span>resource is responsible to modify or remove Active directory User. <span style="font-family:Calibri; font-size:medium">
|
|
|
+ The
|
|
|
+ <span style="font-family:Calibri; font-size:medium"><strong>xWaitForDomain</strong></span> resource is responsible to wait for new domain to setup. It's worth noting that the RSAT tools will not be installed when these resources are used to configure AD. The
|
|
|
+ <span style="font-family:Calibri; font-size:medium"><strong>xADDomainTrust</strong></span> resource is used to establish a cross-domain trust. <span style="font-family:Calibri; font-size:medium">
|
|
|
+ <br>
|
|
|
+ </span>
|
|
|
+ </span>
|
|
|
+ </span>
|
|
|
+ </span>
|
|
|
+ </span>
|
|
|
+ </p>
|
|
|
+ <h1 style="color:#2e74b5; font-family:Calibri Light; font-size:large">Details</h1>
|
|
|
+ <p><strong>xADDomain</strong> resource has following properties:</p>
|
|
|
+ <ul style="list-style-type:disc; direction:ltr">
|
|
|
+ <li>
|
|
|
+ <strong>DomainName</strong>: <span>
|
|
|
+
|
|
|
+ </span>Name of the domain. If no parent name is specified, this is the fully qualified domain name for first domain in the forest.
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>ParentDomainName</strong>: Name of the parent domain.
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>DomainAdministratorCredential</strong>: Credentials used to query for domain existence. Note: These are not used during domain creation. ( AD sets the localadmin credentials as new domain administrator credentials
|
|
|
+ during setup )<span style="font-family:Calibri; font-size:medium">
|
|
|
+ <br>
|
|
|
+ </span>
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>SafemodeAdministratorPassword</strong>: <span> </span>
|
|
|
+ <span style="font-family:Calibri; font-size:medium">
|
|
|
+ Password for the administrator account when the computer is started in Safe Mode.
|
|
|
+ </span>
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>
|
|
|
+ DnsDelegationCredential:
|
|
|
+ </strong><span style="font-family:Calibri; font-size:medium">Credential used for creating DNS delegation</span>
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>
|
|
|
+ DatabasePath:
|
|
|
+ </strong><span style="font-family:Calibri; font-size:medium">Destination path for the AD database</span>
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>
|
|
|
+ LogPath:
|
|
|
+ </strong><span style="font-family:Calibri; font-size:medium">Destination path for the AD log files</span>
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>
|
|
|
+ SysvolPath:
|
|
|
+ </strong><span style="font-family:Calibri; font-size:medium">Destination path for the sysvol store</span>
|
|
|
+ </li>
|
|
|
+ </ul>
|
|
|
+ <p><strong>xADDomainController</strong> resource has following properties:</p>
|
|
|
+ <ul style="list-style-type:disc; direction:ltr">
|
|
|
+ <li>
|
|
|
+ <strong>DomainName</strong>: <span>
|
|
|
+
|
|
|
+ </span>The fully qualified domain name for the domain where the domain controller will be present
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>DomainAdministratorCredential</strong>: <span>
|
|
|
+
|
|
|
+ </span>Specifies the credential for the account used to install the domain controller
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>SafemodeAdministratorPassword</strong>: Password for the administrator account when the computer is started in Safe Mode.
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>
|
|
|
+ DatabasePath:
|
|
|
+ </strong><span style="font-family:Calibri; font-size:medium">Destination path for the AD database</span>
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>
|
|
|
+ LogPath:
|
|
|
+ </strong><span style="font-family:Calibri; font-size:medium">Destination path for the AD log files</span>
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>
|
|
|
+ SysvolPath:
|
|
|
+ </strong><span style="font-family:Calibri; font-size:medium">Destination path for the sysvol store</span>
|
|
|
+ </li>
|
|
|
+ </ul>
|
|
|
+ </ul>
|
|
|
+ <p><strong>xADUser</strong> resource has following properties:</p>
|
|
|
+ <ul style="list-style-type:disc; direction:ltr">
|
|
|
+ <li>
|
|
|
+ <strong>Ensure</strong>: <span>
|
|
|
+
|
|
|
+ </span>Specifies whether the given user is present or absent
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>DomainName</strong>: <span>
|
|
|
+
|
|
|
+ </span>Name of the domain to which the user will be added
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>UserName</strong>:
|
|
|
+ Name of the user
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>Password</strong>: <span>
|
|
|
+
|
|
|
+ Password value for the account
|
|
|
+ </span>
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>DomainAdministratorCredential: </strong>User account credentials used to perform the task
|
|
|
+ </li>
|
|
|
+ </ul>
|
|
|
+ <p><strong>xWaitForADDomain</strong> resource has following properties:</p>
|
|
|
+ <ul style="list-style-type:disc; direction:ltr">
|
|
|
+ <li>
|
|
|
+ <strong>DomainName</strong>: <span>
|
|
|
+
|
|
|
+ </span>Name of the domain to wait for
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>RetryIntervalSec</strong>: <span>
|
|
|
+
|
|
|
+ </span>Interval to check for the domain's existance
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>RetryCount</strong>:
|
|
|
+ Maximum number of retries to check for the domain's existance
|
|
|
+ </li>
|
|
|
+ </ul>
|
|
|
+ <p><strong>xADDomainTrust</strong> resource has following properties:</p>
|
|
|
+ <ul style="list-style-type:disc; direction:ltr">
|
|
|
+ <li>
|
|
|
+ <strong>Ensure:</strong> <span>
|
|
|
+
|
|
|
+ </span>Specifies whether the domain trust is present or absent
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>TargetDomainAdministratorCredential: </strong><span style="font-family:Calibri; font-size:medium">Credentials to authenticate to the target domain</span>
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>TargetDomainName:</strong> <span>
|
|
|
+
|
|
|
+ </span>Name of the AD domain that is being trusted
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>TrustType:</strong>
|
|
|
+ Type of trust
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>TrustDirection:</strong>
|
|
|
+ Direction of trust, the values for which may be Bidirectional,Inbound, or Outbound
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>SourceDomainName:</strong> Name of the AD domain that is requesting the trust
|
|
|
+ </li>
|
|
|
+ </ul>
|
|
|
+ <h1 style="color:#2e74b5; font-family:Calibri Light; font-size:large">Renaming Requirements</h1>
|
|
|
+ <p>When making changes to these resources, we suggest the following practice:</p>
|
|
|
+ <ol style="list-style-type:decimal; direction:ltr">
|
|
|
+ <li>
|
|
|
+ Update the following names by replacing MSFT with your company/community name and replacing the
|
|
|
+ <strong>"x"</strong> with <strong>"c"</strong> (short for "Community") or another prefix of your choice:
|
|
|
+ <ul>
|
|
|
+ <li>
|
|
|
+ <strong>Module name (ex: x<span style="font-family:Calibri; font-size:medium"><strong>ADDomain</strong></span></strong> becomes
|
|
|
+ <strong>c<span style="font-family:Calibri; font-size:medium"><strong>ADDomain</strong></span></strong>)
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>Resource folder (ex: MSFT_</strong><span style="font-family:Calibri; font-size:medium"><strong>xADDomain</strong></span> becomes
|
|
|
+ <strong>Contoso_x</strong><span style="font-family:Calibri; font-size:medium"><strong>ADDomain</strong></span>)
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>Resource Name (ex: MSFT_<span style="font-family:Calibri; font-size:medium"><strong>xADDomain</strong></span></strong> becomes
|
|
|
+ <strong>Contoso_c</strong><span style="font-family:Calibri; font-size:medium"><strong>ADDomain</strong></span>)
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>
|
|
|
+ Resource Friendly Name (ex: <span style="font-family:Calibri; font-size:medium">
|
|
|
+ <strong>xADDomain</strong>
|
|
|
+ </span>
|
|
|
+ </strong>becomes <strong>c<span style="font-family:Calibri; font-size:medium"><strong>ADDomain</strong></span></strong>)
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>MOF class name (ex: MSFT_x<span style="font-family:Calibri; font-size:medium"><strong>ADDomain</strong></span></strong> becomes
|
|
|
+ <strong>Contoso_c<span style="font-family:Calibri; font-size:medium"><strong>ADDomain</strong></span></strong>)
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <strong>Filename for the <resource>.schema.mof (ex: MSFT_x<span style="font-family:Calibri; font-size:medium"><strong>ADDomain</strong></span></strong>.schema.mof becomes
|
|
|
+ <strong>Contoso_c<span style="font-family:Calibri; font-size:medium"><strong>ADDomain</strong></span></strong>.schema.mof)
|
|
|
+ </li>
|
|
|
+ </ul>
|
|
|
+ </li>
|
|
|
+ <li>Update module and metadata information in the module manifest </li>
|
|
|
+ <li>Update any configuration that use these resources </li>
|
|
|
+ </ol>
|
|
|
+ <p>
|
|
|
+ <em>
|
|
|
+ We reserve resource and module names without prefixes ("x" or "c") for future use (e.g. "MSFT_ADDomain" or "MSFT_ADUser"). If the next version of Windows Server ships with a "ADDomain" resource, we don't want to break any configurations that use any
|
|
|
+ community modifications. Please keep a prefix such as "c" on all community modifications.
|
|
|
+ </em>
|
|
|
+ </p>
|
|
|
+ <h1 style="color:#2e74b5; font-family:Calibri Light; font-size:large">Versions</h1>
|
|
|
+ <p>1.0.0.0</p>
|
|
|
+ <ul style="list-style-type:disc; direction:ltr">
|
|
|
+ <li>
|
|
|
+ Initial release with the following resources
|
|
|
+ <ul style="list-style-type:circle">
|
|
|
+ <li>
|
|
|
+ <span style="font-family:Calibri; font-size:medium">xADDomain, xADDomainController, xADUser, and xWaitForDomain</span>
|
|
|
+ </li>
|
|
|
+ </ul>
|
|
|
+ </li>
|
|
|
+ </ul>
|
|
|
+ <p>2.0.0.0</p>
|
|
|
+ <ul style="list-style-type:disc; direction:ltr">
|
|
|
+ <li>
|
|
|
+ Updated release, which added the resource
|
|
|
+ <ul style="list-style-type:circle">
|
|
|
+ <li><span style="font-family:Calibri; font-size:medium">xADDomainTrust</span> </li>
|
|
|
+ </ul>
|
|
|
+ </li>
|
|
|
+ </ul>
|
|
|
+ <p>2.1.0.0</p>
|
|
|
+ <ul style="list-style-type:disc; direction:ltr">
|
|
|
+ <li>
|
|
|
+ Minor update: Get-TargetResource to use domain name instead of name
|
|
|
+ </li>
|
|
|
+ </ul>
|
|
|
+ <p>2.2</p>
|
|
|
+ <ul style="list-style-type:disc; direction:ltr">
|
|
|
+ <li>
|
|
|
+ Modified xAdDomain and xAdDomainController to support Ensure as Present / Absent, rather than True/False. Note: this may cause issues for existing scripts. Also corrected return value to be a hashtable in both resources.
|
|
|
+ </li>
|
|
|
+ </ul>
|
|
|
+ <p>2.3</p>
|
|
|
+ <ul style="list-style-type:disc; direction:ltr">
|
|
|
+ <li>
|
|
|
+ Added properties to xAdDomain and xAdDomainController:
|
|
|
+ <ul style="list-style-type:circle">
|
|
|
+ <li>
|
|
|
+ <span style="font-family:Calibri; font-size:medium">DatabasePath</span>
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <span style="font-family:Calibri; font-size:medium">LogPath</span>
|
|
|
+ </li>
|
|
|
+ <li>
|
|
|
+ <span style="font-family:Calibri; font-size:medium">SysvolPath</span>
|
|
|
+ </li>
|
|
|
+ </ul>
|
|
|
+ </li>
|
|
|
+ </ul>
|
|
|
+ <h1 style="margin-bottom:0pt; font-family:Calibri Light; color:#2e74b5; font-size:large">
|
|
|
+ Example: Create a highly available Domain using multiple domain controllers
|
|
|
+ </h1>
|
|
|
+ <p>
|
|
|
+ In the following example configuration, a highly available domain is created by adding a domain controller to an existing domain. This example uses the xWaitForDomain resource to ensure that the domain is present before the second domain controller
|
|
|
+ is added.
|
|
|
+ </p>
|
|
|
+ <div class="scriptcode">
|
|
|
+ <div class="pluginEditHolder" plugincommand="mceScriptCode">
|
|
|
+ <div class="title"><span>PowerShell</span></div>
|
|
|
+ <div class="pluginLinkHolder"><span class="pluginEditHolderLink">Edit</span>|<span class="pluginRemoveHolderLink">Remove</span></div>
|
|
|
+ <span class="hidden">powershell</span>
|
|
|
+<pre class="hidden"># A configuration to Create High Availability Domain Controller
|
|
|
+configuration AssertHADC
|
|
|
+{
|
|
|
+ param
|
|
|
+ (
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [pscredential]$safemodeAdministratorCred,
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [pscredential]$domainCred,
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [pscredential]$DNSDelegationCred,
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [pscredential]$NewADUserCred
|
|
|
+ )
|
|
|
+ Import-DscResource -ModuleName xActiveDirectory
|
|
|
+ Node $AllNodes.Where{$_.Role -eq "Primary DC"}.Nodename
|
|
|
+ {
|
|
|
+ WindowsFeature ADDSInstall
|
|
|
+ {
|
|
|
+ Ensure = "Present"
|
|
|
+ Name = "AD-Domain-Services"
|
|
|
+ }
|
|
|
+ xADDomain FirstDS
|
|
|
+ {
|
|
|
+ DomainName = $Node.DomainName
|
|
|
+ DomainAdministratorCredential = $domainCred
|
|
|
+ SafemodeAdministratorPassword = $safemodeAdministratorCred
|
|
|
+ DnsDelegationCredential = $DNSDelegationCred
|
|
|
+ DependsOn = "[WindowsFeature]ADDSInstall"
|
|
|
+ }
|
|
|
+ xWaitForADDomain DscForestWait
|
|
|
+ {
|
|
|
+ DomainName = $Node.DomainName
|
|
|
+ DomainUserCredential = $domainCred
|
|
|
+ RetryCount = $Node.RetryCount
|
|
|
+ RetryIntervalSec = $Node.RetryIntervalSec
|
|
|
+ DependsOn = "[xADDomain]FirstDS"
|
|
|
+ }
|
|
|
+ xADUser FirstUser
|
|
|
+ {
|
|
|
+ DomainName = $Node.DomainName
|
|
|
+ DomainAdministratorCredential = $domainCred
|
|
|
+ UserName = "dummy"
|
|
|
+ Password = $NewADUserCred
|
|
|
+ Ensure = "Present"
|
|
|
+ DependsOn = "[xWaitForADDomain]DscForestWait"
|
|
|
+ }
|
|
|
+ }
|
|
|
+ Node $AllNodes.Where{$_.Role -eq "Replica DC"}.Nodename
|
|
|
+ {
|
|
|
+ WindowsFeature ADDSInstall
|
|
|
+ {
|
|
|
+ Ensure = "Present"
|
|
|
+ Name = "AD-Domain-Services"
|
|
|
+ }
|
|
|
+ xWaitForADDomain DscForestWait
|
|
|
+ {
|
|
|
+ DomainName = $Node.DomainName
|
|
|
+ DomainUserCredential = $domainCred
|
|
|
+ RetryCount = $Node.RetryCount
|
|
|
+ RetryIntervalSec = $Node.RetryIntervalSec
|
|
|
+ DependsOn = "[WindowsFeature]ADDSInstall"
|
|
|
+ }
|
|
|
+ xADDomainController SecondDC
|
|
|
+ {
|
|
|
+ DomainName = $Node.DomainName
|
|
|
+ DomainAdministratorCredential = $domainCred
|
|
|
+ SafemodeAdministratorPassword = $safemodeAdministratorCred
|
|
|
+ DnsDelegationCredential = $DNSDelegationCred
|
|
|
+ DependsOn = "[xWaitForADDomain]DscForestWait"
|
|
|
+ }
|
|
|
+ }
|
|
|
+}
|
|
|
+# Configuration Data for AD
|
|
|
+$ConfigData = @{
|
|
|
+ AllNodes = @(
|
|
|
+ @{
|
|
|
+ Nodename = "dsc-testNode1"
|
|
|
+ Role = "Primary DC"
|
|
|
+ DomainName = "dsc-test.contoso.com"
|
|
|
+ CertificateFile = "C:\publicKeys\targetNode.cer"
|
|
|
+ Thumbprint = "AC23EA3A9E291A75757A556D0B71CBBF8C4F6FD8"
|
|
|
+ RetryCount = 20
|
|
|
+ RetryIntervalSec = 30
|
|
|
+ },
|
|
|
+ @{
|
|
|
+ Nodename = "dsc-testNode2"
|
|
|
+ Role = "Replica DC"
|
|
|
+ DomainName = "dsc-test.contoso.com"
|
|
|
+ CertificateFile = "C:\publicKeys\targetNode.cer"
|
|
|
+ Thumbprint = "AC23EA3A9E291A75757A556D0B71CBBF8C4F6FD8"
|
|
|
+ RetryCount = 20
|
|
|
+ RetryIntervalSec = 30
|
|
|
+ }
|
|
|
+ )
|
|
|
+}
|
|
|
+AssertHADC -configurationData $ConfigData `
|
|
|
+-safemodeAdministratorCred (Get-Credential -Message "New Domain Safe Mode Admin Credentials") `
|
|
|
+-domainCred (Get-Credential -Message "New Domain Admin Credentials") `
|
|
|
+-DNSDelegationCred (Get-Credential -Message "Credentials to Setup DNS Delegation") `
|
|
|
+-NewADUserCred (Get-Credential -Message "New AD User Credentials")
|
|
|
+Start-DscConfiguration -Wait -Force -Verbose -ComputerName "dsc-testNode1" -Path $PSScriptRoot\AssertHADC `
|
|
|
+-Credential (Get-Credential -Message "Local Admin Credentials on Remote Machine")
|
|
|
+Start-DscConfiguration -Wait -Force -Verbose -ComputerName "dsc-testNode2" -Path $PSScriptRoot\AssertHADC `
|
|
|
+-Credential (Get-Credential -Message "Local Admin Credentials on Remote Machine")
|
|
|
+</pre>
|
|
|
+ <div class="preview">
|
|
|
+<pre class="powershell"><span class="powerShell__com"># A configuration to Create High Availability Domain Controller </span>
|
|
|
+
|
|
|
+configuration AssertHADC
|
|
|
+{
|
|
|
+
|
|
|
+ <span class="powerShell__keyword">param</span>
|
|
|
+ (
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [pscredential]<span class="powerShell__variable">$safemodeAdministratorCred</span>,
|
|
|
+
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [pscredential]<span class="powerShell__variable">$domainCred</span>,
|
|
|
+
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [pscredential]<span class="powerShell__variable">$DNSDelegationCred</span>,
|
|
|
+
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [pscredential]<span class="powerShell__variable">$NewADUserCred</span>
|
|
|
+ )
|
|
|
+
|
|
|
+ Import<span class="powerShell__operator">-</span>DscResource <span class="powerShell__operator">-</span>ModuleName xActiveDirectory
|
|
|
+
|
|
|
+ Node <span class="powerShell__variable">$AllNodes</span>.Where{<span class="powerShell__variable">$_</span>.Role <span class="powerShell__operator">-</span>eq <span class="powerShell__string">"Primary DC"</span>}.Nodename
|
|
|
+ {
|
|
|
+ WindowsFeature ADDSInstall
|
|
|
+ {
|
|
|
+ Ensure = <span class="powerShell__string">"Present"</span>
|
|
|
+ Name = <span class="powerShell__string">"AD-Domain-Services"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ xADDomain FirstDS
|
|
|
+ {
|
|
|
+ DomainName = <span class="powerShell__variable">$Node</span>.DomainName
|
|
|
+ DomainAdministratorCredential = <span class="powerShell__variable">$domainCred</span>
|
|
|
+ SafemodeAdministratorPassword = <span class="powerShell__variable">$safemodeAdministratorCred</span>
|
|
|
+ DnsDelegationCredential = <span class="powerShell__variable">$DNSDelegationCred</span>
|
|
|
+ DependsOn = <span class="powerShell__string">"[WindowsFeature]ADDSInstall"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ xWaitForADDomain DscForestWait
|
|
|
+ {
|
|
|
+ DomainName = <span class="powerShell__variable">$Node</span>.DomainName
|
|
|
+ DomainUserCredential = <span class="powerShell__variable">$domainCred</span>
|
|
|
+ RetryCount = <span class="powerShell__variable">$Node</span>.RetryCount
|
|
|
+ RetryIntervalSec = <span class="powerShell__variable">$Node</span>.RetryIntervalSec
|
|
|
+ DependsOn = <span class="powerShell__string">"[xADDomain]FirstDS"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ xADUser FirstUser
|
|
|
+ {
|
|
|
+ DomainName = <span class="powerShell__variable">$Node</span>.DomainName
|
|
|
+ DomainAdministratorCredential = <span class="powerShell__variable">$domainCred</span>
|
|
|
+ UserName = <span class="powerShell__string">"dummy"</span>
|
|
|
+ Password = <span class="powerShell__variable">$NewADUserCred</span>
|
|
|
+ Ensure = <span class="powerShell__string">"Present"</span>
|
|
|
+ DependsOn = <span class="powerShell__string">"[xWaitForADDomain]DscForestWait"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ }
|
|
|
+
|
|
|
+ Node <span class="powerShell__variable">$AllNodes</span>.Where{<span class="powerShell__variable">$_</span>.Role <span class="powerShell__operator">-</span>eq <span class="powerShell__string">"Replica DC"</span>}.Nodename
|
|
|
+ {
|
|
|
+ WindowsFeature ADDSInstall
|
|
|
+ {
|
|
|
+ Ensure = <span class="powerShell__string">"Present"</span>
|
|
|
+ Name = <span class="powerShell__string">"AD-Domain-Services"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ xWaitForADDomain DscForestWait
|
|
|
+ {
|
|
|
+ DomainName = <span class="powerShell__variable">$Node</span>.DomainName
|
|
|
+ DomainUserCredential = <span class="powerShell__variable">$domainCred</span>
|
|
|
+ RetryCount = <span class="powerShell__variable">$Node</span>.RetryCount
|
|
|
+ RetryIntervalSec = <span class="powerShell__variable">$Node</span>.RetryIntervalSec
|
|
|
+ DependsOn = <span class="powerShell__string">"[WindowsFeature]ADDSInstall"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ xADDomainController SecondDC
|
|
|
+ {
|
|
|
+ DomainName = <span class="powerShell__variable">$Node</span>.DomainName
|
|
|
+ DomainAdministratorCredential = <span class="powerShell__variable">$domainCred</span>
|
|
|
+ SafemodeAdministratorPassword = <span class="powerShell__variable">$safemodeAdministratorCred</span>
|
|
|
+ DnsDelegationCredential = <span class="powerShell__variable">$DNSDelegationCred</span>
|
|
|
+ DependsOn = <span class="powerShell__string">"[xWaitForADDomain]DscForestWait"</span>
|
|
|
+ }
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+<span class="powerShell__com"># Configuration Data for AD </span>
|
|
|
+
|
|
|
+<span class="powerShell__variable">$ConfigData</span> = @{
|
|
|
+ AllNodes = @(
|
|
|
+ @{
|
|
|
+ Nodename = <span class="powerShell__string">"dsc-testNode1"</span>
|
|
|
+ Role = <span class="powerShell__string">"Primary DC"</span>
|
|
|
+ DomainName = <span class="powerShell__string">"dsc-test.contoso.com"</span>
|
|
|
+ CertificateFile = <span class="powerShell__string">"C:\publicKeys\targetNode.cer"</span>
|
|
|
+ Thumbprint = <span class="powerShell__string">"AC23EA3A9E291A75757A556D0B71CBBF8C4F6FD8"</span>
|
|
|
+ RetryCount = 20
|
|
|
+ RetryIntervalSec = 30
|
|
|
+ },
|
|
|
+
|
|
|
+ @{
|
|
|
+ Nodename = <span class="powerShell__string">"dsc-testNode2"</span>
|
|
|
+ Role = <span class="powerShell__string">"Replica DC"</span>
|
|
|
+ DomainName = <span class="powerShell__string">"dsc-test.contoso.com"</span>
|
|
|
+ CertificateFile = <span class="powerShell__string">"C:\publicKeys\targetNode.cer"</span>
|
|
|
+ Thumbprint = <span class="powerShell__string">"AC23EA3A9E291A75757A556D0B71CBBF8C4F6FD8"</span>
|
|
|
+ RetryCount = 20
|
|
|
+ RetryIntervalSec = 30
|
|
|
+ }
|
|
|
+ )
|
|
|
+}
|
|
|
+
|
|
|
+AssertHADC <span class="powerShell__operator">-</span>configurationData <span class="powerShell__variable">$ConfigData</span> `
|
|
|
+<span class="powerShell__operator">-</span>safemodeAdministratorCred (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"New Domain Safe Mode Admin Credentials"</span>) `
|
|
|
+<span class="powerShell__operator">-</span>domainCred (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"New Domain Admin Credentials"</span>) `
|
|
|
+<span class="powerShell__operator">-</span>DNSDelegationCred (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"Credentials to Setup DNS Delegation"</span>) `
|
|
|
+<span class="powerShell__operator">-</span>NewADUserCred (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"New AD User Credentials"</span>)
|
|
|
+
|
|
|
+Start<span class="powerShell__operator">-</span>DscConfiguration <span class="powerShell__operator">-</span>Wait <span class="powerShell__operator">-</span>Force <span class="powerShell__operator">-</span>Verbose <span class="powerShell__operator">-</span>ComputerName <span class="powerShell__string">"dsc-testNode1"</span> <span class="powerShell__operator">-</span>Path <span class="powerShell__variable">$PSScriptRoot</span>\AssertHADC `
|
|
|
+<span class="powerShell__operator">-</span>Credential (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"Local Admin Credentials on Remote Machine"</span>)
|
|
|
+
|
|
|
+Start<span class="powerShell__operator">-</span>DscConfiguration <span class="powerShell__operator">-</span>Wait <span class="powerShell__operator">-</span>Force <span class="powerShell__operator">-</span>Verbose <span class="powerShell__operator">-</span>ComputerName <span class="powerShell__string">"dsc-testNode2"</span> <span class="powerShell__operator">-</span>Path <span class="powerShell__variable">$PSScriptRoot</span>\AssertHADC `
|
|
|
+<span class="powerShell__operator">-</span>Credential (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"Local Admin Credentials on Remote Machine"</span>)
|
|
|
+</pre>
|
|
|
+ </div>
|
|
|
+ </div>
|
|
|
+ </div>
|
|
|
+ <div class="endscriptcode">
|
|
|
+ <span style="font-family:Calibri; font-size:medium">
|
|
|
+ <h1 style="margin-bottom:0pt; font-family:Calibri Light; color:#2e74b5; font-size:large">
|
|
|
+ Example: Create a child domain under a parent domain
|
|
|
+ </h1>
|
|
|
+ <p>In this example, we create a domain, and then create a child domain on another node.</p>
|
|
|
+ <p> </p>
|
|
|
+ <div class="scriptcode">
|
|
|
+ <div class="pluginEditHolder" plugincommand="mceScriptCode">
|
|
|
+ <div class="title"><span>PowerShell</span></div>
|
|
|
+ <div class="pluginLinkHolder"><span class="pluginEditHolderLink">Edit</span>|<span class="pluginRemoveHolderLink">Remove</span></div>
|
|
|
+ <span class="hidden">powershell</span>
|
|
|
+ <div class="preview">
|
|
|
+<pre class="powershell"><span class="powerShell__com"># Configuration to Setup Parent Child Domains </span>
|
|
|
+
|
|
|
+configuration AssertParentChildDomains
|
|
|
+{
|
|
|
+ <span class="powerShell__keyword">param</span>
|
|
|
+ (
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [pscredential]<span class="powerShell__variable">$safemodeAdministratorCred</span>,
|
|
|
+
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [pscredential]<span class="powerShell__variable">$domainCred</span>,
|
|
|
+
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [pscredential]<span class="powerShell__variable">$DNSDelegationCred</span>,
|
|
|
+
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [pscredential]<span class="powerShell__variable">$NewADUserCred</span>
|
|
|
+ )
|
|
|
+
|
|
|
+ Import<span class="powerShell__operator">-</span>DscResource <span class="powerShell__operator">-</span>ModuleName xActiveDirectory
|
|
|
+
|
|
|
+ Node <span class="powerShell__variable">$AllNodes</span>.Where{<span class="powerShell__variable">$_</span>.Role <span class="powerShell__operator">-</span>eq <span class="powerShell__string">"Parent DC"</span>}.Nodename
|
|
|
+ {
|
|
|
+ WindowsFeature ADDSInstall
|
|
|
+ {
|
|
|
+ Ensure = <span class="powerShell__string">"Present"</span>
|
|
|
+ Name = <span class="powerShell__string">"AD-Domain-Services"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ xADDomain FirstDS
|
|
|
+ {
|
|
|
+ DomainName = <span class="powerShell__variable">$Node</span>.DomainName
|
|
|
+ DomainAdministratorCredential = <span class="powerShell__variable">$domainCred</span>
|
|
|
+ SafemodeAdministratorPassword = <span class="powerShell__variable">$safemodeAdministratorCred</span>
|
|
|
+ DnsDelegationCredential = <span class="powerShell__variable">$DNSDelegationCred</span>
|
|
|
+ DependsOn = <span class="powerShell__string">"[WindowsFeature]ADDSInstall"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ xWaitForADDomain DscForestWait
|
|
|
+ {
|
|
|
+ DomainName = <span class="powerShell__variable">$Node</span>.DomainName
|
|
|
+ DomainUserCredential = <span class="powerShell__variable">$domainCred</span>
|
|
|
+ RetryCount = <span class="powerShell__variable">$Node</span>.RetryCount
|
|
|
+ RetryIntervalSec = <span class="powerShell__variable">$Node</span>.RetryIntervalSec
|
|
|
+ DependsOn = <span class="powerShell__string">"[xADDomain]FirstDS"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ xADUser FirstUser
|
|
|
+ {
|
|
|
+ DomainName = <span class="powerShell__variable">$Node</span>.DomainName
|
|
|
+ DomainAdministratorCredential = <span class="powerShell__variable">$domaincred</span>
|
|
|
+ UserName = <span class="powerShell__string">"dummy"</span>
|
|
|
+ Password = <span class="powerShell__variable">$NewADUserCred</span>
|
|
|
+ Ensure = <span class="powerShell__string">"Present"</span>
|
|
|
+ DependsOn = <span class="powerShell__string">"[xWaitForADDomain]DscForestWait"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ }
|
|
|
+
|
|
|
+ Node <span class="powerShell__variable">$AllNodes</span>.Where{<span class="powerShell__variable">$_</span>.Role <span class="powerShell__operator">-</span>eq <span class="powerShell__string">"Child DC"</span>}.Nodename
|
|
|
+ {
|
|
|
+ WindowsFeature ADDSInstall
|
|
|
+ {
|
|
|
+ Ensure = <span class="powerShell__string">"Present"</span>
|
|
|
+ Name = <span class="powerShell__string">"AD-Domain-Services"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ xWaitForADDomain DscForestWait
|
|
|
+ {
|
|
|
+ DomainName = <span class="powerShell__variable">$Node</span>.ParentDomainName
|
|
|
+ DomainUserCredential = <span class="powerShell__variable">$domainCred</span>
|
|
|
+ RetryCount = <span class="powerShell__variable">$Node</span>.RetryCount
|
|
|
+ RetryIntervalSec = <span class="powerShell__variable">$Node</span>.RetryIntervalSec
|
|
|
+ DependsOn = <span class="powerShell__string">"[WindowsFeature]ADDSInstall"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ xADDomain ChildDS
|
|
|
+ {
|
|
|
+ DomainName = <span class="powerShell__variable">$Node</span>.DomainName
|
|
|
+ ParentDomainName = <span class="powerShell__variable">$Node</span>.ParentDomainName
|
|
|
+ DomainAdministratorCredential = <span class="powerShell__variable">$domainCred</span>
|
|
|
+ SafemodeAdministratorPassword = <span class="powerShell__variable">$safemodeAdministratorCred</span>
|
|
|
+ DependsOn = <span class="powerShell__string">"[xWaitForADDomain]DscForestWait"</span>
|
|
|
+ }
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+<span class="powerShell__variable">$ConfigData</span> = @{
|
|
|
+
|
|
|
+ AllNodes = @(
|
|
|
+ @{
|
|
|
+ Nodename = <span class="powerShell__string">"dsc-testNode1"</span>
|
|
|
+ Role = <span class="powerShell__string">"Parent DC"</span>
|
|
|
+ DomainName = <span class="powerShell__string">"dsc-test.contoso.com"</span>
|
|
|
+ CertificateFile = <span class="powerShell__string">"C:\publicKeys\targetNode.cer"</span>
|
|
|
+ Thumbprint = <span class="powerShell__string">"AC23EA3A9E291A75757A556D0B71CBBF8C4F6FD8"</span>
|
|
|
+ RetryCount = 50
|
|
|
+ RetryIntervalSec = 30
|
|
|
+ },
|
|
|
+
|
|
|
+ @{
|
|
|
+ Nodename = <span class="powerShell__string">"dsc-testNode2"</span>
|
|
|
+ Role = <span class="powerShell__string">"Child DC"</span>
|
|
|
+ DomainName = <span class="powerShell__string">"dsc-child"</span>
|
|
|
+ ParentDomainName = <span class="powerShell__string">"dsc-test.contoso.com"</span>
|
|
|
+ CertificateFile = <span class="powerShell__string">"C:\publicKeys\targetNode.cer"</span>
|
|
|
+ Thumbprint = <span class="powerShell__string">"AC23EA3A9E291A75757A556D0B71CBBF8C4F6FD8"</span>
|
|
|
+ RetryCount = 50
|
|
|
+ RetryIntervalSec = 30
|
|
|
+ }
|
|
|
+ )
|
|
|
+}
|
|
|
+
|
|
|
+AssertParentChildDomains <span class="powerShell__operator">-</span>configurationData <span class="powerShell__variable">$ConfigData</span> `
|
|
|
+<span class="powerShell__operator">-</span>safemodeAdministratorCred (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"New Domain Safe Mode Admin Credentials"</span>) `
|
|
|
+<span class="powerShell__operator">-</span>domainCred (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"New Domain Admin Credentials"</span>) `
|
|
|
+<span class="powerShell__operator">-</span>DNSDelegationCred (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"Credentials to Setup DNS Delegation"</span>) `
|
|
|
+<span class="powerShell__operator">-</span>NewADUserCred (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"New AD User Credentials"</span>)
|
|
|
+
|
|
|
+
|
|
|
+Start<span class="powerShell__operator">-</span>DscConfiguration <span class="powerShell__operator">-</span>Wait <span class="powerShell__operator">-</span>Force <span class="powerShell__operator">-</span>Verbose <span class="powerShell__operator">-</span>ComputerName <span class="powerShell__string">"dsc-testNode1"</span> <span class="powerShell__operator">-</span>Path <span class="powerShell__variable">$PSScriptRoot</span>\AssertParentChildDomains `
|
|
|
+<span class="powerShell__operator">-</span>Credential (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"Local Admin Credentials on Remote Machine"</span>)
|
|
|
+Start<span class="powerShell__operator">-</span>DscConfiguration <span class="powerShell__operator">-</span>Wait <span class="powerShell__operator">-</span>Force <span class="powerShell__operator">-</span>Verbose <span class="powerShell__operator">-</span>ComputerName <span class="powerShell__string">"dsc-testNode2"</span> <span class="powerShell__operator">-</span>Path <span class="powerShell__variable">$PSScriptRoot</span>\AssertParentChildDomains `
|
|
|
+<span class="powerShell__operator">-</span>Credential (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"Local Admin Credentials on Remote Machine"</span>)
|
|
|
+
|
|
|
+</pre>
|
|
|
+ </div>
|
|
|
+ </div>
|
|
|
+ </div>
|
|
|
+ </span>
|
|
|
+ </div>
|
|
|
+ <div class="endscriptcode">
|
|
|
+ <span style="font-family:Calibri; font-size:medium">
|
|
|
+ <h1 style="margin-bottom:0pt; font-family:Calibri Light; color:#2e74b5; font-size:large">
|
|
|
+ Example: Create a cross-domain trust
|
|
|
+ </h1>
|
|
|
+ <p>In this example, we setup one-way trust between two domains</p>
|
|
|
+ <p> </p>
|
|
|
+ <div class="scriptcode">
|
|
|
+ <div class="pluginEditHolder" plugincommand="mceScriptCode">
|
|
|
+ <div class="title"><span>PowerShell</span></div>
|
|
|
+ <div class="pluginLinkHolder"><span class="pluginEditHolderLink">Edit</span>|<span class="pluginRemoveHolderLink">Remove</span></div>
|
|
|
+ <span class="hidden">powershell</span>
|
|
|
+<pre class="hidden">
|
|
|
+configuration Sample_xADDomainTrust_OneWayTrust
|
|
|
+{
|
|
|
+ param
|
|
|
+ (
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [String]$SourceDomain,
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [String]$TargetDomain,
|
|
|
+
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [PSCredential]$TargetDomainAdminCred,
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [String]$TrustDirection
|
|
|
+ )
|
|
|
+ Import-DscResource -module xActiveDirectory
|
|
|
+ Node $AllNodes.Where{$_.Role -eq 'DomainController'}.NodeName
|
|
|
+ {
|
|
|
+ xADDomainTrust trust
|
|
|
+ {
|
|
|
+ Ensure = 'Present'
|
|
|
+ SourceDomainName = $SourceDomain
|
|
|
+ TargetDomainName = $TargetDomain
|
|
|
+ TargetDomainAdministratorCredential = $TargetDomainAdminCred
|
|
|
+ TrustDirection = $TrustDirection
|
|
|
+ TrustType = 'External'
|
|
|
+ }
|
|
|
+ }
|
|
|
+}
|
|
|
+$config = @{
|
|
|
+ AllNodes = @(
|
|
|
+ @{
|
|
|
+ NodeName = 'localhost'
|
|
|
+ Role = 'DomainController'
|
|
|
+ # Certificate Thumbprint that is used to encrypt/decrypt the credential
|
|
|
+ CertificateID = 'B9192121495A307A492A19F6344E8752B51AC4A6'
|
|
|
+ }
|
|
|
+ )
|
|
|
+}
|
|
|
+Sample_xADDomainTrust_OneWayTrust -configurationdata $config `
|
|
|
+ -SourceDomain safeharbor.contoso.com `
|
|
|
+ -TargetDomain corporate.contoso.com `
|
|
|
+ -TargetDomainAdminCred (get-credential) `
|
|
|
+ -TrustDirection 'Inbound'
|
|
|
+</pre>
|
|
|
+ <div class="preview">
|
|
|
+<pre class="powershell"><span class="powerShell__com"># Configuration to Setup Parent Child Domains </span>
|
|
|
+
|
|
|
+configuration AssertParentChildDomains
|
|
|
+{
|
|
|
+ <span class="powerShell__keyword">param</span>
|
|
|
+ (
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [pscredential]<span class="powerShell__variable">$safemodeAdministratorCred</span>,
|
|
|
+
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [pscredential]<span class="powerShell__variable">$domainCred</span>,
|
|
|
+
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [pscredential]<span class="powerShell__variable">$DNSDelegationCred</span>,
|
|
|
+
|
|
|
+ [Parameter(Mandatory)]
|
|
|
+ [pscredential]<span class="powerShell__variable">$NewADUserCred</span>
|
|
|
+ )
|
|
|
+
|
|
|
+ Import<span class="powerShell__operator">-</span>DscResource <span class="powerShell__operator">-</span>ModuleName xActiveDirectory
|
|
|
+
|
|
|
+ Node <span class="powerShell__variable">$AllNodes</span>.Where{<span class="powerShell__variable">$_</span>.Role <span class="powerShell__operator">-</span>eq <span class="powerShell__string">"Parent DC"</span>}.Nodename
|
|
|
+ {
|
|
|
+ WindowsFeature ADDSInstall
|
|
|
+ {
|
|
|
+ Ensure = <span class="powerShell__string">"Present"</span>
|
|
|
+ Name = <span class="powerShell__string">"AD-Domain-Services"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ xADDomain FirstDS
|
|
|
+ {
|
|
|
+ DomainName = <span class="powerShell__variable">$Node</span>.DomainName
|
|
|
+ DomainAdministratorCredential = <span class="powerShell__variable">$domainCred</span>
|
|
|
+ SafemodeAdministratorPassword = <span class="powerShell__variable">$safemodeAdministratorCred</span>
|
|
|
+ DnsDelegationCredential = <span class="powerShell__variable">$DNSDelegationCred</span>
|
|
|
+ DependsOn = <span class="powerShell__string">"[WindowsFeature]ADDSInstall"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ xWaitForADDomain DscForestWait
|
|
|
+ {
|
|
|
+ DomainName = <span class="powerShell__variable">$Node</span>.DomainName
|
|
|
+ DomainUserCredential = <span class="powerShell__variable">$domainCred</span>
|
|
|
+ RetryCount = <span class="powerShell__variable">$Node</span>.RetryCount
|
|
|
+ RetryIntervalSec = <span class="powerShell__variable">$Node</span>.RetryIntervalSec
|
|
|
+ DependsOn = <span class="powerShell__string">"[xADDomain]FirstDS"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ xADUser FirstUser
|
|
|
+ {
|
|
|
+ DomainName = <span class="powerShell__variable">$Node</span>.DomainName
|
|
|
+ DomainAdministratorCredential = <span class="powerShell__variable">$domaincred</span>
|
|
|
+ UserName = <span class="powerShell__string">"dummy"</span>
|
|
|
+ Password = <span class="powerShell__variable">$NewADUserCred</span>
|
|
|
+ Ensure = <span class="powerShell__string">"Present"</span>
|
|
|
+ DependsOn = <span class="powerShell__string">"[xWaitForADDomain]DscForestWait"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ }
|
|
|
+
|
|
|
+ Node <span class="powerShell__variable">$AllNodes</span>.Where{<span class="powerShell__variable">$_</span>.Role <span class="powerShell__operator">-</span>eq <span class="powerShell__string">"Child DC"</span>}.Nodename
|
|
|
+ {
|
|
|
+ WindowsFeature ADDSInstall
|
|
|
+ {
|
|
|
+ Ensure = <span class="powerShell__string">"Present"</span>
|
|
|
+ Name = <span class="powerShell__string">"AD-Domain-Services"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ xWaitForADDomain DscForestWait
|
|
|
+ {
|
|
|
+ DomainName = <span class="powerShell__variable">$Node</span>.ParentDomainName
|
|
|
+ DomainUserCredential = <span class="powerShell__variable">$domainCred</span>
|
|
|
+ RetryCount = <span class="powerShell__variable">$Node</span>.RetryCount
|
|
|
+ RetryIntervalSec = <span class="powerShell__variable">$Node</span>.RetryIntervalSec
|
|
|
+ DependsOn = <span class="powerShell__string">"[WindowsFeature]ADDSInstall"</span>
|
|
|
+ }
|
|
|
+
|
|
|
+ xADDomain ChildDS
|
|
|
+ {
|
|
|
+ DomainName = <span class="powerShell__variable">$Node</span>.DomainName
|
|
|
+ ParentDomainName = <span class="powerShell__variable">$Node</span>.ParentDomainName
|
|
|
+ DomainAdministratorCredential = <span class="powerShell__variable">$domainCred</span>
|
|
|
+ SafemodeAdministratorPassword = <span class="powerShell__variable">$safemodeAdministratorCred</span>
|
|
|
+ DependsOn = <span class="powerShell__string">"[xWaitForADDomain]DscForestWait"</span>
|
|
|
+ }
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+<span class="powerShell__variable">$ConfigData</span> = @{
|
|
|
+
|
|
|
+ AllNodes = @(
|
|
|
+ @{
|
|
|
+ Nodename = <span class="powerShell__string">"dsc-testNode1"</span>
|
|
|
+ Role = <span class="powerShell__string">"Parent DC"</span>
|
|
|
+ DomainName = <span class="powerShell__string">"dsc-test.contoso.com"</span>
|
|
|
+ CertificateFile = <span class="powerShell__string">"C:\publicKeys\targetNode.cer"</span>
|
|
|
+ Thumbprint = <span class="powerShell__string">"AC23EA3A9E291A75757A556D0B71CBBF8C4F6FD8"</span>
|
|
|
+ RetryCount = 50
|
|
|
+ RetryIntervalSec = 30
|
|
|
+ },
|
|
|
+
|
|
|
+ @{
|
|
|
+ Nodename = <span class="powerShell__string">"dsc-testNode2"</span>
|
|
|
+ Role = <span class="powerShell__string">"Child DC"</span>
|
|
|
+ DomainName = <span class="powerShell__string">"dsc-child"</span>
|
|
|
+ ParentDomainName = <span class="powerShell__string">"dsc-test.contoso.com"</span>
|
|
|
+ CertificateFile = <span class="powerShell__string">"C:\publicKeys\targetNode.cer"</span>
|
|
|
+ Thumbprint = <span class="powerShell__string">"AC23EA3A9E291A75757A556D0B71CBBF8C4F6FD8"</span>
|
|
|
+ RetryCount = 50
|
|
|
+ RetryIntervalSec = 30
|
|
|
+ }
|
|
|
+ )
|
|
|
+}
|
|
|
+
|
|
|
+AssertParentChildDomains <span class="powerShell__operator">-</span>configurationData <span class="powerShell__variable">$ConfigData</span> `
|
|
|
+<span class="powerShell__operator">-</span>safemodeAdministratorCred (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"New Domain Safe Mode Admin Credentials"</span>) `
|
|
|
+<span class="powerShell__operator">-</span>domainCred (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"New Domain Admin Credentials"</span>) `
|
|
|
+<span class="powerShell__operator">-</span>DNSDelegationCred (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"Credentials to Setup DNS Delegation"</span>) `
|
|
|
+<span class="powerShell__operator">-</span>NewADUserCred (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"New AD User Credentials"</span>)
|
|
|
+
|
|
|
+
|
|
|
+Start<span class="powerShell__operator">-</span>DscConfiguration <span class="powerShell__operator">-</span>Wait <span class="powerShell__operator">-</span>Force <span class="powerShell__operator">-</span>Verbose <span class="powerShell__operator">-</span>ComputerName <span class="powerShell__string">"dsc-testNode1"</span> <span class="powerShell__operator">-</span>Path <span class="powerShell__variable">$PSScriptRoot</span>\AssertParentChildDomains `
|
|
|
+<span class="powerShell__operator">-</span>Credential (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"Local Admin Credentials on Remote Machine"</span>)
|
|
|
+Start<span class="powerShell__operator">-</span>DscConfiguration <span class="powerShell__operator">-</span>Wait <span class="powerShell__operator">-</span>Force <span class="powerShell__operator">-</span>Verbose <span class="powerShell__operator">-</span>ComputerName <span class="powerShell__string">"dsc-testNode2"</span> <span class="powerShell__operator">-</span>Path <span class="powerShell__variable">$PSScriptRoot</span>\AssertParentChildDomains `
|
|
|
+<span class="powerShell__operator">-</span>Credential (<span class="powerShell__cmdlets">Get-Credential</span> <span class="powerShell__operator">-</span>Message <span class="powerShell__string">"Local Admin Credentials on Remote Machine"</span>)
|
|
|
+
|
|
|
+</pre>
|
|
|
+ </div>
|
|
|
+ </div>
|
|
|
+ </div>
|
|
|
+ </span>
|
|
|
+ </div>
|
|
|
+ </span>
|
|
|
+ </div>
|
|
|
+ </div>
|
|
|
+
|
|
|
+</body>
|
|
|
+</html>
|