davidobrien1985 · May 31, 2016 11:21
diff --git a/adds.ps1 b/adds.ps1
 param (
    [string]$domainName,
    [string]$AD1NetBIOSName,
    [string]$safemodepassword,
    [string]$DomainAdminPassword,
    [string]$ADServer1PrivateIp
 )

 Function New-DscCert {
 [CmdletBinding()]
 param(
    [string]
    $Password,

    [string]
    $Instance
 )

    try {
        Write-Verbose 'Creating Certificate'
        $DomainDNSName = $Instance

        $name = new-object -com 'X509Enrollment.CX500DistinguishedName.1'
        $name.Encode("CN=$DomainDNSName", 0)

        $key = new-object -com 'X509Enrollment.CX509PrivateKey.1'
        $key.ProviderName = 'Microsoft RSA SChannel Cryptographic Provider'
        $key.KeySpec = 1
        $key.Length = 1024
        $key.SecurityDescriptor = 'D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)'
        $key.MachineContext = 1
        $key.ExportPolicy = 0x1
        $key.Create()

        $serverauthoid = new-object -com 'X509Enrollment.CObjectId.1'
        $serverauthoid.InitializeFromValue('1.3.6.1.4.1.311.80.1')
        $ekuoids = new-object -com 'X509Enrollment.CObjectIds.1'
        $ekuoids.add($serverauthoid)
        $ekuext = new-object -com 'X509Enrollment.CX509ExtensionEnhancedKeyUsage.1'
        $ekuext.InitializeEncode($ekuoids)

        $cert = new-object -com 'X509Enrollment.CX509CertificateRequestCertificate.1'
        $cert.InitializeFromPrivateKey(2, $key, '')
        $cert.Subject = $name
        $cert.Issuer = $cert.Subject
        $cert.NotBefore = get-date
        $cert.NotAfter = $cert.NotBefore.AddDays(730)
        $cert.X509Extensions.Add($ekuext)
        $cert.Encode()

        $enrollment = new-object -com 'X509Enrollment.CX509Enrollment.1'
        $enrollment.InitializeFromRequest($cert)
        $certdata = $enrollment.CreateRequest(0)
        $enrollment.InstallResponse(2, $certdata, 0, '')

        Write-Verbose 'Exporting Certificate'
        $certificate = Get-ChildItem cert:\localmachine\my -ErrorAction Stop | Where-Object { $_.Subject -eq "CN=$DomainDNSName" }

        $mypwd = ConvertTo-SecureString -String $Password -Force -AsPlainText -ErrorAction Stop
        Export-Certificate -Cert $certificate -FilePath c:\dsc.cer -ErrorAction Stop -Force
    }
    catch {
        $_
    }
 }

 New-DscCert -Password 'P@ssw0rd' -Instance $env:COMPUTERNAME

 $secpasswd = ConvertTo-SecureString $safemodepassword -AsPlainText -Force
 $SafeModePW = New-Object System.Management.Automation.PSCredential ('guest', $secpasswd)

 $secDomainAdminPassword = ConvertTo-SecureString "$DomainAdminPassword" -AsPlainText -Force
 $domainCred = New-Object System.Management.Automation.PSCredential ("dummy\versent", $secDomainAdminPassword)

 $ConfigurationData = @{
  AllNodes = @(
    @{
      nodename                    = '*'
      domain_name                 = $domainName
      RetryCount                  = 20
      RetryIntervalSec            = 30
    },
    @{
      nodename                    = 'localhost'
      role                        = 'primary'
      newName                     = $AD1NetBIOSName
      CertificateFile             = 'C:\dsc.cer'
      PSDscAllowDomainUser        = $true
    }
  )
 }

 [DscLocalConfigurationManager()]
 configuration meta
 {
    Node localhost
    {
        Settings
        {
            RebootNodeIfNeeded = $true
            CertificateID = (Get-ChildItem Cert:\LocalMachine\My)[1].Thumbprint
            ActionAfterReboot = 'ContinueConfiguration'
            ConfigurationMode = 'ApplyOnly'
        }
    }
 }

 meta

 Set-DscLocalConfigurationManager -Path .\meta -Force -Verbose

 Configuration adds {

  param
    (
      [Parameter(Mandatory)]
      [pscredential]$SafeModePW,
      [Parameter(Mandatory)]
      [pscredential]$domainCred
    )

    Import-DscResource -ModuleName @{ModuleName="xActiveDirectory"; RequiredVersion="2.11.0.0"}
    Import-DscResource -ModuleName xComputerManagement
    Import-DscResource -ModuleName xNetworking
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.Where{$_.role -eq 'primary'}.nodename
    {
        File ADFiles
        {
            DestinationPath = 'D:\NTDS'
            Type = 'Directory'
            Ensure = 'Present'
        }

        xIPAddress DCIPAddress {
            InterfaceAlias = (Get-NetAdapter).Name
            IPAddress = $ADServer1PrivateIp
        }

        xDefaultGatewayAddress DefaultGateway {
            InterfaceAlias = (Get-NetAdapter).Name
            Address = (Get-AWSDefaultGateway -IPAddress $ADServer1PrivateIp)
            AddressFamily = "IPv4"
        }

        xDnsServerAddress DnsServerAddress {
            Address        = '172.20.0.2'
            InterfaceAlias = (Get-NetAdapter).Name
            AddressFamily  = 'IPv4'
            DependsOn = '[xIPAddress]DCIPAddress'
        }

        WindowsFeature ADDSInstall
        {
            Ensure = 'Present'
            Name = 'AD-Domain-Services'
        }

        xComputer NewName
        {
            Name = $Node.newName
        }

        WindowsFeature ADDSTools
        {
            Ensure = 'Present'
            Name = 'RSAT-ADDS'
        }

        xADDomain FirstDS
        {
            DomainName = $Node.domain_name
            DomainAdministratorCredential = $domainCred
            SafemodeAdministratorPassword = $SafeModePW
            DatabasePath = 'D:\NTDS'
            LogPath = 'D:\NTDS'
            DependsOn = '[WindowsFeature]ADDSInstall','[File]ADFiles'
        }

        xADUser FirstUser
        {
            DomainName = $Node.domain_name
            UserName = "versent"
            Password = $domainCred
            Ensure = "Present"
            DependsOn = "[xADDomain]FirstDS"
        }

        xADGroup AddVersentToDomainAdmin
        {
            GroupName = 'Domain Admins'
            Members = 'versent','Administrator'
            Ensure = 'present'
        }
    }
 }

 adds -Outputpath c:\temp -SafeModePW $SafeModePW -domainCred $domainCred -ConfigurationData $ConfigurationData

 Start-DscConfiguration -Wait -Verbose -Force -Path c:\temp
	param (
	[string]$domainName,
	[string]$AD1NetBIOSName,
	[string]$safemodepassword,
	[string]$DomainAdminPassword,
	[string]$ADServer1PrivateIp
	)

	Function New-DscCert {
	[CmdletBinding()]
	param(
	[string]
	$Password,

	[string]
	$Instance
	)

	try {
	Write-Verbose 'Creating Certificate'
	$DomainDNSName = $Instance

	$name = new-object -com 'X509Enrollment.CX500DistinguishedName.1'
	$name.Encode("CN=$DomainDNSName", 0)

	$key = new-object -com 'X509Enrollment.CX509PrivateKey.1'
	$key.ProviderName = 'Microsoft RSA SChannel Cryptographic Provider'
	$key.KeySpec = 1
	$key.Length = 1024
	$key.SecurityDescriptor = 'D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)'
	$key.MachineContext = 1
	$key.ExportPolicy = 0x1
	$key.Create()

	$serverauthoid = new-object -com 'X509Enrollment.CObjectId.1'
	$serverauthoid.InitializeFromValue('1.3.6.1.4.1.311.80.1')
	$ekuoids = new-object -com 'X509Enrollment.CObjectIds.1'
	$ekuoids.add($serverauthoid)
	$ekuext = new-object -com 'X509Enrollment.CX509ExtensionEnhancedKeyUsage.1'
	$ekuext.InitializeEncode($ekuoids)

	$cert = new-object -com 'X509Enrollment.CX509CertificateRequestCertificate.1'
	$cert.InitializeFromPrivateKey(2, $key, '')
	$cert.Subject = $name
	$cert.Issuer = $cert.Subject
	$cert.NotBefore = get-date
	$cert.NotAfter = $cert.NotBefore.AddDays(730)
	$cert.X509Extensions.Add($ekuext)
	$cert.Encode()

	$enrollment = new-object -com 'X509Enrollment.CX509Enrollment.1'
	$enrollment.InitializeFromRequest($cert)
	$certdata = $enrollment.CreateRequest(0)
	$enrollment.InstallResponse(2, $certdata, 0, '')

	Write-Verbose 'Exporting Certificate'
	$certificate = Get-ChildItem cert:\localmachine\my -ErrorAction Stop \| Where-Object { $_.Subject -eq "CN=$DomainDNSName" }

	$mypwd = ConvertTo-SecureString -String $Password -Force -AsPlainText -ErrorAction Stop
	Export-Certificate -Cert $certificate -FilePath c:\dsc.cer -ErrorAction Stop -Force
	}
	catch {
	$_
	}
	}

	New-DscCert -Password 'P@ssw0rd' -Instance $env:COMPUTERNAME

	$secpasswd = ConvertTo-SecureString $safemodepassword -AsPlainText -Force
	$SafeModePW = New-Object System.Management.Automation.PSCredential ('guest', $secpasswd)

	$secDomainAdminPassword = ConvertTo-SecureString "$DomainAdminPassword" -AsPlainText -Force
	$domainCred = New-Object System.Management.Automation.PSCredential ("dummy\versent", $secDomainAdminPassword)

	$ConfigurationData = @{
	AllNodes = @(
	@{
	nodename = '*'
	domain_name = $domainName
	RetryCount = 20
	RetryIntervalSec = 30
	},
	@{
	nodename = 'localhost'
	role = 'primary'
	newName = $AD1NetBIOSName
	CertificateFile = 'C:\dsc.cer'
	PSDscAllowDomainUser = $true
	}
	)
	}

	[DscLocalConfigurationManager()]
	configuration meta
	{
	Node localhost
	{
	Settings
	{
	RebootNodeIfNeeded = $true
	CertificateID = (Get-ChildItem Cert:\LocalMachine\My)[1].Thumbprint
	ActionAfterReboot = 'ContinueConfiguration'
	ConfigurationMode = 'ApplyOnly'
	}
	}
	}

	meta

	Set-DscLocalConfigurationManager -Path .\meta -Force -Verbose

	Configuration adds {

	param
	(
	[Parameter(Mandatory)]
	[pscredential]$SafeModePW,
	[Parameter(Mandatory)]
	[pscredential]$domainCred
	)

	Import-DscResource -ModuleName @{ModuleName="xActiveDirectory"; RequiredVersion="2.11.0.0"}
	Import-DscResource -ModuleName xComputerManagement
	Import-DscResource -ModuleName xNetworking
	Import-DscResource -ModuleName PSDesiredStateConfiguration

	Node $AllNodes.Where{$_.role -eq 'primary'}.nodename
	{
	File ADFiles
	{
	DestinationPath = 'D:\NTDS'
	Type = 'Directory'
	Ensure = 'Present'
	}

	xIPAddress DCIPAddress {
	InterfaceAlias = (Get-NetAdapter).Name
	IPAddress = $ADServer1PrivateIp
	}

	xDefaultGatewayAddress DefaultGateway {
	InterfaceAlias = (Get-NetAdapter).Name
	Address = (Get-AWSDefaultGateway -IPAddress $ADServer1PrivateIp)
	AddressFamily = "IPv4"
	}

	xDnsServerAddress DnsServerAddress {
	Address = '172.20.0.2'
	InterfaceAlias = (Get-NetAdapter).Name
	AddressFamily = 'IPv4'
	DependsOn = '[xIPAddress]DCIPAddress'
	}

	WindowsFeature ADDSInstall
	{
	Ensure = 'Present'
	Name = 'AD-Domain-Services'
	}

	xComputer NewName
	{
	Name = $Node.newName
	}

	WindowsFeature ADDSTools
	{
	Ensure = 'Present'
	Name = 'RSAT-ADDS'
	}

	xADDomain FirstDS
	{
	DomainName = $Node.domain_name
	DomainAdministratorCredential = $domainCred
	SafemodeAdministratorPassword = $SafeModePW
	DatabasePath = 'D:\NTDS'
	LogPath = 'D:\NTDS'
	DependsOn = '[WindowsFeature]ADDSInstall','[File]ADFiles'
	}

	xADUser FirstUser
	{
	DomainName = $Node.domain_name
	UserName = "versent"
	Password = $domainCred
	Ensure = "Present"
	DependsOn = "[xADDomain]FirstDS"
	}

	xADGroup AddVersentToDomainAdmin
	{
	GroupName = 'Domain Admins'
	Members = 'versent','Administrator'
	Ensure = 'present'
	}
	}
	}

	adds -Outputpath c:\temp -SafeModePW $SafeModePW -domainCred $domainCred -ConfigurationData $ConfigurationData

	Start-DscConfiguration -Wait -Verbose -Force -Path c:\temp