...building hybrid clouds that can support any device from anywhere
For those of you using some of the Application Management Track Service Templates in our blogs likeJim Britt’s awesome SharePoint Service Template or my own Service Template Example Kit (STEK), you might have noticed an underlying theme. The theme is rapid deployment of manageable, repeatable and consistent environments, which in my opinion play very nicely in a developer’s world of needing systems to build and test on. Whether on purpose, as in many templates we create, or not, these templates can and are a great base for self-service development and test labs. By using network isolation and automation the IT Admins could easily provide them “as a service” to developers and test teams and let them build or test rapidly, new application designs and concepts to run the businesses.
Here we’ll discuss how to create an Active Directory service template with minimal resources and minimal work. We are using System Center Virtual Machine Manager 2012 SP1 and Windows Server 2012 as our base. Later posts will show incorporating these components into a fully deployable service that will include multiple tiers like web front ends and SQL servers to build against.
Why an Active Directory or Domain Controller service as a SCVMM Service Template?
2 very easy and basic reasons. First you may be offering cloud based services to companies who desire their own cloud based Domain Controller instead of managing one on premise themselves. Second maybe even more basic, you may have teams that need to build and test against an AD that is not currently live and in production.
For example, if you need to repeatedly offer Exchange services to developers building collaboration tools in a sandbox, you will most likely want to sandbox the Active Directory component as well to prevent problems.
Quick note on best practices:
For those wanting to make sure you align to best practices in virtualizing Active Directory and Domain Names Services I suggest you take a look at this TechNet postinghttp://technet.microsoft.com/en-us/library/dd723681(v=WS.10).aspx or others like it. You’ll find it is a popular subject and very dependent a number of variables specific to your needs. I will meet best practices as needed and as required for my purposes but I also do not want to complicate things beyond usefulness in a lab where rapid repeatable deployments out-way the need for a five 9 service level uptime. Of course you need to review your own requirements and come up with your own models for deployment and you can easily customize this template to your needs.
Hopefully the first goes without saying, System Center Virtual Machine Manager 2012 SP1 or R2 and a desire to learn are basic requirements. I’m also making the assumption, similar to my past template blogs, that you have become familiar with navigating around SCVMM console and familiar with the fabric configurations in SCVMM.
OS Virtual Hard Drive
Sys prepped Windows 2012 VHDX. I used Convert-WindowsImage.ps1 PowerShell to create mine. (No roles and features selected)
VHDX of blank Data Drive
PowerShell New-VHD can be used. Read here on TechNet to find out more..
When deploying multiple Domain Controllers there are specific network requirements, I found Nigel’s to be one of the best post to describe SCVMM Networking.
Let’s get on with it!
Active Directory Service Template w/DNS
The download includes a custom resource folder named ‘ActiveDirectoryScripts.cr’ the PowerShell script which is used to enable Active Directory on the server. This script name is ‘ad-dc-dns_config.ps1’. One of the optional parameters controls whether or not DNS will be installed as part of the ADDSForrest install. Here we set it to true.
Here is the heart of the PowerShell script:
1: if((New-Object System.IO.DriveInfo($driveLetter)).DriveType -ne 'NoRootDirectory')
3: $dataDrive = $driveLetter + ":\Windows\"
7: $dataDrive = "c:\Windows\"
10: $databasePath = $dataDrive + "NTDS"
11: $sysvolPath = $dataDrive + "SYSVOL"
13: Import-Module ADDSDeployment
14: $result = Install-ADDSForest `
15: -CreateDNSDelegation:$false `
16: -safemodeadministratorpassword (convertto-securestring $pass -asplaintext -force) `
17: -DatabasePath $databasePath `
18: -DomainMode "Win2012" `
19: -DomainName $domain `
20: -ForestMode "Win2012" `
21: -InstallDNS:$true `
22: -LogPath $databasePath `
23: -NoRebootOnCompletion:$false `
24: -SYSVOLPath $sysvolPath `
The PowerShell script takes 2 required arguments and 1 optional.
.\ad-dc-dns_config.ps1 <Local Admin Password> <Domain Name> [Data Drive]
The first of the required arguments is the local administrators’ password which needs to match what is set as the local administrator’s password for the VM. It becomes the domain administrators password for login after Active Directory sets up. This is the password that is configured as part of the service template shown in the following screenshot and as a default I used Pass@word1. To change this you simply need to open the template in template designer, right click the on the Active Directory server and select properties. Select the OC Configuration and make changes. Yes, I know we could spend tons of cycles talking about security and such but that's beyond the scope of this post. Let’s just say that depending on the real world use case I would suggest additional thought be taken in the account creation and password space.
The second argument is the domain name, which is used to create the domain controller and accompanying DNS server. The domain names needs to be FQDN in the form name.com or name.local. The final optional argument is used when you have a data drive in use. In this particular template we use a separate VHDX file to make a small expandable data drive to meet some best practice guidelines. The script uses the data drive to store the SYSVOL and NTDS files. My recommendation would be to extend this further and use SCSI and/or separate onto multiple drives but this is simply a decision needing to be made based on requirements that need to be met versus resources used to accomplish.
As with many of my scripts this one does include some basic logic to log failures and completions in the application event log and also includes a little logic to test that the drive letter you selected as a data drive does exist. If given time I would extend this logic to test that the drive is writable and of proper size available to do the job.
1. Download compressed template from here
2. Extract the custom resource folder, ‘ActiveDirectoryScripts.cr’, to your VMM library under a folder named ‘Active Directory 2012’
3. Import the XML file as a template being sure to map correctly the resources you have in place of the template VHD’s
During the import you’ll be asked to map some of the resources to your local resources.
The PowerShell used to import is as follows: you’ll need to make changes to the $allMappings as required.
1: Import-Module –Name VirtualMachineManager
3: $package = Get-SCTemplatePackage -Path "C:\Active Directory.2012 with Data Drive.xml"
4: $allMappings = New-SCPackageMapping -TemplatePackage $package
6: Import-SCTemplate -TemplatePackage $package -Name "Active Directory Test" -PackageMapping $allMappings -Release "2012 with Data Drive" -SettingsIncludePrivate
If there are no errors and it doesn’t say ‘needs attention’ in the library list all you need to do is select it and then select configure deployment. Before deploying you’ll need to create a network where this Domain Controller will be deployed. This may require an isolated network depending on your requirements. For more information on virtualizing networks in SCVMM 2012 SP1 I suggest you read this series of post from Nigel Cain found here. http://blogs.technet.com/b/scvmm/archive/2013/01/08/virtual-networking-in-vmm-2012-sp1.aspx
When you start Configure Deployment of the Active Directory template the first thing you see is the select name and destination dialog box you are familiar with but with a twist. This template will ask you to select a network to deploy to since the @Network@ parameters was added to the template.
Select the browse option next to the network value box to choose an existing network and then select ok which will open the configure deployment dialog. In the following dialog you will enter the parameters needed to complete the deployment. Here it will require a domain name, password used for local administrator and of course the name you wish to assign to the Active Directory server.
If deployed correctly you should see the following in the data drive attached to the newly deploy VM.
Final steps are now to do any out of band configurations you have like adding users and computers.
Stay tuned for further blogs about use cases and additional workloads from the building clouds bloggers. Again my hopes are that this helps moves you along the Cloud path and also helps give you back some time in the process so use it in good health and enjoy a round of golf.