Active Directory

  • PowerShell script to automate deployment of Read-only Domain Controllers on Hyper-Visor

    Hi…my name is Nathan Muggli and I work in the Active Directory team at Microsoft.


    I’m posting here today to demonstrate an exciting new way to deploy Read-only Domain Controllers made possible because of improvements in Windows Server 2008. RODCs are a new feature introduced in Windows Server 2008 and they make great devices for remote offices because they are read-only and don’t contain all the passwords in the domain. By using multiple features like Server Core, PowerShell, Hyper-Visor, and Sysprep an admin can quickly and securely deploy RODCs.


    The goal is to start a conversation with folks about thinking differently when it comes to branch offices and deployment\management of AD. Attached to this blog post is a “proof of concept” script which I wrote and hope people find useful. The script automates the deployment process end-to-end. I should warn you that I am not a PowerShell expert and learned it just to write this script. If you find errors or have feedback please leave a comment. I would love to improve the process, script, and documentation given enough interest.


    The script uses the following procedure: First, DCPROMO runs (stage 1) to precreate the RODC account (similar in concept to pre-creating a computer account in AD). Next it takes the Virtual Hard Drive of a sysprep’d Server Core machine, copies the VHD file, and mounts the copy as a disk drive. The script creates a custom sysprep answer file and copies it into the VHD. In the answer file DCPROMO (stage 2) is configured to run at the end of Windows Setup. Finally a Virtual Machine is created in Hyper-Visor using the VHD image just created.


    Once the Virtual Machine is started, it will automatically promote itself to a Read-only Domain Controller. You could say these images are seedlings in the Active Directory forest which grow to become RODCs after they are started. It’s easy to imagine how this process could be used to deploy hundreds of RODCs or servers with a single press of a button. Currently the script creates all the VMs on a single Hyper-V host. Yes, this is not real world, as most customers would have a separate Hyper-V host in each branch. What’s important to call out here is not the script but rather the process used and the way the Windows Server 2008 features interact with each other for a better-together story. There has been some thinking done on how this process would work when there are lots of different Hyper-V hosts. That is for another blog post on another day.
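    An added example, not the blog's attached script, of the answer-file step described above: it assembles the stage-2 DCPROMO command for one precreated RODC, substitutes it into a copy of the unattend template the script is driven by, and writes the result into the mounted VHD copy. It assumes the template carries the literal placeholder tokens %COMPUTERNAME% and %DCPROMOCMD%, that the VHD copy is already mounted as a drive letter, and that Windows Setup picks the file up from Windows\Panther on the next boot; every name and path is constructed.

```powershell
# Added example (not bogv2.ps1). Builds the per-RODC stage-2 answer file.
# Assumptions: the template carries the literal tokens %COMPUTERNAME% and
# %DCPROMOCMD%, and the copied VHD is already mounted as $VhdDrive.
param(
    [string]$RodcName            = "RODC-BRANCH01",        # constructed; must match the stage-1 account
    [string]$Domain              = "corp.example.com",     # constructed sample domain
    [string]$UserName            = "rodc-deploy",          # delegated admin from stage 1, not a Domain Admin
    [string]$UnattendXMLTemplate = "C:\rodc\unattend.template.xml",   # constructed path
    [string]$VhdDrive            = "F:\"
)

# Prompt for the secrets instead of hardcoding them in the script.
$joinPw = (Get-Credential "$Domain\$UserName").GetNetworkCredential().Password
$dsrmPw = (Get-Credential "DSRM").GetNetworkCredential().Password   # username is only a label

# Stage 2: attach to the precreated RODC account. /UseExistingAccount:Attach is
# what lets the delegated (non-DA) account finish the promotion. Reboot is left
# to the template's later commands so they can scrub the answer file first.
$dcpromo = "dcpromo /unattend /UseExistingAccount:Attach /ReplicaOrNewDomain:Replica " +
           "/ReplicaDomainDNSName:$Domain /UserDomain:$Domain /UserName:$UserName " +
           "/Password:$joinPw /SafeModeAdminPassword:$dsrmPw /RebootOnCompletion:No"

# The command lands inside an XML text node, so escape & < > " ' in it
# (a password containing '&' would otherwise corrupt the answer file).
$dcpromoXml = [System.Security.SecurityElement]::Escape($dcpromo)

$xmlText = [System.IO.File]::ReadAllText($UnattendXMLTemplate)
foreach ($token in "%COMPUTERNAME%", "%DCPROMOCMD%") {
    if ($xmlText.IndexOf($token) -lt 0) { throw "Template is missing token $token" }
}
$xmlText = $xmlText.Replace("%COMPUTERNAME%", $RodcName).Replace("%DCPROMOCMD%", $dcpromoXml)

# Fail fast if the substitution produced something Windows Setup cannot parse.
$parsed = New-Object System.Xml.XmlDocument
$parsed.LoadXml($xmlText)
$name = $parsed.GetElementsByTagName("ComputerName")[0].InnerText
if ($name -ne $RodcName) { throw "ComputerName substitution failed" }

# Where Windows Setup looks for an answer file on the next boot (assumption).
$target = Join-Path $VhdDrive "Windows\Panther\unattend.xml"
[System.IO.File]::WriteAllText($target, $xmlText)
Write-Host "Wrote $target for $RodcName"

# The answer file now holds two passwords in clear text inside the VHD. Keep the
# VHD off shared storage until the RODC has promoted, and have the template's
# final SynchronousCommand delete %WINDIR%\Panther\unattend.xml before rebooting.
```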


    Why the need for all of this?


    Well… it started for two reasons. The first is that we have gotten inquiries to support really large deployments of RODCs in the 2000 to 6000 range. One was even for 10,000! This is something that we’re looking into and need to think carefully about in order to (if at all) recommend. The current recommended limit of DCs in a domain is around 1200, and this is mainly due to the amount of time it would take to recover in the event of a disaster. Technologies in WS08 and AD could push this recommendation upwards. Questions we are asking ourselves include “How would you manage such a large deployment?” The first thing assumed is that the IT department probably isn’t going to triple in size to accommodate such a deployment. One reason is that there is a cost\benefit analysis made around having data close to the users and applications (data locality) and the cost to manage and secure that data. Besides connectivity, reduced security risk and scalable management make it more attractive to provide local IT services in my opinion. I believe automation is key to all of this. I mean, if you had 3000 RODCs deployed is an IT Pro really going to come into the office in the morning and start to investigate random event log errors or mis-configurations on some percentage of those servers? I would think not, and one possible remediation would certainly be quick and swift: redeploy. That is, if deploying was a cheap enough process.

    Now enter Virtualization into our large scale deployment story. I love Virtualization and I think RODCs running on Server Core as Virtual Machines will be popular. I like working with VHDs. Why? Well, for one reason *everyone* understands them and gets the concept. That’s a nice benefit to a technology in this day and age.

    Ok, I said there were two reasons for creating the script. The second reason was a tad less epic in the sense that I needed to come up with a demo for my presentation at the Directory Experts Conference in Chicago back in March. A lot of our Active Directory MVPs attend this conference and are relentless I tell you (you know who you are) in their thirst for understanding the product and what’s new.


    The stuff below is taken from the help text in the script to provide more detail about the process being used (again, feedback welcome).


    Overview: This script is intended as a proof of concept to demonstrate a process for automating deployment of Read-only Domain Controllers. It uses Hyper-Visor, PowerShell 1.0, Server Core, and Sysprep technologies. It automatically precreates RODCs in AD, creates a unique Sysprep'd VHD and creates a Virtual Machine in Hyper-V. Once the VM starts up and completes Sysprep setup, it runs second stage DCPROMO and automatically promotes itself.

    Requirements: Script should be executed locally on the Hyper-V machine (RC1) where VMs will be created. A writeable Windows Server 2008 Domain Controller must be reachable by the script, and can be remote or local. Explicit credentials are not currently supported. Precreating RODC accounts requires Domain Admin credentials or equivalent.


    Stage1 - setup Hyper-V host

        1. Install Windows Server 2008 Full OS with Hyper-V RC1
        2. Install PowerShell 1.0 via Server Manager
        3. Create a Virtual Network for the RODC VMs

    If demoing, the easiest setup I found was to just make the Hyper-V host a writeable Domain Controller and use an Internal network. If you go that route it's easiest just to install DHCP so the RODC VMs get IPv4 addresses automatically assigned.


    Stage2 - create primary VHD

        4. Install Windows Server 2008 Server Core in a Virtual Machine
        5. After Windows Setup completes, log on and copy over unattend.xml
        6. Run "c:\windows\system32\sysprep\sysprep /generalize /oobe /shutdown /unattend:<filename>"

    This leaves you with a VHD file that is the source for every RODC. The global variable "VHDSrc" points to this file. Right now it's set to a file named rodc_core.vhd that lives in the default VHD folder for Hyper-Visor.


    Stage3 - modify script settings

        7. If needed, modify the settings in the (Params and Global settings) section, or wait to change them later as an optional parameter (i.e. -DNS:NO) from the command line. The first section should be the only place in the script that needs to be customized. At least VMNIC needs to be modified to be the friendly name of the NIC the VMs will be using (note the NIC needs to be able to communicate with a writeable Windows Server 2008 DC). Also the NIC needs to be legacy.


    Stage4 - deploy rodcs

        8. You can deploy RODCs several different ways

    ·   One method is to split the precreation stage (where the Domain Admin creds are needed) from the stage that sets up the image and creates the VM.

        o   RODCs can be precreated automatically by searching AD for sites with no RODC or full DC. The site detection isn't domain aware yet:

            §   The command is "bogv2.ps1 -precreate:auto"

        o   RODCs can be bulk precreated by just specifying a count of RODCs. They all go into Default-First-Site-Name:

            §   The command is "bogv2.ps1 -precreate:42"

    ·   Once the RODCs are precreated in AD, you can run the command to customize an image and set up the VM any time later:

            §   The command is "bogv2.ps1 -deployvm:auto"

    ·   Or both stages can be done back to back:

            §   The command is "bogv2.ps1 -precreate:auto -deployvm:auto"
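    An added example, not the blog's attached script, of the site search behind "-precreate:auto" described above: it lists the AD sites that contain no DC of any kind and emits the stage-1 DCPROMO precreate command for each, delegating the later attach step to a non-Domain-Admin group. It assumes it runs as a Domain Admin on a domain-joined host; the domain and group names are constructed.

```powershell
# Added example (not bogv2.ps1): the search behind "-precreate:auto", which
# precreates an RODC account in every AD site that has no DC of any kind.
# Assumptions: runs as a Domain Admin on a domain-joined Hyper-V host; the
# domain and delegation group names are constructed.
param(
    [string]$Domain   = "corp.example.com",   # constructed sample domain
    [string]$Delegate = "CORP\RODC-Admins",   # group delegated to attach and admin the RODCs
    [bool]  $DryRun   = $true                 # print the dcpromo commands instead of running them
)

$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$sites = New-Object System.DirectoryServices.DirectorySearcher
$sites.SearchRoot  = [ADSI]"LDAP://CN=Sites,$configNc"
$sites.Filter      = "(objectClass=site)"
$sites.SearchScope = "OneLevel"
[void]$sites.PropertiesToLoad.Add("name")

$emptySites = @()
foreach ($site in $sites.FindAll()) {
    # Any DC, writeable or RODC, registers an nTDSDSA object under the site's
    # CN=Servers container (nTDSDSARO, used by RODCs, is a subclass and matches too).
    # Like the script, this is not domain aware: a DC of any domain "fills" a site.
    $dsa = New-Object System.DirectoryServices.DirectorySearcher
    $dsa.SearchRoot  = [ADSI]($site.Path -replace '^(LDAP://(?:[^/]+/)?)', '$1CN=Servers,')
    $dsa.Filter      = "(objectClass=nTDSDSA)"
    $dsa.SearchScope = "Subtree"
    if ($dsa.FindOne() -eq $null) { $emptySites += $site.Properties["name"][0] }
}

foreach ($siteName in $emptySites) {
    # Derive a NetBIOS-safe computer name (<= 15 chars, alphanumerics and '-' only).
    $rodcName = "RODC-" + ($siteName -replace '[^A-Za-z0-9]', '')
    if ($rodcName.Length -gt 15) { $rodcName = $rodcName.Substring(0, 15) }

    # Stage 1: precreate the account in AD (the only step that needs Domain Admin),
    # delegating the later attach step to a non-DA group so stage 2 runs with least privilege.
    $dcArgs = @("/unattend", "/CreateDCAccount", "/DCAccountName:$rodcName",
                "/ReplicaOrNewDomain:ReadOnlyReplica", "/ReplicaDomainDNSName:$Domain",
                "/SiteName:$siteName", "/DelegatedAdmin:$Delegate",
                "/InstallDNS:Yes", "/ConfirmGc:Yes")
    Write-Host ("dcpromo " + ($dcArgs -join " "))
    if (-not $DryRun) { & dcpromo.exe $dcArgs }
}
Write-Host ("Sites without a DC: " + $emptySites.Count)
```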


    Usage:

        Required: At least one of the following
            -precreate:<count>              Precreates <count> RODCs
            -precreate:Auto                 Precreates an RODC in each site that currently has no DC or RODC
            -deployvm:Auto                  Prepares SYSPREP VHD and creates VM

        Optional:
            -Domain:<domain>                Default: $($Domain)
            -VMRAM:<number>                 Default: $($VMRAM)
            -VMNIC:<name of nic>            Default: $($VMNIC)
            -GC:<Yes\No>                    Default: $($GC)
            -DNS:<Yes\No>                   Default: $($DNS)
            -VHDDir:<Path>                  Default: $($VHDDir)
            -VHDSrc:<Path>                  Default: $($VHDSrc)
            -UnattendXMLTemplate:<Path>     Default: $($UnattendXMLTemplate)

    Examples:
        bogv2.ps1 -precreate:Auto
        bogv2.ps1 -precreate:42
        bogv2.ps1 -deployvm:Auto
        bogv2.ps1 -precreate:Auto -deployvm:Auto -DNS:NO


© 2010 Microsoft Corporation. All rights reserved.