<#
.SYNOPSIS
    Bootstraps this machine as the first AD DS domain controller of a new forest using DSC.
.DESCRIPTION
    Creates a self-signed Document Encryption certificate (New-DscCert), points the Local
    Configuration Manager at it, then compiles and applies the 'adds' configuration.
    No parameter is marked Mandatory, so an omitted value arrives as an empty string.
    All secrets below are received as plain [string] arguments; anything that logs or lists
    the command line (transcripts, process listings) sees them in clear text.
#>
param (
    # DNS name of the new forest root domain (becomes domain_name in $ConfigurationData).
    [string]$domainName,
    # New NetBIOS/host name for this machine (applied by the xComputer resource).
    [string]$AD1NetBIOSName,
    # Directory Services Restore Mode (safe mode) administrator password, in clear text.
    [string]$safemodepassword,
    # Password used for the domain administrator credential and for the 'versent' user.
    [string]$DomainAdminPassword,
    # Static IPv4 address to assign to this server's network adapter.
    [string]$ADServer1PrivateIp
)
  8.  
  9. Function New-DscCert {
  10. [CmdletBinding()]
  11. param(
  12. [string]
  13. $Password,
  14.  
  15. [string]
  16. $Instance
  17. )
  18.  
  19. try {
  20. Write-Verbose 'Creating Certificate'
  21. $DomainDNSName = $Instance
  22.  
  23. $name = new-object -com 'X509Enrollment.CX500DistinguishedName.1'
  24. $name.Encode("CN=$DomainDNSName", 0)
  25.  
  26. $key = new-object -com 'X509Enrollment.CX509PrivateKey.1'
  27. $key.ProviderName = 'Microsoft RSA SChannel Cryptographic Provider'
  28. $key.KeySpec = 1
  29. $key.Length = 1024
  30. $key.SecurityDescriptor = 'D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)'
  31. $key.MachineContext = 1
  32. $key.ExportPolicy = 0x1
  33. $key.Create()
  34.  
  35. $serverauthoid = new-object -com 'X509Enrollment.CObjectId.1'
  36. $serverauthoid.InitializeFromValue('1.3.6.1.4.1.311.80.1')
  37. $ekuoids = new-object -com 'X509Enrollment.CObjectIds.1'
  38. $ekuoids.add($serverauthoid)
  39. $ekuext = new-object -com 'X509Enrollment.CX509ExtensionEnhancedKeyUsage.1'
  40. $ekuext.InitializeEncode($ekuoids)
  41.  
  42. $cert = new-object -com 'X509Enrollment.CX509CertificateRequestCertificate.1'
  43. $cert.InitializeFromPrivateKey(2, $key, '')
  44. $cert.Subject = $name
  45. $cert.Issuer = $cert.Subject
  46. $cert.NotBefore = get-date
  47. $cert.NotAfter = $cert.NotBefore.AddDays(730)
  48. $cert.X509Extensions.Add($ekuext)
  49. $cert.Encode()
  50.  
  51. $enrollment = new-object -com 'X509Enrollment.CX509Enrollment.1'
  52. $enrollment.InitializeFromRequest($cert)
  53. $certdata = $enrollment.CreateRequest(0)
  54. $enrollment.InstallResponse(2, $certdata, 0, '')
  55.  
  56. Write-Verbose 'Exporting Certificate'
  57. $certificate = Get-ChildItem cert:\localmachine\my -ErrorAction Stop | Where-Object { $_.Subject -eq "CN=$DomainDNSName" }
  58.  
  59. $mypwd = ConvertTo-SecureString -String $Password -Force -AsPlainText -ErrorAction Stop
  60. Export-Certificate -Cert $certificate -FilePath c:\dsc.cer -ErrorAction Stop -Force
  61. }
  62. catch {
  63. $_
  64. }
  65. }
  66.  
  67. New-DscCert -Password 'P@ssw0rd' -Instance $env:COMPUTERNAME
  68.  
  69. $secpasswd = ConvertTo-SecureString $safemodepassword -AsPlainText -Force
  70. $SafeModePW = New-Object System.Management.Automation.PSCredential ('guest', $secpasswd)
  71.  
  72. $secDomainAdminPassword = ConvertTo-SecureString "$DomainAdminPassword" -AsPlainText -Force
  73. $domainCred = New-Object System.Management.Automation.PSCredential ("dummy\versent", $secDomainAdminPassword)
  74.  
  75. $ConfigurationData = @{
  76. AllNodes = @(
  77. @{
  78. nodename = '*'
  79. domain_name = $domainName
  80. RetryCount = 20
  81. RetryIntervalSec = 30
  82. },
  83. @{
  84. nodename = 'localhost'
  85. role = 'primary'
  86. newName = $AD1NetBIOSName
  87. CertificateFile = 'C:\dsc.cer'
  88. PSDscAllowDomainUser = $true
  89. }
  90. )
  91. }
  92.  
  93. [DscLocalConfigurationManager()]
  94. configuration meta
  95. {
  96. Node localhost
  97. {
  98. Settings
  99. {
  100. RebootNodeIfNeeded = $true
  101. CertificateID = (Get-ChildItem Cert:\LocalMachine\My)[1].Thumbprint
  102. ActionAfterReboot = 'ContinueConfiguration'
  103. ConfigurationMode = 'ApplyOnly'
  104. }
  105. }
  106. }
  107.  
  108. meta
  109.  
  110. Set-DscLocalConfigurationManager -Path .\meta -Force -Verbose
  111.  
  112. Configuration adds {
  113.  
  114. param
  115. (
  116. [Parameter(Mandatory)]
  117. [pscredential]$SafeModePW,
  118. [Parameter(Mandatory)]
  119. [pscredential]$domainCred
  120. )
  121.  
  122. Import-DscResource -ModuleName @{ModuleName="xActiveDirectory"; RequiredVersion="2.11.0.0"}
  123. Import-DscResource -ModuleName xComputerManagement
  124. Import-DscResource -ModuleName xNetworking
  125. Import-DscResource -ModuleName PSDesiredStateConfiguration
  126.  
  127. Node $AllNodes.Where{$_.role -eq 'primary'}.nodename
  128. {
  129. File ADFiles
  130. {
  131. DestinationPath = 'D:\NTDS'
  132. Type = 'Directory'
  133. Ensure = 'Present'
  134. }
  135.  
  136. xIPAddress DCIPAddress {
  137. InterfaceAlias = (Get-NetAdapter).Name
  138. IPAddress = $ADServer1PrivateIp
  139. }
  140.  
  141. xDefaultGatewayAddress DefaultGateway {
  142. InterfaceAlias = (Get-NetAdapter).Name
  143. Address = (Get-AWSDefaultGateway -IPAddress $ADServer1PrivateIp)
  144. AddressFamily = "IPv4"
  145. }
  146.  
  147. xDnsServerAddress DnsServerAddress {
  148. Address = '172.20.0.2'
  149. InterfaceAlias = (Get-NetAdapter).Name
  150. AddressFamily = 'IPv4'
  151. DependsOn = '[xIPAddress]DCIPAddress'
  152. }
  153.  
  154. WindowsFeature ADDSInstall
  155. {
  156. Ensure = 'Present'
  157. Name = 'AD-Domain-Services'
  158. }
  159.  
  160. xComputer NewName
  161. {
  162. Name = $Node.newName
  163. }
  164.  
  165. WindowsFeature ADDSTools
  166. {
  167. Ensure = 'Present'
  168. Name = 'RSAT-ADDS'
  169. }
  170.  
  171. xADDomain FirstDS
  172. {
  173. DomainName = $Node.domain_name
  174. DomainAdministratorCredential = $domainCred
  175. SafemodeAdministratorPassword = $SafeModePW
  176. DatabasePath = 'D:\NTDS'
  177. LogPath = 'D:\NTDS'
  178. DependsOn = '[WindowsFeature]ADDSInstall','[File]ADFiles'
  179. }
  180.  
  181. xADUser FirstUser
  182. {
  183. DomainName = $Node.domain_name
  184. UserName = "versent"
  185. Password = $domainCred
  186. Ensure = "Present"
  187. DependsOn = "[xADDomain]FirstDS"
  188. }
  189.  
  190. xADGroup AddVersentToDomainAdmin
  191. {
  192. GroupName = 'Domain Admins'
  193. Members = 'versent','Administrator'
  194. Ensure = 'present'
  195. }
  196. }
  197. }
  198.  
  199. adds -Outputpath c:\temp -SafeModePW $SafeModePW -domainCred $domainCred -ConfigurationData $ConfigurationData
  200.  
  201. Start-DscConfiguration -Wait -Verbose -Force -Path c:\temp