Automating a DC deployment in Hyper-V

TL;DR how to automatically deploy a DC in Hypver-V and some tweaks that were required.

Welcome to Part V of our Back to the Basics Series!

Part I: NTDS.dit vs SAM

Part II: Ownership Matters

Part III: Recovering from a Crash

Part IV: Setting up a Simple Honeypot Account

Part V: Automating DC Deployment

Part VI: Sometimes it’s the dumbest thing

Background

We covered migrating a DC and the FSMO roles awhile back. More recently we covered recovering from a crash of the PDC. This is my notes from automating deployment of a DC while following along with the book PowerShell for Sysadmins. I had to

  • Download the newest copy of Convert-WindowsImage.ps1
  • Tweak the parameters being passed to it
  • Create a new answer file
  • Figure out why Hyper-V wouldn’t connect the VM to the outside world

Hence I ended up making a bunch of notes and figured I might as well post them here in case it helps anyone else.

This process was done on a member server in test.local running Hyper-V.

Provisioning the VM

Once I got it working this takes an ISO, answer file, and some parameters and creates a Hyper-V VM that is all ready to boot up and start using. An answer file is basically an XML that contains the answers to all the questions that Windows asks during a standard OS installation. You can create one using the Windows System Installation Manager. There is a step by step walkthrough of that process here.

I had to download the newest copy of Convert-WindowsImage.ps1 from the PowerShell gallery. I then had to tweak the author’s VM setup as the newer conversion took different parameters. I simply commented out the parts I had to change and put my tweak on the line below it.

To confirm the exact value to pass to the Edition parameter:

Then:

Configure the VM’s NIC

Storing credentials in a variable is a nifty feature I had not used before. My home lab is a ‘flat domain’ with SSO, so Mishka can just login to a workstation and go. However here we are working with a Hyper-V host that is a member server on test.local and running a VM that is the PDC for powerlab.local. There is no trust relationship between the two domains. Therefore to use PowerShell Direct, PSSession, Invoke-Command, or really any method one has to authenticate all over again.

This method stores the credentials in an encrypted format in XML, so only the user who stored them can use them. If anyone else opens the XML they’ll just see gibberish.

Going into promiscuous mode

I ran into an issue at this point. The Hyper-V VM could ping the host OS, a Windows Server 2019 VM running in ESXi, but could not reach anything else. Luckily a wise individual on Reddit had the answer. It turns out that you have to set the ESXi virtual switch that the Hyper-V host is using to allow

  • Promiscuous mode
  • MAC address changes
  • Forged transmits

Set Hyper-V to allow MAC address spoofing.

Make the VM a DC

If you are making the DC a backup in an existing domain, for example test.local, then simply change that to:

An astute reader will notice that we did not change the default ComputerName before promoting it to a DC. The book left that part out since it was focused on teaching PowerShell Direct. If this was more than just IaC practice then you would obviously do:

Populating the domain

Obviously this part is not applicable to adding a backup DC to an existing domain. However if you are creating the initial DC in a new forest then it is quite handy. We covered adding bulk users from a CSV file here. However this pertains to adding bulk users to a Hyper-V VM using PowerShell Direct.

The first thing you will want to do is add the AD and ImportExcel modules to the system that you are using to run code on the Hyper-V VM from via PowerShell Direct.

ImportExcel is an incredibly useful module that allows one to import and export Excel spreadsheets without requiring Excel itself on the system processing the data.

We are pulling the data from an Excel spreadsheet on the Hyper-V host, then using that data on the VM. This works via the nifty PowerShell feature ‘$using:<variable>’.

This method is not the most efficient, but it works. A perceptive reader will notice that this does not enable the accounts it creates, set an initial password on them, or even set basic attributes like SurName or GivenName. That’s because this was done while following along with a book that is teaching how to use PowerShell Direct. We have covered creating bulk accounts from a CSV with account attributes before here.

Summary

Overall I thought PowerShell for Sysadmins is a great book and very well put together. It stresses actually doing stuff instead of talking about theory. My only complaint would be that the author kind of blew past the security concerns of using CredSSP, but then this isn’t a security book. Security folks and auditors working in a Windows domain environment should already know about CredSSP. The author briefly mentioned the credential theft concern of using it for Sysadmin types who aren’t all that into security.

The book is two years old now though and some changes have taken place. Hence I had to tweak a fair amount to get the IaC working, took a bunch of notes on what I did, and figured I would post them here in case it helps anyone else.

There is also a good chance that I will be reading this myself in one to two years when I am trying to do something similar.

References

How to create an answer file: https://taylor.dev/automating-windows-server-2016-installs/

ImportExcel from PowerShell Gallery: https://www.powershellgallery.com/packages/ImportExcel/7.8.1

Using variables over PowerShell Direct: https://www.cloudsma.com/2018/06/using-powershell-variables-hyperv-powershell-direct/

CredSSP security issues: https://powershellmagazine.com/2014/03/06/accidental-sabotage-beware-of-credssp/

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.