In a previous post (https://enterpriseadmins.org/blog/virtualization/nested-vmware-workstation-lab-using-linked-clones/) I mentioned a nested ‘smash lab’ using VMware Workstation. This post will focus on one of the component VMs: lab-mgmt-01, which functions as the management console/GUI, domain controller, DNS Server, Certificate Authority, and NAT gateway.
This VM is a Windows Server 2022 Standard virtual machine with a very generic install. A lot of services will end up running on this VM, and it's likely that it will be used by nearly every test. Therefore, I decided to document the configuration in PowerShell, in case I ever wanted to update it to a newer version of Windows via re-deploy.
This first section of code sets the IP address on the second interface and renames the computer:

```powershell
# Set IP address for interface #2; see previous post for network diagram.
New-NetIPAddress -InterfaceAlias 'Ethernet1' -IPAddress 172.16.10.1 -PrefixLength 24 -Confirm:$false

# Set the computer name
Rename-Computer -NewName 'lab-mgmt-01' -Restart:$true

### We need a reboot after a name change before a dcpromo; this should happen automatically as part of the above Rename-Computer step ###
```
The second set of code will focus on installing the Active Directory components and promoting this system to a domain controller for a new forest named example.org. I like using example domain names as these are specifically reserved by RFC 2606 – Reserved Top Level DNS Names (ietf.org) and make documentation/screenshots look nice.

```powershell
# Install AD and DNS roles
Install-WindowsFeature -Name AD-Domain-Services,DNS -IncludeManagementTools

# Make me a new AD Forest
# (no -SafeModeAdministratorPassword is supplied, so the cmdlet prompts for the DSRM password interactively)
Import-Module ADDSDeployment
Install-ADDSForest `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "WinThreshold" `
    -DomainName "example.org" `
    -DomainNetbiosName "EXAMPLE" `
    -ForestMode "WinThreshold" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true
```
After the system is promoted to a domain controller it will automatically reboot. When the system comes back up there are a few more services we need to install like the Certificate Authority and Routing components.
```powershell
### PART 2, AFTER AD REBOOT ###
Install-WindowsFeature Routing,Adcs-Cert-Authority,Adcs-Web-Enrollment -IncludeManagementTools

# Configure RRAS as a NAT gateway: Ethernet0 faces the outside network, Ethernet1 is the 172.16.10.0/24 lab side
Install-RemoteAccess -VpnType RoutingOnly
$ExternalInterface = "Ethernet0"
$InternalInterface = "Ethernet1"
cmd.exe /c "netsh routing ip nat install"
cmd.exe /c "netsh routing ip nat add interface $ExternalInterface"
cmd.exe /c "netsh routing ip nat set interface $ExternalInterface mode=full"
cmd.exe /c "netsh routing ip nat add interface $InternalInterface"

# Configure Certificate Authority (enterprise root, 10 year CA certificate lifetime)
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName rootca.example.org -ValidityPeriod:Years -ValidityPeriodUnits 10 -Confirm:$false
Install-AdcsWebEnrollment -Confirm:$false
```
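Because this VM becomes the parent for every linked clone, it is worth confirming that all of the roles above actually came up before the snapshot is taken. The following check script is an added example, not code from the original post; it assumes the names used throughout (domain example.org, interfaces Ethernet0/Ethernet1) and is meant to be run in an elevated PowerShell session after the post-promotion reboot.

```powershell
# Added example (not from the original post): post-reboot sanity checks for lab-mgmt-01.
# Assumes: domain example.org, NAT external interface Ethernet0, internal interface Ethernet1.
$results = [ordered]@{}

# 1. Every role the build installs should report as Installed
$features = 'AD-Domain-Services', 'DNS', 'Routing', 'Adcs-Cert-Authority', 'Adcs-Web-Enrollment'
$missing  = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
$results['RolesInstalled'] = (@($missing).Count -eq 0)

# 2. The Windows services behind those roles should be running
#    NTDS = AD DS, DNS = DNS Server, CertSvc = AD CS, RemoteAccess = RRAS, W3SVC = IIS for web enrollment
$services = 'NTDS', 'DNS', 'CertSvc', 'RemoteAccess', 'W3SVC'
$stopped  = Get-Service -Name $services -ErrorAction SilentlyContinue | Where-Object { $_.Status -ne 'Running' }
$results['ServicesRunning'] = (@($stopped).Count -eq 0)

# 3. This host should be a DC for example.org and must resolve its own A record via its own DNS
$dc = Get-ADDomainController -Identity $env:COMPUTERNAME -ErrorAction SilentlyContinue
$results['IsDomainController'] = ($null -ne $dc -and $dc.Domain -eq 'example.org')
$results['SelfResolves'] = [bool](Resolve-DnsName -Name "$env:COMPUTERNAME.example.org" -Type A `
                                    -Server 127.0.0.1 -ErrorAction SilentlyContinue)

# 4. The CA should answer an RPC/DCOM ping (certutil returns non-zero if it cannot reach the CA)
& certutil.exe -ping *> $null
$results['CaOnline'] = ($LASTEXITCODE -eq 0)

# 5. NAT should have both interfaces registered
$nat = & netsh.exe routing ip nat show interface
$results['NatInterfaces'] = (($nat | Select-String -Quiet 'Ethernet0') -and ($nat | Select-String -Quiet 'Ethernet1'))

# Report; anything marked FAIL means the parent VM is not ready to be snapshotted yet
$results.GetEnumerator() | ForEach-Object {
    '{0,-20} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($results.Values -contains $false) {
    Write-Warning 'One or more checks failed; fix them before taking the linked-clone parent snapshot.'
}
```

Running this once after each reboot during the build catches the usual failure modes (a role that needs a second reboot, RRAS not starting, the CA service failing to register) while the VM is still cheap to fix, rather than after a dozen clones inherit the problem.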
There were a few more steps that I completed manually.
- In the Certification Authority console > right click the CA rootca.example.org > Security tab > select the Administrators group > check the box for Request Certificates. This will allow the default admin user to request certificates.
- Create a DNS record for time.example.org to be a CNAME back to the domain controller. This allows the domain controller to provide time to the ESXi hosts & VCSA and allows things to work as expected even when disconnected from the internet.
Note: any DNS edits will need to happen in this parent VM to be available for other lab exercises. In addition to this time record that was initially created, it might be helpful to create extra records that might point at the container host, for services like SMTP.
- Configured DNS to disable root hints and set a forwarder to the home network DNS server (could have pointed to Google or Cloudflare instead).
- Installed the PowerCLI module and configured some common settings:

```powershell
Install-Module vmware.powercli
Set-PowerCLIConfiguration -InvalidCertificateAction:Prompt -ParticipateInCeip:$true -Scope:AllUsers
```
- Ran VMware Horizon OS Optimization Tool to disable services like screensaver and Windows Update.
- Configured autologin in Workstation under VM > Settings > Options > Autologin so that we automatically log in as the domain's Administrator account.
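In keeping with the goal of documenting the build in PowerShell, the DNS items from the manual list above (the time CNAME, the optional extra records, and the root hints/forwarder change) can be scripted with the DnsServer module that ships with the DNS role. The block below is an added example, not part of the original post; it assumes the zone example.org, the DC name lab-mgmt-01, and uses a placeholder forwarder address (192.0.2.53, from the RFC 5737 documentation range) and a constructed SMTP host address that you would replace with your own values.

```powershell
# Added example (not from the original post): scripting the manual DNS edits on lab-mgmt-01.
# Assumptions: zone example.org, DC lab-mgmt-01; forwarder and SMTP addresses below are placeholders.
Import-Module DnsServer

$Zone      = 'example.org'
$DcFqdn    = 'lab-mgmt-01.example.org'
$Forwarder = '192.0.2.53'      # placeholder (RFC 5737 TEST-NET-1): replace with the home network DNS server
$SmtpHost  = '172.16.10.50'    # constructed address for a container host running SMTP; adjust to your lab

# time.example.org -> CNAME to the DC so ESXi/VCSA can use it for NTP even when offline.
# Guarded so the script can be re-run on an updated parent VM without erroring on a duplicate record.
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name 'time' -RRType CName -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'time' -HostNameAlias $DcFqdn
}

# Optional extra record of the kind the post suggests (e.g. SMTP on the container host)
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name 'smtp' -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'smtp' -IPv4Address $SmtpHost
}

# Send all non-authoritative queries to one forwarder and stop falling back to the public root servers,
# which is the same effect as unticking "Use root hints if no forwarders are available" in the GUI.
Set-DnsServerForwarder -IPAddress $Forwarder -UseRootHint $false

# Verify: the CNAME must resolve through this server, and the forwarder list must be what we set
$cname = Resolve-DnsName -Name "time.$Zone" -Type CNAME -Server 127.0.0.1 -ErrorAction SilentlyContinue
if (-not $cname -or $cname.NameHost -ne $DcFqdn) {
    Write-Warning "time.$Zone does not resolve to $DcFqdn"
}
$fwd = Get-DnsServerForwarder
if ($fwd.UseRootHint -or ($fwd.IPAddress.IPAddressToString -notcontains $Forwarder)) {
    Write-Warning 'Forwarder configuration did not apply as expected'
}
```

Keeping these edits idempotent matters here more than usual: the whole point of this VM is to be re-deployed on a newer Windows release, and a script that fails on the second run because a record already exists defeats the purpose of documenting the build as code.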
I rebooted the VM a couple of times to make sure that Autologin worked, services would start up, and everything was working as expected. I finally powered down the VM and created a new snapshot so this could be used as a parent virtual machine for future linked clones.