

Setting up the NIC, Renaming the Computer, and Rebooting

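# Define the Computer Name
$computerName = "dc1"

# Define the IPv4 Addressing
$IPv4Address = "10.10.100.25"
$IPv4Prefix = "24"
$IPv4GW = "10.10.100.1"
# External resolver used until this host runs DNS itself.
# NOTE(review): nothing later on this page repoints the DC's DNS client at its
# own address after promotion - confirm the client settings once the forest exists.
$IPv4DNS = "8.8.8.8"

# Get the Network Adapter's Interface Index
# Get-NetAdapter with no filter returns every adapter on the host. With more
# than one adapter, .ifIndex is an array and New-NetIPAddress below fails to
# bind -InterfaceIndex; fail early with a message that says why instead.
$ipIF = @((Get-NetAdapter).ifIndex)
if ($ipIF.Count -ne 1) {
    throw "Expected exactly one network adapter, found $($ipIF.Count); set `$ipIF to the intended InterfaceIndex."
}
$ipIF = $ipIF[0]

# Turn off IPv6 Random & Temporary IP Assignments
Set-NetIPv6Protocol -RandomizeIdentifiers Disabled
Set-NetIPv6Protocol -UseTemporaryAddresses Disabled

# Turn off IPv6 Transition Technologies
Set-Net6to4Configuration -State Disabled
Set-NetIsatapConfiguration -State Disabled
Set-NetTeredoConfiguration -Type Disabled

# Add IPv4 Address, Gateway, and DNS (ASCII hyphens throughout; the original
# used Unicode en-dashes on the DNS line, which do not survive every editor or paste)
New-NetIPAddress -InterfaceIndex $ipIF -IPAddress $IPv4Address -PrefixLength $IPv4Prefix -DefaultGateway $IPv4GW
Set-DnsClientServerAddress -InterfaceIndex $ipIF -ServerAddresses $IPv4DNS

# Rename the Computer, and Restart (the new name takes effect after the reboot)
Rename-Computer -NewName $computerName -Force
Restart-Computer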

Install the ADDS Bits and Promote

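$domainName  = "contoso.com"
$netBIOSname = "CONTOSO"
# Used for both ForestMode and DomainMode below.
$mode  = "Win2012R2"

# Install the AD DS role; -IncludeManagementTools brings in the ADDSDeployment module used next.
Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools

Import-Module ADDSDeployment

# Directory Services Restore Mode password. Install-ADDSForest prompts for it
# interactively when the parameter is omitted; prompting explicitly here makes
# the requirement visible and keeps the value out of the script as a SecureString.
$dsrmPassword = Read-Host -AsSecureString "DSRM (Safe Mode Administrator) Password"

$forestProperties = @{

    DomainName                    = $domainName
    DomainNetbiosName             = $netBIOSname
    ForestMode                    = $mode
    DomainMode                    = $mode
    CreateDnsDelegation           = $false
    InstallDns                    = $true    # this DC also becomes the forest's DNS server
    DatabasePath                  = "C:\Windows\NTDS"
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    NoRebootOnCompletion          = $false   # promotion ends with an automatic reboot
    Force                         = $true
    SafeModeAdministratorPassword = $dsrmPassword

}

Install-ADDSForest @forestProperties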

DNS, Sites & Services, and Time Keeping

# Define DNS and Sites & Services Settings
$IPv4netID = "10.10.100.0/24"
$siteName  = "LAB"
$location  = "New Lab City"

# Define Authoritative Internet Time Servers (space-separated list, as w32tm expects)
$timePeerList = "0.us.pool.ntp.org 1.us.pool.ntp.org"

# Add a DNS Reverse Lookup Zone for the lab subnet: forest-replicated, secure dynamic updates only
Add-DnsServerPrimaryZone -NetworkID $IPv4netID -ReplicationScope 'Forest' -DynamicUpdate 'Secure'

# Make Changes to Sites & Services: rename the default site, then register the subnet in it
$defaultSite = Get-ADReplicationSite | Select-Object DistinguishedName
Rename-ADObject -Identity $defaultSite.DistinguishedName -NewName $siteName
New-ADReplicationSubnet -Name $IPv4netID -Site $siteName -Location $location

# Re-Register DC's DNS Records
Register-DnsClient

# Enable Default Aging/Scavenging Settings for All Zones and this DNS Server
# (ASCII hyphens; the original used Unicode en-dashes on this line)
$scavengingSettings = @{
    ScavengingState    = $True
    ScavengingInterval = '7:00:00:00'
    ApplyOnAllZones    = $True
}
Set-DnsServerScavenging @scavengingSettings
$Zones = Get-DnsServerZone | Where-Object { $_.IsAutoCreated -eq $False -and $_.ZoneName -ne 'TrustAnchors' }
$Zones | Set-DnsServerZoneAging -Aging $True

# Set Time Configuration: sync from the external peers and advertise this DC as
# a reliable time source (appropriate for the PDC emulator, which the first DC holds)
w32tm /config /manualpeerlist:$timePeerList /syncfromflags:manual /reliable:yes /update

Build an OU Structure

# Base of the directory tree and the container that holds every OU below
$baseDN = "DC=contoso,DC=com"
$resourcesDN = "OU=Resources," + $baseDN

New-ADOrganizationalUnit "Resources" -Path $baseDN

# Child OUs, created in this order. "Admin Users" is where the privileged
# account created later on this page is placed; keeping it separate from
# "Users" lets GPO and delegation differ between the two.
$childOUs = @(
    "Admin Users",
    "Groups Security",
    "Service Accounts",
    "Workstations",
    "Servers",
    "Users"
)
foreach ($ouName in $childOUs) {
    New-ADOrganizationalUnit -Name $ouName -Path $resourcesDN
}

Enable the Recycle Bin

$ForestFQDN = "contoso.com"
$SchemaDC   = "dc1.contoso.com"

# Enable the AD Recycle Bin forest-wide. This is a one-way change; once on it
# cannot be turned off. -Confirm:$false suppresses the interactive prompt.
# (ASCII hyphens; the original used Unicode en-dashes for three parameters.)
$recycleBinFeature = @{
    Identity = 'Recycle Bin Feature'
    Scope    = 'ForestOrConfigurationSet'
    Target   = $ForestFQDN
    Server   = $SchemaDC
    Confirm  = $false
}
Enable-ADOptionalFeature @recycleBinFeature

Create User Accounts

# Prompt for a Password (SecureString; never stored in the script)
# NOTE(review): this single value is also reused for the non-privileged
# account further down the page, so the tier-0 and everyday accounts end up
# sharing a password - consider prompting separately.
$Password = Read-Host -AsSecureString -Prompt "User Password"

# Create a Privileged Account
# NOTE(review): PasswordNeverExpires is set on an Enterprise Admin account;
# revisit whether that matches the password policy intended for tier-0 accounts.
$userProperties = @{

    Path                 = "OU=Admin Users,OU=Resources,DC=Contoso,DC=com"
    Name                 = "John Dougherty EA"
    DisplayName          = "John Dougherty EA"
    GivenName            = "John"
    Surname              = "Dougherty EA"
    SamAccountName       = "dougherty-ea"
    UserPrincipalName    = "dougherty-ea@contoso.com"
    Description          = "Contoso Enterprise Admin"
    AccountPassword      = $Password
    PasswordNeverExpires = $True
    Enabled              = $True

}

New-ADUser @userProperties

# Add Privileged Account to EA, DA, & SA Groups
# NOTE(review): Schema Admins membership is only needed while a schema change
# is being made; the account is added permanently here.
$privilegedGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins")
foreach ($groupName in $privilegedGroups) {
    Add-ADGroupMember -Identity $groupName -Members $userProperties.SamAccountName
}

Create a Non-Privileged User Account

# Everyday (non-privileged) account for the same person, placed in the Users OU.
# Reuses $Password from the privileged-account prompt above, so both accounts
# receive the same password unless the prompt is repeated here.
$userProperties = @{

    Path                 = "OU=Users,OU=Resources,DC=Contoso,DC=com"
    Name                 = "John Dougherty"
    DisplayName          = "John Dougherty"
    GivenName            = "John"
    Surname              = "Dougherty"
    SamAccountName       = "john.dougherty"
    UserPrincipalName    = "john.dougherty@contoso.com"
    Description          = "Contoso User"
    AccountPassword      = $Password
    PasswordNeverExpires = $True
    Enabled              = $True

}

New-ADUser @userProperties

Secure & Disable the Administrator Account

# Harden the built-in Administrator account and then disable it: mark it as
# sensitive (cannot be delegated), require a smart card for logon, and turn it
# off. Run this only after another enterprise admin account exists (one is
# created earlier on this page), or no administrative login remains.
$builtinAdministrator = @{
    Identity               = 'Administrator'
    AccountNotDelegated    = $true
    SmartcardLogonRequired = $true
    Enabled                = $false
}
Set-ADUser @builtinAdministrator

Create an Active Directory Snapshot

# Create an Active Directory Snapshot of the running ntds instance.
# The snapshot holds a copy of the whole directory database, including
# password hashes; treat it with the same access controls and retention
# rules as a full DC backup.
& 'C:\Windows\system32\ntdsutil.exe' snapshot 'activate instance ntds' create quit quit