Install AD-Domain-Services And Configure A New Domain On Windows Server 2016

#Install AD-Domain-Services And Configure A New Domain On Windows Server 2016

#This is to install and configure a new Active Directory domain called domain.win10server2016.lan with a short name of domain. You will be disconnected from Microsoft PowerShell at the end of the procedure if you are connected via WinRM or PowerShell Direct. You’ll need to restart the server and login with domain\username credentials when you reconnect. 

#Just the code:

Get-WindowsFeature -Name AD-Domain-Services|Install-WindowsFeature -Verbose|fl
Import-Module ADDSDeployment -PassThru|fl
Install-ADDSForest -DomainName domain.win10server2016.lan -DomainNetbiosName DOMAIN -DomainMode 7 -ForestMode 7 -InstallDNS -Verbose|fl

#The Longer Story…

#This is just to install a single domain on Windows Server 2016 using PowerShell commands.

#Install AD-Domain-Services feature in Windows Server 2016 using PowerShell Direct

Get-WindowsFeature -Name AD-Domain-Services|Install-WindowsFeature -Verbose|fl

#Import the ADDSDeployment module that contains Install-ADDSForest

Import-Module -Name ADDSDeployment -PassThru|fl

#Create domain and forest

#-DomainMode 7 and -ForestMode 7 are for Server 2016 domain and forest mode. These settings should be modified if compatibility for previous Active Directory domain and forest mode support is needed. I do not see these settings on the Microsoft help page for Install-ADDSDeployment but if you use the GUI wizard method then Server 2016 mode is the default used there and this will be added when they update the Install-ADDSDeployment TechNet page past Server 2012 R2.

#The -DomainNetbiosName is different from a Netbios Computer Name and is what is used when logging in so domain\administrator is as valid as logging into domain.win10server2016.lan\administrator.

Install-ADDSForest -DomainName domain.win10server2016.lan -DomainNetbiosName DOMAIN -DomainMode 7 -ForestMode 7 -InstallDNS -Verbose -NoRebootOnCompletion|fl

 

#Full Output of Install-ADDSForest:

The target server will be configured as a domain controller. The server needs to be restarted manually when this
operation is complete.
Do you want to continue with this operation?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
VERBOSE: Active Directory Domain Services Setup
VERBOSE: Validating environment and parameters...
WARNING: Windows Server 2016 domain controllers have a default for the security setting named "Allow cryptography
algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security
channel sessions.

For more information about this setting, see Knowledge Base article 942564
(http://go.microsoft.com/fwlink/?LinkId=104751).

WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it
 does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually
create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain
"domain.win10server2016.lan". Otherwise, no action is required.

VERBOSE: ----------------------------------------
VERBOSE: The following actions will be performed:
VERBOSE: Configure this server as the first Active Directory domain controller in a new forest.

The new domain name is "domain.win10server2016.lan". This is also the name of the new forest.

The NetBIOS name of the domain is "DOMAIN".

Forest Functional Level: Windows Server 2016

Domain Functional Level: Windows Server 2016

Site: Default-First-Site-Name

Additional Options:
  Read-only domain controller: "No"
  Global catalog: Yes
  DNS Server: Yes

Create DNS Delegation: No

Database folder: C:\Windows\NTDS
Log file folder: C:\Windows\NTDS
SYSVOL folder: C:\Windows\SYSVOL

The DNS Server service will be installed on this computer.
The DNS Server service will be configured on this computer.
This computer will be configured to use this DNS server as its preferred DNS server.

The password of the new domain Administrator will be the same as the password of the local Administrator of this
computer.
VERBOSE: ----------------------------------------
VERBOSE: Active Directory Domain Services Setup
VERBOSE: Validating environment and parameters...
WARNING: Windows Server 2016 domain controllers have a default for the security setting named "Allow cryptography
algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions.

For more information about this setting, see Knowledge Base article 942564
(http://go.microsoft.com/fwlink/?LinkId=104751).

WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it
 does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually
create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain
"domain.win10server2016.lan". Otherwise, no action is required.

VERBOSE: ----------------------------------------
VERBOSE: The following actions will be performed:
VERBOSE: Configure this server as the first Active Directory domain controller in a new forest.

The new domain name is "domain.win10server2016.lan". This is also the name of the new forest.

The NetBIOS name of the domain is "DOMAIN".

Forest Functional Level: Windows Server 2016

Domain Functional Level: Windows Server 2016

Site: Default-First-Site-Name

Additional Options:
  Read-only domain controller: "No"
  Global catalog: Yes
  DNS Server: Yes

Create DNS Delegation: No

Database folder: C:\Windows\NTDS
Log file folder: C:\Windows\NTDS
SYSVOL folder: C:\Windows\SYSVOL

The DNS Server service will be installed on this computer.
The DNS Server service will be configured on this computer.
This computer will be configured to use this DNS server as its preferred DNS server.

The password of the new domain Administrator will be the same as the password of the local Administrator of this
computer.
VERBOSE: ----------------------------------------
VERBOSE: Press CTRL-C to: Cancel
VERBOSE: Active Directory Domain Services is now installed on this computer for the domain
"domain.win10server2016.lan".

This Active Directory domain controller is assigned to the site "Default-First-Site-Name". You can manage sites with
the Active Directory Sites and Services administrative tool.


Message        : You must restart this computer to complete the operation.

Context        : DCPromo.General.4
RebootRequired : True
Status         : Success

#Restart the server.

Restart-Computer

#Reconnect to PowerShell Direct using the DOMAIN\administrator account after reboot from Install-ADDSForest is complete.

Enter-PSSession -VMName Server2016 -Credential domain\administrator

Manage Active Directory Users And Computers Using Windows 10 Creators Edition In PowerShell Direct Without CredSSP Or “Second-Hop” Issues

#Manage Active Directory Users And Computers Using Windows 10 Creators Edition Using PowerShell Direct Without CredSSP Or “Second-Hop” Issues

#If you connect to a virtual machine using PowerShell Remote then you need to enable CredSSP to avoid Second-Hop or “Multi-Hop” Issues when managing Active Directory objects. CredSSP is always needed when connecting to a physical machine since PowerShell Direct only works when connecting to a virtual machine directly from the host computer.

#PowerShell Direct doesn’t have the “Second-Hop” issue when managing Windows Server 2016 from a Windows 10 Creators Edition virtual machine running Hyper-V. I have enabled the Hyper-V role on Windows 10 Professional and my physical machine is not joined to a domain. The Windows 10 virtual machine will need to be joined to the Active  Directory domain you intend to manage without making further “workgroup” related configuration changes.

Enter-PSSession -VMName Win10 -Credential DOMAIN\administrator #Connect to a Windows 10 Creators Edition virtual machine using PowerShell Direct
New-ADOrganizationalUnit -Server KERMIT -Name Test -Description 'Administrator Rights' -DisplayName Test -PassThru -Verbose #Create a new OU called Test
Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com'|Set-ADOrganizationalUnit –ProtectedFromAccidentalDeletion $false #Unprotect OU=Test for intentional deletion
Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com'|Remove-ADOrganizationalUnit -Verbose #Delete OU=Test

#The Longer Story…

#Create a new Organizational Unit in PowerShell Remote using just the computer name

#Without CredSSP enabled this command fails in PowerShell Remote

Enter-PSSession -ComputerName KERMIT -Credential DOMAIN\administrator #Connect to a Windows 10 Creators Edition virtual machine using PowerShell Remote
New-ADOrganizationalUnit -Server KERMIT -Name Test -Description 'Administrator Rights' -DisplayName Test -PassThru -Verbose #Create a new OU called Test

#Create a new Organizational Unit in PowerShell Direct using just the computer name

#Just using OU=Test as an example to show how this command doesn’t fail in PowerShell Direct like it did in the previous example.

Enter-PSSession -VMName Win10 -Credential DOMAIN\administrator #Connect to a Windows 10 Creators Edition virtual machine using PowerShell Direct
New-ADOrganizationalUnit -Server KERMIT -Name Test -Description 'Administrator Rights' -DisplayName Test -PassThru -Verbose #Create a new OU called Test

#Set –ProtectedFromAccidentalDeletion to $false on OU=Test so it can be deleted

#This needs to be done to allow the OU to be deleted.

Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com'|Set-ADOrganizationalUnit –ProtectedFromAccidentalDeletion $false #Unprotect OU=Test for intentional deletion

#Delete OU=Test from -Server KERMIT.

#KERMIT is the NetBIOS computer name of my domain controller and not the domain NetBIOS name. They are different things.

Get-ADOrganizationalUnit -Server KERMIT -Identity 'OU=Test,DC=domain,DC=muppetlabs,DC=com'|Remove-ADOrganizationalUnit -Verbose #Delete OU=Test

 

Join Windows 10 Professional To An Active Directory Domain Using PowerShell Direct

#Join Windows 10 Professional To An Active Directory Domain Using PowerShell Direct

#These are the commands to rename a Windows 10 client computer to GONZO and add that computer to a domain called domain.win10server2016.lan .

Rename-Computer -NewName GONZO -Verbose -PassThru #Rename computer before joining domain. Requires restart
Restart-Computer
Add-Computer -DomainName domain.win10server2016.lan -Credential domain\administrator -Passthru -Verbose #Join Active Directory Domain and add to Computer container. Requires restart
Restart-Computer

#The Longer Story…

#Your computer may not need to be renamed so skip that if needed. Also the Add-Computer command sends your newly added computers to the Computers container by default unless you specify an -OUPath when running Add-Computer.

#Rename computer before joining your domain if your computer name doesn’t comply with server standards. Restart required.

Rename-Computer -NewName GONZO -Verbose -PassThru #Rename computer before joining domain. Requires restart
Restart-Computer

 

#Join a domain called domain.muppetlabs.com. Restart required.

#You need to change the -DomainName from domain.win10server2016.lan to what you call your domain. Use -Restart at the end of the Add-Computer command to automatically restart.

Add-Computer -DomainName domain.win10server2016.lan -Credential domain\administrator -Passthru -Verbose #Join Active Directory Domain and add to Computer container. Requires restart
Restart-Computer

 


#A Bit More

#Specify a preconfigured Organizational Unit path when joining domain

#My domain is simple and this is not needed for me at this time. I don’t have multiple Organizational Units yet and I don’t need any Group Policies affecting this PC since I’m working with my Windows 10 Creators Edition management PC. I’m able to specify the -OUPath shown below, once I complete the step below to create an OU called ServerAdmins. This command adds the computer to OU=ServerAdmins.

#You are not able to specify another container besides the default Computers container, but there is a way to change the default container if you don’t specify an OU. I definitely don’t want my computers added to the default OU which is OU=Domain Controllers, so I don’t use this command switch unless I have created a new OU first. It has been suggested to create the OU and computer object prior to joining the domain, but I don’t need to do that at this point.

#The command below is used to specify an Organizational Unit when joining a domain, if needed.

Add-Computer -DomainName 'domain.win10server2016.lan' -OUPath 'OU=Producers,DC=domain,DC=win10server2016,DC=lan' -Credential 'DOMAIN\administrator' -Passthru -Verbose
Restart-Computer

#Create a new Organizational Unit on the server (Needs to be run on Windows Server 2016 with the Active Directory role installed and configured)

#If you preconfigure an alternative Organizational Unit on Windows Server 2016 then you can add your computers directly to that OU by specifying a -OUPath when running Add-Computer.

New-ADOrganizationalUnit -Name ServerAdmins -Description 'Administrator Rights' -DisplayName Producers -PassThru -Verbose

Update Path Environment Variable Using PowerShell In Windows 10 Creators Edition

#Update Path Environment Variable Using PowerShell In Windows 10 Creators Edition

#These are the two PowerShell commands you need to permanently update the Path environment variable in Windows 10 Creators Edition and Windows 10 Anniversary Edition.  If that is all you want to do then you do not need to read further than the following two commands. These commands all work in both PowerShell and PowerShell Direct.

$Old_Path=(Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name Path).Path #Save old Path variable value
Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH -Value ($Old_Path += ';c:\Important Executables') #Append new path to existing path variable

#The Longer Story…

#Setx is the old way to modify registry entries and set environment variables. It still works if needed but PowerShell commands are all I am attempting to use at this point.

#Check mounted drives and filesystems

#You do not need to run the command below. Is just to prove a point about accessing different mount points.

Get-PSDrive

#▲Run Get-PSDrive to see the drives available in PowerShell.

#▲You will see Env listed under the Name column and Provider is Environment meaning that the environment variables are an actual mounted file system to PowerShell and the same commands you use to manage other filesystems will work when modifying or adding environment variables manually.

#Add c:\Important Executables to the existing environment path for the current session only.

#Disconnecting your PowerShell session loses these changes when you reconnect to a new session. You instead need to update the registry to make the change permanent. There is no output for the following command but you would need to change c:\Important Executables to the directory you would like to include in your system path. This command has no results or confirmation.

$env:Path += ';c:\Important Executables'

#Check current permanent Path variable

#Check the registry key value for the Path variable to see what it is currently set to.  Any changes so far are still not there after running the last command. The path will revert to the results of the command below once you disconnect and reconnect your PowerShell session.

(Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name Path).Path|fl

#▲Get-ItemProperty before updating the registry value.

#▲Get-ItemProperty after updating the registry value.

#Use Get-Item Env:Path  to get the currently loaded Path environment variable value

Get-Item Env:Path|fl

#$Env:Path also works as a shortcut for Get-Item Env:Path

#▲Get-Item Env:Path before updating the path.

#▲$Env:Path after exiting PowerShell and reconnecting again.

#Perserve old path to $Old_Path and a new path to the existing path

#To save the current registry value for combining with the new path or at least have the original value stored in case you screw something up by typing:

$Old_Path=(Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name Path).Path

#Set registry key to the old registry value combined with the new directory

#Modify HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment|Path properties to include a new directory.

Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH -Value ($Old_Path += ';c:\Important Executables') -Verbose -PassThru|fl

#Delete Environment Variables

#Setting a variable = to an empty string will remove it completely.

$Env:VariableName = ''

#Default Path In Windows 10 Creators Edition

#For reference in case something gets screwed up. This is not a commnad
C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\

Enable File And Printer Sharing In Windows 10 Creators Edition Without Using The netsh Command In PowerShell

#Enable File And Printer Sharing In Windows 10 Without Using The netsh Command in PowerShell

#It is as simple as enabling  the pre-configured rule in Windows Firewall to enable File and Printer Sharing in Windows 10 but using netsh is the old fashion way.

#Run this command in an elevated PowerShell prompt and you are done.

Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing'|Set-NetFirewallRule -Profile 'Private, Domain' -Enabled true -PassThru|select Name,DisplayName,Enabled,Profile|ft -a

#The Long Story…

#Allow File and Printer Sharing services through the Windows Firewall to access shared information and to share information of your own. These commands all work in both in PowerShell and PowerShell Direct.

#Get Firewall rules for File and Printer Sharing

#This command shows the individual rules and the network connection profiles that  are explicitly enabled and disabled for the File and Printer Sharing services.

Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing'|select Name,DisplayName,Enabled,Profile|ft -a

#Enable File and Printer Sharing for Private and Domain network profiles

#Enable the  File and Printer Sharing services for the Private and Domain network connection profiles by applying the preconfigured Windows Firewall group rule called File and Printer Sharing by typing this:

Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing'|Set-NetFirewallRule -Profile 'Private, Domain' -Enabled true -PassThru|select Name,DisplayName,Enabled,Profile|ft -a

#▲That is what it looks like under Advanced Sharing Settings when the File and Printer Sharing firewall rule is enabled.

#Set Network Connection Profile to Private.

#I set the variable $InterfaceAlias to automatically query my primary network interface or NIC. The -NlMtuBytes 1500 switch is what makes it work. If you have changed the Maximum Transmission Unit (MTU) from the defaults then this command will need to be modified:

$InterfaceAlias = (Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected -NlMtuBytes 1500 -Verbose) #this works for me to automatically identify my nic - mtu 1500 may vary
Set-NetConnectionProfile -InterfaceIndex $InterfaceAlias.ifIndex -Ne

#Disable File and Printer Sharing on all network profiles

Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing'|Set-NetFirewallRule -Enabled false -PassThru|select Name,DisplayName,Enabled,Profile|ft -a

#▲It will look like this when File and Printer Sharing is disabled.