author:    Rich Megginson <rmeggins@redhat.com>  2012-07-20 14:11:58 -0600
committer: Rich Megginson <rmeggins@redhat.com>  2012-07-20 14:11:58 -0600
commit:    792e1312636cbcd78be3a12953b0ea009f116364 (patch)
tree:      e0757a99e74b59496a221a84a2779b4eaa7ce11f /README
parent:    e66b39153e5c953becbd52afb09bc70607968157 (diff)
download:  auto-win-vm-ad-792e1312636cbcd78be3a12953b0ea009f116364.tar.gz
           auto-win-vm-ad-792e1312636cbcd78be3a12953b0ea009f116364.tar.xz
           auto-win-vm-ad-792e1312636cbcd78be3a12953b0ea009f116364.zip
Parameterized install - added README
Diffstat (limited to 'README')
-rw-r--r--  README  171
1 file changed, 171 insertions, 0 deletions
diff --git a/README b/README
new file mode 100644
index 0000000..0fbf9ca
--- /dev/null
+++ b/README
@@ -0,0 +1,171 @@
+auto-win-vm-ad
+==============
+
+Automatically create Windows Virtual Machines with Active Directory
+and Certificate Services
+
+This allows you to create a Windows VM complete with Active Directory
+and Certificate Services, and Active Directory TLS/SSL enabled,
+completely automated and unattended.
+
+Currently only tested on (and hardcoded to work with) RHEL 6.3 with
+kvm/qemu virtualization and Windows Server 2008 R2 Enterprise
+Datacenter 64-bit.
+
+Pre-Requisites
+==============
+
+These are the tools I've used so far:
+* RHEL 6.3 64-bit with KVM/QEMU
+** qemu-kvm - the basic virtualization packages
+** python-virtinst - virt-install
+** qemu-img
+** libvirt-client - virsh
+** dosfstools - mkfs.vfat
+** openldap-clients - for testing the AD connection and getting the AD CA cert
+
+* en_windows_server_2008_r2_standard_enterprise_datacenter_web_x64_dvd_x15-50365.iso
+** an MSDN subscription is required for access to Windows ISO files
+ and product keys
+** I know 2008 R2 Enterprise Datacenter comes with Active Directory
+ and Certificate Services
+** Not sure what other versions contain these
+** autounattend.xml, dcinstall.ini, adcertreq.inf, and the cmd scripts
+ depend on this version
+
+* KVM/Machine setup
+** In order to easily keep track of the VM hostname/IP address I have
+ done the following:
+** edit /etc/hosts - assign an IP address and FQDN for the VM
+ e.g. something like this:
+ 192.168.122.2 ad.test.example.com ad
+** The FQDN must be the first one listed (just like for SSL/Kerberos
+ testing)
+** virsh net-edit default - add a name, the IP address from above, and
+ a unique MAC address
+** This part can be automated too
+
+You will need to provide at least the name of the VM to the script.
+The script will attempt to find the FQDN, the IP address, and the MAC
+address (or you can provide these).
+
+Running
+=======
+
+ANS_FILE_DIR=/path/to/thisscript/answerfiles \
+VM_NAME=nameofvm \
+ADMINPASSWORD="your windows admin password" \
+make-ad-vm.sh
+
+There are many, many parameters you can pass as environment variables
+VM_NAME - name of virtual machine
+- default - ad
+VM_IMG_DIR - path to your KVM/QEMU disk images
+* default - /var/lib/libvirt/images
+ANS_FILE_DIR - path to the config files and scripts used during Windows install/setup
+* no default - you must provide this
+WIN_VER_REL_ARCH - windows version, release, arch
+* default - win2k8x8664
+* must correspond to the WIN_ISO
+WIN_ISO - the full path and file name of the Windows install ISO
+* default - $VM_IMG_DIR/en_windows_server_2008_r2_standard_enterprise_datacenter_web_x64_dvd_x15-50365.iso
+WIN_VM_DISKFILE - the full path and file name of the Windows VM disk image
+* default - $VM_IMG_DIR/$VM_NAME.raw
+VM_RAM - amount of RAM to use for VM, in MB
+* default - 2048 (2GB)
+VM_CPUS - number of CPUs to use for VM
+* default - 2
+VM_DISKSIZE - size of WIN_VM_DISKFILE in GB
+* default - 16
+ADMINNAME - user of Windows admin account
+* default - Administrator
+ADMINPASSWORD - password for ADMINNAME account
+* no default - must be provided
+VM_MAC - MAC address for VM
+* default - will lookup from virsh net-dumpxml default for the VM name
+VM_FQDN - fully qualified host and domain name for the VM
+* default - will lookup from virsh net-dumpxml and getent hosts from the VM name
+VM_CA_NAME - the name of the CA that will be created
+* default - LMDN-LMHN-ca - where
+** LMDN is the leftmost part of the domain name e.g. if your VM_FQDN is ad.test.example.com
+** then the LMDN is "test"
+** LMHN is the leftmost part of the FQDN e.g. if your VM_FQDN is ad.test.example.com
+** then the LMHN is "ad"
+** so the VM_CA_NAME would be test-ad-ca
+VM_AD_DOMAIN - the domain of the AD server
+* default - the part of VM_FQDN after the hostname part e.g. if VM_FQDN is ad.test.example.com
+* the domain is test.example.com
+VM_AD_SUFFIX - the AD root suffix
+* default - derived from the VM_AD_DOMAIN - e.g. test.example.com -> dc=test,dc=example,dc=com
+VM_NETBIOS_NAME - the NETBIOS domain name
+* default - derived from VM_AD_DOMAIN e.g. test.example.com -> TESTEXAMPLECOM
+ADMIN_DN - the full AD DN of the Windows Administrator
+* default - cn=$ADMINNAME,cn=users,$VM_AD_SUFFIX
+
+Windows
+=======
+Windows supports unattended install and setup. In 2008 and some other
+new-ish versions, this is done via a file called autounattend.xml.
+When Windows boots off of the ISO, it looks for a file called
+autounattend.xml in the root directory of all removable media. We use
+a virtual floppy drive (answerfloppy.vfd) as drive A:\ in Windows and
+put the file there.
+
+Setup goes through several different phases, or "passes" in Windows
+parlance. The last pass is oobeSystem. It is during this pass that
+we set the first of our "callback" scripts, postinstall.cmd. We first
+set Windows to AutoLogin the Administrator so that we can use the
+FirstLogonCommands and later RunOnce commands, and tell it to
+AutoLogin 999 times. We use the FirstLogonCommands SynchronousCommand
+to run the postinstall.cmd script. This script uses dcpromo.exe to
+setup Active Directory with our chosen domain. It also activates
+Windows with the specified product key. At the end, it creates the
+RunOnce script for the next setup pass (setuppass2.cmd), and tells
+Windows to reboot in 2 minutes. Active Directory requires a reboot in
+order to complete the setup process.
+
+During the setuppass2 pass at next login, we install and configure
+Certificate Services in Standalone Root CA mode (setupca.vbs /IS),
+then set the RunOnce to run setuppass3.cmd, and reboot again in 2
+minutes.
+
+During the setuppass3 pass at next login, we generate an AD server
+cert request, submit it to the CA, sign it, and install it in the AD
+cert repo, using certreq and certutil. Once this is done, AD will
+automatically configure itself to be a TLS/SSL server.
+
+The different Windows files are:
+PLATFORM.xml - e.g. win2k8x8664.xml - this is copied to the virtual floppy disk as the main
+autounattend.xml file
+postinstall.cmd - activate Windows with the specified product key, setup AD, setup pass2, reboot
+setuppass2.cmd - install and setup Cert Services, setup pass3, reboot
+setuppass3.cmd - request and install AD server cert
+dcinstall.ini - unattended setup file for AD
+adcertreq.inf - unattended AD cert request file
+Setupca.vbs - Virtual Basic script that installs and sets up Cert Services
+otherfiles - currently unused
+
+Windows Troubleshooting
+=======================
+For general setup issues, look in c:\windows\panther\setup*.log
+
+dcpromo - c:\dcinstall.log
+setupca.vbs - c:\_setupca.log
+postinstall - c:\postinstall.log
+setuppass2 - c:\setuppass2.log
+setuppass3 - c:\setuppass3.log
+
+References
+==========
+Windows Unattended Installation Information for 2008
+* http://technet.microsoft.com/en-us/library/cc730695%28v=WS.10%29.aspx
+Sample Unattend.xml files for 2008
+* http://technet.microsoft.com/en-us/library/cc732280(v=ws.10)
+Enabling TLS/SSL in Active Directory
+* http://www.richardhyland.com/diary/2009/05/12/installing-a-ssl-certificate-on-your-domain-controller/
+* http://support.microsoft.com/default.aspx?scid=kb;en-us;321051
+Windows certreq reference
+* http://technet.microsoft.com/en-us/library/cc736326%28v=ws.10%29
+Source for Setupca.vbs
+* http://blogs.technet.com/b/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx
+* http://technet.microsoft.com/en-us/library/ee918754(WS.10).aspx
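Review bot: the Running section (`ADMINPASSWORD="your windows admin password" make-ad-vm.sh`) and the Windows section ("set Windows to AutoLogin the Administrator ... AutoLogin 999 times") together imply that the Administrator password has to be placed in the generated autounattend.xml on answerfloppy.vfd for AutoLogon to work, and that the VM keeps logging the Administrator in automatically after setuppass3 has finished, but the README says neither and gives no cleanup step. Add a short note under Running or Windows Troubleshooting stating that the password is written to the answer floppy, that the floppy should be detached from the VM and deleted once setuppass3 completes, and that the AutoLogon count should be cleared at the end of setuppass3 rather than left at 999 on a domain controller that now also hosts a root CA. Smaller points in the same file: the parameter list uses `- default - ad` for VM_NAME but `* default - ...` for every other variable, so make the VM_NAME entry `* default - ad`; VM_NETBIOS_NAME is documented as derived by concatenating the domain labels (test.example.com -> TESTEXAMPLECOM), which for a longer domain exceeds the 15-character NetBIOS domain name limit, so either truncate in the script or document that the user must then set VM_NETBIOS_NAME explicitly; and "Virtual Basic script" should read "Visual Basic script".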