-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | answerfiles/SetupComplete.cmd.in (renamed from answerfiles/SetupComplete.cmd) | 4 | ||||
-rw-r--r-- | answerfiles/nextscript.cmd.in | 33 | ||||
-rw-r--r-- | answerfiles/postinstall.cmd.in | 13 | ||||
-rw-r--r-- | answerfiles/setuppass2.cmd | 7 | ||||
-rw-r--r-- | answerfiles/setupscript1.cmd.in | 3 | ||||
-rw-r--r-- | answerfiles/setupscript2.cmd.in | 4 | ||||
-rw-r--r-- | answerfiles/setupscript3.cmd.in (renamed from answerfiles/setuppass3.cmd) | 5 | ||||
-rw-r--r-- | answerfiles/specialize.cmd.in (renamed from answerfiles/specialize.cmd) | 2 | ||||
-rw-r--r-- | answerfiles/win2k8x8664.xml.in | 8 | ||||
-rw-r--r-- | make-ad-vm.sh | 91 | ||||
-rw-r--r-- | passsync-vars.cmd.in | 5 | ||||
-rw-r--r-- | setupscript4.cmd.in | 15 |
13 files changed, 136 insertions, 55 deletions
@@ -23,6 +23,7 @@ These are the tools I've used so far: ** libvirt-client - virsh ** dosfstools - mkfs.vfat ** openldap-clients - for testing the AD connection and getting the AD CA cert +** genisoimage - "extras" CD * en_windows_server_2008_r2_standard_enterprise_datacenter_web_x64_dvd_x15-50365.iso ** an MSDN subscription is required for access to Windows ISO files diff --git a/answerfiles/SetupComplete.cmd b/answerfiles/SetupComplete.cmd.in index 70cfe12..0c3fc10 100644 --- a/answerfiles/SetupComplete.cmd +++ b/answerfiles/SetupComplete.cmd.in @@ -2,8 +2,8 @@ echo hello from SetupComplete.cmd rem echo Disable LUA rem reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f rem echo Setup AD as Domain Controller -rem dcpromo.exe /unattend:a:\dcinstall.ini > c:\dcinstall.log 2>&1 +rem dcpromo.exe /unattend:@SETUP_PATH@\dcinstall.ini > c:\dcinstall.log 2>&1 rem echo Install Enterprise Root CA -rem cscript a:\Setupca.vbs /IE +rem cscript @SETUP_PATH@\Setupca.vbs /IE rem echo Enable LUA rem reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f diff --git a/answerfiles/nextscript.cmd.in b/answerfiles/nextscript.cmd.in new file mode 100644 index 0000000..531e0b4 --- /dev/null +++ b/answerfiles/nextscript.cmd.in 
@@ -0,0 +1,33 @@ +rem echo in %0 +set next=%1 +set reboot=%~2 +set max=99 +set nextscript= +echo off +for /L %%i in (%next%,1,%max%) do ( + if EXIST @SETUP_PATH@\setupscript%%i.cmd ( + set nextscript=@SETUP_PATH@\setupscript%%i.cmd + set idx=%%i + goto runscript + ) +) +echo on +echo No more scripts + +:runscript +echo on +if DEFINED reboot ( + if DEFINED nextscript ( + rem echo setup runonce for %nextscript% + reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v SetupPass%idx% /t REG_SZ /d "cmd /c %nextscript% > c:\setuppass%idx%.log 2>&1" + ) + echo %reboot% + shutdown -r -f -t 60 -c "Shutting down in 1 minute %reboot%" + rem echo reboot in 1 minute +) else ( + if DEFINED nextscript ( + rem no reboot - just call the next script + echo run %nextscript% + call %nextscript% > c:\setuppass%idx%.log 2>&1 + ) +) diff --git a/answerfiles/postinstall.cmd.in b/answerfiles/postinstall.cmd.in index 5dd05fd..67fb88f 100644 --- a/answerfiles/postinstall.cmd.in +++ b/answerfiles/postinstall.cmd.in 
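Review bot: nextscript.cmd.in has no header describing its calling convention, although postinstall.cmd.in and setupscript1–4 in this same commit all depend on it. A short block at the top would help, e.g. `rem usage: nextscript.cmd <N> ["reboot message"]` followed by `rem   finds the first existing @SETUP_PATH@\setupscript<N..99>.cmd; with a message it is registered as a RunOnce entry and the machine reboots, without one it is called directly`. The `goto runscript` out of the `for /L` body is evidently the intended way to stop at the first hit, and a one-line `rem` saying so would spare the next reader a double-take, since leaving a parenthesised block that way is easy to misread in cmd. Note also that when no script is found the code falls through into `:runscript` and still reboots if a message was given, which may be intended but is worth stating in the header.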
@@ -2,15 +2,4 @@ echo these are commands to be run upon first login post installation rem echo activate windows with the product key rem cscript c:\Windows\System32\slmgr.vbs /ipk "@PRODUCT_KEY@" rem cscript c:\Windows\System32\slmgr.vbs /ato -echo Setup AD as Domain Controller -%SystemRoot%\System32\dcpromo.exe /unattend:a:\dcinstall.ini > c:\dcinstall.log 2>&1 -rem echo Disable LUA -rem reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f -echo Install Standalone Root CA -cscript a:\Setupca.vbs /IS -rem echo Enable LUA -rem reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f -echo add setuppass2 RunOnce script -reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v SetupPass2 /t REG_SZ /d "cmd /c a:\setuppass2.cmd > c:\setuppass2.log 2>&1" -echo Reboot in 2 minutes because AD install require a reboot to complete -shutdown -r -f -t 120 -c "Shutting down in 2 minutes - Reboot required for AD installation to complete" +@SETUP_PATH@\nextscript.cmd 1 diff --git a/answerfiles/setuppass2.cmd b/answerfiles/setuppass2.cmd deleted file mode 100644 index 42426c6..0000000 --- a/answerfiles/setuppass2.cmd +++ /dev/null @@ -1,7 +0,0 @@ -echo these are commands to be run upon second login post installation -echo Install Standalone Root CA -cscript a:\Setupca.vbs /IS -echo add setuppass3 RunOnce script -reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v SetupPass3 /t REG_SZ /d "cmd /c a:\setuppass3.cmd > c:\setuppass3.log 2>&1" -echo Reboot in 2 minutes because CA install requires a reboot to complete -shutdown -r -f -t 120 -c "Shutting down in 2 minutes - Reboot required for CA installation to complete" diff --git a/answerfiles/setupscript1.cmd.in b/answerfiles/setupscript1.cmd.in new file mode 100644 index 0000000..b2b8e65 --- /dev/null +++ b/answerfiles/setupscript1.cmd.in 
@@ -0,0 +1,3 @@ +echo Setup AD as Domain Controller +%SystemRoot%\System32\dcpromo.exe /unattend:@SETUP_PATH@\dcinstall.ini > c:\dcinstall.log 2>&1 +@SETUP_PATH@\nextscript.cmd 2 "Reboot to complete Active Directory setup" diff --git a/answerfiles/setupscript2.cmd.in b/answerfiles/setupscript2.cmd.in new file mode 100644 index 0000000..feeed8d --- /dev/null +++ b/answerfiles/setupscript2.cmd.in @@ -0,0 +1,4 @@ +echo do this just after AD has been set up +echo Install Standalone Root CA +cscript @SETUP_PATH@\Setupca.vbs /IS +@SETUP_PATH@\nextscript.cmd 3 "Reboot to complete Cert Services setup" diff --git a/answerfiles/setuppass3.cmd b/answerfiles/setupscript3.cmd.in index d93377e..6eae277 100644 --- a/answerfiles/setuppass3.cmd +++ b/answerfiles/setupscript3.cmd.in @@ -1,6 +1,6 @@ -echo these are commands to be run upon third login post installation +echo these are commands to be run after setting up the CA echo create cert request for AD, sign it, and install it -certreq -v -q -new a:\adcertreq.inf c:\adcertreq.req +certreq -v -q -new @SETUP_PATH@\adcertreq.inf c:\adcertreq.req certreq -v -q -submit -attrib "CertificateTemplate:DomainController" c:\adcertreq.req echo this assumes the request ID is 2 - request 1 was the creation of the CA cert itself echo not sure how it is possible to capture the request ID from the certreq -submit output @@ -10,3 +10,4 @@ certreq -v -q -retrieve %requestid% c:\ad.cer c:\ad.p7b certreq -v -q -accept c:\ad.p7b certutil -store my echo you should now be able to access AD via TLS/SSL +@SETUP_PATH@\nextscript.cmd 4 diff --git a/answerfiles/specialize.cmd b/answerfiles/specialize.cmd.in index c6f252a..6a54bb2 100644 --- a/answerfiles/specialize.cmd +++ b/answerfiles/specialize.cmd.in 
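Review bot: setupscript1.cmd.in hands control to `nextscript.cmd 2` whatever dcpromo returned, so a failed promotion still schedules the CA install and a reboot; setupscript2.cmd.in does the same after `cscript @SETUP_PATH@\Setupca.vbs /IS`, and because output goes to c:\dcinstall.log the failure is only visible there. Check the status before chaining, e.g. `if errorlevel 1 ( echo dcpromo failed & exit /b 1 )` — but confirm the threshold against dcpromo's unattended-mode return codes for 2008 R2 first, since as far as I recall they use small positive values for success variants (including success-needs-reboot) as well. A `rem` recording the chosen codes next to the check would make the chain auditable.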
@@ -3,4 +3,4 @@ echo these are commands run during the specialize phase of windows install echo better to use RunSynchronous in most cases echo create our SetupComplete.cmd md c:\windows\setup\scripts -copy a:\SetupComplete.cmd c:\windows\setup\scripts +copy @SETUP_PATH@\SetupComplete.cmd c:\windows\setup\scripts diff --git a/answerfiles/win2k8x8664.xml.in b/answerfiles/win2k8x8664.xml.in index 54918db..0355f98 100644 --- a/answerfiles/win2k8x8664.xml.in +++ b/answerfiles/win2k8x8664.xml.in @@ -63,7 +63,7 @@ <!-- <Description>Setup AD as Domain Controller</Description> <Order>1</Order> - <Path>%SystemRoot%\System32\dcpromo.exe /unattend:a:\dcinstall.ini</Path> + <Path>%SystemRoot%\System32\dcpromo.exe /unattend:@SETUP_PATH@\dcinstall.ini</Path> --> <!-- <WillReboot>OnRequest</WillReboot> 2012-07-17 14:31:27, Error [setup.exe] SMI data results dump: Source = Name: Microsoft-Windows-Setup, Language: neutral, ProcessorArchitecture: amd64, PublicKeyToken: 31bf3856ad364e35, VersionScope: nonSxS, /settings/RunSynchronous/RunSynchronousCommand/[Order="1"]/WillReboot @@ -97,7 +97,7 @@ <RunSynchronousCommand wcm:action="add"> <Description>Run Specialization commands</Description> <Order>1</Order> - <Path>cmd /c a:\specialize.cmd > c:\specialize.log 2>&1</Path> + <Path>cmd /c @SETUP_PATH@\specialize.cmd > c:\specialize.log 2>&1</Path> </RunSynchronousCommand> </RunSynchronous> </component> @@ -107,7 +107,7 @@ <RunSynchronous> <RunSynchronousCommand wcm:action="add"> <Order>1</Order> - <Path>cmd /c a:\audituser.cmd > c:\audituser.log 2>&1</Path> + <Path>cmd /c @SETUP_PATH@\audituser.cmd > c:\audituser.log 2>&1</Path> </RunSynchronousCommand> </RunSynchronous> </component> 
@@ -150,7 +150,7 @@ </AutoLogon> <FirstLogonCommands> <SynchronousCommand wcm:action="add"> - <CommandLine>cmd /c a:\postinstall.cmd > c:\postinstall.log 2>&1</CommandLine> + <CommandLine>cmd /c @SETUP_PATH@\postinstall.cmd > c:\postinstall.log 2>&1</CommandLine> <Order>1</Order> <Description>Run Post-Install commands</Description> </SynchronousCommand> diff --git a/make-ad-vm.sh b/make-ad-vm.sh index 5191578..7b1e206 100644 --- a/make-ad-vm.sh +++ b/make-ad-vm.sh @@ -3,8 +3,8 @@ # lots of parameters to set or override VM_IMG_DIR=${VM_IMG_DIR:-/var/lib/libvirt/images} ANS_FLOPPY=${ANS_FLOPPY:-$VM_IMG_DIR/answerfloppy.vfd} -ANS_FILE_DIR=${ANS_FILE_DIR:-/share/auto-win-vm-ad/answerfiles} FLOPPY_MNT=${FLOPPY_MNT:-/mnt/floppy} +ANS_FILE_DIR=${ANS_FILE_DIR:-/share/auto-win-vm-ad/answerfiles} WIN_VER_REL_ARCH=${WIN_VER_REL_ARCH:-win2k8x8664} WIN_ISO=${WIN_ISO:-$VM_IMG_DIR/en_windows_server_2008_r2_standard_enterprise_datacenter_web_x64_dvd_x15-50365.iso} # windows server needs lots of ram, cpu, disk @@ -14,6 +14,7 @@ VM_DISKSIZE=${VM_DISKSIZE:-16} VM_NAME=${VM_NAME:-ad} WIN_VM_DISKFILE=${WIN_VM_DISKFILE:-$VM_IMG_DIR/$VM_NAME.raw} ADMINNAME=${ADMINNAME:-Administrator} +SETUP_PATH=${SETUP_PATH:-"E:"} # fix .in files do_subst() @@ -26,6 +27,7 @@ do_subst() -e "s/@VM_NAME@/$VM_NAME/g" \ -e "s/@VM_FQDN@/$VM_FQDN/g" \ -e "s/@PRODUCT_KEY@/$PRODUCT_KEY/g" \ + -e "s/@SETUP_PATH@/$SETUP_PATH/g" \ $1 } 
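Review bot: The new `-e "s/@SETUP_PATH@/$SETUP_PATH/g"` line interpolates `$SETUP_PATH` into a sed replacement unescaped; the default `E:` is harmless, but an override such as `E:\setup` or any value containing `/` or `&` either breaks the expression or has its backslashes interpreted by sed, silently corrupting every generated .cmd file and the autounattend.xml. Escape it once before use, e.g. `setup_path_sed=$(printf '%s' "$SETUP_PATH" | sed 's/[\\/&]/\\&/g')` and then `-e "s/@SETUP_PATH@/$setup_path_sed/g"`. The same weakness exists for the pre-existing substitutions (notably `@PRODUCT_KEY@`), though those are not part of this change. do_subst begins before this hunk.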
@@ -71,34 +73,64 @@ VM_AD_SUFFIX=${VM_AD_SUFFIX:-"$suffix"} VM_NETBIOS_NAME=${VM_NETBIOS_NAME:-"$netbios"} ADMIN_DN=${ADMIN_DN:-"cn=$ADMINNAME,cn=users,$VM_AD_SUFFIX"} -if [ ! -f $ANS_FLOPPY ] ; then - mkfs.vfat -C $ANS_FLOPPY 1440 || { echo error $? from mkfs.vfat -C $ANS_FLOPPY 1440 ; exit 1 ; } -fi - -if [ ! -d $FLOPPY_MNT ] ; then - mkdir -p $FLOPPY_MNT || { echo error $? from mkdir -p $FLOPPY_MNT ; exit 1 ; } -fi +if [ -n "$USE_FLOPPY" ] ; then + if [ ! -f $ANS_FLOPPY ] ; then + mkfs.vfat -C $ANS_FLOPPY 1440 || { echo error $? from mkfs.vfat -C $ANS_FLOPPY 1440 ; exit 1 ; } + fi -mount -o loop -t vfat $ANS_FLOPPY $FLOPPY_MNT || { echo error $? from mount -o loop -t vfat $ANS_FLOPPY $FLOPPY_MNT ; exit 1 ; } - -# replace .in files with the real data -# convert to DOS format to make them easier to read in Windows -for file in $ANS_FILE_DIR/* ; do - err= - case $file in - *$WIN_VER_REL_ARCH.xml*) outfile=$FLOPPY_MNT/autounattend.xml ;; - *) outfile=$FLOPPY_MNT/`basename $file .in` ;; - esac - case $file in - *.in) do_subst $file | sed 's/$/
/' > $outfile || err=$? ;; - *) sed 's/$/
/' $file > $outfile || err=$? ;; - esac - if [ -n "$err" ] ; then - echo error $err copying $file to $outfile ; umount $FLOPPY_MNT ; exit 1 + if [ ! -d $FLOPPY_MNT ] ; then + mkdir -p $FLOPPY_MNT || { echo error $? from mkdir -p $FLOPPY_MNT ; exit 1 ; } fi -done -umount $FLOPPY_MNT || { echo error $? from umount $FLOPPY_MNT ; exit 1 ; } + mount -o loop -t vfat $ANS_FLOPPY $FLOPPY_MNT || { echo error $? from mount -o loop -t vfat $ANS_FLOPPY $FLOPPY_MNT ; exit 1 ; } + + # replace .in files with the real data + # convert to DOS format to make them easier to read in Windows + for file in $ANS_FILE_DIR/* ; do + err= + case $file in + *$WIN_VER_REL_ARCH.xml*) outfile=$FLOPPY_MNT/autounattend.xml ;; + *) outfile=$FLOPPY_MNT/`basename $file .in` ;; + esac + case $file in + *.in) do_subst $file | sed 's/$/
/' > $outfile || err=$? ;; + *) sed 's/$/
/' $file > $outfile || err=$? ;; + esac + if [ -n "$err" ] ; then + echo error $err copying $file to $outfile ; umount $FLOPPY_MNT ; exit 1 + fi + done + + umount $FLOPPY_MNT || { echo error $? from umount $FLOPPY_MNT ; exit 1 ; } + VI_FLOPPY="--disk path=$ANS_FLOPPY,device=floppy" +else + # just put everything on the CD + # first need a staging area + staging=`mktemp -d` + for file in $ANS_FILE_DIR/* "$@" ; do + err= + case $file in + *$WIN_VER_REL_ARCH.xml*) outfile=$staging/autounattend.xml ;; + *) outfile=$staging/`basename $file .in` ;; + esac + case $file in + *.in) do_subst $file | sed 's/$/
/' > $outfile || err=$? ;; + *.vbs|*.cmd|*.txt|*.inf|*.ini|*.xml) sed 's/$/
/' $file > $outfile || err=$? ;; + # just assume everything else is binary or we don't want to convert it + *) cp -p $file $outfile || err=$? ;; + esac + if [ -n "$err" ] ; then + echo error $err copying $file to $outfile ; umount $FLOPPY_MNT ; exit 1 + fi + done + EXTRAS_CD_ISO=${EXTRAS_CD_ISO:-$VM_IMG_DIR/$VM_NAME-extra-cdrom.iso} + rm -f $EXTRAS_CD_ISO + genisoimage -iso-level 4 -J -l -R -o $EXTRAS_CD_ISO $staging/* || { echo Error $? from genisoimage $EXTRAS_CD_ISO $staging/* ; exit 1 ; } + if [ -n "$VI_DEBUG" ] ; then + rm -rf $staging + fi + VI_EXTRAS_CD="--disk path=$EXTRAS_CD_ISO,device=cdrom" +fi serialpath=/tmp/serial-`date +'%Y%m%d%H%M%S'`.$$ @@ -107,7 +139,7 @@ virt-install --connect=qemu:///system --hvm \ --cdrom $WIN_ISO --vnc --os-type windows \ --serial file,path=$serialpath --serial pty \ --disk path=$WIN_VM_DISKFILE,bus=ide,size=$VM_DISKSIZE,format=raw,cache=none \ - --disk path=$ANS_FLOPPY,device=floppy \ + $VI_FLOPPY $VI_EXTRAS_CD \ --network=bridge=virbr0,model=rtl8139,mac=$VM_MAC \ $VI_DEBUG --noautoconsole || { echo error $? from virt-install ; exit 1 ; } @@ -147,3 +179,8 @@ else LDAPTLS_CACERT=$TMP_CACERT ldapsearch -d 1 -xLLL -ZZ -H ldap://$VM_FQDN -s base -b "" currenttime exit 1 fi + +if [ -n "$WIN_CA_CERT_FILE" ] ; then + cp -p $TMP_CACERT $WIN_CA_CERT_FILE + rm -f $TMP_CACERT +fi diff --git a/passsync-vars.cmd.in b/passsync-vars.cmd.in new file mode 100644 index 0000000..0df3a71 --- /dev/null +++ b/passsync-vars.cmd.in @@ -0,0 +1,5 @@ +set DS_FQDN=vmhost.testdomain.com +set PASSSYNC_PW=Secret123 +set DS_PORT=1389 +set DS_SUFFIX=dc=testdomain,dc=com +set PASSSYNC_DN=cn=directory manager diff --git a/setupscript4.cmd.in b/setupscript4.cmd.in new file mode 100644 index 0000000..3f89aa4 --- /dev/null +++ b/setupscript4.cmd.in 
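Review bot: In the CD branch, `if [ -n "$VI_DEBUG" ] ; then rm -rf $staging ; fi` removes the staging directory only when debugging is on, which looks inverted: on a normal run the mktemp directory — holding the substituted answer files, i.e. whatever `@PRODUCT_KEY@` expanded to and, when passed via `"$@"`, the PassSync variables — is left behind under /tmp. Suggest `if [ -z "$VI_DEBUG" ] ; then rm -rf "${staging:?}" ; fi`; the `:?` also guards against an empty `staging`, since the `mktemp -d` result is not checked. The error path inside the new loop still runs `umount $FLOPPY_MNT` although nothing was mounted in this branch; it should remove `$staging` instead. The ISO written to `$VM_IMG_DIR` carries the same expanded values, so its resulting permissions deserve a look against the umask in effect when genisoimage runs.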
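Review bot: `rm -f $TMP_CACERT` sits inside the new `if [ -n "$WIN_CA_CERT_FILE" ]` block, so when no destination is given the temporary copy of the AD CA certificate stays on disk; moving `rm -f $TMP_CACERT` after the `fi` cleans up on both paths. The `cp -p $TMP_CACERT $WIN_CA_CERT_FILE` is also unchecked, unlike the rest of the script; `cp -p -- "$TMP_CACERT" "$WIN_CA_CERT_FILE" || { echo error $? copying CA cert ; exit 1 ; }` would match the existing error-handling style. Where TMP_CACERT is created lies outside this hunk.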
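Review bot: passsync-vars.cmd.in commits a literal bind password (`set PASSSYNC_PW=Secret123`) together with environment-specific host, port and suffix values, even though the file is already a `.in` template and make-ad-vm.sh's do_subst exists for exactly this purpose. Use placeholders filled at build time, e.g. `set PASSSYNC_PW=@PASSSYNC_PW@` with a matching `-e "s/@PASSSYNC_PW@/$PASSSYNC_PW/g"` in do_subst (and likewise for DS_FQDN, DS_PORT, DS_SUFFIX and PASSSYNC_DN), so the secret comes from the operator's environment rather than from git history. The expanded value is afterwards written in clear into HKLM\Software\PasswordSync by setupscript4.cmd.in, which is how PassSync is configured, so the extras ISO and the registry are where it will live anyway; the repository should not be a further copy.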
@@ -0,0 +1,15 @@
+call @SETUP_PATH@\passsync-vars.cmd
+for %%i in (@SETUP_PATH@\*PassSync*.msi) do msiexec /i %%i /quiet /passive /log c:\passsync-msi.log
+reg add HKLM\Software\PasswordSync /f /v "Host Name" /t REG_SZ /d %DS_FQDN%
+reg add HKLM\Software\PasswordSync /f /v "Password" /t REG_SZ /d "%PASSSYNC_PW%"
+reg add HKLM\Software\PasswordSync /f /v "Port Number" /t REG_SZ /d %DS_PORT%
+reg add HKLM\Software\PasswordSync /f /v "Search Base" /t REG_SZ /d "%DS_SUFFIX%"
+reg add HKLM\Software\PasswordSync /f /v "User Name" /t REG_SZ /d "%PASSSYNC_DN%"
+
+setlocal ENABLEEXTENSIONS
+for /f "skip=2 tokens=1-3*" %%a in ('reg query HKLM\Software\PasswordSync /v "Install Path"') do set instpath=%%d
+cd "%instpath%"
+certutil.exe -d . -A -n "DS CA cert" -t CT,, -a -i @SETUP_PATH@\ds-ca-cert.cer
+certutil.exe -d . -L -n "DS CA cert"
+
+@SETUP_PATH@\nextscript.cmd 5 "Reboot to complete PassSync installation" |
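Review bot: `cd "%instpath%"` in setupscript4.cmd.in does not switch drives and does not abort the script on failure, so if PassSync's install path is on C: while the script runs from `@SETUP_PATH@` (E: by default), or if the `for /f ... reg query` parse yields nothing, the following `certutil.exe -d .` operates on the wrong directory and the DS CA certificate never lands in PassSync's database. Use `cd /d "%instpath%" || exit /b 1`, and echo `%instpath%` beforehand so the log shows what was parsed. The `for /f "skip=2 tokens=1-3*"` parse depends on the exact column layout of `reg query` output; a `rem` stating that `%%d` is the data following the `REG_SZ` column would help the next reader.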