auto-win-vm-ad
==============

Automatically create Windows Virtual Machines with Active Directory and Certificate Services

This allows you to create a Windows VM complete with Active Directory and Certificate Services, and Active Directory TLS/SSL enabled, completely automated and unattended.

Currently only tested on (and hardcoded to work with) RHEL 6.3 with kvm/qemu virtualization and Windows Server 2008 R2 Enterprise Datacenter 64-bit.

Pre-Requisites
==============

These are the tools I've used so far:

* RHEL 6.3 64-bit with KVM/QEMU
** qemu-kvm - the basic virtualization packages
** python-virtinst - virt-install
** qemu-img
** libvirt-client - virsh
** dosfstools - mkfs.vfat
** openldap-clients - for testing the AD connection and getting the AD CA cert
** genisoimage - "extras" CD
* en_windows_server_2008_r2_standard_enterprise_datacenter_web_x64_dvd_x15-50365.iso
** an MSDN subscription is required for access to Windows ISO files and product keys
** I know 2008 R2 Enterprise Datacenter comes with Active Directory and Certificate Services
** Not sure what other versions contain these
** autounattend.xml, dcinstall.ini, adcertreq.inf, and the cmd scripts depend on this version
* KVM/Machine setup
** In order to easily keep track of the VM hostname/IP address I have done the following:
** edit /etc/hosts - assign an IP address and FQDN for the VM, e.g. something like this:
   192.168.122.2 ad.test.example.com ad
** The FQDN must be the first one listed (just like for SSL/Kerberos testing)
** virsh net-edit default - add a name, the IP address from above, and a unique MAC address
** This part can be automated too

You will need to provide at least the name of the VM to the script. The script will attempt to find the FQDN, the IP address, and the MAC address (or you can provide these).
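The lookups and name derivations the script falls back to (MAC and IP from virsh net-dumpxml, FQDN from the hosts table, and the VM_AD_DOMAIN, VM_AD_SUFFIX, VM_NETBIOS_NAME, VM_CA_NAME and ADMIN_DN defaults described under Running below), as an added POSIX shell example that is not the project's own make-ad-vm.sh; the virsh output and hosts line it parses are constructed stand-ins, and the function names are assumptions:

```shell
#!/bin/sh
# Added example, not the project's make-ad-vm.sh. It mimics the defaulting the
# README describes: look the VM's MAC/IP up in the libvirt network definition,
# take the FQDN from the hosts table, then derive the AD names from VM_FQDN.
# Both inputs below are constructed stand-ins for real command output.

# Constructed stand-in for the output of "virsh net-dumpxml default".
NET_XML='<network>
  <name>default</name>
  <ip address="192.168.122.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.122.2" end="192.168.122.254"/>
      <host mac="52:54:00:aa:bb:cc" name="ad" ip="192.168.122.2"/>
    </dhcp>
  </ip>
</network>'
# Constructed stand-in for "getent hosts 192.168.122.2"; the FQDN is listed first.
HOSTS_LINE='192.168.122.2   ad.test.example.com ad'

# Print attribute $2 (mac or ip) of the <host> entry whose name is $1 in XML $3.
net_host_attr() {
    printf '%s\n' "$3" | grep '<host ' | grep "name=['\"]$1['\"]" |
        sed -n "s/.*$2=['\"]\([^'\"]*\)['\"].*/\1/p"
}
# Second field of a hosts line is the canonical (fully qualified) name.
fqdn_from_hosts() { set -- $1; echo "$2"; }

# ad.test.example.com -> test.example.com  (VM_AD_DOMAIN)
ad_domain() { echo "${1#*.}"; }
# test.example.com -> dc=test,dc=example,dc=com  (VM_AD_SUFFIX)
ad_suffix() { echo "$1" | sed -e 's/^/dc=/' -e 's/\./,dc=/g'; }
# test.example.com -> TESTEXAMPLECOM  (VM_NETBIOS_NAME)
netbios_name() { echo "$1" | tr -d '.' | tr '[:lower:]' '[:upper:]'; }
# ad.test.example.com -> test-ad-ca, i.e. LMDN-LMHN-ca  (VM_CA_NAME)
ca_name() { d="${1#*.}"; echo "${d%%.*}-${1%%.*}-ca"; }
# Administrator + suffix -> cn=Administrator,cn=users,<suffix>  (ADMIN_DN)
admin_dn() { echo "cn=$1,cn=users,$2"; }

# Usage: the defaults the script would settle on for VM_NAME=ad.
VM_NAME=ad
VM_MAC=$(net_host_attr "$VM_NAME" mac "$NET_XML")
VM_IP=$(net_host_attr "$VM_NAME" ip "$NET_XML")
VM_FQDN=$(fqdn_from_hosts "$HOSTS_LINE")
VM_AD_DOMAIN=$(ad_domain "$VM_FQDN")
VM_AD_SUFFIX=$(ad_suffix "$VM_AD_DOMAIN")
echo "VM_MAC=$VM_MAC VM_FQDN=$VM_FQDN (ip $VM_IP)"
echo "VM_AD_DOMAIN=$VM_AD_DOMAIN VM_AD_SUFFIX=$VM_AD_SUFFIX"
echo "VM_NETBIOS_NAME=$(netbios_name "$VM_AD_DOMAIN") VM_CA_NAME=$(ca_name "$VM_FQDN")"
echo "ADMIN_DN=$(admin_dn Administrator "$VM_AD_SUFFIX")"
```

Setting any of these variables in the environment before running the real script skips the corresponding lookup, which is the safer choice when the VM name appears more than once in the network definition.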
Running
=======

  ANS_FILE_DIR=/path/to/thisscript/answerfiles \
  VM_NAME=nameofvm \
  ADMINPASSWORD="your windows admin password" \
  make-ad-vm.sh

There are many, many parameters you can pass as environment variables:

VM_NAME - name of virtual machine
* default - ad
VM_IMG_DIR - path to your KVM/QEMU disk images
* default - /var/lib/libvirt/images
ANS_FILE_DIR - path to the config files and scripts used during Windows install/setup
* no default - you must provide this
WIN_VER_REL_ARCH - windows version, release, arch
* default - win2k8x8664
* must correspond to the WIN_ISO
WIN_ISO - the full path and file name of the Windows install ISO
* default - $VM_IMG_DIR/en_windows_server_2008_r2_standard_enterprise_datacenter_web_x64_dvd_x15-50365.iso
WIN_VM_DISKFILE - the full path and file name of the Windows VM disk image
* default - $VM_IMG_DIR/$VM_NAME.raw
VM_RAM - amount of RAM to use for VM, in MB
* default - 2048 (2GB)
VM_CPUS - number of CPUs to use for VM
* default - 2
VM_DISKSIZE - size of WIN_VM_DISKFILE in GB
* default - 16
ADMINNAME - user of Windows admin account
* default - Administrator
ADMINPASSWORD - password for ADMINNAME account
* no default - must be provided
VM_MAC - MAC address for VM
* default - will look it up from virsh net-dumpxml default for the VM name
VM_FQDN - fully qualified host and domain name for the VM
* default - will look it up from virsh net-dumpxml and getent hosts from the VM name
VM_CA_NAME - the name of the CA that will be created
* default - LMDN-LMHN-ca - where
** LMDN is the leftmost part of the domain name, e.g. if your VM_FQDN is ad.test.example.com
** then the LMDN is "test"
** LMHN is the leftmost part of the FQDN, e.g. if your VM_FQDN is ad.test.example.com
** then the LMHN is "ad"
** so the VM_CA_NAME would be test-ad-ca
VM_AD_DOMAIN - the domain of the AD server
* default - the part of VM_FQDN after the hostname part, e.g. if VM_FQDN is ad.test.example.com
* the domain is test.example.com
VM_AD_SUFFIX - the AD root suffix
* default - derived from the VM_AD_DOMAIN, e.g. test.example.com -> dc=test,dc=example,dc=com
VM_NETBIOS_NAME - the NETBIOS domain name
* default - derived from VM_AD_DOMAIN, e.g. test.example.com -> TESTEXAMPLECOM
ADMIN_DN - the full AD DN of the Windows Administrator
* default - cn=$ADMINNAME,cn=users,$VM_AD_SUFFIX

Windows
=======

Windows supports unattended install and setup. In 2008 and some other new-ish versions, this is done via a file called autounattend.xml. When Windows boots off of the ISO, it looks for a file called autounattend.xml in the root directory of all removable media. We use a virtual floppy drive (answerfloppy.vfd) as drive A:\ in Windows and put the file there.

Setup goes through several different phases, or "passes" in Windows parlance. The last pass is oobeSystem. It is during this pass that we set the first of our "callback" scripts, postinstall.cmd. We first set Windows to AutoLogon the Administrator so that we can use the FirstLogonCommands and later RunOnce commands, and tell it to AutoLogon 999 times. We use the FirstLogonCommands SynchronousCommand to run the postinstall.cmd script. This script uses dcpromo.exe to set up Active Directory with our chosen domain. It also activates Windows with the specified product key. At the end, it creates the RunOnce script for the next setup pass (setuppass2.cmd), and tells Windows to reboot in 2 minutes. Active Directory requires a reboot in order to complete the setup process.

During the setuppass2 pass at next login, we install and configure Certificate Services in Standalone Root CA mode (setupca.vbs /IS), then set the RunOnce to run setuppass3.cmd, and reboot again in 2 minutes.

During the setuppass3 pass at next login, we generate an AD server cert request, submit it to the CA, sign it, and install it in the AD cert repo, using certreq and certutil.
Once this is done, AD will automatically configure itself to be a TLS/SSL server.

The different Windows files are:

* PLATFORM.xml - e.g. win2k8x8664.xml - this is copied to the virtual floppy disk as the main autounattend.xml file
* postinstall.cmd - activate Windows with the specified product key, set up AD, set up pass2, reboot
* setuppass2.cmd - install and set up Cert Services, set up pass3, reboot
* setuppass3.cmd - request and install AD server cert
* dcinstall.ini - unattended setup file for AD
* adcertreq.inf - unattended AD cert request file
* Setupca.vbs - Visual Basic script that installs and sets up Cert Services
* otherfiles - currently unused

Windows Troubleshooting
=======================

For general setup issues, look in c:\windows\panther\setup*.log

* dcpromo - c:\dcinstall.log
* setupca.vbs - c:\_setupca.log
* postinstall - c:\postinstall.log
* setuppass2 - c:\setuppass2.log
* setuppass3 - c:\setuppass3.log

References
==========

Windows Unattended Installation Information for 2008
* http://technet.microsoft.com/en-us/library/cc730695%28v=WS.10%29.aspx
Sample Unattend.xml files for 2008
* http://technet.microsoft.com/en-us/library/cc732280(v=ws.10)
Enabling TLS/SSL in Active Directory
* http://www.richardhyland.com/diary/2009/05/12/installing-a-ssl-certificate-on-your-domain-controller/
* http://support.microsoft.com/default.aspx?scid=kb;en-us;321051
Windows certreq reference
* http://technet.microsoft.com/en-us/library/cc736326%28v=ws.10%29
Source for Setupca.vbs
* http://blogs.technet.com/b/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx
* http://technet.microsoft.com/en-us/library/ee918754(WS.10).aspx