1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
|
auto-win-vm-ad
==============
Automatically create Windows Virtual Machines with Active Directory
and Certificate Services
This allows you to create a Windows VM complete with Active Directory
and Certificate Services, and Active Directory TLS/SSL enabled,
completely automated and unattended.
Currently only tested on (and hardcoded to work with) RHEL 6.3 with
kvm/qemu virtualization and Windows Server 2008 R2 Enterprise
Datacenter 64-bit.
Pre-Requisites
==============
These are the tools I've used so far:
* RHEL 6.3 64-bit with KVM/QEMU
** qemu-kvm - the basic virtualization packages
** python-virtinst - virt-install
** qemu-img
** libvirt-client - virsh
** dosfstools - mkfs.vfat
** openldap-clients - for testing the AD connection and getting the AD CA cert
** genisoimage - "extras" CD
* en_windows_server_2008_r2_standard_enterprise_datacenter_web_x64_dvd_x15-50365.iso
** an MSDN subscription is required for access to Windows ISO files
and product keys
** I know 2008 R2 Enterprise Datacenter comes with Active Directory
and Certificate Services
** Not sure what other versions contain these
** autounattend.xml, dcinstall.ini, adcertreq.inf, and the cmd scripts
depend on this version
* KVM/Machine setup
** In order to easily keep track of the VM hostname/IP address I have
done the following:
** edit /etc/hosts - assign an IP address and FQDN for the VM
e.g. something like this:
192.168.122.2 ad.test.example.com ad
** The FQDN must be the first one listed (just like for SSL/Kerberos
testing)
** virsh net-edit default - add a name, the IP address from above, and
a unique MAC address
** This part can be automated too
You will need to provide at least the name of the VM to the script.
The script will attempt to find the FQDN, the IP address, and the MAC
address (or you can provide these).
Running
=======
ANS_FILE_DIR=/path/to/thisscript/answerfiles \
VM_NAME=nameofvm \
ADMINPASSWORD="your windows admin password" \
make-ad-vm.sh
There are many, many parameters you can pass as environment variables
VM_NAME - name of virtual machine
- default - ad
VM_IMG_DIR - path to your KVM/QEMU disk images
* default - /var/lib/libvirt/images
ANS_FILE_DIR - path to the config files and scripts used during Windows install/setup
* no default - you must provide this
WIN_VER_REL_ARCH - windows version, release, arch
* default - win2k8x8664
* must correspond to the WIN_ISO
WIN_ISO - the full path and file name of the Windows install ISO
* default - $VM_IMG_DIR/en_windows_server_2008_r2_standard_enterprise_datacenter_web_x64_dvd_x15-50365.iso
WIN_VM_DISKFILE - the full path and file name of the Windows VM disk image
* default - $VM_IMG_DIR/$VM_NAME.raw
VM_RAM - amount of RAM to use for VM, in MB
* default - 2048 (2GB)
VM_CPUS - number of CPUs to use for VM
* default - 2
VM_DISKSIZE - size of WIN_VM_DISKFILE in GB
* default - 16
ADMINNAME - user of Windows admin account
* default - Administrator
ADMINPASSWORD - password for ADMINNAME account
* no default - must be provided
VM_MAC - MAC address for VM
* default - will lookup from virsh net-dumpxml default for the VM name
VM_FQDN - fully qualified host and domain name for the VM
* default - will lookup from virsh net-dumpxml and getent hosts from the VM name
VM_CA_NAME - the name of the CA that will be created
* default - LMDN-LMHN-ca - where
** LMDN is the leftmost part of the domain name e.g. if your VM_FQDN is ad.test.example.com
** then the LMDN is "test"
** LMHN is the leftmost part of the FQDN e.g. if your VM_FQDN is ad.test.example.com
** then the LMHN is "ad"
** so the VM_CA_NAME would be test-ad-ca
VM_AD_DOMAIN - the domain of the AD server
* default - the part of VM_FQDN after the hostname part e.g. if VM_FQDN is ad.test.example.com
* the domain is test.example.com
VM_AD_SUFFIX - the AD root suffix
* default - derived from the VM_AD_DOMAIN - e.g. test.example.com -> dc=test,dc=example,dc=com
VM_NETBIOS_NAME - the NETBIOS domain name
* default - derived from VM_AD_DOMAIN e.g. test.example.com -> TESTEXAMPLECOM
ADMIN_DN - the full AD DN of the Windows Administrator
* default - cn=$ADMINNAME,cn=users,$VM_AD_SUFFIX
Windows
=======
Windows supports unattended install and setup. In 2008 and some other
new-ish versions, this is done via a file called autounattend.xml.
When Windows boots off of the ISO, it looks for a file called
autounattend.xml in the root directory of all removable media. We use
a virtual floppy drive (answerfloppy.vfd) as drive A:\ in Windows and
put the file there.
Setup goes through several different phases, or "passes" in Windows
parlance. The last pass is oobeSystem. It is during this pass that
we set the first of our "callback" scripts, postinstall.cmd. We first
set Windows to AutoLogin the Administrator so that we can use the
FirstLogonCommands and later RunOnce commands, and tell it to
AutoLogin 999 times. We use the FirstLogonCommands SynchronousCommand
to run the postinstall.cmd script. This script uses dcpromo.exe to
setup Active Directory with our chosen domain. It also activates
Windows with the specified product key. At the end, it creates the
RunOnce script for the next setup pass (setuppass2.cmd), and tells
Windows to reboot in 2 minutes. Active Directory requires a reboot in
order to complete the setup process.
During the setuppass2 pass at next login, we install and configure
Certificate Services in Standalone Root CA mode (setupca.vbs /IS),
then set the RunOnce to run setuppass3.cmd, and reboot again in 2
minutes.
During the setuppass3 pass at next login, we generate an AD server
cert request, submit it to the CA, sign it, and install it in the AD
cert repo, using certreq and certutil. Once this is done, AD will
automatically configure itself to be a TLS/SSL server.
The different Windows files are:
PLATFORM.xml - e.g. win2k8x8664.xml - this is copied to the virtual floppy disk as the main
autounattend.xml file
postinstall.cmd - activate Windows with the specified product key, setup AD, setup pass2, reboot
setuppass2.cmd - install and setup Cert Services, setup pass3, reboot
setuppass3.cmd - request and install AD server cert
dcinstall.ini - unattended setup file for AD
adcertreq.inf - unattended AD cert request file
Setupca.vbs - Virtual Basic script that installs and sets up Cert Services
otherfiles - currently unused
Windows Troubleshooting
=======================
For general setup issues, look in c:\windows\panther\setup*.log
dcpromo - c:\dcinstall.log
setupca.vbs - c:\_setupca.log
postinstall - c:\postinstall.log
setuppass2 - c:\setuppass2.log
setuppass3 - c:\setuppass3.log
References
==========
Windows Unattended Installation Information for 2008
* http://technet.microsoft.com/en-us/library/cc730695%28v=WS.10%29.aspx
Sample Unattend.xml files for 2008
* http://technet.microsoft.com/en-us/library/cc732280(v=ws.10)
Enabling TLS/SSL in Active Directory
* http://www.richardhyland.com/diary/2009/05/12/installing-a-ssl-certificate-on-your-domain-controller/
* http://support.microsoft.com/default.aspx?scid=kb;en-us;321051
Windows certreq reference
* http://technet.microsoft.com/en-us/library/cc736326%28v=ws.10%29
Source for Setupca.vbs
* http://blogs.technet.com/b/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx
* http://technet.microsoft.com/en-us/library/ee918754(WS.10).aspx
|
