Wolftest Rebuild Process

PREREQUISITES

  •  Wolftest/Wolftest2 base VM shells have been created and network VLANs assigned.
  •  QIP configured with each VM's hardware address and IP address, using the M-DHCP and WDS-Main template. This avoids statically assigned IP addresses and allows for faster server rebuilds.
  •  QIP configured with wolftest(2).ad.ncsu.edu dns namespace.
  •  Comtech Cisco Firewall has been configured to allow standard Windows and Active Directory port communication.
  •  Scripts created to import schema, OU structure, users, groups, and group policy objects from Wolftech.
  •  Scripts created to automate roles installations on various servers (DCs, file server, adfs, dfs, etc.).


The general sequence is:

  1. Run the scripts to export the schema, OU structure, users, groups, and group policy objects from Wolftech.
  2. Refresh the VMs with a new “Windows Server 2008 R2 Enterprise SP1 NDJ” image after formatting the original “C:” partition during the WDS creation of the VM client. Note: this VM will have 2 partitions, with C being 30 GB (30720 MB) and D being 16-19 GB (the remaining space). C is Disk 0 Partition 2. Format both Disk 0 Partition 2 and Disk 1 Partition 1. Highlight Disk 0 Partition 2 before continuing, so that this partition becomes the primary System partition.
  3. Recreate the initial DC (Chekov), promote it to a DC, and export the resulting SRV record information from that server.
  4. Submit the SRV record information to ComTech. This SRV record should include all the DC01 details from the netlogon.dns, the generic DC02 netlogon.dns details (lacking the unique GUID details created at server-to-domain join time), and the KMS details for the line on _vlmcs._tcp.wolftest.ad.ncsu.edu.
  5. Run the scripts to import the schema, OU structure, users, groups, and group policy objects on the new DC1 (Chekov).
  6. Recreate the 2nd DC (Sulu):
  • If the SRV record has been processed by ComTech, then setup the 2nd DC (Sulu) and export the additional SRV record information.
  • Submit the combined SRV record information to ComTech.
  • Create the joined Root CA that will also serve as the Enterprise CA.
  • Create the remaining servers (file server, adfs, dfs, etc.).

Scripts are available on \\oitfs00.oit.ncsu.edu\oit-test\Wolftest\scripts to simplify and standardize the various server setup and configuration steps. The initial script to run is 0-copy-and-rename.cmd. All the other scripts will then be copied to C:\Temp.

Steps for creating the VMs from PXE source:

  • Log in to the vSphere vCenter client and select the VM to rebuild. Wolftest VMs are located under Joint Services\Wolftest when viewing by VMs and Templates.
  • Force the server to PXE boot by selecting the vSphere server’s console VM=>Power=>Reset option and then repeatedly pressing the F12 key.
  • Within PXE, select Windows Server 2008 R2 Enterprise SP1 NDJ as the Operating System.


Creation Sequence:

2.0.  Create initial computer which will become the first Domain Controller.
2.0.1.  Close the “Initial Configuration Tasks” window and the “Server Manager” windows.
2.0.2.  From Start, right click on Command Prompt and select “Run as Administrator”.
2.0.3.  From within the command prompt, enter the following:

  •  net use * \\oitfs00.oit.ncsu.edu\oit-test\wolftest /user:{your .admin account of wolftech}@wolftech.ad.ncsu.edu *
  •  Z: (or the drive that was mapped above)
  • CD  scripts\
  • 0-copy-and-name.cmd
[Time and time zone will be set; VMWare tools will be installed; after about 3 minutes, you will be prompted to enter the computer’s NETBIOS name (this is subject to further scripting);  next, the administrator account will be renamed to LOCAL_ and the system will reboot.]

2.0.4.  After the system reboots:

  • Login.
  • Browse to C:\Temp and right click on 2-setup-server-DC.cmd.  Select “Run as Administrator”.
  • You will be prompted to login to wolftech (use your .admin account).
  • [DNS options are configured; patching begins; Trend Micro OfficeScan is installed; firewall ports are opened; AD-DC roles are added; remote-admin services are established.]
  • About 40-50 minutes later, choose to “postpone 10 minutes” when the popup window requests a reboot.
  • If at the command prompt there is a request to install updates, enter “Y” to install them, delaying any reboot request.
  • When the Reboot prompt appears, reboot.

2.0.5.  After the system reboots, login.

  • Use the Server Manager utility to change the CD-Rom drive to R, if the first script has not made the change.
  • Use the Server Manager utility to Create the D partition as an NTFS drive with the name of NTDS (this is subject to further scripting).
  • Browse to C:\Temp and right click on 3-dcpromo-dc1.cmd.  Select “Run as Administrator”.
  • You will be prompted to login to wolftech (use your .admin account).
  • The system will reboot on its own at the completion of this phase.

2.0.6.  After the system reboots, login.

  • Browse to C:\Temp and right click on 4-dc1-finish.cmd.  Select “Run as Administrator”.
  • You will be prompted to login to wolftech (use your .admin account).
  • [The domain SRV record that needs to be submitted to ComTech will be generated and copied to \\oitfs00.oit.ncsu.edu\oit-test\wolftest\zone-src-info. AD blob files for various servers will be created/provisioned.]

2.0.7.  Install any remaining updates.
2.0.8.  Submit SRV record to Comtech prior to installing 2nd domain controller.
2.1.  Time to run Jonn Perry’s code to import AD Schema, GPOs and AD OU structure.


2.2.  Create the 2nd Domain Controller.  This can only begin after ComTech processes the SRV records generated after the creation of the first Domain Controller.

2.2.1.  Close the “Initial Configuration Tasks” window and the “Server Manager” windows.
2.2.2.  From Start, right click on Command Prompt and select “Run as Administrator”.
2.2.3.  From within the command prompt, enter the following:

  •  net use * \\oitfs00.oit.ncsu.edu\oit-test\wolftest
  •  Z: (or the drive that was mapped above)
  • CD  scripts\
  • 0-copy-and-name.cmd
[Time and time zone will be set; VMWare tools will be installed; after about 3 minutes, you will be prompted to enter the computer’s NETBIOS name;  next, the administrator account will be renamed to LOCAL_ and the system will reboot.]

2.2.4.  After the system reboots:

  • Login.
  • Browse to C:\Temp and right click on 2-setup-server-DC.cmd.  Select “Run as Administrator”.
  • You will be prompted to login to wolftech (use your .admin account).
  • [DNS options are configured; patching begins; Trend Micro OfficeScan is installed; firewall ports are opened; AD-DC roles are added; remote-admin services are established.]
  • About 40-50 minutes later, choose to “postpone 10 minutes” when the popup window requests a reboot.
  • In the command prompt, enter “Y” to install updates.
  • When the Reboot prompt appears, reboot.

2.2.5.  After the system reboots, login.

  • Browse to C:\Temp and right click on 3-dcpromo-dc2.cmd.  Select “Run as Administrator”.
  • You will be prompted to login to wolftech (use your .admin account).
  • The system will reboot on its own at the completion of this phase.

2.2.6.  Install any remaining updates.

2.2.7.  Browse to C:\Temp.  Right click on 4-DC2-combine-SRV.cmd and select “Run as Administrator”.  You will be prompted to login to wolftech (use your .admin account).
Submit SRV record to ComTech that will contain the complete, combined domain controller information.
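The SRV submission described in step 4 of the general sequence and in step 2.2.7 is a merge of the netlogon.dns exports of the two domain controllers plus the KMS line. The script below is an added example of that merge, written for this page; it is not one of the Wolftest scripts (4-dc1-finish.cmd and 4-DC2-combine-SRV.cmd are the real ones). It assumes PowerShell 3.0 or later, the export file names shown, and a placeholder KMS host name. For the first submission, before Sulu is promoted, the second DC's template export is read with -ExcludeDsaGuidCname so the GUID CNAME records that only exist after the join are left out; after step 2.2.7 both exports are read in full.

```powershell
# Added example (not one of the Wolftest scripts): build the SRV record
# submission for ComTech from netlogon.dns exports. Assumptions: PowerShell
# 3.0+, the export file names used below, and a placeholder KMS host name.

$Zone = 'wolftest.ad.ncsu.edu'

function Read-NetlogonRecords {
    # Parse one netlogon.dns export ("name. TTL IN TYPE rdata") into objects.
    # -ExcludeDsaGuidCname drops the "<DSA GUID>._msdcs" CNAME records, which
    # a DC only gets at domain-join time (the "generic DC02" case in step 4).
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [switch] $ExcludeDsaGuidCname
    )
    $guidPattern = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\._msdcs\.'
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 5 -or $fields[2] -ne 'IN') {
            Write-Warning "Skipping unparsable line in ${Path}: $line"
            continue
        }
        $name = $fields[0].TrimEnd('.')
        if ($name -ne $Zone -and -not $name.EndsWith(".$Zone")) {
            Write-Warning "Skipping record outside ${Zone}: $line"
            continue
        }
        if ($ExcludeDsaGuidCname -and $fields[3] -eq 'CNAME' -and $name -match $guidPattern) {
            continue
        }
        [pscustomobject]@{
            Name  = $name
            Ttl   = [int]$fields[1]
            Type  = $fields[3].ToUpper()
            Rdata = ($fields[4..($fields.Count - 1)] -join ' ')
        }
    }
}

function New-SrvSubmission {
    # Merge records from several exports, add the KMS SRV record for
    # _vlmcs._tcp, deduplicate, and warn about SRV targets that do not resolve.
    param(
        [Parameter(Mandatory = $true)] [object[]] $Records,
        [Parameter(Mandatory = $true)] [string]   $KmsHost,
        [int] $Ttl = 600
    )
    $kms = [pscustomobject]@{
        Name = "_vlmcs._tcp.$Zone"; Ttl = $Ttl; Type = 'SRV'
        Rdata = "0 100 1688 $($KmsHost.TrimEnd('.'))."   # priority 0, weight 100, KMS port 1688
    }
    # Deduplicate on (name, type, rdata) so overlapping exports give one row each.
    $unique = @($Records) + $kms | Sort-Object Name, Type, Rdata -Unique
    foreach ($r in ($unique | Where-Object { $_.Type -eq 'SRV' })) {
        $target = ($r.Rdata -split '\s+')[3].TrimEnd('.')
        try   { [void][System.Net.Dns]::GetHostAddresses($target) }
        catch { Write-Warning "SRV target $target in $($r.Name) does not resolve yet" }
    }
    # Emit zone-file lines in the same form netlogon.dns uses.
    $unique | ForEach-Object { "$($_.Name). $($_.Ttl) IN $($_.Type) $($_.Rdata)" }
}

# Usage after both DCs exist (step 2.2.7). File names are assumptions; the
# share folder is the zone-src-info location named in step 2.0.6.
$src = '\\oitfs00.oit.ncsu.edu\oit-test\wolftest\zone-src-info'
$records = @(
    Read-NetlogonRecords -Path "$src\chekov-netlogon.dns"
    Read-NetlogonRecords -Path "$src\sulu-netlogon.dns"
)
New-SrvSubmission -Records $records -KmsHost 'kms-host-placeholder.wolftest.ad.ncsu.edu' |
    Set-Content -Path "$src\combined-srv.txt"
# For the first submission (step 4, before Sulu is promoted), read the second
# DC's template export with -ExcludeDsaGuidCname instead of its live export.
```

The resolution check is a review aid only: targets that fail to resolve are the ones whose A records ComTech has not yet published, so a warning here is expected before the first submission and unexpected before the combined one.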

When changing to other domain names, you will need to adjust the following files:

  • source-files\defaultdomainname.reg
  • templates\2nd-controller\base.txt
  • templates\new-forest\base.txt
  • scripts\global-set.cmd (change the set TESTDN target)

Server names are affected by:

  • scripts\create_server_ou.cmd
  • scripts\combine-SRV.cmd


3.0 Transfer FSMO Roles (PDC Emulator and Domain Naming Master are assigned to Chekov; Infrastructure Master and RID Master are assigned to Sulu; verify that both Chekov and Sulu hold the Global Catalog)

  • Log onto Sulu and open Active Directory Users and Computers.
  • Right click the domain (wolftest.ad.ncsu.edu) and select Operations Masters.
  • On the RID tab, change to Sulu; on the PDC tab, leave as Chekov; on the Infrastructure tab, change to Sulu.
  • Open Active Directory Sites and Services, expand both the Chekov and Sulu servers, right click NTDS Settings, and verify that the Global Catalog box is checked; if not, check it.
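The GUI steps above leave no record of whether the intended placement was actually reached. The following added example (not one of the Wolftest scripts) verifies the role placement and Global Catalog flags stated in section 3.0 and, on request, transfers only the roles that are misplaced. It assumes the ActiveDirectory PowerShell module is available (RSAT, or a 2008 R2 or later DC) and that wolftest.ad.ncsu.edu is its own forest root, as the "new-forest" template implies; the Schema Master is not listed on this page, so it is not checked.

```powershell
# Added example (not one of the Wolftest scripts): verify the operations
# master placement and Global Catalog flags from section 3.0 and move only
# the roles that are misplaced. Assumes the ActiveDirectory module and that
# wolftest.ad.ncsu.edu is the forest root; Schema Master is not checked.
Import-Module ActiveDirectory

$Domain = 'wolftest.ad.ncsu.edu'
$ExpectedRoles = @{
    PDCEmulator          = 'chekov'
    DomainNamingMaster   = 'chekov'
    RIDMaster            = 'sulu'
    InfrastructureMaster = 'sulu'
}
$ExpectedGlobalCatalogs = @('chekov', 'sulu')

function Get-FsmoDrift {
    # Returns one object per mismatch; an empty result means the layout is correct.
    $dom    = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest -Identity $Domain
    $actual = @{
        PDCEmulator          = $dom.PDCEmulator
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
    $drift = @()
    foreach ($role in $ExpectedRoles.Keys) {
        $holder = ($actual[$role] -split '\.')[0]      # FQDN -> short host name
        if ($holder -ne $ExpectedRoles[$role]) {
            $drift += [pscustomobject]@{ Check = $role; Expected = $ExpectedRoles[$role]; Actual = $holder }
        }
    }
    # Global Catalog: every DC in $ExpectedGlobalCatalogs must advertise it.
    $gcs = Get-ADDomainController -Filter * -Server $Domain |
        Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.Name }
    foreach ($dc in $ExpectedGlobalCatalogs) {
        if ($gcs -notcontains $dc) {
            $drift += [pscustomobject]@{ Check = "GlobalCatalog($dc)"; Expected = 'enabled'; Actual = 'not advertised' }
        }
    }
    return $drift
}

function Move-DriftedRoles {
    # Transfers (never seizes) each misplaced role to its intended holder.
    # Global Catalog is still enabled in Sites and Services, as in 3.0.
    param([Parameter(Mandatory = $true)] [object[]] $Drift)
    $byTarget = $Drift | Where-Object { $ExpectedRoles.ContainsKey($_.Check) } | Group-Object Expected
    foreach ($group in $byTarget) {
        $roles = @($group.Group | ForEach-Object { $_.Check })
        Move-ADDirectoryServerOperationMasterRole -Identity $group.Name -OperationMasterRole $roles
    }
}

$drift = @(Get-FsmoDrift)
if ($drift.Count -eq 0) {
    'FSMO placement and Global Catalog flags match section 3.0'
} else {
    $drift | Format-Table -AutoSize
    # Uncomment to transfer the misplaced roles after reviewing the table:
    # Move-DriftedRoles -Drift $drift
}
```

Run it once after the GUI steps, and again after a rebuild of either DC: a role that silently stayed on the rebuilt server (or a DC that stopped advertising the Global Catalog) shows up as a row in the table rather than as a later logon or replication failure.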

3.1  Importing the schema extensions from production into the test environment is documented here.

4.0  Certificates

Import current certificates from NCSU and Wolftech from:

https://activedirectory.ncsu.edu/advanced-topics/advanced-domain-design/certificate-services/

and http://www.ncsu.edu/itd/security/ncsu-ca.html
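The two pages above supply the CA certificates; the next step is to get them trusted by every WolfTest domain member. The following added example (not one of the Wolftest scripts) checks each downloaded certificate and publishes it into the forest with certutil -dspublish, from where domain members pick it up through autoenrollment. The file names and the store each file goes to are assumptions for illustration; compare each printed thumbprint with the fingerprint shown on the source page before letting the script publish.

```powershell
# Added example (not one of the Wolftest scripts): validate each downloaded
# CA certificate, then publish it to the forest with certutil -dspublish.
# File names and the store mapping below are assumptions.
$CertsToPublish = @(
    @{ Path = 'C:\Temp\certs\ncsu-ca.cer';          Store = 'RootCA' }   # NCSU root, trusted root in AD
    @{ Path = 'C:\Temp\certs\wolftech-root-ca.cer'; Store = 'RootCA' }
    @{ Path = 'C:\Temp\certs\wolftech-issuing.cer'; Store = 'SubCA'  }   # issuing CA, intermediate
)

function Test-CaCertificate {
    # Loads a certificate and returns its details, or $null with a warning if
    # it is expired or is not a CA certificate (no CA basic constraint).
    param([Parameter(Mandatory = $true)] [string] $Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        Write-Warning "$Path is not a CA certificate; not publishing"
        return $null
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "$Path expired on $($cert.NotAfter); not publishing"
        return $null
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint   # compare with the fingerprint on the source page
        NotAfter   = $cert.NotAfter
    }
}

function Publish-CaCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [ValidateSet('RootCA', 'SubCA', 'NTAuthCA')] [string] $Store
    )
    $info = Test-CaCertificate -Path $Path
    if (-not $info) { return }
    "Publishing $($info.Subject) ($($info.Thumbprint)) to $Store"
    & certutil.exe -dspublish -f $Path $Store | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed for $Path (exit $LASTEXITCODE)" }
}

foreach ($c in $CertsToPublish) { Publish-CaCertificate -Path $c.Path -Store $c.Store }

# Pull the published certificates into this machine's stores and list them.
certutil.exe -pulse | Out-Null
certutil.exe -enterprise -store Root | Select-String 'Subject:|Cert Hash'
```

Publishing through the directory rather than importing on each server means a rebuilt member picks the trust up at its first policy refresh, which is what makes the fast rebuild cycle above workable.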


Steps for creating the WolfTest Enterprise Certificate Authority, running on WTest-cert-10.wolftest.ad.ncsu.edu:


Steps for creating the Wolftest OCSP server, running on Wtest-ocsp-00.oit.ncsu.edu: