auto-win-vm-ad
==============
Automatically create Windows Virtual Machines with Active Directory
and Certificate Services
This allows you to create a Windows VM complete with Active Directory
and Certificate Services, and Active Directory TLS/SSL enabled,
completely automated and unattended.
Currently only tested on (and hardcoded to work with) RHEL 6.X with
kvm/qemu virtualization, Windows Server 2008 R2 Enterprise
Datacenter 64-bit, and Windows Server 2012 Enterprise Datacenter 64-bit
Pre-Requisites
==============
These are the tools I've used so far:
* RHEL 6.x 64-bit with KVM/QEMU
** qemu-kvm - the basic virtualization packages
** python-virtinst - virt-install
** qemu-img
** libvirt-client - virsh
** dosfstools - mkfs.vfat
** openldap-clients - for testing the AD connection and getting the AD CA cert
** genisoimage - "extras" CD
** dos2unix - UNIX to DOS line feed converter
* en_windows_server_2008_r2_standard_enterprise_datacenter_web_x64_dvd_x15-50365.iso
** an MSDN subscription is required for access to Windows ISO files
and product keys
** I know 2008 R2 Enterprise Datacenter comes with Active Directory
and Certificate Services
** Not sure what other versions contain these
** autounattend.xml, dcinstall.ini, adcertreq.inf, and the cmd scripts
depend on this version
* en_windows_server_2012_x64_dvd_915478.iso
** an MSDN subscription is required for access to Windows ISO files
and product keys
** I know 2012 Datacenter comes with Active Directory and Certificate Services
** Not sure what other versions contain these
** autounattend.xml, setupad.ps1, setupca.ps1, adcertreq.inf, and the cmd scripts
depend on this version
* KVM/Machine setup
** In order to easily keep track of the VM hostname/IP address I have
done the following:
** edit /etc/hosts - assign an IP address and FQDN for the VM
e.g. something like this:
192.168.122.2 ad.test.example.com ad
** The FQDN must be the first one listed (just like for SSL/Kerberos
testing)
** add your new vm/ip addr/mac address
*** virsh net-destroy default - virt network must be stopped first
*** virsh net-edit default - add a name, the IP address from above, and
a unique MAC address to the <dhcp> section like this:
<mac address='52:54:00:xx:xx:xx'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.128' end='192.168.122.254' />
<host mac='54:52:00:xx:yy:zz' name='win2k8' ip='192.168.122.2' />
That is, add a new <host ...> entry with a unique IP address and mac address
The mac address must start with 54:52:00: and must be unique.
The VM name (name='win2k8') does not have to match the hostname, but it must be
the same as the VM_NAME parameter (see below)
*** virsh net-start default - start up virt network
*** virsh net-dumpxml default - verify that your new host entry is listed
You will need to provide at least the name of the VM to the script.
The script will attempt to find the FQDN, the IP address, and the MAC
address (or you can provide these).
Running
=======
ANS_FILE_DIR=/path/to/thisscript/answerfiles \
VM_NAME=nameofvm \
ADMINPASSWORD="your windows admin password" \
PRODUCT_KEY=aaaaa-bbbbb-ccccc-ddddd-eeeee \
make-ad-vm.sh
There are many, many parameters you can pass as environment variables
PRODUCT_KEY - 25 character product key which must correspond exactly to the windows iso you are installing
* no default - must be provided or use PRODUCT_KEY_FILE
PRODUCT_KEY_FILE - can put the product key in a file instead of passing in PRODUCT_KEY
* no default - must be provided or use PRODUCT_KEY
VM_NAME - name of virtual machine
* default - ad
VM_IMG_DIR - path to your KVM/QEMU disk images
* default - /var/lib/libvirt/images
ANS_FILE_DIR - path to the config files and scripts used during Windows install/setup
* no default - you must provide this
WIN_VER_REL_ARCH - windows version, release, arch
* default - win2k8x8664
* must correspond to the WIN_ISO
WIN_ISO - the full path and file name of the Windows install ISO
* default - $VM_IMG_DIR/en_windows_server_2008_r2_standard_enterprise_datacenter_web_x64_dvd_x15-50365.iso
WIN_VM_DISKFILE - the full path and file name of the Windows VM disk image
* default - $VM_IMG_DIR/$VM_NAME.raw
VM_RAM - amount of RAM to use for VM, in MB
* default - 2048 (2GB)
VM_CPUS - number of CPUs to use for VM
* default - 2
VM_DISKSIZE - size of WIN_VM_DISKFILE in GB
* default - 16
ADMINNAME - user of Windows admin account
* default - Administrator
ADMINPASSWORD - password for ADMINNAME account
* no default - must be provided
VM_MAC - MAC address for VM
* default - will lookup from virsh net-dumpxml default for the VM name
VM_FQDN - fully qualified host and domain name for the VM
* default - will lookup from virsh net-dumpxml and getent hosts from the VM name
VM_CA_NAME - the name of the CA that will be created
* default - LMDN-LMHN-ca - where
** LMDN is the leftmost part of the domain name e.g. if your VM_FQDN is ad.test.example.com
** then the LMDN is "test"
** LMHN is the leftmost part of the FQDN e.g. if your VM_FQDN is ad.test.example.com
** then the LMHN is "ad"
** so the VM_CA_NAME would be test-ad-ca
VM_AD_DOMAIN - the domain of the AD server
* default - the part of VM_FQDN after the hostname part e.g. if VM_FQDN is ad.test.example.com
* the domain is test.example.com
VM_AD_SUFFIX - the AD root suffix
* default - derived from the VM_AD_DOMAIN - e.g. test.example.com -> dc=test,dc=example,dc=com
VM_NETBIOS_NAME - the NETBIOS domain name
* default - derived from VM_AD_DOMAIN e.g. test.example.com -> TESTEXAMPLECOM
ADMIN_DN - the full AD DN of the Windows Administrator
* default - cn=$ADMINNAME,cn=users,$VM_AD_SUFFIX
AD_DOMAIN_LEVEL - 4 == 2008 R2, Win2012 == 2012
* default - same as version specifed in WIN_VER_REL_ARCH
AD_FOREST_LEVEL - 4 == 2008 R2, Win2012 == 2012
* default - same as version specifed in WIN_VER_REL_ARCH
Windows
=======
Windows supports unattended install and setup. In 2008 and some other
new-ish versions, this is done via a file called autounattend.xml.
When Windows boots off of the ISO, it looks for a file called
autounattend.xml in the root directory of all removable media. We use
a virtual CD-ROM as drive E:\ in Windows and put the file there.
Setup goes through several different phases, or "passes" in Windows
parlance. The last pass is oobeSystem. It is during this pass that
we set the first of our "callback" scripts, postinstall.cmd. We first
set Windows to AutoLogin the Administrator so that we can use the
FirstLogonCommands and later RunOnce commands, and tell it to
AutoLogin 999 times. We use the FirstLogonCommands SynchronousCommand
to run the postinstall.cmd script. This activates windows with the
given PRODUCT_KEY, creates the RunOnce script for the next setup pass
(setupscript1.cmd), and reboots.
During setupscript1 pass, setupscript1.cmd uses dcpromo.exe (2008) or
setupad.ps1 (2012) to setup Active Directory with our chosen domain.
It also activates Windows with the specified product key. At the end,
it creates the RunOnce script for the next setup pass
(setupscript1.cmd), and tells Windows to reboot in 2 minutes. Active
Directory requires a reboot in order to complete the setup process.
During the setupscript2 pass at next login, we install and configure
Certificate Services in Standalone Root CA mode - setupca.vbs /IS
(2008) or setupca.ps1 (2012) - then set the RunOnce to run
setupscript.cmd, and reboot again in 2 minutes.
During the setupscript3 pass at next login, we generate an AD server
cert request, submit it to the CA, sign it, and install it in the AD
cert repo, using certreq and certutil. Once this is done, AD will
automatically configure itself to be a TLS/SSL server.
The different Windows files are:
PLATFORM.xml - e.g. win2k8x8664.xml - this is copied to the virtual CD-ROM as the main
autounattend.xml file
postinstall.cmd - activate Windows with the specified product key, reboot
setupscript2.cmd - install and setup AD, setup pass2, reboot
setupscript2.cmd - install and setup Cert Services, setup pass3, reboot
setupscript3.cmd - request and install AD server cert
dcinstall.ini - unattended setup file for AD (2008)
adcertreq.inf - unattended AD cert request file
Setupca.vbs - Virtual Basic script that installs and sets up Cert Services (2008)
setupad.ps1 - unattended setup file for AD (2012)
setupca.ps1 - unattended setup file for CA (2012)
Windows Troubleshooting
=======================
For general setup issues, look in c:\windows\panther\setup*.log
dcpromo - c:\dcinstall.log (2008 only)
setupca.vbs - c:\_setupca.log (2008 only)
postinstall - c:\postinstall.log
setupscript1 - c:\setupscript1.log
setupscript2 - c:\setupscript2.log
setupscript3 - c:\setupscript3.log
References
==========
Windows Unattended Installation Information for 2008
* http://technet.microsoft.com/en-us/library/cc730695%28v=WS.10%29.aspx
Sample Unattend.xml files for 2008
* http://technet.microsoft.com/en-us/library/cc732280(v=ws.10)
Enabling TLS/SSL in Active Directory
* http://www.richardhyland.com/diary/2009/05/12/installing-a-ssl-certificate-on-your-domain-controller/
* http://support.microsoft.com/default.aspx?scid=kb;en-us;321051
Windows certreq reference
* http://technet.microsoft.com/en-us/library/cc736326%28v=ws.10%29
Source for Setupca.vbs
* http://blogs.technet.com/b/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx
* http://technet.microsoft.com/en-us/library/ee918754(WS.10).aspx
Info for 2012 Active Directory
* http://technet.microsoft.com/en-us/library/hh472162.aspxinntran/auto-win-vm-ad
Automatically create Windows Virtual Machines with Active Directory and Certificate Services
Visual Basic