On May 24, 2021, I published the Building Webster’s Lab V2 article series that used vSphere/vCenter 7.0 original release and XenServer 8.2.0.

This is a follow-up on building the lab with vSphere/vCenter 7.0U3L and XenServer 8.2.1.

Why didn’t I use vSphere/vCenter 8? Neither my hardware nor Synology units support vSphere 8. There is a change I can make to an install file to bypass the hardware compatibility check, but I would rather not risk it. It took Synology a long time to add vSphere 7 support, so I have no idea how long before they add support for vSphere 8.

I need to rebuild the lab because something terrible happened after powering down the lab for an extended weekend. When I powered on the lab after returning to the lab the following Monday, the vSphere servers would not connect to local storage and NFS storage, nor connect to any switches or networking.

Read the rest in the PDF…

You can always find the most current PDF by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

• Fixed bug in Function getDSUsers with MaxPasswordAge reported by Danny de Kooker
• Moved the following section headings so that the error/warning/notice messages had a section heading
  • Domain Controllers
  • Fine-grained password policies

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

• Added Windows Server 2022 to AD Schema version 88
• Fixed some text output alignment
• In Function OutputNicItem, fixed several issues with DHCP data
• Replaced all Get-WmiObject with Get-CimInstance
• Some general code cleanup
• Updated schema numbers for Exchange CUs
  • “15334” = “Exchange 2016 CU21-CU23”
  • “17003” = “Exchange 2019 CU10-CU12”

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

Script Bug Fix Updates 7-Feb-2022

• Changed the date format for the transcript and error log files from yyyy-MM-dd_HHmm format to the FileDateTime format
  • The format is yyyyMMddTHHmmssffff (case-sensitive, using a 4-digit year, 2-digit month, 2-digit day, the letter T as a time separator, 2-digit hour, 2-digit minute, 2-digit second, and 4-digit millisecond).
  • For example: 20221225T0840107271.
• Fixed the German Table of Contents (Thanks to Rene Bigler)
  • From
    • ‘de-‘ { ‘Automatische Tabelle 2’; Break }
  • To
    • ‘de-‘ { ‘Automatisches Verzeichnis 2’; Break }
• In Function AbortScript, add test for the winword process and terminate it if it is running
  • Added stopping the transcript log if the log was enabled and started
• In Functions AbortScript and SaveandCloseDocumentandShutdownWord, add code from Guy Leech to test for the “Id” property before using it
• Replaced most script Exit calls with AbortScript to stop the transcript log if the log was enabled and started
• Updated the help text
• Updated the ReadMe file

Active Directory 3.09 7-Feb-2022

• • Added to Domain Information the data for ms-DS-MachineAccountQuota

Active Directory Health Check 3.09 7-Feb-2022

• • Add missing variable $Script:ThisScriptPath
  • Changed all Write-Verbose statements from Get-Date to Get-Date -Format G as requested by Guy Leech
  • Removed Function Stop-Winword
  • Updated Functions CheckWordPrereq and SetupWord with the versions used in the other documentation scripts

Citrix Federated Authentication Services 1.14 7-Feb-2022

Citrix Provisioning Services (PVS) New 6.03 8-Feb-2022

Citrix Provisioning Services (PVS) Old 4.32 10-Feb-2022

Citrix XenApp/XenDesktop 7.0 through 7.7 1.51 13-Feb-2022

• • Since the Citrix.GroupPolicy.Commands.psm1 module file was removed in  1.50,  removed the block for Elevation if $Policies is True

Citrix XenApp/XenDesktop 7.8 through CVAD 2006 2.46 15-Feb-2022

Citrix Virtual Apps and Desktops V3.32 15-Feb-2022

Microsoft Configuration Manager 2012R2 V2.40 17-Feb-2022

Microsoft DHCP V2.05 17-Feb-2022

Microsoft DNS V2.03 18-Feb-2022

Citrix NetScaler Old (uses ns.conf file) V2.62 18-Feb-2022

• • Fixed $Null comparisons that were on the wrong side
  • Updated Functions CheckWordPrereq and SendEmail to the latest version

Parallels RAS V17 V1.02 18-Feb-2022

• • Added Function OutputReportFooter
  • Added Parameter ReportFooter
    • Outputs a footer section at the end of the report.
    • Report Footer
      • Report information:
        • Created with: <Script Name> – Release Date: <Script Release Date>
        • Script version: <Script Version>
        • Started on <Date Time in Local Format>
        • Elapsed time: nn days, nn hours, nn minutes, nn.nn seconds
        • Ran from domain <Domain Name> by user <Username>
        • Ran from the folder <Folder Name>
  • Updated Functions SaveandCloseTextDocument and  SaveandCloseHTMLDocument to add a “Report Complete” line
  • Updated Functions ShowScriptOptions and ProcessScriptEnd to add  $ReportFooter

Parallels RAS V18 V2.11 18-Feb-2022

• • Added Function OutputReportFooter
  • Added Parameter ReportFooter
    • Outputs a footer section at the end of the report.
    • Report Footer
      • Report information:
        • Created with: <Script Name> – Release Date: <Script Release Date>
        • Script version: <Script Version>
        • Started on <Date Time in Local Format>
        • Elapsed time: nn days, nn hours, nn minutes, nn.nn seconds
        • Ran from domain <Domain Name> by user <Username>
        • Ran from the folder <Folder Name>
  • Updated Functions SaveandCloseTextDocument and  SaveandCloseHTMLDocument to add a “Report Complete” line
  • Updated Functions ShowScriptOptions and ProcessScriptEnd to add  $ReportFooter

VMware vSphere 1.93 23-Feb-2022

Citrix XenApp 6.5 5.06 23-Feb-2022

If you have questions or issues, please email me. webster at carlwebster dot com.

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

• In Function AbortScript, add test for the winword process and terminate it if it is running
• In Function ProcessDomainControllers, added “Computer Object DN” to the output
  • If the DN doesn’t contain “OU=Domain Controllers”, highlight the Word/HTML output in red and add “***” to the text output
• In Functions AbortScript and SaveandCloseDocumentandShutdownWord, add code from Guy Leech to test for the “Id” property before using it
• Updated Functions ShowScriptOptions and ProcessScriptEnd to add $ReportFooter
• Updated schema numbers for Exchange CUs
  • “15334” = “Exchange 2016 CU21-CU22”
  • “17003” = “Exchange 2019 CU10-CU11”
• Updated the help text
• Updated the ReadMe file

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

In Chapter 2, Azure Virtual Desktop, Claudio walks through configuring Synchronizing AD with Azure Active Directory. Step 4 in that process is verifying your custom domain. My verification failed with the message shown in Figure 1.

To make an hours-long story short, it took me a while to figure out when I had set up LabADDomain.com for use in Azure or Office 365 (along with the username and password). I eventually found that I created a free Azure account and an Office 365 account several years ago. Removing the domain LabADDomain.com for those accounts took a few hours because even Microsoft support didn’t know how to remove an old domain.

This article outlines the steps that took Microsoft and me over four hours to resolve. I hope you can follow these steps saving you hours of frustration for those with labs and possibly multiple domain names.

Several years ago, I created an Office 365 trial for LabADDomain.com with an admin account named ctxadmin@labaddomain.com. I used that account to create a free Azure trial using Azure AD Connect connecting to my on-premises AD LabADDomain.com domain. That version of the LabADDomain.com AD is long gone. Webster’s Lab gets rebuilt almost annually. The original domain and domain controllers no longer exist, so nothing to uninstall and remove the sync to Azure AD. To resolve the issue, it took many emails, phone calls, and remote support sessions with Microsoft Support.

When you create an Office 365 subscription, there are two domains created: YourDomain.com and YourDomain.OnMicrosoft.com.

Here are the steps we took to remove the stale domain.

1. Create a global admin for labaddomain.onmicrosoft.com named ctxadmin.

2. Log off from the old ctxadmin@labaddomain.com admin account.

3. Login with the new ctxadmin@labaddomain.onmicrosoft.com admin account.

4. Go to the O365 admin center, Figure 2.

5. Show all, Figure 3.

6. Setup, Figure 4.

7. Domains, Figure 5.

8. Select the old domain to remove.

9. Click the vertical three dots next to Filter.

10. Click either Delete Domain or Remove Domain (I can’t remember the verbiage).

11. Wait about an hour.

12. Click Refresh every few minutes. For me, it took about an hour before the console no longer showed the old domain. You must wait until the domain deletes before continuing.

13. You can now use the old domain as a new domain for AAD, Figure 6.

I hope this brief article helps someone else from spending hours with Microsoft support to remove a long-forgotten domain from a long-forgotten Azure or Office 365 trial.

Thanks

Webster

• Added array error checking for non-empty arrays before attempting to create the Word table for most Word tables
• Added Function OutputReportFooter
• Added Parameter ReportFooter
  • Outputs a footer section at the end of the report.
  • Report Footer
    • Report information:
      • Created with: <Script Name> – Release Date: <Script Release Date>
      • Started on <Date Time in Local Format>
      • Elapsed time: nn days, nn hours, nn minutes, nn.nn seconds
      • Ran from domain <Domain Name> by user <Username>
      • Ran from the folder <Folder Name>
• Updated Function OutputADFileLocations to better report on the SYSVOL state. Code supplied by Michael B. Smith.
• Updated Function ProcessgGPOsByOUOld to allow Word table output to handle GPOs that somehow PowerShell thinks are arrays
• Updated Functions SaveandCloseTextDocument and SaveandCloseHTMLDocument to add a “Report Complete” line
• Updated Functions ShowScriptOptions and ProcessScriptEnd to add $ReportFooter
• Updated the help text
• Updated the ReadMe file

Thanks to fellow CTP Thomas Krampe for the push to add the report footer.

If you run the script in a multiple domain forest or have Read-only Domain Controller appliances and have questions or issues, please email me. webster at carlwebster dot com.

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

• Add new Function ProcessOUsForBlockedInheritance to add a report section for OUs with GPO Block Inheritance set
• Add new Function ProcessSYSVOLStateInfo to show the SYSVOL state for each DC as an Appendix
• Added by MBS, HTML codes for AlignLeft and AlignRight
  • Update Function AddHTMLTable
  • Update Function FormatHTMLTable
  • Update Function Get-ComputerCountByOS
  • Update Function getDSUsers
  • Update Function OutputEventLogInfo
  • Update Function ProcessEventLogInfo
  • Update Function ProcessGroupInformation
  • Update Function ProcessOrganizationalUnits
  • Update Function ProcessSYSVOLStateInfo
  • Update Function WriteHTMLLine
• In Function ProcessAllDCsInTheForest, change the way all domain controllers in the forest are retrieved
  • The previous method did not always find RODC appliances
  • Use new method given by MBS
• The following fixes were requested by Jorge de Almeida Pinto
  • In Function Get-RegistryValue, removed the Write-Verbose message on error as it confused people
  • In Function OutputADFileLocations, check only for null to catch appliances (Riverbed) with no registry
  • In Function OutputEventLogInfo, add Try/Catch to Get-EventLog to catch appliances (Riverbed) with no event logs
  • In Function OutputTimeServerRegistryKeys, check only for null to catch appliances (Riverbed) with no registry
  • When processing DCs, add testing to see if the DC is online before processing registry keys
    • Add an error message to the console and output file
  • When testing a DC to see if it was online, I used the wrong variable name
• In Function ProcessScriptEnd, always output Company Name
• In Function ShowScriptOptions, always output Company Name

If you run the script in a multiple domain forest or have Read-only Domain Controller appliances and have questions or issues, please email me. webster at carlwebster dot com.

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

I updated the PDF last on 22-Sep-2021.

You can always find the most current PDF by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

• Add fixes provided by Jorge de Almeida Pinto
  • Fixed the way the $Script:AllDomainControllers array is built
  • Fixed getting Fine-grained Password policies to work in a multiple domain/child domain forest
• Change the CompanyName parameter so that HTML and Text output can use it. (requested by Michael B. Smith)
  • .PARAMETER CompanyName
    • Company Name to use for the Word Cover Page or the Forest Information section for HTML and Text.
    • Default value for Word output is contained in
    • HKCU:\Software\Microsoft\Office\Common\UserInfo\CompanyName or
    • HKCU:\Software\Microsoft\Office\Common\UserInfo\Company, whichever is populated on the computer running the script.
    • This parameter has an alias of CN.
    • For Word output, if either registry key does not exist and this parameter is not specified, the report will not contain a Company Name on the cover page.
    • For HTML and Text output, the Forest Information section will not contain the Company Name if this parameter is not specified.
• For both HTML and Text output, at the end of the report add a “Report Complete” line (requested by Michael B. Smith)
• For Privileged Groups, add a column for SamAccountName (requested by Michael B. Smith)
• For the forest section, if a company name is entered, added the company name to the section title (requested by Michael B. Smith)
• For the section Computer Operating Systems, fix the HTML tables to have slightly wider columns (requested by Michael B. Smith)
• For Users with AdminCount=1, add columns for SamAccountName and Domain (requested by Michael B. Smith)
• Renamed items in the list of AD Schema Items (requested by Michael B. Smith)
  • RAS Server -> NPS/RAS Server
  • LAPS -> On-premises LAPS
  • SCCM -> MECM/SCCM
  • Lync/Skype for Business -> On-premises Lync/Skype for Business
  • Exchange -> On-premises Exchange
• Update schema numbers for Exchange CUs
  • “15333” = “Exchange 2016 CU19/CU20”
  • “15334” = “Exchange 2016 CU21”
  • “17002” = “Exchange 2019 CU8/CU9”
  • “17003” = “Exchange 2019 CU10”
• Updated the help text
• Updated the ReadMe file

If you run the script in a multiple domain forest and have questions or issues, please email me. webster at carlwebster dot com.

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

The next step is to create a management computer from the Windows 10 template with the additional servers built and configured. We use the VM built in this article for PowerShell scripting running consoles from Citrix, Microsoft, Parallels, and VMware. My lab’s infrastructure VMs reside in my XenServer pool, as explained in the Introduction article. I consider the management computer an infrastructure computer as it is permanent.

Note: What I call a Management Computer goes by different names.

• Jump Server
• Jump Machine
• Jump Host
• Bastion Machine
• Bastion Host
• And I am sure other locations around the world use other names

Whatever you want to call it, this is a centralized computer for managing and accessing servers, network equipment, storage devices, and other management activities. Some people use a server operating system (OS), and some use a desktop OS. It depends on the licensing restrictions of the software used on the computer.

From the introduction article, this is the VM we are building.

VMware

In vCenter, right-click the Windows 10 Template and click on New VM from This Template…, as shown in Figure 1.

Enter a Virtual machine name and click Next, as shown in Figure 2.

Click Next, as shown in Figure 3.

Select the NFS shared datastore created earlier in this series and click Next, as shown in Figure 4.

Select Power on virtual machine after creation and click Next, as shown in Figure 5.

Verify that the configuration data for the new VM is correct and click Finish, as shown in Figure 6. If any item is incorrect, click Back, correct the item(s), and continue.

It took about 2 minutes to create the VM from the template in my lab.

Wait for the creation of the VM to complete, as shown in Figure 7.

Since we enabled Remote Desktop in the Template, the new VM has it enabled.

In vCenter, select the new Windows 10 VM, and in the right pane, look at the IP address, as shown in Figure 8.

As shown in Figure 9, click Start, Run, and type in mstsc /v:ipaddress /admin, and press Enter [where IP Address is the IP address shown in Figure 8].

Using Remote Desktop at this point makes it easier for me to get screenshots.

Enter the credentials for the local account created during the Windows 10 template build and press Enter, as shown in Figure 10.

Click Yes, as shown in Figure 11.

Select your region and click Yes, as shown in Figure 12.

Select your keyboard layout and click Yes, as shown in Figure 13.

Click Skip, as shown in Figure 14.

Click Accept, as shown in Figure 15.

Click Domain join instead, as shown in Figure 16.

Type in a local user account name and click Next, as shown in Figure 17.

Enter a password and click Next, as shown in Figure 18.

Confirm the password and click Next, as shown in Figure 19.

Select three security questions, enter the answer, and click Next, as shown in Figures 20 through 22.

Select your privacy settings and click Accept, as shown in Figure 23. I set them all to No.

Make a selection for Cortana, as shown in Figure 24. I selected Not now, plus one of the settings in my Lab Defaults Group Policy to disable the use of Cortana.

If you receive the following popup, click Yes, as shown in Figure 25. I only received this popup for VMware, not XenServer.

Right-click the network icon in the systray and click Open Network & Internet settings, as shown in Figure 26.

Click Change adapter options, as shown in Figure 27.

Right-click the adapter and click Properties, as shown in Figure 28.

Click Configure…, as shown in Figure 29.

Click the Power Management tab, deselect every option, and click OK, as shown in Figure 30.

Right-click the Adapter and click Properties, as shown in Figure 28.

Click Internet Protocol Version 4 (TCP/IPv4) and click Properties, as shown in Figure 31.

Select Use the following IP address, enter the IP information for your network, and click OK, as shown in Figure 32. For the DNS server addresses, use the IP addresses of your domain controllers.

How many DNS servers should you configure on the network adapter? Not as many as you think. I recommend on DCs, a total of three where the third is always 127.0.0.1. For all other computers, also no more than three. I have seen places with 15 DCs, and every computer had all 15 DCs in the list of DNS servers. If you understand Windows DNS client resolution timeouts, limit the number of DNS entries.

Click Close, as shown in Figure 33.

After clicking Close,  you lose the connection to the RDP session. Reconnect using the new static IP address.

Close Network Connections.

Click Home, then System, then About, and finally Rename this PC (Advanced), as shown in Figure 34.

Click Change, as shown in Figure 35.

Enter a Computer name, Domain, and click OK, as shown in Figure 36.

Enter the domain’s Administrator name and password and click OK, as shown in Figure 37.

Click OK, as shown in Figure 38.

Click OK, as shown in Figure 39.

Click Close, as shown in Figure 40.

Click Restart Now, as shown in Figure 41.

When the VM restarts, log in using the domain’s Administrator account.

Make any customizations you require to the VM before we start installing consoles. I upgraded my Windows 10 20H2 VM to Windows 10 21H1.

XenServer

In XenCenter, right-click the Windows 10 Template and click on New VM wizard…, as shown in Figure 42.

Select the Windows 10 Template template and click Next, as shown in Figure 43.

Enter a Name, an optional Description, and click Next, as shown in Figure 44.

Since the operating system is installed in the template VM, Click Next, as shown in Figure 45.

Select Don’t assign this VM a home server and click Next, as shown in Figure 46.

You may change the Number of vCPUs, Topology, and Memory if you wish. I left everything the same as the template VM. Click Next, as shown in Figure 47.

As my hosts do not have a GPU card, I clicked Next, as shown in Figure 48.

Click Edit, as shown in Figure 49.

I recommend changing both the Name and Description. Doing so makes it easier later if you ever delete a VM and its attached hard disks. If all the hard disks have the same name and description, it is challenging to determine which disks go with which VM.

Enter a Name and Description and click OK, as shown in Figure 50.

Click Next, as shown in Figure 51.

If multiple Virtual network interfaces are available, select the appropriate interface and click Next, as shown in Figure 52.

Verify all the configuration options are correct and click Create Now, as shown in Figure 53. If an option is not correct, click Previous, correct the option and then continue.

I deselected the option Start the new VM automatically since it doesn’t work.

Wait for the creation of the VM to complete, as shown in Figure 54. It took about 2 seconds in my lab to create the VM from the template.

In XenCenter, right-click the new VM and click Start, as shown in Figure 55.

Expand the XenServer host on which you started the VM, click the VM, and click the Networking tab, as shown in Figure 56. You see the IP address assigned to the VM.

As shown in Figure 57, click Start, Run, and type in mstsc /v:ipaddress /admin, and press Enter [where IP Address is the IP address shown in Figure 56].

Using Remote Desktop at this point makes it easier for me to get screenshots.

Enter the credentials for the local account created during the Windows 10 template build and press Enter, as shown in Figure 58.

Click Yes, as shown in Figure 59.

Select your region and click Yes, as shown in Figure 60.

Select your keyboard layout and click Yes, as shown in Figure 61.

Click Skip, as shown in Figure 62.

Click Accept, as shown in Figure 63.

Click Domain join instead, as shown in Figure 64.

Type in a local user account name and click Next, as shown in Figure 65.

Enter a password and click Next, as shown in Figure 66.

Confirm the password and click Next, as shown in Figure 67.

Select three security questions, enter the answer, and click Next, as shown in Figures 68 through 70.

Select your privacy settings and click Accept, as shown in Figure 71. I set them all to No.

Make a selection for Cortana, as shown in Figure 72. I selected Not now, plus one of the settings in my Lab Defaults Group Policy to disable the use of Cortana.

If you receive the following popup, click Yes, as shown in Figure 73. I only received this popup for VMware, not XenServer.

Right-click the network icon in the systray and click Open Network & Internet settings, as shown in Figure 74.

Click Change adapter options, as shown in Figure 75.

Right-click the adapter and click Properties, as shown in Figure 76.

Click Internet Protocol Version 4 (TCP/IPv4) and click Properties, as shown in Figure 77.

Select Use the following IP address, enter the IP information for your network, and click OK, as shown in Figure 78. For the DNS server addresses, use the IP addresses of your domain controllers.

How many DNS servers should you configure on the network adapter? Not as many as you think. I recommend on DCs, a total of three where the third is always 127.0.0.1. For all other computers, also no more than three. I have seen places with 15 DCs, and every computer had all 15 DCs in the list of DNS servers. If you understand Windows DNS client resolution timeouts, limit the number of DNS entries.

Click Close, as shown in Figure 79.

After clicking Close,  you lose the connection to the RDP session. Reconnect using the new static IP address.

Close Network Connections.

Click Home, then System, then About, and finally Rename this PC (Advanced), as shown in Figure 80.

Click Change, as shown in Figure 81.

Enter a Computer name, Domain, and click OK, as shown in Figure 82.

Enter the domain’s Administrator name and password and click OK, as shown in Figure 83.

Click OK, as shown in Figure 84.

Click OK, as shown in Figure 85.

Click Close, as shown in Figure 86.

Click Restart Now, as shown in Figure 87.

When the VM restarts, log in using the domain’s Administrator account.

Make any customizations you require to the VM before we start installing consoles. I upgraded my Windows 10 20H2 VM to Windows 10 21H1.

Install Active Directory Consoles

There are no Citrix Virtual Apps and Desktops or Parallels Remote Application Server or VMware Horizon environments at this point in the lab’s building process. The only consoles to install at this point are for the Microsoft products in the lab.

Before the October 2018 update to Windows 10, a download was available for the Remote Server Administrative Tools (RSAT). The old approach to RSAT was that the Windows 10 upgrade removed the RSAT from the computer. The new approach allows the RSAT to persist between Windows 10 upgrades.

Click the Start button and click Settings, as shown in Figure 88.

Click Apps, as shown in Figure 89.

Click Optional features, as shown in Figure 90.

Click Add a feature, as shown in Figure 91.

Select the following items and click Install, as shown in Figure 92.

• RSAT: Active Directory Certificate Services Tools
• RSAT: Active Directory Domain Services and Lightweight Directory Services Tools
• RSAT: DHCP Server Tools
• RSAT: DNS Server Tools
• RSAT: Group Policy Management Tools

The tools install, as shown in Figure 93.

You can find the tools by clicking Start, scrolling down to, and expanding Windows Administrative Tools, as shown in Figure 94.

Installing RSAT installed several PowerShell modules. To ensure that we have current help text for every PowerShell module, start an elevated PowerShell session.

Click Start, scroll down to and expand Windows Powershell, right-click Windows PowerShell, click More, and click Run as administrator, as shown in Figure 95.

Type in the following in the PowerShell window, as shown in Figure 96.

update-help -force

The help text updates, as shown in Figure 96. You can safely ignore any warnings or errors.

To verify that PowerShell Remoting is enabled, type the following in the PowerShell window, as shown in Figure 97.

enable-psremoting

You can access each of the RSAT consoles from the start menu or build an MMC console containing all the snap-ins you use often.

Type mmc and press Enter in the PowerShell window and then exit PowerShell.

The mmc console opens, as shown in Figure 98.

Click File, click Add/Remove Snap-in…, or press Ctrl+M (my preference), as shown in Figure 99.

Double-click the following items, as shown in Figure 100.

• Active Directory Do…
• Active Directory Site…
• Active Directory Use…
• ADSI Edit

Double-click Certification Authority, and on the popup, type in the name of your Certification Authority server and click Finish, as shown in Figure 101.

Scroll down, double-click the following and click OK, as shown in Figure 102.

• DHCP
• DNS
• Group Policy Manag…

Click on and expand each node. Connect to the appropriate server when requested.

Figure 103 shows my console.

I always recommend using these consoles installed on a management computer to avoid logging in on a production server (i.e., domain controller or certificate authority). While our lab servers may not be “production” level servers, we learn a valuable habit: stay off production servers when possible.

Save the mmc console to the location and name of your choice, as shown in Figure 104.

Install SQL Server Management Studio

We install the SQL Server Management Studio (SSMS) in the management computer to avoid logging in to a production SQL Server. While our lab servers may not be “production” level servers, we learn a valuable habit: stay off production servers when possible.

In your internet browser, browse to https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15, and click the link to Download SQL Server Management Studio (SSMS), as shown in Figure 105.

Note: The version number may change.

Click the link your browser provides to open the downloaded file, as shown in Figure 106.

Click Run on the popup, as shown in Figure 107.

You can exit your browser at this point.

Click Install, as shown in Figure 108.

SSMS begins installing, as shown in Figure 109. The installation takes a few minutes.

Click Close, as shown in Figure 110.

Click Start, scroll to and expand Microsoft SQL Server Tools 18, click Microsoft SQL Server Management…, as shown in Figure 111.

Enter the name of your SQL Server and click Connect, as shown in Figure 112.

As shown in Figure 113, we made a connection to the SQL Server.

If you get the error shown in Figure 114, did you remember to create the Inbound TCP Port 1433 firewall rule on the SQL Server?

Exit SSMS.

Install Microsoft Office

I only need Microsoft Excel and Word on my management PC for use with scripting. Unfortunately, if you tell the Office 365 site to install Office or select the Install option from the Office ISO, you get every Office component installed. To restrict what you download, install, and configure, you must use an XML file.

Microsoft makes the Office Customization Tool if you do not know how to create the required XML file.

Open a command prompt.

Make a folder named O365 on the C drive by typing md c:\O365 followed by cd c:\O365, as shown in Figure 115.

In your internet browser, browse to https://config.office.com/ and click Create, as shown in Figure 116.

Select the following, as shown in Figure 117:

Architecture: 64-bit

Office Suites: Microsoft 365 Apps for business

Viso: None (shows as Select Visio product)

Project: None (shows as Select Project product)

Additional products: None (shows as Select Additional product)

Select the update channel and Select the version you prefer, as shown in Figure 118.

Deselect the apps you do NOT want to be installed and click Next, as shown in Figure 119.

Select primary language and any additional languages or proofing tools required and click Next, as shown in Figure 120.

Select Office Content Delivery Network (CDN), leave the other two options at the default settings, and click Next, as shown in Figure 121.

Deselect Uninstall any MSI versions of Office, including Visio and Project, leave the other options at their default settings, and click Next, as shown in Figure 122.

Select Automatically accept the EULA and click Next, as shown in Figure 123.

Enter your organization’s name, an optional description, and click Next, as shown in Figure 124.

Microsoft offers numerous settings for configuring Office applications. If you wish, you can review the options and make any configuration changes required. After reviewing the Application preferences, click Finish, as shown in Figure 125.

Click Export, as shown in Figure 126.

Select your desired Default File Format and click OK. As shown in Figure 127, I prefer using Office Open XML formats.

Select I accept the terms in the license agreement, enter a File Name for the XML file, and click Export, as shown in Figure 128.

Using Windows File Explorer, browse to the location your internet browser save the XML file, typically your user account’s Downloads folder, as shown in Figure 129.

Right-click the XML file and click Copy, as shown in Figure 130.

In Windows File Explorer, browse to C:\O365, right-click in the empty space and click Paste, as shown in Figure 131.

Exit Windows File Explorer.

Now we need to download the Office Deployment Toolkit.

In your internet browser, browse to https://www.microsoft.com/en-us/download/details.aspx?id=49117, and click Download, as shown in Figure 132.

Click the link your browser provides to open the file, as shown in Figure 133.

Click Run, as shown in Figure 134.

Select Click here to accept the Microsoft Software License Terms and click Continue, as shown in Figure 135.

Browse to C:\O365 and click OK, as shown in Figure 136.

Click OK, as shown in Figure 137.

Exit your internet browser.

In the command prompt, type in setup.exe /configure configuration.xml (use your XML file name) and press Enter, as shown in Figure 138.

Office starts installing, as shown in Figures 139 and 140.

When the installation and configuration are complete, click Close, as shown in Figure 141.

Exit the command prompt.

Click Start and verify that only the Office applications you installed are there. I installed only Microsoft Excel and Word, as shown in Figures 142 and 143.

Start any installed Office product to start the licensing and activation process, as shown in Figure 144.

After the activation process completes, click Done, as shown in Figure 145.

Additional Applications

There are many other applications you can install. Feel free to install and configure any software you require.

Here is some of the software I use.

• Citrix PVS Console (Can’t install yet)
• Citrix Studio Console (Can’t install yet)
• Google Chrome
• Notepad++
• Parallels Remote Application Server Console and PowerShell (Can’t install yet)
• PuTTY
• VMware Horizon Dynamic Environment Manager Management Console (Can’t install yet)
• WinSCP

Many management consoles are web-based—for example, vCenter, Citrix Director, VMware Horizon Connection Server, and others. I manage my Netgear switches and WiFi router and my two Synology units using a browser.

Install vCenter Root Certificate

The vCenter root certificate requires installing to manage vCenter from this computer. Citrix Studio also requires it to create a hosting connection to vCenter.

In Part 6, we downloaded the root certificate from vCenter.

Browse to the certs\win folder, as shown in Figure 146.

Double-click the file with the extension “crt”.

Click Open if you receive a file security warning, as shown in Figure 147.

Click Install Certificate…, as shown in Figure 148.

Click Local machine and Next, as shown in Figure 149.

Select Place all certificates in the following store and click Browse…, as shown in Figure 150.

Click on Trusted Root Certification Authorities and click OK, as shown in Figure 151.

Click Next, as shown in Figure 152.

Click Finish, as shown in Figure 153.

Click OK, as shown in Figure 154.

Click OK, as shown in Figure 155.

Using your browser, go to the link for the vCenter Getting Started Page. For me, that is https://vcenter.labaddomain.com, as shown in Figure 156.

Click the padlock symbol, as shown in Figure 157.

Activate Windows 10

If you have a MAPS or similar subscription service, you can activate your copy of Windows 10.

Click Start, Settings, as shown in Figure 158.

Click Windows isn’t activated. Activate Windows now., as shown in Figure 159.

Click Change product key, as shown in Figure 160.

Enter your Windows 10 Product key and click Next, as shown in Figure 161.

Click Activate, as shown in Figure 162.

If your copy of Windows 10 activated successfully, click Close, as shown in Figure 163.  If activation was not successful, resolve the issue and attempt the activation again.

Windows 10 now shows as activated.

Exit all open windows.

Up next: Create a 10ZiG Management Server

Landing page for the article series

With the base of the Vmware infrastructure, Active Directory (AD), Certification Authority (CA), and Group Policy (GPO) built, the next step is to create additional server VMs from the Server 2019 template. We use the VMs built in this article for additional Microsoft infrastructure servers. My lab’s infrastructure VMs reside in my XenServer pool, as explained in the Introduction article. Building a server VM from the Server 2019 template was covered earlier.

From the introduction article, these are the VMs we are building.

Follow the earlier process to build the two servers above, but do not power on the servers. Before we power on the new servers, we need an additional hard drive on each server. For LabFS, that drive is for shared files and folders and LabSQL, SQL databases.

Follow these steps to add the second drive.

VMware

In vCenter, right-click a VM and click Edit Settings…, as shown in Figure 1.

Click ADD NEW DEVICE and click Hard Disk, as shown in Figure 2.

For New Hard disk*, enter 100 for the size in GB and click OK, as shown in Figure 3.

Expand VM Hardware and see both hard disks, as shown in Figure 4.

Repeat for the other server.

Power on both VMs.

XenServer

In XenCenter, select a VM in the left pane and click the Storage tab in the right pane, as shown in Figure 5.

Click Add, as shown in Figure 6.

Enter a Name, Description, type 100 for the Size, and click Add, as shown in Figure 7.

XenCenter shows both hard disks, as shown in Figure 8.

Repeat for the other server.

Power on both VMs.

File Server (LabFS)

The first thing we need to do is join our File Server to the domain.

If you remember, when we created Active Directory in Part 14, I placed all my Microsoft infrastructure servers in a specific OU.

Lab

Infrastructure

Microsoft

Open a PowerShell session and type in the following from one of the domain controllers, as shown in Figure 9.

Get-ADOrganizationalUnit -filter {Name -eq "Microsoft"}

Copy the DistinguishedName property to the clipboard.

We use PowerShell to install and configure the File Server.

Use mstsc to remote into the VM that is our File Server.

Exit Server Manager and start an elevated PowerShell session, as shown in Figure 10.

Copy and paste the following into the elevated PowerShell session and press Enter. The process took less than the blink of an eye to happen, which is why there is no screenshot.

Remember to set the values you need.

Note: Lines may wrap

#Join the computer to the domain</strong>

add-computer -Credential LabADDomain\Administrator `
-DomainName "LabADDomain.com" `
-OUPath "OU=Microsoft,OU=Infrastructure,OU=Lab,DC=LabADDomain,DC=com" `
-Force `
-Restart

#server reboots

After the VM restarts, log in using the domain’s Administrator account and password.

Right-click the Start menu and click Disk Management, as shown in Figure 11.

Select MBR (Master Boot Record) and click OK, as shown in Figure 12.

Right-click the 100GB Unallocated drive and click New Simple Volume…, as shown in Figure 13.

Click Next, as shown in Figure 14.

Click Next, as shown in Figure 15.

Select the drive letter to use and click Next, as shown in Figure 16.

Type in a meaningful Volume label and click Next, as shown in Figure 17.

Click Finish, as shown in Figure 18.

In a few seconds, Disk Management shows the new drive, as shown in Figure 19.

Now to install the server certificate from the CA.

Save the following to a file name c:\CertFiles\computer-request.inf.

I want to thank Michael B. Smith for creating this INF file for me.

Use the data needed for your environment.

LabFS                     = the name of your File Server 
LabADDomain.com           = your domain name 
"LabCA\LabDomain CA Root" = the name of your CA server and the name of your CA.

;----------------- computer-request.inf -----------------
; LabFS.LabADDomain.com
;
; certreq -new computer-request.inf computer-request.req
; certreq -submit -config "LabCA\LabDomain CA Root" computer-request.req computer-request.cer
; certreq -accept -config "LabCA\LabDomain CA Root" computer-request.cer
;

[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=LabFS.LabADDomain.com" ; replace with the FQDN of the File Server
FriendlyName = "Computer (Machine) for LabFS.LabADDomain.com"
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure but have a greater impact on performance.
KeySpec = 1                     ; AT_KEYEXCHANGE
Exportable = TRUE               ; private-key is exportable
MachineKeySet = TRUE            ; goes in machine store instead of user's personal store
SMIME = False                   ; cannot be used for signing S/MIME messages
PrivateKeyArchive = FALSE
HashAlgorithm = sha256          ; "certutil -oid 1 | findstr pwszName" -- gives a list (including sha1)
UserProtected = FALSE
UseExistingKeySet = FALSE       ; we are not renewing a key that already exists
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12               ; for ProviderName and ProviderType, see "certutil -csplist"
RequestType = PKCS10            ; if empty or set to "CERT" then a self-signed cert is created
KeyUsage = 0xa0                 ; 0xa0 - CERT_DIGITAL_SIGNATURE_KEY_USAGE + CERT_KEY_ENCIPHERMENT_KEY_USAGE

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication - PKIX_KP_SERVER_AUTH

[Extensions]
; Note: 2.5.29.17 is the OID for a SAN extension.

2.5.29.17 = "{text}"
_continue_ = "dns=LabFS.LabADDomain.com"

[RequestAttributes]
CertificateTemplate = "Server Template"

;-----------------------------------------------

Open an elevated command prompt.

Type in cd c:\CertFiles and press Enter.

The three commands we need to run are at the top of the computer-request.inf file.

Type in notepad computer-request.inf and press Enter.

Copy the line certreq -new computer-request.inf computer-request.req, paste it in the elevated command prompt, and press Enter.

Copy the line certreq -submit -config “LabCA\LabDomain CA Root” computer-request.req computer-request.cer, paste it in the elevated command prompt, and press Enter.

Note: If you get a warning similar to the following, you can ignore the warning. The warning tells you that the certificate request validity period is past the lifetime of the CA’s root certificate lifespan.

Certificate retrieved(Issued)Issued The certificate validity period will be shorter than the Server Template Certificate Template specifies because the template validity period is longer than the maximum certificate validity period allowed by the CA.  Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period.

Copy the line certreq -accept -config “LabCA\LabDomain CA Root” computer-request.cer, paste it in the elevated command prompt, and press Enter.

Figure 20 shows the results of running the certificate request commands.

There is nothing else to do with the File Server VM at this point in this article series.

SQL Server (LabSQL)

Follow the same steps as the File Server to join the domain and provision the 100GB hard disk.

There are several pieces of information needed before installing Microsoft SQL Server.

1. Applications used in the lab
2. What versions of Microsoft SQL Server do the applications support?
3. Do the applications require any unique configuration in SQL Server?

In my lab, the products that use Microsoft SQL Server are Citrix Virtual Apps and Desktops (CVAD), Citrix Provisioning Services (PVS), and VMware Horizon. Both vendors provide documentation on the supported version of SQL Server.

Note: Parallels uses SQL Server for Parallels RAS Reporting, which I don’t use in the lab.

Supported Databases for Citrix Virtual Apps and Desktops and Provisioning Services

VMware Product Interoperability Matrix

In my lab, I run the latest version of each product.

• CVAD 2103
• PVS 2012
• VMware Horizon 8 2106

Using the links above, we can see that the current version of SQL Server supported is 2019.

Note: Starting with CVAD 2003, Citrix removed support for versions of SQL Server before SQL Server 2016. That leaves three versions of SQL Server supported: 2016, 2017, and 2019.

Figure 21 shows CVAD and PVS.

Figure 22 shows VMware Horizon 8 2106. Unfortunately, the VMware Product Interoperability Matrix does not allow you to select “Microsoft SQL Server”, nor does it allow you to sort the results. Yes, I left feedback on these shortcomings. Since I initially published this article, VMware added the capability to select a specific database version. I selected SQL Server 2019 Standard.

From both images, all the products support SQL Server 2019. Now, are there any particular configuration options required?

CVAD from https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/technical-overview/databases.html:

Windows authentication is required for connections between the Controller and the SQL Server site database.

Each database must have the following characteristics:

• Use a collation that ends with _CI_AS_KS. Citrix recommends using a collation that ends with _100_CI_AS_KS.
• For optimum performance, enable the SQL Server Read-Committed Snapshot. For details, see CTX 137161.

PVS from https://docs.citrix.com/en-us/provisioning/current-release/system-requirements.html:

When configuring databases for provisioning, consider that no preference exists for any specific SQL collation. Collation supports the standard method recommended by Citrix Virtual Apps and Desktops when using the configuration wizard. The administrator creates the database with a collation that ends with _CI_AS_KS. Citrix recommends using a collation that ends with _100_CI_AS_KS.

VMware Horizon from https://docs.vmware.com/en/VMware-Horizon/2103/horizon-installation.pdf:

Prepare an SQL Server Database for Event Reporting in Horizon Console

Before you can use Horizon Console to configure an event database on Microsoft SQL Server, you must configure the correct TCP/IP properties and verify that the server uses SQL Server Authentication.

Prerequisites

• Create an SQL Server database for event reporting. See Add a Database and Database User for VMware Horizon Events in Horizon Console.
• Verify that you have the required database privileges to configure the database.
• Verify that the database server uses the SQL Server Authentication method of authentication. Do not use Windows Authentication.

From these requirements, we know the following.

1. SQL Server must use both SQL Server and Windows Authentication
2. Enable SQL Server Read-Committed Snapshots
3. When creating a database for CVAD or PVS, make sure the database uses a collation that ends with _100_CI_AS_KS

Install Microsoft SQL Server 2019

Evaluation SQL Server 2019

You can download a 180-day evaluation copy of Microsoft SQL Server 2019 from the Microsoft Evaluation Center.

Copy the SQL2019-SSEI-Eval.exe file to the LabSQL server in C:\SQL2019.

Right-click SQL2019-SSEI-Eval.exe and click Run as administrator, as shown in Figure 23.

Click Download Media, as shown in Figure 24.

Select ISO, type in C:\SQL2019 for SELECT DOWNLOAD LOCATION, and click Download, as shown in Figure 25.

After the download completes, click Open folder, as shown in Figure 26.

Right-click the ISO file and click Mount, as shown in Figure 27.

Right-click setup.exe and click Run as administrator, as shown in Figure 28.

In the left pane, click Installation and in the right pane, click New SQL Server stand-alone installation or add features to an existing installation, as shown in Figure 29.

Click Next, as shown in Figure 30.

Select I accept the license terms and and click Next, as shown in Figure 31.

Select Use Microsoft Update to check for updates (recommended) and click Next, as shown in Figure 32.

Ignore the Windows Firewall warning and click Next, as shown in Figure 33.

Select Database Engine Services, as shown in Figure 34.

Scroll down and select Client Tools Connectivity and click Next, as shown in Figure 35.

Click Next, as shown in Figure 36.

Click the Collation tab and click Customize…, as shown in Figure 37.

Citrix requires a particular collation. Select Windows collation designator and sort order, and scroll down to select Latin1_General_100, as shown in Figure 38.

Select Accent-sensitive and Kana-sensitive, and click OK, as shown in Figure 39.

Notice the Collation is Latin1_General_100_CI_AS_KS, as recommended by Citrix.

“Citrix recommends using a collation that ends with _100_CI_AS_KS”

Click Next, as shown in Figure 40.

Because VMware requires SQL authentication and Citrix requires Windows authentication, select Mixed Mode (SQL Server authentication and Windows authentication), enter a password for the SQL Server’s sa account, and click Add Current User, as shown in Figure 41.

Clicking the Add Current User adds the domain’s administrator account as a SQL Server administrator.

Click Add, as shown in Figure 42.

We created two service accounts earlier—one for Citrix and one for VMware. Add the two service accounts and other required accounts or groups and click OK, as shown in Figure 43.

Click the Data Directories tab, change the Data root directory to the drive letter assigned to the second hard disk on the SQL server, and click Next, as shown in Figure 44.

Verify all the information is correct and click Install, as shown in Figure 45. If any information is not correct, click Back, correct the information, and then continue.

As shown in Figure 46, the SQL Server installation begins.

Once the installation completes, click Close, as shown in Figure 47.

Close all windows.

Full SQL Server 2019

Mount the SQL Server 2019 ISO to the VM.

Change to the D drive (or the CD/DVD drive where the ISO is mounted), right-click setup.exe, and click Run as administrator, as shown in Figure 48.

In the left pane, click Installation and in the right pane, click New SQL Server stand-alone installation or add features to an existing installation, as shown in Figure 49.

Click Next, as shown in Figure 50.

Select I accept the license terms and and click Next, as shown in Figure 51.

Follow the process as shown in Figures 32 through 47.

Now to install the server certificate from the CA.

Save the following to a file name c:\CertFiles\computer-request.inf.

I want to thank Michael B. Smith for creating this INF file for me.

Use the data needed for your environment.

LabSQL                    = the name of your SQL Server
LabADDomain.com           = your domain name
"LabCA\LabDomain CA Root" = the name of your CA server and the name of your CA.

;----------------- computer-request.inf -----------------
; LabSQL.LabADDomain.com
;
; certreq -new computer-request.inf computer-request.req
; certreq -submit -config "LabCA\LabDomain CA Root" computer-request.req computer-request.cer
; certreq -accept -config "LabCA\LabDomain CA Root" computer-request.cer
;

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=LabSQL.LabADDomain.com" ; replace with the FQDN of the SQL Server
FriendlyName = "Computer (Machine) for LabSQL.LabADDomain.com"
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure but have a greater impact on performance.
KeySpec = 1                     ; AT_KEYEXCHANGE
Exportable = TRUE               ; private-key is exportable
MachineKeySet = TRUE            ; goes in machine store instead of user's personal store
SMIME = False                   ; cannot be used for signing S/MIME messages
PrivateKeyArchive = FALSE
HashAlgorithm = sha256          ; "certutil -oid 1 | findstr pwszName" -- gives a list (including sha1)
UserProtected = FALSE
UseExistingKeySet = FALSE       ; we are not renewing a key that already exists
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12               ; for ProviderName and ProviderType, see "certutil -csplist"
RequestType = PKCS10            ; if empty or set to "CERT" then a self-signed cert is created
KeyUsage = 0xa0                 ; 0xa0 - CERT_DIGITAL_SIGNATURE_KEY_USAGE + CERT_KEY_ENCIPHERMENT_KEY_USAGE

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication - PKIX_KP_SERVER_AUTH

[Extensions]
; Note: 2.5.29.17 is the OID for a SAN extension.

2.5.29.17 = "{text}"
_continue_ = "dns=LabSQL.LabADDomain.com"

[RequestAttributes]
CertificateTemplate = "Server Template"

;-----------------------------------------------

Open an elevated command prompt.

Type in cd c:\CertFiles and press Enter.

The three commands we need to run are at the top of the computer-request.inf file.

Type in notepad computer-request.inf and press Enter.

Copy the line certreq -new computer-request.inf computer-request.req, paste it in the elevated command prompt, and press Enter.

Copy the line certreq -submit -config “LabCA\LabDomain CA Root” computer-request.req computer-request.cer, paste it in the elevated command prompt, and press Enter.

Note: If you get a warning similar to the following, you can ignore the warning. The warning tells you that the certificate request validity period is past the lifetime of the CA’s root certificate lifespan.

Certificate retrieved(Issued)Issued The certificate validity period will be shorter than the Server Template Certificate Template specifies because the template validity period is longer than the maximum certificate validity period allowed by the CA.  Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period.

Copy the line certreq -accept -config “LabCA\LabDomain CA Root” computer-request.cer, paste it in the elevated command prompt, and press Enter.

Figure 52 shows the results of running the certificate request commands.

We need to configure a firewall rule to allow TCP port 1433 Inbound. If we don’t, when we create the management computer and install the SQL Server Management Studio, we can’t connect from the management computer to the SQL Server.

Please see Configure the Windows Firewall to Allow SQL Server Access.

Copy the following into the elevated command prompt and press Enter, as shown in Figure 53.

netsh advfirewall firewall add rule name = "SQL Server TCP Port 1433 Inbound" dir = in protocol = tcp action = allow localport = 1433 remoteip = localsubnet profile = Any

In the elevated command prompt, type in wf.msc, and press Enter to start Windows Defender Firewall with Advanced Security, as shown in Figure 54.

In the left pane, click Inbound Rules, and you see the new SQL Server firewall rule in the middle pane, as shown in Figure 55.

License Server

I use the second domain controller (DC), LabDC2, as my lab’s Citrix and Remote Desktop license server. Both components are lightweight and place no processing or security burden on the DC.

Remote Desktop Licensing

If you do not have a Microsoft Action Pack Subscription (MAPS) for Remote Desktop licenses, never fear as there is a 120-day grace period for clients that connect to a Remote Desktop Session Host server (RDSH).

License your RDS deployment with client access licenses (CALs)

There is a licensing grace period of 120 days, during which no license server is required. Once the grace period ends, clients must have a valid RDS CAL issued by a license server before they can log on to an RD Session Host server.

Until Citrix develops a community license program as Microsoft and VMware have, you have a 30-day grace period (provided you can find a CVAD product ISO to download).

To install Remote Desktop Licensing on LabDC2, start an elevated PowerShell session and enter the following command, as shown in Figure 56.

Install-WindowsFeature RDS-Licensing –IncludeAllSubFeature -IncludeManagementTools

Leave the PowerShell session open.

Click the Start Menu, expand Windows Administrative Tools, and click Remote Desktop Licensing Manager, as shown in Figure 57.

Expand All servers, right-click LabDC2, and click Activate Server, as shown in Figure 58.

Click Next, as shown in Figure 59.

Verify that the Connection method is Automatic connection and click Next, as shown in Figure 60.

Enter the required information and click Next, as shown in Figure 61.

If you wish, enter the optional information and click Next, as shown in Figure 62.

Leave Start Install License Wizard now selected and click Next, as shown in Figure 63.

Click Next, as shown in Figure 64.

For MAPS RDS CALs, verify the License program is License Pack (Retail Purchase) and click Next, as shown in Figure 65.

Enter your MAPS RDS CALs, click Add, and click Next, as shown in Figure 66.

After the license is installed, click Finish, as shown in Figure 67.

If your license did not install, either retry the installation or call the Microsoft Clearinghouse. The most frequent error I see is when someone moves RDS CALs to another server without deactivating the original server first.

Still in the RD Licensing Manager console, right-click LabDC2 and click Review Configuration, as shown in Figure 68.

Click Add to Group, as shown in Figure 69.

Click Continue, as shown in Figure 70.

Click OK, as shown in Figure 71.

We get a notice that the Remote Desktop Licensing service requires a restart, as shown in Figure 72.

In the elevated PowerShell session, type in the following commands, as shown in Figure 73.

Stop-Service TermServLicensing
Start-Service TermServLicensing

Exit the PowerShell session.

Click OK, as shown in Figure 74.

If you compare Figure 68 to Figure 75, you see a green checkmark next to the server name.

If you follow the steps for Figures 68 and 69, you see both items have green checkmarks now, as shown in Figure 76.

Exit the RD Licensing Manager console.

Citrix Licensing

Citrix Licensing documentation

Note: NEVER browse the internet or download files from a domain controller. That is a bad habit that can have dire consequences.

There are multiple ways to get Citrix Licensing.

1) From the internet browser on LabFS, browse to https://www.citrix.com/downloads/licensing/ and download the latest License Server for Windows to E:\CitrixLicense, as shown in Figures 77 and 78.

2) Mount the latest CVAD ISO to the LabDC2 VM, browse to x:\x64\Licensing (where x is the drive letter for the CD/DVD drive), as shown in Figure 79.

Right-click CitrixLicensing.exe and click Run as administrator, as shown in Figure 80.

Select I have read, understand, and accept the terms of the license agreement and click Next, as shown in Figure 81.

Click Next, as shown in Figure 82.

Leave all options at their default settings and click Next, as shown in Figure 83.

At this time, Citrix does not have a community license program available, so I am using the license provided to me courtesy of the CTP program. I must manually renew the license file every year.

Select Manually check for Customer Success Services renewal licenses and click Install, as shown in Figure 84.

When the installation completes, click Finish, as shown in Figure 85.

Citrix license files are associated with the CaSe senSiTivE name of the server. Start a command prompt and type in hostname to verify the correct hostname, as shown in Figure 86.

When allocating Citrix licenses, you get to enjoy the painful license return and reallocate process if you get the hostname wrong. Get it right the first time.

Keep the command prompt open.

My preferred way of getting Citrix license files onto a Citrix license server is to copy the .lic files to C:\Program Files (x86)\Citrix\Licensing\MyFiles and restart the Citrix Licensing service.

Once you copy your license files to C:\Program Files (x86)\Citrix\Licensing\MyFiles, enter the following commands from the command prompt, as shown in Figure 87.

net stop "Citrix Licensing" && net start "Citrix Licensing"

You can verify that the Citrix license file is valid by looking in the Application event log for Event ID 20736 from source Citrix_Licensing, as shown in Figure 88.

Following the steps used in Citrix XenServer Host and Pool ConfigurationI applied the new license file to my two XenServer pools, as shown in Figure 89.

Up next: Create a Management Computer

Landing page for the article series

1. Update DNS server entries for each XenServer host
2. Join the XenServer Pool to the lab’s Active Directory (AD) domain
3. Create a Read-only account for use with monitoring software, like ControlUp and Goliath Technologies

The only way to create additional non-root accounts for use in XenCenter is by joining the resource pool to AD. Once the Pool is in AD, the Users tab allows us to select accounts for Role-Based Access Control.

Start and, if required, connect or log in to XenCenter.

DNS

Note: I rewrote this section on 25-Jul-2021 to work around a XenServer bug where the DNS server (nameserver) entries in /etc/resolv.conf created using the original method (and several others I tried) never survived a host reboot. This new method has survived several restarts of every host and a shutdown of the entire pool.

Before the Pool can join AD, you must reconfigure the XenServer hosts to use the AD DNS servers. There is no central way to change the DNS server information on every XenServer host at one time. You must change each host independently.

In the left pane, expand the resource pool, and in the right pane, click the Networking tab, as shown in Figure 1.

Click Configure…, as shown in Figure 2.

Verify the Network is the Management bond of Bond 0 + 1, enter the desired DNS servers for Preferred DNS server and Alternate DNS server 1, and click OK, as shown in Figure 3.

Right-click the host and click Reboot, as shown in Figure 4.

Click Yes, Reboot, as shown in Figure 5.

After the host reboots, click the Console tab and enter the password for the root account, as shown in Figure 6.

Type in cat /etc/resolv.conf and press Enter, as shown in Figure 7.

The two DNS servers should be there, as shown in Figure 8.

Repeat the process shown in Figures 1 through 8 for the remaining XenServer hosts.

Active Directory

In the left pane, click the resource pool and in the right pane, click the Users tab, and click Join Domain…, as shown in Figure 9.

Enter the name for the Domain and the domain’s administrator account and password, and press Enter, as shown in Figure 10.

Figure 11 shows XenCenter enabling AD authentication.

After a few seconds, XenCenter shows the Pool is a member of the AD domain, as shown in Figure 12.

On the first domain controller, open Active Directory Users and Computers.

As shown in Figure 13, the XenServer hosts are in the Computers container.

We could use PowerShell to move the four computer accounts from CN=Computers,DC=LabADDOmain,DC=COM to OU=Citrix,OU=Infrastructure,OU=Lab,DC=LabADDomain,DC=COM, but that would require four lines of PowerShell. In my opinion, the quickest way is to expand the Lab OU, and expand the Infrastructure OU. Now select all four XenServer hosts and Drag and Drop them into the Citrix OU, as shown in Figure 14.

Click Yes, as shown in Figure 15.

The XenServer hosts are now in the Citrix OU, as shown in Figure 16.

Create a Read-only Account

In my lab, I use monitoring software from vendors like ControlUp and Goliath Technologies. To provide for Least Privilege Access, use a Read-only account.

First, we need to create an AD service account to assign the XenCenter Read-only Role.

On the first DC, open an elevated PowerShell session.

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 17.

Remember to set the values you need.

Note: Lines may wrap

#Create the service account svc_CitrixReadOnly for Read-only XenCenter permissions

$ADDomain = "LabADDomain"
$TLD = "com"
$Protect = $False

$UserPwd = Read-Host -AsSecureString -Prompt "Enter password"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-Description "DO NOT CHANGE THE PASSWORD OR DELETE/DISABLE ACCOUNT" `
-DisplayName "svc_CitrixReadOnly" `
-Enabled $True `
-GivenName "svc_CitrixReadOnly" `
-Name "svc_CitrixReadOnly" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Service,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "svc_CitrixReadOnly" `
-UserPrincipalName "svc_CitrixReadOnly@LabADDomain.com"

Back in XenCenter, click Add…, as shown in Figure 18.

Enter the name of the new Citrix Read-only account and click Grant Access, as shown in Figure 19.

Click Close, as shown in Figure 20.

Select the Citrix Read-only account and click Change Role…, as shown in Figure 21.

Select Read Only and click Save, as shown in Figure 22.

The account is ready for use, as shown in Figure 23.

Next up: Create Additional Servers

Landing page for the article series

Before getting to work adding Citrix Virtual Apps and Desktops (CVAD), and VMware Horizon to the lab, there are a few additional items on the vCenter to-do list.

1. Join vCenter to the lab’s Active Directory (AD) domain
2. Add the lab’s AD to the SSO
3. Create a Citrix related service account with minimum vCenter permissions for the hosting connection in Citrix Studio and with Citrix App Layering
4. Create a VMware related service account with minimum vCenter permissions for VMware Horizon
5. Create a Read-only account for use with monitoring software, like ControlUp and Goliath Technologies

Log in to vCenter.

Active Directory

From the Menu dropdown, select Administration, as shown in Figure 1.

Click Configuration, Active Directory Domain, and click Join AD, as shown in Figure 2.

Enter the Domain, a Username, a Password, and click JOIN, as shown in Figure 3.

If you want the vCenter computer account in a specific Organizational Unit (OU), as I do, enter the Organization Unit.

The vCenter appliance is now a domain member but needs a restart.

From the Menu dropdown, select VMs and Templates, as shown in Figure 4.

Expand the cluster, right-click the vCenter VM, click Power, and click Restart Guest OS, as shown in Figure 5.

Click Yes to confirm the restart, as shown in Figure 6.

Wait about 10 minutes before trying to log in to vCenter.

If you specified an OU to place the vCenter computer account while waiting for the vCenter appliance to restart, go to one of the domain controllers and open the Active Directory Users and Computers console. Browse to the OU specified and verify the vCenter computer account exists, as shown in Figure 7.

At this point, you must use the administrator vCenter account to log in. Even though we joined vCenter to the AD domain, the AD domain isn’t a Single Sign-On domain yet.

Once logged on to vCenter, go back to Administration/Single Sign On/Configuration, as shown in Figure 8.

Click Identity Sources and click ADD IDENTITY SOURCE, as shown in Figure 9.

Select Active Directory (Windows Integrated Authentication) from the Identity source type dropdown. If it is not already populated, enter the Domain name, select Use machine account, and click ADD, as shown in Figure 10.

The AD domain now shows as an Identity Source, as shown in Figure 11.

We are not yet ready to log in to vCenter with AD credentials. First, we must add users and groups from the AD domain to a vCenter security role.

Click Global Permissions, as shown in Figure 12.

Click + (Plus sign) as shown in Figure 13.

Select the AD domain name from the Domain dropdown, type Domain Admins in the User/Group field, for Role, select Administrator, select Propagate to children, and click OK, as shown in Figure 14.

Now we can log in to vCenter with an AD domain account.

Log off vCenter and log in with an AD domain account granted permission, as shown in Figures 15 and 16.

Figure 17 shows a successful login with AD domain credentials.

Next, we need permissions for service accounts for Citrix Virtual Apps and Desktops (CVAD) and VMware Horizon. First up, CVAD.

Citrix Virtual Apps and Desktops and App Layering vCenter Permissions

I need a vCenter account for my lab to use with both the CVAD Hosting Connection in Citrix Studio and Citrix App Layering.

Citrix details the required permissions at  CVAD VMware virtualization environments and Citrix App Layering VMware vSphere.

To save time, here are the combined permissions with all the duplicates removed. I put an “(AL)” by the permissions that apply only to Citrix App Layering. If you do not use App Layering, you can safely ignore those permissions. I took these permissions from the CVAD 2103 and App Layering 2104 documentation. I also fixed the names of the permissions that Citrix has wrong in their documentation.

Table 1 vCenter Permissions for CVAD and App Layering

We created the svc_CtxVMware account previously.

In the vCenter console, go to Menu -> Administration, as shown in Figure 18.

Expand Access Control, click Roles, and click the + (Plus sign), as shown in Figure 19.

The hard part is going through all the settings in Table 1 and selecting the required permissions, as shown in Figure 20.

Hey VMware, it would be nice if this dialog box were resizable.

Continue selecting the required permissions. When all permissions are selected, click Next, as shown in Figure 21.

Enter a Role name and an optional Description, click Finish, as shown in Figure 22.

Click Global Permissions and click the + (Plus sign), as shown in Figure 23.

Select your AD domain in the Domain dropdown, then enter the service account name, select the just created Role, you must select Propagate to children, and click OK, as shown in Figure 24.

If you are following this article series, there is no CVAD infrastructure to test the account.

VMware Horizon vCenter Permissions

VMware lists their required permissions for Horizon 8 2106 at Privileges Required for the vCenter Server User.

Figures 25 and 26 show the required permissions for the VMware Horizon 8 2106 service account.

Hey VMware, it would be better to list the Privilege Group on vCenter Server and Privileges to Enable in the same order they appear in the vCenter New Role wizard.

Table 2 vCenter Permissions for Horizon – Ordered List

We created the svc_VMwareHorizon AD account previously.

Expand Access Control, click Roles, and click the + (Plus sign), as shown in Figure 27.

The hard part is going through all the settings and selecting the required permissions, as shown in Figure 28.

Continue selecting the required permissions. When all permissions are selected, click Next, as shown in Figure 29.

Enter a Role name and an optional Description, click Finish, as shown in Figure 30.

Click Global Permissions and click the + (Plus sign), as shown in Figure 31.

Select your AD domain in the Domain dropdown, enter the service account name, select the just created Role, select Propagate to children, and click OK, as shown in Figure 32.

If you are following this article series, there is no Horizon infrastructure to test the account.

Leave the vCenter console open to Global Permissions.

Create a Read-only Account

In my lab, I use monitoring software from vendors like ControlUp and Goliath Technologies. To provide for Least Privilege Access, use a Read-only account.

First, we need to create an AD service account to assign the vCenter Read-only Role.

On the first DC, open an elevated PowerShell session.

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 33.

Remember to set the values you need.

Note: Lines may wrap

#Create the service account svc_VMwareReadOnly for Read-only vCenter permissions

$ADDomain = "LabADDomain"
$TLD = "com"
$Protect = $False

$UserPwd = Read-Host -AsSecureString -Prompt "Enter password"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-Description "DO NOT CHANGE THE PASSWORD OR DELETE/DISABLE ACCOUNT" `
-DisplayName "svc_VMwareReadOnly" `
-Enabled $True `
-GivenName "svc_VMwareReadOnly" `
-Name "svc_VMwareReadOnly" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Service,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "svc_VMwareReadOnly" `
-UserPrincipalName "svc_VMwareReadOnly@LabADDomain.com"

In Global Permissions, click the “+“, as shown in Figure 34.

Change the Domain to the AD domain, select the new Read-only account for User/Group, select the Read-only Role, select Propagate to children, and click OK, as shown in Figure 35.

The new Read-only account is added to the list, as shown in Figure 36.

Next up: Additional XenCenter Configuration

Landing page for the article series

With the domain controllers built, Active Directory (AD) configured, and the Certificate Authority Server configured, the next step is to create the initial settings within Group Policy Objects (GPOs). The primary purpose of the Group Policy engine is to apply policy settings to computers and users in an AD domain, enabling administrators to automate one-to-many management of settings to users and computers.  Using Group Policy as a settings delivery engine simplifies administrative tasks and reduces IT costs.  Administrators can efficiently implement security settings and enforce IT policies consistently across a given site, domain, or range of organizational units.

Group Policy consists of many pieces and parts, and there are tens of thousands of possible settings and options available. Here are a few helpful links to help you better understand Group Policy.

• Group Policy Overview
• Group Policy Planning and Deployment Guide
• What are Group Policy and Group Policy Objects?
• Group Policy Settings Storage (PDF)

One of my Group Policy mentors, Darren Mar-Elia, has several Group Policy training videos on Pluralsight.

• Group Policy Fundamentals
• Windows Server 2019: Group Policy Fundamentals
• Play by Play: Group Policy Best Practices with Darren Mar-Elia
• Best Practices for Group Policy Deployment and Management
• Designing and Managing a Group Policy Deployment

My other Group Policy mentor, Jeremy Moskowitz, has a Group Policy book you should read (I have all six editions). He also has a Group Policy training course which has hands-on labs. The course is in-person or online (labs are the same).

If you want a deep dive into all the technical details of Group Policy, please see Group Policy Protocols Overview and click the link to download a PDF or Word document. That is a great document to read if you have insomnia.

Default GPOs

When we created the AD domain in Part 14, the process created two default group policies: the Default Domain Policy and the Default Domain Controllers Policy.

Paraphrased from Group Policy Protocols Overview.

Default Domain Policy: A default GPO created and linked to the domain whenever a server becomes the first domain controller in a domain. It has the highest precedence of all GPOs linked to the domain, and it applies to all users and computers in the domain. The Default Domain Policy GPO is generally used to manage default account settings, although there are exceptions to this practice. For other areas of policy management, you can create new GPOs; however, some policy settings are best configured at the domain level, and there are no restrictions against doing so.

Default Domain Controllers Policy: A default GPO created and linked to the “Domain Controllers” OU whenever a server becomes the first domain controller in a domain. This GPO represents the default policy applied to all domain controllers in the Domain Controllers container.

In an article for the Dcgpofix utility, Microsoft makes statements about what those two GPOs should contain.

Default Domain Policy: As a best practice, you should configure the Default Domain Policy GPO only to manage the default Account Policies settings, Password Policy, Account Lockout Policy, and Kerberos Policy.

Default Domain Controllers Policy: As a best practice, you should only configure the Default Domain Controllers Policy GPO to set user rights and audit policies.

I recommend you limit the changes made to the two default GPOs to specifically the areas instructed. If you wish to create new and existing “other policy items”, then instead, create new GPOs as needed to control your required domain and domain controller policy settings. If you ever find yourself needing to run the dcgpofix utility, you lose any changes made to those original built-in GPOs. This includes password settings and account lockout settings in the Default Domain Policy.

Figure 1 shows the settings in my Default Domain Policy. User Configuration settings should not exist in this GPO.

Figure 2 shows the settings in my Default Domain Controllers Policy. User Configuration settings should not exist in this GPO.

Authoritative Time Server GPO

Time is one of the most critical components that always makes AD work and work correctly. AD cannot work correctly if time synchronization is off between domain controllers and member computers. For example, in Kerberos V5 (which AD uses), computers that are more than five minutes out of sync may not authenticate by default. Another example is replication; AD uses timestamps to resolve replication conflicts.

I use the script from Jeremy Saunders to automate the creation and maintenance of time server settings.

Script to Create Group Policy Objects and WMI Filters to Manage the Time Server Hierarchy – http://www.jhouseconsulting.com/2014/01/10/script-to-create-group-policy-objects-and-wmi-filters-to-manage-the-time-server-hierarchy-1153

There is one change needed in the script. The script uses servers from pool.ntp.org for Australia, where Jeremy is based.

Change this line:

$TimeServers = "0.au.pool.ntp.org,0x8 1.au.pool.ntp.org,0x8 2.au.pool.ntp.org,0x8 3.au.pool.ntp.org,0x8"

To:

$TimeServers = "north-america.pool.ntp.org,0x8"

Note: Use the servers for your geolocation. You can also use dedicated hardware or a network appliance as your time source. Use the IP address. For example, “10.20.30.40, 0x8”

After you download and modify Jeremy’s script, save it on the first domain controller in c:\Scripts, as shown in Figure 3.

Open an elevated PowerShell session and enter the following commands, as shown in Figure 4.

cd c:\Scripts
.\CreateTimeServerGPOs.ps1

Press Enter and the script runs, as shown in Figure 5.

What did the script do?

Open the Group Policy Management Console (GPMC) by typing in gpmc.msc in the elevated PowerShell window and pressing Enter.

Expand the GPMC to view more content.

Expand the Forest.

Expand Domains.

Expand the Domain.

Expand Domain Controllers.

Expand Group Policy Objects.

Expand WMI Filters.

Figure 6 shows the three GPOs and the two WMI filters that Jeremy’s script created.

What these GPOs and WMI filters do is make your life easy. You never have to worry about ensuring the DC that holds the PDCe FSMO role is configured correctly as the authoritative time server. You never have to worry about transferring or seizing the PDCe FSMO role to another DC or about configuring that DC as the authoritative time server. You never have to worry if all the other servers and computers in your domain are configured correctly for the AD time hierarchy. All these concerns are handled by the GPOs that Jeremy’s script created.

To verify the GPOs are working correctly, open the Event Viewer on all three servers we have in the lab at this point.

On the PDCe DC, look for Event IDs 37 and 35, as shown in Figures 7 and 8.

Wait several minutes, then on the other DC, look for Event IDs 37 and 35, as shown in Figures 9 and 10.

Note: If you don’t want to wait, restart the Windows Time service.

PowerShell:

Stop-Service W32Time
Start-Service W32Time

Command Prompt:

net stop w32time && net start w32time

On the CA, after waiting several minutes, look for Event IDs 37 and 35, as shown in Figures 11 and 12.

Install Root and Intermediate Certificates

So far, we reviewed the two default policies and let PowerShell do all the work for the authoritative time server policy. We manually create the following policy.

I recommend creating all GPOs in the Group Policy Objects node in the GPMC. Why? If you create and link a GPO at any level, that GPO is immediately LIVE; and any changes you make could apply to whatever computers or users reside in the level you are working at any time. That is dangerous if you work on a policy and it’s incomplete. Or if you create or edit a security or lockdown policy and you make an inadvertent change. I prefer to create GPOs first, then after completing the work, link the GPO to the appropriate level(s), which puts its proposed actions into practice.

In the GPMC, right-click Group Policy Objects and click New, as shown in Figure 13.

Give the new policy a meaningful Name and click OK, as shown in Figure 14.

I have recommendations I make to customers for how to name GPOs.

• Convention: Policy Add-in Type (C or U or CU)-Policy Name
  • C = computer
  • U = User
  • CU = Computer and User
• Policy Name – Whatever makes sense but should be meaningful to the use of the GPO
• The policy name must not contain any of the following reserved characters:
  • < – less than
  • > – greater than
  • : – colon
  • ” – double-quote
  • \ – backslash
  • / – forward slash
  • | – The pipe symbol
  • ? – question mark
  • * – asterisk
• Examples:
  • (C) – Loopback Replace
  • (U) – IE Site to Zone Mapping
  • (CU) – Google Chrome Settings
  • (C) – Domain Password Policy – Enforced

Why the restriction on characters allowed in the GPO name? You can create a GPO with those characters in the GPO name. The problem comes when using PowerShell to create GPO backups and reports. PowerShell cannot create folders and files for a GPO with any reserved characters in the GPO’s name. Please see this article from Microsoft. Naming Files, Paths, and Namespaces

Right-click the new GPO and click Edit…, as shown in Figure 15.

In the left pane, expand Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies, and in the right pane, click Certificate Services Client – Auto-Enrollment, as shown in Figure 16.

Double-click Certificate Services Client – Auto-Enrollment and change Configuration Model to Enabled, as shown in Figure 17.

Select Renew expired certificates, update pending certificates, and remove revoked certificates, and Update certificates that use certificate templates, and click OK, as shown in Figure 18.

Right-click Trusted Root Certification Authorities and click Import…, as shown in Figure 19.

Click Next, as shown in Figure 20.

Click Browse…, as shown in Figure 21.

Browse to the folder created on the CA server, click the exported Root Certificate file, and click Open, as shown in Figure 22.

Click Next, as shown in Figure 23.

Click Next, as shown in Figure 24.

Click Finish, as shown in Figure 25.

Click OK, as shown in Figure 26.

In the right pane, you see the Root Certificate added, as shown in Figure 27.

Right-click Intermediate Certification Authorities and click Import…, as shown in Figure 28.

Click Next, as shown in Figure 29.

Click Browse…, as shown in Figure 30.

Browse to the folder created on the CA server, click the exported Intermediate Certificate file, and click Open, as shown in Figure 31.

Click Next, as shown in Figure 32.

Click Next, as shown in Figure 33.

Click Finish, as shown in Figure 34.

Click OK, as shown in Figure 35.

In the right pane, you see the Intermediate Certificate added, as shown in Figure 36.

Exit the Group Policy Management Editor (not the GPMC).

I want this certificate group policy to apply to all computer accounts in the Lab OU since all computer accounts, other than domain controllers, must exist in that OU tree.

Right-click the Lab OU and click Link an Existing GPO…, as shown in Figure 37.

Select the new GPO and click OK, as shown in Figure 38.

Expand the Lab OU, and see the certificate group policy is at the top level of the Lab OU tree, as shown in Figure 39. This means that as computers join the domain and are placed in the Lab OU tree, they automatically receive this group policy on the first reboot.

Lab Defaults

Now you know how to create, edit, and link a GPO. For this GPO, I give you the recommended settings I use in my lab. You can decide which settings make sense for you, plus any additional settings you may want to add. Remember, there are thousands of settings from which to choose.

This GPO contains computer settings I apply to every computer in the domain.  You can find all of the settings here in Computer Configuration / Policies.

Windows Settings | Security Settings | System Services | DNS Client. Check “Define this Setting” and then specify “Automatic.” Leave other settings as-is. [Webster: I have seen customers have issues where the DNS Client Service somehow gets set to disabled. If this service is disabled, there could be name resolution issues.]

Administrative Templates | Control Panel | Regional and Language Options | Handwriting personalization | Turn off automatic learning. Set to Enabled.

Administrative Templates | Network | Link-Layer Topology Discovery | Turn on Mapper I/O (LLTDIO) driver. Set to Enabled and select Allow operation while in domain. [Webster: Without this configured, no computer in the domain can browse and find the File Server.]

Administrative Templates | Network | Link-Layer Topology Discovery | Turn on Responder (RSPNDR) driver. Set to Enabled and select Allow operation while in domain. [Webster: Without this configured, no computer in the domain can browse and find the File Server.]

Administrative Templates | System | Server Manager | Do not display Initial Configuration Tasks window automatically at logon. Set to Enabled. [Webster: Reduces the clutter on a computer’s screen at startup.]

Administrative Templates | System | Server Manager | Do not display Server Manager automatically at logon. Set to Enabled. [Webster: Reduces the clutter on a computer’s screen at startup.]

Administrative Templates | Windows Components | Add features to Windows 10 | Prevent the wizard from running. Set to Enabled.

Administrative Templates | Windows Components | Camera | Allow Use of Camera. Set to Disabled. [Webster: None of my hosts or VMs have cameras.]

Administrative Templates | Windows Components | Cloud Content | Do not show Windows tips. Set to Enabled.

Administrative Templates | Windows Components | Cloud Content | Turn off Microsoft consumer experiences. Set to Enabled.

Administrative Templates | Windows Components | Connect | Don’t allow this PC to be projected to. Set to Enabled.

Administrative Templates | Windows Components | Data Collection and Preview Builds | Allow commercial data pipeline. Set to Disabled.

Administrative Templates | Windows Components | Data Collection and Preview Builds | Allow Telemetry. Set to Enabled and set the Options to 3 – Full.

Administrative Templates | Windows Components | Data Collection and Preview Builds | Do not show feedback notifications. Set to Enabled.

Administrative Templates | Windows Components | Desktop Gadgets | Turn off desktop gadgets. Set to Enabled.

Administrative Templates | Windows Components | HomeGroup | Prevent the computer from joining a homegroup. Set to Enabled.

Administrative Templates | Windows Components | News and interests | Enable news and interests on the taskbar. Set to Disabled. [Webster: If you do not see this setting, wait until you finish the Central Store section and then see Group configuration: news and interests on the Windows taskbar.]

Administrative Templates | Windows Components | OneDrive | Prevent the usage of OneDrive for file storage. Set to Enabled. [Webster: I don’t use Onedrive. If you use OneDrive, do not configure this setting.]

Administrative Templates | Windows Components | Search |  Allow Cortana. Set to Disabled. [Webster: I don’t care for Cortana. If you use Cortana, do not configure this setting.]

Administrative Templates | Windows Components | Security Center | Turn on Security Center (Domain PCs only). Set to Disabled. [Webster: If you like the Security Center, do not configure this setting.]

Administrative Templates | Windows Components | Store | Turn off the Store application. Set to Enabled. [Webster: I don’t use the Store in lab VMs.]

Administrative Templates | Windows Components | Windows Defender SmartScreen | Explorer | Configure Windows Defender SmartScreen. Set to Disabled. [Webster: I find SmartScreen slows down Windows File Explorer. If you use SmartScreen, do not configure this setting.]

Administrative Templates | Windows Components | Windows Defender SmartScreen | Microsoft Edge | Configure Windows Defender SmartScreen. Set to Disabled. [Webster: I find SmartScreen slows down internet browsing. If you use SmartScreen, do not configure this setting.]

Administrative Templates | Windows Components | Windows Ink Workspace | Allow Windows Ink Workspace. Set to Disabled.

Administrative Templates | Windows Components | Windows PowerShell | Turn on Script Execution. Set to Enabled and set the Execution Policy to Allow all scripts. [Webster: I do a lot of PowerShell scripting and run PowerShell scripts from other friends. If you do not trust every PowerShell script, you should consider setting the Execution Policy to Allow local and remote signed scripts. That means every PowerShell script that doesn’t come from your computer requires a digital signature.]

Administrative Templates | Windows Components | Windows Remote Shell | Allow Remote Shell Access. Set to Enabled.

Administrative Templates | Windows Components | Windows Update | Configure Automatic Updates. Set to Disabled.

Administrative Templates | Windows Components | Windows Update | Windows Update for Business | Manage preview builds. Set to Enabled and Set the behavior for receiving preview builds to Disable preview builds.

Administrative Templates | Windows Components | Windows Update | Windows Update for Business | Select the target Feature Update version. Set to Disabled.

To go along with these two settings, we need to configure three Firewall settings.

• Administrative Templates | Network | Link-Layer Topology Discovery | Turn on Mapper I/O (LLTDIO) driver
• Administrative Templates | Network | Link-Layer Topology Discovery | Turn on Responder (RSPNDR) driver

In the Group Policy Management Edit (GPME), go to Windows Settings | Security Settings | Windows Defender Firewall with Advanced Security and expand Windows Defender Firewall with Advanced Security, as shown in Figure 40.

Right-click Inbound Rules and click New Rule…, as shown in Figure 41.

Select Predefined from the dropdown list, select File and Print Sharing, and click Next, as shown in Figure 42.

Click Next, as shown in Figure 43.

Select Allow the connection and click Finish, as shown in Figure 44.

Create another Inbound Rule.

Select Predefined from the dropdown list, select Network Discovery, and click Next, as shown in Figure 45.

Click Next, as shown in Figure 46.

Select Allow the connection and click Finish, as shown in Figure 47.

Create an Outbound Rule.

Select Predefined from the dropdown list, select File and Print Sharing, and click Next, as shown in Figure 48.

Click Next, as shown in Figure 49.

Select Allow the connection and click Finish, as shown in Figure 50.

Exit the GPME (not the GPMC).

Testing the Lab Defaults GPO

Before we go headlong and test out the Lab Defaults GPO we just created together, let’s do a quick sanity check.

First: Did you remember to create the policy in the Group Policy Objects node?

Second: Did you give the GPO a name recognizable by someone else later? In my example, I named my policy (C) Lab Defaults.

Lastly: Now that I finished configuring the GPO, I was sure to link my GPO at the domain level, as shown in Figure 51.

Be sure you have all three things set and ready to go before proceeding.

Now you’re ready to do a simple test of the settings within this GPO.

To do this, log off the CA or second DC and then log back in. One of the settings we specified was to disable the Server Manager from showing expressly. When you log in, the Server Manager should now be absent.

Tip: If Server Manager still appears, either restart the VM or do a Right-click Start, Run, gpupdate. Then log off and back on to see if it took effect. Gpupdate is a command-line utility from Microsoft that comes with all versions of the Windows operating system to refresh the Group Policy engine on the client. There are many ways of running gpupdate. As an administrator, you can even force a group policy refresh remotely using PowerShell or the GPMC.

We have all the GPOs we need at this time.

Exit the GPMC.

Central Store

Most Group Policy configuration settings that administrators use are in the Administrative Templates section of the Group Policy Management Editor. Microsoft divides Administrative Templates files into .admx files and language-specific .adml files for use by Group Policy administrators. To take advantage of the benefits of .admx files, you must create a Central Store in the sysvol folder on a Windows domain controller.

What is the Central Store? That link has links to Microsoft-supplied admx files for most versions of Windows. There are also vendor-supplied admx files for Google Chrome, Firefox, and many other products. With all the admx files available, especially for Microsoft Office, tens of thousands of settings are available for use with group policy.

With all the admx files available, it makes sense to have a central place to store the admx and related adml files. That is the purpose behind the Central Store.

Tip: For a video overview on creating a central store, see this video by Jeremy Moskowitz.

On the first domain controller (the one with the PDCe FSMO role), right-click Start, Run, as shown in Figure 52.

Type in \DomainName\SYSVOL\DomainName\Policies and click OK, as shown in Figures 53 and 54.

Open another File Explorer, go to C:\Windows, and scroll down to PolicyDefinitions, as shown in Figure 55.

Right-click the PolicyDefinitions folder and click Copy, as shown in Figure 56.

In the other File Explorer window showing \DomainName\SYSVOL\DomainName\Policies, right-click in an empty space and click {Paste, as shown in Figure 57.

The C:\Windows\PolicyDefinitions folder and its contents are copied, as shown in Figures 58 through 60.

When you download additional admx and adml files, copy the admx file(s) to the PolicyDefinitions folder and the adml file(s) to the language-specific folder(s) under the PolicyDefinitions folder.

The SYSVOL folder tree replicates to all DCs. On both DCs, open File Explorer and browse to C:\Windows\SYSVOL\sysvol\<DomainName>\Policies. You see that each DC in the domain has a copy of the PolicyDefinitions folder.

As you add admx and adml files to one DC’s C:\Windows\SYSVOL\sysvol\<DomainName>\Policies\PolicyDefinitions folder, SYSVOL replication copies the new file(s) to all other DCs in the domain.

Backup Group Policy

Creating GPO backups is easy because I created a free script that backs up and creates HTML and XML reports for all GPOs.

Get-Help .\Get-GPOBackupAndReports.ps1 -full

Running the script is easy. First, make a folder to place the zip files, backups, and reports and run the script, as shown in Figure 61.

The folder I created, C:\GPOBackups, contains all the files created by the script, as shown in Figures 62 through 64.

Up next: Additional vCenter Configuration

Landing page for the article series

With the Server 2019 VM built for the certificate authority, the next step is to create the Certificate Authority (CA).  To make sure you understand what I cover in this article, you should understand a few terms. Microsoft provides a document that explains all the terms used in a Microsoft CA. You should take a few minutes to review that document.

Before we begin, I want to thank my friend and mentor, Michael B. Smith, who helped with this article and answered my numerous emails and questions. Michael helped make sure the information in this article was correct.

We perform the following steps in this article.

1. Join the CA server to the domain
2. Install and configure the CA
3. Create Files for Group Policy
4. Create a Server Certificate Template
5. Back up the CA to get a .p12 file

Item 5 was added 11-Jun-2021 after working on the IGEL Management Server article

Joining the Domain

The first thing we need to do is join our CA server to the domain.

From Part 14, I place all my Microsoft infrastructure servers in a specific OU.

Lab

Infrastructure

Microsoft

Open a PowerShell session and type in the following from one of the domain controllers, as shown in Figure 1.

Get-ADOrganizationalUnit -filter {Name -eq "Microsoft"}

Copy the DistinguishedName property to the clipboard.

We use PowerShell to install and configure the CA.

Use mstsc to remote into the VM that is our CA.

Exit Server Manager and start an elevated PowerShell session, as shown in Figure 2.

Copy and paste the following into the elevated PowerShell session and press Enter. The process took less than the blink of an eye to happen, which is why there is no screenshot.

Remember to set the values you need.

Note: Lines may wrap

#Join the computer to the domain

add-computer -Credential LabADDomain\Administrator `
-DomainName "LabADDomain.com" `
-OUPath "OU=Microsoft,OU=Infrastructure,OU=Lab,DC=LabADDomain,DC=com" `
-Force `
-Restart

#server reboots

After the VM restarts, log in using the domain’s Administrator account and password.

Start an elevated PowerShell session.

We start by installing the necessary Roles and Features.

• Active Directory Certificate Services
  • Certification Authority
  • Certification Authority Web Enrollment
• Web Server (IIS)
  • Web Server
    • Common HTTP Features
      • Default Document
      • Directory Browsing
      • HTTP Errors
      • Static Content
      • HTTP Redirection
    • Health and Diagnostics
      • HTTP Logging
      • Logging Tools
      • Request Monitor
      • Tracing
    • Performance
      • Static Content Compression
    • Security
      • Request Filtering
      • Windows Authentication
    • Application Development
      • ASP
      • ISAPI Extensions
    • Management Tools
      • IIS Management Console
      • IIS 6 Management Compatibility
        • IIS 6 Metabase Compatibility
      • Remote Server Administration Tools
        • Role Administration Tools
        • Active Directory Certificate Services Tools
          • Certification Authority Management Tools
        • Telnet Client

Install and Configure the CA

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 3.

#setup new CA

Install-WindowsFeature ADCS-Cert-Authority, Telnet-Client, ADCS-Web-Enrollment -IncludeManagementTools

The configuration for the CA is:

• The validity period is 10 years (you can make this 20 years or longer. I joke to the IT admin to make it past their retirement year, so it is someone else’s problem later.)
• The CA’s name is LabDomain CA Root
• The certificate key length is 2048 characters
• Use SHA256
• Use Web Enrollment

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 4.

Install-AdcsCertificationAuthority `
-ValidityPeriod Years `
-ValidityPeriodUnits 10 `
-CACommonName "LabDomain CA Root" `
-CAType EnterpriseRootCA `
-KeyLength 2048 `
-HashAlgorithmName SHA256 `
-Force

Install-AdcsWebEnrollment -Force

By default, the lifetime of a certificate that an  Enterprise CA issues is two years. We need to update our CA to handle the ten-year validity period. I am using the information from the Microsoft article Change the expiration date of certificates that Certificate Authority issues.

From the elevated PowerShell session, enter the following, as shown in Figure 5.

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\LabDomain CA Root" `
-Name 'ValidityPeriodUnits' `
-Value 10 `
-PropertyType DWORD `
-Force

Stop-Service -Name "certsvc"
Start-Service -Name "certsvc"

You can verify the update using the registry editor. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAname>, and look at the ValidityPeriodUnits key, as shown in Figure 6.

Create Files for Group Policy

We need to gather the CA’s Root and Intermediate certificate files for use in the group policy we create in the following article.

From the elevated PowerShell session, enter the following, as shown in Figure 7.

md c:\CACertFiles

In the elevated PowerShell session, type in mmc and press Enter.

Either Click File, click Add/Remove Snap-in…, or press Ctrl+M (my preference), as shown in Figure 8.

Double-click Certificates as shown in Figure 9.

Select Computer account and click Next, as shown in Figure 10.

Select Local computer and click Finish, as shown in Figure 11.

Click OK, as shown in Figure 12.

The next step is to export the files we need for the group policy.

Expand Certificates and Trusted Root Certification Authorities and Intermediate Certification Authorities, as shown in Figure 13.

Under Intermediate Certification Authorities, click on Certificates, and in the right pane, click on <CAname> (for me, that is LabDomain CA Root), as shown in Figure 14.

Right-click <CAname>, click All Tasks and click Export…, as shown in Figure 15.

Click Next, as shown in Figure 16.

Click DER encoded binary X.509 (.CER) and click Next, as shown in Figure 17.

Click Browse, as shown in Figure 18.

Browse to the folder created earlier in Figure 7, as shown in Figure 19, and give the file a meaningful name. Click Save when complete.

Click Next, as shown in Figure 20.

Click Finish, as shown in Figure 21.

Click OK, as shown in Figure 22.

Under Trusted Root Certification Authorities, click on Certificates, and in the right pane, click on <CAname> (for me, that is LabDomain CA Root), as shown in Figure 23.

Note: You see two domain root certificates with the same name. They are identical, and it doesn’t matter which one you use for the export.

Repeat the export process for the domain’s root certificate. When completed, you have two .cer files, as shown in Figure 24. We use these two files in the following article.

Exit the MMC console. You may save the console if you want. I save it to my server’s desktop.

On the domain controllers, repeat the steps shown in Figures 8 through 12 to open the Certificates MMC snap-in. Expand Certificates and Trusted Root Certification Authorities and Intermediate Certification Authorities, as shown in Figure 13.

Notice that the DCs already have the CA’s Root and Intermediate certificates installed with no Group Policy or extra work, as shown in Figures 25 and 26 from LabDC1.

Leave the MMC console opened on both DCs. The console is used later in this article.

Create a Server Certificate Template

A certificate template defines the CA’s policies and rules when a request for a certificate is received. You use a custom certificate template to customize the template’s options to a specific need.

Open the Certification Authority console.

Click the Start button, expand Windows Administrative Tools, and click Certification Authority, as shown in Figure 27.

Expand <CAname>, right-click Certificate Templates, and click Manage, as shown in Figure 28.

Microsoft supplies 33 Certificate Templates,  as shown in Figure 29 in the middle pane.

For this article series and this lab, we are only concerned with the Computer template.

If you would like to use Microsoft CA to generate certificates for use with vCenter and ESXi hosts, there are several excellent articles to guide you in that process.

• SSL Certificate Replacement – Hybrid Mode (my personal favorite)
• Obtaining vSphere certificates from a Microsoft Certificate Authority
• How to replace default vCenter VMCA certificate with Microsoft CA signed certificate
• Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x

We can’t edit a Microsoft-supplied template; we first make a copy of the template.

Create the template

Right-click the Computer template and click Duplicate Template, as shown in Figure 30.

We go through every tab.

Compatibility Tab

Because the CA uses SHA256, in Compatibility Settings, change the Certification Authority to Windows Server 2012 R2 and click OK on the popup, as shown in Figures 31 and 32.

Note: There is a known issue if you select anything higher than Windows Server 2012 R2. Please see Cannot select Windows Server 2016 CA-compatible certificate templates from Windows Server 2016 or later-based CAs or CEP servers.

Workaround

To work around this issue, follow these steps:

• Configure the compatibility settings of the certificate template as follows:
  • Certificate Authority: Windows Server 2012 R2
  • Certificate recipient: Windows 8.1 / Windows Server 2012 R2

For the Certificate recipient, select the option that matches the lowest client operating system in your environment. My lab servers are all Windows Server 2019, and all clients are Windows 10, but as stated in the Known Issue mentioned above, select Windows 8.1 / Windows Server 2012 R2 from the dropdown list and click OK on the popup shown in Figures 33 and 34.

General Tab

As shown in Figure 35, enter the following information:

• A meaningful Template display name,
• Make the Template name the same as the Template display name,
• Select a Validity period (must be less than the lifespan of the CA’s Root certificate),
• Leave the Renewal period alone, and
• Select Publish certificate in Active Directory

Note 1: From Michael B. Smith.

Usually, Microsoft’s Template Name is the Template Display Name without spaces (there are some notable exceptions).

Since most reports show the Template Display Name, but certificate requests use the Template Name, it makes good sense for the two names to be similar.

Note 2: You can’t select a Validity period longer than the CA’s Root certificate lifespan or a period past the CA’s Root certificate lifespan.

Note 3: Michael B. Smith says that you should always select Publish certificate in Active Directory for computer certificates.

Request Handling Tab

Select Allow private key to be exported and leave all other options at their default values, shown in Figure 36.

Cryptography Tab

Leave all options at their default values, as shown in Figure 37.

Key Attestation Tab

There is nothing configurable, as shown in Figure 38.

Superseded Templates Tab

There is nothing to configure, as shown in Figure 39.

Extensions Tab

Click Application Policies and click Edit…, as shown in Figure 40.

Click Client Authentication and click Remove, as shown in Figure 41.

Click OK, as shown in Figure 42.

Security Tab

There is nothing to configure, as shown in Figure 43.

Subject Name Tab

Select Supply in the request, as shown in Figure 44.

Click OK, as shown in Figure 45.

Server Tab

Verify that neither option is selected, as shown in Figure 46.

Issuance Requirements Tab

Verify that neither option is selected, as shown in Figure 47.

Finally, click OK, and the new Server Template template is created, as shown in Figure 48.

Exit the Certificate Templates Console.

Configure the CA to Issue the New Template

In the Certification Authority console, right-click Certificate Templates, click New, and click Certificate Template to Issue, as shown in Figure 49.

Click on the new template and click OK, as shown in Figure 50.

The new template now shows in the list of published templates, as shown in Figure 51.

Using the New Certificate Template to Create a Server Certificate

Requesting a computer certificate from the new template is done via the command line.

On both DCs, create a folder on the C drive named CertFiles, as shown in Figure 52.

On the first DC, save the following to a file name c:\CertFiles\computer-request.inf, as shown in Figure 53.

I want to thank Michael B. Smith for creating this INF file for me.

Use the data needed for your environment.

LabDC1 = the name of your domain controller
LabADDomain.com = your domain name
"LabCA\LabDomain CA Root" = the name of your CA server and the name of your CA.

;----------------- computer-request.inf -----------------
; LabDC1.LabADDomain.com
;
; certreq -new computer-request.inf computer-request.req
; certreq -submit -config "LabCA\LabDomain CA Root" computer-request.req computer-request.cer
; certreq -accept -config "LabCA\LabDomain CA Root" computer-request.cer
;

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=LabDC1.LabADDomain.com" ; replace with the FQDN of the DC
FriendlyName = "Computer (Machine) for LabDC1.LabADDomain.com"
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure but have a greater impact on performance.
KeySpec = 1                     ; AT_KEYEXCHANGE
Exportable = TRUE               ; private-key is exportable
MachineKeySet = TRUE            ; goes in machine store instead of user's personal store
SMIME = False                   ; cannot be used for signing S/MIME messages
PrivateKeyArchive = FALSE
HashAlgorithm = sha256          ; "certutil -oid 1 | findstr pwszName" -- gives a list (including sha1)
UserProtected = FALSE
UseExistingKeySet = FALSE       ; we are not renewing a key that already exists
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12               ; for ProviderName and ProviderType, see "certutil -csplist"
RequestType = PKCS10            ; if empty or set to "CERT" then a self-signed cert is created
KeyUsage = 0xa0                 ; 0xa0 - CERT_DIGITAL_SIGNATURE_KEY_USAGE + CERT_KEY_ENCIPHERMENT_KEY_USAGE

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication - PKIX_KP_SERVER_AUTH

[Extensions]
; Note: 2.5.29.17 is the OID for a SAN extension.

2.5.29.17 = "{text}"
_continue_ = "dns=LabDC1.LabADDomain.com"

[RequestAttributes]
CertificateTemplate = "Server Template"
;-----------------------------------------------

On the first DC, open an elevated command prompt. I expanded the command prompt window size vertically to ensure I had visual space to capture all the output for screenshots.

Click the Start button, expand Windows System, right-click Command Prompt, click More, and click Run as administrator, as shown in Figure 54.

Type in cd c:\CertFiles and press Enter, as shown in Figure 55.

The three commands we need to run are at the top of the computer-request.inf file.

Type in notepad computer-request.inf and press Enter, as shown in Figure 56.

Copy the line certreq -new computer-request.inf computer-request.req, paste it in the elevated command prompt, and press Enter, as shown in Figure 57, along with the command results.

Copy the line certreq -submit -config “LabCA\LabDomain CA Root” computer-request.req computer-request.cer, paste it in the elevated command prompt, and press Enter, as shown in Figure 58, along with the command results.

Note: If you get a warning like the following, you can ignore the warning. The warning tells you that the certificate request validity period is past the lifetime of the CA’s root certificate lifespan.

Certificate retrieved(Issued)Issued The certificate validity period will be shorter than the Server Template Certificate Template specifies because the template validity period is longer than the maximum certificate validity period allowed by the CA.  Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period.

Copy the line certreq -accept -config “LabCA\LabDomain CA Root” computer-request.cer, paste it in the elevated command prompt, and press Enter, as shown in Figure 59, along with the command results.

Testing the New Certificate

Let’s verify that the new certificate works.

In the command prompt window, type in ldp.exe and press Enter.

Click Connection and click Connect, as shown in Figure 60.

For Server, type the FQDN of the DC, type 636 for Port, and click OK, as shown in Figure 61.

You should see ldaps:// followed by information for the DC, a ldap_open using the secure port of 636, and DN: (RootDSE), as shown in Figure 62.

Repeat the process shown in Figures 52 through 62 for the other DC. Remember to change the DC name in the computer-request.inf file.

Back-Up the Certificate Authority

After this article was published, I started work on the Create an IGEL Management Server article. I needed the CA’s root certificate and key pair for the IGEL UMS Console and IGEL’s Web App console. To get the required .p12 file, we backup the CA server.

First, create a folder, C:\CABackup, as the backup process requires an empty folder.

From the Certification Authority console, right-click the CA Root, click All Tasks, and click Back up CA… as shown in Figure 63.

Click Next, as shown in Figure 64.

Select Private key and CA certificate, type in C:\CABackup for the backup location, and click Next, as shown in Figure 65.

Enter and confirm a Password to protect the backup file and click Next, as shown in Figure 66.

Click Finish, as shown in Figure 67.

As shown in Figure 68, we now have a .p12 file.  That file contains the CA’s root certificate and key files. When an application wants the pair of files, .crt and .key, we can use this .p12 file.

If you wish, you can copy this file to the C:\CACertFiles folder to keep all files are in one place.

This file allows you to import the required key pair into the Universal Management Suite console if you use IGEL.

Exit all open consoles and windows.

Up next: Create Initial Group Policy Objects.

Landing page for the article series

With the two Server 2019 VMs built for domain controllers, the next step is to create Active Directory (AD).  To make sure you understand what I cover in this article, you should understand a few terms.

Definitions

What is Active Directory?

A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as AD, provides the methods for storing directory data and making this data available to network users and administrators. For example, AD stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

AD stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store to form a logical, hierarchical organization of directory information.

This data store, also known as the directory, contains information about AD objects. These objects typically include shared resources such as servers, volumes, printers, and the network user and computer accounts.

What is Domain Name System (DNS)?

DNS is one of the industry-standard suites of protocols that comprise TCP/IP. The DNS Client and DNS Server provide computer name-to-IP address mapping name resolution services to computers and users.

AD uses DNS as its domain controller location mechanism. When any principal AD operations are performed, such as authentication, updating, or searching, computers use DNS to locate Active Directory domain controllers. In addition, domain controllers use DNS to locate each other.

What is the Global Catalog (GC)?

A Domain run by AD can consist of many partitions or naming contexts. The distinguished name (DN) includes enough information to locate a replica of the partition that holds the object. However, the user or application may not know the DN of the target object or which partition might contain the object. The GC allows users and applications to find objects in an AD domain tree, given one or more attributes of the target object.

The global catalog contains a partial replica of every naming context in the directory. It contains the schema and configuration naming contexts as well. This means the GC holds a replica of every object in the directory but with only a small number of their attributes. The attributes in the GC are those most frequently used in search operations (such as a user’s first and last names or login names) and those required to locate a full replica of the object. The GC allows users to quickly find objects of interest without knowing what domain holds them and without requiring a contiguous extended namespace in the enterprise.

What is Flexible Single Master Operations (FSMO)?

AD is the central repository in which all objects in an enterprise and their respective attributes are stored. It’s a hierarchical, multi-master-enabled database that can store millions of objects. Changes to the database can be processed at any given domain controller (DC) in the enterprise, regardless of whether the DC is connected or disconnected from the network.

A multi-master-enabled database, such as AD, provides the flexibility of allowing changes to occur at any DC in the enterprise. But it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values. It’s done by resolving to the DC to which changes were written last, which is the last writer wins. The changes in all other DCs are discarded. Although this method may be acceptable in some cases, there are times when conflicts are too difficult to resolve using the last writer wins approach. In such cases, it’s best to prevent the conflict from occurring rather than trying to resolve it after the fact.

To prevent conflicting updates in Windows, AD performs updates to certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. It’s similar to the role given to a primary domain controller (PDC) in earlier versions of Windows, such as Microsoft Windows NT 3.51 and 4.0. In earlier versions of Windows, the PDC is responsible for processing all updates in a given domain.

AD extends the single-master model found in earlier versions of Windows to include multiple roles and transfer roles to any DC in the enterprise. Because an AD role isn’t bound to a single DC, it’s referred to as an FSMO role. Currently, in Windows, there are five FSMO roles:

• Schema master
• Domain naming master
• RID master
• PDC emulator
• Infrastructure master

What is Dynamic Host Configuration Protocol (DHCP)?

DHCP is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information. These include the subnet mask and default gateway.

What are AD Sites?

AD sites manage organizations that have branches spread across different geographical locations but fall under the same domain. It is a robust solution to geographically manage an AD network without changing any aspect of the logical structure of the environment. AD sites are physical groupings of well-connected IP subnets used to efficiently replicate information among domain controllers (DC). Image AD sites as a map describing the best routes for replicating in AD, thus efficiently using the available network bandwidth. AD sites help to achieve cost-efficiency and speed. It also lets one exercise better control over the replication traffic and the authentication process. AD sites can locate the closest DC to perform these actions when more than one DC is in the associated site capable of handling client logon, services, and directory searches. Sites also play a role in the deployment and targeting of group policies.

In AD, the information about the topology is stored as site link objects. By default, the Default-First-Site-Name site container is created for the forest. Until another site is created, all DCs are automatically assigned to this site.

What are Subnets?

Within sites, subnets are entities that help in grouping neighboring computer systems based on their IP addresses. A range of associated IP addresses identifies every subnet, and a site is the aggregate of all well-connected subnets. Subnets could be based on either TCP/IPv4 or TCP/IPv6 protocol addresses.

What is Directory Services Restore Mode (DSRM)?

DSRM is a special boot mode for repairing or recovering Active Directory. Use DSRM to log on to the computer when AD has failed or needs restoring.

What are AD Forest and Domain Functional Levels?

Functional levels determine the available AD domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers joined to the domain or forest.

When deploying AD, set the domain and forest functional levels to the highest value that your environment can support. This way, you can use as many AD DS features as possible. When you deploy a new forest, you are prompted to set the forest functional level and domain functional level. You can set the domain functional level to a value that is higher than the forest functional level. You cannot set the domain functional level to a lower value than the forest functional level.

What is the AD Recycle Bin?

The accidental deletion of Active Directory objects is common for AD. Before Windows Server 2008 R2, you could recover accidentally deleted objects in AD, but the solutions had drawbacks.

In Windows Server 2008, you could use the Windows Server Backup feature and ntdsutil authoritative restore command to mark objects as authoritative to ensure that the restored data replicates throughout the domain. The drawback to the authoritative restore solution was that you had to perform it in DSRM. During DSRM, the domain controller used for the restoration had to remain offline. Therefore, it could not service client requests.

In Windows Server 2003 Active Directory and Windows Server 2008 AD DS, you could recover deleted AD objects through tombstone reanimation. However, reanimated objects’ link-valued attributes (for example, group memberships of user accounts) that were physically removed and non-link-valued attributes cleared were not recovered. Therefore, administrators could not rely on tombstone reanimation as the ultimate solution to the accidental deletion of objects. For more information about tombstone reanimation, see Reanimating Active Directory Tombstone Objects.

Starting in Windows Server 2008 R2, AD Recycle Bin builds on the existing tombstone reanimation infrastructure and enhances your ability to preserve and recover accidentally deleted Active Directory objects.

When the AD Recycle Bin is enabled, all link-valued and non-link-valued attributes of the deleted AD objects are preserved. The objects are restored in their entirety to the same consistent logical state they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains.

In Windows Server 2012 and newer, the AD Recycle Bin feature is enhanced with a new graphical user interface to manage and restore deleted objects. Users can now visually locate a list of deleted objects and restore them to their original or desired locations.

Create Forest

The first DC we build is a GC, DNS, and DHCP server. We use PowerShell to install and configure all AD Roles and Features.

Use mstsc to remote into the VM that is our first DC. Exit Server Manager and start an elevated PowerShell session, as shown in Figure 1.

We start by installing the necessary Roles and Features.

• Active Directory Domain Services
• Remote Server Administration Tools
  • Role Administration Tools
    • Active Directory module for Windows PowerShell
    • AD DS and AD LDS Tools
      • Active Directory Administrative Center
      • AD DS Snap-Ins and Command-Line Tools
• Telnet Client

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 2.

#setup new AD Forest/Domain
Install-WindowsFeature AD-Domain-Services, RSAT-AD-PowerShell, RSAT-ADDS, RSAT-AD-AdminCenter, RSAT-ADDS-Tools, Telnet-Client

We now create the new AD Forest, which automatically creates the first domain. The first domain is also known as the forest root domain. You can never rename this domain without destroying the domain or migrating to a new forest or domain.

Remember to use your domain name.

The first thing we need is the password used for DSRM. This password should be the same for every DC.

The highest forest and domain functional level support is Windows Server 2016. The help text for the Install-ADDSForest cmdlet shows the following allowed values:

-DomainMode (and also for -ForestMode)

The acceptable values for this parameter are:

• Windows Server 2003: 2 or Win2003
• Windows Server 2008: 3 or Win2008
• Windows Server 2008 R2: 4 or Win2008R2
• Windows Server 2012: 5 or Win2012
• Windows Server 2012 R2: 6 or Win2012R2
• Windows Server 2016: 7 or WinThreshold

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 3.

$DomainName = "LabADDomain.com"
$NetbiosName = "LabADDomain"
$SafeModePwd = Read-Host -AsSecureString -Prompt "Enter DSRM password"

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 4.

Install-ADDSForest `
-Confirm:$False `
-CreateDnsDelegation:$False `
-DomainMode "WinThreshold" `
-DomainName $DomainName `
-DomainNetbiosName $NetbiosName `
-ForestMode "WinThreshold" `
-SafeModeAdministratorPassword $SafeModePwd

#new DC restarts at this point

The local account named Administrator is now the domain account named Administrator, and the password used for the local account is the password used for the domain account.

After the VM restarts, log in using the domain’s Administrator account and password.

Now we can start the debate. The DC promotion process changed the network card’s Preferred DNS Server to 127.0.0.1, the Local Loopback address. My AD mentors taught me over the years that on the first DC, the Preferred DNS Server should be the DC’s IP address, and, at this time, the Loopback address should be Secondary. I recommend changing the DNS servers, as shown in Figure 5.

Next up is enabling the AD Recycle Bin.

AD Recycle Bin

Open the AD Administrative Center.

Server Manager, Tools, and click on Active Directory Administrative Center, as shown in Figure 6.

In the left pane, click on your domain, and in the right pane, you see Enable Recycle Bin…, as shown in Figure 7. We do not use the GUI to enable the recycle bin. We use PowerShell to enable the recycle bin.

Start an elevated PowerShell session.

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 8.

#enable the AD Recycle Bin
$DomainName = "LabADDomain.com"
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $DomainName -Confirm:$False

Refresh the AD Administrative Center and see that Enable Recycle Bin… greyed out, as shown in Figure 9.

Exit the AD Administrative Center.

Now we set the domain’s password and lockout policy.

Set the Domain’s Password and Lockout Policy

Open the Group Policy Management console.

Server Manager, Tools, and click on Group Policy Management, as shown in Figure 10.

You may want to widen the console and expand the width of the two panes.

In the left pane, expand the Forest node.

Expand Domains.

Expand your domain.

Click on Default Domain Policy, click on the Settings tab in the right pane, and scroll down to the Security Settings section, as shown in Figure 11.

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 12.

Remember to set the values you need.

#set the domain's password and lockout policy
$DomainName = "LabADDomain.com"
Set-ADDefaultDomainPasswordPolicy -Identity $DomainName `
-PasswordHistoryCount 6 `
-MaxPasswordAge 90.00:00:00 `
-MinPasswordAge 7.00:00:00 `
-MinPasswordLength 8 `
-ComplexityEnabled $False `
-ReversibleEncryptionEnabled $False `
-LockoutDuration 00:00:00 `
-LockoutObservationWindow 00:00:00 `
-LockoutThreshold 5

Refresh the Group Policy Management console and view the Security Settings in the Default Domain Policy, as shown in Figure 13.

See how the settings in the policy match what we set using PowerShell.

Exit the Group Policy Management console.

Next up is AD Sites and Services.

AD Sites and Services

Open the Active Directory Sites and Services console.

Server Manager, Tools, and click on Active Directory Sites and Services, as shown in Figure 14.

We perform the following steps using PowerShell.

1. Create a new site named after the city where I live
2. Move the new DC from the default Default-First-Site-Name site to the site created in Step 1
3. Remove the default Default-First-Site-Name site
4. Create a subnet and link it to the site created in Step 1

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 15.

Remember to set the values you need.

#setup Sites
$DomainName = "LabADDomain.com"
$ADSites2 = @()
#create a new site
$ADSites = @{
    "Tullahoma" = "Webster's Lab in Tullahoma, TN"
}

ForEach($ADSite in $ADSites.Keys)
{
    $ADSites2 += $ADSite
    New-ADReplicationSite -Name $ADSite -Description $ADSites[$ADSite] -ProtectedFromAccidentalDeletion $True -Server $DomainName
}

#move the new domain controller from the Default-First-Site-Name site to the new site
Move-ADDirectoryServer -Identity "LabDC1" -Site "Tullahoma"

#remove the Default-First-Site-Name site
Remove-ADReplicationSite -Identity "Default-First-Site-Name" -Confirm:$False

#create subnets and associate them to a site
$Subnets = @{
"Tullahoma" = "192.168.1.0/24"
}

ForEach($Subnet in $Subnets.Keys)
{
    New-ADReplicationSubnet -Name $Subnets[$Subnet] -Site $Subnet
}

Refresh the Active Directory Sites and Services console. Expand the various nodes to verify the changes, as shown in Figure 16.

Note: If you have multiple AD Sites in your lab, please read Report and Edit AD Site Links From PowerShell (Turbo Your AD Replication) for Microsoft’s recommendations on DC replication between AD Sites.

Exit the Sites and Services console.

Now on to the topics that need much discussion: DNS, Aging & Scavenging, and DHCP. This discussion is only necessary if you run Microsoft DHCP and Microsoft DNS on a Microsoft AD domain controller.

Even though we create and configure the DHCP server later, let’s discuss the various settings now.

DNS and DHCP

DNS Aging and Scavenging

The DNS Server service supports Aging and Scavenging features. These features are provided as a mechanism for performing cleanup and removing stale resource records that accumulate in zone data over time.

With dynamic updates, resource records are automatically added to zones when computers start on the network. However, sometimes, they are not automatically removed when computers leave the network. For example, if a computer registers its host (A) resource record at startup and is later improperly disconnected from the network, its host (A) resource record might not be deleted. If your network has mobile users and computers, this situation can occur frequently.

If left unmanaged, the presence of stale resource records in zone data may cause problems:

• If many stale resource records remain in zones, they can eventually take up server disk space and cause unnecessarily long zone transfers.
• DNS servers that load zones that contain stale resource records might use outdated information to answer client queries, potentially causing the clients to experience name resolution problems on the network.
• The accumulation of stale resource records at the DNS server can degrade its performance and responsiveness.
• Sometimes, the presence of a stale resource record in a zone can prevent a DNS domain name from being used by another computer or host device.

The DNS Server service has these features to solve these problems:

• Timestamping, based on the current date and time set at the server computer, for any resource records added dynamically to primary-type zones. Also, timestamps are recorded in standard primary zones where aging and scavenging are enabled.
• A timestamp value of zero is used for manually added resource records, indicating that these records are not affected by the aging process. They can remain without limitation in zone data unless you otherwise change their time stamp or delete them.
• Aging of resource records in local data, based on a specified refresh time period for any eligible zones.
• Only primary-type zones loaded by the DNS Server service are eligible to participate in this process.
• Scavenging for any resource records that persist beyond the specified refresh period.
• When a DNS server performs a scavenging operation, it can determine that resource records have aged to the point of becoming stale and remove them from zone data. You can configure servers to perform recurring scavenging operations automatically, or you can initiate an immediate scavenging operation at the server.
• A highly recommended option is to set an advanced zone parameter that enables you to specify a restricted list of IP addresses for DNS servers enabled to perform scavenging of the zone.

By default, if this parameter is not specified, all DNS servers that load an Active Directory-integrated zone (also enabled for scavenging) attempt to perform scavenging of the zone. Sometimes, this parameter can be helpful if it is preferable that scavenging is performed at some servers loading the directory-integrated zone.

To set this parameter, you must specify the list of IP addresses for the servers enabled to scavenge the zone in the ZoneResetScavengeServers parameter for the zone. You do this using the dnscmd command, a command line-based tool for administering Windows DNS servers.

Microsoft recommends configuring at least one and no more than two DNS servers for scavenging for a zone.

You must enable Aging and Scavenging in five places:

1. DNS Server
2. DNS Server Properties
3. Forward Lookup Zones
4. Reverse Lookup Zones
5. Then via dnscmd.exe, set a scavenging server

The default Aging and Scavenging interval is 7 days. Seven days is tied to the DHCP Lease Duration, which, by default, is 8 days. A DHCP client requests a lease renewal at 50% of the Lease Duration, or 4 days (by default). If the lease is not renewed, the DHCP Client attempts another lease renewal at 87.5% of the Lease Duration, or 7 days (by default). If the lease is not renewed, the DHCP Client stops requesting a renewal of its IP address and requests a new IP address. If DHCP and DNS are correctly configured (DHCP DNS Dynamic Update Credentials and Secure Dynamic updates), the original DHCP server releases the non-renewed IP address. DNS is updated to show the DNS resource record flagged as eligible to be aged and then scavenged.

By default, the DNS Server does not accept any refreshes of a non-static resource record for7 days.

By default, the DNS Server waits 7 days for the resource record to have its timestamp refreshed.

By default, after these two 7-day intervals (14 days), the resource record is removed from the DNS management console and flagged as tombstoned. The resource record still resides in the AD database.

By default, the resource record is tombstoned for 7 days.

By default, after the 7-day tombstone period has passed, the resource record is marked to be scavenged.

By default, the resource record stays in the “to be scavenged” state for 7 days.

At this time, by default, 28 days have passed since the resource record was not renewed by DHCP and flagged as eligible to be aged and scavenged.

The resource record is purged from the AD database at 2 AM (non-configurable) on day 29 (by default).

At any time in the 28 days (by default), the record is flagged as deleted/tombstoned/scavenged, if the original DHCP Client is granted the original IP address from the original DHCP server, the resource record is reanimated from the scavenge/tombstone state and returned to DNS with an updated timestamp.

If you change the DHCP Lease Duration from the default 7 days, you should carefully consider aging and scavenging effects.

In AD, all domain controllers are equal. Still, the domain controller that holds the Primary Domain Controller Emulator (PDCe) Flexible Single Master Operations (FSMO) role holder is the most equal of all domain controllers. That specific domain controller provides several critical functions in an AD Domain and must be the most stable, reliable, and highly available domain controller in the domain.

All PDC Emulator Functions http://rickardnobel.se/all-pdc-emulator-functions/

Because of the importance of the PDCe FSMO role holder, I recommend making that DC the primary DNS Server.

Select a DNS Server for each domain to serve as a scavenging server for every AD-Integrated Forward and Reverse Lookup Zone.

DNS Forwarders

DNS servers are designed to resolve names for a specific set of computers. DNS calls this “specific set” a zone, but this typically maps to a domain or a forest in a Windows environment. If a DNS server hosts a zone, it is considered authoritative for that zone, and all those computers are considered to be internal to the zone. All other zones are external.

To resolve names for an external zone requires using a forwarder –a DNS server that “knows more” than the local DNS server. By default, external resolution is enabled in Windows DNS servers; however, it can be disabled if desired. Specific servers can be configured to be used as forwarders, or DNS can default to using Root Hints.

A forwarding query only occurs if a DNS server cannot resolve a query using its data or cache. This often occurs when a query for an external name occurs (for example, a DNS server hosting “contoso.local” receives a query for “www.microsoft.com”). Figure 17 depicts the sequence for DNS name resolution.

You can see where DNS Forwarders and Root Hints take part in name resolution on the above flowchart. DNS Forwarders itself is a list of DNS servers used to help resolve a query. A DNS Forwarder can be a master DNS appliance residing on the internal network or an external DNS server, such as Google or an ISP. The only thing to consider is the network accessibility between the servers (quicker access à better DNS).

DHCP: DNS Dynamic Update Credentials

If Microsoft DHCP runs on a domain controller and a DNS zone is configured for secure dynamic updates, and you do not configure DNS dynamic update credentials DHCP, DNS registrations fail.

DNS dynamic update credentials require no special rights, privileges, or permissions. You should use a regular domain user account following your naming standards.

Create a regular domain user account dedicated for use by DNS dynamic update credentials. You should set the account so the user cannot change the password, and the password should never expire.

I recommend using the account name DNSDynamicUpdateCred. In the Description property for this account, enter the text ” DO NOT CHANGE THE PASSWORD OR DELETE/DISABLE ACCOUNT”.

Once you configure DHCP with the DNS dynamic update credentials, configure all AD-related DNS Forward and Reverse lookup zones to secure dynamic updates only.

You should add this account to the IPv4 protocol on every DHCP server. The DHCP servers do not replicate the account between DHCP servers. If the password for this account is changed, you must enter the updated password on every DHCP server configured to use the account.

DHCP Name Protection

DHCP name protection is a feature of the DHCP service that, when used with Dynamic DNS registration, prevents a DHCP client with a name already in the DNS domain zone from registering or overwriting an existing name that it does not own (known as name squatting). This functionality prevents client and server spoofing and name corruption for statically configured systems already registered in DNS. You enable name protection at either the IPv4 or IPv6 node level or the scope level. When configured at the scope level, the settings take precedence over the IPv4 or IPv6 node settings.

Name squatting could also occur when a non-Windows-based computer registers in Domain Name System (DNS) with a name previously registered to a Windows-based computer. The use of name protection in Windows Server prevents name squatting by non-Windows-based computers. Name squatting does not present a problem on a homogeneous Windows network where Active Directory Domain Services (AD DS) can be used to reserve a name for a single user or computer.

Name protection is based on the Dynamic Host Configuration Identifier (DHCID) in the Dynamic Host Configuration Protocol (DHCP) server and supports the new DHCID RR (resource record) in DNS. DHCID RR is described by the Internet Engineering Task Force (IETF) in RFCs 4701 and 4703.

DHCID is a resource record (RR) stored in DNS that maps names to prevent duplicate registration. DHCP uses this RR to store an identifier for a computer and other information for the name, such as the computer’s A/AAAA records. The unique position of DHCP in the name registration process allows it to request this match and then refuse the registration of a computer with a different address attempting to register a name with an existing DHCID record.

DHCID prevents the following name squatting situations:

• Server name squatting by a client
• Server name squatting by another server
• Client name squatting by another client
• Client name squatting by a server

Using Name Protection requires the following:

• Use DNS Secure Dynamic Updates
• Secure the DnsUpdateProxy security group
• Add the DHCP server to the DnsUpdateProxy security group

Note: Creating the forest and domain created the forward lookup zone named after the domain. No reverse lookup zone exists.

Configure DNS

We perform the following steps using PowerShell.

1. Get the IP address for the DC to use as the scavenging server address
2. Enable aging and scavenging on all zones using the default values
3. Set the replication scope to all DNS servers in the forest
4. Set dynamic updates to secure
5. Set the zone’s aging to the default values and set the DC as the scavenging server
6. Configure DNS Forwarders
7. Create a reverse lookup zone named after the subnet created in AD Sites and Services
8. Set the replication scope to all DCs in the forest
9. Set dynamic updates to secure
10. Verify that all forward and reverse lookup zones that are not system created have the scavenging server and aging intervals set

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 18.

Remember to set the values you need.

#configure DNS
$DomainName = "LabADDomain.com"
$ScavengeServer = @(Get-ADDomainController).IPv4Address

Set-DnsServerScavenging `
-ApplyOnAllZones `
-ScavengingState $True `
-ScavengingInterval 7.00:00:00 `
-RefreshInterval 7.00:00:00 `
-NoRefreshInterval 7.00:00:00 

Set-DnsServerPrimaryZone -Name $DomainName -ReplicationScope "Forest"
Set-DnsServerPrimaryZone -Name $DomainName -DynamicUpdate "Secure"
Set-DnsServerZoneAging -Name $DomainName -Aging $True -ScavengeServers $ScavengeServer -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00 

Set-DnsServerForwarder -Confirm:$False -IPAddress 1.1.1.1,8.8.8.8,8.8.4.4 -UseRootHint $True

ForEach($Subnet in $Subnets.Keys)
{
    Add-DnsServerPrimaryZone -NetworkID $Subnets[$Subnet] -ReplicationScope "Forest" -DynamicUpdate "Secure" 
}

Get-DnsServerZone | Where-Object {$_.IsAutoCreated -eq $False} | Set-DnsServerZoneAging -Aging $True -ScavengeServers $ScavengeServer -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00

Open the DNS console.

Server Manager, Tools, and click on DNS, as shown in Figure 19.

Expand the server node.

The first thing we need to check is verifying that the Trusts Points node exists, as shown in Figure 20.

Side note:

I have seen in my lab and at many customer sites where the Trust Points node did not exist. If the node does not exist, the DC is not seen as a valid DNS server and is not used for name resolution. There is nothing to worry about as the fix is simple.

Run the following commands on the domain controller that holds the PDCe FSMO role from an elevated command prompt.

dnscmd <dcname> /Config /enablednssec 1
net stop dns && net start dns

Refresh the DNS console, and the missing Trust Points node is there.

Right-click the server, click Properties, and click the Forwarders tab, as shown in Figure 21.

The three forwarders are there.

Click the Advanced tab, as shown in Figure 22.

See that scavenging is enabled and set to 7 days.

Click Cancel.

Expand the Forward Lookup Zones node.

Right-click the msdcs.domainname.tld node and click Properties, as shown in Figure 23.

Click the General tab, as shown in Figure 24.

See that Replication is set to All DNS servers in this forest, and Dynamic updates are set to Secure only.

Click Aging.

As shown in Figure 25, Scavenging is enabled for the zone, and both refresh intervals are set to 7 days.

Click Cancel twice.

Verify that the same settings exist for the other forward lookup zone.

Expand Reverse Lookup Zones, right-click on the reverse zone, and click Properties, as shown in Figure 26.

Verify that the same settings exist for this zone, as shown in Figures 27 and 28.

Click Cancel twice and exit the DNS console.

Open a command prompt and run the following command. You may need to expand the window to see all the results.

dnscmd /zoneinfo <dns domain name>

For me, that is dnscmd /zoneinfo labaddomain.com, as shown in Figure 29.

There are two things I look for.

1. The words Scavenge Servers
2. The IP address

If those exist and the IP address belongs to the DC that holds the PDCe FSMO role, I know that scavenging is configured correctly.

Exit the command prompt.

We need to create the OU structure for the domain to create groups and users, place users into groups, and install and configure DHCP.

Create the OU Structure

The OU structure used in my lab is:

Lab

Accounts

Admin

Service

Users

Citrix

CVAD2103

Groups

Admin

Users

Horizon

PhysicalPC

RDS

VDI

Infrastructure

Citrix

Microsoft

Parallels

VMware

Parallels

RDS

VDI

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 30. You may want to resize the PowerShell window vertically to see more of the output.

Remember to set the values you need.

#create the OU structure
$ADDomain = "LabADDomain"
$TLD = "com"
$Protect = $True

#Create OUs
#Top level OU - Lab
New-ADOrganizationalUnit -Name "Lab" `
-Path "dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

#Second level OUs under Lab
New-ADOrganizationalUnit -Name "Accounts" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Citrix" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Groups" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Horizon" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Infrastructure" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Parallels" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

#Third level OUs under Lab/Accounts
New-ADOrganizationalUnit -Name "Admin" `
-Path "ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Service" `
-Path "ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Users" `
-Path "ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

#Third level OUs under Lab/Citrix
New-ADOrganizationalUnit -Name "CVAD2103" `
-Path "ou=Citrix,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

#Third level OUs under Lab/Groups
New-ADOrganizationalUnit -Name "Admin" `
-Path "ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Users" `
-Path "ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

#Third level OUs under Lab/Horizon
New-ADOrganizationalUnit -Name "PhysicalPC" `
-Path "ou=Horizon,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "RDS" `
-Path "ou=Horizon,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "VDI" `
-Path "ou=Horizon,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

#Third level OUs under Lab/Infrastructure
New-ADOrganizationalUnit -Name "Citrix" `
-Path "ou=Infrastructure,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Microsoft" `
-Path "ou=Infrastructure,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Parallels" `
-Path "ou=Infrastructure,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "VMware" `
-Path "ou=Infrastructure,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

#Third level OUs under Lab/Parallels
New-ADOrganizationalUnit -Name "RDS" `
-Path "ou=Parallels,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "RemotePC" `
-Path "ou=Parallels,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "VDI" `
-Path "ou=Parallels,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

Open the Active Directory Users and Computers console.

Server Manager, Tools, and click on Active Directory Users and Computers (ADUC), as shown in Figure 31.

Expand the domain and expand the Lab node, as shown in Figure 32.

Verify that all the OUs exist.

Now, on to AD Security Groups.

Create AD Security Groups

I place my security groups here in the OU structure.

Lab

Groups

Admin

CtxAdmins

CtxHelpdesk

DEMAdmins

RASAdmins

RASHelpdesk

VMwAdmins

VMwHelpdesk

Users

DEMUsers

H8Users

RASUsers

XAUsers

XDUsers

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 33. You may want to resize the PowerShell window vertically to see more of the output.

Remember to set the values you need.

#admin security groups
$ADDomain = "LabADDomain"
$TLD = "com"
$Protect = $False

New-ADGroup -DisplayName "CtxAdmins" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "CtxAdmins" `
-Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "CtxAdmins$"

New-ADGroup -DisplayName "CtxHelpdesk" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "CtxHelpdesk" `
-Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "CtxHelpdesk$"

New-ADGroup -DisplayName "DEMAdmins" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "DEMAdmins" `
-Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "DEMAdmins$"

New-ADGroup -DisplayName "RASAdmins" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "RASAdmins" `
-Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "RASAdmins$"

New-ADGroup -DisplayName "RASHelpdesk" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "RASHelpdesk" `
-Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "RASHelpdesk$"

New-ADGroup -DisplayName "VMwAdmins" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "VMwAdmins" `
-Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "VMwAdmins$"

New-ADGroup -DisplayName "VMwHelpdesk" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "VMwHelpdesk" `
-Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "VMwHelpdesk$"

#user security groups
New-ADGroup -DisplayName "DEMUsers" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "DEMUsers" `
-Path "ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "DEMUsers$"

New-ADGroup -DisplayName "H8Users" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "H8Users" `
-Path "ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "H8Users$"

New-ADGroup -DisplayName "RASUsers" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "RASUsers" `
-Path "ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "RASUsers$"

New-ADGroup -DisplayName "XAUsers" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "XAUsers" `
-Path "ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "XAUsers$"

New-ADGroup -DisplayName "XDUsers" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "XDUsers" `
-Path "ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "XDUsers$"

Refresh the ADUC console.

Click on Lab/Groups/Admin, and in the right pane, verify the admin security groups exist, as shown in Figure 34.

Click on Lab/Groups/Users, and in the right pane, verify the user security groups exist, as shown in Figure 35.

Now, on to AD User Accounts.

Create AD User Accounts

I place user accounts here in the OU structure.

Lab

Accounts

Admin

CtxAdmin

RASAdmin

UMSAdmin

VMwAdmin

Service

DNSDynamicUpdate

Users

CtxUser1

CtxUser2

CtxUser3

RASUser1

RASUser2

RASUser3

VMwUser1

VMwUser2

VMwUser3

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 36. You may want to resize the PowerShell window vertically to see more of the output.

Remember to set the values you need.

#Create admin user accounts
$UserPwd = Read-Host -AsSecureString -Prompt "Enter password"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "CtxAdmin" `
-Enabled $True `
-Name "CtxAdmin" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Admin,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "CtxAdmin" `
-UserPrincipalName "CtxAdmin@LabADDomain.com"
New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "RASAdmin" `
-Enabled $True `
-Name "RASAdmin" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Admin,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "RASAdmin" `
-UserPrincipalName "RASAdmin@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "UMSAdmin" `
-Enabled $True `
-Name "UMSAdmin" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Admin,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "UMSAdmin" `
-UserPrincipalName "UMSAdmin@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "VMwAdmin" `
-Enabled $True `
-Name "VMwAdmin" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Admin,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "VMwAdmin" `
-UserPrincipalName VMwAdmin@LabADDomain.com

Refresh the ADUC console.

Click on Lab/Accounts/Admin, and in the right pane, verify the admin user accounts exist, as shown in Figure 37.

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 38.

Remember to set the values you need.

#create service accounts
#Create the service account DNSDynamicUpdate DNS Dynamic Update Credentials account for DHCP
New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-Description "DO NOT CHANGE THE PASSWORD OR DELETE/DISABLE ACCOUNT" `
-DisplayName "DNSDynamicUpdate" `
-Enabled $True `
-GivenName "DNSDynamicUpdate" `
-Name "DNSDynamicUpdate" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Service,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "DNSDynamicUpdate" `
-UserPrincipalName "DNSDynamicUpdate@LabADDomain.com"

#Create the service account svc_CtxVMware for CVAD hosting connection
New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-Description "DO NOT CHANGE THE PASSWORD OR DELETE/DISABLE ACCOUNT" `
-DisplayName "svc_CtxVMware" `
-Enabled $True `
-GivenName "svc_CtxVMware" `
-Name "svc_CtxVMware" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Service,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "svc_CtxVMware" `
-UserPrincipalName "svc_CtxVMware@LabADDomain.com"

#Create the service account svc_VMwareHorizon for Horizon vCenter permissions
New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-Description "DO NOT CHANGE THE PASSWORD OR DELETE/DISABLE ACCOUNT" `
-DisplayName "svc_VMwareHorizon" `
-Enabled $True `
-GivenName "svc_VMwareHorizon" `
-Name "svc_VMwareHorizon" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Service,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "svc_VMwareHorizon" `
-UserPrincipalName "svc_VMwareHorizon@LabADDomain.com"

#Create a service account ldap_query for LDAP Queries
New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-Description "DO NOT CHANGE THE PASSWORD OR DELETE/DISABLE ACCOUNT" `
-DisplayName "ldap_query" `
-Enabled $True `
-GivenName "ldap_query" `
-Name "ldap_query" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Service,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "ldap_query" `
-UserPrincipalName "ldap_query@LabADDomain.com"

Refresh the ADUC console.

Click on Lab/Accounts/Service, and in the right pane, verify the service user account exists, as shown in Figure 39.

In the right pane, double-click an account, click on the Account tab, and verify the properties, as shown in Figure 40.

Click Cancel.

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 41. You may want to resize the PowerShell window vertically to see more of the output.

Remember to set the values you need.

#Create lab user accounts

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "CtxUser1" `
-Enabled $True `
-Name "CtxUser1" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "CtxUser1" `
-UserPrincipalName "CtxUser1@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "CtxUser2" `
-Enabled $True `
-Name "CtxUser2" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "CtxUser2" `
-UserPrincipalName "CtxUser2@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "CtxUser3" `
-Enabled $True `
-Name "CtxUser3" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "CtxUser3" `
-UserPrincipalName "CtxUser3@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "RASUser1" `
-Enabled $True `
-Name "RASUser1" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "RASUser1" `
-UserPrincipalName "RASUser1@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "RASUser2" `
-Enabled $True `
-Name "RASUser2" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "RASUser2" `
-UserPrincipalName "RASUser2@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "RASUser3" `
-Enabled $True `
-Name "RASUser3" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "RASUser3" `
-UserPrincipalName "RASUser3@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "VMwUser1" `
-Enabled $True `
-Name "VMwUser1" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "VMwUser1" `
-UserPrincipalName "VMwUser1@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "VMwUser2" `
-Enabled $True `
-Name "VMwUser2" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "VMwUser2" `
-UserPrincipalName "VMwUser2@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "VMwUser3" `
-Enabled $True `
-Name "VMwUser3" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "VMwUser3" `
-UserPrincipalName "VMwUser@LabADDomain.com"

Refresh the ADUC console.

Click on Lab/Accounts/Users, and in the right pane, verify the user accounts exist, as shown in Figure 42.

Now on to adding admin users to admin security groups.

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 43. You may want to resize the PowerShell window vertically to see more of the output.

Remember to set the values you need.

#add admin users to admin groups

Add-ADGroupMember -Identity "CN=CtxAdmins,ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=CtxAdmin,OU=Admin,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=CtxHelpdesk,ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=CtxUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=DEMAdmins,ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=VMwUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=RASAdmins,ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=RASAdmin,OU=Admin,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=RASHelpdesk,ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=RASUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=VMwAdmins,ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=VMwAdmin,OU=Admin,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=VMwHelpdesk,ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=VMwUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Refresh the ADUC console.

Click on Lab/Groups/Admins, and in the right pane, double-click one of the admin security groups and click on the Members tab, as shown in Figures 44 and 45.

Verify that the appropriate admin account exists as a member of the admin security group.

Now on to adding users to user security groups.

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 46. You may want to resize the PowerShell window vertically to see more of the output.

Remember to set the values you need.

#add lab users to lab user groups

Add-ADGroupMember -Identity "CN=DEMUsers,ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=VMwUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD","CN=VMwUser2,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD","CN=VMwUser3,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=H8Users,ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=VMwUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD","CN=VMwUser2,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD","CN=VMwUser3,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=RASUsers,ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=RASUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD","CN=RASUser2,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD","CN=RASUser3,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=XAUsers,ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=CtxUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=XDUsers,ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=CtxUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD","CN=CtxUser2,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD","CN=CtxUser3,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Refresh the ADUC console.

Click on Lab/Groups/Users, and in the right pane, double-click one of the user security groups and click on the Members tab, as shown in Figures 47 and 48.

Verify that the appropriate user account exists as a member of the user security group.

Exit the ADUC console.

Now on to installing and configuring DHCP.

Installing and Configuring DHCP

We perform the following steps using PowerShell.

1. Install the DHCP Server role and the DHCP Server Tools
2. Authorize the new DHCP server in AD
3. Add the new DHCP server to the DnsUpdateProxy security group
4. Add DHCP security groups
5. Set DHCP server DNS settings
6. Set DHCP Server Network Access Protection policy settings
7. Set the DNS Dynamic Update Credentials
8. Set Filters
9. Set DHCP server options
10. Set DHCP scope
11. Set scope options
12. Set scope DNS settings
13. Set scope reservations
14. Set reservation DNS settings

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 49. You may want to resize the PowerShell window vertically to see more of the output.

Remember to set the values you need.

#install DHCP
Install-WindowsFeature DHCP, RSAT-DHCP

#authorize the new DHCP server in AD
$DHCPServer = "$($env:ComputerName).$($env:USERDNSDOMAIN)"
Add-DhcpServerInDC -DnsName $DHCPServer

#add new DHCP server to the DnsUpdateProxy security group
$computer = "$($env:ComputerName)$"
Add-ADGroupMember "DnsUpdateProxy" -members $computer

#add DHCP security groups
#This command adds the security groups DHCP Users and DHCP Administrators to the DHCP server
Add-DhcpServerSecurityGroup -ComputerName $DHCPServer

#Set DHCP server DNS settings
Set-DhcpServerv4DnsSetting -ComputerName $DHCPServer `
-DynamicUpdates Always `
-NameProtection $True

#Set DHCP Server Network Access Protection policy settings
Set-DhcpServerSetting -ComputerName $DHCPServer `
-NapEnabled $False `
-ConflictDetectionAttempts 0 `
-ActivatePolicies $False `
-NpsUnreachableAction Full

#set the DNS Dynamic Update Credentials
$DHCPCredentials = Get-Credential -UserName "DNSDynamicUpdate" -Message "Enter password for DNSDynamicUpdate"
Set-DhcpServerDnsCredential -Credential $DHCPCredentials -ComputerName $DHCPServer

#set Filters
Set-DhcpServerv4FilterList -ComputerName $DHCPServer -Allow $False -Deny $False

#set DHCP server options
Set-DhcpServerv4OptionValue -ComputerName $DHCPServer `
-DnsServer 192.168.1.201,192.168.1.202 `
-Router 192.168.1.1 `
-Force `
-DnsDomain "LabADDomain.com"

#set DHCP scope
Add-DhcpServerv4Scope -Name "Webster's Lab" `
-StartRange 192.168.1.100 `
-EndRange 192.168.1.199 `
-SubnetMask 255.255.255.0 `
-ComputerName $DHCPServer `
-LeaseDuration 8.00:00:00 `
-State Active `
-Type DHCP `
-Description ""

#set scope options
Set-DhcpServerv4OptionValue -ComputerName $DHCPServer `
-ScopeId 192.168.1.0 `
-DnsServer 192.168.1.201,192.168.1.202 `
-Force `
-DnsDomain "LabADDomain.com" `
-Router 192.168.1.1

#Set scope DNS settings
Set-DhcpServerv4DnsSetting -ComputerName $DHCPServer `
-ScopeId 192.168.1.0 `
-DynamicUpdates Always `
-NameProtection $True

#set scope reservations
Add-DhcpServerv4Reservation -Name "APC SmartUPS 2200" `
-ScopeId 192.168.1.0 `
-IPAddress 192.168.1.249 `
-ClientId "28-29-86-1b-f9-b1" `
-Type Both `
-Description "APC SmartUPS 2200"

#Set reservation DNS settings
Set-DhcpServerv4DnsSetting -ComputerName $DHCPServer `
-IPAddress 192.168.1.249 `
-DynamicUpdates Always 

Add-DhcpServerv4Reservation -Name "Netgear 1G Switch" `
-ScopeId 192.168.1.0 `
-IPAddress 192.168.1.250 `
-ClientId "28-80-88-6d-51-60" `
-Type Both `
-Description "Netgear 1G Switch"

#Set reservation DNS settings
Set-DhcpServerv4DnsSetting -ComputerName $DHCPServer `
-IPAddress 192.168.1.250 `
-DynamicUpdates Always 

Add-DhcpServerv4Reservation -Name "Netgear 10G Switch" `
-ScopeId 192.168.1.0 `
-IPAddress 192.168.1.251 `
-ClientId "3c-37-86-2a-0e-0c" `
-Type Both `
-Description "Netgear 10G Switch"

#Set reservation DNS settings
Set-DhcpServerv4DnsSetting -ComputerName $DHCPServer `
-IPAddress 192.168.1.251 `
-DynamicUpdates Always

#Added 22-Sep-2021 at the request of Jurjen van Leeuwen @Leodesk_IT on Twitter
#https://docs.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-deploy-wps#notify-server-manager-that-post-install-dhcp-configuration-is-complete-optional
Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2

Open the DHCP console.

Server Manager, Tools, and click on DHCP, as shown in Figure 50.

Expand the width of the console and the left and middle panes.

Expand the DHCP server.

Expand IPv4.

Right-click IPv4 and click Properties, as shown in Figure 51.

Click the DNS tab and verify that Name Protection is enabled, as shown in Figure 52.

Click the Filters tab and verify the both MAC Filters options are not selected, as shown in Figure 53.

Click the Advanced tab and Credentials, as shown in Figure 54.

Verify that the DNS dynamic update credentials are configured, as shown in Figure 55.

Exit the IPv4 Properties.

Right-click on the scope and click Properties, as shown in Figure 56.

Click the General tab and verify that the Scope configuration is correct, as shown in Figure 57.

Click the DNS tab and verify that Name Protection is enabled, as shown in Figure 58.

Exit the Scope Properties.

Click the Reservations node to verify the creation of the reservations, as shown in Figure 59.

Click the Address Leases node and look in the middle pane to see if the DHCP server is handing out DHCP leases, as shown in Figure 60.

Click the Scope Options node and verify that the scope options are correct, as shown in Figure 61.

Click the Server Options node and verify that the server options are correct, as shown in Figure 62.

Exit the DHCP console.

Even in a lab setup, having only one DC is a recipe for disaster. You should always have at least two DCs.

Create Second DC

Go to the second VM built to use as the second DC.

In Server Manager, click on Local Server.

Click on the IP Address link, as shown in Figure 63.

Right-click the network adapter and click Properties.

Click Internet Protocol Version 4 (TCP/IPv4) and click Properties, as shown in Figure 64.

Change the Preferred DNS server to the IP address of the first DC, the Alternate DNS server to the IP address of this server, and click Advanced…, as shown in Figure 65.

Click the DNS tab and click Add…, as shown in Figure 66.

Enter 127.0.0.1 and click Add, as shown in Figure 67.

Verify that the IP addresses listed are in the order of the first DC, this server, and 127.0.0.1, and click OK, as shown in Figure 68. If they are not in the correct order, use the Up and Down arrows to reorder the list.

Click OK.

Click Close.

We are ready to add a DC to the existing forest/domain. We start by installing the necessary Roles and Features.

• Active Directory Administrative Center
• Active Directory Domain Services
• Active Directory module for Windows PowerShell
• Active Directory Snap-Ins and Command-Line Tools
• Active Directory Tools
• Remote Server Administration Tools
• Role Administration Tools
• Telnet Client

Start an elevated PowerShell session. Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 69.

#add a domain controller
Install-WindowsFeature AD-Domain-Services, RSAT-AD-PowerShell, RSAT-ADDS, RSAT-AD-AdminCenter, RSAT-ADDS-Tools, Telnet-Client

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 70.

$DomainName = "LabADDomain"
$SafeModePwd = Read-Host -AsSecureString -Prompt "Enter DSRM password"

Install-ADDSDomainController `
-Confirm:$False `
-Credential (Get-Credential "$DomainName\Administrator") `
-DomainName $DomainName `
-InstallDns `
-SafeModeAdministratorPassword $SafeModePwd

#new dc reboots

After the VM restarts, log in using the domain’s Administrator account and password.

We are now configuring this DC’s DNS server properties. We configured the zones and zone properties earlier, and this new DC picks up all the configured AD and DNS configurations via AD replication.

Start an elevated PowerShell session. Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 71.

#configure DNS
$computer = "$($env:ComputerName)"

Set-DnsServerScavenging `
-ComputerName $computer `
-ApplyOnAllZones `
-ScavengingState $True `
-ScavengingInterval 7.00:00:00 `
-RefreshInterval 7.00:00:00 `
-NoRefreshInterval 7.00:00:00 

Set-DnsServerForwarder -ComputerName $computer -Confirm:$False -IPAddress 1.1.1.1,8.8.8.8,8.8.4.4 -UseRootHint $True

Open the ADUC console, expand the domain and click on the Domain Controllers OU, as shown in Figure 72. Verify that both DCs exist in the OU.

Close the ADUC console.

Open the Active Directory Sites and Services console, expand Sites, expand the site created earlier, and click on the site, as shown in Figure 73. Verify that the new DC exists in the site.

Close the Active Directory Sites and Services console.

Despite what we might think, the new server is not technically a DC until the NETLOGON and SYSVOL shares are created, populated, and shared.

Open a command prompt on the new DC, type in net share, and press Enter, as shown in Figure 74.

If BOTH the NETLOGON and SYSVOL shares show in the list, the new server is officially a DC. In a large environment, especially if hundreds or thousands of Group Policies exist, it can take hours before SYSVOL appears in the share list.

Now that the second DC is officially a DC, we need to add its IP address to the DNS configuration on the first DC.

Go to the first DC.

In Server Manager, click Local Server, and click the IP Address link for the Etherther interface, as shown in Figure 75.

Right-click the network adapter and click Properties, as shown in Figure 76.

Click Internet Protocol Version 4 (TCP/IPv4) and click Properties, as shown in Figure 77.

Click Advanced…, as shown in Figure 78.

Click the DNS tab and click Add…, as shown in Figure 79.

Enter the IP address of the second DC and click Add, as shown in Figure 80.

Use the arrow buttons to arrange the DNS servers, so the top is the first DC, the middle is the second DC, and the third is the local loopback address, as shown in Figures 81 and 82.

Click OK, OK, and Close to exit the network adapters properties.

DC NIC Adapter DNS Settings

Why do I care so much about the adapter’s DNS configuration on DCs? Because I rarely see any consistency in the configuration. In most places I go, it looks like every admin built and configured each DC with their own opinion on the configuration. If there are 12 DCs, there are 12 different configurations. There is no one way to set the DNS configuration on DCs. The goal is to set a standard and use it.

As mentioned earlier, DNS is critical to a properly functioning AD. To ensure that DNS contains the proper resource records and registrations in DNS, every domain controller should have a consistent configuration for its DNS servers. You should only include DNS servers that know how to register, process and handle AD-related resource records in the DNS configuration on DCs. You should never use public DNS servers and DNS servers from Internet Service Providers.

There are different recommendations for the following scenarios:

• One Domain, one Site
• One Domain, multiple Sites, single domain controller per Site
• One Domain, multiple Sites, multiple domain controllers per Site
• Multiple Domains, one Site
• Multiple Domains, multiple Sites, single domain controller per Site
• Multiple Domains, multiple Sites, multiple domain controllers per Site

The number one recommendation is to be consistent in how domain controllers have their DNS servers configured.

1. The PDCe FSMO Role holder becomes the Primary DNS Server for the domain (PriDNS)
2. If a remote Site has multiple domain controllers, select a domain controller to be the Primary DNS for the Site (SitePri)

Domain DNS Configuration:

1. All domain controllers in the domain’s main Site point to PriDNS for Primary DNS
2. The PriDNS server points to Loopback for Secondary DNS
3. The PriDNS server points to a second DNS server in the domain’s main Site for tertiary DNS
4. All other domain controllers in the domain’s main Site point to themselves for Secondary DNS
5. All other domain controllers in the domain’s main Site point to Loopback for Tertiary DNS

Remote Site DNS Configuration:

1. SitePri points to PriDNS for Primary DNS
2. SitePri points to itself for Secondary DNS
3. SitePri points to Loopback for Tertiary DNS
4. All other domain controllers in the remote Site point to SitePri for Primary DNS
5. All other domain controllers in the remote Site point to themselves for Secondary DNS
6. All other domain controllers in the remote Site point to Loopback for Tertiary DNS

Figure 83 shows the recommended configuration for a single domain with a single site (like the lab we are building).

How many DNS servers should you configure on the network adapter? Not as many as you think. I recommend on DCs, a total of three where the third is always 127.0.0.1. For all other computers, also no more than three. I have seen places with 15 DCs, and every computer had all 15 DCs in the list of DNS servers. If you understand Windows DNS client resolution timeouts, limit the number of DNS entries.

Create Additional DNS A Records

After completing this article and creating the other articles, I realized I completely forgot about all the static DNS A records I mentioned in the introduction article. I am too lazy to rewrite this article and redo screenshots, so I am adding this information at the end of this article.

We create static A records with PowerShell, with the options shown when manually creating an A record, as shown in Figure 84.

Go back to the first DC we created and open an elevated PowerShell session.

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 85. You may want to resize the PowerShell window vertically to see more of the output.

Remember to set the values you need.

#Do this on the first DC
#add the DNS static records I forgot
$ZoneName = "LabADDomain.com"

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.91" `
-Name "AppLayering" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.253" `
-Name "DiskStation1" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.254" `
-Name "DiskStation2" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.53" `
-Name "ESXiHost1" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.57" `
-Name "EsxiHost2" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.61" `
-Name "EsxiHost3" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.65" `
-Name "EsxiHost4" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.69" `
-Name "EsxiHost5" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.73" `
-Name "EsxiHost6" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA `
-AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.90" `
-Name "vCenter" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Open the DNS console, expand the domain name’s Forward Lookup Zone, and verify that the static A records exist, as shown in Figure 86.

Expand Reverse Lookup Zones, click on the reverse zone created earlier, and verify that the static PTR records exist, as shown in Figure 87.

Up next: Create a Microsoft Certificate Authority

Landing page for the article series

On September 9, 2019, I published the Building Webster’s Lab V1 article series that used vSphere/vCenter 6.7 U3 and XenServer 8.0. This is a follow-up series on building the lab with vSphere/vCenter 7.0 and XenServer 8.2. I want to rebuild the lab as I’m not too fond of upgrades. Building new allows for learning new stuff and a chance to start clean. There are more details about the lab building process in this series. We cover the hypervisor details and create an Active Directory, a Microsoft Certificate Authority, Group Policies, and some basic server builds. Once I complete the lab build, I start the article series Learning the Basics of VMware Horizon 8 2106.

One of the significant issues I had with the original build process with all versions of vSphere 6.x was that I could not get NFS V4.1 to work between my Synology NAS and vSphere/vCenter 6.x. I tried for months to get it working and threw in the towel. Finally, someone on Twitter recommended using NFS V3, and everything worked. I was hopeful that NFS V4.1 would work between my Synology NAS and vSphere/vCenter 7.x. I let out a big YAHOO when it did work. WHEW!

Synology support told me back in 2019 that they thought the issue was on the VMware side. I was skeptical of their conclusion, but it appears they were correct. Nothing changed on the Synology side. The Synology NFS plug-in for VMware VAAI hadn’t changed since 25-Jun-2019 when it was updated to support ESXi 6.7. The same plug-in installed in ESXi 7 works with no issues.

VMware has an article to show the differences in the capabilities of NFS 3 and NFS 4.1. Please see NFS Protocols and ESXi.

Before continuing this introduction article, let me explain the products and technology that I list below. Not everyone has years of virtualization experience and virtualization knowledge. I spend many hours answering questions that come to me in emails and answering questions on Experts Exchange. Many people are new to the world of Citrix, Microsoft, Parallels, VMware, hypervisors, and application, desktop, and server virtualization.

There are two types of hypervisors: Type 1 and Type 2.

Type 1 hypervisors run directly on or take complete control of the system hardware (bare metal hardware). These include, but are not limited to:

Citrix Hypervisor (Formerly Citrix XenServer, which is the name I still use)

Microsoft Hyper-V

VMware ESXi

VMware vSphere

Xen Project

Type 2 hypervisors run under a host operating system. These include, but are not limited to:

Oracle VirtualBox

Parallels Desktop for Mac

VMware Fusion for Mac

VMware Workstation for Windows

Other terminology and abbreviations:

Virtualization Host: a physical computer that runs the Type 1 hypervisor.

Virtual Machine (VM): an operating system environment composed entirely of software that runs its operating system and applications like a physical computer. A VM behaves like a physical computer and contains its virtual processors (CPU), memory (RAM), hard disk, and networking (NIC).

Cluster or Pool: a single managed entity that binds together multiple physical hosts running the same Type 1 hypervisor and the VMs of those hosts.

Datastore or Storage Repository (SR): a storage container that stores one or more virtual hard disks.

Virtual Hard Disk: A virtual hard disk is a disk drive with similar functionalities as a typical hard drive but is accessed, managed, and installed on a virtual machine infrastructure.

Server Virtualization: Server virtualization is the masking of server resources, including the number and identity of individual physical servers, processors, and operating systems, from server users.

Application Virtualization: Application virtualization is the separation of an application from the client computer accessing the application.

Desktop Virtualization: Desktop virtualization is the concept of isolating a logical operating system (OS) instance from the client used to access it.

There are several products mentioned and used in this article series:

Citrix Virtual Apps and Desktops (CVAD, formerly XenApp and XenDesktop).

Microsoft Remote Desktop Services (RDS)

Parallels Remote Application Server (RAS)

VMware Horizon (Horizon)

Citrix uses XenCenter to manage XenServer resources, and VMware uses vCenter to manage vSphere resources. Both XenCenter and vCenter are centralized graphical consoles for managing, automating, and delivering virtual infrastructures.

In Webster’s Lab, I always try to use the latest Citrix XenServer, VMware Workstation, and VMware vSphere. This article series records the adventures of a networking amateur building a vSphere 7.0 cluster from start to finish.

Like most Citrix and Active Directory (AD) consultants, I can work with the various vSphere and vCenter clients. I can work with virtual machines (VMs), snapshots, templates, cloning, and customization templates. Most consultants don’t regularly install and configure new ESXi hosts, vCenter, networking, and storage, which can be confusing, at least the first few times.

I found much misinformation on the Internet as well as many helpful blogs on this journey. I ran into so much grief along the way that I thought that sharing this learning experience with the community was a good idea.

Have I got this all figured out? I seriously doubt it. Have I built the VMware part of the lab in the best way possible? Again, I doubt it. To figure this out, I experienced trials and errors (mainly errors!) in many scenarios. I found many videos and articles that used a single “server” with a single NIC. That meant there was essentially no network configuration to do once the installation of ESXi was complete. Many people used VMware Workstation and nested ESXi VMs. I never saw a video or article where the author used a real server with multiple NICs and configured networking and storage.

If you want to offer advice on my lab build, please email me at webster@carlwebster.com.

I watched many videos on this journey — some useless and rife with editing errors, some very useful and highly polished. The three most helpful video series came from Pluralsight. Disclaimer: As a Citrix Technology Professional (CTP), I receive a complimentary subscription to Pluralsight as a CTP Perk.

These are the videos I watched for the original article series.

VMware vSphere 6 Data Center Virtualization (VCP6-DCV) by Greg Shields

https://www.pluralsight.com/paths/vsphere-6-dcv

What’s New in vSphere 6.5 by Josh Coen

https://www.pluralsight.com/courses/whats-new-vsphere-6-5

VMware vSphere 6.5 Foundations by David Davis

I did not watch any Pluralsight videos on vSphere 7, but David Davis has several new courses in his Implementing and Managing VMware vSphere Learning Path.

The physical servers I use as my VMware and XenServer hosts are from TinkerTry and Wired Zone.

https://tinkertry.com/

Supermicro Mini Tower Intel Xeon D-1541 Bundle 2 – US Version

Paul Braren at TinkerTry takes great pride in the servers he recommends and has a very informative blog.

For the ESXi hosts, I have six of the 8-core servers with the following specifications:

• Mini tower case
• Intel Xeon D-1541 processor
• 64GB DDR4 RAM
• Two 1Gb NIC
• Two 10Gb NIC
• Crucial BX300 120GB SSD (ESXi install)
• Samsung 970 EVO 500GB NVMe PCIe M.2 SSD (Local datastore)
• Crucial MX500 250GB SSD (Host cache)

For the XenServer hosts, I have four of the 12-core servers with the following specifications:

• Mini tower case
• Intel Xeon D-1567 processor
• 64GB DDR4 RAM
• Two 1Gb NIC
• Two 10Gb NIC
• Samsung 970 EVO 500GB NVMe PCIe M.2 SSD (XenServer install and local SR)
• Samsung 860 EVO 1TB 2.5 Inch SATA III Internal SSD (Local SR for VMs)

NOTE: I would never buy or recommend the 12-core servers as I have had nothing but problems with the 10Gb NICs on the servers.

For VMware product licenses, I used VMUG Advantage and the EVALExperience. If you would like to try EVALExperience, Paul Braren has a 10% discount code on his site.

I am fortunate that Citrix supplies CTPs with licenses that work with most on-premises products.

Now that Citrix and other vendors support vSphere/vCenter 7, it is time to rebuild the lab with the latest version of both.

For XenServer, I went with XenServer 8.2, the latest version.

I decided to go with the Network File System (NFS) instead of the Internet Small Computer Systems Interface (iSCSI) for storage. Gregory Thompson was the first to tell me to use NFS instead of iSCSI for VMware. If you Google “VMware NFS iSCSI”, you find many articles that explain why NFS is better than iSCSI for VMware environments. For me, NFS is easier to configure on an ESXi host than iSCSI. I also found out my Synology 1817+ storage unit supported NFS. Synology 1817 and 1817+ support NFS 4.1, and Synology has provided a VAAI plug-in for NFS since 2014.

For XenServer, NFS is also simple to configure and use and requires no additional drivers or software.

The following is a noncomprehensive list of some of the activities this article series covers:

• Configuring a Synology 1817+ NAS for NFS, ESXi 7.0, and XenServer 8.2
• Install VMware ESXi 7.0
• Initial VMware ESXi Host Configuration
• VMware ESXi Host Configuration
• Install the VMware vCenter Server Appliance
• Create vSphere Networking and Network Storage
• Backup the vCenter Server Appliance using NFS
• Updating the vCenter Server Appliance
• Install Citrix XenServer 8.2
• Citrix XenServer Host and Pool Configuration
• Create a Server 2019 Template Image
• Create VMs from the Server 2019 Template
• Create Active Directory
• Create a Microsoft Certificate Authority
• Create Initial Group Policy Objects
• Additional vCenter Configuration
• Additional XenCenter Configuration
• Create Additional Servers
• Create a Management Computer
• Create a 10ZiG Management Server
• Create a Goliath Technologies Management Server
• Create an IGEL Management Server
• Create a ControlUp Management Server
• Update ESXi Hosts using VMware Lifecycle Manager
• Advice, Conclusions, and Lessons Learned

There are two classes of VMs in my lab: permanent and temporary. The permanent VMs are, for example, the domain controllers, CA, file server, SQL server, utility server, management PC, and others. The permanent VMs reside in Citrix XenServer, and I use the vSphere cluster for the virtual desktops and servers created by the various virtualization products. All the Microsoft-related infrastructure servers reside in XenServer.

Since I have built and rebuilt my hosts several times in this learning experience, below is the lab configuration.

Table 1 Lab Configuration

Servers and appliances that exist in the lab after I complete this article series.

I temporarily have DHCP running in my temporary AD, so when DHCP assigns an IP address, DHCP appends the AD domain name to the device’s hostname. For example, when I built the host ESXiHost1, it was given an IP address of 192.168.1.107.  I then give the host a static IP address of 192.168.1.53. When I connect to that host using Google Chrome, the hostname is ESXiHost1.LabADDomain.com, even though the host is not a member of the LabADDomain.com domain.

To work around the initial self-signed certificate issues when connecting to a host using a browser, add the Fully Qualified Domain Name (FQDN) of the various hosts to your AD’s DNS. If your computer, like mine, is not domain joined, you should also consider adding the IP address and FQDN to your computer’s hosts file (located in c:\Windows\System32\Drivers\etc).

Figures 1 through 3 show my DNS Forward and Reverse Lookup Zones and my computer’s hosts file.

Since I have a 10Gb switch and my Synology 1817+ NAS supports 10Gb I use Jumbo Frames. After much research, asking NETGEAR support, and talking with friends who know networking, I configured the following Maximum Transmission Unit (MTU) sizes:

• 10G Switch: 9000 as shown in Figure 4
• Synology 1817+: 9000 as shown in Figure 5
• (When created) 10G related Virtual Switch: 9000
• (When created) VMkernel NICs that connect to the 10G Virtual Switch: 9000

Fellow CTP, Leee Jeffries, provided Figure 6 after reviewing several of the articles in this series. Figure 6 is an overview of the networking in the lab.

This foray into installing and configuring the VMware Lab has been a painful but rewarding learning experience. I hope that through all my pain and errors, you can also gain from my experiences.

Along the way, several community members helped provide information, answered questions, and even did remote sessions with me when I ran into stumbling blocks.

• Abdullah Abdullah
• Greg Shields
• Gregory Thompson
• Leee Jeffries
• Tobias Kreidl

This article series is better because of the grammar, spelling, punctuation, style, and technical input from Michael B. Smith, Leee Jeffries (darn that British English), Tobias Kreidl, and Greg Thompson.

Up next: Configuring a Synology 1817+ NAS for NFS, ESXi 7.0, and XenServer 8.2.

Landing page for the article series

To fix these issues, I created a similar forest in my lab. I have never seen Tree domains before.

Here are a few screenshots from my new forest with three Tree domains.

Running the 3.04 AD doc script in the root domain using -ADForest.

Running the 3.04 AD doc script in a tree domain using -ADForest.

Running the 3.04 AD doc script in a tree domain using -ADDomain.

Version 3.04 24-Mar-2021

• Change the wording for schema extensions from “Just because a schema extension is Present does not mean it is in use.” to “Just because a schema extension is Present does not mean that the product is in use.”
• Only process and output Foreign Security Principal data for the Root Domain
• Only process the Appendix Domain Controller DNS Info if -DCDNSInfo is true. No need for an empty table and Appendix otherwise
• Removed a few warnings from the console output that were not warnings
• The following fixes are for running the script in a Forest with multiple domains
• When creating the array that contains all domain controllers, don’t sort after each domain as sorting changed the Type of the arraylist after the first domain was processed
  • This caused the three Appendixes to only contain the data for the DCs in the first domain
• When outputting domain controllers, sort the DCs by domain name and DC name
  • Put the DCs in domain name order, don’t put every DC in the Root domain
  • Change the header to reflect the actual domain name
• When retrieving Inherited GPOs, add the Domain name to the cmdlet
• When running in a child or tree domain, only the domain entered was used when calculating the number of domains in the forest
  • That is now fixed
• When running in a child or tree domain and using -ADForest, compare the root domain’s name to the name entered for -ADForest
  • If they are not the same, abort the script and state to rerun the script with -ADDomain and not -ADForest
• Updated the help text
• Updated the ReadMe file

I want to thank Michael B. Smith for the code review and for David McSpadden for testing in his single domain forest to make sure I didn’t break anything. I had a couple of people offer to test the script in their multiple domain forests, but I never heard from them after sending them the script for testing.

If you run the script in a multiple domain forest and have questions or issues, please email me. webster at carlwebster dot com.

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

If you are still using FRS (Flaky Replication System) instead of DFSR (Darn Fine Replication System), you should migrate from FRS to DFSR.

To determine if FRS or DFSR is used, run the following command on one of your DCs:

dfsrmig /getmigrationstate

Possible results:

1. The current domain functional level is not Windows Server 2008 or above.
   DFSRMig is only supported on Windows Server 2008 or above level domains.
2. DFSR migration has not yet initialized. To start migration please
   set global state to desired value. [sic]
3. All domain controllers have migrated successfully to the Global state (‘Start’).
   Migration has reached a consistent state on all domain controllers.
   Succeeded.
4. All domain controllers have migrated successfully to the Global state (‘Prepared’).
   Migration has reached a consistent state on all domain controllers.
   Succeeded.
5. All domain controllers have migrated successfully to the Global state (‘Redirected’).
   Migration has reached a consistent state on all domain controllers.
   Succeeded.
6. All domain controllers have migrated successfully to the Global state (‘Eliminated’).
   Migration has reached a consistent state on all domain controllers.
   Succeeded.

If you see either number 1 or 2, you are using FRS. It would be best if you migrated to DFSR as soon as possible. If you see numbers 3 through 5, you should finish your migration from FRS to DFSR. You want to see the text from number 6.

Here is a quick PowerShell script to gather the state of SYSVOL of all Domain Controllers (DCs).

You do not need the Active Directory or Group Policy PowerShell modules.

You do not have to run this elevated.

You will need to run as an account with access to the DCs.

$DCs = dsquery server -o rdn
$DCs = $DCs | Sort-Object
$SysvolStatus = New-Object System.Collections.ArrayList
ForEach($DC in $DCs)
{
    $Results = Get-WMIObject -ComputerName $DC -Namespace "root/microsoftdfs" -Class "dfsrreplicatedfolderinfo" -Filter "ReplicatedFolderName = 'SYSVOL Share'" | Select-Object State

    If($? -and $Null -ne $Results)
    {
        $obj1 = [PSCustomObject] @{
            DCName       = $DC
            SysvolState  = $Results.State
        }
        $null = $SysvolStatus.Add($obj1)
    }
    Else
    {
        $obj1 = [PSCustomObject] @{
            DCName       = $DC
            SysvolState  = "Unknown: $($Results.State)"
        }
        $null = $SysvolStatus.Add($obj1)
    }
}

If($SysvolStatus.Count -gt 0)
{
    ForEach($Item in $SysvolStatus)
    {
        "DC: $($Item.DCName)`tSYSVOL State: $($Item.SysvolState)"
    }
}

You should see output similar to:

DC: LABDC1 SYSVOL State: 4
DC: LABDC2 SYSVOL State: 4

You do not want to see something similar to the following.

DC: LABDC1 SYSVOL State: 2
DC: LABDC2 SYSVOL State: 5

The possible State values are:

0 = Uninitialized
1 = Initialized
2 = Initial Sync
3 = Auto Recovery
4 = Normal
5 = In Error

A state value other than 4 should be investigated.

I added this information to the AD documentation script update 3.03, which is currently in testing. If you want to test this script update, send me an email. If the SYSVOL State is not 4, I highlight the value in Red in the Word/PDF/HTML output. In the Text output, I use “***”.

I use this Microsoft article to troubleshoot and fix the incorrect state values.

How to troubleshoot missing SYSVOL and Netlogon shares

I hope your SYSVOL is normal and healthy.

Thanks

Webster