On May 24, 2021, I published the Building Webster’s Lab V2 article series that used vSphere/vCenter 7.0 original release and XenServer 8.2.0.

This is a follow-up on building the lab with vSphere/vCenter 7.0U3L and XenServer 8.2.1.

Why didn’t I use vSphere/vCenter 8? Neither my hardware nor Synology units support vSphere 8. There is a change I can make to an install file to bypass the hardware compatibility check, but I would rather not risk it. It took Synology a long time to add vSphere 7 support, so I have no idea how long before they add support for vSphere 8.

I need to rebuild the lab because something terrible happened after powering down the lab for an extended weekend. When I powered on the lab after returning to the lab the following Monday, the vSphere servers would not connect to local storage and NFS storage, nor connect to any switches or networking.

Read the rest in the PDF…

You can always find the most current PDF by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

Script Bug Fix Updates 7-Feb-2022

• Changed the date format for the transcript and error log files from yyyy-MM-dd_HHmm format to the FileDateTime format
  • The format is yyyyMMddTHHmmssffff (case-sensitive, using a 4-digit year, 2-digit month, 2-digit day, the letter T as a time separator, 2-digit hour, 2-digit minute, 2-digit second, and 4-digit millisecond).
  • For example: 20221225T0840107271.
• Fixed the German Table of Contents (Thanks to Rene Bigler)
  • From
    • ‘de-‘ { ‘Automatische Tabelle 2’; Break }
  • To
    • ‘de-‘ { ‘Automatisches Verzeichnis 2’; Break }
• In Function AbortScript, add test for the winword process and terminate it if it is running
  • Added stopping the transcript log if the log was enabled and started
• In Functions AbortScript and SaveandCloseDocumentandShutdownWord, add code from Guy Leech to test for the “Id” property before using it
• Replaced most script Exit calls with AbortScript to stop the transcript log if the log was enabled and started
• Updated the help text
• Updated the ReadMe file

Active Directory 3.09 7-Feb-2022

• • Added to Domain Information the data for ms-DS-MachineAccountQuota

Active Directory Health Check 3.09 7-Feb-2022

• • Add missing variable $Script:ThisScriptPath
  • Changed all Write-Verbose statements from Get-Date to Get-Date -Format G as requested by Guy Leech
  • Removed Function Stop-Winword
  • Updated Functions CheckWordPrereq and SetupWord with the versions used in the other documentation scripts

Citrix Federated Authentication Services 1.14 7-Feb-2022

Citrix Provisioning Services (PVS) New 6.03 8-Feb-2022

Citrix Provisioning Services (PVS) Old 4.32 10-Feb-2022

Citrix XenApp/XenDesktop 7.0 through 7.7 1.51 13-Feb-2022

• • Since the Citrix.GroupPolicy.Commands.psm1 module file was removed in  1.50,  removed the block for Elevation if $Policies is True

Citrix XenApp/XenDesktop 7.8 through CVAD 2006 2.46 15-Feb-2022

Citrix Virtual Apps and Desktops V3.32 15-Feb-2022

Microsoft Configuration Manager 2012R2 V2.40 17-Feb-2022

Microsoft DHCP V2.05 17-Feb-2022

Microsoft DNS V2.03 18-Feb-2022

Citrix NetScaler Old (uses ns.conf file) V2.62 18-Feb-2022

• • Fixed $Null comparisons that were on the wrong side
  • Updated Functions CheckWordPrereq and SendEmail to the latest version

Parallels RAS V17 V1.02 18-Feb-2022

• • Added Function OutputReportFooter
  • Added Parameter ReportFooter
    • Outputs a footer section at the end of the report.
    • Report Footer
      • Report information:
        • Created with: <Script Name> – Release Date: <Script Release Date>
        • Script version: <Script Version>
        • Started on <Date Time in Local Format>
        • Elapsed time: nn days, nn hours, nn minutes, nn.nn seconds
        • Ran from domain <Domain Name> by user <Username>
        • Ran from the folder <Folder Name>
  • Updated Functions SaveandCloseTextDocument and  SaveandCloseHTMLDocument to add a “Report Complete” line
  • Updated Functions ShowScriptOptions and ProcessScriptEnd to add  $ReportFooter

Parallels RAS V18 V2.11 18-Feb-2022

• • Added Function OutputReportFooter
  • Added Parameter ReportFooter
    • Outputs a footer section at the end of the report.
    • Report Footer
      • Report information:
        • Created with: <Script Name> – Release Date: <Script Release Date>
        • Script version: <Script Version>
        • Started on <Date Time in Local Format>
        • Elapsed time: nn days, nn hours, nn minutes, nn.nn seconds
        • Ran from domain <Domain Name> by user <Username>
        • Ran from the folder <Folder Name>
  • Updated Functions SaveandCloseTextDocument and  SaveandCloseHTMLDocument to add a “Report Complete” line
  • Updated Functions ShowScriptOptions and ProcessScriptEnd to add  $ReportFooter

VMware vSphere 1.93 23-Feb-2022

Citrix XenApp 6.5 5.06 23-Feb-2022

If you have questions or issues, please email me. webster at carlwebster dot com.

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

• Added array error checking for non-empty arrays before attempting to create the Word table for most Word tables
• Added Function OutputReportFooter
• Added Parameter ReportFooter
  • Outputs a footer section at the end of the report.
  • Report Footer
    • Report information:
      • Created with: <Script Name> – Release Date: <Script Release Date>
      • Started on <Date Time in Local Format>
      • Elapsed time: nn days, nn hours, nn minutes, nn.nn seconds
      • Ran from domain <Domain Name> by user <Username>
      • Ran from the folder <Folder Name>
  • Updated Functions SaveandCloseTextDocument and SaveandCloseHTMLDocument to add a “Report Complete” line
  • Updated Functions ShowScriptOptions and ProcessScriptEnd to add $ReportFooter
  • Updated the help text
  • Updated the ReadMe file

Thanks to fellow CTP Thomas Krampe for the push to add the report footer.

If you have questions or issues, please email me. webster at carlwebster dot com.

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

I updated the PDF last on 22-Sep-2021.

You can always find the most current PDF by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

The next step is to create a management computer from the Windows 10 template with the additional servers built and configured. We use the VM built in this article for PowerShell scripting running consoles from Citrix, Microsoft, Parallels, and VMware. My lab’s infrastructure VMs reside in my XenServer pool, as explained in the Introduction article. I consider the management computer an infrastructure computer as it is permanent.

Note: What I call a Management Computer goes by different names.

• Jump Server
• Jump Machine
• Jump Host
• Bastion Machine
• Bastion Host
• And I am sure other locations around the world use other names

Whatever you want to call it, this is a centralized computer for managing and accessing servers, network equipment, storage devices, and other management activities. Some people use a server operating system (OS), and some use a desktop OS. It depends on the licensing restrictions of the software used on the computer.

From the introduction article, this is the VM we are building.

VMware

In vCenter, right-click the Windows 10 Template and click on New VM from This Template…, as shown in Figure 1.

Enter a Virtual machine name and click Next, as shown in Figure 2.

Click Next, as shown in Figure 3.

Select the NFS shared datastore created earlier in this series and click Next, as shown in Figure 4.

Select Power on virtual machine after creation and click Next, as shown in Figure 5.

Verify that the configuration data for the new VM is correct and click Finish, as shown in Figure 6. If any item is incorrect, click Back, correct the item(s), and continue.

It took about 2 minutes to create the VM from the template in my lab.

Wait for the creation of the VM to complete, as shown in Figure 7.

Since we enabled Remote Desktop in the Template, the new VM has it enabled.

In vCenter, select the new Windows 10 VM, and in the right pane, look at the IP address, as shown in Figure 8.

As shown in Figure 9, click Start, Run, and type in mstsc /v:ipaddress /admin, and press Enter [where IP Address is the IP address shown in Figure 8].

Using Remote Desktop at this point makes it easier for me to get screenshots.

Enter the credentials for the local account created during the Windows 10 template build and press Enter, as shown in Figure 10.

Click Yes, as shown in Figure 11.

Select your region and click Yes, as shown in Figure 12.

Select your keyboard layout and click Yes, as shown in Figure 13.

Click Skip, as shown in Figure 14.

Click Accept, as shown in Figure 15.

Click Domain join instead, as shown in Figure 16.

Type in a local user account name and click Next, as shown in Figure 17.

Enter a password and click Next, as shown in Figure 18.

Confirm the password and click Next, as shown in Figure 19.

Select three security questions, enter the answer, and click Next, as shown in Figures 20 through 22.

Select your privacy settings and click Accept, as shown in Figure 23. I set them all to No.

Make a selection for Cortana, as shown in Figure 24. I selected Not now, plus one of the settings in my Lab Defaults Group Policy to disable the use of Cortana.

If you receive the following popup, click Yes, as shown in Figure 25. I only received this popup for VMware, not XenServer.

Right-click the network icon in the systray and click Open Network & Internet settings, as shown in Figure 26.

Click Change adapter options, as shown in Figure 27.

Right-click the adapter and click Properties, as shown in Figure 28.

Click Configure…, as shown in Figure 29.

Click the Power Management tab, deselect every option, and click OK, as shown in Figure 30.

Right-click the Adapter and click Properties, as shown in Figure 28.

Click Internet Protocol Version 4 (TCP/IPv4) and click Properties, as shown in Figure 31.

Select Use the following IP address, enter the IP information for your network, and click OK, as shown in Figure 32. For the DNS server addresses, use the IP addresses of your domain controllers.

How many DNS servers should you configure on the network adapter? Not as many as you think. I recommend on DCs, a total of three where the third is always 127.0.0.1. For all other computers, also no more than three. I have seen places with 15 DCs, and every computer had all 15 DCs in the list of DNS servers. If you understand Windows DNS client resolution timeouts, limit the number of DNS entries.

Click Close, as shown in Figure 33.

After clicking Close,  you lose the connection to the RDP session. Reconnect using the new static IP address.

Close Network Connections.

Click Home, then System, then About, and finally Rename this PC (Advanced), as shown in Figure 34.

Click Change, as shown in Figure 35.

Enter a Computer name, Domain, and click OK, as shown in Figure 36.

Enter the domain’s Administrator name and password and click OK, as shown in Figure 37.

Click OK, as shown in Figure 38.

Click OK, as shown in Figure 39.

Click Close, as shown in Figure 40.

Click Restart Now, as shown in Figure 41.

When the VM restarts, log in using the domain’s Administrator account.

Make any customizations you require to the VM before we start installing consoles. I upgraded my Windows 10 20H2 VM to Windows 10 21H1.

XenServer

In XenCenter, right-click the Windows 10 Template and click on New VM wizard…, as shown in Figure 42.

Select the Windows 10 Template template and click Next, as shown in Figure 43.

Enter a Name, an optional Description, and click Next, as shown in Figure 44.

Since the operating system is installed in the template VM, Click Next, as shown in Figure 45.

Select Don’t assign this VM a home server and click Next, as shown in Figure 46.

You may change the Number of vCPUs, Topology, and Memory if you wish. I left everything the same as the template VM. Click Next, as shown in Figure 47.

As my hosts do not have a GPU card, I clicked Next, as shown in Figure 48.

Click Edit, as shown in Figure 49.

I recommend changing both the Name and Description. Doing so makes it easier later if you ever delete a VM and its attached hard disks. If all the hard disks have the same name and description, it is challenging to determine which disks go with which VM.

Enter a Name and Description and click OK, as shown in Figure 50.

Click Next, as shown in Figure 51.

If multiple Virtual network interfaces are available, select the appropriate interface and click Next, as shown in Figure 52.

Verify all the configuration options are correct and click Create Now, as shown in Figure 53. If an option is not correct, click Previous, correct the option and then continue.

I deselected the option Start the new VM automatically since it doesn’t work.

Wait for the creation of the VM to complete, as shown in Figure 54. It took about 2 seconds in my lab to create the VM from the template.

In XenCenter, right-click the new VM and click Start, as shown in Figure 55.

Expand the XenServer host on which you started the VM, click the VM, and click the Networking tab, as shown in Figure 56. You see the IP address assigned to the VM.

As shown in Figure 57, click Start, Run, and type in mstsc /v:ipaddress /admin, and press Enter [where IP Address is the IP address shown in Figure 56].

Using Remote Desktop at this point makes it easier for me to get screenshots.

Enter the credentials for the local account created during the Windows 10 template build and press Enter, as shown in Figure 58.

Click Yes, as shown in Figure 59.

Select your region and click Yes, as shown in Figure 60.

Select your keyboard layout and click Yes, as shown in Figure 61.

Click Skip, as shown in Figure 62.

Click Accept, as shown in Figure 63.

Click Domain join instead, as shown in Figure 64.

Type in a local user account name and click Next, as shown in Figure 65.

Enter a password and click Next, as shown in Figure 66.

Confirm the password and click Next, as shown in Figure 67.

Select three security questions, enter the answer, and click Next, as shown in Figures 68 through 70.

Select your privacy settings and click Accept, as shown in Figure 71. I set them all to No.

Make a selection for Cortana, as shown in Figure 72. I selected Not now, plus one of the settings in my Lab Defaults Group Policy to disable the use of Cortana.

If you receive the following popup, click Yes, as shown in Figure 73. I only received this popup for VMware, not XenServer.

Right-click the network icon in the systray and click Open Network & Internet settings, as shown in Figure 74.

Click Change adapter options, as shown in Figure 75.

Right-click the adapter and click Properties, as shown in Figure 76.

Click Internet Protocol Version 4 (TCP/IPv4) and click Properties, as shown in Figure 77.

Select Use the following IP address, enter the IP information for your network, and click OK, as shown in Figure 78. For the DNS server addresses, use the IP addresses of your domain controllers.

How many DNS servers should you configure on the network adapter? Not as many as you think. I recommend on DCs, a total of three where the third is always 127.0.0.1. For all other computers, also no more than three. I have seen places with 15 DCs, and every computer had all 15 DCs in the list of DNS servers. If you understand Windows DNS client resolution timeouts, limit the number of DNS entries.

Click Close, as shown in Figure 79.

After clicking Close,  you lose the connection to the RDP session. Reconnect using the new static IP address.

Close Network Connections.

Click Home, then System, then About, and finally Rename this PC (Advanced), as shown in Figure 80.

Click Change, as shown in Figure 81.

Enter a Computer name, Domain, and click OK, as shown in Figure 82.

Enter the domain’s Administrator name and password and click OK, as shown in Figure 83.

Click OK, as shown in Figure 84.

Click OK, as shown in Figure 85.

Click Close, as shown in Figure 86.

Click Restart Now, as shown in Figure 87.

When the VM restarts, log in using the domain’s Administrator account.

Make any customizations you require to the VM before we start installing consoles. I upgraded my Windows 10 20H2 VM to Windows 10 21H1.

Install Active Directory Consoles

There are no Citrix Virtual Apps and Desktops or Parallels Remote Application Server or VMware Horizon environments at this point in the lab’s building process. The only consoles to install at this point are for the Microsoft products in the lab.

Before the October 2018 update to Windows 10, a download was available for the Remote Server Administrative Tools (RSAT). The old approach to RSAT was that the Windows 10 upgrade removed the RSAT from the computer. The new approach allows the RSAT to persist between Windows 10 upgrades.

Click the Start button and click Settings, as shown in Figure 88.

Click Apps, as shown in Figure 89.

Click Optional features, as shown in Figure 90.

Click Add a feature, as shown in Figure 91.

Select the following items and click Install, as shown in Figure 92.

• RSAT: Active Directory Certificate Services Tools
• RSAT: Active Directory Domain Services and Lightweight Directory Services Tools
• RSAT: DHCP Server Tools
• RSAT: DNS Server Tools
• RSAT: Group Policy Management Tools

The tools install, as shown in Figure 93.

You can find the tools by clicking Start, scrolling down to, and expanding Windows Administrative Tools, as shown in Figure 94.

Installing RSAT installed several PowerShell modules. To ensure that we have current help text for every PowerShell module, start an elevated PowerShell session.

Click Start, scroll down to and expand Windows Powershell, right-click Windows PowerShell, click More, and click Run as administrator, as shown in Figure 95.

Type in the following in the PowerShell window, as shown in Figure 96.

update-help -force

The help text updates, as shown in Figure 96. You can safely ignore any warnings or errors.

To verify that PowerShell Remoting is enabled, type the following in the PowerShell window, as shown in Figure 97.

enable-psremoting

You can access each of the RSAT consoles from the start menu or build an MMC console containing all the snap-ins you use often.

Type mmc and press Enter in the PowerShell window and then exit PowerShell.

The mmc console opens, as shown in Figure 98.

Click File, click Add/Remove Snap-in…, or press Ctrl+M (my preference), as shown in Figure 99.

Double-click the following items, as shown in Figure 100.

• Active Directory Do…
• Active Directory Site…
• Active Directory Use…
• ADSI Edit

Double-click Certification Authority, and on the popup, type in the name of your Certification Authority server and click Finish, as shown in Figure 101.

Scroll down, double-click the following and click OK, as shown in Figure 102.

• DHCP
• DNS
• Group Policy Manag…

Click on and expand each node. Connect to the appropriate server when requested.

Figure 103 shows my console.

I always recommend using these consoles installed on a management computer to avoid logging in on a production server (i.e., domain controller or certificate authority). While our lab servers may not be “production” level servers, we learn a valuable habit: stay off production servers when possible.

Save the mmc console to the location and name of your choice, as shown in Figure 104.

Install SQL Server Management Studio

We install the SQL Server Management Studio (SSMS) in the management computer to avoid logging in to a production SQL Server. While our lab servers may not be “production” level servers, we learn a valuable habit: stay off production servers when possible.

In your internet browser, browse to https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15, and click the link to Download SQL Server Management Studio (SSMS), as shown in Figure 105.

Note: The version number may change.

Click the link your browser provides to open the downloaded file, as shown in Figure 106.

Click Run on the popup, as shown in Figure 107.

You can exit your browser at this point.

Click Install, as shown in Figure 108.

SSMS begins installing, as shown in Figure 109. The installation takes a few minutes.

Click Close, as shown in Figure 110.

Click Start, scroll to and expand Microsoft SQL Server Tools 18, click Microsoft SQL Server Management…, as shown in Figure 111.

Enter the name of your SQL Server and click Connect, as shown in Figure 112.

As shown in Figure 113, we made a connection to the SQL Server.

If you get the error shown in Figure 114, did you remember to create the Inbound TCP Port 1433 firewall rule on the SQL Server?

Exit SSMS.

Install Microsoft Office

I only need Microsoft Excel and Word on my management PC for use with scripting. Unfortunately, if you tell the Office 365 site to install Office or select the Install option from the Office ISO, you get every Office component installed. To restrict what you download, install, and configure, you must use an XML file.

Microsoft makes the Office Customization Tool if you do not know how to create the required XML file.

Open a command prompt.

Make a folder named O365 on the C drive by typing md c:\O365 followed by cd c:\O365, as shown in Figure 115.

In your internet browser, browse to https://config.office.com/ and click Create, as shown in Figure 116.

Select the following, as shown in Figure 117:

Architecture: 64-bit

Office Suites: Microsoft 365 Apps for business

Viso: None (shows as Select Visio product)

Project: None (shows as Select Project product)

Additional products: None (shows as Select Additional product)

Select the update channel and Select the version you prefer, as shown in Figure 118.

Deselect the apps you do NOT want to be installed and click Next, as shown in Figure 119.

Select primary language and any additional languages or proofing tools required and click Next, as shown in Figure 120.

Select Office Content Delivery Network (CDN), leave the other two options at the default settings, and click Next, as shown in Figure 121.

Deselect Uninstall any MSI versions of Office, including Visio and Project, leave the other options at their default settings, and click Next, as shown in Figure 122.

Select Automatically accept the EULA and click Next, as shown in Figure 123.

Enter your organization’s name, an optional description, and click Next, as shown in Figure 124.

Microsoft offers numerous settings for configuring Office applications. If you wish, you can review the options and make any configuration changes required. After reviewing the Application preferences, click Finish, as shown in Figure 125.

Click Export, as shown in Figure 126.

Select your desired Default File Format and click OK. As shown in Figure 127, I prefer using Office Open XML formats.

Select I accept the terms in the license agreement, enter a File Name for the XML file, and click Export, as shown in Figure 128.

Using Windows File Explorer, browse to the location your internet browser save the XML file, typically your user account’s Downloads folder, as shown in Figure 129.

Right-click the XML file and click Copy, as shown in Figure 130.

In Windows File Explorer, browse to C:\O365, right-click in the empty space and click Paste, as shown in Figure 131.

Exit Windows File Explorer.

Now we need to download the Office Deployment Toolkit.

In your internet browser, browse to https://www.microsoft.com/en-us/download/details.aspx?id=49117, and click Download, as shown in Figure 132.

Click the link your browser provides to open the file, as shown in Figure 133.

Click Run, as shown in Figure 134.

Select Click here to accept the Microsoft Software License Terms and click Continue, as shown in Figure 135.

Browse to C:\O365 and click OK, as shown in Figure 136.

Click OK, as shown in Figure 137.

Exit your internet browser.

In the command prompt, type in setup.exe /configure configuration.xml (use your XML file name) and press Enter, as shown in Figure 138.

Office starts installing, as shown in Figures 139 and 140.

When the installation and configuration are complete, click Close, as shown in Figure 141.

Exit the command prompt.

Click Start and verify that only the Office applications you installed are there. I installed only Microsoft Excel and Word, as shown in Figures 142 and 143.

Start any installed Office product to start the licensing and activation process, as shown in Figure 144.

After the activation process completes, click Done, as shown in Figure 145.

Additional Applications

There are many other applications you can install. Feel free to install and configure any software you require.

Here is some of the software I use.

• Citrix PVS Console (Can’t install yet)
• Citrix Studio Console (Can’t install yet)
• Google Chrome
• Notepad++
• Parallels Remote Application Server Console and PowerShell (Can’t install yet)
• PuTTY
• VMware Horizon Dynamic Environment Manager Management Console (Can’t install yet)
• WinSCP

Many management consoles are web-based—for example, vCenter, Citrix Director, VMware Horizon Connection Server, and others. I manage my Netgear switches and WiFi router and my two Synology units using a browser.

Install vCenter Root Certificate

The vCenter root certificate requires installing to manage vCenter from this computer. Citrix Studio also requires it to create a hosting connection to vCenter.

In Part 6, we downloaded the root certificate from vCenter.

Browse to the certs\win folder, as shown in Figure 146.

Double-click the file with the extension “crt”.

Click Open if you receive a file security warning, as shown in Figure 147.

Click Install Certificate…, as shown in Figure 148.

Click Local machine and Next, as shown in Figure 149.

Select Place all certificates in the following store and click Browse…, as shown in Figure 150.

Click on Trusted Root Certification Authorities and click OK, as shown in Figure 151.

Click Next, as shown in Figure 152.

Click Finish, as shown in Figure 153.

Click OK, as shown in Figure 154.

Click OK, as shown in Figure 155.

Using your browser, go to the link for the vCenter Getting Started Page. For me, that is https://vcenter.labaddomain.com, as shown in Figure 156.

Click the padlock symbol, as shown in Figure 157.

Activate Windows 10

If you have a MAPS or similar subscription service, you can activate your copy of Windows 10.

Click Start, Settings, as shown in Figure 158.

Click Windows isn’t activated. Activate Windows now., as shown in Figure 159.

Click Change product key, as shown in Figure 160.

Enter your Windows 10 Product key and click Next, as shown in Figure 161.

Click Activate, as shown in Figure 162.

If your copy of Windows 10 activated successfully, click Close, as shown in Figure 163.  If activation was not successful, resolve the issue and attempt the activation again.

Windows 10 now shows as activated.

Exit all open windows.

Up next: Create a 10ZiG Management Server

Landing page for the article series

With the two Server 2019 VMs built for domain controllers, the next step is to create Active Directory (AD).  To make sure you understand what I cover in this article, you should understand a few terms.

Definitions

What is Active Directory?

A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as AD, provides the methods for storing directory data and making this data available to network users and administrators. For example, AD stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

AD stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store to form a logical, hierarchical organization of directory information.

This data store, also known as the directory, contains information about AD objects. These objects typically include shared resources such as servers, volumes, printers, and the network user and computer accounts.

What is Domain Name System (DNS)?

DNS is one of the industry-standard suites of protocols that comprise TCP/IP. The DNS Client and DNS Server provide computer name-to-IP address mapping name resolution services to computers and users.

AD uses DNS as its domain controller location mechanism. When any principal AD operations are performed, such as authentication, updating, or searching, computers use DNS to locate Active Directory domain controllers. In addition, domain controllers use DNS to locate each other.

What is the Global Catalog (GC)?

A Domain run by AD can consist of many partitions or naming contexts. The distinguished name (DN) includes enough information to locate a replica of the partition that holds the object. However, the user or application may not know the DN of the target object or which partition might contain the object. The GC allows users and applications to find objects in an AD domain tree, given one or more attributes of the target object.

The global catalog contains a partial replica of every naming context in the directory. It contains the schema and configuration naming contexts as well. This means the GC holds a replica of every object in the directory but with only a small number of their attributes. The attributes in the GC are those most frequently used in search operations (such as a user’s first and last names or login names) and those required to locate a full replica of the object. The GC allows users to quickly find objects of interest without knowing what domain holds them and without requiring a contiguous extended namespace in the enterprise.

What is Flexible Single Master Operations (FSMO)?

AD is the central repository in which all objects in an enterprise and their respective attributes are stored. It’s a hierarchical, multi-master-enabled database that can store millions of objects. Changes to the database can be processed at any given domain controller (DC) in the enterprise, regardless of whether the DC is connected or disconnected from the network.

A multi-master-enabled database, such as AD, provides the flexibility of allowing changes to occur at any DC in the enterprise. But it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values. It’s done by resolving to the DC to which changes were written last, which is the last writer wins. The changes in all other DCs are discarded. Although this method may be acceptable in some cases, there are times when conflicts are too difficult to resolve using the last writer wins approach. In such cases, it’s best to prevent the conflict from occurring rather than trying to resolve it after the fact.

To prevent conflicting updates in Windows, AD performs updates to certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. It’s similar to the role given to a primary domain controller (PDC) in earlier versions of Windows, such as Microsoft Windows NT 3.51 and 4.0. In earlier versions of Windows, the PDC is responsible for processing all updates in a given domain.

AD extends the single-master model found in earlier versions of Windows to include multiple roles and transfer roles to any DC in the enterprise. Because an AD role isn’t bound to a single DC, it’s referred to as an FSMO role. Currently, in Windows, there are five FSMO roles:

• Schema master
• Domain naming master
• RID master
• PDC emulator
• Infrastructure master

What is Dynamic Host Configuration Protocol (DHCP)?

DHCP is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information. These include the subnet mask and default gateway.

What are AD Sites?

AD sites manage organizations that have branches spread across different geographical locations but fall under the same domain. It is a robust solution to geographically manage an AD network without changing any aspect of the logical structure of the environment. AD sites are physical groupings of well-connected IP subnets used to efficiently replicate information among domain controllers (DC). Image AD sites as a map describing the best routes for replicating in AD, thus efficiently using the available network bandwidth. AD sites help to achieve cost-efficiency and speed. It also lets one exercise better control over the replication traffic and the authentication process. AD sites can locate the closest DC to perform these actions when more than one DC is in the associated site capable of handling client logon, services, and directory searches. Sites also play a role in the deployment and targeting of group policies.

In AD, the information about the topology is stored as site link objects. By default, the Default-First-Site-Name site container is created for the forest. Until another site is created, all DCs are automatically assigned to this site.

What are Subnets?

Within sites, subnets are entities that help in grouping neighboring computer systems based on their IP addresses. A range of associated IP addresses identifies every subnet, and a site is the aggregate of all well-connected subnets. Subnets could be based on either TCP/IPv4 or TCP/IPv6 protocol addresses.

What is Directory Services Restore Mode (DSRM)?

DSRM is a special boot mode for repairing or recovering Active Directory. Use DSRM to log on to the computer when AD has failed or needs restoring.

What are AD Forest and Domain Functional Levels?

Functional levels determine the available AD domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers joined to the domain or forest.

When deploying AD, set the domain and forest functional levels to the highest value that your environment can support. This way, you can use as many AD DS features as possible. When you deploy a new forest, you are prompted to set the forest functional level and domain functional level. You can set the domain functional level to a value that is higher than the forest functional level. You cannot set the domain functional level to a lower value than the forest functional level.

What is the AD Recycle Bin?

The accidental deletion of Active Directory objects is common for AD. Before Windows Server 2008 R2, you could recover accidentally deleted objects in AD, but the solutions had drawbacks.

In Windows Server 2008, you could use the Windows Server Backup feature and ntdsutil authoritative restore command to mark objects as authoritative to ensure that the restored data replicates throughout the domain. The drawback to the authoritative restore solution was that you had to perform it in DSRM. During DSRM, the domain controller used for the restoration had to remain offline. Therefore, it could not service client requests.

In Windows Server 2003 Active Directory and Windows Server 2008 AD DS, you could recover deleted AD objects through tombstone reanimation. However, reanimated objects’ link-valued attributes (for example, group memberships of user accounts) that were physically removed and non-link-valued attributes cleared were not recovered. Therefore, administrators could not rely on tombstone reanimation as the ultimate solution to the accidental deletion of objects. For more information about tombstone reanimation, see Reanimating Active Directory Tombstone Objects.

Starting in Windows Server 2008 R2, AD Recycle Bin builds on the existing tombstone reanimation infrastructure and enhances your ability to preserve and recover accidentally deleted Active Directory objects.

When the AD Recycle Bin is enabled, all link-valued and non-link-valued attributes of the deleted AD objects are preserved. The objects are restored in their entirety to the same consistent logical state they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains.

In Windows Server 2012 and newer, the AD Recycle Bin feature is enhanced with a new graphical user interface to manage and restore deleted objects. Users can now visually locate a list of deleted objects and restore them to their original or desired locations.

Create Forest

The first DC we build is a GC, DNS, and DHCP server. We use PowerShell to install and configure all AD Roles and Features.

Use mstsc to remote into the VM that is our first DC. Exit Server Manager and start an elevated PowerShell session, as shown in Figure 1.

We start by installing the necessary Roles and Features.

• Active Directory Domain Services
• Remote Server Administration Tools
  • Role Administration Tools
    • Active Directory module for Windows PowerShell
    • AD DS and AD LDS Tools
      • Active Directory Administrative Center
      • AD DS Snap-Ins and Command-Line Tools
• Telnet Client

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 2.

#setup new AD Forest/Domain
Install-WindowsFeature AD-Domain-Services, RSAT-AD-PowerShell, RSAT-ADDS, RSAT-AD-AdminCenter, RSAT-ADDS-Tools, Telnet-Client

We now create the new AD Forest, which automatically creates the first domain. The first domain is also known as the forest root domain. You can never rename this domain without destroying the domain or migrating to a new forest or domain.

Remember to use your domain name.

The first thing we need is the password used for DSRM. This password should be the same for every DC.

The highest forest and domain functional level support is Windows Server 2016. The help text for the Install-ADDSForest cmdlet shows the following allowed values:

-DomainMode (and also for -ForestMode)

The acceptable values for this parameter are:

• Windows Server 2003: 2 or Win2003
• Windows Server 2008: 3 or Win2008
• Windows Server 2008 R2: 4 or Win2008R2
• Windows Server 2012: 5 or Win2012
• Windows Server 2012 R2: 6 or Win2012R2
• Windows Server 2016: 7 or WinThreshold

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 3.

$DomainName = "LabADDomain.com"
$NetbiosName = "LabADDomain"
$SafeModePwd = Read-Host -AsSecureString -Prompt "Enter DSRM password"

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 4.

Install-ADDSForest `
-Confirm:$False `
-CreateDnsDelegation:$False `
-DomainMode "WinThreshold" `
-DomainName $DomainName `
-DomainNetbiosName $NetbiosName `
-ForestMode "WinThreshold" `
-SafeModeAdministratorPassword $SafeModePwd

#new DC restarts at this point

The local account named Administrator is now the domain account named Administrator, and the password used for the local account is the password used for the domain account.

After the VM restarts, log in using the domain’s Administrator account and password.

Now we can start the debate. The DC promotion process changed the network card’s Preferred DNS Server to 127.0.0.1, the Local Loopback address. My AD mentors taught me over the years that on the first DC, the Preferred DNS Server should be the DC’s IP address, and, at this time, the Loopback address should be Secondary. I recommend changing the DNS servers, as shown in Figure 5.

Next up is enabling the AD Recycle Bin.

AD Recycle Bin

Open the AD Administrative Center.

Server Manager, Tools, and click on Active Directory Administrative Center, as shown in Figure 6.

In the left pane, click on your domain, and in the right pane, you see Enable Recycle Bin…, as shown in Figure 7. We do not use the GUI to enable the recycle bin. We use PowerShell to enable the recycle bin.

Start an elevated PowerShell session.

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 8.

#enable the AD Recycle Bin
$DomainName = "LabADDomain.com"
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $DomainName -Confirm:$False

Refresh the AD Administrative Center and see that Enable Recycle Bin… greyed out, as shown in Figure 9.

Exit the AD Administrative Center.

Now we set the domain’s password and lockout policy.

Set the Domain’s Password and Lockout Policy

Open the Group Policy Management console.

Server Manager, Tools, and click on Group Policy Management, as shown in Figure 10.

You may want to widen the console and expand the width of the two panes.

In the left pane, expand the Forest node.

Expand Domains.

Expand your domain.

Click on Default Domain Policy, click on the Settings tab in the right pane, and scroll down to the Security Settings section, as shown in Figure 11.

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 12.

Remember to set the values you need.

#set the domain's password and lockout policy
$DomainName = "LabADDomain.com"
Set-ADDefaultDomainPasswordPolicy -Identity $DomainName `
-PasswordHistoryCount 6 `
-MaxPasswordAge 90.00:00:00 `
-MinPasswordAge 7.00:00:00 `
-MinPasswordLength 8 `
-ComplexityEnabled $False `
-ReversibleEncryptionEnabled $False `
-LockoutDuration 00:00:00 `
-LockoutObservationWindow 00:00:00 `
-LockoutThreshold 5

Refresh the Group Policy Management console and view the Security Settings in the Default Domain Policy, as shown in Figure 13.

See how the settings in the policy match what we set using PowerShell.

Exit the Group Policy Management console.

Next up is AD Sites and Services.

AD Sites and Services

Open the Active Directory Sites and Services console.

Server Manager, Tools, and click on Active Directory Sites and Services, as shown in Figure 14.

We perform the following steps using PowerShell.

1. Create a new site named after the city where I live
2. Move the new DC from the default Default-First-Site-Name site to the site created in Step 1
3. Remove the default Default-First-Site-Name site
4. Create a subnet and link it to the site created in Step 1

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 15.

Remember to set the values you need.

#setup Sites
$DomainName = "LabADDomain.com"
$ADSites2 = @()
#create a new site
$ADSites = @{
    "Tullahoma" = "Webster's Lab in Tullahoma, TN"
}

ForEach($ADSite in $ADSites.Keys)
{
    $ADSites2 += $ADSite
    New-ADReplicationSite -Name $ADSite -Description $ADSites[$ADSite] -ProtectedFromAccidentalDeletion $True -Server $DomainName
}

#move the new domain controller from the Default-First-Site-Name site to the new site
Move-ADDirectoryServer -Identity "LabDC1" -Site "Tullahoma"

#remove the Default-First-Site-Name site
Remove-ADReplicationSite -Identity "Default-First-Site-Name" -Confirm:$False

#create subnets and associate them to a site
$Subnets = @{
"Tullahoma" = "192.168.1.0/24"
}

ForEach($Subnet in $Subnets.Keys)
{
    New-ADReplicationSubnet -Name $Subnets[$Subnet] -Site $Subnet
}

Refresh the Active Directory Sites and Services console. Expand the various nodes to verify the changes, as shown in Figure 16.

Note: If you have multiple AD Sites in your lab, please read Report and Edit AD Site Links From PowerShell (Turbo Your AD Replication) for Microsoft’s recommendations on DC replication between AD Sites.

Exit the Sites and Services console.

Now on to the topics that need much discussion: DNS, Aging & Scavenging, and DHCP. This discussion is only necessary if you run Microsoft DHCP and Microsoft DNS on a Microsoft AD domain controller.

Even though we create and configure the DHCP server later, let’s discuss the various settings now.

DNS and DHCP

DNS Aging and Scavenging

The DNS Server service supports Aging and Scavenging features. These features are provided as a mechanism for performing cleanup and removing stale resource records that accumulate in zone data over time.

With dynamic updates, resource records are automatically added to zones when computers start on the network. However, sometimes, they are not automatically removed when computers leave the network. For example, if a computer registers its host (A) resource record at startup and is later improperly disconnected from the network, its host (A) resource record might not be deleted. If your network has mobile users and computers, this situation can occur frequently.

If left unmanaged, the presence of stale resource records in zone data may cause problems:

• If many stale resource records remain in zones, they can eventually take up server disk space and cause unnecessarily long zone transfers.
• DNS servers that load zones that contain stale resource records might use outdated information to answer client queries, potentially causing the clients to experience name resolution problems on the network.
• The accumulation of stale resource records at the DNS server can degrade its performance and responsiveness.
• Sometimes, the presence of a stale resource record in a zone can prevent a DNS domain name from being used by another computer or host device.

The DNS Server service has these features to solve these problems:

• Timestamping, based on the current date and time set at the server computer, for any resource records added dynamically to primary-type zones. Also, timestamps are recorded in standard primary zones where aging and scavenging are enabled.
• A timestamp value of zero is used for manually added resource records, indicating that these records are not affected by the aging process. They can remain without limitation in zone data unless you otherwise change their time stamp or delete them.
• Aging of resource records in local data, based on a specified refresh time period for any eligible zones.
• Only primary-type zones loaded by the DNS Server service are eligible to participate in this process.
• Scavenging for any resource records that persist beyond the specified refresh period.
• When a DNS server performs a scavenging operation, it can determine that resource records have aged to the point of becoming stale and remove them from zone data. You can configure servers to perform recurring scavenging operations automatically, or you can initiate an immediate scavenging operation at the server.
• A highly recommended option is to set an advanced zone parameter that enables you to specify a restricted list of IP addresses for DNS servers enabled to perform scavenging of the zone.

By default, if this parameter is not specified, all DNS servers that load an Active Directory-integrated zone (also enabled for scavenging) attempt to perform scavenging of the zone. Sometimes, this parameter can be helpful if it is preferable that scavenging is performed at some servers loading the directory-integrated zone.

To set this parameter, you must specify the list of IP addresses for the servers enabled to scavenge the zone in the ZoneResetScavengeServers parameter for the zone. You do this using the dnscmd command, a command line-based tool for administering Windows DNS servers.

Microsoft recommends configuring at least one and no more than two DNS servers for scavenging for a zone.

You must enable Aging and Scavenging in five places:

1. DNS Server
2. DNS Server Properties
3. Forward Lookup Zones
4. Reverse Lookup Zones
5. Then via dnscmd.exe, set a scavenging server

The default Aging and Scavenging interval is 7 days. Seven days is tied to the DHCP Lease Duration, which, by default, is 8 days. A DHCP client requests a lease renewal at 50% of the Lease Duration, or 4 days (by default). If the lease is not renewed, the DHCP Client attempts another lease renewal at 87.5% of the Lease Duration, or 7 days (by default). If the lease is not renewed, the DHCP Client stops requesting a renewal of its IP address and requests a new IP address. If DHCP and DNS are correctly configured (DHCP DNS Dynamic Update Credentials and Secure Dynamic updates), the original DHCP server releases the non-renewed IP address. DNS is updated to show the DNS resource record flagged as eligible to be aged and then scavenged.

By default, the DNS Server does not accept any refreshes of a non-static resource record for7 days.

By default, the DNS Server waits 7 days for the resource record to have its timestamp refreshed.

By default, after these two 7-day intervals (14 days), the resource record is removed from the DNS management console and flagged as tombstoned. The resource record still resides in the AD database.

By default, the resource record is tombstoned for 7 days.

By default, after the 7-day tombstone period has passed, the resource record is marked to be scavenged.

By default, the resource record stays in the “to be scavenged” state for 7 days.

At this time, by default, 28 days have passed since the resource record was not renewed by DHCP and flagged as eligible to be aged and scavenged.

The resource record is purged from the AD database at 2 AM (non-configurable) on day 29 (by default).

At any time in the 28 days (by default), the record is flagged as deleted/tombstoned/scavenged, if the original DHCP Client is granted the original IP address from the original DHCP server, the resource record is reanimated from the scavenge/tombstone state and returned to DNS with an updated timestamp.

If you change the DHCP Lease Duration from the default 7 days, you should carefully consider aging and scavenging effects.

In AD, all domain controllers are equal. Still, the domain controller that holds the Primary Domain Controller Emulator (PDCe) Flexible Single Master Operations (FSMO) role holder is the most equal of all domain controllers. That specific domain controller provides several critical functions in an AD Domain and must be the most stable, reliable, and highly available domain controller in the domain.

All PDC Emulator Functions http://rickardnobel.se/all-pdc-emulator-functions/

Because of the importance of the PDCe FSMO role holder, I recommend making that DC the primary DNS Server.

Select a DNS Server for each domain to serve as a scavenging server for every AD-Integrated Forward and Reverse Lookup Zone.

DNS Forwarders

DNS servers are designed to resolve names for a specific set of computers. DNS calls this “specific set” a zone, but this typically maps to a domain or a forest in a Windows environment. If a DNS server hosts a zone, it is considered authoritative for that zone, and all those computers are considered to be internal to the zone. All other zones are external.

To resolve names for an external zone requires using a forwarder –a DNS server that “knows more” than the local DNS server. By default, external resolution is enabled in Windows DNS servers; however, it can be disabled if desired. Specific servers can be configured to be used as forwarders, or DNS can default to using Root Hints.

A forwarding query only occurs if a DNS server cannot resolve a query using its data or cache. This often occurs when a query for an external name occurs (for example, a DNS server hosting “contoso.local” receives a query for “www.microsoft.com”). Figure 17 depicts the sequence for DNS name resolution.

You can see where DNS Forwarders and Root Hints take part in name resolution on the above flowchart. DNS Forwarders itself is a list of DNS servers used to help resolve a query. A DNS Forwarder can be a master DNS appliance residing on the internal network or an external DNS server, such as Google or an ISP. The only thing to consider is the network accessibility between the servers (quicker access à better DNS).

DHCP: DNS Dynamic Update Credentials

If Microsoft DHCP runs on a domain controller and a DNS zone is configured for secure dynamic updates, and you do not configure DNS dynamic update credentials DHCP, DNS registrations fail.

DNS dynamic update credentials require no special rights, privileges, or permissions. You should use a regular domain user account following your naming standards.

Create a regular domain user account dedicated for use by DNS dynamic update credentials. You should set the account so the user cannot change the password, and the password should never expire.

I recommend using the account name DNSDynamicUpdateCred. In the Description property for this account, enter the text ” DO NOT CHANGE THE PASSWORD OR DELETE/DISABLE ACCOUNT”.

Once you configure DHCP with the DNS dynamic update credentials, configure all AD-related DNS Forward and Reverse lookup zones to secure dynamic updates only.

You should add this account to the IPv4 protocol on every DHCP server. The DHCP servers do not replicate the account between DHCP servers. If the password for this account is changed, you must enter the updated password on every DHCP server configured to use the account.

DHCP Name Protection

DHCP name protection is a feature of the DHCP service that, when used with Dynamic DNS registration, prevents a DHCP client with a name already in the DNS domain zone from registering or overwriting an existing name that it does not own (known as name squatting). This functionality prevents client and server spoofing and name corruption for statically configured systems already registered in DNS. You enable name protection at either the IPv4 or IPv6 node level or the scope level. When configured at the scope level, the settings take precedence over the IPv4 or IPv6 node settings.

Name squatting could also occur when a non-Windows-based computer registers in Domain Name System (DNS) with a name previously registered to a Windows-based computer. The use of name protection in Windows Server prevents name squatting by non-Windows-based computers. Name squatting does not present a problem on a homogeneous Windows network where Active Directory Domain Services (AD DS) can be used to reserve a name for a single user or computer.

Name protection is based on the Dynamic Host Configuration Identifier (DHCID) in the Dynamic Host Configuration Protocol (DHCP) server and supports the new DHCID RR (resource record) in DNS. DHCID RR is described by the Internet Engineering Task Force (IETF) in RFCs 4701 and 4703.

DHCID is a resource record (RR) stored in DNS that maps names to prevent duplicate registration. DHCP uses this RR to store an identifier for a computer and other information for the name, such as the computer’s A/AAAA records. The unique position of DHCP in the name registration process allows it to request this match and then refuse the registration of a computer with a different address attempting to register a name with an existing DHCID record.

DHCID prevents the following name squatting situations:

• Server name squatting by a client
• Server name squatting by another server
• Client name squatting by another client
• Client name squatting by a server

Using Name Protection requires the following:

• Use DNS Secure Dynamic Updates
• Secure the DnsUpdateProxy security group
• Add the DHCP server to the DnsUpdateProxy security group

Note: Creating the forest and domain created the forward lookup zone named after the domain. No reverse lookup zone exists.

Configure DNS

We perform the following steps using PowerShell.

1. Get the IP address for the DC to use as the scavenging server address
2. Enable aging and scavenging on all zones using the default values
3. Set the replication scope to all DNS servers in the forest
4. Set dynamic updates to secure
5. Set the zone’s aging to the default values and set the DC as the scavenging server
6. Configure DNS Forwarders
7. Create a reverse lookup zone named after the subnet created in AD Sites and Services
8. Set the replication scope to all DCs in the forest
9. Set dynamic updates to secure
10. Verify that all forward and reverse lookup zones that are not system created have the scavenging server and aging intervals set

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 18.

Remember to set the values you need.

#configure DNS
$DomainName = "LabADDomain.com"
$ScavengeServer = @(Get-ADDomainController).IPv4Address

Set-DnsServerScavenging `
-ApplyOnAllZones `
-ScavengingState $True `
-ScavengingInterval 7.00:00:00 `
-RefreshInterval 7.00:00:00 `
-NoRefreshInterval 7.00:00:00 

Set-DnsServerPrimaryZone -Name $DomainName -ReplicationScope "Forest"
Set-DnsServerPrimaryZone -Name $DomainName -DynamicUpdate "Secure"
Set-DnsServerZoneAging -Name $DomainName -Aging $True -ScavengeServers $ScavengeServer -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00 

Set-DnsServerForwarder -Confirm:$False -IPAddress 1.1.1.1,8.8.8.8,8.8.4.4 -UseRootHint $True

ForEach($Subnet in $Subnets.Keys)
{
    Add-DnsServerPrimaryZone -NetworkID $Subnets[$Subnet] -ReplicationScope "Forest" -DynamicUpdate "Secure" 
}

Get-DnsServerZone | Where-Object {$_.IsAutoCreated -eq $False} | Set-DnsServerZoneAging -Aging $True -ScavengeServers $ScavengeServer -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00

Open the DNS console.

Server Manager, Tools, and click on DNS, as shown in Figure 19.

Expand the server node.

The first thing we need to check is verifying that the Trusts Points node exists, as shown in Figure 20.

Side note:

I have seen in my lab and at many customer sites where the Trust Points node did not exist. If the node does not exist, the DC is not seen as a valid DNS server and is not used for name resolution. There is nothing to worry about as the fix is simple.

Run the following commands on the domain controller that holds the PDCe FSMO role from an elevated command prompt.

dnscmd <dcname> /Config /enablednssec 1
net stop dns && net start dns

Refresh the DNS console, and the missing Trust Points node is there.

Right-click the server, click Properties, and click the Forwarders tab, as shown in Figure 21.

The three forwarders are there.

Click the Advanced tab, as shown in Figure 22.

See that scavenging is enabled and set to 7 days.

Click Cancel.

Expand the Forward Lookup Zones node.

Right-click the msdcs.domainname.tld node and click Properties, as shown in Figure 23.

Click the General tab, as shown in Figure 24.

See that Replication is set to All DNS servers in this forest, and Dynamic updates are set to Secure only.

Click Aging.

As shown in Figure 25, Scavenging is enabled for the zone, and both refresh intervals are set to 7 days.

Click Cancel twice.

Verify that the same settings exist for the other forward lookup zone.

Expand Reverse Lookup Zones, right-click on the reverse zone, and click Properties, as shown in Figure 26.

Verify that the same settings exist for this zone, as shown in Figures 27 and 28.

Click Cancel twice and exit the DNS console.

Open a command prompt and run the following command. You may need to expand the window to see all the results.

dnscmd /zoneinfo <dns domain name>

For me, that is dnscmd /zoneinfo labaddomain.com, as shown in Figure 29.

There are two things I look for.

1. The words Scavenge Servers
2. The IP address

If those exist and the IP address belongs to the DC that holds the PDCe FSMO role, I know that scavenging is configured correctly.

Exit the command prompt.

We need to create the OU structure for the domain to create groups and users, place users into groups, and install and configure DHCP.

Create the OU Structure

The OU structure used in my lab is:

Lab

Accounts

Admin

Service

Users

Citrix

CVAD2103

Groups

Admin

Users

Horizon

PhysicalPC

RDS

VDI

Infrastructure

Citrix

Microsoft

Parallels

VMware

Parallels

RDS

VDI

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 30. You may want to resize the PowerShell window vertically to see more of the output.

Remember to set the values you need.

#create the OU structure
$ADDomain = "LabADDomain"
$TLD = "com"
$Protect = $True

#Create OUs
#Top level OU - Lab
New-ADOrganizationalUnit -Name "Lab" `
-Path "dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

#Second level OUs under Lab
New-ADOrganizationalUnit -Name "Accounts" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Citrix" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Groups" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Horizon" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Infrastructure" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Parallels" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

#Third level OUs under Lab/Accounts
New-ADOrganizationalUnit -Name "Admin" `
-Path "ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Service" `
-Path "ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Users" `
-Path "ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

#Third level OUs under Lab/Citrix
New-ADOrganizationalUnit -Name "CVAD2103" `
-Path "ou=Citrix,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

#Third level OUs under Lab/Groups
New-ADOrganizationalUnit -Name "Admin" `
-Path "ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Users" `
-Path "ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

#Third level OUs under Lab/Horizon
New-ADOrganizationalUnit -Name "PhysicalPC" `
-Path "ou=Horizon,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "RDS" `
-Path "ou=Horizon,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "VDI" `
-Path "ou=Horizon,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

#Third level OUs under Lab/Infrastructure
New-ADOrganizationalUnit -Name "Citrix" `
-Path "ou=Infrastructure,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Microsoft" `
-Path "ou=Infrastructure,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "Parallels" `
-Path "ou=Infrastructure,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "VMware" `
-Path "ou=Infrastructure,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

#Third level OUs under Lab/Parallels
New-ADOrganizationalUnit -Name "RDS" `
-Path "ou=Parallels,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "RemotePC" `
-Path "ou=Parallels,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

New-ADOrganizationalUnit -Name "VDI" `
-Path "ou=Parallels,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -verbose

Open the Active Directory Users and Computers console.

Server Manager, Tools, and click on Active Directory Users and Computers (ADUC), as shown in Figure 31.

Expand the domain and expand the Lab node, as shown in Figure 32.

Verify that all the OUs exist.

Now, on to AD Security Groups.

Create AD Security Groups

I place my security groups here in the OU structure.

Lab

Groups

Admin

CtxAdmins

CtxHelpdesk

DEMAdmins

RASAdmins

RASHelpdesk

VMwAdmins

VMwHelpdesk

Users

DEMUsers

H8Users

RASUsers

XAUsers

XDUsers

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 33. You may want to resize the PowerShell window vertically to see more of the output.

Remember to set the values you need.

#admin security groups
$ADDomain = "LabADDomain"
$TLD = "com"
$Protect = $False

New-ADGroup -DisplayName "CtxAdmins" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "CtxAdmins" `
-Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "CtxAdmins$"

New-ADGroup -DisplayName "CtxHelpdesk" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "CtxHelpdesk" `
-Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "CtxHelpdesk$"

New-ADGroup -DisplayName "DEMAdmins" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "DEMAdmins" `
-Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "DEMAdmins$"

New-ADGroup -DisplayName "RASAdmins" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "RASAdmins" `
-Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "RASAdmins$"

New-ADGroup -DisplayName "RASHelpdesk" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "RASHelpdesk" `
-Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "RASHelpdesk$"

New-ADGroup -DisplayName "VMwAdmins" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "VMwAdmins" `
-Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "VMwAdmins$"

New-ADGroup -DisplayName "VMwHelpdesk" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "VMwHelpdesk" `
-Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "VMwHelpdesk$"

#user security groups
New-ADGroup -DisplayName "DEMUsers" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "DEMUsers" `
-Path "ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "DEMUsers$"

New-ADGroup -DisplayName "H8Users" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "H8Users" `
-Path "ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "H8Users$"

New-ADGroup -DisplayName "RASUsers" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "RASUsers" `
-Path "ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "RASUsers$"

New-ADGroup -DisplayName "XAUsers" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "XAUsers" `
-Path "ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "XAUsers$"

New-ADGroup -DisplayName "XDUsers" `
-GroupCategory "Security" `
-GroupScope "Global" `
-Name "XDUsers" `
-Path "ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "XDUsers$"

Refresh the ADUC console.

Click on Lab/Groups/Admin, and in the right pane, verify the admin security groups exist, as shown in Figure 34.

Click on Lab/Groups/Users, and in the right pane, verify the user security groups exist, as shown in Figure 35.

Now, on to AD User Accounts.

Create AD User Accounts

I place user accounts here in the OU structure.

Lab

Accounts

Admin

CtxAdmin

RASAdmin

UMSAdmin

VMwAdmin

Service

DNSDynamicUpdate

Users

CtxUser1

CtxUser2

CtxUser3

RASUser1

RASUser2

RASUser3

VMwUser1

VMwUser2

VMwUser3

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 36. You may want to resize the PowerShell window vertically to see more of the output.

Remember to set the values you need.

#Create admin user accounts
$UserPwd = Read-Host -AsSecureString -Prompt "Enter password"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "CtxAdmin" `
-Enabled $True `
-Name "CtxAdmin" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Admin,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "CtxAdmin" `
-UserPrincipalName "CtxAdmin@LabADDomain.com"
New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "RASAdmin" `
-Enabled $True `
-Name "RASAdmin" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Admin,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "RASAdmin" `
-UserPrincipalName "RASAdmin@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "UMSAdmin" `
-Enabled $True `
-Name "UMSAdmin" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Admin,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "UMSAdmin" `
-UserPrincipalName "UMSAdmin@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "VMwAdmin" `
-Enabled $True `
-Name "VMwAdmin" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Admin,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "VMwAdmin" `
-UserPrincipalName VMwAdmin@LabADDomain.com

Refresh the ADUC console.

Click on Lab/Accounts/Admin, and in the right pane, verify the admin user accounts exist, as shown in Figure 37.

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 38.

Remember to set the values you need.

#create service accounts
#Create the service account DNSDynamicUpdate DNS Dynamic Update Credentials account for DHCP
New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-Description "DO NOT CHANGE THE PASSWORD OR DELETE/DISABLE ACCOUNT" `
-DisplayName "DNSDynamicUpdate" `
-Enabled $True `
-GivenName "DNSDynamicUpdate" `
-Name "DNSDynamicUpdate" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Service,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "DNSDynamicUpdate" `
-UserPrincipalName "DNSDynamicUpdate@LabADDomain.com"

#Create the service account svc_CtxVMware for CVAD hosting connection
New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-Description "DO NOT CHANGE THE PASSWORD OR DELETE/DISABLE ACCOUNT" `
-DisplayName "svc_CtxVMware" `
-Enabled $True `
-GivenName "svc_CtxVMware" `
-Name "svc_CtxVMware" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Service,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "svc_CtxVMware" `
-UserPrincipalName "svc_CtxVMware@LabADDomain.com"

#Create the service account svc_VMwareHorizon for Horizon vCenter permissions
New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-Description "DO NOT CHANGE THE PASSWORD OR DELETE/DISABLE ACCOUNT" `
-DisplayName "svc_VMwareHorizon" `
-Enabled $True `
-GivenName "svc_VMwareHorizon" `
-Name "svc_VMwareHorizon" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Service,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "svc_VMwareHorizon" `
-UserPrincipalName "svc_VMwareHorizon@LabADDomain.com"

#Create a service account ldap_query for LDAP Queries
New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-Description "DO NOT CHANGE THE PASSWORD OR DELETE/DISABLE ACCOUNT" `
-DisplayName "ldap_query" `
-Enabled $True `
-GivenName "ldap_query" `
-Name "ldap_query" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Service,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "ldap_query" `
-UserPrincipalName "ldap_query@LabADDomain.com"

Refresh the ADUC console.

Click on Lab/Accounts/Service, and in the right pane, verify the service user account exists, as shown in Figure 39.

In the right pane, double-click an account, click on the Account tab, and verify the properties, as shown in Figure 40.

Click Cancel.

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 41. You may want to resize the PowerShell window vertically to see more of the output.

Remember to set the values you need.

#Create lab user accounts

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "CtxUser1" `
-Enabled $True `
-Name "CtxUser1" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "CtxUser1" `
-UserPrincipalName "CtxUser1@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "CtxUser2" `
-Enabled $True `
-Name "CtxUser2" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "CtxUser2" `
-UserPrincipalName "CtxUser2@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "CtxUser3" `
-Enabled $True `
-Name "CtxUser3" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "CtxUser3" `
-UserPrincipalName "CtxUser3@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "RASUser1" `
-Enabled $True `
-Name "RASUser1" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "RASUser1" `
-UserPrincipalName "RASUser1@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "RASUser2" `
-Enabled $True `
-Name "RASUser2" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "RASUser2" `
-UserPrincipalName "RASUser2@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "RASUser3" `
-Enabled $True `
-Name "RASUser3" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "RASUser3" `
-UserPrincipalName "RASUser3@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "VMwUser1" `
-Enabled $True `
-Name "VMwUser1" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "VMwUser1" `
-UserPrincipalName "VMwUser1@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "VMwUser2" `
-Enabled $True `
-Name "VMwUser2" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "VMwUser2" `
-UserPrincipalName "VMwUser2@LabADDomain.com"

New-ADUser -AccountPassword $UserPwd `
-CannotChangePassword $True `
-ChangePasswordAtLogon $False `
-DisplayName "VMwUser3" `
-Enabled $True `
-Name "VMwUser3" `
-PasswordNeverExpires $True `
-PasswordNotRequired $False `
-Path "OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD" `
-SamAccountName "VMwUser3" `
-UserPrincipalName "VMwUser@LabADDomain.com"

Refresh the ADUC console.

Click on Lab/Accounts/Users, and in the right pane, verify the user accounts exist, as shown in Figure 42.

Now on to adding admin users to admin security groups.

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 43. You may want to resize the PowerShell window vertically to see more of the output.

Remember to set the values you need.

#add admin users to admin groups

Add-ADGroupMember -Identity "CN=CtxAdmins,ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=CtxAdmin,OU=Admin,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=CtxHelpdesk,ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=CtxUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=DEMAdmins,ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=VMwUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=RASAdmins,ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=RASAdmin,OU=Admin,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=RASHelpdesk,ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=RASUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=VMwAdmins,ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=VMwAdmin,OU=Admin,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=VMwHelpdesk,ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=VMwUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Refresh the ADUC console.

Click on Lab/Groups/Admins, and in the right pane, double-click one of the admin security groups and click on the Members tab, as shown in Figures 44 and 45.

Verify that the appropriate admin account exists as a member of the admin security group.

Now on to adding users to user security groups.

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 46. You may want to resize the PowerShell window vertically to see more of the output.

Remember to set the values you need.

#add lab users to lab user groups

Add-ADGroupMember -Identity "CN=DEMUsers,ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=VMwUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD","CN=VMwUser2,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD","CN=VMwUser3,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=H8Users,ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=VMwUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD","CN=VMwUser2,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD","CN=VMwUser3,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=RASUsers,ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=RASUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD","CN=RASUser2,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD","CN=RASUser3,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=XAUsers,ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=CtxUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Add-ADGroupMember -Identity "CN=XDUsers,ou=Users,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Members "CN=CtxUser1,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD","CN=CtxUser2,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD","CN=CtxUser3,OU=Users,OU=Accounts,OU=Lab,DC=$ADDomain,DC=$TLD"

Refresh the ADUC console.

Click on Lab/Groups/Users, and in the right pane, double-click one of the user security groups and click on the Members tab, as shown in Figures 47 and 48.

Verify that the appropriate user account exists as a member of the user security group.

Exit the ADUC console.

Now on to installing and configuring DHCP.

Installing and Configuring DHCP

We perform the following steps using PowerShell.

1. Install the DHCP Server role and the DHCP Server Tools
2. Authorize the new DHCP server in AD
3. Add the new DHCP server to the DnsUpdateProxy security group
4. Add DHCP security groups
5. Set DHCP server DNS settings
6. Set DHCP Server Network Access Protection policy settings
7. Set the DNS Dynamic Update Credentials
8. Set Filters
9. Set DHCP server options
10. Set DHCP scope
11. Set scope options
12. Set scope DNS settings
13. Set scope reservations
14. Set reservation DNS settings

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 49. You may want to resize the PowerShell window vertically to see more of the output.

Remember to set the values you need.

#install DHCP
Install-WindowsFeature DHCP, RSAT-DHCP

#authorize the new DHCP server in AD
$DHCPServer = "$($env:ComputerName).$($env:USERDNSDOMAIN)"
Add-DhcpServerInDC -DnsName $DHCPServer

#add new DHCP server to the DnsUpdateProxy security group
$computer = "$($env:ComputerName)$"
Add-ADGroupMember "DnsUpdateProxy" -members $computer

#add DHCP security groups
#This command adds the security groups DHCP Users and DHCP Administrators to the DHCP server
Add-DhcpServerSecurityGroup -ComputerName $DHCPServer

#Set DHCP server DNS settings
Set-DhcpServerv4DnsSetting -ComputerName $DHCPServer `
-DynamicUpdates Always `
-NameProtection $True

#Set DHCP Server Network Access Protection policy settings
Set-DhcpServerSetting -ComputerName $DHCPServer `
-NapEnabled $False `
-ConflictDetectionAttempts 0 `
-ActivatePolicies $False `
-NpsUnreachableAction Full

#set the DNS Dynamic Update Credentials
$DHCPCredentials = Get-Credential -UserName "DNSDynamicUpdate" -Message "Enter password for DNSDynamicUpdate"
Set-DhcpServerDnsCredential -Credential $DHCPCredentials -ComputerName $DHCPServer

#set Filters
Set-DhcpServerv4FilterList -ComputerName $DHCPServer -Allow $False -Deny $False

#set DHCP server options
Set-DhcpServerv4OptionValue -ComputerName $DHCPServer `
-DnsServer 192.168.1.201,192.168.1.202 `
-Router 192.168.1.1 `
-Force `
-DnsDomain "LabADDomain.com"

#set DHCP scope
Add-DhcpServerv4Scope -Name "Webster's Lab" `
-StartRange 192.168.1.100 `
-EndRange 192.168.1.199 `
-SubnetMask 255.255.255.0 `
-ComputerName $DHCPServer `
-LeaseDuration 8.00:00:00 `
-State Active `
-Type DHCP `
-Description ""

#set scope options
Set-DhcpServerv4OptionValue -ComputerName $DHCPServer `
-ScopeId 192.168.1.0 `
-DnsServer 192.168.1.201,192.168.1.202 `
-Force `
-DnsDomain "LabADDomain.com" `
-Router 192.168.1.1

#Set scope DNS settings
Set-DhcpServerv4DnsSetting -ComputerName $DHCPServer `
-ScopeId 192.168.1.0 `
-DynamicUpdates Always `
-NameProtection $True

#set scope reservations
Add-DhcpServerv4Reservation -Name "APC SmartUPS 2200" `
-ScopeId 192.168.1.0 `
-IPAddress 192.168.1.249 `
-ClientId "28-29-86-1b-f9-b1" `
-Type Both `
-Description "APC SmartUPS 2200"

#Set reservation DNS settings
Set-DhcpServerv4DnsSetting -ComputerName $DHCPServer `
-IPAddress 192.168.1.249 `
-DynamicUpdates Always 

Add-DhcpServerv4Reservation -Name "Netgear 1G Switch" `
-ScopeId 192.168.1.0 `
-IPAddress 192.168.1.250 `
-ClientId "28-80-88-6d-51-60" `
-Type Both `
-Description "Netgear 1G Switch"

#Set reservation DNS settings
Set-DhcpServerv4DnsSetting -ComputerName $DHCPServer `
-IPAddress 192.168.1.250 `
-DynamicUpdates Always 

Add-DhcpServerv4Reservation -Name "Netgear 10G Switch" `
-ScopeId 192.168.1.0 `
-IPAddress 192.168.1.251 `
-ClientId "3c-37-86-2a-0e-0c" `
-Type Both `
-Description "Netgear 10G Switch"

#Set reservation DNS settings
Set-DhcpServerv4DnsSetting -ComputerName $DHCPServer `
-IPAddress 192.168.1.251 `
-DynamicUpdates Always

#Added 22-Sep-2021 at the request of Jurjen van Leeuwen @Leodesk_IT on Twitter
#https://docs.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-deploy-wps#notify-server-manager-that-post-install-dhcp-configuration-is-complete-optional
Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2

Open the DHCP console.

Server Manager, Tools, and click on DHCP, as shown in Figure 50.

Expand the width of the console and the left and middle panes.

Expand the DHCP server.

Expand IPv4.

Right-click IPv4 and click Properties, as shown in Figure 51.

Click the DNS tab and verify that Name Protection is enabled, as shown in Figure 52.

Click the Filters tab and verify the both MAC Filters options are not selected, as shown in Figure 53.

Click the Advanced tab and Credentials, as shown in Figure 54.

Verify that the DNS dynamic update credentials are configured, as shown in Figure 55.

Exit the IPv4 Properties.

Right-click on the scope and click Properties, as shown in Figure 56.

Click the General tab and verify that the Scope configuration is correct, as shown in Figure 57.

Click the DNS tab and verify that Name Protection is enabled, as shown in Figure 58.

Exit the Scope Properties.

Click the Reservations node to verify the creation of the reservations, as shown in Figure 59.

Click the Address Leases node and look in the middle pane to see if the DHCP server is handing out DHCP leases, as shown in Figure 60.

Click the Scope Options node and verify that the scope options are correct, as shown in Figure 61.

Click the Server Options node and verify that the server options are correct, as shown in Figure 62.

Exit the DHCP console.

Even in a lab setup, having only one DC is a recipe for disaster. You should always have at least two DCs.

Create Second DC

Go to the second VM built to use as the second DC.

In Server Manager, click on Local Server.

Click on the IP Address link, as shown in Figure 63.

Right-click the network adapter and click Properties.

Click Internet Protocol Version 4 (TCP/IPv4) and click Properties, as shown in Figure 64.

Change the Preferred DNS server to the IP address of the first DC, the Alternate DNS server to the IP address of this server, and click Advanced…, as shown in Figure 65.

Click the DNS tab and click Add…, as shown in Figure 66.

Enter 127.0.0.1 and click Add, as shown in Figure 67.

Verify that the IP addresses listed are in the order of the first DC, this server, and 127.0.0.1, and click OK, as shown in Figure 68. If they are not in the correct order, use the Up and Down arrows to reorder the list.

Click OK.

Click Close.

We are ready to add a DC to the existing forest/domain. We start by installing the necessary Roles and Features.

• Active Directory Administrative Center
• Active Directory Domain Services
• Active Directory module for Windows PowerShell
• Active Directory Snap-Ins and Command-Line Tools
• Active Directory Tools
• Remote Server Administration Tools
• Role Administration Tools
• Telnet Client

Start an elevated PowerShell session. Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 69.

#add a domain controller
Install-WindowsFeature AD-Domain-Services, RSAT-AD-PowerShell, RSAT-ADDS, RSAT-AD-AdminCenter, RSAT-ADDS-Tools, Telnet-Client

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 70.

$DomainName = "LabADDomain"
$SafeModePwd = Read-Host -AsSecureString -Prompt "Enter DSRM password"

Install-ADDSDomainController `
-Confirm:$False `
-Credential (Get-Credential "$DomainName\Administrator") `
-DomainName $DomainName `
-InstallDns `
-SafeModeAdministratorPassword $SafeModePwd

#new dc reboots

After the VM restarts, log in using the domain’s Administrator account and password.

We are now configuring this DC’s DNS server properties. We configured the zones and zone properties earlier, and this new DC picks up all the configured AD and DNS configurations via AD replication.

Start an elevated PowerShell session. Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 71.

#configure DNS
$computer = "$($env:ComputerName)"

Set-DnsServerScavenging `
-ComputerName $computer `
-ApplyOnAllZones `
-ScavengingState $True `
-ScavengingInterval 7.00:00:00 `
-RefreshInterval 7.00:00:00 `
-NoRefreshInterval 7.00:00:00 

Set-DnsServerForwarder -ComputerName $computer -Confirm:$False -IPAddress 1.1.1.1,8.8.8.8,8.8.4.4 -UseRootHint $True

Open the ADUC console, expand the domain and click on the Domain Controllers OU, as shown in Figure 72. Verify that both DCs exist in the OU.

Close the ADUC console.

Open the Active Directory Sites and Services console, expand Sites, expand the site created earlier, and click on the site, as shown in Figure 73. Verify that the new DC exists in the site.

Close the Active Directory Sites and Services console.

Despite what we might think, the new server is not technically a DC until the NETLOGON and SYSVOL shares are created, populated, and shared.

Open a command prompt on the new DC, type in net share, and press Enter, as shown in Figure 74.

If BOTH the NETLOGON and SYSVOL shares show in the list, the new server is officially a DC. In a large environment, especially if hundreds or thousands of Group Policies exist, it can take hours before SYSVOL appears in the share list.

Now that the second DC is officially a DC, we need to add its IP address to the DNS configuration on the first DC.

Go to the first DC.

In Server Manager, click Local Server, and click the IP Address link for the Etherther interface, as shown in Figure 75.

Right-click the network adapter and click Properties, as shown in Figure 76.

Click Internet Protocol Version 4 (TCP/IPv4) and click Properties, as shown in Figure 77.

Click Advanced…, as shown in Figure 78.

Click the DNS tab and click Add…, as shown in Figure 79.

Enter the IP address of the second DC and click Add, as shown in Figure 80.

Use the arrow buttons to arrange the DNS servers, so the top is the first DC, the middle is the second DC, and the third is the local loopback address, as shown in Figures 81 and 82.

Click OK, OK, and Close to exit the network adapters properties.

DC NIC Adapter DNS Settings

Why do I care so much about the adapter’s DNS configuration on DCs? Because I rarely see any consistency in the configuration. In most places I go, it looks like every admin built and configured each DC with their own opinion on the configuration. If there are 12 DCs, there are 12 different configurations. There is no one way to set the DNS configuration on DCs. The goal is to set a standard and use it.

As mentioned earlier, DNS is critical to a properly functioning AD. To ensure that DNS contains the proper resource records and registrations in DNS, every domain controller should have a consistent configuration for its DNS servers. You should only include DNS servers that know how to register, process and handle AD-related resource records in the DNS configuration on DCs. You should never use public DNS servers and DNS servers from Internet Service Providers.

There are different recommendations for the following scenarios:

• One Domain, one Site
• One Domain, multiple Sites, single domain controller per Site
• One Domain, multiple Sites, multiple domain controllers per Site
• Multiple Domains, one Site
• Multiple Domains, multiple Sites, single domain controller per Site
• Multiple Domains, multiple Sites, multiple domain controllers per Site

The number one recommendation is to be consistent in how domain controllers have their DNS servers configured.

1. The PDCe FSMO Role holder becomes the Primary DNS Server for the domain (PriDNS)
2. If a remote Site has multiple domain controllers, select a domain controller to be the Primary DNS for the Site (SitePri)

Domain DNS Configuration:

1. All domain controllers in the domain’s main Site point to PriDNS for Primary DNS
2. The PriDNS server points to Loopback for Secondary DNS
3. The PriDNS server points to a second DNS server in the domain’s main Site for tertiary DNS
4. All other domain controllers in the domain’s main Site point to themselves for Secondary DNS
5. All other domain controllers in the domain’s main Site point to Loopback for Tertiary DNS

Remote Site DNS Configuration:

1. SitePri points to PriDNS for Primary DNS
2. SitePri points to itself for Secondary DNS
3. SitePri points to Loopback for Tertiary DNS
4. All other domain controllers in the remote Site point to SitePri for Primary DNS
5. All other domain controllers in the remote Site point to themselves for Secondary DNS
6. All other domain controllers in the remote Site point to Loopback for Tertiary DNS

Figure 83 shows the recommended configuration for a single domain with a single site (like the lab we are building).

How many DNS servers should you configure on the network adapter? Not as many as you think. I recommend on DCs, a total of three where the third is always 127.0.0.1. For all other computers, also no more than three. I have seen places with 15 DCs, and every computer had all 15 DCs in the list of DNS servers. If you understand Windows DNS client resolution timeouts, limit the number of DNS entries.

Create Additional DNS A Records

After completing this article and creating the other articles, I realized I completely forgot about all the static DNS A records I mentioned in the introduction article. I am too lazy to rewrite this article and redo screenshots, so I am adding this information at the end of this article.

We create static A records with PowerShell, with the options shown when manually creating an A record, as shown in Figure 84.

Go back to the first DC we created and open an elevated PowerShell session.

Copy and paste the following into the elevated PowerShell session and press Enter, as shown in Figure 85. You may want to resize the PowerShell window vertically to see more of the output.

Remember to set the values you need.

#Do this on the first DC
#add the DNS static records I forgot
$ZoneName = "LabADDomain.com"

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.91" `
-Name "AppLayering" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.253" `
-Name "DiskStation1" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.254" `
-Name "DiskStation2" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.53" `
-Name "ESXiHost1" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.57" `
-Name "EsxiHost2" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.61" `
-Name "EsxiHost3" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.65" `
-Name "EsxiHost4" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.69" `
-Name "EsxiHost5" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA -AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.73" `
-Name "EsxiHost6" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Add-DnsServerResourceRecordA `
-AllowUpdateAny `
-CreatePtr `
-IPv4Address "192.168.1.90" `
-Name "vCenter" `
-TimeToLive 01:00:00 `
-ZoneName $ZoneName

Open the DNS console, expand the domain name’s Forward Lookup Zone, and verify that the static A records exist, as shown in Figure 86.

Expand Reverse Lookup Zones, click on the reverse zone created earlier, and verify that the static PTR records exist, as shown in Figure 87.

Up next: Create a Microsoft Certificate Authority

Landing page for the article series

On September 9, 2019, I published the Building Webster’s Lab V1 article series that used vSphere/vCenter 6.7 U3 and XenServer 8.0. This is a follow-up series on building the lab with vSphere/vCenter 7.0 and XenServer 8.2. I want to rebuild the lab as I’m not too fond of upgrades. Building new allows for learning new stuff and a chance to start clean. There are more details about the lab building process in this series. We cover the hypervisor details and create an Active Directory, a Microsoft Certificate Authority, Group Policies, and some basic server builds. Once I complete the lab build, I start the article series Learning the Basics of VMware Horizon 8 2106.

One of the significant issues I had with the original build process with all versions of vSphere 6.x was that I could not get NFS V4.1 to work between my Synology NAS and vSphere/vCenter 6.x. I tried for months to get it working and threw in the towel. Finally, someone on Twitter recommended using NFS V3, and everything worked. I was hopeful that NFS V4.1 would work between my Synology NAS and vSphere/vCenter 7.x. I let out a big YAHOO when it did work. WHEW!

Synology support told me back in 2019 that they thought the issue was on the VMware side. I was skeptical of their conclusion, but it appears they were correct. Nothing changed on the Synology side. The Synology NFS plug-in for VMware VAAI hadn’t changed since 25-Jun-2019 when it was updated to support ESXi 6.7. The same plug-in installed in ESXi 7 works with no issues.

VMware has an article to show the differences in the capabilities of NFS 3 and NFS 4.1. Please see NFS Protocols and ESXi.

Before continuing this introduction article, let me explain the products and technology that I list below. Not everyone has years of virtualization experience and virtualization knowledge. I spend many hours answering questions that come to me in emails and answering questions on Experts Exchange. Many people are new to the world of Citrix, Microsoft, Parallels, VMware, hypervisors, and application, desktop, and server virtualization.

There are two types of hypervisors: Type 1 and Type 2.

Type 1 hypervisors run directly on or take complete control of the system hardware (bare metal hardware). These include, but are not limited to:

Citrix Hypervisor (Formerly Citrix XenServer, which is the name I still use)

Microsoft Hyper-V

VMware ESXi

VMware vSphere

Xen Project

Type 2 hypervisors run under a host operating system. These include, but are not limited to:

Oracle VirtualBox

Parallels Desktop for Mac

VMware Fusion for Mac

VMware Workstation for Windows

Other terminology and abbreviations:

Virtualization Host: a physical computer that runs the Type 1 hypervisor.

Virtual Machine (VM): an operating system environment composed entirely of software that runs its operating system and applications like a physical computer. A VM behaves like a physical computer and contains its virtual processors (CPU), memory (RAM), hard disk, and networking (NIC).

Cluster or Pool: a single managed entity that binds together multiple physical hosts running the same Type 1 hypervisor and the VMs of those hosts.

Datastore or Storage Repository (SR): a storage container that stores one or more virtual hard disks.

Virtual Hard Disk: A virtual hard disk is a disk drive with similar functionalities as a typical hard drive but is accessed, managed, and installed on a virtual machine infrastructure.

Server Virtualization: Server virtualization is the masking of server resources, including the number and identity of individual physical servers, processors, and operating systems, from server users.

Application Virtualization: Application virtualization is the separation of an application from the client computer accessing the application.

Desktop Virtualization: Desktop virtualization is the concept of isolating a logical operating system (OS) instance from the client used to access it.

There are several products mentioned and used in this article series:

Citrix Virtual Apps and Desktops (CVAD, formerly XenApp and XenDesktop).

Microsoft Remote Desktop Services (RDS)

Parallels Remote Application Server (RAS)

VMware Horizon (Horizon)

Citrix uses XenCenter to manage XenServer resources, and VMware uses vCenter to manage vSphere resources. Both XenCenter and vCenter are centralized graphical consoles for managing, automating, and delivering virtual infrastructures.

In Webster’s Lab, I always try to use the latest Citrix XenServer, VMware Workstation, and VMware vSphere. This article series records the adventures of a networking amateur building a vSphere 7.0 cluster from start to finish.

Like most Citrix and Active Directory (AD) consultants, I can work with the various vSphere and vCenter clients. I can work with virtual machines (VMs), snapshots, templates, cloning, and customization templates. Most consultants don’t regularly install and configure new ESXi hosts, vCenter, networking, and storage, which can be confusing, at least the first few times.

I found much misinformation on the Internet as well as many helpful blogs on this journey. I ran into so much grief along the way that I thought that sharing this learning experience with the community was a good idea.

Have I got this all figured out? I seriously doubt it. Have I built the VMware part of the lab in the best way possible? Again, I doubt it. To figure this out, I experienced trials and errors (mainly errors!) in many scenarios. I found many videos and articles that used a single “server” with a single NIC. That meant there was essentially no network configuration to do once the installation of ESXi was complete. Many people used VMware Workstation and nested ESXi VMs. I never saw a video or article where the author used a real server with multiple NICs and configured networking and storage.

If you want to offer advice on my lab build, please email me at webster@carlwebster.com.

I watched many videos on this journey — some useless and rife with editing errors, some very useful and highly polished. The three most helpful video series came from Pluralsight. Disclaimer: As a Citrix Technology Professional (CTP), I receive a complimentary subscription to Pluralsight as a CTP Perk.

These are the videos I watched for the original article series.

VMware vSphere 6 Data Center Virtualization (VCP6-DCV) by Greg Shields

https://www.pluralsight.com/paths/vsphere-6-dcv

What’s New in vSphere 6.5 by Josh Coen

https://www.pluralsight.com/courses/whats-new-vsphere-6-5

VMware vSphere 6.5 Foundations by David Davis

I did not watch any Pluralsight videos on vSphere 7, but David Davis has several new courses in his Implementing and Managing VMware vSphere Learning Path.

The physical servers I use as my VMware and XenServer hosts are from TinkerTry and Wired Zone.

https://tinkertry.com/

Supermicro Mini Tower Intel Xeon D-1541 Bundle 2 – US Version

Paul Braren at TinkerTry takes great pride in the servers he recommends and has a very informative blog.

For the ESXi hosts, I have six of the 8-core servers with the following specifications:

• Mini tower case
• Intel Xeon D-1541 processor
• 64GB DDR4 RAM
• Two 1Gb NIC
• Two 10Gb NIC
• Crucial BX300 120GB SSD (ESXi install)
• Samsung 970 EVO 500GB NVMe PCIe M.2 SSD (Local datastore)
• Crucial MX500 250GB SSD (Host cache)

For the XenServer hosts, I have four of the 12-core servers with the following specifications:

• Mini tower case
• Intel Xeon D-1567 processor
• 64GB DDR4 RAM
• Two 1Gb NIC
• Two 10Gb NIC
• Samsung 970 EVO 500GB NVMe PCIe M.2 SSD (XenServer install and local SR)
• Samsung 860 EVO 1TB 2.5 Inch SATA III Internal SSD (Local SR for VMs)

NOTE: I would never buy or recommend the 12-core servers as I have had nothing but problems with the 10Gb NICs on the servers.

For VMware product licenses, I used VMUG Advantage and the EVALExperience. If you would like to try EVALExperience, Paul Braren has a 10% discount code on his site.

I am fortunate that Citrix supplies CTPs with licenses that work with most on-premises products.

Now that Citrix and other vendors support vSphere/vCenter 7, it is time to rebuild the lab with the latest version of both.

For XenServer, I went with XenServer 8.2, the latest version.

I decided to go with the Network File System (NFS) instead of the Internet Small Computer Systems Interface (iSCSI) for storage. Gregory Thompson was the first to tell me to use NFS instead of iSCSI for VMware. If you Google “VMware NFS iSCSI”, you find many articles that explain why NFS is better than iSCSI for VMware environments. For me, NFS is easier to configure on an ESXi host than iSCSI. I also found out my Synology 1817+ storage unit supported NFS. Synology 1817 and 1817+ support NFS 4.1, and Synology has provided a VAAI plug-in for NFS since 2014.

For XenServer, NFS is also simple to configure and use and requires no additional drivers or software.

The following is a noncomprehensive list of some of the activities this article series covers:

• Configuring a Synology 1817+ NAS for NFS, ESXi 7.0, and XenServer 8.2
• Install VMware ESXi 7.0
• Initial VMware ESXi Host Configuration
• VMware ESXi Host Configuration
• Install the VMware vCenter Server Appliance
• Create vSphere Networking and Network Storage
• Backup the vCenter Server Appliance using NFS
• Updating the vCenter Server Appliance
• Install Citrix XenServer 8.2
• Citrix XenServer Host and Pool Configuration
• Create a Server 2019 Template Image
• Create VMs from the Server 2019 Template
• Create Active Directory
• Create a Microsoft Certificate Authority
• Create Initial Group Policy Objects
• Additional vCenter Configuration
• Additional XenCenter Configuration
• Create Additional Servers
• Create a Management Computer
• Create a 10ZiG Management Server
• Create a Goliath Technologies Management Server
• Create an IGEL Management Server
• Create a ControlUp Management Server
• Update ESXi Hosts using VMware Lifecycle Manager
• Advice, Conclusions, and Lessons Learned

There are two classes of VMs in my lab: permanent and temporary. The permanent VMs are, for example, the domain controllers, CA, file server, SQL server, utility server, management PC, and others. The permanent VMs reside in Citrix XenServer, and I use the vSphere cluster for the virtual desktops and servers created by the various virtualization products. All the Microsoft-related infrastructure servers reside in XenServer.

Since I have built and rebuilt my hosts several times in this learning experience, below is the lab configuration.

Table 1 Lab Configuration

Servers and appliances that exist in the lab after I complete this article series.

I temporarily have DHCP running in my temporary AD, so when DHCP assigns an IP address, DHCP appends the AD domain name to the device’s hostname. For example, when I built the host ESXiHost1, it was given an IP address of 192.168.1.107.  I then give the host a static IP address of 192.168.1.53. When I connect to that host using Google Chrome, the hostname is ESXiHost1.LabADDomain.com, even though the host is not a member of the LabADDomain.com domain.

To work around the initial self-signed certificate issues when connecting to a host using a browser, add the Fully Qualified Domain Name (FQDN) of the various hosts to your AD’s DNS. If your computer, like mine, is not domain joined, you should also consider adding the IP address and FQDN to your computer’s hosts file (located in c:\Windows\System32\Drivers\etc).

Figures 1 through 3 show my DNS Forward and Reverse Lookup Zones and my computer’s hosts file.

Since I have a 10Gb switch and my Synology 1817+ NAS supports 10Gb I use Jumbo Frames. After much research, asking NETGEAR support, and talking with friends who know networking, I configured the following Maximum Transmission Unit (MTU) sizes:

• 10G Switch: 9000 as shown in Figure 4
• Synology 1817+: 9000 as shown in Figure 5
• (When created) 10G related Virtual Switch: 9000
• (When created) VMkernel NICs that connect to the 10G Virtual Switch: 9000

Fellow CTP, Leee Jeffries, provided Figure 6 after reviewing several of the articles in this series. Figure 6 is an overview of the networking in the lab.

This foray into installing and configuring the VMware Lab has been a painful but rewarding learning experience. I hope that through all my pain and errors, you can also gain from my experiences.

Along the way, several community members helped provide information, answered questions, and even did remote sessions with me when I ran into stumbling blocks.

• Abdullah Abdullah
• Greg Shields
• Gregory Thompson
• Leee Jeffries
• Tobias Kreidl

This article series is better because of the grammar, spelling, punctuation, style, and technical input from Michael B. Smith, Leee Jeffries (darn that British English), Tobias Kreidl, and Greg Thompson.

Up next: Configuring a Synology 1817+ NAS for NFS, ESXi 7.0, and XenServer 8.2.

Landing page for the article series

• Fixed issue with invalid name servers not highlighting in red
• Reordered parameters in an order recommended by Guy Leech
• Updated help text
• Updated ReadMe file

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

Creates a text file named DNSChangeStatus.txt, by default, in the folder where the script is run.

Optionally, can specify the output folder.

The user running the script must be a member of Domain Admins.

The script has a lot of error-checking in it. It validates the DNS Servers entered whether they are NetBIOS names, Fully Qualified Domain Names (FQDN), or IP address.  Once the name or IP address is verified as valid, another check is done to make sure the server is running Microsoft DNS. If the DNS server is entered as a NetBIOS name or FQDN, the IP address is found since you can’t add a server’s NetBIOS name or FQDN as a DNS server entry on a computers network card properties.

Figure 1 shows an example of a bad DNS server name entry.

Figure 2 shows a valid server name, but the server does not run Microsoft DNS.

Figure 3 shows a bad IP address.

Figure 4 shows using FQDNs.

Figure 5 shows using IP addresses. The IP addresses are used as entered. No sorting is done.

Figure 6 shows the DNSChangeStatus.txt file generated.

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/.

Thanks

Webster

Only computers using a Static IP Address are processed.

Creates one text file and one CSV file, by default, in the folder where the script is run. The CSV file is named DNSInfo.csv and the other is named ComputerNames.txt.

Optionally, can specify the output folder.

Process each computer gathering the following information to put in the DNSInfo.csv file:

• DNSHostName
• InterfaceName
• MACAddress
• IPAddress
• IPSubnet
• DefaultIPGateway
• DNSServerSearchOrder
• DNSDomainSuffixSearchOrder

The ComputerNames.txt file contains the DNSHostName of the computers that were processed.

The user running the script must be a member of Domain Admins.

Figure 1 shows an example of the script running.

Figure 2 shows an example of the CSV file created.

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/.

Thanks

Webster

• Cleaned up some code and typos driving my OCD up the wall
• Reformatted the terminating Write-Error messages to make them more visible and readable in the console

I put this script on Github.

https://github.com/CarlWebster/UpdateReverseZonesFromSubnets

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

This script was written specifically for a customer to help them with keeping their DNS Reverse Lookup Zones in sync with their Subnets. The customer’s CIO stated the script was useful to them, so it would be useful to the community. The CIO wanted this script made available to the community.

If you would like to thank this CIO for the generous gift, send an email to Webster at carlwebster dot com, I will gather up the responses and send them to the CIO.

I also want to thank all the testers. My always detailed and thorough tester David M., fellow CTP Trond Eirik Haavarstein (aka Mr. XenAppBlog), the testers from the IGEL Slack Community, and the World of EUC Slack Community.

What does this script do?

1. Get all the Subnets defined in Sites and Services
2. Sort the Subnets
3. Change the Subnet to a format that resembles a DNS Reverse Lookup Zone
4. See if a matching Reverse Lookup Zone exists
5. If the reverse zone does exist, there is nothing to do
6. If the reverse zone doesn’t exist, depending on whether -WhatIf or -Confirm is used, create the Reverse Lookup Zone
7. Log everything done
8. Create a text file of all actions
9. Optionally, email the text file

The first problem encountered, was the difference in how Subnets and Reverse Lookup Zones are stored.

Let’s look at Subnets for 10.0.0.0/8, 172.16.0.0/16, 192.168.168.0/24, and 192.168.168.168/32, as shown in Figure 1.

Subnets as stored as a.b.c.d/nn and a reverse zone is stored as c.b.a.in-addr.arpa.

It is a simple task of splitting the Subnet into an array and then creating a temp zone with:

$SubnetArray = $Subnet.split("./")
$SubnetMask = [int]$SubnetArray[($SubnetArray.count-1)]

If($SubnetMask -le 8)
{
$RevZone = "$($SubnetArray[0]).in-addr.arpa"
}
ElseIf($SubnetMask -le 16)
{
$RevZone = "$($SubnetArray[1]).$($SubnetArray[0]).in-addr.arpa"
}
ElseIf($SubnetMask -le 24)
{
$RevZone = "$($SubnetArray[2]).$($SubnetArray[1]).$($SubnetArray[0]).in-addr.arpa"
}
Else
{
$RevZone = "$($SubnetArray2[0]).$($SubnetArray[2]).$($SubnetArray[1]).$($SubnetArray[0]).in-addr.arpa"
}

Creating a reverse lookup zone is different. You create a reverse lookup zone by using the Subnet! For example, you create a reverse zone by using “192.168.1.0/24”, but you retrieve the reverse zone by using “1.168.192.in-addr.arpa”.

To show you what the script does, I deleted the Reverse Lookup Zones I created to get the screenshot for Figure 1.

Figure 2 shows my DNS before the script runs.

Figure 3 shows the script in action.

Figure 4 shows DNS after the script ran.

Note: You cannot create a /32 Reverse Lookup Zone in the DNS console, but I did with PowerShell.

Figure 5 shows the contents of the text file generated by the script.

What happens if the script is rerun now that all the Subnets have DNS Reverse Lookup Zones? Figures 6 and 7 show what happens.

The script supports -WhatIf and -Confirm as shown in Figures 8 through 13.

The main customer request for this script was to run it as a scheduled task and email the text file without saving the email credentials.

This requires using an unauthenticated email sent through an email relay server. This turned out to be simple to implement. I found the solution on ServerFault.

The solution was only three lines of PowerShell.

$anonUsername = "anonymous"
$anonPassword = ConvertTo-SecureString -String "anonymous" -AsPlainText -Force
$anonCredentials = New-Object System.Management.Automation.PSCredential($anonUsername,$anonPassword)

For on-premises Exchange, what the script requires to use an unauthenticated email is the From email account is “anonymous”. i.e. anonymous@emaildomain.tld.

The help text shows an example.

.EXAMPLE
PS C:\PSScript > .\Get-SubnetsFromReverseZones.ps1
-SmtpServer mailrelay.domain.tld
-From Anonymous@domain.tld
-To ITGroup@domain.tld

***SENDING UNAUTHENTICATED EMAIL***

The script will use the email server mailrelay.domain.tld, sending from
anonymous@domain.tld, sending to ITGroup@domain.tld.

To send unauthenticated email using an email relay server requires the From email account
to use the name Anonymous.

The script will use the default SMTP port 25 and will not use SSL.

***GMAIL/G SUITE SMTP RELAY***
https://support.google.com/a/answer/2956491?hl=en
https://support.google.com/a/answer/176600?hl=en

To send email using a Gmail or g-suite account, you may have to turn ON
the "Less secure app access" option on your account.
***GMAIL/G SUITE SMTP RELAY***

The script will generate an anonymous secure password for the anonymous@domain.tld
account.

.EXAMPLE
	PS C:\PSScript > .\Get-SubnetsFromReverseZones.ps1 
	-SmtpServer labaddomain-com.mail.protection.outlook.com
	-UseSSL
	-From SomeEmailAddress@labaddomain.com 
	-To ITGroupDL@labaddomain.com	

	***OFFICE 365 Example***

	https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-3
	
	This uses Option 2 from the above link.
	
	***OFFICE 365 Example***

	The script will use the email server labaddomain-com.mail.protection.outlook.com, sending from 
	SomeEmailAddress@labaddomain.com, sending to ITGroupDL@labaddomain.com.

	The script will use the default SMTP port 25 and will use SSL.

I tested this on the customer’s network and it worked the first time.

I have not tested the GMAIL/G Suite or Office 365 relay examples.

Adding the on-premises anonymous email capability required a change to a core script function (Function SendEmail), which means I will update every script using this function as soon as I can.

I want to again thank the customer for allowing me to give this script to the community and to all the testers.

If you find any issues with the script or any enhancement requests, send me an email.

I am creating the mirror image of this script to process reverse lookup zones and report (not create) on any missing subnets in Sites and Services.

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

I have been meaning to write this script for a number of years, but never got around to it. Well, I finally got my “Round ToIt”.

I was working on an AD remediation project where the customer had over 100 AD-integrated Forward and Reverse Lookup Zones to configure. I did not want to issue over 100 “dnscmd” commands, copying and pasting the name of every zone.

DNS Aging and Scavenging is configured in five places.

1. DNS Server
2. DNS Server Properties
3. Forward Lookup Zones
4. Reverse Lookup Zones
5. Then via dnscmd.exe, set a scavenging server for every Forward and Reverse Lookup Zone

This new script handles item number five.

As with all my scripts, there is full help text available.

Since Microsoft only started supplying DNS PowerShell cmdlets with Windows Server 2012, PowerShell V4 or later is required. At least one Windows Server 2012 or later is required. Windows 8, or later, with Remote Server Administration Tools is required is you want to run the script from a non-server.

Because this script makes changes to DNS, there is support for -WhatIf and -Confirm.

The script creates a text file that contains the Before and After settings.

For the customer with over 100 zones to configure, running the script took less than five seconds.

If there is anything you would like added to the script, send me an email to webster@carlwebster.com.

As always, thanks to Michael B. Smith for the code review, corrections, and suggestions.

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

• Fixed the sorting of Root Hint servers thanks to MBS
• Fixed the sorting on Name Servers

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster

That’s not the topic of this blog post, however. It’s not even a Citrix problem. But again, every Citrix admin will agree on this too; if the problem or issue is present on Citrix, then it’s a Citrix problem, period. So I won’t be writing on how to install and configure Office 365 applications on Citrix, it’s how those apps will connect to the magical entity, otherwise known as “The Cloud”.

Let’s take a look at Outlook. Outlook will always try to connect to outlook.office365.com. Now before Outlook can establish that connection, it needs to resolve that name into an IP address. Enter DNS. DNS is a vital part of today’s connected world. Microsoft will even tell you that Outlook uses a geolocation mechanism based on DNS to point you to the “best” entry point into their network. The latter is a crucial statement; you need the fastest connection to their network. Once there, they’ll take care of things for you.
Another important fact for you: “The Cloud” changes at an extraordinary pace. What’s relevant today, may be completely obsolete by tomorrow. In that light, it may or may not be true for you to see something like this when you do nslookup of outlook.office365.com.

First of all, if outlook.office365.com still resolves for you to something like outlook-emeawest3.office365.com, you’re in a bad place. More details on that below.

What can we actually learn from this? Microsoft DNS returns multiple IP addresses for that single DNS record. Why? Load distribution and high availability, what else? But if you look closer, there might be something off. When pinging those IP addresses individually, you might see a big difference in performance. Some will be a lot “faster” than others. And if ping can “see” that, you can be sure your users will “see” the difference too.

Why is this happening? Because those IP addresses are served from different Microsoft data centers around the world. And some are closer to you than others.

Remember I wrote something about being at a bad place some lines above?

Microsoft has been revamping the DNS resolution for some time now. How to find out? Outlook.office365.com should be resolving to a more generic outlook.ms-acdc.office.com by now. Microsoft keeps expanding its ACDC solution. And no, that’s not about music, but about AnyCast DNS Cafe. The reasoning is quite simple: Microsoft wants your users to connect to the Microsoft network as fast as possible. Once you’re on their network, you’re all set.

In general, ms-acdc returns a more consistent set of IP addresses and those would be “closer”, or in other words: faster for your users.

There is a moral to this story: you do have some influence of this DNS stuff. Choose your resolver/forwarder wisely. Some will work better than others. In my case, CloudFlare 1.1.1.1 servers returned IP addresses 10ms “faster” compared to the ones of our hosting/colo facility (even that’s a leading, global one).

Bottom line: DNS is essential to a successful Office 365 (or any cloud service really) implementation, on Citrix or otherwise. Your mileage will vary, so you’ll need to try and test for yourself and your users.

Thanks

Bart Jacobs

I have been speaking at conferences around the world on AD topics since Synergy 2012 in San Francisco. One of my “Top 10” things I look for when doing an AD Health Check is whether DNS Aging and Scavenging is configured correctly. I would estimate that 99% of the time, it is not configured correctly.

The DNS Server service supports Aging and Scavenging features as a mechanism for performing cleanup and removal of stale resource records which can accumulate in zone data over time.

With dynamic update, resource records are automatically added to zones when computers start on the network. However, in some cases, they are not automatically removed when computers leave the network. For example, if a computer registers its host (A) resource record at startup and is later improperly disconnected from the network, its host (A) resource record might not be deleted. If your network has mobile users and computers, this situation can occur frequently.

If left unmanaged, the presence of stale resource records in zone data may cause some problems:

• If many stale resource records remain in zones, they can eventually take up server disk space and cause unnecessarily long zone transfers.
• DNS servers that load zones that contain stale resource records might use outdated information to answer client queries, potentially causing the clients to experience name resolution problems on the network.
• The accumulation of stale resource records at the DNS Server can degrade its performance and responsiveness.
• In some cases, the presence of a stale resource record in a zone can prevent a DNS domain name from being used by another computer or host device.

The DNS Server service has the following features to solve the above problems:

• Time stamping, based on the current date and time set at the server computer, for any resource records that are added dynamically to primary-type zones. Also, timestamps are recorded in standard primary zones where aging and scavenging is enabled.

For resource records that you add manually, a time-stamp value of zero is used, indicating that these records are not affected by the aging process and that they can remain without limitation in zone data unless you otherwise change their time-stamp or delete them.

• Aging of resource records in local data, based on specified refresh intervals, for any eligible zones.

Only primary-type zones that are loaded by the DNS Server service are eligible to participate in this process.

• Scavenging for any resource records that persist beyond the specified refresh periods.

When a DNS Server performs a scavenging operation, it can determine that resource records have aged to the point of becoming stale and remove them from zone data. You can configure servers to perform recurring scavenging operations automatically, or you can initiate an immediate scavenging operation at the server.

Microsoft recommends setting an advanced zone parameter that enables you to specify a restricted list of IP addresses for DNS servers that are enabled to perform scavenging of the zone.

By default, if this parameter is not specified, all DNS servers that load a Directory-integrated zone (also enabled for scavenging) attempt to perform scavenging of the zone. In some cases, this parameter can be useful if it is preferable that scavenging is performed only at some servers loading the directory-integrated zone.

To set this parameter, you must specify the list of IP addresses for the servers that are enabled to scavenge the zone in the ZoneResetScavengeServers parameter for the zone. Configuring the scavenging server can be done using the dnscmd command, a command line-based tool for administering Windows DNS servers.

Microsoft recommends configuring at least one and no more than two DNS servers for scavenging a zone.

Before beginning, first, verify no scavenging server is configured by running dnscmd /ZoneInfo domain.tld as shown in Figure 1.

When trying to set a scavenging server, you receive “Command failed: DNS_ERROR_INVALID_ZONE_TYPE 9611 0x258B” as shown in Figure 2.

To resolve this, enable aging for the zone by issuing the following command, as shown in Figure 3.

dnscmd /Config domain.tld /Aging 1

Reissue the command to set the scavenging server (which now works), as shown in Figure 4.

dnscmd ServerName /ZoneResetScavengeServers domain.tld IPAddressOfServerName

You can now check the zone information again, which now shows the scavenging server set, as shown in Figure 5.

I hope this helps.

Webster