VMware Cloud Foundation, Will it run on Oracle Ravello? Part 2: Deploying ancillary services
Before we begin
If you have not checked out what this series is about then please take a look at the previous parts below.
Ancillary services?
These are the components that are required to make VMware Cloud Foundation work but are not going to be managed by the Software Defined Datacentre Manager. For this project, they include a Domain Controller, a jump box and a stand-alone ESXi 6.7 host.
In Ravello this will look a little something like this.
As I work through this blog post series, you will see each of the areas above fill up with the various workload types.
ESXi host deployment
I am not going to re-invent the wheel. I covered this process in step 1 in my blog post detailing how to run a VCSA appliance on a bare metal Ravello instance. Check it out here.
Domain controller deployment
Nothing too special here. I deployed a Windows Server 2016 VM on a Ravello Bare Metal instance. I did use the following script to automate the domain controller deployment. Script courtesy of this blog post by John Dougherty, slightly tweaked by me.
This will deploy AD DS, set the time source, create a basic OU structure, create a new enterprise admin account and a basic user account. The built-in Administrator account is disabled as part of the script. The script is split into sections by `#====` separators; the first two sections each end in a reboot, so it is run section by section rather than in one go.
```powershell
# Run each #==== section separately: the first two end in a reboot.

# Define the Computer Name
$computerName = "vcfdc01"

# Define the IPv4 Addressing
$IPv4Address = "10.0.0.3"
$IPv4Prefix  = "16"
$IPv4GW      = "10.0.0.2"
$IPv4DNS     = "1.1.1.1"

# Get the Network Adapter's interface index (assumes a single adapter)
$ipIF = (Get-NetAdapter).ifIndex

# Turn off IPv6 Random & Temporary IP Assignments
Set-NetIPv6Protocol -RandomizeIdentifiers Disabled
Set-NetIPv6Protocol -UseTemporaryAddresses Disabled

# Turn off IPv6 Transition Technologies
Set-Net6to4Configuration -State Disabled
Set-NetIsatapConfiguration -State Disabled
Set-NetTeredoConfiguration -Type Disabled

# Add IPv4 Address, Gateway, and DNS
New-NetIPAddress -InterfaceIndex $ipIF -IPAddress $IPv4Address -PrefixLength $IPv4Prefix -DefaultGateway $IPv4GW
Set-DnsClientServerAddress -InterfaceIndex $ipIF -ServerAddresses $IPv4DNS

# Rename the Computer, and Restart
Rename-Computer -NewName $computerName -Force
Restart-Computer

#============================================
$domainName  = "vcf.local"
$netBIOSname = "VCF"
$mode        = "Win2016"

Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
Import-Module ADDSDeployment

# Install-ADDSForest prompts for the DSRM (SafeMode) password, then reboots the server
$forestProperties = @{
    DomainName           = $domainName
    DomainNetbiosName    = $netBIOSname
    ForestMode           = $mode
    DomainMode           = $mode
    CreateDnsDelegation  = $false
    InstallDns           = $true
    DatabasePath         = "D:\Windows\NTDS"
    LogPath              = "D:\Windows\NTDS"
    SysvolPath           = "D:\Windows\SYSVOL"
    NoRebootOnCompletion = $false
    Force                = $true
}
Install-ADDSForest @forestProperties

#================================================
# Define DNS and Sites & Services Settings
$IPv4netID = "10.0.0.0/16"
$siteName  = "VCF-Services"
$location  = "Ravello"

# Define Authoritative Internet Time Servers
$timePeerList = "0.uk.pool.ntp.org 1.uk.pool.ntp.org"

# Add DNS Reverse Lookup Zones
Add-DnsServerPrimaryZone -NetworkID $IPv4netID -ReplicationScope 'Forest' -DynamicUpdate 'Secure'

# Make Changes to Sites & Services
$defaultSite = Get-ADReplicationSite | Select-Object DistinguishedName
Rename-ADObject $defaultSite.DistinguishedName -NewName $siteName
New-ADReplicationSubnet -Name $IPv4netID -Site $siteName -Location $location

# Re-Register DC's DNS Records
Register-DnsClient

# Enable Default Aging/Scavenging Settings for All Zones and this DNS Server
Set-DnsServerScavenging -ScavengingState $True -ScavengingInterval 7:00:00:00 -ApplyOnAllZones
$Zones = Get-DnsServerZone | Where-Object { $_.IsAutoCreated -eq $False -and $_.ZoneName -ne 'TrustAnchors' }
$Zones | Set-DnsServerZoneAging -Aging $True

# Set Time Configuration (the peer list contains a space, so quote the whole argument)
w32tm /config "/manualpeerlist:$timePeerList" /syncfromflags:manual /reliable:yes /update

#==================================================================
$baseDN      = "DC=vcf,DC=local"
$resourcesDN = "OU=Resources," + $baseDN
New-ADOrganizationalUnit "Resources" -Path $baseDN
New-ADOrganizationalUnit "Admin Users" -Path $resourcesDN
New-ADOrganizationalUnit "Groups Security" -Path $resourcesDN
New-ADOrganizationalUnit "Service Accounts" -Path $resourcesDN
New-ADOrganizationalUnit "Workstations" -Path $resourcesDN
New-ADOrganizationalUnit "Servers" -Path $resourcesDN
New-ADOrganizationalUnit "Users" -Path $resourcesDN

#==========================================================
$ForestFQDN = "vcf.local"
$SchemaDC   = "vcfdc01.vcf.local"
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $ForestFQDN -Server $SchemaDC -Confirm:$false

#===================
# Prompt for a Password
$Password = Read-Host -AsSecureString "User Password"

# Create a Privileged Account
$userProperties = @{
    Name                 = "VCFADMIN"
    GivenName            = "VCF"
    Surname              = "Admin"
    DisplayName          = "VCF Admin"
    Path                 = "OU=Admin Users,OU=Resources,DC=vcf,DC=local"
    SamAccountName       = "vcfadmin"
    AccountPassword      = $Password
    PasswordNeverExpires = $True
    Enabled              = $True
    Description          = "VCF Enterprise Admin"
}
New-ADUser @userProperties

# Add Privileged Account to EA, DA, & SA Groups
# (Add-ADGroupMember errors if the account is already a member, so each group is added once)
Add-ADGroupMember "Domain Admins" $userProperties.SamAccountName
Add-ADGroupMember "Enterprise Admins" $userProperties.SamAccountName
Add-ADGroupMember "Schema Admins" $userProperties.SamAccountName

#===========================================
# Create a Non-Privileged User Account (prompt separately so it does not share the admin password)
$userPassword = Read-Host -AsSecureString "Non-privileged User Password"
$userProperties = @{
    Name                 = "Ian Sanderson"
    GivenName            = "Ian"
    Surname              = "Sanderson"
    DisplayName          = "Ian Sanderson"
    Path                 = "OU=Users,OU=Resources,DC=vcf,DC=local"
    SamAccountName       = "ian.sanderson"
    AccountPassword      = $userPassword
    PasswordNeverExpires = $True
    Enabled              = $True
    Description          = "VCF User"
}
New-ADUser @userProperties

#===========================================
# Lock down the built-in Administrator account
Set-ADUser Administrator -AccountNotDelegated:$true -SmartcardLogonRequired:$true -Enabled:$false

#=======================
# Take an AD snapshot of the freshly built directory
C:\Windows\system32\ntdsutil.exe snapshot "activate instance ntds" create quit quit
```
The domain controller is only reachable from the jump box; there is no RDP open to the internet here.
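One way to enforce that on the domain controller itself, rather than relying on the Ravello network layout alone, is to scope the Windows Firewall Remote Desktop rules to the jump box address and then check that no other inbound rule opens 3389. This is an added example and is not part of the original post or John Dougherty's script; the jump box address `10.0.0.4` is an assumption for this example, and it is run elevated on the DC.

```powershell
# Added example, not from the original post: restrict inbound RDP on the domain
# controller to the jump box only, and verify that nothing else opens port 3389.
$jumpBoxIP = '10.0.0.4'   # assumed jump box address for this example; change to match the lab

# Require Network Level Authentication so a caller must authenticate before a session is created
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1

# Scope the built-in "Remote Desktop" inbound rules to the jump box address only.
# Windows Firewall drops unsolicited inbound traffic by default, so narrowing the allow
# rule is sufficient; an extra block rule would also block the jump box (block beats allow).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $jumpBoxIP -Enabled True -Profile Any

# Verification 1: every Remote Desktop rule now lists the jump box as its only remote address
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = ($addr -join ',')
    }
} | Format-Table -AutoSize

# Verification 2: any other enabled inbound allow rule for 3389 with a wider remote scope.
# Expected output is empty; anything listed here is a rule that bypasses the restriction.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -ne $jumpBoxIP } |
    Select-Object DisplayName, DisplayGroup, Profile
```

The second verification is the one worth keeping as a recurring check: a later role install or a helpful colleague can add a new rule that reopens 3389 to everything without touching the Remote Desktop group.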
Jump box
This is another Windows Server 2016 VM with nothing installed other than the Duo 2FA agent, which I talked about in this blog post. The 2FA setup is an attempt to limit someone breaking into the lab. Only non-privileged accounts can log on to this server.
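The "only non-privileged accounts" rule can be made a property of the jump box rather than a habit: deny the Domain Admins, Enterprise Admins and Schema Admins groups the interactive and Remote Desktop logon rights, then audit who is left in the local groups that grant RDP. The following is an added example and not part of the original post; it assumes the jump box is joined to the `VCF` domain created by the script above and is run elevated on the jump box. The user-rights change is applied with `secedit`, which is how these rights are set locally when no Group Policy is in play.

```powershell
# Added example, not from the original post: keep privileged AD groups off the jump box
# by denying them interactive and RDP logon, then audit who can still reach it over RDP.
$privilegedGroups = 'VCF\Domain Admins', 'VCF\Enterprise Admins', 'VCF\Schema Admins'

# secedit templates reference principals as *SID, so resolve each group name to its SID
$denySids = foreach ($group in $privilegedGroups) {
    ([System.Security.Principal.NTAccount]$group).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Set-DenyLogonRights {
    param([string[]]$Sids)
    $cfg = Join-Path $env:TEMP 'jumpbox-rights.inf'
    $db  = Join-Path $env:TEMP 'jumpbox-rights.sdb'
    # Export the current user-rights assignment and edit only the two deny rights
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    foreach ($right in 'SeDenyRemoteInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
        $existing = $lines | Where-Object { $_ -match "^$right\s*=" }
        # Merge with whatever is already denied rather than overwriting it
        $current = if ($existing) { (($existing -split '=', 2)[1]).Trim() -split ',' } else { @() }
        $merged  = @($current) + ($Sids | ForEach-Object { "*$_" }) |
                   Where-Object { $_ } | Sort-Object -Unique
        $newLine = "$right = " + ($merged -join ',')
        if ($existing) {
            $lines = $lines | ForEach-Object { if ($_ -match "^$right\s*=") { $newLine } else { $_ } }
        } else {
            $idx   = [Array]::IndexOf($lines, '[Privilege Rights]')
            $lines = $lines[0..$idx] + $newLine + $lines[($idx + 1)..($lines.Count - 1)]
        }
    }
    Set-Content -Path $cfg -Value $lines -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}

Set-DenyLogonRights -Sids $denySids

# Audit: who can still log on over RDP, flagging direct members of the denied groups.
# The deny right applies to token membership, so nested membership is covered at logon
# even though this listing only compares each member's own SID.
$privilegedSidSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$denySids)
'Administrators', 'Remote Desktop Users' | ForEach-Object {
    $localGroup = $_
    Get-LocalGroupMember -Group $localGroup | ForEach-Object {
        [pscustomobject]@{
            LocalGroup = $localGroup
            Member     = $_.Name
            Source     = $_.PrincipalSource
            Privileged = $privilegedSidSet.Contains($_.SID.Value)
        }
    }
} | Format-Table -AutoSize
```

After this runs, a Domain Admin who reaches the jump box still cannot open a session on it, and the audit table shows whether the local `Administrators` or `Remote Desktop Users` groups have quietly picked up a privileged member. The same deny rights can be pushed from Group Policy instead once the domain is up; the local approach is shown because the jump box is built alongside the DC.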