Monday, February 11, 2013

SCVMM Service Template for the first DC in a Forest – part 1

I am teaching myself about Service Templates in SCVMM and I always like to take something that I am doing and repurpose it.

Today, I finally had success with taking the PowerShell scripts behind creating a new domain controller in a new forest and automating that using the SCVMM Service Template model.

Oh my (quoting George Takei).  What an interesting adventure this has been.

So, if you are looking for a real-world example of building your own Template, here it is.  No references to Pet Shop here.

Also, this is not a walkthrough or a point and click post.  I am expecting you to have some familiarity with setting up SCVMM and read all the other blogs about building an SCVMM Service Template.  I am going straight to the peculiar things that you need to be aware of or do to make this happen.



I begin with the Server 2012 evaluation VHD (nice and small, prepared with sysprep, no baggage) and I place that in my SCVMM Library.


And this is (what I think is) the key – I build some scripts.  The SCVMM Library comes with a few “Application Frameworks” and these are Custom Resources.  Server App-V and WebDeploy are delivered this way.

How do you do this?  Go to your SCVMM Library share, and model the built-in ones.

Create a Folder called  Add a file to that called “”  - Don’t copy an existing one, create one.

Add your scripts to this folder.

The Scripts:

Welcome back to the world of BATCH.  If you have been here before, you will recall it fondly.  If you have never been here, you must be relatively young.  There are some excellent web sites with some excellent BATCH command references.  Just search a bit (there aren’t lots, so you find them rather quickly).

Why batch – look at the MSFT included stuff.  Fun with BATCH.  And it ‘just works’.

So here is my trick:  Running PowerShell commands from a BATCH script:

echo Set the Execution Policy to RemoteSigned
%WINDIR%\System32\WindowsPowerShell\v1.0\PowerShell.exe -command set-executionpolicy remotesigned -force

And for this exercise I can install all the required features of Active Directory and DNS:

REM echo Add the RSAT tools
%WINDIR%\System32\WindowsPowerShell\v1.0\PowerShell.exe -command Add-WindowsFeature RSAT-AD-Tools

REM echo Add the Windows Features
%WINDIR%\System32\WindowsPowerShell\v1.0\PowerShell.exe -command Add-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools

%WINDIR%\System32\WindowsPowerShell\v1.0\PowerShell.exe -command Add-WindowsFeature DNS -IncludeAllSubFeature -IncludeManagementTools

%WINDIR%\System32\WindowsPowerShell\v1.0\PowerShell.exe -command Add-WindowsFeature GPMC -IncludeAllSubFeature -IncludeManagementTools

And this is where BATCH fails.  This needs to be totally unattended.  And the cmdlet to create the AD Forest requires a secure string.  I can’t do that in BATCH.  I need to actually use a script (or call the command and add my script as a script block).

This PowerShell script will be in the same folder as the BATCH script (

# parameters arrive positionally, in the order the BATCH script passes them
param (
    [string]$domainName,
    [string]$netbiosName,
    [string]$safeModePass
)

# convert the password to a secure string as required
$secPass = ConvertTo-SecureString -String $safeModePass -AsPlainText -Force

# Create the Forest and Domain
Install-ADDSForest -CreateDnsDelegation:$false -DomainMode Win2012 -DomainName $domainName -DomainNetbiosName $netbiosName -ForestMode Win2012 -InstallDns -Force -SafeModeAdministratorPassword $secPass

Okay, back to the batch script.  You need to properly call the PowerShell script from the BATCH script.

REM Running the PowerShell Domain Controller script
%WINDIR%\System32\WindowsPowerShell\v1.0\PowerShell.exe -file %~dp0\DomainController.ps1 %domName% %domNBios% %recoPass%

But what are those “%” thingies?  Parameters.  I pass parameters to the BATCH script, which are in turn passed to the PowerShell script.  All because of the Secure String.
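A validating variant of DomainController.ps1, added here as an example and not the author's script: it takes the same three positional arguments that the BATCH script passes, rejects empty values and unsubstituted @token@ placeholders, and runs Test-ADDSForestInstallation before promoting. The validation patterns and the exit codes 1 and 2 are assumptions chosen for illustration.

```powershell
param (
    [string]$domainName,    # 1st argument from the BATCH script (%domName%)
    [string]$netbiosName,   # 2nd argument (%domNBios%)
    [string]$safeModePass   # 3rd argument (%recoPass%), arrives as plain text
)

$ErrorActionPreference = 'Stop'

# Example validation rules (assumed for illustration, not from the original post).
$problems = @()
if ($domainName -notmatch '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$') {
    $problems += "DomainName '$domainName' is not a multi-label DNS name."
}
if ($netbiosName -notmatch '^[A-Za-z0-9][A-Za-z0-9-]{0,14}$') {
    $problems += "DomainNetbiosName '$netbiosName' must be 1-15 letters, digits or hyphens."
}
# An empty value or an unsubstituted template token such as
# @SafeModeAdministratorPassword@ must never become the DSRM password.
if ([string]::IsNullOrEmpty($safeModePass) -or $safeModePass -match '^@\w+@$') {
    $problems += 'SafeModeAdministratorPassword is empty or an unresolved @token@.'
}
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error -Message $_ -ErrorAction Continue }
    exit 1   # non-zero exit code so the calling BATCH script can detect the failure
}

# Convert once, then remove the plain-text variable from scope.
$secPass = ConvertTo-SecureString -String $safeModePass -AsPlainText -Force
Remove-Variable -Name safeModePass

# Same settings as the Install-ADDSForest call on this page, as a splat.
$forest = @{
    DomainName                    = $domainName
    DomainNetbiosName             = $netbiosName
    DomainMode                    = 'Win2012'
    ForestMode                    = 'Win2012'
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    SafeModeAdministratorPassword = $secPass
}

# Run the prerequisite check first; stop before promotion if it reports an error.
$failed = Test-ADDSForestInstallation @forest | Where-Object { $_.Status -eq 'Error' }
if ($failed) {
    $failed | ForEach-Object { Write-Error -Message $_.Message -ErrorAction Continue }
    exit 2
}

Install-ADDSForest @forest -Force
```

The password still crosses the cmd.exe and PowerShell.exe command lines in plain text before this script sees it; the script only limits how long the plain-text copy stays in a variable.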

Now, setting this in the Service Template:

The executable program is cmd.exe (because we are using the command prompt)

And the parameters are: /q /c DCInstall.cmd @DomainName@ @DomainNetbiosName@ @SafeModeAdministratorPassword@

The /q is for ‘quiet’ and the /c defines the ‘command’.  The /c needs to be the last switch on the line, because everything after it is treated as the command to run.  The @thing@ are the parameters that SCVMM will prompt you for when you deploy.

And the Run As account is my local admin run as account profile.  And the timeout needs to be turned up to about 600 seconds.

And the Script resource package is that folder you created that you put the scripts into.  This gets copied to your VM via BITS (the VM OS does a pull from the Library share BTW), executed, and then deleted on success.

It should look something like this:


And the Custom Resource:



Next post, a twist.  Who wants to call the command prompt and relive the glory days of BATCH all the time?  Why not use only PowerShell??
