Tuesday, February 12, 2013

SCVMM Service Template for the first DC in a Forest – part 2

Okay, so I posted the traditional way of handling this, with a BATCH file.

But, in reality all I did was sue a BATCH file to in turn process a PowerShell script.  I considered this silly.  There must be a way to process the PowerShell script without having to use the BATCH script.

I mean, come on.  This is Server 2012 I am using and PowerShell v3.  Yes, I know there are some advanced things that ca be done with BATCH scripting (I have done some in my history), but think out of the box here.

So, I spent bunches of time playing around with this (so you wouldn’t have to (if you stumbled on my post)).

In the end, it wasn’t that difficult, just had to think about things a bit differently.

Oh, and one important thing I left out of my previous post.  Use a local administrator Run As account for adding the local administrator admin credentials to the OS and the same Run As account a second time to process the scripts.

So, here is the script the PowerShell way:

param (

# Build a domain controller and the test domain.

# Add the RSAT tools
Add-WindowsFeature RSAT-AD-Tools

# Add the features
Add-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
Add-WindowsFeature DNS -IncludeAllSubFeature -IncludeManagementTools
Add-WindowsFeature GPMC -IncludeAllSubFeature -IncludeManagementTools

# convert the password to a secure string as required
$secPass = ConvertTo-SecureString -String $safeModePass -AsPlainText -Force

# Create the Forest and Domain
Install-ADDSForest -CreateDnsDelegation:$false -DomainMode Win2012 -DomainName $domainName -DomainNetbiosName $netbiosName -ForestMode Win2012 -InstallDns -Force -SafeModeAdministratorPassword $secPass

I know what you are thinking, that can be shortened.  And my reply; yes, it can.  And you advanced folks, go right ahead.

Now, in the Application Configuration of the Tier in the Service.  Two pre-install scripts.

The first pre-install script is to set script execution to RemoteSigned:

The executable program is: %WINDIR%\System32\WindowsPowerShell\v1.0\PowerShell.exe

And the Parameters are: -command set-executionpolicy remotesigned –force 

(I don’t have a Run As account defined BTW).


The second pre-install script is everything above.  But those are included in the Custom Resource Package as a .ps1 file.

The executable program is the same.  The Parameters are different: -file .\DomainController.ps1 @DomainName@ @DomainNetbiosName@ @SafeModeAdministratorPassword@

And the Run As account is my local admin run as account profile.  And the timeout needs to be turned up to about 600 seconds.


That is it.  I tried it a few times.  It works. 


Anonymous said...

This all looks great!

So do you think would you be able to deploy service templates in this way to effectively create a multi-tenancy/multi forest environment. Or would you still require a 2 way trust to the additional forests?

BrianEh said...

This was designed for a very basic one DC deployment.
Now, if you want to expand on this, you could create a tier for each AD role.

Also, SCVMM no longer requires that the VMs be in the same domain or trusted to the domain that SCVMM is in. (I think that is what you are getting at).

Anonymous said...

Hi Brian

Cool stuff man, thanks for sharing!

I've tested it and I've hit the same issue as you did in February:

Have you ever managed to get this running in a "unreachable" network. I have the same error and don't know how to get around (except for deploying it to a routed/reachable network).

Thanks for your reply!


BrianEh said...

SCVMM is incorrectly attempting to use the agent within the VM to contact the Library Server and pull the scripts using BITS.
What SCVMM should be doing is using its ISO method when the VM is not on the same network as the Library Server. (or it can also be a DNS issue due to timing).

What I have been told is this:
"A workaround to unblock you (albeit a slower one), is to use constrained network deployment, which is to unset the VMNetwork on the library server that your VM is being deployed to. That will get guest payload transferred via ISO to the guest, instead of over the network, bypassing the problem completely."

Anonymous said...

That did not work for me unfortunately, I always got the following error:

"Application deployment to disconnected networks cannot be performed on the host"

Which should actually not happen with VMM 2012 SP1 and Hyper-V 2012 as it should work with the ISO method you described, at least that's what they tell :-)

But I found a "dirty" little workaround which totally works for my needs (Test-Labs) even though it compromises the concept of the Service Templates.
Instead of using the DomainController.ps1 in the library I modified the VHDX-file to contain the script "locally" (i. e. C:\temp\DomainController.ps1), removing the script resource (set to None) in the Pre-Install 2 and then simply run it as follows: ... -file C:\temp\DomainController.ps1 @DomainName@ ...
Now the BITS job is needless and won't run, hence the job succeeds :-)

Thanks again and Cheers

BrianEh said...

No reason why that shouldn't work.
It only breaks the MSFT model, not the use case.
Glad you found a way to make it work.