Quick, Automated AD Setup

Use batch files to build your AD network

Because I frequently test configurations for clients, research prospective article topics, or set up demonstration machines for classes, I'm constantly building new Active Directory (AD) networks from scratch. Wizards quickly become wearisome, and I sometimes feel as if I'm spending significant chunks of my day waiting for GUI-based tools to prompt me for input. I've been a fan of batch files since the PC-DOS 1.0 days, so I created a series of batch-based tools that let me quickly set up AD networks—with little intervention necessary on my part. This month, I want to share these useful automated tools.

For the sake of simplicity, I limit this article's example to a simple network of two servers named UptownDC and DowntownDC. One server is a Windows Server 2003 machine, and the other is a Windows 2000 server; both have the support tools and the DNS Server service installed. My first task is to establish static IP addresses on UptownDC and DowntownDC and set the DNS suffix to match the soon-to-be-created DNS zone. UptownDC's IP address is 192.168.0.2, and DowntownDC's IP address is 10.0.0.2. Both servers sit on /24 networks, that is, they use subnet masks of 255.255.255.0.

I'm going to create an AD domain named bigfirm.biz, but before I do that, I need to create a DNS zone named bigfirm.biz—and accomplishing that is easier if my DNS servers already bear the bigfirm.biz DNS suffix. Therefore, I first need to set a static IP address and a DNS suffix. Unfortunately, I haven't found a good way to rename Win2K systems from the command line. (Netdom's Renamecomputer tool works only on systems that are already joined to domains.) So I need to set UptownDC and DowntownDC's machine names from the GUI.

Using Netsh
To set the IP address, I'll use a terrific yet little-known tool called Netsh, which is built into Win2K and later. To use Netsh to set a static IP address, type

netsh int ip set address <nicsname> static <ipaddress> <subnetmask> <gateway> <metric>

where nicsname is the name of the NIC whose IP address you want to set; ipaddress, subnetmask, and gateway are the IP address, subnet mask, and gateway address you want to assign to that NIC, respectively; and metric is the route metric you want to assign to that gateway. For example, if I type

netsh int ip set address "Local Area Connection" static 192.168.0.2 255.255.255.0 192.168.0.1 2

at UptownDC, I'm setting its IP address to a static 192.168.0.2 with subnet mask 255.255.255.0 and a default gateway of 192.168.0.1, and I'm giving that gateway a route metric of 2. (The metric is a relative cost Windows uses to choose among competing routes, not a hop count; a lower value is preferred.)

This command looks fairly simple—if lengthy—but I should mention two oddities. First, Netsh pauses for 1 or 2 minutes when executing. I'm not quite sure what it's doing, but don't be alarmed if you don't get an immediate response to a Netsh command. Second, the nicsname parameter isn't exactly intuitive.

The Netsh Int Ip Set Address command can set the IP address of your system's NIC, but many systems have more than one NIC, which is why Netsh has the nicsname parameter. To see the names of your NICs, you can right-click My Network Places, choose Properties, and look under the LAN or High-Speed Internet heading. If you have only one NIC, you'll probably see the default name Local Area Connection. Typing Local Area Connection is cumbersome, so I was pleased to discover that Netsh doesn't need the NIC's entire name. Instead, Netsh needs just enough letters to distinguish one NIC from any others. For example, if you have two NICs named inner NIC and outer NIC, you can use inner and outer or even i and o to identify them. If you have only one NIC named Local Area Connection, you can use Local or even L, as follows:

netsh int ip set address L static 192.168.0.2 255.255.255.0 192.168.0.1 2

Notice that because L has no spaces, I don't need to enclose it in quotation marks.

By the way, if you want to set up a NIC to use DHCP, the Netsh syntax is easy. Just remove static and the specific IP addresses, subnet mask, and metric, then type either source=dhcp or dhcp after the NIC's name. To change your Local Area Connection NIC to DHCP, type

netsh int ip set address L dhcp

Setting DNS and WINS
Configuring TCP/IP on a NIC involves more than simply setting an IP address and gateway. You also need to set a DNS server and probably a WINS server. I could use a GUI to accomplish this step, but why not use a batch file? Netsh can set a system to use a DNS or WINS system, as follows:

netsh int ip set [dns|wins] <nicsname> static <ipaddress>

Suppose I intend to have UptownDC (my server at 192.168.0.2) act as the WINS and DNS server for this particular subnet. But I'm setting up UptownDC, so what addresses should I provide for the DNS and WINS servers? Typically, I'd tell UptownDC to look to itself to resolve names with DNS and WINS, so I'd simply include the following lines in my batch file:

netsh int ip set dns L static 192.168.0.2
netsh int ip set wins L static 192.168.0.2

One more Netsh thought: If you have a complex IP setup that you'd like to create from the command line, you might find the Netsh Int Dump command useful. After you get your computer's TCP/IP stack just the way you want it, simply type

netsh int dump

and Netsh will produce a script that lets you regenerate that TCP/IP configuration.

The DNS Domain Suffix
So far so good: With three lines in a batch file, I've set up the IP address, subnet mask, gateway, and DNS and WINS servers. But now I need to tackle the DNS domain suffix. In my experience, setting up a DNS server is easier if it already has a domain suffix. Otherwise, the DNS server software leaves warnings in the event log. Also, the server doesn't know to dynamically register its DNS records if it doesn't know which zone to register them with. Therefore, if UptownDC will be a member of bigfirm.biz, the server will need a domain suffix of bigfirm.biz as soon as possible.

I haven't found a Microsoft-documented way to set a domain suffix from a batch file, so I've devised my own method. Remember that I'm starting from a simple system that's a member of a workgroup, not a domain. And the system contains little software—it's essentially limited to the server itself and the DNS and WINS server services. So although I can virtually guarantee that this method works on workgroup systems that have a minimum of preinstalled software, I can't vouch for its effectiveness on more complex systems. Test it before you rely on it.

Set a DNS domain suffix through the GUI, reboot, then search the registry for that domain suffix. Only two results will turn up, both in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry subkey. Both the NV Domain and Domain entries (of type REG_SZ) contain the DNS domain suffix name. To make UptownDC into UptownDC.bigfirm.biz, I need to open regedit, navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry subkey, add a new REG_SZ entry named NV Domain, and place bigfirm.biz inside it, then perform the same steps for the Domain entry.

But how can I automate this procedure? Windows 2003, Windows XP, and Win2K contain a useful command-line tool for manipulating the registry—reg.exe. I can instruct reg.exe to create and populate a value entry in an HKEY_LOCAL_MACHINE registry subkey as follows:

reg add HKLM\<keyname> /v <valuename> /d <data> /f

The /v parameter specifies that you want to enter a particular value into the key (rather than creating an empty key). The /f parameter forces the command. If you don't force the command, when reg.exe finds that the key or value already exists, it stops and asks whether you're sure that you want to make the change, which would stall an unattended batch file. Equipped with this command, I can add two more lines to my setup batch file (note the backslash between CurrentControlSet and Services; the path must match the subkey exactly):

reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Domain /d "bigfirm.biz" /f

reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v "NV Domain" /d "bigfirm.biz" /f

Typically, whenever you change a system's domain suffix, the system insists that you reboot. I've never understood why a reboot is necessary, but I suspect it's because Windows is programmed to force a reboot when you change a machine name, and the DNS domain suffix is on the same Properties page. The bottom line is that in my experience, you don't need to reboot after setting these registry properties.

Can you force a reboot if you'd like to ensure that your system reboots after the domain suffix change? Windows 2003 and XP offer a useful command called shutdown.exe that will do the job. Although Win2K doesn't offer the command, the XP version works fine in Win2K, and alternatively you can use the Microsoft Windows 2000 Server Resource Kit's shutdown.exe command. Shutdown.exe's syntax varies between Windows 2003 and Win2K, however, so your batch file will differ depending on your OS. The Windows 2003 batch file would end with

shutdown /r /t 0 /f

and the Win2K batch file would end with

shutdown /r /t:0 /c
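
Putting the pieces together, here is the whole procedure for UptownDC as one batch file. This is an added example, not code from the original column; it uses the article's addresses and suffix and assumes the NIC is named Local Area Connection. Everything it touches (the TCP/IP stack and HKLM) requires local Administrator rights, so run it from an administrative command prompt. Unlike the bare commands above, it stops at the first failing step and reads each setting back after writing it rather than assuming success:

```batch
@echo off
setlocal

:: setup-uptowndc.cmd -- added example, not from the original column.
:: Assumptions: one NIC named "Local Area Connection", and the values
:: from the article (192.168.0.2/24, gateway 192.168.0.1, bigfirm.biz).
:: Run as a local Administrator; netsh and reg add under HKLM need it.

set NIC=Local Area Connection
set IPADDR=192.168.0.2
set MASK=255.255.255.0
set GW=192.168.0.1
set METRIC=2
set SUFFIX=bigfirm.biz
set TCPIP=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

:: Use the full NIC name in a script. Prefix matching ("L") is handy at
:: the keyboard, but a script that names the adapter in full documents
:: itself and cannot match a different adapter on a multihomed server.
netsh int ip set address "%NIC%" static %IPADDR% %MASK% %GW% %METRIC%
if errorlevel 1 goto fail

:: The future DC resolves names through itself, as in the article.
netsh int ip set dns "%NIC%" static %IPADDR%
if errorlevel 1 goto fail
netsh int ip set wins "%NIC%" static %IPADDR%
if errorlevel 1 goto fail

:: Primary DNS suffix: both values; REG_SZ is reg add's default type.
reg add %TCPIP% /v Domain /d "%SUFFIX%" /f
if errorlevel 1 goto fail
reg add %TCPIP% /v "NV Domain" /d "%SUFFIX%" /f
if errorlevel 1 goto fail

:: Verify rather than trust: read the values back, then confirm that
:: the stack itself now reports the suffix.
reg query %TCPIP% /v Domain
reg query %TCPIP% /v "NV Domain"
ipconfig /all | findstr /i /c:"Primary Dns Suffix"

:: Reboot syntax differs between Win2K (resource kit shutdown.exe) and
:: Windows 2003/XP; branch on the OS version string from VER.
ver | findstr /c:"Version 5.0" >nul
if not errorlevel 1 (
    shutdown /r /t:0 /c
) else (
    shutdown /r /t 0 /f
)
goto :eof

:fail
echo Setup step failed; configuration is only partially applied. >&2
exit /b 1
```

Two design points are worth noting. First, each command is followed by an errorlevel check, so a typo in the registry path or an adapter name that doesn't exist halts the script instead of leaving the box half-configured and then rebooting it. Second, the ipconfig /all line is the check that matters: if Primary Dns Suffix comes back empty, the registry values were written but the stack hasn't picked them up, and you want to know that before Dcpromo runs.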

In a future column, I'll show you how to set up an AD-ready DNS server from a batch file. I'll also show you how to run Dcpromo automatically to create a domain controller (DC).
