{"id":429,"date":"2014-10-30T00:01:00","date_gmt":"2014-10-30T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2014\/10\/30\/automatedlab-tutorial-series-part-5-install-ca-two-tier-hierarchy-for-pki\/"},"modified":"2014-10-30T00:01:00","modified_gmt":"2014-10-30T00:01:00","slug":"automatedlab-tutorial-series-part-5-install-ca-two-tier-hierarchy-for-pki","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/automatedlab-tutorial-series-part-5-install-ca-two-tier-hierarchy-for-pki\/","title":{"rendered":"AutomatedLab Tutorial Series Part 5: Install CA Two-Tier Hierarchy for PKI"},"content":{"rendered":"<p><b style=\"font-size:12px\">Summary<\/b><span style=\"font-size:12px\">: Microsoft PFEs, Raimund Andree and Per Pedersen, talk about using Windows PowerShell to automate the deployment of a PKI environment as it would typically be deployed in a production environment.<\/span>\nMicrosoft Scripting Guy, Ed Wilson, is here. Today is Part 5 of a series by Microsoft PFEs, Raimund Andree and Per Pedersen. 
Read their previous posts here:<\/p>\n<ul>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/scripting\/weekend-scripter-deploy-automatedlab-with-powershell-part-1\/\" target=\"_blank\">AutomatedLab Tutorial Part&nbsp;1: Introduction to AutomatedLab<\/a><\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/scripting\/automatedlab-tutorial-part-2-create-a-simple-lab\/\" target=\"_blank\">AutomatedLab Tutorial Part 2: Create a Simple Lab<\/a><\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/scripting\/automatedlab-tutorial-part-3-working-with-predefined-server-roles\/\" target=\"_blank\">AutomatedLab Tutorial Part 3: Working with Predefined Server Roles<\/a><\/li>\n<li><a href=\"http:\/\/blogs.technet.com\/b\/heyscriptingguy\/archive\/2014\/10\/29\/automatedlab-tutorial-series-part-4-install-a-simple-pki-environment.aspx\" target=\"_blank\">AutomatedLab Tutorial Series Part 4: Install a Simple PKI Environment<\/a><\/li>\n<\/ul>\n<p>Following up on Part 4, this post explains how to deploy a public key infrastructure (PKI) environment as it would typically be deployed in a production environment. The PKI environment will be deployed using two servers. One server will be a root certification authority (CA) and the other will be a subordinate CA server.\nThe root CA will be a stand-alone CA in a workgroup and the subordinate CA will be an enterprise CA in the domain. This split mirrors production practice: the root only ever signs the subordinate CA's certificate and its own CRL, so it can stay off the domain (in production it is normally kept offline altogether), while the subordinate CA does all day-to-day issuing. Afterwards, you will be able to request and issue certificates from the subordinate CA server to all computers and users in your lab. Also, if you want to sign Windows PowerShell scripts in the lab, a certificate can be created for this purpose.<\/p>\n<h2>Installation<\/h2>\n<p>If you have a version of AutomatedLab that is earlier than AutomatedLab&nbsp;2.5, please uninstall it and install the latest version. 
You can find what you need on Microsoft TechNet: <a href=\"https:\/\/gallery.technet.microsoft.com\/AutomatedLab-026d81f9\" target=\"_blank\">AutomatedLab<\/a>.\nThe installation process for AutomatedLab is explained in <a href=\"https:\/\/devblogs.microsoft.com\/scripting\/automatedlab-tutorial-part-2-create-a-simple-lab\/\" target=\"_blank\">AutomatedLab Tutorial Part 2: Create a Simple Lab<\/a>.<\/p>\n<h2>Prerequisites for AutomatedLab<\/h2>\n<p>AutomatedLab requires Hyper-V and Windows PowerShell&nbsp;3.0 (or higher). Hence, you need one of the following operating systems on the host where you want to install the lab:<\/p>\n<ul>\n<li>Windows Server&nbsp;2012&nbsp;R2<\/li>\n<li>Windows Server&nbsp;2012<\/li>\n<li>Windows&nbsp;8.1<\/li>\n<li>Windows&nbsp;8<\/li>\n<\/ul>\n<p><b>&nbsp; &nbsp; Note<\/b>&nbsp; Although Windows Server&nbsp;2008&nbsp;R2 could work and Windows&nbsp;10 hasn&rsquo;t been tested, at this time we recommend that you use one of the listed operating systems on the host machine.\nAutomatedLab scripts need to run directly on the host where the lab environment (the virtual machines) will be created.\nFor more information about the overall installation process, refer to the previous posts.<\/p>\n<h2>Prerequisites for installing CA servers in the lab<\/h2>\n<p>The only prerequisite for the certification authority (CA) installation is that the server needs to be running Windows Server 2012&nbsp;R2 or Windows Server 2012.<\/p>\n<h2>Defining the lab machines<\/h2>\n<p>For the subordinate server, a domain is needed. Hence, a domain controller needs to be installed. The installation is the same as in Part&nbsp;4. 
The domain and the domain controller are defined as follows:<\/p>\n<p style=\"margin-left:30px\">$role = Get-LabMachineRoleDefinition -Role RootDC `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Properties @{DomainFunctionalLevel = 'Win2012R2'; ForestFunctionalLevel = 'Win2012R2'}<\/p>\n<p style=\"margin-left:30px\">Add-LabMachineDefinition -Name S1DC1 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -MemoryInMb 512 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Network $labNetworkName `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -IpAddress 192.168.81.10 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -DnsServer1 192.168.81.10 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -DomainName test1.net `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -IsDomainJoined `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Roles $role `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -InstallationUserCredential $installationCredential `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -ToolsPath $labSources\\Tools `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -OperatingSystem 'Windows Server 2012 R2 SERVERDATACENTER'<\/p>\n<p>Then the root CA needs to be installed. This server will be a stand-alone CA: it is not joined to any domain, so its machine definition carries neither <b>-DomainName<\/b> nor <b>-IsDomainJoined<\/b>. It still points its DNS at the domain controller so that it can resolve the lab's names.\nThe certification authority (like the domain controller) is a role in AutomatedLab, and this role needs to be specified when defining the lab machine. The role is selected by using the <b>Get-LabMachineRoleDefinition<\/b> cmdlet as follows:<\/p>\n<p style=\"margin-left:30px\">$role = Get-LabMachineRoleDefinition -Role CaRoot<\/p>\n<p>The lab machine can be defined by using the selected role, for example:<\/p>\n<p style=\"margin-left:30px\">Add-LabMachineDefinition -Name S1ROOTCA1 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -MemoryInMb 512 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Network $labNetworkName `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -IpAddress 192.168.81.11 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -DnsServer1 192.168.81.10 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Roles $role `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -InstallationUserCredential $installationCredential `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -ToolsPath $labSources\\Tools `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -OperatingSystem 'Windows Server 2012 R2 SERVERDATACENTER'<\/p>\n<p>Next, the subordinate CA server needs to be defined. This is the command:<\/p>\n<p style=\"margin-left:30px\">$role = Get-LabMachineRoleDefinition -Role CaSubordinate<\/p>\n<p>The lab machine can be defined by using the selected role. The definition differs from the root CA's in three places: the <b>$role<\/b> variable, and the <b>-DomainName<\/b> and <b>-IsDomainJoined<\/b> parameters, because an enterprise CA has to be a member of the domain.<\/p>\n<p style=\"margin-left:30px\">Add-LabMachineDefinition -Name S2SUBCA1 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -MemoryInMb 512 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Network $labNetworkName `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -IpAddress 192.168.81.12 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -DnsServer1 192.168.81.10 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -DomainName test1.net `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -IsDomainJoined `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Roles $role `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -InstallationUserCredential $installationCredential `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -ToolsPath $labSources\\Tools `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -OperatingSystem 'Windows Server 2012 R2 SERVERDATACENTER'<\/p>\n<p>When all the machines have been defined, start the installation of the lab as usual:<\/p>\n<ol>\n<li>Export the lab definition.<\/li>\n<li>Import it (which also validates the configuration and reports any errors).<\/li>\n<li>Start the installation, which creates the virtual network and the base images, creates the Hyper-V virtual machines, and installs the roles found in the lab.<\/li>\n<\/ol>\n<p>The script looks like this:<\/p>\n<p style=\"margin-left:30px\">Export-LabDefinition -Force -ExportDefaultUnattendedXml<\/p>\n<p style=\"margin-left:30px\">Import-Lab -Path (Get-LabDefinition).LabFilePath<\/p>\n<p style=\"margin-left:30px\">Install-Lab -NetworkSwitches -BaseImages -VMs<\/p>\n<p style=\"margin-left:30px\">Install-Lab -Domains<\/p>\n<p>At this point, the domain controller is installed and ready. Now the installation of the certification authorities needs to be started. This is done like this:<\/p>\n<p style=\"margin-left:30px\">Install-Lab -CA<\/p>\n<p>Notice that you do not need to instruct the <b>Install-Lab<\/b> cmdlet about how to install the CAs and how they should be configured. This is done automatically, including having the root CA sign the subordinate CA's certificate request and making the root CA certificate available to the domain so that domain members trust the chain.\nThe lab is ready with a domain controller (hosting a domain, of course), a stand-alone root CA and an enterprise subordinate CA. Now you can request and issue certificates (from the subordinate CA) for use in your lab!<\/p>\n<h2>Customize the configuration of the CA servers<\/h2>\n<p>The first installation was very easy because the entire configuration is automatic when you call <b>Install-Lab -CA<\/b>. Now let&rsquo;s try installing a PKI environment where we define some of the CA configuration. Even though the default installation will work in the majority of situations for a test lab, it can be necessary to specify certain parts of the configuration for the PKI environment, for example to reproduce the CA names, key lengths and certificate lifetimes used in production.\nFirst of all, the current lab needs to be removed:<\/p>\n<p style=\"margin-left:30px\">Remove-Lab -Path &lt;path to the <b>lab.xml<\/b> file&gt;<\/p>\n<p>The <b>Remove-Lab<\/b> cmdlet turns off and removes the virtual machines, the disks, and the network adapter.\nThe domain and the domain controller need to be defined as previously:<\/p>\n<p style=\"margin-left:30px\">$role = Get-LabMachineRoleDefinition -Role RootDC `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Properties @{DomainFunctionalLevel = 'Win2012R2'; ForestFunctionalLevel = 'Win2012R2'}<\/p>\n<p style=\"margin-left:30px\">Add-LabMachineDefinition -Name S1DC1 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -MemoryInMb 512 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Network $labNetworkName `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -IpAddress 192.168.81.10 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -DnsServer1 192.168.81.10 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -DomainName test1.net `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -IsDomainJoined `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Roles $role `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -InstallationUserCredential $installationCredential `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -ToolsPath $labSources\\Tools `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -OperatingSystem 'Windows Server 2012 R2 SERVERDATACENTER'<\/p>\n<p>When you define the CA, you have the option of specifying configuration parameters. Take a look at the following:<\/p>\n<p style=\"margin-left:30px\">$role = Get-LabMachineRoleDefinition -Role CaRoot `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Properties @{CACommonName = 'MySpecialRootCA1'; KeyLength = '4096'; ValidityPeriod = 'Year'; ValidityPeriodUnits = '20'}<\/p>\n<p>The lab machine can be defined by using the selected role with the customized configuration. The root CA is again a stand-alone CA, so it is not domain joined:<\/p>\n<p style=\"margin-left:30px\">Add-LabMachineDefinition -Name S1ROOTCA1 -MemoryInMb 512 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Network $labNetworkName `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -IpAddress 192.168.81.11 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -DnsServer1 192.168.81.10 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Roles $role `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -InstallationUserCredential $installationCredential `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -ToolsPath $labSources\\Tools `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -OperatingSystem 'Windows Server 2012 R2 SERVERDATACENTER'<\/p>\n<p>Lastly, the machine for the subordinate CA needs to be defined. This time the role is <b>CaSubordinate<\/b> and the CA gets its own common name (two CAs with the same name would be impossible to tell apart in the certificates they issue); the remaining properties are the same as for the root:<\/p>\n<p style=\"margin-left:30px\">$role = Get-LabMachineRoleDefinition -Role CaSubordinate `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Properties @{CACommonName = 'MySpecialSubCA1'; KeyLength = '4096'; ValidityPeriod = 'Year'; ValidityPeriodUnits = '20'}<\/p>\n<p>To define (add) the machine, type the following command. It is the same as the command used for the root CA apart from the <b>$role<\/b> variable, the IP address and the domain membership, which the enterprise subordinate CA requires:<\/p>\n<p style=\"margin-left:30px\">Add-LabMachineDefinition -Name S2SUBCA1 -MemoryInMb 512 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Network $labNetworkName `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -IpAddress 192.168.81.12 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -DnsServer1 192.168.81.10 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -DomainName test1.net `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -IsDomainJoined `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Roles $role `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -InstallationUserCredential $installationCredential `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -ToolsPath $labSources\\Tools `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -OperatingSystem 'Windows Server 2012 R2 SERVERDATACENTER'<\/p>\n<p>Use the following script to perform the actual installation of the lab:<\/p>\n<p style=\"margin-left:30px\">Export-LabDefinition -Force -ExportDefaultUnattendedXml<\/p>\n<p style=\"margin-left:30px\">Import-Lab -Path (Get-LabDefinition).LabFilePath<\/p>\n<p style=\"margin-left:30px\">Install-Lab -NetworkSwitches -BaseImages -VMs<\/p>\n<p style=\"margin-left:30px\">Install-Lab -Domains<\/p>\n<p style=\"margin-left:30px\">Install-Lab -CA<\/p>\n<p>Notice that the command for installing the CAs is the same as before. The difference is that the properties given to <b>Get-LabMachineRoleDefinition<\/b> are now passed on to the CA installation script.\nThe lab is ready with a domain controller (hosting a domain) and with a complete two-tier PKI hierarchy configured by using our customized parameters.\nTo see all the parameters that you can specify when you install a CA server in AutomatedLab, type the following:<\/p>\n<p style=\"margin-left:30px\">Get-Help Install-LWLabCAServers -Parameter *<\/p>\n<p>Or to see only the names of the parameters (without the detailed information), type:<\/p>\n<p style=\"margin-left:30px\">(Get-Command Install-LWLabCAServers).Parameters.Keys<\/p>\n<p><b>&nbsp; &nbsp; Note<\/b>&nbsp; Changing the parameters for the CA servers requires that you know how the corresponding configuration settings of a CA server work. Hence, only customize parameters if you know the PKI and actually need to; a wrong validity or CRL setting does not show up at installation time but later, when certificates fail to validate.<\/p>\n<h2>Supported PKI configurations in AutomatedLab<\/h2>\n<p>AutomatedLab supports 1-tier and 2-tier deployments for the PKI. This means that you can deploy a root CA alone, or a root CA with a subordinate CA that chains to it.\nAutomatedLab supports only PKI deployments in the same Active Directory forest. 
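<\/p>
<p>Once <b>Install-Lab -CA<\/b> has finished, it is worth confirming that the hierarchy really is two-tier and trusted before handing the lab to anyone, and the introduction mentioned signing Windows PowerShell scripts as one use of the subordinate CA. The following script is an added example; it is not part of the original post and not AutomatedLab code. It assumes it is run inside the lab on the subordinate CA (S2SUBCA1 in this post) as a domain administrator of test1.net, that the CodeSigning template has been published on that CA beforehand (Add-CATemplate -Name CodeSigning, run on the CA), and that the current user is allowed to enroll it. No CA names are assumed: the CA's own certificate is located through its BasicConstraints extension.<\/p>

```powershell
# Added example, not from the original post and not AutomatedLab code.
# Run on the subordinate CA (assumed: S2SUBCA1) as a domain administrator
# of test1.net after Install-Lab -CA. Assumed: the CodeSigning template has
# been published on this CA (Add-CATemplate -Name CodeSigning) and the
# current user has Enroll permission on it.

function Get-StoreCertificates {
    # Enumerates one Windows certificate store through the Cert: drive.
    param([string]$StoreName, [string]$Location)
    @(Get-ChildItem -Path ('Cert:\\{0}\\{1}' -f $Location, $StoreName))
}

function Get-LocalCACertificate {
    # A CA's own certificate lives in the machine's My store and carries
    # BasicConstraints CA=true; ordinary machine certificates do not.
    Get-StoreCertificates -StoreName 'My' -Location 'LocalMachine' |
        Where-Object {
            $bc = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
            $bc -and $bc.CertificateAuthority
        } | Select-Object -First 1
}

function Test-TwoTierChain {
    # Builds the chain with online revocation checking so that the CDP and AIA
    # locations the CAs published are actually fetched, not merely trusted.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $built = $chain.Build($Certificate)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $root = $elements[-1]
    $trustedRoots = Get-StoreCertificates -StoreName 'Root' -Location 'LocalMachine'
    [pscustomobject]@{
        ChainBuilt      = $built
        IsTwoTier       = ($elements.Count -eq 2)
        RootSelfSigned  = ($root.Subject -eq $root.Issuer)
        RootInRootStore = [bool]($trustedRoots | Where-Object { $_.Thumbprint -eq $root.Thumbprint })
        Subjects        = @($elements | ForEach-Object { $_.Subject })
        Problems        = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    }
}

function Test-LabCodeSigning {
    # Enrolls a code-signing certificate from the enterprise (subordinate) CA,
    # signs a constructed throw-away script and verifies the signature from disk.
    param([string]$TemplateName = 'CodeSigning')
    $enrollment = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\\CurrentUser\\My'
    if ($enrollment.Status -ne 'Issued') {
        throw ('Enrollment did not complete, status: {0}' -f $enrollment.Status)
    }
    # Re-read the certificate from the store so that the private key is linked to it.
    $signer = Get-StoreCertificates -StoreName 'My' -Location 'CurrentUser' |
        Where-Object { $_.Thumbprint -eq $enrollment.Certificate.Thumbprint }
    $scriptPath = Join-Path $env:TEMP 'lab-signing-test.ps1'
    Set-Content -Path $scriptPath -Value 'Write-Output (Get-Date)' -Encoding ASCII   # constructed sample script
    $null = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $signer
    (Get-AuthenticodeSignature -FilePath $scriptPath).Status
}

$caCert = Get-LocalCACertificate
if (-not $caCert) { throw 'No CA certificate found in the machine store; is this the subordinate CA?' }
$report = Test-TwoTierChain -Certificate $caCert
$report | Format-List
if (-not ($report.ChainBuilt -and $report.IsTwoTier -and $report.RootSelfSigned -and $report.RootInRootStore)) {
    throw 'The subordinate CA certificate does not chain to a trusted, self-signed root.'
}
'Code-signing test against the subordinate CA: {0}' -f (Test-LabCodeSigning)
```

<p>The chain is built with online revocation checking on purpose: a hierarchy that only validates with revocation checking switched off usually means the CDP or AIA locations written into the subordinate CA certificate cannot be reached from the domain, and a lab is the place to find that out, not the production rollout that copies the configuration. The signing test uses no timestamp server because the lab has no route to one, so such signatures stop validating when the signing certificate expires.<\/p>
<p>The restriction in this section is on the forest boundary. 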
That is, deployment of a root CA in one Active Directory forest and a subordinate CA in another Active Directory forest is not supported.<\/p>\n<h2>The full script<\/h2>\n<p style=\"margin-left:30px\">$start = Get-Date<\/p>\n<p style=\"margin-left:30px\">#Some definitions about folder paths<\/p>\n<p style=\"margin-left:30px\">#This folder contains three sub folders<\/p>\n<p style=\"margin-left:30px\"># -ISOs &#8211; Stores all the DVD images<\/p>\n<p style=\"margin-left:30px\"># -PostInstallationActivities &#8211; any scripts to customize the environment after installation<\/p>\n<p style=\"margin-left:30px\"># -Tools &#8211; copied to the Windows folder of every lab machine (see -ToolsPath below)<\/p>\n<p style=\"margin-left:30px\">$labSources = 'E:\\LabSources'<\/p>\n<p style=\"margin-left:30px\">$vmDrive = 'D:'<\/p>\n<p style=\"margin-left:30px\">$labName = 'PKITypical1'<\/p>\n<p style=\"margin-left:30px\">#this folder stores the XML files that contain all the information about the lab<\/p>\n<p style=\"margin-left:30px\">$labPath = Join-Path $vmDrive $labName<\/p>\n<p style=\"margin-left:30px\">#create the target directory if it does not exist<\/p>\n<p style=\"margin-left:30px\">if (-not (Test-Path $labPath)) { New-Item $labPath -ItemType Directory | Out-Null }<\/p>\n<p style=\"margin-left:30px\">#create an empty lab template and define where the lab XML files and the VMs will be stored<\/p>\n<p style=\"margin-left:30px\">New-LabDefinition -Path $labPath -VmPath $labPath -Name $labName -ReferenceDiskSizeInGB 60<\/p>\n<p style=\"margin-left:30px\">#make the network definition<\/p>\n<p style=\"margin-left:30px\">Add-LabVirtualNetworkDefinition -Name $labName -IpAddress 192.168.81.1 -PrefixLength 24<\/p>\n<p style=\"margin-left:30px\">#and the domain definition with the domain admin account<\/p>\n<p style=\"margin-left:30px\">Add-LabDomainDefinition -Name test1.net -AdminUser administrator -AdminPassword Password1<\/p>\n<p style=\"margin-left:30px\">#these images are used to install the machines<\/p>\n<p style=\"margin-left:30px\">Add-LabIsoImageDefinition -Name Server2012 -Path $labSources\\ISOs\\en_windows_server_2012_r2_with_update_x64_dvd_4065220.iso -IsOperatingSystem<\/p>\n<p style=\"margin-left:30px\">#these credentials are used for connecting to the machines. As this is a lab we use clear-text passwords<\/p>\n<p style=\"margin-left:30px\">$installationCredential = New-Object PSCredential('Administrator', ('Password1' | ConvertTo-SecureString -AsPlainText -Force))<\/p>\n<p style=\"margin-left:30px\">#the first machine is the root domain controller. Everything in $labSources\\Tools gets copied to the machine's Windows folder<\/p>\n<p style=\"margin-left:30px\">$role = Get-LabMachineRoleDefinition -Role RootDC @{ DomainFunctionalLevel = 'Win2012R2'; ForestFunctionalLevel = 'Win2012R2' }<\/p>\n<p style=\"margin-left:30px\">Add-LabMachineDefinition -Name S1DC1 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -MemoryInMb 512 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -IsDomainJoined `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -DomainName test1.net `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Network $labName `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -IpAddress 192.168.81.10 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -DnsServer1 192.168.81.10 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -InstallationUserCredential $installationCredential `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -ToolsPath $labSources\\Tools `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -OperatingSystem 'Windows Server 2012 R2 SERVERDATACENTER' `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Roles $role<\/p>\n<p style=\"margin-left:30px\">#the second is a workgroup server configured as stand-alone root CA (no domain membership). Everything in $labSources\\Tools gets copied to the machine's Windows folder<\/p>\n<p style=\"margin-left:30px\">$role = Get-LabMachineRoleDefinition -Role CaRoot<\/p>\n<p style=\"margin-left:30px\">Add-LabMachineDefinition -Name S1ROOTCA1 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -MemoryInMb 512 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Network $labName `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -IpAddress 192.168.81.20 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -DnsServer1 192.168.81.10 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -InstallationUserCredential $installationCredential `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -ToolsPath $labSources\\Tools `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -OperatingSystem 'Windows Server 2012 R2 SERVERDATACENTER' `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Roles $role<\/p>\n<p style=\"margin-left:30px\">#the third is a domain member server configured as enterprise subordinate CA. Everything in $labSources\\Tools gets copied to the machine's Windows folder<\/p>\n<p style=\"margin-left:30px\">$role = Get-LabMachineRoleDefinition -Role CaSubordinate<\/p>\n<p style=\"margin-left:30px\">Add-LabMachineDefinition -Name S2SUBCA1 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -MemoryInMb 512 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -IsDomainJoined `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -DomainName test1.net `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Network $labName `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -IpAddress 192.168.81.30 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -DnsServer1 192.168.81.10 `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -InstallationUserCredential $installationCredential `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -ToolsPath $labSources\\Tools `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -OperatingSystem 'Windows Server 2012 R2 SERVERDATACENTER' `<\/p>\n<p style=\"margin-left:30px\">&nbsp;&nbsp;&nbsp; -Roles $role<\/p>\n<p style=\"margin-left:30px\">#This all has created the lab configuration in memory. Next step is to export it to XML. You could have made the<\/p>\n<p style=\"margin-left:30px\">#lab definitions in XML as well or can do modifications in the XML if this seems easier.<\/p>\n<p style=\"margin-left:30px\">Export-LabDefinition -Force -ExportDefaultUnattendedXml<\/p>\n<p style=\"margin-left:30px\">#Set trusted hosts to '*' and enable CredSSP on the host. Lab-only: WinRM on the host then trusts every remote<\/p>\n<p style=\"margin-left:30px\">#machine by name or IP, and the host's credentials may be delegated to the lab machines.<\/p>\n<p style=\"margin-left:30px\">Set-LabHostRemoting<\/p>\n<p style=\"margin-left:30px\">#Now the XML files need to be reimported. Some basic checks are done for duplicate IP addresses, machine names, domain<\/p>\n<p style=\"margin-left:30px\">#membership, etc. If this reports errors please run Test-LabDefinition (Get-LabDefinition).LabFilePath for more information<\/p>\n<p style=\"margin-left:30px\">Import-Lab -Path (Get-LabDefinition).LabFilePath<\/p>\n<p style=\"margin-left:30px\">#Now the actual work begins. First the virtual network adapter is created and then the base images per OS<\/p>\n<p style=\"margin-left:30px\">#All VMs are differencing disks from the base.<\/p>\n<p style=\"margin-left:30px\">Install-Lab -NetworkSwitches -BaseImages -VMs<\/p>\n<p style=\"margin-left:30px\">#This sets up all domains \/ domain controllers<\/p>\n<p style=\"margin-left:30px\">Install-Lab -Domains<\/p>\n<p style=\"margin-left:30px\">#Install CA server(s): root first, then the subordinate, whose request is signed by the root<\/p>\n<p style=\"margin-left:30px\">Install-Lab -CA<\/p>\n<p style=\"margin-left:30px\">#Start all machines that have not yet started<\/p>\n<p style=\"margin-left:30px\">Install-Lab -StartRemainingMachines<\/p>\n<p style=\"margin-left:30px\">$end = Get-Date<\/p>\n<p style=\"margin-left:30px\">Write-Host \"Setting up the lab took $($end - $start)\"<\/p>\n<h2>What&rsquo;s next?<\/h2>\n<p>The next post discusses how to manage software inside your lab and how to run custom tasks by leveraging the AutomatedLab infrastructure.\nThanks to Raimund and Per. This is really helpful stuff. Please join us tomorrow for Part 6.\nI invite you to follow me on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\">Facebook<\/a>. If you have any questions, send email to me at <a href=\"mailto:scripter@microsoft.com\" target=\"_blank\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\">Official Scripting Guys Forum<\/a>. See you tomorrow. 
Until then, peace.<\/p>\n<p><b>Ed Wilson, Microsoft Scripting Guy<\/b><span style=\"font-size:12px\">&nbsp;<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Microsoft PFEs, Raimund Andree and Per Pedersen, talk about using Windows PowerShell to automate the deployment of a PKI environment as it would typically be deployed in a production environment. Microsoft Scripting Guy, Ed Wilson, is here. Today is Part 5 of a series by Microsoft PFEs, Raimund Andree and Per Pedersen. Read their [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[56,543,544,3,45],"class_list":["post-429","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-guest-blogger","tag-per-pedersen","tag-raimund-andree","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Microsoft PFEs, Raimund Andree and Per Pedersen, talk about using Windows PowerShell to automate the deployment of a PKI environment as it would typically be deployed in a production environment. Microsoft Scripting Guy, Ed Wilson, is here. Today is Part 5 of a series by Microsoft PFEs, Raimund Andree and Per Pedersen. 
Read their [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/429","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=429"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/429\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=429"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=429"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=429"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}