
Using PowerShell to install roles

So, you've got your Server 2k8 R2 installed as a base installation and you want to install a few roles onto it. You can use PowerShell to do this.

I know you're asking "why, when I can go through a few menus and it's done?" Humour me and it may save you some time.

To work with roles and powershell you will need to open powershell (duh). Before you can actually start tapping out the commands for installing services you will need to enable the modules within powershell.

So to begin with you will need to type:

import-module Servermanager

After you have completed that you can then type:

Get-windowsfeature

Which will output a rather verbose list of roles and features that can be installed onto a server 2008 R2 box (already installed roles will be documented with an [X]). For a more sensible list that you can reference I would use the command:

Get-Windowsfeature > c:\features.txt

Which would write the contents of the output into the features file on the C drive which I find easier to work with.

Now the important bit: installing features with PowerShell. You can install roles and features listed in the output of the above command by typing add-windowsfeature "Name", replacing "Name" with the Name (note: not the Display Name) of the feature you wish to install.

You can test the predicted result of installing a role or feature by using the -whatif parameter. For example, add-Windowsfeature "Name" -whatif would run a simulated installation and produce a hopefully positive outcome. It's also quite handy for finding out whether the server will need a reboot for the role, so you can find out beforehand what you need to schedule in.

Now all this is fairly academic until you start thinking about multiple servers. If you were in a large organisation, or just somewhere that bought a few servers, clicking through menus X amount of times suddenly seems a bit of a drag. What you have got above is the ability to script role and feature installs on your servers. So, for instance, if you wrote the below in a txt file and called it something.ps1, you could push it out to the brand new servers and have the roles auto install for you.

import-module Servermanager
Add-Windowsfeature "Name"

You could also add -restart after the role to restart the computer if it needs to after the role has installed.

You could save yourself a good bit of time when you have set this up correctly. Because it's PowerShell, you will have to allow PowerShell scripts to run, which you can do by typing "set-executionpolicy unrestricted"; of course, I would recommend you change it back after the scripts you want to run have completed.
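A fuller version of the something.ps1 idea above, as an added example that is not from the original post: it checks each name against Get-WindowsFeature, runs the -whatif simulation first, and records the reboot requirement per server. The feature names and the log path are sample values, and the script assumes PowerShell 2.0 on Server 2008 R2 in an elevated session.

```powershell
# Added example (not from the original post). Targets PowerShell 2.0 on
# Server 2008 R2; run from an elevated prompt.
# Feature names are sample values: check them against the Name column of
# Get-WindowsFeature on your own build.
param(
    [string[]]$Features = @('Web-Server', 'DNS'),
    [string]$LogPath = 'C:\role-install.csv',   # hypothetical log location
    [switch]$Apply                               # without -Apply, only simulate
)

Import-Module ServerManager

$results = foreach ($name in $Features) {
    $feature = Get-WindowsFeature -Name $name
    if (-not $feature) {
        Write-Warning "Unknown feature name '$name' (use Name, not Display Name)"
        continue
    }
    if ($feature.Installed) {
        Write-Host "$name is already installed, skipping"
        continue
    }

    # Simulate first so the reboot requirement is known before anything changes
    $r = Add-WindowsFeature -Name $name -WhatIf
    $mode = 'WhatIf'
    if ($Apply -and $r.Success) {
        # No -Restart here: the reboot is left for the operator to schedule
        $r = Add-WindowsFeature -Name $name
        $mode = 'Install'
    }

    New-Object PSObject -Property @{
        Server        = $env:COMPUTERNAME
        Feature       = $name
        Mode          = $mode
        Success       = $r.Success
        RestartNeeded = $r.RestartNeeded
        ExitCode      = $r.ExitCode
    }
}

if ($results) {
    $results | Export-Csv -Path $LogPath -NoTypeInformation
    $results | Format-Table Server, Feature, Mode, Success, RestartNeeded, ExitCode -AutoSize
}
```

In PowerShell 2.0, Set-ExecutionPolicy also accepts -Scope Process, which limits the relaxed policy to the session that runs the script, so there is no machine-wide setting to remember to change back.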

With a combination of scripts and your favourite distribution method you could shorten the time it takes to install the roles quite considerably thus giving you more time for Angry Birds which of course is always appreciated!

Read Only Domain Controller for Windows Server 2008 R2

RODC (Read Only Domain Controller) is a great new feature of Server 2k8. It's a nice, light little feature as well, one that does not require a great deal of setting up or babysitting.

RODC’s primary purpose is to provide local caching of the active directory database and DNS if required to remote branch offices. The main reasons for this could be that the link between the branch office and the domain controller at the head office is slow or prone to failures.

To implement an RODC there are several obvious prerequisites: because it's read only, the RODC will need to be installed in an already established domain, so all the fun stuff that goes with it is also required.

An RODC also has a couple of gotchas you will need to keep in mind. An RODC has a local administrator account. Yep, that's right, it flies in the face of everything you know about domain controllers, but it does, or at least a domain user or group is elected the local administrator of the RODC only. You can think of an RODC as not actually a full DC but something along the lines of a member server running a mini DC role. The handy thing with having a local administrator password is that maybe someone at your branch office has been given a little bit of power on the server; maybe they are allowed to reboot it for you if required, or check something. They can, without any fear of them being able to fiddle with any aspect of the DC service.

To install an RODC you will need to have added the server to the domain already as a member. It does not need to be added to the exact domain that the server will be an RODC for, only to a domain in the tree.

You would then need to run DCpromo and follow the prompts as you would normally expect to until you get to the point of clicking the RODC option. You will then also have the choice of including DNS and global catalog as part of the RODC's role. Thinking back to the purpose of an RODC, which is primarily to provide local authentication to branch office users without the constant game of ping pong across a WAN or some other slow link, it is sensible to leave DNS and global catalog selected so that they will be installed on the RODC as well. This has the added bonus of allowing at least some backup and functionality on the branch site should the WAN link go down: the branch office would still have some form of name resolution and authentication to any other servers or services in the branch site.

By default an RODC will not store password information from AD in its RODC role. This is controlled by two policies, one allow and one deny. You may decide that it would be a good idea to allow password caching on the RODC for the users based at the branch office so they don't need to hop across the WAN for all authentication requests.
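One way to review those two policies after allowing caching, as an added example that is not from the original post: it lists the allow and deny entries for an RODC, then flags any member of a sensitive group whose password is currently stored on it. The RODC name is a placeholder, and the script assumes the ActiveDirectory module that ships with Server 2008 R2 is available.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) is installed and a DC running AD Web Services is reachable.
param(
    [string]$Rodc = 'BRANCH-RODC01',            # placeholder RODC name
    [string]$SensitiveGroup = 'Domain Admins'   # accounts that should never be cached
)

Import-Module ActiveDirectory

# The two policies: who may have a password cached, and who never may
$allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
$denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)

# Accounts whose passwords are stored on the RODC right now. The RODC's own
# computer account and its krbtgt account are expected to appear here.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)

# Every member of the sensitive group, nested members included
$sensitive = @(Get-ADGroupMember -Identity $SensitiveGroup -Recursive |
    ForEach-Object { $_.DistinguishedName })

Write-Host "Allow policy on ${Rodc}: $($allowed.Count) entries"
$allowed | Sort-Object Name | ForEach-Object { "  + $($_.Name) [$($_.ObjectClass)]" }
Write-Host "Deny policy on ${Rodc}: $($denied.Count) entries"
$denied | Sort-Object Name | ForEach-Object { "  - $($_.Name) [$($_.ObjectClass)]" }

# Cached accounts that belong to the sensitive group
$flagged = @($revealed | Where-Object { $sensitive -contains $_.DistinguishedName })

Write-Host "Cached on ${Rodc}: $($revealed.Count) accounts"
foreach ($account in $flagged) {
    Write-Warning "$($account.SamAccountName) is in '$SensitiveGroup' and is cached on $Rodc"
}
if ($flagged.Count -eq 0) {
    Write-Host "No '$SensitiveGroup' members are cached on $Rodc"
}
```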

I will post another blog on administering an RODC once the role has been installed.