@MikaelSmith
Last active September 20, 2018 19:31
Windows Bootstrapping
# Requires PowerShell 5, Puppet, and the puppetlabs-dsc module (dsc_* types);
# the reboot resource comes from the puppetlabs-reboot module.
# These variables may need customization.
$domain_name = 'example.com'
# Credential hash in the form the dsc_* credential parameters expect.
$domain_credential = {
  'user'     => 'Administrator',
  'password' => 'Password1!',
}
$dns_servers = ['10.240.0.10', '10.240.1.20']

# Install the AD DS role and the RSAT tooling needed to manage it.
['AD-Domain-Services', 'RSAT-AD-PowerShell', 'RSAT-AD-Tools'].each |String $feature| {
  dsc_xwindowsfeature { $feature:
    ensure                   => 'present',
    dsc_name                 => $feature,
    dsc_includeallsubfeature => true,
  }
}

# Promote this host to the domain controller of the new domain.
dsc_xaddomain { 'domain':
  ensure                            => 'present',
  dsc_domainname                    => $domain_name,
  dsc_domainadministratorcredential => $domain_credential,
  dsc_safemodeadministratorpassword => $domain_credential,
}

# Forward queries the new DNS server cannot answer itself to the upstream resolvers.
dsc_xdnsserverforwarder { 'dnsforwarders':
  ensure               => 'present',
  dsc_issingleinstance => 'yes',
  dsc_ipaddresses      => $dns_servers,
}

# Reboot only when a DSC resource has flagged one as pending (domain promotion does).
reboot { 'dsc_reboot':
  message => 'DSC has requested a reboot',
  when    => 'pending',
}
# Set up fairly secure WinRM using a self-signed certificate.
# Disables unencrypted and simple authentication, and requires the latest NTLM version.
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $env:COMPUTERNAME
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $cert.Thumbprint -Force
New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -Protocol TCP
# Remove the plaintext HTTP listener and refuse Basic, CredSSP and unencrypted traffic.
winrm delete winrm/config/Listener?Address=*+Transport=HTTP
winrm set winrm/config/service/Auth '@{Basic="false"}'
winrm set winrm/config/service/Auth '@{CredSSP="false"}'
winrm set winrm/config/service '@{AllowUnencrypted="false"}'
# 0x20080030 = NTLMv2 session security (0x80000) + 128-bit encryption (0x20000000)
#              + message integrity (0x10) + message confidentiality (0x20).
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 -Name "NtlmMinClientSec" -Value 0x20080030 -PropertyType DWORD -Force
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 -Name "NtlmMinServerSec" -Value 0x20080030 -PropertyType DWORD -Force
# LmCompatibilityLevel 4: send NTLMv2 responses only and refuse LM authentication.
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "LmCompatibilityLevel" -Value 4 -PropertyType DWORD -Force
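As an added audit script (not part of the gist), the following checks that the WinRM hardening applied by the script above is still in effect: the plaintext HTTP listener is gone, the HTTPS listener references a certificate that is present and unexpired, the firewall rule exists, Basic, CredSSP and unencrypted traffic are disabled, and the NTLM registry values match. It assumes PowerShell 5 on the same host, with the WSMan and NetSecurity modules available; the function name Test-WinRMHardening is this example's own.

```powershell
function Test-WinRMHardening {
    # Collects findings; an empty list means every setting matches the bootstrap script.
    $findings = @()
    # Listeners: the plaintext HTTP listener must be gone and the HTTPS listener
    # must reference a certificate that is still present in LocalMachine\My and unexpired.
    $listeners = @(Get-ChildItem WSMan:\localhost\Listener)
    foreach ($listener in $listeners) {
        if ($listener.Keys -contains 'Transport=HTTP') {
            $findings += "Plaintext HTTP listener still exists ($($listener.Name))"
        }
        if ($listener.Keys -contains 'Transport=HTTPS') {
            $thumb = (Get-ChildItem $listener.PSPath | Where-Object Name -eq 'CertificateThumbprint').Value
            $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
            if (-not $cert) { $findings += "Listener certificate $thumb not found in LocalMachine\My" }
            elseif ($cert.NotAfter -lt (Get-Date)) { $findings += "Listener certificate expired $($cert.NotAfter)" }
        }
    }
    if (-not ($listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' })) {
        $findings += 'No HTTPS listener configured'
    }
    if (-not (Get-NetFirewallRule -Name 'Windows Remote Management (HTTPS-In)' -ErrorAction SilentlyContinue)) {
        $findings += 'Firewall rule for TCP 5986 is missing'
    }
    # Service settings the bootstrap script forced to "false".
    $mustBeFalse = @{
        'WSMan:\localhost\Service\AllowUnencrypted' = 'Unencrypted WinRM traffic is allowed'
        'WSMan:\localhost\Service\Auth\Basic'       = 'Basic authentication is enabled'
        'WSMan:\localhost\Service\Auth\CredSSP'     = 'CredSSP authentication is enabled'
    }
    foreach ($path in $mustBeFalse.Keys) {
        if ((Get-Item $path).Value -ne 'false') { $findings += $mustBeFalse[$path] }
    }
    # NTLM registry values, the same ones the bootstrap script writes.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $expected = @(
        @{ Path = "$lsa\MSV1_0"; Name = 'NtlmMinClientSec';     Value = 0x20080030 },
        @{ Path = "$lsa\MSV1_0"; Name = 'NtlmMinServerSec';     Value = 0x20080030 },
        @{ Path = $lsa;          Name = 'LmCompatibilityLevel'; Value = 4 }
    )
    foreach ($r in $expected) {
        $actual = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        if ($actual -ne $r.Value) { $findings += "$($r.Name) is '$actual', expected $($r.Value)" }
    }
    return ,$findings
}
$result = Test-WinRMHardening
if ($result.Count -eq 0) { 'WinRM hardening intact' } else { $result | ForEach-Object { "FAIL: $_" } }
```

Run it from an elevated PowerShell session, since the WSMan: drive and the Lsa registry keys are not readable by standard users.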
@MikaelSmith (Author) commented:
Puppet's DSC relies on WinRM over HTTP, so set up the Domain Controller before changing the WinRM config.
