Setting up an All-In-One Windows AD Test Environment (VirtualBox Edition)

Build a basic all-in-one lab in VirtualBox. This how-to shows you how to build a virtual Windows Active Directory environment isolated from your home or work network.  See my follow-up post using VMware Workstation here: https://smudj.wordpress.com/2019/01/23/setting-up-an-all-in-one-windows-ad-test-environment-vmware-workstation-edition/

Note: I’m no AD expert, there are better, worse, and different ways to do this and you’re not required to use VirtualBox.

Requirements:
16GB RAM minimum
SSD or multiple HDDs
Quad-core or better CPU with hardware virtualization enabled

 

1. Download the necessary software. Download the ISOs for the OSes you’ll be installing. For this example, I’ll be using IPFire and MSDN versions of Windows Server 2012R2 and Windows 10 Pro.
   1. VirtualBox: https://www.virtualbox.org/wiki/Downloads
   2. Windows OS Evaluation: https://www.microsoft.com/en-us/evalcenter/
   3. IPFire: https://www.ipfire.org/download/ipfire-2.21-core124
2. Create your IPFire router VM
   1. Click New, enter the name of your router, ie “IPFire”
   2. Change the OS to Linux, Ubuntu 64bit is fine as the version. Click Next.
   3. Enter 512MB for memory. Click Next.
   4. Click Create for a new virtual HDD and select VDI. Click Next.
   5. Select Dynamically allocated and click Next.
   6. Change the location here if necessary. The 10GB default is large enough, click Create.
   7. Once created, click Settings and then click Network. We need to modify the networking options.
      1. Adapter 1 should be set to NAT or Bridged.
      2. Adapter 2 needs to be enabled and set to Internal Network. **Make note of the MAC address for adapter 2. You can find it by expanding the Advanced tab.** 
      3. Click OK.
      4. 

 

3. Mount the IPFire ISO and install
   1. Click Settings on the IPFire VM. Click Storage.
   2. Click “Empty” next to the CD icon. Click the CD icon next to the far right to mount the ISO.
   3. Select “choose a virtual optical disk file” and browse to the ISO’s location.
   4. Select to mount. Click Ok to close the window.
   5. Power on the VM.
   6. Follow the IPFire prompts. Press enter to select, tab to move between selections, and the space bar to select check boxes.
   7. All defaults can be used.
   8. 
4. Configure IPFire
   1. Select the keyboard mapping. I’m using “us.” Press Enter to accept.
   2. Set your timezone. By pressing the first letter of your timezone, you can jump to that section. Select the correct timezone via the arrow keys and press Enter to accept.
   3. Enter a host name, the default is fine for our lab. Press Enter twice.
   4. The default domain is fine for our lab, press Enter twice to continue.
   5. Enter the root password and press Enter each time and once more to continue.
   6. Do the same for the admin password. Password can be the same for both for our lab purposes.–Network Configuration–
      1. Press Enter for “network configuration type”
      2. Select “Green + Red” and press Enter
      3. Arrow down to “drivers and card assignments.” and press Enter.
      4. Green: This is our internal network. Press Enter to select. Compare the MAC and select the correct interface. Press Enter to select the Interface.
      5. Red: This is our internet facing network, NAT or Bridged. Select RED, press Enter, and press Enter again to select the remaining interface.
      6. Tab over to done and press Enter.–Address Settings–
         Press Enter to select.
         GREEN:
         1. Select GREEN and press Enter.
         2. This is a new private, virtual network for our lab. Select a different IP subnet than your host network to avoid confusion.
         3. The IP warning can be ignored as we are not logged in remotely. In this example, the subnet is 192.168.211.1/24. Since this will be the gateway, we can use 192.168.211.1. The subnet mask does not need to change.
         4. Press Enter until you return to the GREEN/RED menu.
         RED:
         1. Select RED and press Enter.
         2. Select DHCP. This interface will get the IP from the VBox NAT or your physical network’s DHCP server. You can modify the hostname here if necessary.
         3. Tab to Done and press Enter.
         –DNS and Gateway settings–
         1. DNS and Gateway settings are only needed if using a static IP. Since we are using DHCP, there is nothing to change here. Tab to Done and press Enter.–DHCP Configuration–
         We will be using Windows DHCP instead of IPFire’s. Tab to OK and press enter without enabling DHCP. Press Enter to close setup.
5. Create Windows Server 2012 R2 VM
   1. From the VBox main men, click New.
   2. Enter a name, ex: “WS2012R2”, select the appropriate type (Windows 2012) and version (64-bit). Click Next.
   3. Set RAM to 4096MB. If you have more than 16GB of RAM, you can increase to 6 or 8GB, if needed. Click Next.
   4. Create a new virtual hard disk, click Create.
   5. Select VDI and click Next.
   6. Select Dynamically allocated, and click Next.
   7. Enter 80GB and click Create.
   8. Click Settings, then click Network.
   9. Select Internal Network.
   10. Select Storage. Click the CD under storage devices, then click the CD icon to the left of Optical Drive.
   11. Select Choose virtual optical disk file. Browse and select your Windows Server ISO.
   12. Click OK.
6. Install Windows Server 2012
   1. Install Windows as you normally would.
7. Configure Windows Server and Domain
   1. Enter the IP information. The IP needs to be on the same subnet as configured for the GREEN network. EX: 192.168.211.200, GW: 192.168.211.1, DNS: 127.0.0.1 since we’ll be creating a domain controller with DNS and DHCP services.
   2. You should be able to ping an IP address, but not a DNS name.
   3. Change the name of your server and reboot.Start the Add Roles and Feature Wizard
      1. Add the following roles:
      –Active Directory Domain Services
      –DHCP Services
      –DNS Services
      2. Follow the wizard’s steps.
      3. Promote: Add a new forest.
      4. Enter your domain name and follow the wizard.  –you will get a warning about DNS, this will be resolved later.
8. Configure DNS and DHCP

DNS.  We need to add a forwarder for our DNS settings.

1. From Administrative Tools, open DNS
2. Right-click on your server and click Properties.
3. Click the Forwarders tab
4. Click Edit, and add your external DNS servers like 4.2.2.1, 4.2.2.2, 8.8.8.8, and 8.8.4.4.

DHCP
1. Double-click DHCP from Administrative Tools
2. Expand IPv4 and right-click, click New Scope from the menu.
3. Enter an IP range, ex: 192.168.211.50 to 192.168.211.100
4. The remaining settings can be default for now.
5. When asked to configure scop options, verify “Yes” and click Next.
6. Router/Default gateway will be the IP we used to configure the GREEN NIC, ex: 192.168.211.1
7. Domain name and DNS should be pre-configured. You should see the server’s IP in IP address box, ex: 192.168.211.200
8. WINS does not need to be configured at this time.
9.When prompted to activate scope, verify “Yes” and click Next.
10. Click Finish to complete the wizard.

Right-click on the server’s name under DHCP, and click Authorize from the menu. Refresh and IPv4 should have a green circle with a white check mark.

9. Managing IPFire via web interface

You can access IPFire’s management console via a web browser.
Enter https://ipfire_ip-address:444, ex: https://192.168.211.1:444
Use “admin” and the password entered during step 4.

Note: You will get a certificate error when accessing the IPFire management page.

9. Adding Client VMs.

Nothing special here.  Install Windows/Linux as usual.  Make sure to select Internal Network for the VM’s network

10. Completion!

Here’s the money shot:
-VirtualBox
-IPFire VM
-WS2012R2 VM – domain controller for sw.net, DHCP and DNS roles
-Win10 VM – joined to sw.net, displaying IPFire’s web management page and network settings.

Hyper-V VMGuest.iso for older Windows OSes in Win10/2016

If you’re playing around with older OSes in the latest versions of Hyper-V, you’re missing one thing, the Integration Components (IC).

With Win10/Server2016 they no longer include this ISO as the current “supported” OSes all get their IC viaWindows Update.

You can get the IC from Hyper-V 2012/2012R2 Server, a free download, here:

https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2012-r2 ( to extract, you’ll need to mount the ISO, open the x:\sources\install.wim file with something like 7zip, browse to Windows\system32, and extract the vmguest.iso or install Hyper-V Server in a VM to get the vmguest.iso)

Or, if you’ve got a Windows 8/8.1/2012/2012R2 VM/system available with Hyper-V installed you’ll find it in the C:\windows\system32\ folder.

I’ve got a copy from Hyper-V 2012 R2 here: https://1drv.ms/u/s!AnbqFQxI6C6pibttEpT9LXnRf4jcYg 

Hyper-V 2008 R2 here: https://1drv.ms/u/s!AnbqFQxI6C6pio4TpkS4Yi9Pl0_Ejg 

Hyper-V 2008 here: https://1drv.ms/u/s!AnbqFQxI6C6pio4UYt3Jn_VLbrQs4w

No guarantees how long MS will allow it will stay up here, though it’s freely distributed with Hyper-V Server.

After installing the IC on OSes older than Windows Server 2012R2,  you will still see 2 unknown devices.  Per Microsoft, this is expected: https://support.microsoft.com/en-us/help/2925727/unknown-device-vmbus-in-device-manager-in-virtual-machine-for-avma

If you view the properties of these devices and check driver details, Hardware IDs or Compatible IDs, they will show the following:

• vmbus\{4487b255-b88c-403f-bb51-d1f69cf17f87}
• vmbus\{3375baf4-9e15-4b30-b765-67acb10d607b}
• vmbus\{99221fa0-24ad-11e2-be98-001aa01bbf6e}
• vmbus\{f8e65716-3cb3-4a06-9a60-1889c5cccab5}

These Virtual Devices (VDev) are provided for Automatic Virtual Machine Activation (AVMA) to communicate with the host. AVMA is only supported on virtual machines running Windows Server 2012 R2 or later versions of operating systems.

Windows XP Pro running in Hyper-V. Device Manager shows the 2 unknown devices after the IC have been installed.

—

Update:  The Integration Components won’t install in the Home and Starter versions of Windows.

Running DNS, DHCP, ADUC, etc, MMC Admin consoles with Windows 10 Microsoft Account

Note: This assumes you’ve already got the RSAT tools installed.  RSAT for Windows 10

Building on my post here for Hyper-V manager:

Running Hyper-V Manager as a different user in Windows 10 (Runas)

You can use the same method to get Active Directory Users and Computers (ADUC) and DNS MMC admin consoles working if you’re logged in with your Microsoft account versus your domain account:

DNS shortcut:

C:\Windows\System32\runas.exe /savecred /user:domain\username  "cmd /c Start /B %SystemRoot%\system32\mmc.exe %SystemRoot%\system32\dnsmgmt.msc""

Icon path:

%SystemRoot%\system32\dnsmgr.dll

ADUC shortcut:

C:\Windows\System32\runas.exe /savecred /user:domain\username  "cmd /c Start /B %SystemRoot%\system32\dsa.msc""

Icon path:

%SystemRoot%\system32\dsadmin.dll

When you double-click, you’ll get prompted for the password (if you haven’t already) and also for UAC

DHCP is a little more involved as the RSAT doesn’t include the DHCP manager.  NOTE: this is not currently supported by MS

1. 1. copy dhcpmgmt.msc and dhcpsnap.dll.mui from %windir%\system32\system32\en-us on the 2012 server to the same location on the w10 pc
2. copy dhcpsnap.dll from %windir%\system32\ on the 2012 server to the w10 pc
3. From an admin cmd prompt run: regsvr32.exe dhcpsnap.dll
4. Create the short-cut: C:\Windows\System32\runas.exe /savecred /user:domain\username  “cmd /c Start /B %SystemRoot%\system32\mmc.exe %SystemRoot%\system32\dhcpmgmt.msc””
5. Change Icon path: %SystemRoot%\System32\dhcpsnap.dll

You’ll need to manually add your DHCP server each time you run this.  I haven’t found a way to save the config.

*This was done with Windows 10 Build 1511 and Windows Server 2012.

For additional snap-ins, just modify the last part of the short-cut with the correct mmc path for the add-in you want.

Switching from Public to Private network via PowerShell

Here’s a quick way to get rid of the “public” network on Windows and switch it to a more usable private network type.

1. Open a PowerShell Window.
2. Get the list of network profiles on the system.  Note the InterfaceIndex number listed, you’ll need it for the final step.

   Get-NetConnectionProfile

3. Change the network interface to private, use the network interface index number from the previous command.

Set-NetConnectionProfile -InterfaceIndex xx -NetworkCategory Private

Running Hyper-V Manager as a different user in Windows 10 (Runas)

I hit a small issue while working on building up a test SCCM/SCVMM lab in Hyper-V.

My primary system (call it One) has Windows 10 and is domain joined, but I’ve been doing the “Microsoft” thing and logging in with my “Microsoft” account instead of my local domain account.

I’ve got two Hyper-V hosts, one on Windows Server 2012 R2 and another running on Windows 10* (call it Two).  I’ve been able to launch my Hyper-V Manager on One and connect and manage the Hyper-V VMs on Server 2012.

However, I hit a roadblock trying to connect to Two.  The first thing I tried after failing and getting some error messages was to configure winrm.

On Two:

I opened an administrator PowerShell window and ran

winrm quickconfig

and followed the wizard and was able to start the winrm service and open the firewall.

On One:

Again in a administrator PowerShell window, I ran:

Enable-WSManCredSSP -role client -delegatecomputer two.mydomain.com

Failure!  I got a big text message in red that said to run winrm quickconfig.

This is odd, since I did none of this to connect to the Server 2012 Hyper-V instance.

I then shift+right-clicked on Hyper-V Manager and ran it with my domain credentials and it ran! Ah ha!  No problem, just create a runas shortcut for Hyper-V Manager.

C:\Windows\System32\runas.exe /user:mydomain\myusername /savecreds "%windir%\System32\mmc.exe "%windir%\System32\virtmgmt.msc""

Again, no joy.  Launching my new short-cut from a command prompt showed the error:

740: The requested operation requires elevation.

The command needs ADUC elevation, with some Googling** I finally found a solution, first launch a cmd prompt and then the command.  This allows you to receive the ADUC prompt and accept it.

C:\WINDOWS\system32\runas.exe /savecred /user:mydomain\myusername "cmd /c Start /B %windir%\System32\mmc.exe "%windir%\System32\virtmgmt.msc""

The path to the Hyper-V Manager icon is here:

%ProgramFiles%\Hyper-V\SnapInAbout.dll

...

*I don’t recall my logic in installing Windows 10 here instead of Server 2012…it may have just been laziness, an upgrade to Win10 from the previous Windows 8.1 OS that was installed.

 

**http://serverfault.com/questions/374342/run-active-directory-admin-center-as-another-user

Configuring/Removing Password Policies in Windows Server 2012 for Lab/Demo environments

The default password policies are pretty strict for a lab or demo environment.  If you’re not in a domain, it’s easy to modify these settings from the Local Security Policies:

1. Run gpedit.msc
2. Under Computer Configuration–>Windows Settings–>Security Settings–>Account Policies–Password Policy
   1. Change the Policy Security Settings you want.

Under a domain controller, you can do this via the Active Directory Administrative Center

1. Run dsac.exe, or via the GUI it’s under Administrative Tools–>Active Directory Administrative Center
2. Go to YourDomain(local)–>System–>Password Settings Container
3. Click New from the Tasks menu
4. Create your Password Settings

Here’s the window, note that I’ve already created a password policy.  A new forest/domain will not have anything populated in it.

I don’t recommend disabling all these settings if you’re in a production environment.

TinyBorders for Win8 replaced with Winaero Tweaker

I posted a while back about a nice little utility I use on all my Windows 8.x systems to reclaim those lost pixels from Win 8’s giant, padded borders.

It’s recently been replaced with a new tool, Winaero Tweaker, link: http://winaero.com/comment.php?comment.news.1836

A new feature with Winaero Tweaker allows you to change colors, which is nice when working with Windows Server 2012 R2.

If you try to change the color you’ll see this:

 

Winaero Tweaker launches with an error in Windows Server 2012 R2, but it doesn’t seem to affect the programs ability to change border size or color.

As you can see, I changed the color from cyan to a light purple, shown in the Winaero Tweaker page

 

 

 

 

Windows Update fix for corruption errors like 0x80070002

Microsoft KB 947821 (http://support.microsoft.com/kb/947821)

If you’ve gotten one of those cryptic 0x800xxxxxx Windows Update errors, Microsoft finally has a fix for Vista and higher, no XP solution.

Fix Windows Update corruption errors such as 0x80070002 and 0x80070057

Windows Update corruption errors prevent Windows updates and service packs from installing. For example, an update might not install if a system file is damaged. If the error you see is in the following list, try the solution in this article.

0x80070002 | 0x8007000D | 0x800F081F | 0x80073712 | 0x800736CC | 0x800705B9 | 0x80070246 | 0x8007370D | 0x8007370B | 0x8007370A | 0x80070057 | 0x800B0100 | 0x80092003 | 0x800B0101 | 0x8007371B | 0x80070490

 

Windows 8.x and Server 2012 Rx

To resolve this problem, use the inbox Deployment Image Servicing and Management (DISM) tool. Then, install the Windows update or service pack again.

1. Open an elevated command prompt. To do this, swipe in from the right edge of the screen, and then tap Search. Or, if you are using a mouse, point to the lower-right corner of the screen, and then click Search. Type Command Prompt in the Search box, right-click Command Prompt, and then click Run as administrator. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
2. Type the following commands. Press Enter after each command.
   Note It may take several minutes for each command operation to be completed.
   • DISM.exe /Online /Cleanup-image /Scanhealth
   • DISM.exe /Online /Cleanup-image /Restorehealth
3. Close the command prompt, and then run Windows Update again.

DISM creates a log file (%windir%/Logs/CBS/CBS.log) that captures any issues that the tool found or fixed. %windir% is the folder in which Windows is installed. For example, the %windir% folder is C:\Windows.

 

Windows 7, Windows Vista, Windows Server 2008 R2 or Windows Server 2008

See the KB link for the download you need. http://support.microsoft.com/kb/947821

Virtual Machines not shutting down on host shutdown in Windows Server 2012 R2

Ben Armstrong has a little blurb about  a fix included in the latest rollup for Windows Server 2012 R2

http://blogs.msdn.com/b/virtual_pc_guy/archive/2014/01/08/virtual-machines-not-shutting-down-on-host-shutdown-in-windows-server-2012-r2.aspx

http://support.microsoft.com/kb/2896800/en-us

Hyper-V guest OS does not shut down when you restart the host computer that is running Windows Server 2012 R2 or Windows 8.1

Symptoms

Consider the following scenario:

• You set up a Hyper-V virtual machine on a host computer that is running Windows Server 2012 R2 or Windows 8.1.
• You set the Automatic Stop Action setting of the virtual machine to Shut down the guest operating system.
• You restart the host computer.

In this scenario, the guest operating system (OS) on the virtual machine does not shut down. Additionally, after you restart the virtual machine, the following event is logged on the guest OS:Event ID: 6008
Message: The previous system shutdown at time on date was unexpected.

Note If the computer is part of a cluster, this issue does not occur.

Cause

This issue occurs because the Virtual Machine Management Service tries to shut down the virtual machine by using the Virtual Machine Worker process. However, the process encounters a logic failure that causes the shutdown operation to fail and reverts the shutdown operation. Therefore, power cycling occurs instead of a clean shutdown.

Resolution

Update information

To resolve this issue, install update rollup 2887595. For more information about how to obtain this update rollup package, click the following article number to go to the article in the Microsoft Knowledge Base:

2887595

(http://support.microsoft.com/kb/2887595/ )

Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: November 2013

HVRemote updated for Hyper-V v.3 including Windows 8, 8.1, Server 2012, and Server 2012 R2

HVRemote has been updated for Hyper-V v.3  for supported use with Windows 8.x and Windows Server 2012 and R2.

HVRemote reduces the manual configuration steps needed for Hyper-V Remote Management down to a few simple commands, and can diagnose common configuration errors.

http://code.msdn.microsoft.com/windowsdesktop/Hyper-V-Remote-Management-26d127c6

Supported Servers:

• Windows Server 2008 SP1 with Hyper-V RTM update applied (KB950050), Core & Full installations
• Windows Server 2008 SP2, Core & Full installations
• Microsoft Hyper-V Server 2008 SP1 (already contains Hyper-V RTM update)
• Microsoft Hyper-V Server 2008 SP2
• Windows Server 2008 R2, Core & Full installations
• Windows Server 2008 R2 SP1, Core & Full installations
• Microsoft Hyper-V Server 2008 R2
• Microsoft Hyper-V Server 2008 R2 SP1
• Windows Server 2012 Core & Full installations (Version 1.x or later)
• Microsoft Hyper-V Server 2012 (Version 1.x or later)
• Windows 8 Pro & Enterprise x64 with Hyper-V enabled (Version 1.x or later)
• Windows Server 2012 R2 Core & Full installations (Version 1.08 or later)
• Microsoft Hyper-V Server 2012 R2 (Version 1.08 or later)
• Windows 8.1 x64 Client Hyper-V (Version 1.08 or later)