VM Lab – Introduction

Hey guys,

It’s been a bit quiet lately, some holiday time and most importantly a change of jobs!
As of July 1st I now work for OSC as an Infrastructure Specialist and will hopefully have more time to expand my knowledge and share this with the community.

The last few weeks I’ve been busy playing around with a solution in order to quickly create a Lab with VM’s.

While I know how to manually set them up and create machines, I had a somewhat ‘ideal’ method in mind and didn’t really want to stray from that idea.

I will finish up the solution this week hopefully, but already have a Proof Of Concept [POC] solution working as intended.
While this sounds all fancy, basically I have all the tiny building blocks ready as scripts.
It means I will need to finish writing all the help files, modifying them from scripts to functions and putting them all in a single module.

What does the solution do?

Here’s a quick overview of what my solution does:

  • Creates [or checks for] a default Hyper-V folder structure in which you can store everything you require for your Lab
  • Creates a default Hyper-V infrastructure which you can utilize for your Lab
  • Creates template VHD files on which you can base your Lab VM’s.
    This solution provides templates for the following Operating Systems:

    • Windows 8.1
    • Windows 10
    • Windows Server 2008R2 [Core + GUI]
    • Windows Server 2012R2 [Core + GUI]
    • Windows Server 2016 TP5 [Core + GUI]
  • Creates differencing disks based on the above template VHDs, which are ‘enhanced’ by custom Unattend.xml files specifying:
    • ComputerName
    • UserName
    • Password
    • Organization
    • IP Address
    • DNS Server Address
    • Gateway Address

Once you have the template VHD files created [this takes the longest and only needs to be done once], it takes SECONDS to configure and start up your custom Lab VM.

[Image: LabMachine_PowerShell]

What next?

As mentioned above, I will need to update the help files, fine tune certain bits and convert the solution from separate scripts to functions in a module.
Now I’m not expecting this to take ages, but I want to make sure I don’t accidentally break my current solution.

In the coming time I will try and break down all created functions and provide the entire code.

To be continued! 🙂


Lab: Configure PowerShell WebAccess for management

Now that I have my Lab configured and set up to accept remoting from my Client machine, I want to set up a small Hyper-V lab onto this Host.

Since my goal is to manage as much as possible through PowerShell, my current setup runs into the following problem:
I can remote into my lab host, but PowerShell remoting is single-hop by default, so it is not recommended to daisy chain sessions from that host onto the guests.

In case you DO want this, you can look at the following articles that will give you more insight on multihop remoting.
A small insight on what is required:

What is the goal and what is required?

The goals I have are quite simple:

  • PowerShell access to my Host machine
  • PowerShell access to my Guest VM’s
  • It has to be secure, following Best Practice

In order to reach these goals I first have to figure out what the best practice is, since I can already access the Host machine.

According to a PowerPoint presentation by Lee Holmes [part of the PowerShell team since v1], CredSSP should only be used in the case of Highly Trusted Servers, because otherwise

‘This opens you up to credential theft, so is disabled by default on both the client and the server’

Ok, so I need another way to get access to my Hosts, which allows access to my Guest VM’s without having to multihop remote or RDP to my Host machine.

In comes PowerShell WebAccess!
This allows us to connect to the Host machine as console and through that session I can remote onto my Guest VM’s!

The Code

Getting this all done required 4 steps that can easily be done through PowerShell:

  • Install PowerShell WebAccess
  • Configure the PowerShell WebAccess Web Application – Gateway
  • Configure a restrictive authorization rule
  • Use PowerShell WebAccess

Installing PowerShell Web Access

To install PowerShell WebAccess is quite simple, but first let’s check if it’s not already installed or perhaps requires source media:

In my case this has not been done yet, so we’ll go ahead and install this.
Do note that PowerShell WebAccess requires IIS as its web server, so this will also get installed.

Reboot the machine if required, but normally you should be ready to continue.

Configure the PowerShell WebAccess Web Application – Gateway

Now that we have PowerShell WebAccess installed, we need to configure it for usage.
We can do this using

As the added parameter implies, this will set up a self-signed certificate, which is recommended for test environments only.
The certificate will expire in 90 days after which you should re-assign a new self-signed certificate.
When setting up a secure production environment be sure to use a valid certificate signed by a CA.

This command will configure a few things for you:

  • Install the PSWA Web Application
  • Install the PSWA Application Pool
  • Install PSWA within the IIS Default Web Site container
  • Automatically configure IIS to serve it on the default website under https://[servername]/pswa
  • Bind a self-signed certificate to the PSWA Web Application

In case you want to set up a valid certificate, use the following command

And configure the certificate through bindings on IIS Manager.

Configure a restrictive authorization rule

Now that we have the Role installed and the Gateway configured, we need to define who is actually allowed to access PowerShell WebAccess on this machine.
We can do this by explicitly granting access to users through the following commands.
Do note, there is no GUI alternative to add or manage these permissions; PowerShell will be required!

Now in the case of a test environment, you won’t want to be too picky on who can access your machine, but in the case of production you should make sure to configure these settings with care!

As the command implies, all users, connecting to all computers, are granted access to all session configurations.

In case you want to restrict this access a little bit more, you can do this by simply defining the provided parameters with more detail.
For my environment I personally restricted the UserName to the local administrator, just because I can 🙂
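The three PowerShell steps above [install, gateway, authorization rule] as one elevated script. This is an added example, not the post's own code; the host name CONTOSO-SRV001 is taken from the post, and the rule name is an assumption.

```powershell
# Added example (not from the original post): install PSWA, configure the
# gateway with a test certificate, and add a rule limited to the local
# administrator. Run in an elevated PowerShell session on the lab host.
#Requires -RunAsAdministrator

$HostName = 'CONTOSO-SRV001'      # lab host name (from the post)
$RuleName = 'LocalAdminOnly'      # assumed rule name

# Step 1: install the role only if it is missing; IIS comes in as a dependency.
$feature = Get-WindowsFeature -Name WindowsPowerShellWebAccess
if ($feature.InstallState -ne 'Installed') {
    Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools
}

# Step 2: configure the gateway. -UseTestCertificate creates a 90-day
# self-signed certificate and is for test labs only. For production, omit the
# switch and bind a CA-issued certificate to the site in IIS Manager.
Install-PswaWebApplication -UseTestCertificate

# Step 3: a restrictive rule. Only the host's local administrator may open the
# default session configuration on this host. Inspect any existing wide-open
# rule (* / * / *) with Get-PswaAuthorizationRule and remove it by Id with
# Remove-PswaAuthorizationRule so this rule is the only one that applies.
Add-PswaAuthorizationRule -UserName "$HostName\Administrator" `
                          -ComputerName $HostName `
                          -ConfigurationName 'Microsoft.PowerShell' `
                          -RuleName $RuleName

# Verify: the first call returns the rule, the second returns nothing,
# because an unlisted user (assumed name) is not matched by any rule.
Test-PswaAuthorizationRule -UserName "$HostName\Administrator" `
                           -ComputerName $HostName `
                           -ConfigurationName 'Microsoft.PowerShell'
Test-PswaAuthorizationRule -UserName "$HostName\LabUser" `
                           -ComputerName $HostName `
                           -ConfigurationName 'Microsoft.PowerShell'
```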

Use PowerShell WebAccess

Now that everything’s configured, let’s give it a test run!

Open your browser to the server’s name or FQDN

[Image: PSWA]

To log in there’s one tiny thing to keep in mind:

In the User name field, be sure to provide it in the format you used in your PswaAuthorizationRule, so in my case CONTOSO-SRV001\administrator instead of simply Administrator.

[Image: PSWA2]

You have full [secure] access to your Host VM, providing access to all Cmdlets, tab-completion etc. and you can now securely remote onto your Guest VM’s.


Happy scripting! 🙂


Lab: Connect to your ServerCore using remoting – step by step

The next part in my Lab setup now that I’ve gotten network configured is to actually no longer touch my new Lab machine…

While that might sound strange at first, the reason for this is simple.
My Lab should be a headless server, stuffed in a cabinet somewhere with power and a network connection and I should be able to do ALL my management tasks remotely.

This should be a simple task you’d say, but for the sake of clarity [and to learn this process better myself] I have decided to write down all the steps required to do this.

What is the goal and what is required

I think it helps to first define your goals before you start tinkering with a solution, as you might be easily distracted and not reach the goal you had set for yourself.
According to your goals, you note down what steps are required to reach those goals.
Don’t get me wrong, not the immediate script, just the simple text version of what you think you need to do to achieve the goal.

This is especially helpful for me, as I tend to get distracted a LOT!
Think Hammy from Over the Hedge or Dug from UP!

My goals in this case are as follows:

  • Connect to ServerCore using the computername through PSRemoting.

What is required:

  • Add the ServerCore’s computer name to my client’s hosts file
  • Add the ServerCore’s computername to my client’s Trusted Clients settings under WSMAN
  • Connect to ServerCore WSMAN
  • Add the client’s IP address to the ServerCore’s Trusted Clients settings under WSMAN

The code

Client machine Hosts file

Please note: these steps require PowerShell to be run as Administrator.

First of all we want to define some variable which we want to use later on

Of course we want to automate the addition of the ServerCore’s computername to the local hosts file, but in case we’ve already done this, we need to build in a check

To explain: I’m reading the contents of the current Hosts file, located here: C:\Windows\System32\drivers\etc\hosts.
Just in case you’ve installed Windows in another folder, the script automatically gets the correct location.
It will then check if the Hosts file already contains a line with the ServerCore’s IP address and Name.
If this is not there, it will automatically add this line to the $Hosts variable.
Once this is done it will write the contents of this variable back to the actual file and force it.

Client machine Trusted Hosts

Please note: these steps require PowerShell to be run as Administrator.

Now that you’ve changed the Hosts file, we need to add the ServerCore machine to our WSMAN Trusted Clients.

This will first read out the currently configured Trusted Hosts on your client machine and will then add the ServerCore to this list.
In case you DON’T have any Trusted Hosts configured on your client machine yet it will only add the ServerCore machine.

To check that everything is configured properly [or to check if you have any Trusted Hosts configured on your machine], you can run the following command:

Connect to ServerCore WSMAN

Please note: these steps require PowerShell to be run as Administrator.

While PSRemoting is enabled on Windows Server 2012 R2, it isn’t configured to allow connections from your Client machine.
WSMAN on the other hand is 🙂 .

We can simply create a connection to the machine by using the following commands:

ServerCore machine Trusted Hosts

Please note: these steps require PowerShell to be run as Administrator.

Now comes the tricky part:
We want to automatically get our Client machine’s IP Address and add this to the ServerCore’s Trusted Hosts list.

First we get our Client’s IP Address [requires PowerShell v4 and Windows 8+]:

Now that we have the Client machine’s IP Address, we can add this to the ServerCore’s Trusted Hosts:

Once again we want to check if everything’s properly configured:
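The four steps above [hosts file, client Trusted Hosts, WSMAN connection, ServerCore Trusted Hosts] as one idempotent script. This is an added example, not the post's own code; the server name and IP address are assumed placeholders, and the script runs elevated on the client.

```powershell
# Added example (not from the original post): end-to-end client setup for
# remoting to a ServerCore box. Server name and address are assumptions.
#Requires -RunAsAdministrator

$ServerName = 'CONTOSO-SRV001'    # ServerCore computer name (assumed)
$ServerIP   = '192.168.10.10'     # ServerCore IP address (assumed)
$Credential = Get-Credential -Message "Local administrator on $ServerName"

# Step 1: hosts file. $env:SystemRoot finds the file even when Windows is
# installed in a non-default folder. Only append when the exact line is absent.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Hosts     = Get-Content -Path $HostsPath
$Pattern   = "^\s*$([regex]::Escape($ServerIP))\s+$([regex]::Escape($ServerName))\s*$"
if (-not ($Hosts -match $Pattern)) {
    $Hosts += "$ServerIP`t$ServerName"
    Set-Content -Path $HostsPath -Value $Hosts -Force
}

# Step 2: client TrustedHosts. -Concatenate appends to the existing list
# instead of replacing it; skip if the server is already listed.
$Current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ',' |
           ForEach-Object { $_.Trim() } | Where-Object { $_ }
if ($Current -notcontains $ServerName) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $ServerName -Concatenate -Force
}

# Step 3: open the WS-Management connection; this mounts WSMan:\<ServerName>.
Connect-WSMan -ComputerName $ServerName -Credential $Credential

# Step 4: find the client's IPv4 address (skipping loopback and APIPA) and add
# it to the ServerCore's TrustedHosts through the remote WSMan: drive.
$ClientIP = (Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
             Select-Object -First 1).IPAddress
$RemotePath = "WSMan:\$ServerName\Client\TrustedHosts"
$Remote = (Get-Item $RemotePath).Value -split ',' |
          ForEach-Object { $_.Trim() } | Where-Object { $_ }
if ($Remote -notcontains $ClientIP) {
    Set-Item $RemotePath -Value $ClientIP -Concatenate -Force
}

# Check both sides, then prove the session works by asking the server its name.
Get-Item WSMan:\localhost\Client\TrustedHosts
Get-Item $RemotePath
Invoke-Command -ComputerName $ServerName -Credential $Credential -ScriptBlock { $env:COMPUTERNAME }
```

Keep the client TrustedHosts list to the one server name rather than a wildcard, since every entry on it is a machine you are willing to send credentials to.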

The result

Once this is done, you should be able to do the following

Tada!! 🙂

