#==============================================
# Generated On: 8/6/2014 3:12 PM
# Generated By: Brian Graf
# Technical Marketing Engineer - Automation
# Organization: VMware
# VCAC 6 Pre-Req Automation Script v2
#==============================================
#----------------------------------------------
#==================USAGE=======================
# For Windows Server 2008 & 2012
# This script has been created to aid in
# Configuring the settings for the vCAC 6
# Pre-Req Checker. This script will set all
# Pre-Req's except for enabling TCP/IP in
# MS SQL, which needs to be performed manually
# And the services will need to be restarted.
#----------------------------------------------
#===============REQUIREMENTS===================
# For this script to run successfully be sure:
# *To run PowerShell as administrator
# *To have admin rights on the server
# *.NET 4.5 Framework installed
#----------------------------------------------
#=============EDITOR'S NOTE====================
# In order for this script to work on servers that
# have proxied or restricted access to the Internet,
# it is necessary to configure a local source repository
# or else the features and roles requiring .NET 3.5 will fail.
# To do so, configure the variable called $InstallSource
# below making sure to set the path appropriately. In
# this example, the source is provided by mounting the
# installation CD as drive D.
# - Chip Zoller, Senior Virtualization Engineer, Worldpay US
# ----------------------------------------
# USER CONFIGURATION - EDIT AS NEEDED
# ----------------------------------------
# Folders used by the IIS role: site root, log directory and web content root.
$InetPubRoot    = 'C:\Inetpub'
$InetPubLog     = 'C:\Inetpub\Log'
$InetPubWWWRoot = 'C:\Inetpub\WWWRoot'
# ------------- Server 2012 ---------------
# Local feature source. It is read ONLY on Server 2012, and only when the
# connectivity test further down fails. Features are installed from this
# folder by an elevated session, so point it at trusted installation media.
$InstallSource  = 'D:\sources\sxs\'
# ----------------------------------------
# END OF USER CONFIGURATION
# ----------------------------------------
# ----Do not modify beyond this point-----
# Non-terminating errors are reported and the script keeps going, so a failed
# step does not stop the steps after it; read the output before trusting the
# final "completed" message.
$ErrorActionPreference = 'Continue'
# ----------------------------------------
# CHECK POWERSHELL SESSION
# ----------------------------------------
# Wrap the identity of the current session so its role membership can be tested.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$Elevated = New-Object Security.Principal.WindowsPrincipal($currentIdentity)
& {
    # Guard 1: the session must hold the built-in Administrator role.
    if (-not $Elevated.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Powershell must be run as an adminstrator."
    }
    Write-Host "PowerShell is running as an administrator." -ForegroundColor Green

    # Guard 2: pointers are 8 bytes wide only in a 64-bit process.
    if ([IntPtr]::Size -ne 8) {
        Write-Host "You are running 32-bit PowerShell" -ForegroundColor Red
        throw "Please run using 64-bit PowerShell as administrator"
    }
    Write-Host "You are running 64-bit PowerShell" -ForegroundColor Green
}
# ----------------------------------------
# END OF POWERSHELL CHECK
# ----------------------------------------
# ----------------------------------------
# CHECK FOR .NET FRAMEWORK
# ----------------------------------------
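# .NET Framework 4.5 or higher is required for vCAC6 to run properly.
# Read the Version value of every sub-key under the NDP setup key whose name
# starts with a letter other than "S", and keep the highest one.
# NOTE(review): Sort-Object compares the Version values as strings here;
# confirm that is acceptable if multi-digit major/minor versions ever appear.
$DNVersion = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse |
    Get-ItemProperty -Name Version -EA 0 |
    Where-Object { $_.PSChildName -match '^(?!S)\p{L}' } |
    Sort-Object Version -Descending |
    Select-Object -ExpandProperty Version -First 1

# Compare as [version] objects, not as strings or floating-point numbers.
# -as yields $null instead of raising an error when the value cannot be parsed.
$DNParsedVersion = $DNVersion -as [version]
$DNRequiredVersion = [version]'4.5'

# Stop the installer when no usable version was found or it is older than 4.5.
# The earlier form of this check tested an undefined variable ($NetVersion)
# with the branches swapped, so it reported success on every machine and the
# prerequisite was never enforced.
if (-not $DNParsedVersion -or ($DNParsedVersion -lt $DNRequiredVersion)) {
    Throw "Please upgrade .Net framework to version 4.5 or above"
}
Write-Host ".NET version on this server is $DNVersion " -ForegroundColor Green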
# ---------------------------------------
# END OF .NET FRAMEWORK CHECK
# ---------------------------------------
# ---------------------------------------
# Check Operating System Version
# ---------------------------------------
# Read the OS caption from WMI, then shorten $os to the release year when the
# caption names a supported release. $os keeps the full caption otherwise.
$caption = (Get-WmiObject -Class Win32_OperatingSystem).Caption
$os = $caption
$recognised = $false
foreach ($release in '2008', '2012') {
    if ($caption -like "*$release*") {
        Write-Host "OS = $os" -ForegroundColor Green
        $os = $release
        $recognised = $true
    }
}
# An unsupported OS is only reported here; the script is stopped later, by the
# framework installation step.
if (-not $recognised) {
    Write-Host "The current operating system, $os, is not supported at this time"
}
# ---------------------------------------
# END OF OS VERSION CHECK
# ---------------------------------------
# Begin installations
# ----------------------------------------
# BEGIN ROLE AND FEATURE INSTALL
# ----------------------------------------
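# Load the feature installation module and install the IIS roles named by the
# vCAC 6 pre-req checker.
Write-Host "Importing Server Manager " -ForegroundColor Yellow
Import-Module ServerManager
Write-Host "Installing IIS roles " -ForegroundColor Yellow

# Defined once so that every branch below installs exactly the same role set.
$IisRoles = 'Web-Webserver', 'Web-Http-Redirect', 'Web-Asp-Net', 'Web-Windows-Auth',
            'Web-Mgmt-Console', 'Web-Mgmt-Compat', 'web-metabase'

if ($os -eq "2008") {
    Add-WindowsFeature -Name $IisRoles
}
if ($os -eq "2012") {
    # Connectivity is judged by pinging google.com twice. This is only a
    # heuristic: a network that drops ICMP looks offline here even when the
    # feature payload could be downloaded.
    if (!(Test-Connection google.com -Count 2 -ErrorAction SilentlyContinue)) {
        Write-Host "Internet Connection Not Successful. Installer will need access to the Server 2012 Installation ISO (/sources/sxs/)" -ForegroundColor Yellow

        # Ask for the source folder when the configured one is empty or does
        # not exist. The answer must be stored in $InstallSource: previously
        # the Read-Host result was discarded, so the install below still used
        # the missing path. The emptiness test also keeps Test-Path from being
        # called with a null path.
        if (-not $InstallSource -or -not (Test-Path $InstallSource)) {
            $InstallSource = Read-Host -Prompt "Please specify the source folder for required files (*\sources\sxs\)"
            Write-Host "You have specified the $InstallSource "
        }

        # Feature payloads are installed from this folder by an elevated
        # session, so it should be trusted installation media.
        Add-WindowsFeature -Name $IisRoles -Source $InstallSource
    }
    else {
        Write-Host "Internet Connection Succeeded! Proceeding with configuration" -ForegroundColor Green
        Add-WindowsFeature -Name $IisRoles
    }
}
Write-Host "IIS role installation complete, adding features... " -ForegroundColor Green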
# ---------------------------------------
# Install Correct Framework
# ---------------------------------------
# Install the .NET feature that matches the OS detected earlier; any other
# value of $os stops the script.
if ($os -eq "2008") {
    # 2008 feature specified in the vCAC 6 pre-req checker
    Write-Host "Adding Windows features " -ForegroundColor Yellow
    Add-WindowsFeature -Name AS-Net-framework
    Write-Host "Features installation complete, loading IIS module " -ForegroundColor Green
}
elseif ($os -eq "2012") {
    # 2012 feature specified in the vCAC 6 pre-req checker
    # NOTE(review): no -Source is passed here, unlike the offline IIS role
    # install; confirm this succeeds on servers without Internet access.
    Write-Host "Adding Windows features " -ForegroundColor Yellow
    Install-WindowsFeature -name NET-Framework-Core
    Write-Host "Features installation complete, loading IIS module " -ForegroundColor Green
}
else {
    Write-Host "The Operating System does not appear to be compatible with this script"
    Throw "This is for Windows Server 2008 and 2012"
}
# ---------------------------------------
# END OF Framework Installation
# ---------------------------------------
# The IIS cmdlets and the IIS:\ drive used below come from WebAdministration;
# stop when the module is not available on this system.
if (-not (Get-Module -ListAvailable WebAdministration)) {
    throw "Webadministration is not installed on this system"
}
Write-host "Importing Web Admin module " -Foregroundcolor Yellow
Import-Module WebAdministration
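# Build the IIS folder structure. Creation errors are suppressed, so an
# existing folder is not reported as a failure.
Write-Host "Setting up folder structure" -ForegroundColor Yellow
New-Item -Path $InetPubRoot -type directory -Force -ErrorAction SilentlyContinue
New-Item -Path $InetPubLog -type directory -Force -ErrorAction SilentlyContinue
New-Item -Path $InetPubWWWRoot -type directory -Force -ErrorAction SilentlyContinue

# Grant inheritable read/execute on the web root to BUILTIN\IIS_IUSRS and
# BUILTIN\Users, and inheritable full control on the log folder to
# NT SERVICE\TrustedInstaller.
# icacls is called directly with separate arguments instead of through a
# string handed to "cmd.exe /c": a configured path that contains spaces or
# cmd metacharacters is then passed as one literal argument and cannot change
# the command that runs.
& icacls.exe $InetPubWWWRoot /grant 'BUILTIN\IIS_IUSRS:(OI)(CI)(RX)' 'BUILTIN\Users:(OI)(CI)(RX)'
if ($LASTEXITCODE -ne 0) {
    Write-Warning "icacls returned exit code $LASTEXITCODE for $InetPubWWWRoot; verify the folder permissions"
}
& icacls.exe $InetPubLog /grant 'NT SERVICE\TrustedInstaller:(OI)(CI)(F)'
if ($LASTEXITCODE -ne 0) {
    Write-Warning "icacls returned exit code $LASTEXITCODE for $InetPubLog; verify the folder permissions"
}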
# Point the default web site at the configured content root.
Set-ItemProperty -Path 'IIS:\Sites\Default Web Site' -Name physicalPath -Value $InetPubWWWRoot

# Authentication values, written at the IIS:\ level:
#   anonymous authentication -> disabled
#   Windows authentication   -> enabled
Write-Host "Setting authentication values for IIS" -ForegroundColor Yellow
$authSection = '/system.webServer/security/authentication'
$authSettings = @(
    @{ Scheme = 'AnonymousAuthentication'; Enabled = 'false' },
    @{ Scheme = 'windowsAuthentication';   Enabled = 'True' }
)
foreach ($setting in $authSettings) {
    Set-WebConfigurationProperty -Filter "$authSection/$($setting.Scheme)" -Name enabled -Value $setting.Enabled -PSPath 'IIS:\'
}
# Sometimes the pre-req checker cannot read the Windows authentication values
# unless the providers are removed and added back in, so both providers are
# removed and then re-added, Negotiate first and Ntlm second.
# Each appcmd call uses /commit:apphost, i.e. the change is committed to
# applicationHost.config.
# The Invoke-Expression strings are fixed literals; keep them that way and do
# not interpolate configuration or user input into them.
# NOTE(review): NTLM ends up enabled as a provider next to Negotiate; confirm
# the product needs the NTLM fallback before keeping it on a production server.
Write-Host "Removing and re-adding Windows authentication providers" -ForegroundColor Yellow
# The working directory is changed for the rest of the script and is not restored.
cd c:\windows\system32\inetsrv
# Remove the Negotiate and Ntlm providers ("/-") ...
invoke-expression ".\appcmd.exe set config '' -section:system.webServer/security/authentication/windowsAuthentication /-`"providers.[value='Negotiate']`" /commit:apphost"
invoke-expression ".\appcmd.exe set config '' -section:system.webServer/security/authentication/windowsAuthentication /-`"providers.[value='Ntlm']`" /commit:apphost"
# ... then add them back ("/+").
invoke-expression ".\appcmd.exe set config '' -section:system.webServer/security/authentication/windowsAuthentication /+`"providers.[value='Negotiate']`" /commit:apphost"
invoke-expression ".\appcmd.exe set config '' -section:system.webServer/security/authentication/windowsAuthentication /+`"providers.[value='Ntlm']`" /commit:apphost"
# Both settings below are written twice on the Default Web Site so that vCAC
# recognises the value; the second write of each pair is the one that stays.
$winAuth = @{
    Filter   = 'system.webServer/security/authentication/WindowsAuthentication'
    Location = 'Default Web Site'
}

# Extended Protection: set to 'Allow', then to 'None'.
# The final state is 'None', i.e. Extended Protection is left switched off for
# this site. That removes the channel-binding check that helps against
# credential relay; re-evaluate the setting once the pre-req checker has passed
# if your environment requires it.
Write-Host "Enabling and disabling Extended Protection" -ForegroundColor Yellow
foreach ($tokenChecking in 'Allow', 'None') {
    Set-WebConfigurationProperty @winAuth -Name extendedProtection.tokenChecking -Value $tokenChecking
}

# Kernel mode: disabled, then re-enabled. The final state is enabled.
Write-Host "Resetting Kernel Mode" -ForegroundColor Yellow
foreach ($kernelMode in $false, $true) {
    Set-WebConfigurationProperty @winAuth -Name useKernelMode -Value $kernelMode
}
# Restart IIS so that the configuration changes above take effect. The command
# is invoked directly by name; its output is passed through unchanged.
Write-Host "Resetting IIS" -ForegroundColor Yellow
& IISRESET
Write-Host "IIS Reset Complete..." -ForegroundColor Green
# ----------------------------------------
# END OF ROLE & FEATURE INSTALL
# ----------------------------------------
# ----------------------------------------
# FIREWALL & SECURITY SETTINGS
# ----------------------------------------
# MSDTC coordinates transactions that span several resource managers
# (databases, message queues, etc). Every value listed below is set to 1 under
# the MSDTC Security key so that vCAC can function on the network.
# Going by the value names, this turns on network DTC access in both
# directions, including remote clients and remote administration. This script
# does not write any other value under the key, so review the MSDTC
# authentication settings separately before exposing the server to an
# untrusted network segment.
Write-Host "Setting MSDTC components in the registry. Please restart your system after installation completes" -ForegroundColor Yellow
$msdtcSecurityKey = 'HKLM:\Software\Microsoft\MSDTC\Security'
$msdtcFlags = @(
    'LuTransactions',
    'NetworkDtcAccess',
    'NetworkDtcAccessInbound',
    'NetworkDtcAccessOutbound',
    'NetworkDtcClients',
    'NetworkDtcAccessTransactions',
    'NetworkDtcAccessAdmin',
    'NetworkDtcAccessClients'
)
foreach ($flag in $msdtcFlags) {
    Set-ItemProperty -Path $msdtcSecurityKey -Name $flag -Value 1
}
# The Distributed Transaction Coordinator needs to have access through the
# firewall. The following line enables the existing rule group named
# "Distributed Transaction Coordinator". (If the firewall is enabled it will
# use the rules; if the firewall is disabled, this can be ignored.)
# The netsh output is discarded by Out-Null and the exit code is not checked,
# so a rule group that could not be enabled is not reported here.
# NOTE(review): the rules are enabled as they are defined; confirm their
# profile and remote-address scope match where DTC traffic should be allowed.
netsh advfirewall firewall set rule group="Distributed Transaction Coordinator" new enable=Yes | Out-Null
# ----------------------------------------
# END FIREWALL & SECURITY SETTINGS
# ----------------------------------------
# ----------------------------------------
# LOGON SERVICE SETTINGS
# ----------------------------------------
# Secondary Logon (seclogon): when the service is not running, switch it to
# automatic start-up and start it. A service that is already running is left
# untouched, including its start-up type.
Write-Host "Enabling Secondary Logon Service" -ForegroundColor Yellow
$secondaryLogon = Get-Service seclogon
if ($secondaryLogon.Status -ne 'Running') {
    Set-Service Seclogon -StartupType Automatic
    Start-Service seclogon
    Write-Host "Secondary Logon Service Enabled..." -ForegroundColor Yellow
}
# ----------------------------------------
# END LOGON SERVICE SETTINGS
# ----------------------------------------
# All Windows settings handled by this script have been applied at this point.
# After SQL Server is installed, enable TCP/IP for it and restart the SQL
# services; that step is manual.
Write-Host ""
$closingMessages = @(
    "Pre-Req settings have been completed.",
    "Please run the prerequisite checker and verify. Proceed with SQL pre-reqs"
)
foreach ($message in $closingMessages) {
    Write-Host $message -ForegroundColor Green
}
# ----------------------------------------
# END OF SCRIPT
# ----------------------------------------