1. Install Active Directory Domain Services
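# Example: install AD DS on a new lab VM with NewLabDomain.ps1.
# Run from the host running Hyper-V.
#
# String values are quoted on purpose: in a hashtable literal PowerShell reads
# a bare word such as LAB01 or lab01.domain.tld as a command name, not as a
# string, so the unquoted form does not build the intended parameter set.
#
# The two password values below are the sample literals from this guide. They
# are published, and the same string is used for both the Administrator account
# and the DSRM (safe mode) account. Replace each with its own freshly generated
# secret before running this on anything that outlives a throwaway lab.
# NOTE(review): NewLabDomain.ps1 is not shown here. If it accepts a
# SecureString or PSCredential, prefer that over plaintext kept in a script
# file or in console history -- confirm against the script's param() block.

$Parameters = @{
    LabName                       = 'LAB01'
    VMHostname                    = 'LAB01DC01A'
    Username                      = 'Administrator'
    Password                      = 'bf1456b8-a91f-4a41-92a8-8388ff07dd6d'   # sample value, replace
    DomainName                    = 'lab01.domain.tld'
    DomainNetBIOSName             = 'LAB01'
    SafeModeAdministratorPassword = 'bf1456b8-a91f-4a41-92a8-8388ff07dd6d'   # sample value, replace with a different secret
    Verbose                       = $true
}

# Splat the hashtable so each key is passed as a named parameter.
.\NewLabDomain.ps1 @Parameters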
  1. Configure Active Directory Domain Services
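# Example: configure AD DS (after installation) with ConfigureLabDomain.ps1.
# Run from within your domain controller VM.
#
# The script prompts for 4 account passwords: domain admin, server admin,
# workstation admin, and normal account. Because they are prompted for, they do
# not appear in this snippet. Give each account a different password; reusing
# one across the admin tiers removes the separation the tiers are meant to give.
#
# String values are quoted on purpose: PowerShell does not read a bare word or
# a bare 192.168.1.0/24 in a hashtable value as a string.

$Parameters = @{
    ReverseZoneNetworkId = '192.168.1.0/24'
    BaseUsername         = 'jxs'
    GivenName            = 'John'
    Initial              = 'X'
    Surname              = 'Smith'
    Verbose              = $true
}

# Splat the hashtable so each key is passed as a named parameter.
.\ConfigureLabDomain.ps1 @Parameters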
  1. Configure security baselines
# Example: apply security baselines with ConfigureSecurityBaselines.ps1.
# Run from within your domain controller VM.
# No input is required: per this guide the script downloads, extracts, imports,
# and links various security baseline GPOs on its own.
# NOTE(review): the download source and any integrity check live inside the
# script and are not shown here. Read it before running on a domain controller,
# and review the imported GPOs before relying on the links it creates.

& .\ConfigureSecurityBaselines.ps1
  1. Manually Configure GPOs:
  • GPO: Server - ConfigMgr
    • User Rights Assignments
      • “Lock pages in memory”: DOMAIN\svc_CM_SQL$
      • “Log on as a service”: DOMAIN\svc_CM_SQL$
    • Windows Firewall
      • New Custom Inbound Rule
        • All Programs
        • Local TCP ports: 1433, 4022
        • Source: ConfigMgr Server IP Address
        • Destination: ConfigMgr Server IP Address
        • Allow
        • All profiles
        • Name: ConfigMgr - SQL Traffic
    • New Local Group Preference
      • Add AD group CM_Admins to Administrators
      • Set group description to GPO-Enforced Group
  • GPO: Server - Default Security Policy
    • New Local Group Preference
      • Add AD group LocalAdmin_Servers to Administrators
      • Set group description to GPO-Enforced Group
      • Enable Delete all member users and Delete all member groups
  • GPO: Workstation - Default Security Policy
    • New Local Group Preference
      • Add AD group LocalAdmin_Workstations to Administrators
      • Set group description to GPO-Enforced Group
      • Enable Delete all member users and Delete all member groups