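<#
NPC Install - v2021.13
Scripted install for AutoCert to DC0x and all domain members.
This script is to be executed as Domain Admin.
This will enumerate all servers in the domain, and attempt to install AutoCert on those
that would have certificates to replace - can optionally choose to not replace
certificates if not needed.
- Special install for PRX & SG (not domain member)

Security notes (review):
- Every target ends up running c:\AutoCert\ExpiryCheck.ps1 as SYSTEM from a scheduled
  task whose definition (AutoCert.xml) is also downloaded from npcurls.azurewebsites.net.
  The transport is TLS 1.2, but nothing pins the publisher: below, an Authenticode
  signature on the downloaded script is only reported, not required. Make that a hard
  failure (or pin a SHA-256 of the expected file) once the published files are signed.
- c:\AutoCert is created directly under the system-drive root. With default Windows
  ACLs such folders typically inherit Modify for Authenticated Users, which would let
  any local user replace the script SYSTEM executes. The install therefore replaces the
  folder ACL with SYSTEM + Administrators only.
- Targets are selected purely by computer-name pattern; a SYSTEM task is deployed to
  every match, so keep the patterns as narrow as the naming scheme allows.
#>

# Per-role settings. Each entry drives enumeration (Pattern), the download of the
# role-specific expiry check (ExpiryUrl) and the operator prompt text shown on the target.
# DC0* and ADFS0* share the DC package, exactly as the original per-branch logic did.
# Note: the enumeration pattern and the install pattern are the same entry, so a server
# reported as "found" is always one that will actually be processed (the original used
# 'CM*' to enumerate but 'CM0*' to install, leaving e.g. CM1x reported but never handled).
$Roles = @(
    @{ Pattern = 'DC0*';   Label = 'DC';  ExpiryUrl = 'https://npcurls.azurewebsites.net/Expiration-DC'
       Intro = 'Current computer name is';          Audience = 'AD FS servers';                  Product = 'AD FS' }
    @{ Pattern = 'ADFS0*'; Label = 'DC';  ExpiryUrl = 'https://npcurls.azurewebsites.net/Expiration-DC'
       Intro = 'Current computer name is';          Audience = 'AD FS servers';                  Product = 'AD FS' }
    @{ Pattern = 'RDS*';   Label = 'RDS'; ExpiryUrl = 'https://npcurls.azurewebsites.net/Expiration-RDS'
       Intro = 'The current server being updated is'; Audience = 'RDS servers';                  Product = 'RDS' }
    @{ Pattern = 'CM0*';   Label = 'CM';  ExpiryUrl = 'https://npcurls.azurewebsites.net/Expiration-CM'
       Intro = 'Current computer name is';          Audience = 'Connection Manager (CM) servers'; Product = 'CM' }
)

# True when the current token holds Domain Admins of the user's own account domain.
# Checked by well-known RID 512 (AccountDomainAdminsSid) rather than the display name:
# IsInRole("Domain Admins") depends on the unqualified name resolving on this host,
# while the SID form does not. Falls back to the name form for non-domain identities
# (AccountDomainSid is null for local accounts). This is a guard against running the
# installer with the wrong account, not a security boundary.
function Test-DomainAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $domainSid = $identity.User.AccountDomainSid
    if ($domainSid) {
        $domainAdminsSid = New-Object Security.Principal.SecurityIdentifier(
            [Security.Principal.WellKnownSidType]::AccountDomainAdminsSid, $domainSid)
        return $principal.IsInRole($domainAdminsSid)
    }
    return $principal.IsInRole("Domain Admins")
}

# Returns $true when the WinRM port on $ComputerName answers AND the reverse DNS name of
# the address we reached belongs to that computer. The reverse lookup catches a stale
# forward record pointing at some other host; if the reverse zone simply has no entry
# (HostNotFound) the forward record is trusted. The host label is compared exactly
# (case-insensitive -eq) instead of the original substring -match, so DC01 no longer
# "matches" DC011.
function Test-TargetServer {
    param([string]$ComputerName)

    $probe = Test-NetConnection -ComputerName $ComputerName -CommonTCPPort WINRM `
        -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) { return $false }

    try {
        $fqdn = [System.Net.Dns]::GetHostEntry($probe.RemoteAddress.IPAddressToString).HostName
    }
    catch [System.Management.Automation.MethodInvocationException] {
        # No reverse DNS zone / no PTR record: assume the forward record is correct.
        $inner = $_.Exception.InnerException
        if ($inner -is [System.Net.Sockets.SocketException] -and $inner.SocketErrorCode -eq 'HostNotFound') {
            return $true
        }
        return $false
    }
    return (($fqdn -split '\.')[0] -eq $ComputerName)
}

# Installs the AutoCert scheduled task + role-specific ExpiryCheck.ps1 on one target.
# $Role is one entry of $Roles. The operator is prompted on each target and can skip it.
# Any failure on the remote side (download, task registration) is surfaced here and the
# task is NOT registered against a missing or empty script.
function Install-AutoCertOnServer {
    param(
        [string]$ComputerName,
        [hashtable]$Role
    )

    Write-Host "$ComputerName is a $($Role.Label) server"
    if (-not (Test-TargetServer -ComputerName $ComputerName)) {
        Write-Host ("$ComputerName can NOT be reached.") -Foregroundcolor White -Backgroundcolor Red
        pause
        return
    }
    Write-Host ("$ComputerName is reachable, continuing replacement.")

    try {
        # Default WinRM auth for a domain host name is Kerberos; no explicit credential is passed.
        Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ArgumentList $Role -ScriptBlock {
            param([hashtable]$Role)

            # Set Tls1.2 to download files from Azure
            [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
            $CurrentServer = $env:computername

            Write-Host "$($Role.Intro) $CurrentServer. This Certificate Package is meant for $($Role.Audience) ONLY. Would you like to proceed?"
            $answer = Read-Host "(y/n)"
            switch ($answer) {
                Y {
                    Write-Host "You chose YES. Continuing with $($Role.Product) Automatic Certificate Replacement" -Foregroundcolor white -Backgroundcolor Green
                }
                N {
                    Write-Host "You chose NO. Exiting $($Role.Product) Automatic Certificate Replacement script without making configuration changes." -Foregroundcolor white -Backgroundcolor Red
                    pause
                    return
                }
                Default {
                    Write-Host "No option chosen for $CurrentServer. Exiting Script without making configuration changes." -Foregroundcolor white -Backgroundcolor Red
                    pause
                    return
                }
            }

            # Variable Assignment
            $installDir  = 'c:\AutoCert'
            $expiryPath  = Join-Path $installDir 'ExpiryCheck.ps1'
            $taskXmlPath = Join-Path $installDir 'AutoCert.xml'
            $taskUrl     = 'https://npcurls.azurewebsites.net/Install-Task'
            $taskName    = 'CertificateReplacement'

            # Install AutoCert
            if (-not (Test-Path $installDir)) {
                New-Item -ItemType Directory -Path $installDir -ErrorAction Stop | Out-Null
            }

            # The scheduled task runs $expiryPath as SYSTEM, so nobody below Administrators
            # may be able to write here. Break inheritance from the drive root and grant
            # only SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544).
            $acl = Get-Acl -Path $installDir
            $acl.SetAccessRuleProtection($true, $false)
            foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {
                $account = New-Object Security.Principal.SecurityIdentifier($sid)
                $rule = New-Object Security.AccessControl.FileSystemAccessRule(
                    $account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
                $acl.AddAccessRule($rule)
            }
            Set-Acl -Path $installDir -AclObject $acl

            try {
                # -ErrorAction Stop: a failed download must not fall through to task
                # registration. -UseBasicParsing avoids the IE engine dependency on servers.
                Invoke-WebRequest -Uri $taskUrl -OutFile $taskXmlPath -UseBasicParsing -ErrorAction Stop
                Invoke-WebRequest -Uri $Role.ExpiryUrl -OutFile $expiryPath -UseBasicParsing -ErrorAction Stop
                foreach ($file in $taskXmlPath, $expiryPath) {
                    if ((Get-Item $file).Length -eq 0) { throw "Downloaded file is empty: $file" }
                }

                # TODO(security): turn this into a hard failure (throw) once the published
                # ExpiryCheck.ps1 is Authenticode-signed; until then only report it, because
                # the script will be executed as SYSTEM regardless.
                $signature = Get-AuthenticodeSignature -FilePath $expiryPath
                if ($signature.Status -ne 'Valid') {
                    Write-Warning "$expiryPath has no valid Authenticode signature (status: $($signature.Status)); it will still be run as SYSTEM."
                }

                Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
                schtasks.exe /create /xml $taskXmlPath /tn $taskName /ru SYSTEM | Out-Null
                if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed with exit code $LASTEXITCODE" }
                Start-ScheduledTask -TaskName $taskName -ErrorAction Stop
            }
            finally {
                # The XML is only needed for registration; do not leave it on disk either way.
                Remove-Item $taskXmlPath -ErrorAction SilentlyContinue
            }
        }
    }
    catch {
        Write-Host ("AutoCert install on $ComputerName FAILED: $($_.Exception.Message)") -Foregroundcolor White -Backgroundcolor Red
        pause
    }
}

# ---- main -------------------------------------------------------------------------

# User running script should be domain admin
if (Test-DomainAdmin) {
    Write-Host "Account used to run Powershell is a domain admin, continuing replacement"
}
else {
    Write-Host "Account used to run Powershell is NOT a Domain Administrator, exiting script..."
    pause
    exit
}

# Set Tls1.2 to download files from Azure (the downloads themselves happen in the remote
# sessions, which set this again; kept here for parity with the original).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Enumerate list of VMs in domain
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
if (-not (Get-Module ActiveDirectory)) {
    Write-Host "ActiveDirectory module not installed - please run install script on DC01."
    pause
    exit
}

Write-Host "Checking for Domain Servers..."
$targets = @()
foreach ($role in $Roles) {
    $found = @(Get-ADComputer -Filter "Name -like '$($role.Pattern)'" | Select-Object -ExpandProperty Name)
    if ($found.Count -gt 0) {
        Write-Host "$($found -join ' ') found. Will attempt replacement procedure." -Foregroundcolor white -Backgroundcolor Green
        foreach ($name in $found) {
            $targets += [pscustomobject]@{ Name = $name; Role = $role }
        }
    }
    else {
        $ServerType = $role.Pattern.Replace('*', '')
        Write-Host " No $ServerType servers found. Certificate replacement will NOT be run for this server type." -Foregroundcolor white -Backgroundcolor Red
    }
}

# Iterate through each server found
foreach ($target in $targets) {
    Install-AutoCertOnServer -ComputerName $target.Name -Role $target.Role
}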