Isolate a DC - Part 1: Configure the Network

Dragging a single Domain Controller by its nostril into an isolated network can be time consuming. For testing or disaster recovery the steps are the same, and while they are well documented almost everywhere, there don’t seem to be any quick and dirty tools to do the steps for you. That is why I wrote this series of PowerShell functions that can be applied to a DC you have restored in your virtual environment to get your test Forest up and running quickly.

Note that all these functions are designed to work on Windows Server 2012 R2 or higher, and while they’ve been tested, they are designed to do serious damage to your test environment and should never be used in production.

Configure the Network

Configure the network card of your restored Domain Controller such that it points only to itself for DNS. Your Domain Controller needs to be able to locate itself when it is starting up in order to become healthy, so DNS and the network stack need to be operational. Make sure your network is not connected externally. Having multiple DCs with the same name, IP address and domain communicating on one network is unhealthy for your long term career prospects.

You’ll need to know your desired IP address, subnet prefix length and default gateway.

function ConfigureDCNetwork {
    [CmdletBinding(
    SupportsShouldProcess = $true,
    ConfirmImpact = 'High')]
    param([parameter(mandatory=$true,
    HelpMessage="Enter the IP Address this server will use")][ValidatePattern('\b(?:\d{1,3}\.){3}\d{1,3}\b')][string]$IPAddress,
    [parameter(mandatory=$true,HelpMessage="Enter the number of bits in the subnet mask eg 24 = 255.255.255.0")][ValidateRange(2,30)][int]$CIDRSubnet,
    [parameter(mandatory=$true,HelpMessage="Enter the default gateway IP address")][ValidatePattern('\b(?:\d{1,3}\.){3}\d{1,3}\b')][string]$DefaultGateway)
    Write-Warning "Changing the IP address may result in lost network connectivity - ensure you have console access to this host"
    # ConfirmImpact is High, so this prompts unless -Confirm:$false or -WhatIf is given
    if ($pscmdlet.ShouldProcess($(&hostname))){
        # Only the first adapter is touched; a restored DC should have exactly one
        $netadapter = Get-NetAdapter | Select-Object -First 1
        Write-Verbose "Disabling DHCP on first interface"
        $netadapter | Set-NetIPInterface -Dhcp Disabled
        Write-Verbose "Configuring Network Address and default gateway"
        $netadapter | New-NetIPAddress -AddressFamily IPv4 -IPAddress $IPAddress -PrefixLength $CIDRSubnet -Type Unicast -DefaultGateway $DefaultGateway
        Write-Verbose "Pointing Domain Controller at self for DNS"
        Set-DnsClientServerAddress -InterfaceAlias $netadapter.Name -ServerAddresses $IPAddress
    }
}
#                  IP Address   Prefix Default Gateway
ConfigureDCNetwork 192.168.1.10 24     192.168.1.1
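Once the address has been changed it is worth confirming that the DC really does point only at itself and can locate itself before moving on. The function below is an added example, not part of the original post: it checks the four things the paragraph above depends on (DHCP off, DNS pointing only at the configured address, the _msdcs DC locator SRV record resolving from the local DNS server back to this host, and LDAP listening on the address). The function name and output property names are my own; it assumes the NetTCPIP and DnsClient modules that ship with Windows Server 2012 R2 and later, and reuses the sample address from the call above.

```powershell
# Added example (not from the original post). Verifies the result of
# ConfigureDCNetwork on a restored, isolated Domain Controller.
function Test-DCNetworkIsolation {
    [CmdletBinding()]
    param(
        # The address that was passed to ConfigureDCNetwork
        [parameter(Mandatory=$true)]
        [ValidatePattern('\b(?:\d{1,3}\.){3}\d{1,3}\b')]
        [string]$IPAddress
    )

    $r = [ordered]@{ IPAddress = $IPAddress }

    # 1. The address must be bound to an IPv4 interface that has DHCP disabled
    $ip = Get-NetIPAddress -AddressFamily IPv4 -IPAddress $IPAddress -ErrorAction SilentlyContinue |
          Select-Object -First 1
    $r.AddressBound = [bool]$ip
    $r.DhcpDisabled = $false
    if ($ip) {
        $iface = Get-NetIPInterface -InterfaceIndex $ip.InterfaceIndex -AddressFamily IPv4
        $r.DhcpDisabled = ($iface.Dhcp -eq 'Disabled')
    }

    # 2. Across all interfaces, the only IPv4 DNS server configured must be this host.
    #    A leftover entry for another DC is the classic cause of a DC that never becomes healthy.
    $servers = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $_.ServerAddresses } |
        Select-Object -Unique)
    $r.DnsServers  = ($servers -join ',')
    $r.DnsSelfOnly = ($servers.Count -eq 1 -and $servers[0] -eq $IPAddress)

    # 3. The DC locator record must resolve from the local DNS server and point back here.
    #    -DnsOnly skips the hosts file and cache so the answer comes from the DNS service itself.
    $domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $IPAddress `
               -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    $r.SrvResolves     = [bool]$srv
    $r.SrvPointsToSelf = [bool]($srv | Where-Object { $_.NameTarget -like "$env:COMPUTERNAME.*" })

    # 4. LDAP must be listening on the configured address (the DC service is actually up)
    $tcp = Test-NetConnection -ComputerName $IPAddress -Port 389 -WarningAction SilentlyContinue
    $r.LdapListening = [bool]$tcp.TcpTestSucceeded

    $r.Healthy = $r.AddressBound -and $r.DhcpDisabled -and $r.DnsSelfOnly -and
                 $r.SrvResolves -and $r.SrvPointsToSelf -and $r.LdapListening
    [pscustomobject]$r
}

# Same sample address as the ConfigureDCNetwork call above
Test-DCNetworkIsolation -IPAddress 192.168.1.10 | Format-List
```

If SrvResolves is false straight after a restore, the DNS service usually just needs to register the records again; restarting the Netlogon service and re-running the check is the usual next step. A false DnsSelfOnly with more than one address listed means another adapter still carries an old DNS entry and the DC will keep trying to reach a partner that is not on the isolated network.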

All the other parts of this series are available here.