Brought old blog over

1 files changed, 229 insertions, 0 deletions

diff --git a/content/technical/how-to-create-an-active-directory-domain-to-test-against.md b/content/technical/how-to-create-an-active-directory-domain-to-test-against.md
new file mode 100644
index 0000000..db1e330
--- /dev/null
+++ b/content/technical/how-to-create-an-active-directory-domain-to-test-against.md
@@ -0,0 +1,229 @@
+Title: How to create an Active Directory domain to test against
+Date: 2012-08-03
+Tags: technical, security
+Slug: how-to-create-active-directory-domain
+
+Many interested people want to help test the Active Directory work and
+bug fixes we've been doing. But sadly there's no public Active Directory
+servers that I know of. So here's how to setup a virtual machine with
+your own Active Directory. It's not that hard.  
+  
+
+### 1. Preparation
+
+-   Each Active Directory has a unique domain name. Choose one. You can
+    choose a subdomain of a domain you own, or one that's completely
+    made up. I chose `borg.thewalter.lan`
+-   Download the evaluation edition of [Windows 2008 R2 Enterprise server][]. Click the *Get Started *button at that link to download
+    it. The evaluation edition is valid for 180 days. You should end up
+    with an ISO file named something
+    like: `7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso`
+-   We'll be using virt-manager in this tutorial, so install
+    `virt-manager`, `libvirtd, qemu` and all their dependencies.
+
+### 2. Create a virtual network
+
+-   The Active Directory server will need a static IP address. The
+    `default` virtual network configured by libvirtd does not have any
+    space for a static IP address, so we need to create a new virtual
+    network.
+-   Start `virt-manager` and make sure you're connected to the
+    *localhost (QEMU)* connection.
+-   Click on *localhost (QEMU)* and choose *Edit* \> *Connection
+    Details* from the menu.
+-   Choose the *Virtual Networks* tab in the dialog that pops up and
+    click the add button.
+-   Use settings like:  
+   *Network Name*: ad  
+   *Network*: `192.168.12.0/24`  
+   *Enable DHCP*: checked  
+   *Start*: `192.168.12.128`  
+   *End*: `192.168.12.254`
+-   Notice that we left some space between the start of the netblock and
+    the first DHCP allocated address. Actually virt-manager does this by
+    default for added virtual networks like this one.
+-   You probably want to *Forward* (via *NAT*) to your physical network.
+    That makes it easier to activate windows later and get updates.
+-   Complete the wizard and you're done.
+
+### 3. Create a new virtual machine
+
+-   In the main virt-manager window, click the create button in the
+    toolbar to create a new virtual machine.
+-   Type the domain name you chose above as the virtual machine *Name*.
+-   Choose *Local install media* and when prompted select the *ISO
+    image* you downloaded above as the *install media*.
+-   Set *OS type* to *Windows*, and *Version* to *Microsoft Windows
+    Server 2008.*
+-   512 MB of memory is enough, 1 CPU is enough. Feel free to set these
+    higher if you like.
+-   Create a new virtual disk with at least 10 GB of disk space.
+-   On the last page of the *Create a new virtual machine* dialog,
+    expand the *Advanced options* section and choose the network you
+    created above.
+-   Complete the dialog and the virtual machine should be created. Then
+    the Windows install should begin.
+
+### 4. Windows Server install
+
+-   Choose whatever keyboard and language you want on the first dialog
+    of the install.
+-   On the next page choose *Install now*.
+-   A list of types of Windows Server installs should show up. Choose
+    *Windows Server 2008 R2 Standard (Full Installation)*and go to the
+    next page.
+-   Read and accept the license.
+-   Choose *Custom (advanced)* when prompted how to install Windows.
+-   Select the disk to install Windows on. There should only be one
+    choice which is the virtual disk you configured when you created the
+    virtual machine.
+-   Windows Server will proceed to install, and will reboot a couple
+    times in the process.
+-   Once the system is ready, you will be prompted to change the
+    *Administrator* password. This is actually setting the password for
+    the first time. This is the password for the *Administrator* account
+    on the server itself, not the administrator of the Active Directory
+    domain, which you'll set later. You can use the same password for
+    both, since this is a test install.
+-   If all goes well you should be logged into your new server at this
+    point. A bunch of helpful windows will pop up, but you don't need to
+    do anything with them.
+
+### 5. Set the IP address
+
+-   An Active Directory server acts as an LDAP and DNS server, and needs
+    a static IP address.
+-   Click *Start* \> *Network,*and then click the *Change adapter
+    settings* link in the window that comes up. Another window should
+    appear.
+-   Right click on the *Local Area Connection* item and choose
+    *Properties* in the menu.
+-   Click on the *Internet Protocol Version 4 (TCP/IPv4)* item and then
+    click the *Properties* button. A dialog for setting the addresses
+    comes up.
+-   Choose *Use the following IP address.*Then set the relevant fields.
+    The settings here are based on the virtual network you created
+    above, if you used a different netblock then modify as appropriate:  
+   *IP Address*: `192.168.12.10`  
+   *Subnet mask*: `255.255.255.0`  
+   *Default gateway*: `192.168.12.1`  
+   *Preferred DNS Server*: `192.168.12.1`
+-   Click OK or Close in the various dialogs to complete things.
+
+### 6. Set the machine name
+
+-   An Active Directory server should have a well known DNS name, you
+    don't need to set it in DNS, but just name the server appropriately
+    and then Active Directory will do the rest.
+-   Click *Start* \> *Computer*, and a window should come up.
+-   In the left pane of the window, there's an item called
+    *Computer.*Right click on it and choose *Properties* from the menu.
+    Another window should show up.
+-   Click *Change Settings*, and a dialog will come up.
+-   In the *Computer Name* tab click the *Change...* button, which
+    displays another dialog.
+-   Set `DC` as the *Computer name* or another name of your choice.
+    Don't worry about the *Member of Domain or Workgroup* stuff yet.
+-   Click OK and/or Close to complete the changes. You'll be prompted to
+    restart, so go ahead and do that.
+
+### 7. Setting up Active Directory
+
+-   Click *Start \>* *Run* and type `DCPROMO` in the dialog that comes
+    up.
+-   A progress window will come up which explains about installing some
+    components. This takes a while.
+-   A wizard will eventually show up. Click through the introduction and
+    warnings.
+-   Choose *Create a new domain in a new forest*.
+-   On the next page enter the domain you chose earlier, like
+    `borg.thewalter.lan`
+-   Choose the *Forest functional level*. You can choose whichever one
+    you like. Choosing *2008 R2* is a decent choice. You can test
+    against various Active Directory servers with different levels to
+    simulate different domains you might encounter in the wild.
+-   Make sure *DNS Server* is chosen on the next page.
+-   Once you complete that, a dialog will come up warning you about how
+    the DNS delegation cannot be created. We'll do that manually below,
+    so this is nothing to worry about. Choose *Yes*.
+-   Leave the default paths for database and log files.
+-   Choose a domain *Administrator* password. Logically this is
+    different from the local server *Administrator* account you set the
+    password for above. But you can use the same password to keep things
+    simple.
+-   Review the selections if you're interested, and then click *Next* to
+    complete things.
+-   Wait for a while for installation and configuration, *Finish. *
+-   You'll need to *Restart Now*.
+-   The reboot after installing Active Directory will take a while as it
+    does a bunch of stuff on the first boot.
+
+### 8. Setup DNS to work with Active Directory
+
+-   Back on your linux box you'll want to be able to connect to Active
+    Directory. To do this you need to setup DNS. Active Directory comes
+    with its own DNS server, you just need to tell your local host where
+    it is. To do this we'll install a local caching name server.
+-   Install bind. If you're on Fedora you can use a command
+    like: `# yum install caching-nameserver`
+-   After the install completes, edit `/etc/named.conf` and add the
+    following line to your main *options* section:  
+
+        :::text
+        forwarders { 8.8.8.8; /* ... or the address of your ISP DNS server */ };
+
+-   And add this to the end of `/etc/named.conf`. Modify for your domain
+    name or server static IP address assigned above:  
+
+        :::text
+        zone "borg.thewalter.lan" { type stub; masters { 192.168.12.10; }; };
+
+-   Restart the named service with: `# systemctl restart named.service`
+-   Before configuring your host to use the local caching nameserver,
+    test it with commands like:   
+
+        :::text
+        # host borg.thewalter.lan 127.0.0.1
+        # host dc.borg.thewalter.lan 127.0.0.1
+        # host google.com 127.0.0.1
+
+-   Once you know it's working, use `nm-connection-editor` to edit your
+    connection. Choose your connection, and on the *IPv4 Settings* tab,
+    choose *Automatic (DHCP) addresses only.*Now set `127.0.0.1` as the
+    *DNS servers*.
+-   You should now be able to test you local server with commands like:  
+
+        :::text
+        # host borg.thewalter.lan
+        # host dc.borg.thewalter.lan
+        # host google.com
+
+### 9. Test the Active Directory domain works
+
+-   On your host linux box you should now be able to get a kerberos
+    ticket.
+-   If you have a custom configured `/etc/krb5.conf`, you may need to
+    remove or move it. There is no real need for this file with a modern
+    kerberos domain like Active Directory.
+-   Run this command. Make sure the domain is upper case here:
+
+        :::text
+        $ kinit Administrator@BORG.THEWALTER.LAN
+
+-   You'll be prompted for the domain *Administrator* password. The one
+    you typed in the *Setting up Active Directory* step above.
+-   If successful `kinit` will show no output. You can use the `klist`
+    command to see your ticket.
+
+That's it. You're done. 
+
+You can add additional Active Directory users via the *Active Directory
+Users and Computers* tool in the *Administrative Tools* section of the
+*Start* menu in the Windows Server virtual machine.
+
+You may be prompted to Activate your Windows install. You won't need any
+special information or keys or anything. Just go ahead with it. The
+install you have is valid for 180 days, and will say in the lower left
+corner how long you have left.
+
+  [Windows 2008 R2 Enterprise server]: http://technet.microsoft.com/en-us/evalcenter/dd459137.aspx