From 0968f903fe66f9bb8957b8d01e35f3743c74404b Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Tue, 4 Nov 2014 11:31:31 +0100 Subject: Brought old blog over --- ...e-an-active-directory-domain-to-test-against.md | 229 +++++++++++++++++++++ 1 file changed, 229 insertions(+) create mode 100644 content/technical/how-to-create-an-active-directory-domain-to-test-against.md (limited to 'content/technical/how-to-create-an-active-directory-domain-to-test-against.md') diff --git a/content/technical/how-to-create-an-active-directory-domain-to-test-against.md b/content/technical/how-to-create-an-active-directory-domain-to-test-against.md new file mode 100644 index 0000000..db1e330 --- /dev/null +++ b/content/technical/how-to-create-an-active-directory-domain-to-test-against.md 
@@ -0,0 +1,229 @@ +Title: How to create an Active Directory domain to test against +Date: 2012-08-03 +Tags: technical, security +Slug: how-to-create-active-directory-domain + +Many interested people want to help test the Active Directory work and +bug fixes we've been doing. But sadly there's no public Active Directory +servers that I know of. So here's how to setup a virtual machine with +your own Active Directory. It's not that hard. + + +### 1. Preparation + +- Each Active Directory has a unique domain name. Choose one. You can + choose a subdomain of a domain you own, or one that's completely + made up. I chose `borg.thewalter.lan` +- Download the evaluation edition of [Windows 2008 R2 Enterprise server][]. Click the *Get Started *button at that link to download + it. The evaluation edition is valid for 180 days. You should end up + with an ISO file named something + like: `7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso` +- We'll be using virt-manager in this tutorial, so install + `virt-manager`, `libvirtd, qemu` and all their dependencies. + +### 2. Create a virtual network + +- The Active Directory server will need a static IP address. The + `default` virtual network configured by libvirtd does not have any + space for a static IP address, so we need to create a new virtual + network. +- Start `virt-manager` and make sure you're connected to the + *localhost (QEMU)* connection. +- Click on *localhost (QEMU)* and choose *Edit* \> *Connection + Details* from the menu. +- Choose the *Virtual Networks* tab in the dialog that pops up and + click the add button. +- Use settings like: + *Network Name*: ad + *Network*: `192.168.12.0/24` + *Enable DHCP*: checked + *Start*: `192.168.12.128` + *End*: `192.168.12.254` +- Notice that we left some space between the start of the netblock and + the first DHCP allocated address. Actually virt-manager does this by + default for added virtual networks like this one. 
+- You probably want to *Forward* (via *NAT*) to your physical network. + That makes it easier to activate windows later and get updates. +- Complete the wizard and you're done. + +### 3. Create a new virtual machine + +- In the main virt-manager window, click the create button in the + toolbar to create a new virtual machine. +- Type the domain name you chose above as the virtual machine *Name*. +- Choose *Local install media* and when prompted select the *ISO + image* you downloaded above as the *install media*. +- Set *OS type* to *Windows*, and *Version* to *Microsoft Windows + Server 2008.* +- 512 MB of memory is enough, 1 CPU is enough. Feel free to set these + higher if you like. +- Create a new virtual disk with at least 10 GB of disk space. +- On the last page of the *Create a new virtual machine* dialog, + expand the *Advanced options* section and choose the network you + created above. +- Complete the dialog and the virtual machine should be created. Then + the Windows install should begin. + +### 4. Windows Server install + +- Choose whatever keyboard and language you want on the first dialog + of the install. +- On the next page choose *Install now*. +- A list of types of Windows Server installs should show up. Choose + *Windows Server 2008 R2 Standard (Full Installation)*and go to the + next page. +- Read and accept the license. +- Choose *Custom (advanced)* when prompted how to install Windows. +- Select the disk to install Windows on. There should only be one + choice which is the virtual disk you configured when you created the + virtual machine. +- Windows Server will proceed to install, and will reboot a couple + times in the process. +- Once the system is ready, you will be prompted to change the + *Administrator* password. This is actually setting the password for + the first time. This is the password for the *Administrator* account + on the server itself, not the administrator of the Active Directory + domain, which you'll set later. 
You can use the same password for + both, since this is a test install. +- If all goes well you should be logged into your new server at this + point. A bunch of helpful windows will pop up, but you don't need to + do anything with them. + +### 5. Set the IP address + +- An Active Directory server acts as an LDAP and DNS server, and needs + a static IP address. +- Click *Start* \> *Network,*and then click the *Change adapter + settings* link in the window that comes up. Another window should + appear. +- Right click on the *Local Area Connection* item and choose + *Properties* in the menu. +- Click on the *Internet Protocol Version 4 (TCP/IPv4)* item and then + click the *Properties* button. A dialog for setting the addresses + comes up. +- Choose *Use the following IP address.*Then set the relevant fields. + The settings here are based on the virtual network you created + above, if you used a different netblock then modify as appropriate: + *IP Address*: `192.168.12.10` + *Subnet mask*: `255.255.255.0` + *Default gateway*: `192.168.12.1` + *Preferred DNS Server*: `192.168.12.1` +- Click OK or Close in the various dialogs to complete things. + +### 6. Set the machine name + +- An Active Directory server should have a well known DNS name, you + don't need to set it in DNS, but just name the server appropriately + and then Active Directory will do the rest. +- Click *Start* \> *Computer*, and a window should come up. +- In the left pane of the window, there's an item called + *Computer.*Right click on it and choose *Properties* from the menu. + Another window should show up. +- Click *Change Settings*, and a dialog will come up. +- In the *Computer Name* tab click the *Change...* button, which + displays another dialog. +- Set `DC` as the *Computer name* or another name of your choice. + Don't worry about the *Member of Domain or Workgroup* stuff yet. +- Click OK and/or Close to complete the changes. You'll be prompted to + restart, so go ahead and do that. + +### 7. 
Setting up Active Directory + +- Click *Start \>* *Run* and type `DCPROMO` in the dialog that comes + up. +- A progress window will come up which explains about installing some + components. This takes a while. +- A wizard will eventually show up. Click through the introduction and + warnings. +- Choose *Create a new domain in a new forest*. +- On the next page enter the domain you chose earlier, like + `borg.thewalter.lan` +- Choose the *Forest functional level*. You can choose whichever one + you like. Choosing *2008 R2* is a decent choice. You can test + against various Active Directory servers with different levels to + simulate different domains you might encounter in the wild. +- Make sure *DNS Server* is chosen on the next page. +- Once you complete that, a dialog will come up warning you about how + the DNS delegation cannot be created. We'll do that manually below, + so this is nothing to worry about. Choose *Yes*. +- Leave the default paths for database and log files. +- Choose a domain *Administrator* password. Logically this is + different from the local server *Administrator* account you set the + password for above. But you can use the same password to keep things + simple. +- Review the selections if you're interested, and then click *Next* to + complete things. +- Wait for a while for installation and configuration, *Finish. * +- You'll need to *Restart Now*. +- The reboot after installing Active Directory will take a while as it + does a bunch of stuff on the first boot. + +### 8. Setup DNS to work with Active Directory + +- Back on your linux box you'll want to be able to connect to Active + Directory. To do this you need to setup DNS. Active Directory comes + with its own DNS server, you just need to tell your local host where + it is. To do this we'll install a local caching name server. +- Install bind. 
If you're on Fedora you can use a command + like: `# yum install caching-nameserver` +- After the install completes, edit `/etc/named.conf` and add the + following line to your main *options* section: + + :::text + forwarders { 8.8.8.8; /* ... or the address of your ISP DNS server */ }; + +- And add this to the end of `/etc/named.conf`. Modify for your domain + name or server static IP address assigned above: + + :::text + zone "borg.thewalter.lan" { type stub; masters { 192.168.12.10; }; }; + +- Restart the named service with: `# systemctl restart named.service` +- Before configuring your host to use the local caching nameserver, + test it with commands like: + + :::text + # host borg.thewalter.lan 127.0.0.1 + # host dc.borg.thewalter.lan 127.0.0.1 + # host google.com 127.0.0.1 + +- Once you know it's working, use `nm-connection-editor` to edit your + connection. Choose your connection, and on the *IPv4 Settings* tab, + choose *Automatic (DHCP) addresses only.*Now set `127.0.0.1` as the + *DNS servers*. +- You should now be able to test you local server with commands like: + + :::text + # host borg.thewalter.lan + # host dc.borg.thewalter.lan + # host google.com + +### 9. Test the Active Directory domain works + +- On your host linux box you should now be able to get a kerberos + ticket. +- If you have a custom configured `/etc/krb5.conf`, you may need to + remove or move it. There is no real need for this file with a modern + kerberos domain like Active Directory. +- Run this command. Make sure the domain is upper case here: + + :::text + $ kinit Administrator@BORG.THEWALTER.LAN + +- You'll be prompted for the domain *Administrator* password. The one + you typed in the *Setting up Active Directory* step above. +- If successful `kinit` will show no output. You can use the `klist` + command to see your ticket. + +That's it. You're done.  
+ +You can add additional Active Directory users via the *Active Directory +Users and Computers* tool in the *Administrative Tools* section of the +*Start* menu in the Windows Server virtual machine. + +You may be prompted to Activate your Windows install. You won't need any +special information or keys or anything. Just go ahead with it. The +install you have is valid for 180 days, and will say in the lower left +corner how long you have left. + + [Windows 2008 R2 Enterprise server]: http://technet.microsoft.com/en-us/evalcenter/dd459137.aspx -- cgit v1.2.3
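Review bot: several of the emphasis markers in the new Markdown file are mis-spaced and will not render as intended, e.g. `*Get Started *button` (trailing space inside the emphasis), `*Finish. *`, and the runs with no space after the closing marker such as `*Network,*and`, `*Computer.*Right`, `*address.*Then`, `*only.*Now` and `*Standard (Full Installation)*and`; please move the space outside the asterisks in each case. In the same hunk, the install list item writes `` `virt-manager`, `libvirtd, qemu` `` with two package names inside one code span, which should be `` `libvirtd`, `qemu` ``, and the sentence "You should now be able to test you local server" should read "test your local server". A small point for readers of the DNS step: the `forwarders { 8.8.8.8; ... }` line is shown with a placeholder comment, so it may be worth stating plainly that the reader should substitute their own upstream resolver rather than copy the line verbatim.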