Title: How to create an Active Directory domain to test against
Date: 2012-08-03
Tags: technical, security
Slug: how-to-create-active-directory-domain

Many interested people want to help test the Active Directory work and
bug fixes we've been doing. But sadly there are no public Active Directory
servers that I know of. So here's how to set up a virtual machine with
your own Active Directory. It's not that hard.

### 1. Preparation

-   Each Active Directory has a unique domain name. Choose one. You can
    choose a subdomain of a domain you own, or one that's completely
    made up. I chose `borg.thewalter.lan`
-   Download the evaluation edition of [Windows 2008 R2 Enterprise server][]. Click the *Get Started* button at that link to download
    it. The evaluation edition is valid for 180 days. You should end up
    with an ISO file named something
    like: `7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso`
-   We'll be using virt-manager in this tutorial, so install
    `virt-manager`, `libvirtd`, `qemu` and all their dependencies.

### 2. Create a virtual network

-   The Active Directory server will need a static IP address. The
    `default` virtual network configured by libvirtd does not have any
    space for a static IP address, so we need to create a new virtual
    network.
-   Start `virt-manager` and make sure you're connected to the
    *localhost (QEMU)* connection.
-   Click on *localhost (QEMU)* and choose *Edit* \> *Connection
    Details* from the menu.
-   Choose the *Virtual Networks* tab in the dialog that pops up and
    click the add button.
-   Use settings like:  
   *Network Name*: ad  
   *Network*: `192.168.12.0/24`  
   *Enable DHCP*: checked  
   *Start*: `192.168.12.128`  
   *End*: `192.168.12.254`
-   Notice that we left some space between the start of the netblock and
    the first DHCP-allocated address; the static address for the Active
    Directory server will go there. virt-manager actually leaves this gap
    by default for added virtual networks like this one.
-   You probably want to *Forward* (via *NAT*) to your physical network.
    That makes it easier to activate windows later and get updates.
-   Complete the wizard and you're done.
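As an added example that is not part of the original article, the same `ad` network can be defined from the shell with `virsh` instead of clicking through the virt-manager wizard. It assumes libvirt's `virsh` is installed and that `qemu:///system` is the connection virt-manager shows as *localhost (QEMU)*; the function names are my own. It also checks that the server's static address falls outside the DHCP range, which is the reason for the gap described above.

```shell
#!/bin/sh
# Added example, not from the original article: define the "ad" virtual
# network of section 2 with virsh instead of the virt-manager wizard.
# Assumes libvirt's virsh is installed and qemu:///system is reachable.

# Print libvirt network XML. Arguments: network name, first three octets of
# the /24, DHCP range start and end (last octet). NAT forwarding matches the
# "Forward via NAT" choice in the article; libvirt picks the bridge name.
ad_network_xml() {
    name="$1"; base="$2"; dhcp_start="$3"; dhcp_end="$4"
    cat <<EOF
<network>
  <name>${name}</name>
  <forward mode="nat"/>
  <ip address="${base}.1" netmask="255.255.255.0">
    <dhcp>
      <range start="${base}.${dhcp_start}" end="${base}.${dhcp_end}"/>
    </dhcp>
  </ip>
</network>
EOF
}

# Sanity check before defining: the DC's static address must not be the
# gateway (.1) and must lie outside the DHCP range, or the DHCP server may
# hand the same address to another guest. Arguments: DC host octet, DHCP
# start and end octets. Returns 0 when the address is safe to use.
static_ip_outside_dhcp() {
    host="$1"; start="$2"; end="$3"
    [ "$host" -gt 1 ] && { [ "$host" -lt "$start" ] || [ "$host" -gt "$end" ]; }
}

# Define, autostart and start the network; virsh net-define wants a file.
# Arguments: name, /24 base, DHCP start, DHCP end, DC host octet.
define_ad_network() {
    name="$1"; base="$2"; dhcp_start="$3"; dhcp_end="$4"; dc_host="$5"
    static_ip_outside_dhcp "$dc_host" "$dhcp_start" "$dhcp_end" || {
        echo "DC address ${base}.${dc_host} collides with the DHCP range" >&2
        return 1
    }
    tmp=$(mktemp) || return 1
    ad_network_xml "$name" "$base" "$dhcp_start" "$dhcp_end" > "$tmp"
    virsh --connect qemu:///system net-define "$tmp" \
        && virsh --connect qemu:///system net-autostart "$name" \
        && virsh --connect qemu:///system net-start "$name"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage with the article's values: sh this_script.sh define
case "${1:-}" in
    define) define_ad_network ad 192.168.12 128 254 10 ;;
esac
```

Running the script with the `define` argument creates the network with the same settings as the wizard (`192.168.12.0/24`, DHCP from `.128` to `.254`, NAT to the physical network) and refuses to proceed if the server address you intend to use (`.10` here) would sit inside the DHCP pool.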

### 3. Create a new virtual machine

-   In the main virt-manager window, click the create button in the
    toolbar to create a new virtual machine.
-   Type the domain name you chose above as the virtual machine *Name*.
-   Choose *Local install media* and when prompted select the *ISO
    image* you downloaded above as the *install media*.
-   Set *OS type* to *Windows*, and *Version* to *Microsoft Windows
    Server 2008*.
-   512 MB of memory is enough, 1 CPU is enough. Feel free to set these
    higher if you like.
-   Create a new virtual disk with at least 10 GB of disk space.
-   On the last page of the *Create a new virtual machine* dialog,
    expand the *Advanced options* section and choose the network you
    created above.
-   Complete the dialog and the virtual machine should be created. Then
    the Windows install should begin.

### 4. Windows Server install

-   Choose whatever keyboard and language you want on the first dialog
    of the install.
-   On the next page choose *Install now*.
-   A list of types of Windows Server installs should show up. Choose
    *Windows Server 2008 R2 Standard (Full Installation)* and go to the
    next page.
-   Read and accept the license.
-   Choose *Custom (advanced)* when prompted how to install Windows.
-   Select the disk to install Windows on. There should only be one
    choice which is the virtual disk you configured when you created the
    virtual machine.
-   Windows Server will proceed to install, and will reboot a couple
    times in the process.
-   Once the system is ready, you will be prompted to change the
    *Administrator* password. This is actually setting the password for
    the first time. This is the password for the *Administrator* account
    on the server itself, not the administrator of the Active Directory
    domain, which you'll set later. You can use the same password for
    both, since this is a test install.
-   If all goes well you should be logged into your new server at this
    point. A bunch of helpful windows will pop up, but you don't need to
    do anything with them.

### 5. Set the IP address

-   An Active Directory server acts as an LDAP and DNS server, and needs
    a static IP address.
-   Click *Start* \> *Network*, and then click the *Change adapter
    settings* link in the window that comes up. Another window should
    appear.
-   Right click on the *Local Area Connection* item and choose
    *Properties* in the menu.
-   Click on the *Internet Protocol Version 4 (TCP/IPv4)* item and then
    click the *Properties* button. A dialog for setting the addresses
    comes up.
-   Choose *Use the following IP address*. Then set the relevant fields.
    The settings here are based on the virtual network you created
    above; if you used a different netblock then modify as appropriate:  
   *IP Address*: `192.168.12.10`  
   *Subnet mask*: `255.255.255.0`  
   *Default gateway*: `192.168.12.1`  
   *Preferred DNS Server*: `192.168.12.1`
-   Click OK or Close in the various dialogs to complete things.

### 6. Set the machine name

-   An Active Directory server should have a well-known DNS name. You
    don't need to set it in DNS yourself: just name the server
    appropriately and Active Directory will do the rest.
-   Click *Start* \> *Computer*, and a window should come up.
-   In the left pane of the window, there's an item called
    *Computer*. Right-click on it and choose *Properties* from the menu.
    Another window should show up.
-   Click *Change Settings*, and a dialog will come up.
-   In the *Computer Name* tab click the *Change...* button, which
    displays another dialog.
-   Set `DC` as the *Computer name* or another name of your choice.
    Don't worry about the *Member of Domain or Workgroup* stuff yet.
-   Click OK and/or Close to complete the changes. You'll be prompted to
    restart, so go ahead and do that.

### 7. Setting up Active Directory

-   Click *Start* \> *Run* and type `DCPROMO` in the dialog that comes
    up.
-   A progress window will come up which explains about installing some
    components. This takes a while.
-   A wizard will eventually show up. Click through the introduction and
    warnings.
-   Choose *Create a new domain in a new forest*.
-   On the next page enter the domain you chose earlier, like
    `borg.thewalter.lan`
-   Choose the *Forest functional level*. You can choose whichever one
    you like. Choosing *2008 R2* is a decent choice. You can test
    against various Active Directory servers with different levels to
    simulate different domains you might encounter in the wild.
-   Make sure *DNS Server* is chosen on the next page.
-   Once you complete that, a dialog will come up warning you about how
    the DNS delegation cannot be created. We'll do that manually below,
    so this is nothing to worry about. Choose *Yes*.
-   Leave the default paths for database and log files.
-   Choose a domain *Administrator* password. Logically this is
    different from the local server *Administrator* account you set the
    password for above. But you can use the same password to keep things
    simple.
-   Review the selections if you're interested, and then click *Next* to
    complete things.
-   Wait a while for the installation and configuration to complete, then click *Finish*.
-   You'll need to *Restart Now*.
-   The reboot after installing Active Directory will take a while as it
    does a bunch of stuff on the first boot.

### 8. Setup DNS to work with Active Directory

-   Back on your Linux box you'll want to be able to connect to Active
    Directory. To do this you need to set up DNS. Active Directory comes
    with its own DNS server; you just need to tell your local host where
    it is. To do this we'll install a local caching name server.
-   Install bind. If you're on Fedora you can use a command
    like: `# yum install caching-nameserver`
-   After the install completes, edit `/etc/named.conf` and add the
    following line to your main *options* section:  

        :::text
        forwarders { 8.8.8.8; /* ... or the address of your ISP DNS server */ };

-   And add this to the end of `/etc/named.conf`. Modify for your domain
    name or server static IP address assigned above:  

        :::text
        zone "borg.thewalter.lan" { type stub; masters { 192.168.12.10; }; };

-   Restart the named service with: `# systemctl restart named.service`
-   Before configuring your host to use the local caching nameserver,
    test it with commands like:   

        :::text
        # host borg.thewalter.lan 127.0.0.1
        # host dc.borg.thewalter.lan 127.0.0.1
        # host google.com 127.0.0.1

-   Once you know it's working, use `nm-connection-editor` to edit your
    connection. Choose your connection, and on the *IPv4 Settings* tab,
    choose *Automatic (DHCP) addresses only*. Now set `127.0.0.1` as the
    *DNS servers*.
-   You should now be able to test your local server with commands like:  

        :::text
        # host borg.thewalter.lan
        # host dc.borg.thewalter.lan
        # host google.com

### 9. Test that the Active Directory domain works

-   On your host Linux box you should now be able to get a Kerberos
    ticket.
-   If you have a custom-configured `/etc/krb5.conf`, you may need to
    remove or move it. There is no real need for this file with a modern
    Kerberos domain like Active Directory, since the KDC is located via
    the DNS SRV records the server publishes.
-   Run this command. Make sure the domain is upper case here:

        :::text
        $ kinit Administrator@BORG.THEWALTER.LAN

-   You'll be prompted for the domain *Administrator* password. The one
    you typed in the *Setting up Active Directory* step above.
-   If successful `kinit` will show no output. You can use the `klist`
    command to see your ticket.

That's it. You're done. 

You can add additional Active Directory users via the *Active Directory
Users and Computers* tool in the *Administrative Tools* section of the
*Start* menu in the Windows Server virtual machine.

You may be prompted to Activate your Windows install. You won't need any
special information or keys or anything. Just go ahead with it. The
install you have is valid for 180 days, and will say in the lower left
corner how long you have left.

  [Windows 2008 R2 Enterprise server]: http://technet.microsoft.com/en-us/evalcenter/dd459137.aspx