PKI for Network Engineers (2/4): Directory Services

Greetings dear readers,

In this blog post, we’re going to set up the Active Directory infrastructure needed to build out our PKI. In part 1, we went over some theory and background information. It’s not necessary to read that post to continue on; however, since understanding the fundamentals of how PKI works is an objective of the series, I recommend it.

If you’re already familiar with active directory administration you can check out the lab info for the build and set it up.  For everyone else I’ve stepped through setting up our domain controller and joining a workstation to the domain.

This was supposed to be a three-part series, but the AD setup resulted in a fairly sizable post on its own. So this is now a four-part series. 🙂

Table of contents:

  • Lab Hardware
  • Lab Topology
  • Active Directory Domain Services
  • DHCP
  • Join workstation to domain

Lab Hardware, operating systems used:

This lab is being run on an Intel NUC running VMware ESXi 6. It has 32 GB of RAM and a 500 GB M.2 SSD.

These little guys are great.  They’re silent, fast, portable, and use very little power.  If you want to build one for yourself, here’s the parts list on Amazon:

https://www.amazon.com/gp/registry/wishlist/A65HYLGFKYSZ

As of this writing, the build cost is approx. $635.00

ESXi is a free download from vmware.com.  If you want to run vcenter (which is very nice to have), you can either download the evaluation version, or join VMUG Advantage.  VMUG Advantage is $200.00 a year and you get a pretty impressive list of toys to play with for the money. If you’re labbing at home a lot and want to run more than one ESXi host, I think it’s a good deal.  That can be found at https://www.vmug.com/Advantage/.

The Windows VMs were spun up using Windows Server 2012 R2 for the servers and Windows 10 Enterprise for the management station. You can download evaluation versions of these images from https://www.microsoft.com/en-us/evalcenter/.

Lab Topology:

[Figure: Lab topology]

Here’s the list of the machines, and what functions they’re going to serve:

  • dc01: Active Directory domain controller, DNS, DHCP
  • pki01: standalone root CA. Not domain joined.
  • pki02: enterprise issuing CA. Website for hosting the CDP and AIA. Network Device Enrollment Service.
  • nps01: Network Policy Server. This will function as a RADIUS server.
  • pc01: management station.

The domain should have two OUs created:

  • Densemode users
  • Densemode computers

In the densemode users OU, create an account called user1 with a password of Pass123.

The administrator password on all machines will be Pass123.

The steps to set everything up follow, so don’t worry if you’re not sure what to do.

Setting up Active Directory Domain Services (ADDS)

Prior to setting up ADDS, please ensure the dc01 machine has the following settings applied:

  • Computer Name: dc01
  • IP address: 10.1.1.201
  • Network mask: 255.255.255.0
  • Default gateway: 10.1.1.1
  • DNS server: 10.1.1.201

These items can be verified and configured from the Local Server pane of Server Manager.

Once that’s done, we’re ready to configure ADDS and DHCP.

With the local server selected, click Manage, then Add Roles and Features.

Click Server Selection.

Click Server Roles and select Active Directory Domain Services.

Make sure ‘Include management tools’ is selected, and click Add Features.

Click Confirmation, then Install.

When the ADDS role has been installed, note the text under the installation progress bar, then click Close.

Server Manager will now show a yellow triangle in the notification area. Click on the flag and click ‘Promote this server to a domain controller’.

At the Deployment Configuration screen, select ‘Add a new forest’ and type in a root domain name (densemode.com in this lab). Then click Next.

At the Domain Controller Options screen, enter a Directory Services Restore Mode (DSRM) password. My suggestion for labbing purposes is to use Pass123. Then click Next.

You’ll see a warning on the DNS Options screen that can be safely ignored. Click Next.

Accept the NetBIOS domain name and click Next.

On the Paths screen, click Next.

On the Review Options screen, click Next.

On the Prerequisites Check screen, you’ll see some yellow triangles. They’re informational in nature. Go ahead and click Install.

Once the installation is complete the machine will reboot. This is normal. Go ahead and log back in once Windows has restarted. Server Manager should launch automatically. If it doesn’t, launch it by clicking on its pinned icon on the taskbar.
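The same build as an unattended PowerShell script, added here as an example (it is not from the original post). It uses the post’s lab values (dc01, 10.1.1.201/24, gateway 10.1.1.1, densemode.com) and assumes a fresh Windows Server 2012 R2 VM with a single connected adapter on the isolated lab vSwitch.

```powershell
# Added example: unattended equivalent of the Server Manager steps above.
# Run with -Phase Network, let the VM reboot, then run again with -Phase Forest.
param([ValidateSet('Network', 'Forest')][string]$Phase = 'Network')

switch ($Phase) {
    'Network' {
        # Assumption: exactly one connected adapter on the lab vSwitch
        $nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
        Set-NetIPInterface -InterfaceIndex $nic.ifIndex -Dhcp Disabled
        New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress 10.1.1.201 `
            -PrefixLength 24 -DefaultGateway 10.1.1.1
        # The DC points DNS at itself, as the checklist above requires
        Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses 10.1.1.201
        # The new name only takes effect after a reboot, so promotion waits for phase 2
        Rename-Computer -NewName dc01 -Restart
    }
    'Forest' {
        Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
        Import-Module ADDSDeployment
        # DSRM password: the post suggests Pass123 for the lab; prompt rather than hardcode it
        $dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
        # Same prerequisite check the wizard runs; its warnings are the yellow triangles above
        Test-ADDSForestInstallation -DomainName densemode.com `
            -SafeModeAdministratorPassword $dsrm -InstallDns
        # New forest with integrated DNS and the NetBIOS name the wizard proposes.
        # The server reboots on completion, exactly like the GUI install.
        Install-ADDSForest -DomainName densemode.com -DomainNetbiosName DENSEMODE `
            -SafeModeAdministratorPassword $dsrm -InstallDns -Force
    }
}
```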

Let’s verify that our domain controller is functioning correctly.

From Server Manager click Tools, then Active Directory Users and Computers (ADUC).

Right click on the domain object, click New, then Organizational Unit.

Type in densemode users. If you used a different domain name, substitute it for densemode. Then click OK.

Click on the right-facing triangle to the left of the domain object to expand the list of containers. You should see the OU you created. Right click on it, and click New, then User.

Fill in the first name, last name, and user logon name (user1), then click Next.

Use Pass123 as the password. Uncheck ‘User must change password at next logon’ and check ‘Password never expires’. NOTE: You would never want to disable password expiration on a live network. This is for labbing purposes only.

Click Finish.

PRACTICE: Create an OU in your domain called ‘densemode computers’. If you used a different domain name, use the one you created. Then right click on the domain node and click Refresh. When you are done, you should have <domain> users and <domain> computers OUs next to each other.

As we move through later tasks, we’ll be making use of these containers. This is a good time to point out that in Active Directory it’s always a good idea to use your own OUs for user and computer objects rather than the default Users and Computers containers. The reasons for this will become clearer later on when we get to using group policy objects.

Additionally, by creating these objects, we’ve verified that our domain controller is working.
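The ADUC steps above, scripted and verified in PowerShell on dc01 after promotion. This is an added example, not the post’s own procedure; the OU and account names follow the post, while the user’s first and last name values are my placeholders.

```powershell
# Added example: create the two custom OUs and user1, then verify the DC is healthy.
Import-Module ActiveDirectory
$domain = Get-ADDomain                 # DNSRoot densemode.com, Name densemode
$base   = $domain.DistinguishedName    # DC=densemode,DC=com

# Health check first: clients can only find the DC if its SRV locator records are in DNS
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -Server 10.1.1.201 |
    Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Port

# '<domain> users' and '<domain> computers' beside the default containers; safe to re-run
foreach ($ou in "$($domain.Name) users", "$($domain.Name) computers") {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $base -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ou -Path $base -ProtectedFromAccidentalDeletion $true
    }
}

# user1 in the users OU. The post uses Pass123 for the lab; prompt rather than hardcode it.
$pw = Read-Host -AsSecureString -Prompt 'Password for user1'
New-ADUser -Name 'User One' -GivenName 'User' -Surname 'One' -SamAccountName 'user1' `
    -UserPrincipalName "user1@$($domain.DNSRoot)" -Path "OU=$($domain.Name) users,$base" `
    -AccountPassword $pw -Enabled $true `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true   # lab only, as the post notes

# Verify the account landed where the wizard would have put it, with the same flags
Get-ADUser -Identity user1 -Properties PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, DistinguishedName
```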

Setting up DHCP

Another infrastructure service we’re going to want in our test environment is DHCP. This will make it easy to add additional client devices. It’s pretty easy to set up; just make sure not to run it on your actual home network. Ideally you should run it on an isolated network. In my lab, I’m using a vSwitch that’s not backed by a physical NIC.

Let’s get started.

In Server Manager on dc01, click Manage, then Add Roles and Features.

Click Server Selection.

Now click Server Roles and select DHCP Server.

Select Add Features.

Select Confirmation, check ‘Restart the destination server automatically if required’, and click Yes.

Click Install.

When installation is complete you will see the ‘Configuration required. Installation succeeded’ message. Click Close.

Click the notification flag, then select Complete DHCP configuration.

Click Next.

Click Commit to authorize the DHCP server in AD.

Click Close.

Setting up the DHCP Scope

In Server Manager select Tools, then DHCP.

In DHCP Manager expand the server node, right click on IPv4, and select New Scope.

Click Next to begin the New Scope Wizard.

For the name enter “subnet 1”, then click Next.

On the IP Address Range screen, enter a range of 10.1.1.50 to 10.1.1.99 with a subnet mask of 255.255.255.0. Click Next.

On the Add Exclusions and Delay screen, click Next.

Change the lease duration to 8 hours. Click Next.

Select “Yes, I want to configure these options now”. Click Next.

For the router, enter 10.1.1.1 and click Add. Then click Next.

The DNS screen should be pre-populated with the DNS suffix and DNS server. The DNS server should be 10.1.1.201. Verify the settings and click Next.

Leave WINS servers blank. Click Next.

Select “Yes, I want to activate this scope now”. Click Next.

Click Finish.
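The DHCP role install, AD authorization and the “subnet 1” scope from the two sections above as one PowerShell script run on dc01. Added example, not from the post; all addresses, names and the lease time are the post’s lab values, and the ConfigurationState registry write is the documented way to clear Server Manager’s post-install flag.

```powershell
# Added example: DHCP role + 'Complete DHCP configuration' + the 'subnet 1' scope, on dc01.
Install-WindowsFeature -Name DHCP -IncludeManagementTools

# What the post-install wizard does: local DHCP admin groups, then authorize in AD
Add-DhcpServerSecurityGroup
Add-DhcpServerInDC -DnsName dc01.densemode.com -IPAddress 10.1.1.201
Restart-Service -Name DHCPServer
# Clear the 'Configuration required' flag Server Manager shows after the role install
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' `
    -Name ConfigurationState -Value 2

# Scope 10.1.1.50-10.1.1.99 /24, 8-hour leases, activated immediately
Add-DhcpServerv4Scope -Name 'subnet 1' -StartRange 10.1.1.50 -EndRange 10.1.1.99 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Hours 8) -State Active
# Scope options: router, DNS server and DNS suffix; WINS stays unset as in the wizard
Set-DhcpServerv4OptionValue -ScopeId 10.1.1.0 -Router 10.1.1.1 `
    -DnsServer 10.1.1.201 -DnsDomain densemode.com

# Verify: authorized in AD, scope active with the expected options, and bound only to
# the lab adapter (the post's warning about not serving your home network)
Get-DhcpServerInDC
Get-DhcpServerv4Scope -ScopeId 10.1.1.0 |
    Select-Object Name, StartRange, EndRange, LeaseDuration, State
Get-DhcpServerv4OptionValue -ScopeId 10.1.1.0 | Select-Object OptionId, Name, Value
Get-DhcpServerv4Binding | Select-Object InterfaceAlias, IPAddress, BindingState
```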

Verify DHCP and join workstation to the domain

Now we’re going to verify DHCP by connecting our management station to the lab network and joining it to the domain. This should be a clean installation of Windows 10 in a virtual machine with VMware Tools installed.

In the Cortana bar, type control panel and hit Enter.

Click the drop-down next to View by: and select Small icons.

Double click on System.

To the right of Computer name, domain, and workgroup settings, click “Change settings”.

Click Network ID.

Select “This computer is part of a business network…” and click Next.

Select “My company has a network with a domain” and click Next.

On the information screen click Next.

On the “Type your user name, password, and domain name” screen, enter:

  • User: administrator
  • Password: Pass123
  • Domain: densemode.com

Click Next.

On the “Type the computer name and computer domain name” screen, enter:

  • Computer Name: pc01
  • Computer Domain: densemode.com

In the enter domain user name and password screen enter the following:

  • User: administrator
  • Password: Pass123
  • Domain: densemode.com

Click OK.

If everything is working, you will be advised that you’ll need to restart your computer. Click Finish.

After completing the wizard, you will be placed back at the System Properties screen. Click OK.

Click Restart Now.

After the computer restarts, select Other user at the logon screen.

Log on using the account we created in the Active Directory Domain Services exercise:

(logon, password) user1/Pass123

If you’re able to log on, congratulations! You’ve built your basic infrastructure and we’re ready to start installing Active Directory Certificate Services.
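The DHCP check and domain join from pc01 in PowerShell, added here as an example rather than taken from the post. It uses the post’s values (densemode.com, pc01, DC at 10.1.1.201, the administrator account) and, going slightly beyond the wizard, places the computer object straight into the ‘densemode computers’ OU created earlier instead of the default Computers container.

```powershell
# Added example: run on pc01 before the join. Verifies the lease came from dc01's scope,
# then joins the domain into the custom computers OU and reboots.
$lease = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object PrefixOrigin -eq 'Dhcp' | Select-Object -First 1
if (-not $lease -or $lease.IPAddress -notlike '10.1.1.*') {
    throw "No lease from the lab scope (got '$($lease.IPAddress)'); check the vSwitch and dc01"
}
$dns = (Get-DnsClientServerAddress -InterfaceIndex $lease.InterfaceIndex `
            -AddressFamily IPv4).ServerAddresses
if (@($dns) -ne '10.1.1.201') {
    throw "DHCP handed out unexpected DNS servers: $($dns -join ', ')"
}

# The join only works if the DC locator records resolve through the DNS we were given
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.densemode.com' -Type SRV |
    Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port

# Domain administrator credentials (the post uses Pass123 for the lab); prompt for them
$cred = Get-Credential -UserName 'DENSEMODE\administrator' -Message 'Domain join credentials'

# Rename and join in one step, landing in the OU from the ADUC exercise; reboots when done
Add-Computer -DomainName densemode.com -NewName pc01 -Credential $cred `
    -OUPath 'OU=densemode computers,DC=densemode,DC=com' -Restart

# After the reboot, log on as DENSEMODE\user1 (Pass123) and confirm the machine trust:
#   Test-ComputerSecureChannel -Verbose   # True when the secure channel to dc01 works
#   nltest /dsgetdc:densemode.com         # shows which DC answered the locator query
```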

In the next post, we’ll install Active Directory Certificate Services.