rgl / Windows Domain Controller Vagrant
Programming Languages
Projects that are alternatives of or similar to Windows Domain Controller Vagrant
This is an example on how to create a Windows Domain Controller using Vagrant and PowerShell.
This also shows how to add a Computer to an existing domain using PowerShell.
This will create an example.com Active Directory Domain Forest.
This will also install a Certification Authority with a GPO to automatically enroll computers with a certificate signed by the trusted domain CA, Remote Desktop users will therefore see and use trusted certificates.
This will also set the user photo with a GPO.
This will also set the Remote Desktop Users group with a GPO.
This will also setup the whoami group Managed Service Account (gMSA).
This setup will use the following static IP addresses:
| IP | Hostname | Description |
|---|---|---|
| 192.168.56.2 | dc.example.com | Domain Controller Computer |
| 192.168.56.3 | windows.example.com | Test Windows Computer |
| 192.168.56.4 | ubuntu.example.com | Test Ubuntu Computer |
NB these are hardcoded in several files. Find then with grep -r 192.168.56. ..
Install the Windows 2019 base box.
Install the Ubuntu 20.04 base box.
Install the required Vagrant plugins:
vagrant plugin install vagrant-windows-sysprep
vagrant plugin install vagrant-reload
Start by launching the Domain Controller environment:
vagrant up --provider=virtualbox # or --provider=libvirt
Launch the test nodes:
cd test-nodes
vagrant up --provider=virtualbox # or --provider=libvirt
Sign-in on the test nodes with one of the following accounts:
- Username
john.doeand passwordHeyH0Password.- This account is also a Domain Administrator.
- Username
jane.doeand passwordHeyH0Password. - Username
Administratorand passwordHeyH0Password.- This account is also a Domain Administrator.
- Username
.\vagrantand passwordpassword.-
NB you MUST use the local
vagrantaccount. because the domain also has avagrantaccount, and that will mess-up the local one...
-
NB you MUST use the local
You can login at the machine console.
You can login with remote desktop, e.g.:
xfreerdp /v:192.168.56.2 /u:john.doe /p:HeyH0Password /size:1440x900 +clipboard
You can login with ssh, e.g.:
ssh [email protected]
Active Directory LDAP
You can use a normal LDAP client for acessing the Active Directory.
It accepts the following Bind DN formats:
-
<userPrincipalName>@<DNS domain>, e.g.[email protected] -
<sAMAccountName>@<NETBIOS domain>, e.g.[email protected] -
<NETBIOS domain>\<sAMAccountName>, e.g.EXAMPLE\jane.doe -
<DN for an entry with a userPassword attribute>, e.g.CN=jane.doe,CN=Users,DC=example,DC=com
NB sAMAccountName MUST HAVE AT MOST 20 characters.
Some attributes are available in environment variables:
| Attribute | Environment variable | Example |
|---|---|---|
sAMAccountName |
USERNAME |
jane.doe |
sAMAccountName |
USERPROFILE |
C:\Users\jane.doe |
NETBIOS domain |
USERDOMAIN |
EXAMPLE |
DNS domain |
USERDNSDOMAIN |
EXAMPLE.COM |
You can list all of the active users using ldapsearch as:
ldapsearch \
-H ldap://dc.example.com \
-D [email protected] \
-w HeyH0Password \
-x -LLL \
-b CN=Users,DC=example,DC=com \
'(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' \
sAMAccountName userPrincipalName userAccountControl displayName cn mail
NB To have ldapsearch you can install the msys2 mingw-w64-openldap package with pacman -Sy mingw-w64-x86_64-openldap.
For TLS, use -H ldaps://dc.example.com, after creating the ldaprc file with:
openssl x509 -inform der -in tmp/ExampleEnterpriseRootCA.der -out tmp/ExampleEnterpriseRootCA.pem
cat >ldaprc <<'EOF'
TLS_CACERT tmp/ExampleEnterpriseRootCA.pem
TLS_REQCERT demand
EOF
Troubleshoot TLS with:
# see the TLS certificate validation result:
echo | openssl s_client -connect dc.example.com:636 -servername dc.example.com -CAfile tmp/ExampleEnterpriseRootCA.pem
# see the TLS certificate being returned by the server:
echo | openssl s_client -connect dc.example.com:636 -servername dc.example.com | openssl x509 -noout -text -in -
Active Directory DNS
You can update the DNS zone using the computer principal credentials, e.g.:
kinit --keytab=/etc/sssd/sssd.keytab 'ubuntu$'
nsupdate -g <<'EOF'
server dc.example.com
zone example.com.
update delete ubuntu.example.com. in A
update add ubuntu.example.com. 60 in A 192.168.56.4
update delete ubuntu.example.com. in TXT
update add ubuntu.example.com. 60 in TXT "hello world"
send
EOF
kdestroy
Hyper-V Usage
Follow the rgl/windows-vagrant Hyper-V Usage section.
Create the required virtual switches:
PowerShell -NoLogo -NoProfile -ExecutionPolicy Bypass <<'EOF'
@(
@{Name='windows-domain-controller'; IpAddress='192.168.56.1'}
) | ForEach-Object {
$switchName = $_.Name
$switchIpAddress = $_.IpAddress
$networkAdapterName = "vEthernet ($switchName)"
$networkAdapterIpAddress = $switchIpAddress
$networkAdapterIpPrefixLength = 24
# create the vSwitch.
New-VMSwitch -Name $switchName -SwitchType Internal | Out-Null
# assign it an host IP address.
$networkAdapter = Get-NetAdapter $networkAdapterName
$networkAdapter | New-NetIPAddress `
-IPAddress $networkAdapterIpAddress `
-PrefixLength $networkAdapterIpPrefixLength `
| Out-Null
}
# remove all virtual switches from the windows firewall.
Set-NetFirewallProfile `
-DisabledInterfaceAliases (
Get-NetAdapter -name "vEthernet*" | Where-Object {$_.ifIndex}
).InterfaceAlias
EOF