Skip to content

salderma/windows-domain-controller-vagrant

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

70 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

This is an example on how to create a Windows Domain Controller using Vagrant and PowerShell.

This also shows how to add a Computer to an existing domain using PowerShell.

This will create an example.com Active Directory Domain Forest.

This will also install a Certification Authority with a GPO to automatically enroll computers with a certificate signed by the trusted domain CA, Remote Desktop users will therefore see and use trusted certificates.

This will also set the user photo with a GPO.

This will also set the Remote Desktop Users group with a GPO.

This will also setup the whoami group Managed Service Account (gMSA).

This setup will use the following static IP addresses:

IP Hostname Description
192.168.56.2 dc.example.com Domain Controller Computer
192.168.56.3 windows.example.com Test Windows Computer
192.168.56.4 ubuntu.example.com Test Ubuntu Computer

NB these are hardcoded in several files. Find then with grep -r 192.168.56. ..

Install the Windows 2022 base box.

Install the Ubuntu 20.04 base box.

Install the required Vagrant plugins:

vagrant plugin install vagrant-windows-sysprep
vagrant plugin install vagrant-reload

Start by launching the Domain Controller environment:

vagrant up --provider=virtualbox # or --provider=libvirt

Launch the test nodes:

cd test-nodes
vagrant up --provider=virtualbox # or --provider=libvirt

Sign-in on the test nodes with one of the following accounts:

  • Username john.doe and password HeyH0Password.
    • This account is also a Domain Administrator.
  • Username jane.doe and password HeyH0Password.
  • Username Administrator and password HeyH0Password.
    • This account is also a Domain Administrator.
  • Username .\vagrant and password password.
    • NB you MUST use the local vagrant account. because the domain also has a vagrant account, and that will mess-up the local one...

You can login at the machine console.

You can login with remote desktop, e.g.:

xfreerdp /v:192.168.56.2 /u:john.doe /p:HeyH0Password /size:1440x900 +clipboard

You can login with ssh, e.g.:

Active Directory LDAP

You can use a normal LDAP client for acessing the Active Directory.

It accepts the following Bind DN formats:

  • <userPrincipalName>@<DNS domain>, e.g. [email protected]
  • <sAMAccountName>@<NETBIOS domain>, e.g. jane.doe@EXAMPLE
  • <NETBIOS domain>\<sAMAccountName>, e.g. EXAMPLE\jane.doe
  • <DN for an entry with a userPassword attribute>, e.g. CN=jane.doe,CN=Users,DC=example,DC=com

NB sAMAccountName MUST HAVE AT MOST 20 characters.

Some attributes are available in environment variables:

Attribute Environment variable Example
sAMAccountName USERNAME jane.doe
sAMAccountName USERPROFILE C:\Users\jane.doe
NETBIOS domain USERDOMAIN EXAMPLE
DNS domain USERDNSDOMAIN EXAMPLE.COM

You can list all of the active users using ldapsearch as:

ldapsearch \
  -H ldap://dc.example.com \
  -D [email protected] \
  -w HeyH0Password \
  -x -LLL \
  -b CN=Users,DC=example,DC=com \
  '(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' \
  sAMAccountName userPrincipalName userAccountControl displayName cn mail

NB To have ldapsearch you can install the msys2 mingw-w64-openldap package with pacman -Sy mingw-w64-x86_64-openldap.

For TLS, use -H ldaps://dc.example.com, after creating the ldaprc file with:

openssl x509 -inform der -in tmp/ExampleEnterpriseRootCA.der -out tmp/ExampleEnterpriseRootCA.pem
cat >ldaprc <<'EOF'
TLS_CACERT tmp/ExampleEnterpriseRootCA.pem
TLS_REQCERT demand
EOF

Troubleshoot TLS with:

# see the TLS certificate validation result:
echo | openssl s_client -connect dc.example.com:636 -servername dc.example.com -CAfile tmp/ExampleEnterpriseRootCA.pem
# see the TLS certificate being returned by the server:
echo | openssl s_client -connect dc.example.com:636 -servername dc.example.com | openssl x509 -noout -text -in -

Active Directory DNS

You can update the DNS zone using the computer principal credentials, e.g.:

kinit --keytab=/etc/sssd/sssd.keytab 'ubuntu$'
nsupdate -g <<'EOF'
server dc.example.com
zone example.com.
update delete ubuntu.example.com. in A
update add ubuntu.example.com. 60 in A 192.168.56.4
update delete ubuntu.example.com. in TXT
update add ubuntu.example.com. 60 in TXT "hello world"
send
EOF
kdestroy

Hyper-V Usage

Follow the rgl/windows-vagrant Hyper-V Usage section.

Create the required virtual switches:

PowerShell -NoLogo -NoProfile -ExecutionPolicy Bypass <<'EOF'
@(
  @{Name='windows-domain-controller'; IpAddress='192.168.56.1'}
) | ForEach-Object {
  $switchName = $_.Name
  $switchIpAddress = $_.IpAddress
  $networkAdapterName = "vEthernet ($switchName)"
  $networkAdapterIpAddress = $switchIpAddress
  $networkAdapterIpPrefixLength = 24

  # create the vSwitch.
  Hyper-V\New-VMSwitch -Name $switchName -SwitchType Internal | Out-Null

  # assign it an host IP address.
  $networkAdapter = Get-NetAdapter $networkAdapterName
  $networkAdapter | New-NetIPAddress `
    -IPAddress $networkAdapterIpAddress `
    -PrefixLength $networkAdapterIpPrefixLength `
    | Out-Null
}

# remove all virtual switches from the windows firewall.
Set-NetFirewallProfile `
  -DisabledInterfaceAliases (
        Get-NetAdapter -name "vEthernet*" | Where-Object {$_.ifIndex}
    ).InterfaceAlias
EOF

About

Example Windows Domain Controller

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • PowerShell 87.4%
  • Shell 10.1%
  • HTML 1.9%
  • Makefile 0.6%