Welcome back! In my previous post, I covered the deployment and configuration of a virtual Sophos XG Firewall router appliance to provide routing services for the nested lab environment.
Next, I will cover the way I like to quickly configure my Active Directory Server and respective services. Typically, I leverage Windows Server Core OS for my needs but as this server will also serve as a “jump host” for the nested lab, I decided to install the Desktop Experience (GUI) version of Windows Server 2022 Datacenter Edition.
Note: The following sections assume that you already have a working Windows Server virtual machine; creating one is out of scope for this post and will not be covered.
As mentioned, I typically use Core versions of Windows Server, which are managed via PowerShell, so to set up my server as a Domain Controller I’ll run the following from an elevated PowerShell session.
As I mentioned previously, this lab will use a single server for all Active Directory services, but in my physical lab I tend to run two Domain Controllers. If you’d like a second one for the nested lab, stand up a second Windows Server VM and run the following on that server (DC2):
Then switch back to DC1 and run the following to set its DNS configuration to point to DC2 as the primary and itself as the secondary; this way both servers point to the opposite server as their primary DNS server:
### 1st DC ###
Get-DnsClientServerAddress
# Set the correct InterfaceIndex from previous command
Set-DnsClientServerAddress -InterfaceIndex 5 -ServerAddresses ("10.100.1.20","127.0.0.1") -Verbose
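The promotion commands the previous paragraphs refer to, as an added example and not the commands from the original post. It assumes the domain name demo.lab and NetBIOS name DEMO (both used later in this post), DC1 at 10.100.1.10 and DC2 at 10.100.1.20 (the addresses used in the DNS commands in this post), that each server already has its static IP and hostname set, and that you adjust InterfaceIndex 5 to your own adapter as the post does. Run each section on the server named in its heading; the promotion cmdlets reboot the server when they finish.

```powershell
# Added example (not from the original post). Assumptions: forest/domain demo.lab,
# NetBIOS name DEMO, DC1 = 10.100.1.10, DC2 = 10.100.1.20, static IP and hostname
# already configured on both servers. Run each section on the server it names.

### DC1: install the role and create the forest ###
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -Verbose
Import-Module ADDSDeployment

# The DSRM password is read interactively so it never lands in a script or the shell history.
$dsrmPassword = Read-Host -Prompt "Directory Services Restore Mode password" -AsSecureString

Install-ADDSForest `
    -DomainName "demo.lab" `
    -DomainNetbiosName "DEMO" `
    -ForestMode "WinThreshold" `   # Windows Server 2016 functional level, the highest available
    -DomainMode "WinThreshold" `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force:$true `
    -Verbose
# DC1 reboots here.

### DC2 (optional second domain controller): point DNS at DC1 first so it can find the domain ###
Get-DnsClientServerAddress
Set-DnsClientServerAddress -InterfaceIndex 5 -ServerAddresses ("10.100.1.10") -Verbose

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -Verbose
Import-Module ADDSDeployment
$dsrmPassword = Read-Host -Prompt "Directory Services Restore Mode password" -AsSecureString

Install-ADDSDomainController `
    -DomainName "demo.lab" `
    -Credential (Get-Credential "DEMO\Administrator") `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force:$true `
    -Verbose
# DC2 reboots here.

### DC2 after reboot: mirror of the DC1 DNS client setting shown in the post ###
# Primary = DC1, secondary = itself, so each DC prefers its partner and falls back to loopback.
Set-DnsClientServerAddress -InterfaceIndex 5 -ServerAddresses ("10.100.1.10","127.0.0.1") -Verbose

### Verify from either DC: both DCs listed, replication healthy, DNS and advertising tests pass ###
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, IsGlobalCatalog, OperationMasterRoles
repadmin /replsummary
dcdiag /test:Advertising /test:DNS
```

The verification step is worth running before installing anything that depends on the directory (the Enterprise CA in particular): an Enterprise Root CA publishes its certificate and templates into AD, so a DC that is not yet advertising or replicating will surface later as confusing enrollment failures rather than as an obvious promotion error.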
In this lab setup, I am also going to configure this Jumpbox / Active Directory Domain Controller to serve as an Enterprise Root Certificate Authority, but in a traditional lab I would separate this onto its own VM.
To configure the server as a Certificate Authority for the lab, I will run the following PowerShell commands while logged in as the domain “Administrator” account:
Get-DnsClientServerAddress
# Set the correct InterfaceIndex from previous command
Set-DnsClientServerAddress -InterfaceIndex 5 -ServerAddresses ("127.0.0.1") -Verbose
# Run the following instead if you have an external CA with (2) DNS Servers
Set-DnsClientServerAddress -InterfaceIndex 5 -ServerAddresses ("10.100.1.10","10.100.1.20") -Verbose
# Join pc to domain if needed
Add-Computer -DomainName "demo.lab" -Credential (Get-Credential "DEMO\Administrator") -Restart -Confirm:$false -Verbose
Import-Module ServerManager
Add-WindowsFeature -Name RSAT-AD-Tools
#region
# Install IIS Remote Mgmt if CA is installed on Server Core OS
Install-WindowsFeature Web-Mgmt-Service
Enable-NetFirewallRule -DisplayGroup "Windows Remote Management"
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WebManagement\Server -Name EnableRemoteManagement -Value 1
Set-Service -Name WMSVC -StartupType Automatic
Start-Service WMSVC
# Run the following on the remote system used to manage IIS
# Desktop OS
Enable-WindowsOptionalFeature -Online -FeatureName "IIS-WebServerManagementTools" -All -Verbose
# Server OS
Install-WindowsFeature Web-Mgmt-Service -IncludeManagementTools -Verbose
#endregion
# Install ADCS
Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools -Verbose
$CA_Name = "demo-lab-ca"
$CP_Name = "RSA#Microsoft Software Key Storage Provider"
Install-AdcsCertificationAuthority -CACommonName $CA_Name -CAType EnterpriseRootCa -CryptoProviderName $CP_Name -Credential (Get-Credential "DEMO\Administrator") -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 10 -Force -Verbose
Install-WindowsFeature ADCS-Web-Enrollment -IncludeManagementTools -Verbose
Install-AdcsWebEnrollment -Force -Verbose
At this point, if you navigate to the URL of the CA server at http://[IP or FQDN]/certsrv, you should be prompted to authenticate and then see the following page(s).
From here, I usually download and install the CA certificate locally and then create a GPO to push the certificate to all Windows machines in the domain.
Right-click the downloaded certificate file and click Install Certificate. Choose Local Machine as the store location and click Next. Select Place all certificates in the following store: then Browse and select Trusted Root Certification Authorities, then click OK, Next, Finish.
To create a GPO, open the Group Policy Management utility. I already had the admin MMC console configured with this snap-in, so I was able to access it quickly and set up a GPO.
This at least gets us started; we can hop back in later and configure additional users, groups, GPOs, DNS records, DHCP scopes, etc. as needed, but we’re not done just yet! I like to secure the connection to the Web Enrollment Server URL with HTTPS, and that has to be configured in IIS.
Open up IIS Manager on the CA server, navigate to the Default Web Site and click on Bindings, then click Add. Set the Type to https, select the SSL certificate that is named after the CA server from the dropdown menu (in my case dc.demo.lab), click OK, then Close. Next, select the CertSrv application under the Default Web Site and double-click SSL Settings. Enable the Require SSL checkbox, then click Apply. Afterwards, navigate again to the Web Enrollment Server URL, this time using https://[FQDN]/certsrv, authenticate if asked to do so, and now we can see that we have a certificate securing our connection.
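The same binding and Require SSL change, done from PowerShell instead of IIS Manager and followed by a check that plain HTTP is actually refused. This is an added example, not part of the original post; it assumes the CA host name dc.demo.lab used above and that the machine certificate issued to that name is already in the Local Machine Personal store (as it is once the Enterprise CA is up and the DC has enrolled).

```powershell
# Added example (not from the original post). Assumptions: web enrollment host
# dc.demo.lab, its server certificate already present in Cert:\LocalMachine\My.
Import-Module WebAdministration

$fqdn = "dc.demo.lab"
$site = "Default Web Site"

# Pick the newest certificate issued to the host name that has a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $fqdn found in Cert:\LocalMachine\My" }

# Add the https binding on 443 if missing, then attach the certificate to it.
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443
}
if (-not (Test-Path "IIS:\SslBindings\0.0.0.0!443")) {
    New-Item -Path "IIS:\SslBindings\0.0.0.0!443" -Value $cert | Out-Null
}

# Require SSL on the CertSrv application only (same as the SSL Settings checkbox).
Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Location "$site/CertSrv" `
    -Filter "system.webServer/security/access" -Name "sslFlags" -Value "Ssl"

# Verify: HTTPS answers with Windows auth, plain HTTP is refused (IIS returns 403.4).
$https = Invoke-WebRequest -Uri "https://$fqdn/certsrv/" -UseDefaultCredentials -UseBasicParsing
"HTTPS status: $($https.StatusCode) using certificate $($cert.Thumbprint)"
try {
    Invoke-WebRequest -Uri "http://$fqdn/certsrv/" -UseDefaultCredentials -UseBasicParsing | Out-Null
    Write-Warning "HTTP still serves CertSrv: Require SSL is not in effect"
} catch {
    "HTTP status: $($_.Exception.Response.StatusCode.value__) (403 expected)"
}
```

The check at the end matters more than the binding itself: the Require SSL flag is set per application, so a typo in the location path leaves the enrollment pages (and the Windows credentials sent to them) reachable over plain HTTP while the HTTPS binding still looks fine in IIS Manager.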
I also like to generate Certificate Signing Requests (CSRs) using the OpenSSL utility, which is commonly used to generate CSRs and certificates for VMware products, so I will install it via my favorite CLI-driven application/package management tool…Chocolatey!
To install Chocolatey, from an elevated shell run the following:
Next, I will create a certificate template which will be used to sign CSRs later on, following the instructions in VMware KB Article 2112009. And to round things off, the last thing I will do is enable certificate auto-enrollment following the instructions in this guide.
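The end-to-end workflow the last three paragraphs describe (install Chocolatey and OpenSSL, build a CSR with the SANs VMware products expect, have the lab CA sign it with the VMware template, and check the result), as one added example that is not from the original post. It assumes a hypothetical vCenter appliance vcsa.demo.lab at 10.100.1.30 (constructed values), the CA demo-lab-ca on dc.demo.lab from the commands above, and a template name placeholder that you replace with whatever you named the template created from KB 2112009. The Chocolatey line is the project's official install command; the helper function is my own.

```powershell
# Added example (not from the original post). Assumptions: hypothetical appliance
# vcsa.demo.lab / 10.100.1.30, CA "dc.demo.lab\demo-lab-ca" (from the post), and a
# template name placeholder below. Run from an elevated PowerShell session.

# 1) Install Chocolatey (official one-liner, fetched over TLS 1.2), then OpenSSL.
Set-ExecutionPolicy Bypass -Scope Process -Force
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
choco install openssl -y
# Refresh PATH for this session so openssl.exe resolves without reopening the shell.
$env:Path = [System.Environment]::GetEnvironmentVariable("Path", "Machine") + ";" +
            [System.Environment]::GetEnvironmentVariable("Path", "User")

# 2) Request config: CN plus DNS and IP SANs (VMware rejects certs whose SAN omits the host name).
$hostName  = "vcsa.demo.lab"   # hypothetical appliance
$ipAddress = "10.100.1.30"     # constructed address
$workDir   = "C:\certs\$hostName"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
@"
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = $hostName
O  = Demo Lab
C  = US

[ v3_req ]
subjectAltName   = DNS:$hostName, IP:$ipAddress
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
"@ | Set-Content -Path "$workDir\req.cfg" -Encoding ascii

# 3) Key + CSR (-nodes: the appliance needs the plaintext key, so keep $workDir restricted),
#    then submit to the enterprise CA against the VMware template.
openssl req -new -newkey rsa:2048 -nodes -keyout "$workDir\$hostName.key" `
    -out "$workDir\$hostName.csr" -config "$workDir\req.cfg"
$caConfig = "dc.demo.lab\demo-lab-ca"
$template = "<YourVMwareTemplateName>"   # placeholder: the template created from KB 2112009
certreq -submit -config $caConfig -attrib "CertificateTemplate:$template" `
    "$workDir\$hostName.csr" "$workDir\$hostName.cer"

# 4) Normalise to PEM (certreq/certutil may emit DER or Base64), then check SANs and the chain.
function ConvertTo-Pem {
    # Helper written for this example: copies a PEM file as-is, converts DER to PEM.
    param([string]$InFile, [string]$OutFile)
    if ((Get-Content -Path $InFile -Raw) -match "BEGIN CERTIFICATE") {
        Copy-Item -Path $InFile -Destination $OutFile -Force
    } else {
        openssl x509 -inform DER -in $InFile -out $OutFile
    }
}
certutil -config $caConfig -ca.cert "$workDir\root.cer" | Out-Null
ConvertTo-Pem -InFile "$workDir\root.cer"          -OutFile "$workDir\root.pem"
ConvertTo-Pem -InFile "$workDir\$hostName.cer"     -OutFile "$workDir\$hostName.pem"
openssl x509 -in "$workDir\$hostName.pem" -noout -subject -ext subjectAltName
openssl verify -CAfile "$workDir\root.pem" "$workDir\$hostName.pem"
```

The verify step uses the root exported straight from the CA rather than whatever is in the local trust store, so it tells you the CA actually signed with the expected key; the SAN print-out catches the most common cause of VMware certificate replacement failures, a template or config that dropped the DNS or IP entry.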
In the next post, I will cover how to deploy the nested ESXi VMs and vCenter Server.
I hope you’ve enjoyed the material thus far, and I thank you for reading!