{"id":1826,"date":"2023-04-23T17:05:13","date_gmt":"2023-04-23T21:05:13","guid":{"rendered":"https:\/\/ithinkvirtual.com\/?p=1826"},"modified":"2023-04-28T08:49:08","modified_gmt":"2023-04-28T12:49:08","slug":"nested-vsphere-home-lab-part-2-active-directory-certificate-authority","status":"publish","type":"post","link":"https:\/\/ithinkvirtual.com\/2023\/04\/23\/nested-vsphere-home-lab-part-2-active-directory-certificate-authority\/","title":{"rendered":"Nested vSphere Home Lab – Part 2 – Active Directory & Certificate Authority"},"content":{"rendered":"\n

intro<\/h2>\n\n\n\n

Welcome back! In my previous<\/a> post, I covered the deployment and configuration of a virtual Sophos XG Firewall<\/a> router appliance to provide routing services for the nested lab environment.<\/p>\n\n\n\n

Active Directory<\/h3>\n\n\n\n

Next, I will cover the way I like to quickly configure my Active Directory Server and respective services.  Typically, I leverage Windows Server Core<\/a> OS for my needs but as this server will also serve as a “jump host” for the nested lab, I decided to install the Desktop Experience (GUI) version of Windows Server 2022<\/a> Datacenter Edition.<\/p>\n\n\n

\n
\"\"<\/a><\/figure><\/div>\n\n\n

Note:<\/strong> The following section(s) assume that you have a working Windows Server virtual machine as creating a Windows Server VM is out-of-scope for this post, so I will not cover that.<\/p>\n\n\n\n

As mentioned, since I typically use Core versions of Windows Server, thus it is managed via PowerShell commands so to set up my server as a Domain Controller, I’ll run the following from an elevate PowerShell session.<\/p>\n\n\n\n

<\/path><\/path><\/svg><\/span>
###1st DC###<\/span><\/span>\nImport-Module<\/span> ServerManager<\/span><\/span>\nAdd-WindowsFeature<\/span> -Name RSAT-AD-Tools<\/span><\/span>\n<\/span>\nInstall-WindowsFeature<\/span> -Name AD-Domain-Services, DNS -IncludeManagementTools -Verbose<\/span><\/span>\n<\/span>\nImport-Module<\/span> ADDSDeployment -Verbose<\/span><\/span>\n<\/span>\n# Create password<\/span><\/span>\n$Password<\/span> = <\/span>Read-Host<\/span> -Prompt <\/span>'Enter SafeMode Admin Password'<\/span> -AsSecureString <\/span><\/span>\n<\/span>\nInstall-ADDSForest<\/span> -CreateDnsDelegation:<\/span>$false<\/span> -DatabasePath <\/span>"C:\\Windows\\NTDS"<\/span> -DomainMode <\/span>"WinThreshold"<\/span> -DomainName <\/span>"demo.lab"<\/span> -DomainNetbiosName <\/span>"DEMO"<\/span> -ForestMode <\/span>"WinThreshold"<\/span> -InstallDns:<\/span>$true<\/span> -LogPath <\/span>"C:\\Windows\\NTDS"<\/span> -NoRebootOnCompletion:<\/span>$true<\/span> -SysvolPath <\/span>"C:\\Windows\\SYSVOL"<\/span> -SafeModeAdministratorPassword <\/span>$Password<\/span> -Force:<\/span>$true<\/span> -Verbose<\/span><\/span>\n<\/span>\n# Install DHCP<\/span><\/span>\nInstall-WindowsFeature<\/span> DHCP -IncludeManagementTools -Verbose<\/span><\/span>\nnetsh dhcp add securitygroups<\/span><\/span>\nRestart-Service<\/span> dhcpserver -Verbose<\/span><\/span>\n<\/span>\nAdd-DhcpServerInDC<\/span> -DnsName <\/span>"dc1.demo.lab"<\/span> -Verbose<\/span><\/span>\nGet-DhcpServerInDC<\/span><\/span>\n<\/span>\nSet-ItemProperty<\/span> -Path registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\ServerManager\\Roles\\<\/span>12<\/span> -Name ConfigurationState -Value <\/span>2<\/span><\/span>\n<\/span>\nSet-DhcpServerv4DnsSetting<\/span> -ComputerName <\/span>"dc1.demo.lab"<\/span> -DynamicUpdates <\/span>"Always"<\/span> -DeleteDnsRRonLeaseExpiry <\/span>$True<\/span><\/span>\n<\/span>\n$Credential<\/span> = <\/span>Get-Credential<\/span><\/span>\nSet-DhcpServerDnsCredential<\/span> -Credential <\/span>$Credential<\/span> -ComputerName <\/span>"dc1.demo.lab"<\/span><\/span>\n<\/span>\n# Enable Sysvol for GPO shared store<\/span><\/span>\nGet-Itemproperty<\/span> -path <\/span>'HKLM:SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters'<\/span> -Name <\/span>'SysVolReady'<\/span> -Verbose<\/span><\/span>\nSet-Itemproperty<\/span> -path <\/span>'HKLM:SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters'<\/span> -Name <\/span>'SysVolReady'<\/span> -Value <\/span>'1'<\/span> -Verbose<\/span><\/span>\n<\/span>\n# Enable Recycle Bin<\/span><\/span>\n$Params<\/span> = <\/span>@<\/span>{<\/span><\/span>\n    <\/span>"Identity"<\/span> = <\/span>'Recycle Bin Feature'<\/span><\/span>\n    <\/span>"Scope"<\/span>    = <\/span>'ForestOrConfigurationSet'<\/span><\/span>\n    <\/span>"Target"<\/span>   = <\/span>'demo.lab'<\/span><\/span>\n  }<\/span><\/span>\n  <\/span><\/span>\nEnable-ADOptionalFeature<\/span> <\/span>@Params<\/span> -Verbose<\/span><\/span><\/code><\/pre>PowerShell<\/span><\/div>\n\n\n\n
As I mentioned previously, this lab will use a single server for all Active Directory services but in my physical lab, I tend to run (2) Domain Controllers so if you’d like to configure a second server for the nested lab, you can do so by standing up a 2nd Windows Server OS and running the following on the 2nd server (DC2):<\/p>\n\n\n\n
Note<\/strong>: Be sure to modify the IP’s and Domain Name.<\/em><\/p>\n\n\n\n
<\/path><\/path><\/svg><\/span>
###2nd DC###<\/span><\/span>\nImport-Module<\/span> ServerManager<\/span><\/span>\nAdd-WindowsFeature<\/span> -Name RSAT-AD-Tools<\/span><\/span>\n<\/span>\nInstall-WindowsFeature<\/span> -Name AD-Domain-Services, DNS -IncludeManagementTools -Verbose<\/span><\/span>\n<\/span>\nImport-Module<\/span> ADDSDeployment -Verbose<\/span><\/span>\n<\/span>\n# Create password<\/span><\/span>\n$Password<\/span> = <\/span>Read-Host<\/span> -Prompt <\/span>'Enter SafeMode Admin Password'<\/span> -AsSecureString<\/span><\/span>\n<\/span>\nGet-DnsClientServerAddress<\/span> <\/span><\/span>\n<\/span>\n#Set the correct InterfaceIndex from previous command<\/span><\/span>\nSet-DnsClientServerAddress<\/span> -InterfaceIndex <\/span>5<\/span> -ServerAddresses (<\/span>"10.100.1.10"<\/span>,<\/span>"127.0.0.1"<\/span>) -Verbose <\/span><\/span>\n<\/span>\nInstall-ADDSDomainController<\/span> -NoGlobalCatalog:<\/span>$false<\/span> -CreateDnsDelegation:<\/span>$false<\/span> -Credential (<\/span>Get-Credential<\/span> <\/span>"LAB\\Administrator"<\/span>) -CriticalReplicationOnly:<\/span>$false<\/span> -DatabasePath <\/span>"C:\\Windows\\NTDS"<\/span> -DomainName <\/span>"demo.lab"<\/span> -InstallDns:<\/span>$true<\/span> -LogPath <\/span>"C:\\Windows\\NTDS"<\/span> -NoRebootOnCompletion:<\/span>$true<\/span> -SiteName <\/span>"Default-First-Site-Name"<\/span> -ReplicationSourceDC <\/span>"dc1.demo.lab"<\/span> -SysvolPath <\/span>"C:\\Windows\\SYSVOL"<\/span> -SafeModeAdministratorPassword <\/span>$Password<\/span> -Force:<\/span>$true<\/span> -Verbose<\/span><\/span>\n<\/span>\n# Install DHCP Services<\/span><\/span>\nInstall-WindowsFeature<\/span> DHCP -IncludeManagementTools -Verbose<\/span><\/span>\nnetsh dhcp add securitygroups<\/span><\/span>\nRestart-Service<\/span> dhcpserver -Verbose<\/span><\/span>\n<\/span>\nAdd-DhcpServerInDC<\/span> -DnsName <\/span>"dc2.demo.lab"<\/span> -Verbose<\/span><\/span>\nGet-DhcpServerInDC<\/span><\/span>\n<\/span>\nSet-ItemProperty<\/span> -Path registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\ServerManager\\Roles\\<\/span>12<\/span> -Name ConfigurationState -Value <\/span>2<\/span><\/span>\n<\/span>\nSet-DhcpServerv4DnsSetting<\/span> -ComputerName <\/span>"dc2.demo.lab"<\/span> -DynamicUpdates <\/span>"Always"<\/span> -DeleteDnsRRonLeaseExpiry <\/span>$True<\/span><\/span>\n<\/span>\n$Credential<\/span> = <\/span>Get-Credential<\/span><\/span>\nSet-DhcpServerDnsCredential<\/span> -Credential <\/span>$Credential<\/span> -ComputerName <\/span>"dc2.demo.lab"<\/span><\/span>\n<\/span>\n# Enable Sysvol for GPO shared store<\/span><\/span>\nGet-Itemproperty<\/span> -path <\/span>'HKLM:SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters'<\/span> -Name <\/span>'SysVolReady'<\/span> -Verbose<\/span><\/span>\nSet-Itemproperty<\/span> -path <\/span>'HKLM:SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters'<\/span> -Name <\/span>'SysVolReady'<\/span> -Value <\/span>'1'<\/span> -Verbose<\/span><\/span><\/code><\/pre>PowerShell<\/span><\/div>\n\n\n\n
Then switch back to DC1 and run the following so set its DNS configuration to point to DC2 as the primary and itself as the secondary, this way bother servers are pointing to the opposite server as it’s primary:<\/p>\n\n\n\n
<\/path><\/path><\/svg><\/span>
###1st DC###<\/span><\/span>\nGet-DnsClientServerAddress<\/span><\/span>\n<\/span>\n#Set the correct InterfaceIndex from previous command<\/span><\/span>\nSet-DnsClientServerAddress<\/span> -InterfaceIndex <\/span>5<\/span> -ServerAddresses (<\/span>"10.100.1.20"<\/span>,<\/span>"127.0.0.1"<\/span>) -Verbose<\/span><\/span><\/code><\/pre>PowerShell<\/span><\/div>\n\n\n\n
 <\/p>\n\n\n\n
Certificate Authority<\/h3>\n\n\n\n
In this lab setup, I am also going to configure this Jumpbox \/ Active Directory Domain Controller to serve as an Enterprise Root Certificate Authority, but in a traditional lab, I would separate this on it’s own VM.<\/p>\n\n\n\n
To configure the server as a Certificate Authority for the lab, I will run the following PowerShell commands while logged in as the domain “Administrator” account:<\/p>\n\n\n\n
<\/path><\/path><\/svg><\/span>
Get-DnsClientServerAddress<\/span><\/span>\n<\/span>\n# Set the correct InterfaceIndex from previous command<\/span><\/span>\nSet-DnsClientServerAddress<\/span> -InterfaceIndex <\/span>5<\/span> -ServerAddresses (<\/span>"127.0.0.1"<\/span>) -Verbose<\/span><\/span>\n<\/span>\n# Run the following if you have an external CA with (2) DNS Servers<\/span><\/span>\nSet-DnsClientServerAddress<\/span> -InterfaceIndex <\/span>5<\/span> -ServerAddresses (<\/span>"10.100.1.10"<\/span>,<\/span>"10.100.1.20"<\/span>) -Verbose<\/span><\/span>\n<\/span>\n# Join pc to domain if needed<\/span><\/span>\nAdd-Computer<\/span> -DomainName <\/span>"demo.lab"<\/span> -Credential (<\/span>Get-Credential<\/span> <\/span>"DEMO\\Administrator"<\/span>) -Restart -Confirm:<\/span>$false<\/span> -Verbose<\/span><\/span>\n<\/span>\nImport-Module<\/span> ServerManager<\/span><\/span>\nAdd-WindowsFeature<\/span> -Name RSAT-AD-Tools<\/span><\/span>\n<\/span>\n#region<\/span><\/span>\n# Install IIS Remote Mgmt if CA is installed on Server Core OS<\/span><\/span>\nInstall-WindowsFeature<\/span> Web-Mgmt-Service<\/span><\/span>\nEnable-NetFirewallRule<\/span> -DisplayGroup <\/span>"Windows Remote Management"<\/span><\/span>\nSet-ItemProperty<\/span> -Path HKLM:\\SOFTWARE\\Microsoft\\WebManagement\\Server -Name EnableRemoteManagement -Value <\/span>1<\/span><\/span>\nSet-Service<\/span> -Name WMSVC -StartupType Automatic<\/span><\/span>\nStart-Service<\/span> WMSVC <\/span><\/span>\n<\/span>\n# Run the following on the remote system used to manage IIS<\/span><\/span>\n# Desktop OS<\/span><\/span>\nEnable-WindowsOptionalFeature<\/span> -Online -FeatureName <\/span>"IIS-WebServerManagementTools"<\/span> -All -Verbose <\/span><\/span>\n# Server OS<\/span><\/span>\nInstall-WindowsFeature<\/span> Web-Mgmt-Service -IncludeManagementTools -Verbose<\/span><\/span>\n#endregion<\/span><\/span>\n<\/span>\n# Install ADCS<\/span><\/span>\nInstall-WindowsFeature<\/span> Adcs-Cert-Authority -IncludeManagementTools -Verbose<\/span><\/span>\n<\/span>\n$CA_Name<\/span> = <\/span>"demo-lab-ca"<\/span><\/span>\n$CP_Name<\/span> = <\/span>"RSA#Microsoft Software Key Storage Provider"<\/span><\/span>\nInstall-AdcsCertificationAuthority<\/span> -CACommonName <\/span>$CA_Name<\/span> -CAType EnterpriseRootCa -CryptoProviderName <\/span>$CP_Name<\/span> -Credential (<\/span>Get-Credential<\/span> <\/span>"DEMO\\Administrator"<\/span>) -KeyLength <\/span>2048<\/span> -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits <\/span>10<\/span> -Force -Verbose<\/span><\/span>\n<\/span>\nInstall-WindowsFeature<\/span> ADCS-Web-Enrollment -IncludeManagementTools -Verbose<\/span><\/span>\n<\/span>\nInstall-AdcsWebEnrollment<\/span> -Force -Verbose<\/span><\/span><\/code><\/pre>PowerShell<\/span><\/div>\n\n\n\n
At this point, if you navigate to the URL of the CA server at http:\/\/[IP or FQDN]\/certsrv<\/code> , you should be prompted to authenticate and see the following page(s).<\/p>\n\n\n\n
\n
\"\"<\/a><\/figure>\n\n\n\n
\"\"<\/a><\/figure>\n<\/figure>\n\n\n\n
From here, I usually download and install the CA Certificate locally and then create a GPO and push the certificate to all windows machines in the domain.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Right-click<\/strong> the downloaded certificate file and click Install Certificate<\/strong>. Choose Local Machine<\/strong> as the store location and click Next<\/strong>. Select Place all certificates in the following store:<\/strong> then Browse<\/strong> and select Trusted Root Certification Authorities<\/strong>, then click OK<\/strong>, Next<\/strong>, Finish<\/strong>.<\/p>\n\n\n\n
To create a GPO, open the Group Policy Management utility. I already had the admin MMC console configured with this snap-in so I was able to access this quickly and setup a GPO.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
This at least gets us started so we can hop back in and configure additional users, groups, GPOs, DNS record, DHCP Scopes, etc. as needed later on, but we’re not done just yet!  I like to configure a secure connection to the Web Enrollment Server URL so to do so, I’ll need to configure that in IIS.<\/p>\n\n\n\n
Open up IIS Manager<\/strong> on the CA Server, navigate to the Default Web Site<\/strong> and click on Bindings<\/strong>, then click Add<\/strong>.  Set the Type<\/strong> to https<\/strong>, then select the SSL certificate<\/strong> that is named after the CA server from the dropdown menu, in my case dc.demo.lab<\/strong> and click OK<\/strong>, then Close<\/strong>.  Next, CertSrv<\/strong>, then double-click SSL Settings<\/strong>.  Enable the Require SSL<\/strong> checkbox, then click Apply<\/strong>.  Afterwards, navigate again to the Web Enrollment Server URL, this time using https:\/\/[FQDN]\/certsrv<\/code>, Authenticate if asked to do so, and now we can see that we have a certificate securing our connection.<\/p>\n\n\n\n
\n
\"\"<\/a><\/figure>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
\"\"<\/a><\/figure>\n<\/figure>\n\n\n\n
I also like to generate Certificate Signing Requests (CSRs) using the OpenSSL<\/a> utility which is commonly used to generate CSRs or certificates for VMware products, so I will install via my favorite CLI driven application\/package management tool…Chocolatey<\/a>!<\/p>\n\n\n\n
To install Chocolatey, from an elevated shell run the following:<\/p>\n\n\n\n
<\/path><\/path><\/svg><\/span>
Set-ExecutionPolicy<\/span> Bypass -Scope <\/span>Process<\/span> -Force; [<\/span>System.Net.ServicePointManager<\/span>]::SecurityProtocol = [<\/span>System.Net.ServicePointManager<\/span>]::SecurityProtocol -bor <\/span>3072<\/span>; iex ((<\/span>New-Object<\/span> System.Net.WebClient).DownloadString(<\/span>'https:\/\/community.chocolatey.org\/install.ps1'<\/span>))<\/span><\/span><\/code><\/pre>PowerShell<\/span><\/div>\n\n\n\n
Then, install OpenSSL with the following command:<\/p>\n\n\n\n
<\/path><\/path><\/svg><\/span>
# Optional<\/span><\/span>\nchoco feature enable -n allowGlobalConfirmation<\/span><\/span>\nchoco feature enalbe -n useRememberedArgumentsForUpgrades<\/span><\/span>\n<\/span>\n# Install OpenSSL<\/span><\/span>\nchoco install openssl<\/span><\/span>\n<\/span>\n# Install IIS Manager if remotely managing IIS<\/span><\/span>\nchoco install inetmgr<\/span><\/span><\/code><\/pre>PowerShell<\/span><\/div>\n\n\n\n
In the next post, I will cover how to deploy the nested ESXi VMs and vCenter Server.<\/p>\n\n\n\n
I hope you’ve enjoyed the material thus far, and I thank you for reading!<\/p>\n\n\n\n
–virtualex<\/p>\n
<\/div>
<\/path><\/svg><\/i> \"Loading\"<\/p>
<\/div>","protected":false},"excerpt":{"rendered":"
intro Welcome back! In my previous post, I covered the deployment and configuration of a virtual Sophos XG Firewall router appliance to provide routing services for the nested lab environment. Active Directory Next, I will cover the way I like to quickly configure my Active Directory Server and respective services.  Typically, I leverage Windows Server…<\/p>\n
<\/div>\n
<\/path><\/svg><\/i> \"Loading\"<\/p>\n
<\/div>\n","protected":false},"author":1,"featured_media":1837,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"footnotes":"","jetpack_publicize_message":"Check out my latest post (Part 2) in my nested @VMwarevSphere #homelab series. @vExpert #vexpert","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[2,9],"tags":[4,11,43,56,19,33,52,55,29],"jetpack_publicize_connections":[],"aioseo_notices":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"https:\/\/i0.wp.com\/ithinkvirtual.com\/wp-content\/uploads\/2023\/04\/2023-04-23_16-29-33.png?fit=1024%2C595&ssl=1","jetpack_shortlink":"https:\/\/wp.me\/p7k0Z6-ts","jetpack-related-posts":[],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/ithinkvirtual.com\/wp-json\/wp\/v2\/posts\/1826"}],"collection":[{"href":"https:\/\/ithinkvirtual.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ithinkvirtual.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ithinkvirtual.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ithinkvirtual.com\/wp-json\/wp\/v2\/comments?post=1826"}],"version-history":[{"count":21,"href":"https:\/\/ithinkvirtual.com\/wp-json\/wp\/v2\/posts\/1826\/revisions"}],"predecessor-version":[{"id":1884,"href":"https:\/\/ithinkvirtual.com\/wp-json\/wp\/v2\/posts\/1826\/revisions\/1884"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ithinkvirtual.com\/wp-json\/wp\/v2\/media\/1837"}],"wp:attachment":[{"href":"https:\/\/ithinkvirtual.com\/wp-json\/wp\/v2\/media?parent=1826"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ithinkvirtual.com\/wp-json\/wp\/v2\/categories?post=1826"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ithinkvirtual.com\/wp-json\/wp\/v2\/tags?post=1826"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Next, I will create a certificate template which will be used to sign CSRs with later on by following the instructions in VMware KB Article 2112009<\/a>.  And to round things off, the last thing I will do is enable certificate auto-enrollment following the instructions in this guide<\/a>.<\/p>\n\n\n\n