{"id":14986160,"url":"https://github.com/rgl/windows-domain-controller-vagrant","last_synced_at":"2025-04-04T22:08:30.000Z","repository":{"id":54657491,"uuid":"57603119","full_name":"rgl/windows-domain-controller-vagrant","owner":"rgl","description":"Example Windows Domain Controller","archived":false,"fork":false,"pushed_at":"2024-10-12T18:59:48.000Z","size":127,"stargazers_count":140,"open_issues_count":1,"forks_count":36,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-28T21:08:48.634Z","etag":null,"topics":["domain-controller","vagrant","windows"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rgl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-05-01T15:04:12.000Z","updated_at":"2025-01-26T00:48:50.000Z","dependencies_parsed_at":"2023-12-13T06:27:06.567Z","dependency_job_id":"89f2649d-22a1-4c59-b953-59aca21ed50e","html_url":"https://github.com/rgl/windows-domain-controller-vagrant","commit_stats":{"total_commits":80,"total_committers":3,"mean_commits":"26.666666666666668","dds":"0.025000000000000022","last_synced_commit":"94c2872c010193cb8191fdffde48c4af1472e1c1"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fwindows-domain-controller-vagrant","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fwindows-domain-controller-vagrant/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/rgl%2Fwindows-domain-controller-vagrant/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fwindows-domain-controller-vagrant/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rgl","download_url":"https://codeload.github.com/rgl/windows-domain-controller-vagrant/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247256115,"owners_count":20909240,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["domain-controller","vagrant","windows"],"created_at":"2024-09-24T14:12:27.669Z","updated_at":"2025-04-04T22:08:29.986Z","avatar_url":"https://github.com/rgl.png","language":"PowerShell","readme":"# About\r\n\r\nThis is an example of how to create a Windows Domain Controller using Vagrant and PowerShell.\r\n\r\nThis also shows how to add a Computer to an existing domain using PowerShell.\r\n\r\nThis will create an `example.com` Active Directory Domain Forest.\r\n\r\nThis will also install a Certification Authority with a GPO to automatically enroll\r\ncomputers with a certificate signed by the trusted domain CA; Remote Desktop users\r\nwill therefore see and use trusted certificates.\r\n\r\nThis will also set the user photo with a GPO.\r\n\r\nThis will also set the Remote Desktop Users group with a GPO.\r\n\r\nThis will also set up the `whoami` group Managed Service Account (gMSA).\r\n\r\nThis setup will use the following static IP addresses:\r\n\r\n| IP           | Hostname            | Description                
|\r\n|--------------|---------------------|----------------------------|\r\n| 192.168.56.2 | dc.example.com      | Domain Controller Computer |\r\n| 192.168.56.3 | windows.example.com | Test Windows Computer      |\r\n| 192.168.56.4 | ubuntu.example.com  | Test Ubuntu Computer       |\r\n\r\n**NB** these are hardcoded in several files. Find them with `grep -r 192.168.56. .`.\r\n\r\n# Usage\r\n\r\nInstall the [Windows 2022 base box](https://github.com/rgl/windows-vagrant).\r\n\r\nInstall the [Ubuntu 22.04 base box](https://github.com/rgl/ubuntu-vagrant).\r\n\r\nInstall the required Vagrant plugins:\r\n\r\n```bash\r\nvagrant plugin install vagrant-windows-sysprep\r\nvagrant plugin install vagrant-reload\r\n```\r\n\r\nStart by launching the Domain Controller environment:\r\n\r\n```bash\r\n# or --provider=hyperv (first see the Hyper-V Usage section below).\r\n# or --provider=virtualbox\r\nvagrant up --provider=libvirt\r\n```\r\n\r\nLaunch the test nodes:\r\n\r\n```bash\r\ncd test-nodes\r\n# or --provider=hyperv\r\n# or --provider=virtualbox\r\nvagrant up --provider=libvirt\r\n```\r\n\r\nSign in on the test nodes with one of the following accounts:\r\n\r\n* Username `john.doe` and password `HeyH0Password`.\r\n  * This account is also a Domain Administrator.\r\n* Username `jane.doe` and password `HeyH0Password`.\r\n* Username `Administrator` and password `HeyH0Password`.\r\n  * This account is also a Domain Administrator.\r\n* Username `.\\vagrant` and password `password`.\r\n  * **NB** you MUST use the **local** `vagrant` account, 
because the domain also has a `vagrant` account, and that will mess up the local one...\r\n\r\nYou can log in at the machine console.\r\n\r\nYou can log in with remote desktop, e.g.:\r\n\r\n```bash\r\nxfreerdp \\\r\n  /v:dc.example.com \\\r\n  /u:john.doe \\\r\n  /p:HeyH0Password \\\r\n  /size:1440x900 \\\r\n  /dynamic-resolution \\\r\n  +clipboard\r\n```\r\n\r\n**NB** For a headless RDP example see the [winps repository](https://github.com/rgl/winps).\r\n\r\nYou can log in with ssh, e.g.:\r\n\r\n```bash\r\nssh john.doe@dc.example.com\r\n```\r\n\r\n# Active Directory LDAP\r\n\r\nYou can use a normal LDAP client to access Active Directory.\r\n\r\nIt accepts the following _Bind DN_ formats:\r\n\r\n* `\u003cuserPrincipalName\u003e@\u003cDNS domain\u003e`, e.g. `jane.doe@example.com`\r\n* `\u003csAMAccountName\u003e@\u003cNETBIOS domain\u003e`, e.g. `jane.doe@EXAMPLE`\r\n* `\u003cNETBIOS domain\u003e\\\u003csAMAccountName\u003e`, e.g. `EXAMPLE\\jane.doe`\r\n* `\u003cDN for an entry with a userPassword attribute\u003e`, e.g. 
`CN=jane.doe,CN=Users,DC=example,DC=com`\r\n\r\n**NB** `sAMAccountName` MUST HAVE AT MOST 20 characters.\r\n\r\nSome attributes are available in environment variables:\r\n\r\n| Attribute        | Environment variable | Example             |\r\n|------------------|----------------------|---------------------|\r\n| `sAMAccountName` | `USERNAME`           | `jane.doe`          |\r\n| `sAMAccountName` | `USERPROFILE`        | `C:\\Users\\jane.doe` |\r\n| `NETBIOS domain` | `USERDOMAIN`         | `EXAMPLE`           |\r\n| `DNS domain`     | `USERDNSDOMAIN`      | `EXAMPLE.COM`       |\r\n\r\nYou can list all of the active users using [ldapsearch](http://www.openldap.org/software/man.cgi?query=ldapsearch) as:\r\n\r\n```bash\r\nldapsearch \\\r\n  -H ldap://dc.example.com \\\r\n  -D jane.doe@example.com \\\r\n  -w HeyH0Password \\\r\n  -x -LLL \\\r\n  -b CN=Users,DC=example,DC=com \\\r\n  '(\u0026(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' \\\r\n  sAMAccountName userPrincipalName userAccountControl displayName cn mail\r\n```\r\n\r\n**NB** To have `ldapsearch` you can install the [msys2 mingw-w64-openldap package](https://github.com/msys2/MINGW-packages/tree/master/mingw-w64-openldap) with `pacman -Sy mingw-w64-x86_64-openldap`.\r\n\r\nFor TLS, use `-H ldaps://dc.example.com`, after creating the `ldaprc` file with:\r\n\r\n```bash\r\nopenssl x509 -inform der -in tmp/ExampleEnterpriseRootCA.der -out tmp/ExampleEnterpriseRootCA.pem\r\ncat \u003eldaprc \u003c\u003c'EOF'\r\nTLS_CACERT tmp/ExampleEnterpriseRootCA.pem\r\nTLS_REQCERT demand\r\nEOF\r\n```\r\n\r\nTroubleshoot TLS with:\r\n\r\n```bash\r\n# see the TLS certificate validation result:\r\necho | openssl s_client -connect dc.example.com:636 -servername dc.example.com -CAfile tmp/ExampleEnterpriseRootCA.pem\r\n# see the TLS certificate being returned by the server:\r\necho | openssl s_client -connect dc.example.com:636 -servername dc.example.com | openssl x509 -noout -text -in -\r\n```\r\n\r\n# 
Active Directory DNS\r\n\r\nYou can update the DNS zone using the computer principal credentials, e.g.:\r\n\r\n```bash\r\nkinit --keytab=/etc/sssd/sssd.keytab 'ubuntu$'\r\nnsupdate -g \u003c\u003c'EOF'\r\nserver dc.example.com\r\nzone example.com.\r\nupdate delete ubuntu.example.com. in A\r\nupdate add ubuntu.example.com. 60 in A 192.168.56.4\r\nupdate delete ubuntu.example.com. in TXT\r\nupdate add ubuntu.example.com. 60 in TXT \"hello world\"\r\nsend\r\nEOF\r\nkdestroy\r\n```\r\n\r\n# Hyper-V Usage\r\n\r\nFollow the [rgl/windows-vagrant Hyper-V Usage section](https://github.com/rgl/windows-vagrant#hyper-v-usage).\r\n\r\nCreate the required virtual switches:\r\n\r\n```bash\r\nPowerShell -NoLogo -NoProfile -ExecutionPolicy Bypass \u003c\u003c'EOF'\r\n@(\r\n  @{Name='windows-domain-controller'; IpAddress='192.168.56.1'}\r\n) | ForEach-Object {\r\n  $switchName = $_.Name\r\n  $switchIpAddress = $_.IpAddress\r\n  $networkAdapterName = \"vEthernet ($switchName)\"\r\n  $networkAdapterIpAddress = $switchIpAddress\r\n  $networkAdapterIpPrefixLength = 24\r\n\r\n  # create the vSwitch.\r\n  Hyper-V\\New-VMSwitch -Name $switchName -SwitchType Internal | Out-Null\r\n\r\n  # assign it a host IP address.\r\n  $networkAdapter = Get-NetAdapter $networkAdapterName\r\n  $networkAdapter | New-NetIPAddress `\r\n    -IPAddress $networkAdapterIpAddress `\r\n    -PrefixLength $networkAdapterIpPrefixLength `\r\n    | Out-Null\r\n}\r\n\r\n# remove all virtual switches from the Windows firewall.\r\nSet-NetFirewallProfile `\r\n  -DisabledInterfaceAliases (\r\n        Get-NetAdapter -name \"vEthernet*\" | Where-Object {$_.ifIndex}\r\n    
).InterfaceAlias\r\nEOF\r\n```\r\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frgl%2Fwindows-domain-controller-vagrant","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frgl%2Fwindows-domain-controller-vagrant","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frgl%2Fwindows-domain-controller-vagrant/lists"}