https://github.com/rgl/windows-domain-controller-vagrant

Example Windows Domain Controller
https://github.com/rgl/windows-domain-controller-vagrant

domain-controller vagrant windows

Last synced: 7 days ago
JSON representation

Example Windows Domain Controller

• Host: GitHub
• URL: https://github.com/rgl/windows-domain-controller-vagrant
• Owner: rgl
• Created: 2016-05-01T15:04:12.000Z (almost 9 years ago)
• Default Branch: master
• Last Pushed: 2024-10-12T18:59:48.000Z (4 months ago)
• Last Synced: 2025-01-25T16:06:23.943Z (14 days ago)
• Topics: domain-controller, vagrant, windows
• Language: PowerShell
• Homepage:
• Size: 124 KB
• Stars: 141
• Watchers: 7
• Forks: 36
• Open Issues: 1
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
# About

This is an example on how to create a Windows Domain Controller using Vagrant and PowerShell.

This also shows how to add a Computer to an existing domain using PowerShell.

This will create an `example.com` Active Directory Domain Forest.

This will also install a Certification Authority with a GPO to automatically enroll

computers with a certificate signed by the trusted domain CA, Remote Desktop users

will therefore see and use trusted certificates.

This will also set the user photo with a GPO.

This will also set the Remote Desktop Users group with a GPO.

This will also setup the `whoami` group Managed Service Account (gMSA).

This setup will use the following static IP addresses:

| IP           | Hostname            | Description                |

|--------------|---------------------|----------------------------|

| 192.168.56.2 | dc.example.com      | Domain Controller Computer |

| 192.168.56.3 | windows.example.com | Test Windows Computer      |

| 192.168.56.4 | ubuntu.example.com  | Test Ubuntu Computer       |

**NB** these are hardcoded in several files. Find then with `grep -r 192.168.56. .`.

# Usage

Install the [Windows 2022 base box](https://github.com/rgl/windows-vagrant).

Install the [Ubuntu 22.04 base box](https://github.com/rgl/ubuntu-vagrant).

Install the required Vagrant plugins:

```bash

vagrant plugin install vagrant-windows-sysprep

vagrant plugin install vagrant-reload

```

Start by launching the Domain Controller environment:

```bash

# or --provider=hyperv (first see the Hyper-V Usage section bellow).

# or --provider=virtualbox

vagrant up --provider=libvirt

```

Launch the test nodes:

```bash

cd test-nodes

# or --provider=hyperv

# or --provider=virtualbox

vagrant up --provider=libvirt

```

Sign-in on the test nodes with one of the following accounts:

* Username `john.doe` and password `HeyH0Password`.

  * This account is also a Domain Administrator.

* Username `jane.doe` and password `HeyH0Password`.

* Username `Administrator` and password `HeyH0Password`.

  * This account is also a Domain Administrator.

* Username `.\vagrant` and password `password`.

  * **NB** you MUST use the **local** `vagrant` account. because the domain also has a `vagrant` account, and that will mess-up the local one...

You can login at the machine console.

You can login with remote desktop, e.g.:

```bash

xfreerdp \

  /v:dc.example.com \

  /u:john.doe \

  /p:HeyH0Password \

  /size:1440x900 \

  /dynamic-resolution \

  +clipboard

```

**NB** For an headless RDP example see the [winps repository](https://github.com/rgl/winps).

You can login with ssh, e.g.:

```bash

ssh [email protected]

```

# Active Directory LDAP

You can use a normal LDAP client for accessing the Active Directory.

It accepts the following _Bind DN_ formats:

* `@`, e.g. `[email protected]`

* `@`, e.g. `jane.doe@EXAMPLE`

* `\`, e.g. `EXAMPLE\jane.doe`

* ``, e.g. `CN=jane.doe,CN=Users,DC=example,DC=com`

**NB** `sAMAccountName` MUST HAVE AT MOST 20 characters.

Some attributes are available in environment variables:

| Attribute        | Environment variable | Example             |

|------------------|----------------------|---------------------|

| `sAMAccountName` | `USERNAME`           | `jane.doe`          |

| `sAMAccountName` | `USERPROFILE`        | `C:\Users\jane.doe` |

| `NETBIOS domain` | `USERDOMAIN`         | `EXAMPLE`           |

| `DNS domain`     | `USERDNSDOMAIN`      | `EXAMPLE.COM`       |

You can list all of the active users using [ldapsearch](http://www.openldap.org/software/man.cgi?query=ldapsearch) as:

```bash

ldapsearch \

  -H ldap://dc.example.com \

  -D [email protected] \

  -w HeyH0Password \

  -x -LLL \

  -b CN=Users,DC=example,DC=com \

  '(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' \

  sAMAccountName userPrincipalName userAccountControl displayName cn mail

```

**NB** To have `ldapsearch` you can install the [msys2 mingw-w64-openldap package](https://github.com/msys2/MINGW-packages/tree/master/mingw-w64-openldap) with `pacman -Sy mingw-w64-x86_64-openldap`.

For TLS, use `-H ldaps://dc.example.com`, after creating the `ldaprc` file with:

```bash

openssl x509 -inform der -in tmp/ExampleEnterpriseRootCA.der -out tmp/ExampleEnterpriseRootCA.pem

cat >ldaprc <<'EOF'

TLS_CACERT tmp/ExampleEnterpriseRootCA.pem

TLS_REQCERT demand

EOF

```

Troubleshoot TLS with:

```bash

# see the TLS certificate validation result:

echo | openssl s_client -connect dc.example.com:636 -servername dc.example.com -CAfile tmp/ExampleEnterpriseRootCA.pem

# see the TLS certificate being returned by the server:

echo | openssl s_client -connect dc.example.com:636 -servername dc.example.com | openssl x509 -noout -text -in -

```

# Active Directory DNS

You can update the DNS zone using the computer principal credentials, e.g.:

```bash

kinit --keytab=/etc/sssd/sssd.keytab 'ubuntu$'

nsupdate -g <<'EOF'

server dc.example.com

zone example.com.

update delete ubuntu.example.com. in A

update add ubuntu.example.com. 60 in A 192.168.56.4

update delete ubuntu.example.com. in TXT

update add ubuntu.example.com. 60 in TXT "hello world"

send

EOF

kdestroy

```

# Hyper-V Usage

Follow the [rgl/windows-vagrant Hyper-V Usage section](https://github.com/rgl/windows-vagrant#hyper-v-usage).

Create the required virtual switches:

```bash

PowerShell -NoLogo -NoProfile -ExecutionPolicy Bypass <<'EOF'

@(

  @{Name='windows-domain-controller'; IpAddress='192.168.56.1'}

) | ForEach-Object {

  $switchName = $_.Name

  $switchIpAddress = $_.IpAddress

  $networkAdapterName = "vEthernet ($switchName)"

  $networkAdapterIpAddress = $switchIpAddress

  $networkAdapterIpPrefixLength = 24

  # create the vSwitch.

  Hyper-V\New-VMSwitch -Name $switchName -SwitchType Internal | Out-Null

  # assign it an host IP address.

  $networkAdapter = Get-NetAdapter $networkAdapterName

  $networkAdapter | New-NetIPAddress `

    -IPAddress $networkAdapterIpAddress `

    -PrefixLength $networkAdapterIpPrefixLength `

    | Out-Null

}

# remove all virtual switches from the windows firewall.

Set-NetFirewallProfile `

  -DisabledInterfaceAliases (

        Get-NetAdapter -name "vEthernet*" | Where-Object {$_.ifIndex}

    ).InterfaceAlias

EOF

```