AD Test Network

I am setting up an Active Directory test network with VirtualBox. It will consist of the following components. Links are provided showing configuration information I referenced.

VirtualBox

Use these Network settings for all machines:

  • Adapter 1: Enabled
  • Attached to: NAT Network
  • Name: NatNetwork (10.0.2.0/24 – DHCP & IPv6 disabled)
  • Adapter 2: Enabled
  • Attached to: Host-only Adapter
  • Name: VirtualBox Host-Only Ethernet Adapter (192.168.56.0/24)
  • DHCP Server: Enabled
  • DHCP Lower Address Bound: 192.168.56.101

Active Directory Domain Controller

Download the Debian installation image and create the server in VirtualBox:

  • Name: DC1.samdom.example.com
  • Type: Linux
  • Version: Debian (64-bit)
  • RAM: 1024 MB
  • Virtual HD: 8.00 GB
  • HD Type: VDI, dynamically allocated

Change the Network settings to the NAT Network.

Attach the installation image to the server’s Optical Drive and start the server.

  • Hostname: DC1.samdom.example.com
  • Leave the root password blank.
  • Enter the desired user name and password for the admin (sudo) account.
  • Make your disk partition selections and write changes to disk.
  • Software selection: Only “SSH server” and “standard system utilities”.
  • Install the GRUB boot loader on /dev/sda
  • Finish the installation and reboot.

Log in as the admin user and switch to root. Change the machine to a static IP address. A second adapter is enabled on the Linux machines so that the host machine can log in over SSH. Make these changes to /etc/network/interfaces:

# The primary network interface
allow-hotplug enp0s3
iface enp0s3 inet static
address 10.0.2.5/24
gateway 10.0.2.1
# The secondary network interface
allow-hotplug enp0s8
iface enp0s8 inet static
address 192.168.56.5/24

Make these changes to /etc/resolv.conf for DNS name resolution:

domain samdom.example.com
search samdom.example.com
nameserver 8.8.8.8

Make these changes to /etc/hosts so the local host name resolves:

127.0.0.1 localhost
10.0.2.5 DC1.samdom.example.com DC1

Reboot the machine to switch to the static IP address.

Change the default UMASK in /etc/login.defs:

UMASK 002

Install Samba and the packages needed for an AD DC; when the Kerberos setup asks for its servers, use the FQDN of this server. Also install some utility programs:

  • apt update
  • apt install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
  • apt install smbclient ldb-tools net-tools dnsutils git

Stop and disable all Samba processes, and remove the default smb.conf file:

  • systemctl stop smbd nmbd winbind
  • systemctl disable smbd nmbd winbind
  • rm /etc/samba/smb.conf

Provision the Samba AD:

samba-tool domain provision --use-rfc2307 --interactive
Realm=SAMDOM.EXAMPLE.COM
Domain=SAMDOM
Server Role=dc
DNS backend=SAMBA_INTERNAL
DNS forwarder IP address=8.8.8.8
Administrator password=Passw0rd

Now that the DC runs its own DNS, point name resolution at the DC itself with these changes to /etc/resolv.conf:

domain samdom.example.com
search samdom.example.com
nameserver 10.0.2.5

Add these lines to the [global] section of /etc/samba/smb.conf (version < 4.6.0)

winbind nss info = rfc2307
winbind use default domain = yes
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
protocol = SMB3
usershare max shares = 0

Use the Kerberos configuration file that Samba created during provisioning, enable the correct Samba service, and reboot to make sure everything works:

  • cp /var/lib/samba/private/krb5.conf /etc/
  • systemctl unmask samba-ad-dc
  • systemctl start samba-ad-dc
  • systemctl enable samba-ad-dc
  • reboot

Verify the File Server shares provided by the DC:

smbclient -L localhost -U%

Verify the DNS configuration works correctly:

  • host -t SRV _ldap._tcp.samdom.example.com.
  • host -t SRV _kerberos._udp.samdom.example.com.
  • host -t A dc1.samdom.example.com.

Verify Kerberos:

  • kinit administrator
  • klist

Install NTP Time Synchronization

apt install ntp

Configure NTP by editing these two lines in /etc/ntp.conf:

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 10.0.2.0 mask 255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 10.0.2.255

Restart the NTP service and verify it is syncing with other servers:

systemctl restart ntp.service
ntpq -p
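The DNS, Kerberos and NTP checks above are read by eye. The script below is an added example, not part of the original notes, that turns them into pass/fail functions. Each function reads the relevant command's output on stdin, so on the DC you would pipe the real `host`, `klist` and `ntpq -p` output into them; the SAMPLE_* strings are constructed to resemble healthy output and exist only so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original notes): pass/fail checks over the
# output of the verification commands. On the DC, use e.g.
#   host -t SRV _ldap._tcp.samdom.example.com. | srv_points_to_dc 389
# The SAMPLE_* strings below are constructed, not captured output.

DC_FQDN="dc1.samdom.example.com"
REALM="SAMDOM.EXAMPLE.COM"

# Print "target port" for every SRV record line on stdin, e.g.
# "_ldap._tcp.samdom.example.com has SRV record 0 100 389 dc1.samdom.example.com."
srv_targets() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print tolower($NF), $(NF - 1) }'
}

# Succeed only if at least one SRV record is present and every record
# points at the DC on the expected port ($1).
srv_points_to_dc() {
    srv_targets | awk -v host="$DC_FQDN" -v port="$1" '
        { n++; if ($1 != host || $2 != port) bad++ }
        END { exit (n == 0 || bad > 0) }'
}

# Succeed if klist output on stdin contains a TGT for the realm.
has_tgt() {
    grep -F -q "krbtgt/$REALM@$REALM"
}

# Print the peer ntpd has selected (the "*" line of "ntpq -p");
# prints nothing while the daemon is still unsynchronised.
ntp_sys_peer() {
    awk '/^\*/ { sub(/^\*/, "", $1); print $1 }'
}

# Constructed samples of healthy output.
SAMPLE_SRV_LDAP='_ldap._tcp.samdom.example.com has SRV record 0 100 389 dc1.samdom.example.com.'
SAMPLE_SRV_KRB='_kerberos._udp.samdom.example.com has SRV record 0 100 88 dc1.samdom.example.com.'
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/24 10:00:00  01/01/24 20:00:00  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM'
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time1.example.net .GPS.            1 u   34   64  377    1.234    0.123   0.045
+time2.example.net 10.9.9.9         2 u   12   64  377    5.678   -0.456   0.321'

# Run every check and return the number of failures, so the script can
# also drive a cron job or monitoring probe.
run_checks() {
    fails=0
    printf '%s\n' "$SAMPLE_SRV_LDAP" | srv_points_to_dc 389 || fails=$((fails + 1))
    printf '%s\n' "$SAMPLE_SRV_KRB"  | srv_points_to_dc 88  || fails=$((fails + 1))
    printf '%s\n' "$SAMPLE_KLIST"    | has_tgt              || fails=$((fails + 1))
    [ -n "$(printf '%s\n' "$SAMPLE_NTPQ" | ntp_sys_peer)" ] || fails=$((fails + 1))
    echo "$fails check(s) failed"
    return "$fails"
}

run_checks
```

A non-zero count from `run_checks` is the signal to look at the individual command output before joining any client to the domain; the Kerberos check in particular fails quietly if the clock is off, which is why the NTP peer check sits next to it.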

Ease AD password restrictions, if desired:

samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --min-pwd-length=6
samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool user setexpiry administrator --noexpiry

Install WSD Daemon

As root, clone the git repository and edit the service file:

git clone https://github.com/christgau/wsdd
cd wsdd
nano etc/systemd/wsdd.service

After=multi-user.target
Wants=multi-user.target
ExecStart=/usr/bin/wsdd -d SAMDOM -4 -s
User=daemon
Group=daemon

Copy the files to the correct locations, enable the service, and start it:

cp src/wsdd.py /usr/bin/wsdd
cp etc/systemd/wsdd.service /etc/systemd/system
systemctl daemon-reload
systemctl enable wsdd.service
systemctl start wsdd.service

Configure AD Accounts Authentication

Add winbind to the passwd and group lines in the /etc/nsswitch.conf configuration file:

passwd: compat winbind
group: compat winbind

Edit the file /usr/share/pam-configs/mkhomedir

Name: Create home directory on login
Default: yes
Priority: 900
Session-Type: Additional
Session-Interactive-Only: yes
Session:
required pam_mkhomedir.so

Enable the entries required for the winbind service and for creating a home directory for each domain account at first login:

pam-auth-update

Give sudo access to members of “domain admins”:

echo "%SAMDOM\\domain\ admins ALL=(ALL) ALL" > /etc/sudoers.d/SAMDOM
chmod 0440 /etc/sudoers.d/SAMDOM

Install DHCP Service

Install the server:

apt install isc-dhcp-server

Serve IPv4 only, on the NAT Network interface, with these edits to the /etc/default/isc-dhcp-server configuration file:

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s3"
#INTERFACESv6=""

Edit the /etc/dhcp/dhcpd.conf configuration file:

# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
#
# option definitions common to all supported networks...
option domain-name "samdom.example.com";
option domain-name-servers DC1.samdom.example.com;
#
default-lease-time 600;
max-lease-time 7200;
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
#
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
#
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;
#
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#
subnet 192.168.56.0 netmask 255.255.255.0 {
}
#
# This is a very basic subnet declaration.
#
subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.50 10.0.2.100;
option routers 10.0.2.1;
}

Start the service:

systemctl start isc-dhcp-server.service

Test the AD DC

Create an AD account for yourself and add it to the “Domain Admins” group with the commands:

samba-tool user create ted
samba-tool group addmembers "Domain Admins" ted

Verify the domain users are shown by both commands:

wbinfo -u
getent passwd

Verify the domain groups are shown by both commands:

wbinfo -g
getent group

Verify the domain ownership on a test file:

touch /tmp/testfile
chown ted:"Domain Admins" /tmp/testfile
ls -l /tmp/testfile
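The `wbinfo` and `getent` checks above are meant to agree, and the ownership test is awkward to read from `ls -l` because the group name contains a space. The script below is an added example, not part of the original notes: it lists winbind users that NSS cannot resolve and checks the file's owner and group from `stat -c '%U:%G'` output instead of `ls` columns. The sample strings are constructed; on the DC substitute the real command output as shown in the comments. Which accounts appear in `getent passwd` depends on your ID mapping, so a non-empty list is a prompt to look at it, not necessarily an error.

```shell
#!/bin/sh
# Added example (not from the original notes): compare winbind's user list
# with what NSS resolves, and check file ownership without parsing ls -l.
# The SAMPLE_* strings are constructed. On the DC, use:
#   missing_from_nss "$(wbinfo -u)" "$(getent passwd)"
#   stat -c '%U:%G' /tmp/testfile | owner_group_is ted "domain admins"

# Print every name in the winbind list ($1) with no entry in the passwd
# list ($2). With "winbind use default domain = yes", as set above, both
# lists carry bare names; the comparison ignores case because AD does.
missing_from_nss() {
    { printf '%s\n' "$1"; echo '--nss--'; printf '%s\n' "$2"; } | awk -F: '
        /^--nss--$/ { part = 2; next }
        part != 2   { if ($0 != "") want[++n] = tolower($0); next }
                    { seen[tolower($1)] = 1 }
        END { for (i = 1; i <= n; i++) if (!(want[i] in seen)) print want[i] }'
}

# Succeed if "user:group" on stdin (the output of stat -c '%U:%G')
# matches the expected owner ($1) and group ($2), ignoring case.
owner_group_is() {
    expected=$(printf '%s:%s' "$1" "$2" | tr '[:upper:]' '[:lower:]')
    actual=$(tr '[:upper:]' '[:lower:]')
    [ "$actual" = "$expected" ]
}

# Constructed samples: winbind knows four accounts, NSS resolves two of them.
SAMPLE_WBINFO_U='administrator
guest
krbtgt
ted'
SAMPLE_GETENT_PASSWD='root:x:0:0:root:/root:/bin/bash
administrator:*:0:100::/home/SAMDOM/administrator:/bin/false
ted:*:3000010:100::/home/SAMDOM/ted:/bin/false'
SAMPLE_STAT='ted:domain admins'

missing=$(missing_from_nss "$SAMPLE_WBINFO_U" "$SAMPLE_GETENT_PASSWD")
if [ -n "$missing" ]; then
    echo "winbind users not resolvable through NSS:"
    echo "$missing"
fi
if printf '%s\n' "$SAMPLE_STAT" | owner_group_is ted "domain admins"; then
    echo "ownership check passed"
else
    echo "ownership check FAILED"
fi
```

Run against the constructed samples the script lists `guest` and `krbtgt` as unresolvable and reports the ownership check as passed. The same two functions work for groups by passing `wbinfo -g` and `getent group` output to `missing_from_nss`.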

Create a GPO with the instructions at This Link.