Lab 3 ‐ Active Directory - PasRP-Theo/Admin-III GitHub Wiki

Lab 3 - Active Directory

Group

  • Liam Gérard
  • Baris Ozcelik
  • Théo Mertens
  • Edward Gay

AI was used for formatting the wiki and for translation.


Introduction

This third laboratory will allow you to explore the Active Directory service by deploying a Windows Server 2025 domain controller and configuring a complete domain environment.


Prerequisites

Storage Modification

As part of this lab, you will need storage space to place relatively large ISOs. We recommend that you:

  • Empty the storage space previously created on the local disks of your hypervisors

  • Remove the ZFS storage space on these two disks

  • Create a new Directory-type storage:

    • By creating a directory on the hypervisor itself
    • Then, by creating a directory at the Datacenter level
    • Warning: Make sure to enable the “ISO image” content

Windows Installation

For this lab, deploy two virtual machines with Windows Server 2025:

  • One VM as server (domain controller)
  • One VM as client workstation

These two VMs must be in separate subnets.

Important Points


Domain Configuration

Domain Controller Preparation (DC01)

  1. Rename the server (e.g., DC01)
  2. Set the time zone: Brussels

  3. Configure a static IP:

    • IP: 10.16.0.10
    • Subnet mask: according to plan
    • DNS: 10.16.0.10 (self)

Role Installation

Install these roles:

  • Active Directory Domain Services (AD DS)
  • DNS Server
  • DHCP Server
  • File Sharing

Procedure

  1. Open Server Manager
  2. Go to Manage > Add Roles and Features
  3. Install the above roles

Domain Controller Promotion

  1. Promote the server to Domain Controller
  2. Use a domain name in .lab (e.g. example.lab)
  3. Restart the server

Post-Installation Verification

Run in Command Prompt:

dcdiag
dcdiag /test:DNS

Explore DNS and DHCP consoles.
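The whole DC01 build (preparation, roles, promotion, verification) as one PowerShell script, added here as an example; it is not part of the lab wiki. It assumes the adapter alias "Ethernet", a /24 prefix with gateway 10.16.0.1, the domain example.lab with NetBIOS name EXAMPLE, and the IP 10.16.0.10 from the preparation section. Run it in an elevated session on the fresh Windows Server 2025 VM; it is in two parts because the rename needs a reboot before promotion.

```powershell
# Added example, not from the lab wiki. Assumed: adapter "Ethernet", 10.16.0.0/24,
# gateway 10.16.0.1, domain example.lab / EXAMPLE.

# ---------- Part A: time zone, static IP, DNS to self, rename, reboot ----------
Set-TimeZone -Id "Romance Standard Time"          # Brussels (CET/CEST)

$Nic = Get-NetAdapter -Name "Ethernet"            # assumed adapter alias
New-NetIPAddress -InterfaceIndex $Nic.ifIndex -IPAddress "10.16.0.10" `
    -PrefixLength 24 -DefaultGateway "10.16.0.1"  # gateway assumed; follow the addressing plan
# The DC must resolve names through itself once DNS is installed.
Set-DnsClientServerAddress -InterfaceIndex $Nic.ifIndex -ServerAddresses "10.16.0.10"

Rename-Computer -NewName "DC01" -Force -Restart   # promotion refuses a pending rename, so reboot now

# ---------- Part B: run after the reboot ----------
Install-WindowsFeature -Name AD-Domain-Services, DNS, DHCP, FS-FileServer `
    -IncludeManagementTools

# The DSRM password is typed at the prompt so it never lands in the script or in history.
# It must differ from the domain Administrator password.
$Dsrm = Read-Host -AsSecureString -Prompt "DSRM (safe mode) administrator password"
Install-ADDSForest -DomainName "example.lab" -DomainNetbiosName "EXAMPLE" `
    -InstallDns:$true -SafeModeAdministratorPassword $Dsrm -Force
# Install-ADDSForest reboots the server when it finishes.

# ---------- Part C: post-installation verification (after the second reboot) ----------
dcdiag
dcdiag /test:DNS
Get-ADDomainController | Select-Object HostName, IPv4Address, IsGlobalCatalog, OperationMasterRoles
Get-DnsServerResourceRecord -ZoneName "example.lab" -RRType A      # the DC's A record must be here
# DHCP only serves leases once the server is authorized in AD.
Add-DhcpServerInDC -DnsName "dc01.example.lab" -IPAddress "10.16.0.10"
Get-DhcpServerInDC
```

Two checks are worth reading carefully in the `dcdiag` output: the Advertising test (the DC announces itself through DNS SRV records, which is what the client later needs to find the domain) and the DNS forwarders test, which fails harmlessly in an isolated lab without Internet access.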


AD Management with ADUC

Open Active Directory Users and Computers (ADUC) in the Tools menu.

Creating Organizational Units (OUs)

Create these OUs:

  • users
  • groups
  • computers

Creating Users and Groups

  1. Create a user with your name in users
  2. Create a group named students in groups
  3. Add your user to the students group
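The same three steps done with the ActiveDirectory module instead of ADUC, added as an example that is not part of the lab wiki. It assumes the domain example.lab and uses the placeholder user "Jane Doe" / j.doe; substitute your own name.

```powershell
# Added example, not from the lab wiki. Run on DC01 after promotion.
# Assumed domain example.lab; "Jane Doe" / j.doe is a placeholder user.
Import-Module ActiveDirectory
$DomainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=example,DC=lab

# Create the three OUs only if they do not exist yet. New OUs are protected from
# accidental deletion by default, so a stray delete in ADUC does not remove them.
foreach ($Ou in "users", "groups", "computers") {
    $Existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Ou'" `
        -SearchBase $DomainDN -SearchScope OneLevel
    if (-not $Existing) { New-ADOrganizationalUnit -Name $Ou -Path $DomainDN }
}

# The initial password is typed at the prompt, never stored in the script,
# and the user must change it at first logon.
$Initial = Read-Host -AsSecureString -Prompt "Initial password for j.doe"
New-ADUser -Name "Jane Doe" -GivenName "Jane" -Surname "Doe" `
    -SamAccountName "j.doe" -UserPrincipalName "j.doe@example.lab" `
    -Path "OU=users,$DomainDN" -AccountPassword $Initial `
    -ChangePasswordAtLogon $true -Enabled $true

# A global security group (not a distribution group) so it can carry permissions later.
New-ADGroup -Name "students" -GroupScope Global -GroupCategory Security `
    -Path "OU=groups,$DomainDN"
Add-ADGroupMember -Identity "students" -Members "j.doe"

# Check the result the way the ADUC "Members" / "Member Of" tabs would show it.
Get-ADGroupMember -Identity "students" | Select-Object Name, SamAccountName, objectClass
Get-ADUser -Identity "j.doe" -Properties MemberOf | Select-Object -ExpandProperty MemberOf
```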

Client Workstation Configuration

Domain Join

  1. Set the AD server as DNS on the client
  2. Join the domain

Then:

  1. Move the client machine into the computers OU
  2. Log in using the domain user
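The client-side join, added as an example that is not part of the lab wiki. It assumes the adapter alias "Ethernet", DC01 at 10.16.0.10, the domain example.lab, and the placeholder user j.doe from the ADUC section. Because the two VMs sit in separate subnets, the example checks DNS and LDAP reachability before joining, which is where cross-subnet joins usually fail.

```powershell
# Added example, not from the lab wiki. Run as the local Administrator on the client VM.
# Assumed: adapter "Ethernet", DC01 = 10.16.0.10, domain example.lab / EXAMPLE.
$Nic = Get-NetAdapter -Name "Ethernet"

# Step 1: DNS must point at the DC. The client finds the domain through DNS SRV records,
# so a client still using an external resolver cannot locate a domain controller at all.
Set-DnsClientServerAddress -InterfaceIndex $Nic.ifIndex -ServerAddresses "10.16.0.10"
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.example.lab" -Type SRV   # expects dc01.example.lab
Test-NetConnection -ComputerName "10.16.0.10" -Port 389               # LDAP routed between the subnets?
Test-NetConnection -ComputerName "10.16.0.10" -Port 88                # Kerberos

# Steps 2 and 3 in one call: join, and create the computer object directly in the
# computers OU instead of the default Computers container.
$Cred = Get-Credential -UserName "EXAMPLE\Administrator" -Message "Account allowed to join computers"
Add-Computer -DomainName "example.lab" -OUPath "OU=computers,DC=example,DC=lab" `
    -Credential $Cred -Restart -Force

# If the machine was joined earlier and landed in the default container, move it from DC01:
#   Move-ADObject -Identity (Get-ADComputer "CLIENT01").DistinguishedName `
#       -TargetPath "OU=computers,DC=example,DC=lab"

# Step 4, after the reboot, logged in as EXAMPLE\j.doe: confirm the machine trust and the logon.
Test-ComputerSecureChannel -Verbose      # True when the secure channel to a DC is healthy
whoami /upn                              # j.doe@example.lab
klist                                    # Kerberos tickets issued by dc01.example.lab
```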

Domain Management with GPOs

Implement Group Policy Objects for:

1. NTP Configuration

Configure network time synchronization.

2. Password Complexity Policy

Define password requirements: minimum length, complexity, etc.

3. RDP Authorization

Allow Remote Desktop access for the students group.
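The three GPO tasks scripted with the GroupPolicy, ActiveDirectory and NetSecurity modules, added as an example that is not part of the lab wiki. It assumes the domain example.lab, DC01 as time source, and links the computer-side policies to the computers OU. The GPO names "Lab - NTP client" and "Lab - RDP for students" are invented for the example.

```powershell
# Added example, not from the lab wiki. Run on DC01. Assumed domain example.lab,
# time source dc01.example.lab, policies linked to OU=computers.
Import-Module GroupPolicy, ActiveDirectory, NetSecurity
$DomainDN = (Get-ADDomain).DistinguishedName

# 1. NTP. Domain members already follow the DC hierarchy (NT5DS); this GPO pins the
#    clients to DC01 explicitly. The 0x9 flag = client mode + use SpecialPollInterval.
$Ntp = New-GPO -Name "Lab - NTP client"
$W32 = "HKLM\SOFTWARE\Policies\Microsoft\W32Time"
Set-GPRegistryValue -Name $Ntp.DisplayName -Key "$W32\TimeProviders\NtpClient" `
    -ValueName "Enabled" -Type DWord -Value 1
Set-GPRegistryValue -Name $Ntp.DisplayName -Key "$W32\Parameters" `
    -ValueName "Type" -Type String -Value "NTP"
Set-GPRegistryValue -Name $Ntp.DisplayName -Key "$W32\Parameters" `
    -ValueName "NtpServer" -Type String -Value "dc01.example.lab,0x9"
New-GPLink -Name $Ntp.DisplayName -Target "OU=computers,$DomainDN" -LinkEnabled Yes

# 2. Password policy. Account policies only take effect from a GPO linked at the domain
#    root, so an OU-level GPO would be silently ignored; set the domain default directly
#    (this writes the Default Domain Policy values).
Set-ADDefaultDomainPasswordPolicy -Identity "example.lab" `
    -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)
Get-ADDefaultDomainPasswordPolicy

# 3. RDP: allow connections, require Network Level Authentication, open the firewall
#    for the Domain profile only. The GPO decides that RDP is on; which accounts may
#    connect is still decided by the local "Remote Desktop Users" group.
$Rdp = New-GPO -Name "Lab - RDP for students"
$Ts  = "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
Set-GPRegistryValue -Name $Rdp.DisplayName -Key $Ts -ValueName "fDenyTSConnections" -Type DWord -Value 0
Set-GPRegistryValue -Name $Rdp.DisplayName -Key $Ts -ValueName "UserAuthentication"  -Type DWord -Value 1
New-NetFirewallRule -PolicyStore "example.lab\$($Rdp.DisplayName)" `
    -DisplayName "Allow RDP (students)" -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -Profile Domain -Action Allow
New-GPLink -Name $Rdp.DisplayName -Target "OU=computers,$DomainDN" -LinkEnabled Yes
# Membership of EXAMPLE\students in "Remote Desktop Users" is set in GPMC under
# Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
# (there is no GroupPolicy cmdlet for it). The one-off equivalent on the client is:
#   Add-LocalGroupMember -Group "Remote Desktop Users" -Member "EXAMPLE\students"

# Verify on the client after 'gpupdate /force':
#   w32tm /query /status            (source should be dc01.example.lab)
#   Get-GPResultantSetOfPolicy -ReportType Html -Path C:\rsop.html
```

Restricting the firewall rule to the Domain profile keeps port 3389 closed when the same workstation is on a non-domain network, and NLA means an attacker who reaches the port still has to authenticate before a session is even created.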


Questions

1. What does “FSMO” stand for?

FSMO = Flexible Single Master Operations

Some AD operations must be done by one unique Domain Controller to avoid conflicts. These are called FSMO roles.

Forest-level roles:

  1. Schema Master
  2. Domain Naming Master

Domain-level roles:

  3. RID Master
  4. PDC Emulator
  5. Infrastructure Master
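A query showing the forest/domain split in practice, added as an example that is not part of the lab wiki: the two forest-wide roles are properties of the forest object, the three domain roles of the domain object. In this single-DC lab all five resolve to dc01.example.lab (assumed name).

```powershell
# Added example, not from the lab wiki. Run on DC01; assumed domain example.lab.
Import-Module ActiveDirectory
$Forest = Get-ADForest        # forest-wide roles live here
$Domain = Get-ADDomain        # per-domain roles live here

[PSCustomObject]@{
    "Schema Master (forest)"         = $Forest.SchemaMaster
    "Domain Naming Master (forest)"  = $Forest.DomainNamingMaster
    "RID Master (domain)"            = $Domain.RIDMaster
    "PDC Emulator (domain)"          = $Domain.PDCEmulator
    "Infrastructure Master (domain)" = $Domain.InfrastructureMaster
} | Format-List

# The same answer from the classic tool, and the per-DC view:
netdom query fsmo
Get-ADDomainController -Filter * | Select-Object HostName, OperationMasterRoles
```

Knowing the holders matters operationally: the PDC emulator is the authoritative time source and processes password changes first, so it is the DC the NTP GPO should point at, and an unexpected change of any holder is worth an alert.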


2. What is a GPO?

A Group Policy Object (GPO) is a set of rules applied automatically to users and computers in a domain.

Uses:

  • Security policies
  • System configuration
  • User experience customization
  • Access control (e.g., RDP)

Application levels:

  • Site
  • Domain
  • OU

3. Security Group vs Distribution Group + Scopes

Security Groups

  • Grant permissions
  • Can also be used for email

Distribution Groups

  • Email only
  • Cannot grant permissions

Scopes of Security Groups

1. Domain Local Group (DLG)

  • Can contain: anyone from forest
  • Permissions: local domain only

2. Global Group (GG)

  • Can contain: users from same domain
  • Permissions: any domain

3. Universal Group (UG)

  • Can contain: anyone
  • Permissions: any domain
  • Heavy replication traffic

Best Practice: A-G-DL-P

  1. Accounts → Global Groups
  2. Global Groups → DLGs
  3. DLGs → Permissions
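A-G-DL-P applied to a file share on DC01 (the File Sharing role from the role list), added as an example that is not part of the lab wiki. It assumes the domain example.lab / EXAMPLE, the global group "students" from the ADUC section, the share path C:\Shares\Students, and the invented domain local group name DL-Students-Share-Modify.

```powershell
# Added example, not from the lab wiki. Run on DC01. Assumed: domain example.lab / EXAMPLE,
# global group "students" exists, share path C:\Shares\Students (constructed).
Import-Module ActiveDirectory
$DomainDN = (Get-ADDomain).DistinguishedName
$GroupsOU = "OU=groups,$DomainDN"
$Path     = "C:\Shares\Students"

# A -> G: accounts are already members of the Global group "students".
# G -> DL: a Domain Local group names the resource and the access level, and holds the
#          global group, so permissions never have to be touched when people change.
New-ADGroup -Name "DL-Students-Share-Modify" -GroupScope DomainLocal -GroupCategory Security `
    -Path $GroupsOU -Description "Modify on \\dc01\Students"
Add-ADGroupMember -Identity "DL-Students-Share-Modify" -Members "students"

# DL -> P: the NTFS ACL grants the domain local group only; no user or global group appears in it.
New-Item -Path $Path -ItemType Directory -Force | Out-Null
$Acl = Get-Acl $Path
$Acl.SetAccessRuleProtection($true, $false)   # drop the permissive inherited C:\ entries
foreach ($Entry in @(
    @("EXAMPLE\DL-Students-Share-Modify", "Modify"),
    @("BUILTIN\Administrators",           "FullControl"),
    @("NT AUTHORITY\SYSTEM",              "FullControl"))) {
    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Entry[0], $Entry[1], "ContainerInherit,ObjectInherit", "None", "Allow")
    $Acl.AddAccessRule($Rule)
}
Set-Acl -Path $Path -AclObject $Acl

# Share-level permission stays broad; the NTFS ACL above is the effective gate.
New-SmbShare -Name "Students" -Path $Path -FullAccess "Authenticated Users"

# Check: who ends up with access, and through which chain?
Get-ADGroupMember -Identity "DL-Students-Share-Modify" -Recursive | Select-Object Name, objectClass
(Get-Acl $Path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The payoff of the chain shows when a second domain is trusted later: its users go into their own global group, that group is added to the same domain local group, and the share's ACL never changes.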

Addressing Plan

Equipment            IP Address
DC01                 10.21.0.216
DNS (on DC01)        10.21.0.216
Client Workstation   DHCP or static in another subnet

Topology Summary

  • 1 Windows Server 2025 VM (DC01)
  • 1 Windows client VM
  • DC static IP: 10.21.0.101
  • Server and client on separate subnets
  • Virtio drivers installed