Sprint 1 Documentation - drewwbikk/capstone GitHub Wiki

Configure fw01

Configuring pfSense starts on fw01's console.

  • Assign the WAN and LAN interfaces
  • Assign the WAN and LAN IP addresses
    • Be sure to also assign the WAN gateway IP address
    • LAN IP: 10.0.0.2/24 (every other host in the lab uses this as its default gateway)

fw01 setup

Configuration can then move to the web interface, reached over HTTPS at the LAN address.

  • Default credentials are admin/pfsense
  • Change the default admin password before doing anything else
  • Set the system hostname
  • Set the primary DNS server for the firewall itself (8.8.8.8, Google's public resolver, is a reasonable choice; domain members will use ad01 for DNS once it exists)

Configure ad01

Configure static networking using PowerShell or sconfig (IP: 10.0.0.5/24, gateway 10.0.0.2, DNS 10.0.0.2 for now; ad01 has no DNS of its own yet, so it resolves through fw01 until the forest install turns it into the domain's DNS server).

Run through all available Windows updates (in sconfig as well).

Configure ADDS on ad01

In this environment, ad01 is running Windows Server Core, which has no desktop GUI. It may seem harder without a GUI, but the PowerShell cmdlets are intuitive and it is easy to do the whole configuration from the PowerShell prompt.

  • Configure network settings using the sconfig command
  • Add the ADDS (Active Directory Domain Services) role to ad01
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
  • Install the forest (you are prompted for the Directory Services Restore Mode password, and the server reboots when promotion finishes)
Install-ADDSForest -DomainName yourname.local
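The same build of ad01, from a fresh Server Core install to promoted domain controller, as one PowerShell script. This is an added example, not code from the wiki: the adapter alias 'Ethernet' (check with Get-NetAdapter) and the NetBIOS name YOURNAME are assumptions, and yourname.local is the wiki's placeholder domain.

```powershell
# Added example (not from the wiki): brings a fresh Server Core host up as ad01
# and promotes it to the first domain controller of yourname.local.
$Adapter = 'Ethernet'          # assumption: adapter alias on ad01
$Ip      = '10.0.0.5'
$Gateway = '10.0.0.2'          # fw01 LAN address
$Domain  = 'yourname.local'    # placeholder used throughout the wiki
$NetBios = 'YOURNAME'          # assumption: NetBIOS name derived from the domain

# --- Phase 1: static addressing (same result as the sconfig step) ---
$if = (Get-NetAdapter -Name $Adapter).ifIndex
Set-NetIPInterface -InterfaceIndex $if -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $if -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceIndex $if -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceIndex $if -IPAddress $Ip -PrefixLength 24 -DefaultGateway $Gateway | Out-Null
# Until this host runs DNS itself, resolve through fw01
Set-DnsClientServerAddress -InterfaceIndex $if -ServerAddresses $Gateway

# Renaming needs a reboot; run the script again once the host is back as ad01
if ($env:COMPUTERNAME -ne 'AD01') { Rename-Computer -NewName 'ad01' -Force -Restart; return }

# --- Phase 2: install the role and promote ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null

# The DSRM password is prompted for, never hard-coded in a script
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# Dry run first: surfaces naming, DNS and prerequisite problems without changing anything
Test-ADDSForestInstallation -DomainName $Domain -DomainNetbiosName $NetBios `
    -SafeModeAdministratorPassword $dsrm -InstallDns | Format-List

Install-ADDSForest -DomainName $Domain -DomainNetbiosName $NetBios -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Force
# The host reboots itself. Afterwards its DNS client points at itself and the
# yourname.local zone exists on ad01, which is why later hosts use 10.0.0.5 for DNS.
```

Run it twice: the first pass sets the address and reboots under the new name, the second installs the role and promotes. Test-ADDSForestInstallation is worth the extra step because a wrong DNS setting or a bad domain name fails there instead of halfway through promotion.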

Add Initial Users to Domain

You will want to add two users: yourname and yourname-adm. yourname is the account you use day to day on the domain, while yourname-adm is the Domain Admin account whose credentials you use only when a task needs administrator permissions. Do not use the -adm account when you don't need to. Staying logged on with the -adm account unnecessarily is a security risk in itself (its credentials end up cached on every machine you use it on), but in a lab the bigger risk is making accidental changes to the domain that cannot be reversed or take an exorbitant amount of time to fix. This simple separation of administrator privileges helps prevent both.

  • Create the users
# Create the accounts (New-ADUser creates them disabled, with no password)
New-ADUser yourname
New-ADUser yourname-adm

# Set the passwords; -Reset prompts only for the new password instead of
# asking for the (empty) current one first
Set-ADAccountPassword -Identity yourname -Reset
Set-ADAccountPassword -Identity yourname-adm -Reset

# Enable the accounts (only possible after a password is set, because the
# default password policy does not allow blank passwords)
Enable-ADAccount yourname
Enable-ADAccount yourname-adm

# Add the -adm account to the Domain Admins group
Add-ADGroupMember -Identity "Domain Admins" -Members yourname-adm
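The same two accounts created in one step each, with the -adm account hardened and a check that nothing other than -adm accounts sits in Domain Admins. This is an added example, not the wiki's own steps; it keeps the wiki's placeholder names yourname and yourname-adm, and the choice to put the admin account in Protected Users is made here.

```powershell
# Added example (not from the wiki): creates both accounts, hardens the -adm
# account, and audits Domain Admins membership.
Import-Module ActiveDirectory

$User  = 'yourname'        # placeholders used in the wiki
$Admin = 'yourname-adm'
$Dom   = Get-ADDomain

function New-LabUser {
    param([string]$Name, [string]$Description)
    $existing = Get-ADUser -Filter "SamAccountName -eq '$Name'"
    if ($existing) { return $existing }
    $pw = Read-Host -Prompt "Password for $Name" -AsSecureString
    # -AccountPassword plus -Enabled replaces the New-ADUser / Set-ADAccountPassword /
    # Enable-ADAccount sequence with a single call
    New-ADUser -Name $Name -SamAccountName $Name `
        -UserPrincipalName "$Name@$($Dom.DNSRoot)" -Description $Description `
        -AccountPassword $pw -Enabled $true -PassThru
}

New-LabUser -Name $User  -Description 'Day-to-day account' | Out-Null
$adm = New-LabUser -Name $Admin -Description 'Domain admin account; admin tasks only'

Add-ADGroupMember -Identity 'Domain Admins' -Members $adm
# Protected Users turns off NTLM, RC4/DES Kerberos and long ticket lifetimes for
# the account; AccountNotDelegated stops services forwarding its credential.
Add-ADGroupMember -Identity 'Protected Users' -Members $adm
Set-ADUser -Identity $adm -AccountNotDelegated $true

function Get-DomainAdminViolation {
    # Domain Admins members that are neither -adm accounts nor the built-in Administrator
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and
                       $_.SamAccountName -notmatch '-adm$' -and
                       $_.SamAccountName -ne 'Administrator' }
}

$bad = Get-DomainAdminViolation
if ($bad) { Write-Warning "Unexpected Domain Admins: $($bad.SamAccountName -join ', ')" }
else      { 'Domain Admins contains only -adm accounts and the built-in Administrator.' }
```

Keep the built-in Administrator out of Protected Users: it is the break-glass account if the restrictions on the -adm account ever lock you out (for example, a service that only speaks NTLM).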

Configure mgmt01

Configure static networking using PowerShell or sconfig (IP: 10.0.0.10/24, gateway 10.0.0.2, DNS 10.0.0.5).

Run through all available Windows updates.

Joining and managing the domain

Using sconfig again, join the domain and restart. Log in as the -adm domain account.

The local server page should look like the following when done:

local server properties

Add ad01 as a managed server through Manage -> Add servers. It should look like the following when done:

managed servers

Using Manage -> Add Roles and Features, install remote management tools for AD DS and DNS.

add adds and dns remote server administration tools

Then, go to Tools -> DNS. The DNS server is running on ad01. Create a reverse lookup zone for 10.0.0.0/24, then A records (with matching PTR records) for all servers.
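The same DNS work done from mgmt01 with the DNS RSAT cmdlets, plus two things the GUI steps above leave out: a PTR record for ad01 (which registered its own A record during promotion, before the reverse zone existed) and a forwarder so ad01 can resolve names outside the lab. This is an added example, not part of the wiki. The host names and addresses are the wiki's; the fw01 record and forwarding through fw01 (assumed to be running pfSense's DNS Resolver, with 8.8.8.8 as fallback) are assumptions.

```powershell
# Added example (not from the wiki): run on mgmt01 with the AD DS and DNS tools installed.
Import-Module DnsServer
Import-Module ActiveDirectory

$Dns     = 'ad01'
$Zone    = (Get-ADDomain).DNSRoot          # yourname.local
$RevZone = '0.0.10.in-addr.arpa'
$Hosts   = [ordered]@{                     # the wiki's static addresses; fw01 is an assumption
    fw01   = '10.0.0.2'
    ad01   = '10.0.0.5'
    mgmt01 = '10.0.0.10'
    web01  = '10.0.0.15'
    fs01   = '10.0.0.20'
}

if (-not (Get-DnsServerZone -ComputerName $Dns -Name $RevZone -ErrorAction SilentlyContinue)) {
    # AD-integrated so it replicates to any DC added later
    Add-DnsServerPrimaryZone -ComputerName $Dns -NetworkId '10.0.0.0/24' -ReplicationScope Domain
}

foreach ($h in $Hosts.GetEnumerator()) {
    $name = $h.Key; $ip = $h.Value
    $hasA = Get-DnsServerResourceRecord -ComputerName $Dns -ZoneName $Zone -Name $name -RRType A -ErrorAction SilentlyContinue
    if (-not $hasA) {
        # -CreatePtr writes the matching PTR into the reverse zone in the same step
        Add-DnsServerResourceRecordA -ComputerName $Dns -ZoneName $Zone -Name $name -IPv4Address $ip -CreatePtr
        continue
    }
    # A record already there (ad01): backfill the PTR if the reverse zone lacks it
    $last   = $ip.Split('.')[3]
    $hasPtr = Get-DnsServerResourceRecord -ComputerName $Dns -ZoneName $RevZone -Name $last -RRType Ptr -ErrorAction SilentlyContinue
    if (-not $hasPtr) {
        Add-DnsServerResourceRecordPtr -ComputerName $Dns -ZoneName $RevZone -Name $last -PtrDomainName "$name.$Zone"
    }
}

# Names outside the lab: forward to fw01 (assumption: pfSense DNS Resolver enabled),
# then 8.8.8.8, rather than having ad01 walk the root hints itself
Set-DnsServerForwarder -ComputerName $Dns -IPAddress '10.0.0.2', '8.8.8.8' -UseRootHint $false

function Test-LabDns {
    # Forward and reverse lookup for every host, answered by ad01 directly
    foreach ($h in $Hosts.GetEnumerator()) {
        $fqdn = "$($h.Key).$Zone"
        $a    = (Resolve-DnsName -Server $Dns -Name $fqdn   -Type A   -ErrorAction SilentlyContinue).IPAddress
        $ptr  = (Resolve-DnsName -Server $Dns -Name $h.Value -Type PTR -ErrorAction SilentlyContinue).NameHost
        [pscustomobject]@{ Host = $h.Key; A = $a; PTR = $ptr; Ok = ($a -eq $h.Value -and $ptr -eq $fqdn) }
    }
}
Test-LabDns | Format-Table -AutoSize
```

Every row of Test-LabDns should show Ok = True; a False on the PTR column is the usual sign that a record was added to the forward zone before the reverse zone existed.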

It should look like the following when complete:

forward zone

reverse zone

Now, install the DHCP role on ad01 and the DHCP remote management tools on mgmt01 using Manage -> Add Roles and Features. Complete the DHCP post-install configuration in the GUI: this creates the DHCP security groups and authorizes the server in Active Directory, and an unauthorized DHCP server on a domain-joined host will not hand out leases.

Open the DHCP manager and create a new DHCP scope with IPs in the range 10.0.0.50-10.0.0.100, which keeps all of the statically addressed servers outside the pool. Set the scope options for router (10.0.0.2) and DNS server (10.0.0.5) so clients get the same gateway and resolver as the static hosts. It should look like this when complete:

dhcp scope
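The DHCP role install, the post-install steps, the scope and its options, all from mgmt01 with the DHCP cmdlets. This is an added example, not the wiki's procedure: the scope name 'LAN' and the one-day lease are choices made here, and the registry write is the documented way to clear the "configuration required" flag that the Server Manager wizard otherwise clears.

```powershell
# Added example (not from the wiki): installs, authorizes and configures DHCP on ad01 from mgmt01.
Import-Module DhcpServer
Import-Module ActiveDirectory

$Dhcp   = 'ad01'
$DhcpIp = '10.0.0.5'
$Zone   = (Get-ADDomain).DNSRoot

Install-WindowsFeature -ComputerName $Dhcp -Name DHCP -IncludeManagementTools | Out-Null

# The post-install wizard's three steps: security groups, AD authorization,
# and clearing Server Manager's "configuration required" flag
Add-DhcpServerSecurityGroup -ComputerName $Dhcp
if (-not (Get-DhcpServerInDC | Where-Object IPAddress -eq $DhcpIp)) {
    Add-DhcpServerInDC -DnsName "$Dhcp.$Zone" -IPAddress $DhcpIp
}
Invoke-Command -ComputerName $Dhcp -ScriptBlock {
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name ConfigurationState -Value 2
    Restart-Service DHCPServer     # picks up the new security groups
}

if (-not (Get-DhcpServerv4Scope -ComputerName $Dhcp -ScopeId 10.0.0.0 -ErrorAction SilentlyContinue)) {
    # .50-.100 leaves every static server (.2, .5, .10, .15, .20) outside the pool
    Add-DhcpServerv4Scope -ComputerName $Dhcp -Name 'LAN' -StartRange 10.0.0.50 -EndRange 10.0.0.100 `
        -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 1) -State Active
}
# Clients get the same gateway and resolver as the static hosts
Set-DhcpServerv4OptionValue -ComputerName $Dhcp -ScopeId 10.0.0.0 -Router 10.0.0.2 -DnsServer $DhcpIp -DnsDomain $Zone

function Get-LabLease {
    # Current leases; wks01 should appear here once it boots with DHCP
    Get-DhcpServerv4Lease -ComputerName $Dhcp -ScopeId 10.0.0.0 |
        Select-Object IPAddress, HostName, ClientId, LeaseExpiryTime
}
Get-LabLease | Format-Table -AutoSize
```

Get-DhcpServerInDC is also the quickest way to spot a rogue or forgotten DHCP server later: only ad01 should be listed.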

Configure wks01

If you're using wks01 to configure pfSense in the web interface, set a static IP for now. Otherwise DHCP is already set up and wks01 should get an address from the scope.

dhcp working on wks01

Now it's time to join wks01 to the domain. Do this through Control Panel -> System and Security -> System -> Change settings. Change the hostname, join the machine to the domain (use the -adm account when prompted for credentials), and restart when prompted.

After restarting, you should be able to log in as your named domain user.

complete domain join wks01

Configure web01

Use the following commands to configure the network adapter (ens192 is the adapter name on this VM; check with nmcli con show):

nmcli con mod ens192 ipv4.addresses 10.0.0.15/24
nmcli con mod ens192 ipv4.gateway 10.0.0.2
nmcli con mod ens192 ipv4.dns 10.0.0.5
nmcli con mod ens192 ipv4.dns-search yourname.local   #So short names like fs01 resolve
nmcli con mod ens192 ipv4.method manual
nmcli con up ens192                                    #Apply the changes

Use the following commands to set up a basic Apache web server:

yum -y install httpd
nano /var/www/html/index.html #Create index page
nano /etc/httpd/conf.d/welcome.conf #Comment out every line in the file so the default test page is not served
systemctl enable --now httpd #Start now and on every boot
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --reload

You should now be able to browse to http://web01 (or http://10.0.0.15) on port 80.

Configure fs01

Configure static networking using PowerShell or sconfig (IP: 10.0.0.20/24, gateway 10.0.0.2, DNS 10.0.0.5).

Run through all available Windows updates (in sconfig as well).

Using sconfig again, set the hostname, join the domain, and restart. Be sure you can log into fs01 with a domain account.
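The network and domain-join steps that mgmt01 and fs01 (and wks01, via the Control Panel) go through, as one script run on the member itself. This is an added example, not the wiki's procedure: the parameter defaults are fs01's values from the wiki, the adapter alias 'Ethernet' is an assumption, and the SRV lookup before joining is a check added here.

```powershell
# Added example (not from the wiki): static addressing plus domain join for a member
# server. Run on the host being joined, e.g. ".\join.ps1 -NewName mgmt01 -Ip 10.0.0.10".
param(
    [string]$NewName = 'fs01',
    [string]$Ip      = '10.0.0.20',
    [string]$Adapter = 'Ethernet'      # assumption: adapter alias on the member
)
$Gateway = '10.0.0.2'
$DnsSrv  = '10.0.0.5'                  # ad01: members must use the DC for DNS or the join fails
$Domain  = 'yourname.local'            # the wiki's placeholder domain

$if = (Get-NetAdapter -Name $Adapter).ifIndex
Set-NetIPInterface -InterfaceIndex $if -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $if -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceIndex $if -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceIndex $if -IPAddress $Ip -PrefixLength 24 -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $if -ServerAddresses $DnsSrv

# Check before joining: the DC locator SRV record must resolve through the chosen DNS.
# -ErrorAction Stop aborts here with a clear cause instead of a vague join error.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsSrv -ErrorAction Stop
"Found DC(s): $($srv.NameTarget -join ', ')"

# Prompt for the join credential; the -adm account is what the wiki uses
$cred = Get-Credential -Message "Account allowed to join $Domain (for example $Domain\yourname-adm)"
Add-Computer -DomainName $Domain -NewName $NewName -Credential $cred -Restart
```

One caveat worth knowing even in a lab: by default any authenticated domain user can join up to ten computers to the domain (the ms-DS-MachineAccountQuota attribute). In a production domain that is usually set to 0 from an admin workstation with Set-ADDomain -Identity yourname.local -Replace @{'ms-DS-MachineAccountQuota'=0}, so that only delegated accounts can add machines.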

Now, the rest will be done on mgmt01. Add fs01 as a managed server, just like how you did for ad01.

fs01 server on mgmt01

Install File Services


Manage -> Add Roles and Features -> fs01

Under Roles -> File and Storage Services -> File and iSCSI Services, select File Server and BranchCache for Network Files.

Be sure to install the management tools as well.

Then, under File and Storage Services, select Shares, right-click and select New share.

Select an SMB Share - Quick

Location is fs01-andrew; create a folder on the C drive called default_share. Set the share name to whatever you wish (here, it will be File Server).

Add the desired permissions for Domain Admins, Domain Users, or any specific groups you have. Prefer granting a dedicated group rather than all of Domain Users, and keep Everyone off the share; share permissions and NTFS permissions combine, and the effective access is the more restrictive of the two. Create the share.

You should now be able to navigate to the share in File Explorer:

file share

Mounting the file share using AD


Under Active Directory Users and Computers, create a new Security Group called File Server Users, and add your named users to it.
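The share from the previous section and the File Server Users group from this one, done together from mgmt01 so that the NTFS and share permissions grant only that group. This is an added example, not the wiki's steps: the path, share name and group name are the wiki's, while the explicit ACL (no inherited BUILTIN\Users read from C:\), SMB encryption and access-based enumeration are choices made here.

```powershell
# Added example (not from the wiki): run on mgmt01 as the -adm account.
Import-Module ActiveDirectory

$Fs        = 'fs01'
$Path      = 'C:\default_share'
$ShareName = 'File Server'
$Group     = 'File Server Users'
$Dom       = Get-ADDomain
$Members   = 'yourname', 'yourname-adm'      # placeholders from the wiki

if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -SamAccountName $Group -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$($Dom.DistinguishedName)" -Description 'Users who get the File Server share mapped'
}
Add-ADGroupMember -Identity $Group -Members $Members

Invoke-Command -ComputerName $Fs -ArgumentList $Path, $ShareName, "$($Dom.NetBIOSName)\$Group" -ScriptBlock {
    param($Path, $ShareName, $GroupAccount)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # NTFS: stop inheriting from C:\ (which gives BUILTIN\Users read) and set an explicit ACL
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)      # protect, and drop the inherited entries
    $inherit = 'ContainerInherit,ObjectInherit'
    foreach ($entry in @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @($GroupAccount,            'Modify'))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry[0], $entry[1], $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Share: Change for the group, Full for admins, no Everyone entry. -EncryptData
    # keeps file contents off the wire in clear text (SMB 3 clients only);
    # access-based enumeration hides folders a user cannot open.
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $Path -ChangeAccess $GroupAccount `
            -FullAccess 'BUILTIN\Administrators' -EncryptData $true `
            -FolderEnumerationMode AccessBased | Out-Null
    }
    Get-SmbShareAccess -Name $ShareName     # confirm: group, Administrators, nothing else
}
```

Get-SmbShareAccess at the end is the check to keep: if Everyone appears in its output, the share was created with the wizard's defaults rather than an explicit access list.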

Ensure the group policy management feature is installed on mgmt01.

Using Group Policy Management, create a new GPO in the domain called Users - Mapped Drives.

Right-click the GPO and edit it.

Navigate to User Configuration -> Preferences -> Windows Settings -> Drive Maps

Right-click Drive Maps and select New Mapped Drive.

Then, input the location of the file share (\\fs01\File Server) and select a drive letter to use. Leave the "Connect as" fields empty: credentials stored in Group Policy Preferences are encrypted with a key Microsoft published, and the option was removed in MS14-025 for that reason.

properties

Select Run in logged on user's security context.

Select Item-level targeting, and click the Targeting button.

Select New Item, and select the Security Group called File Server Users.

targeting

Then, click OK and OK again to close the New Mapped Drive Properties. On wks01, run gpupdate /force (or restart the computer), then log out and log back in. The mapped drive should be there.
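The scriptable part of this section from mgmt01: creating and linking the GPO, checking that the Drive Maps item actually made it into the GPO, and pushing the refresh to wks01. The Drive Maps preference item itself is still authored in the editor as described above; there is no cmdlet for Group Policy Preference items. This is an added example, not the wiki's procedure; the GPO name and UNC path are the wiki's.

```powershell
# Added example (not from the wiki): run on mgmt01 with Group Policy Management installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'Users - Mapped Drives'
$Share    = '\\fs01\File Server'
$DomainDn = (Get-ADDomain).DistinguishedName

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment "Maps $Share for File Server Users" }

# Link at the domain root; item-level targeting on the drive map decides who gets it
$linked = (Get-GPInheritance -Target $DomainDn).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes | Out-Null }

function Test-DriveMapInGpo {
    # The XML report contains the preference item; searching for the UNC path as
    # a literal avoids depending on the preference schema's element names
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $report.OuterXml -match [regex]::Escape($Share)
}

if (Test-DriveMapInGpo) {
    # Remote gpupdate; wks01 must allow the "Remote Scheduled Tasks Management" firewall rules
    Invoke-GPUpdate -Computer 'wks01' -Target User -Force -RandomDelayInMinutes 0
    "Drive Maps item for $Share present; wks01 told to refresh user policy (log off and on to see the drive)."
} else {
    Write-Warning "GPO '$GpoName' has no Drive Maps item for $Share yet; add it in the editor first."
}
```

Test-DriveMapInGpo is the useful piece when the drive does not appear on wks01: it separates "the item was never saved into the GPO" from "the GPO applied but the user is not in File Server Users", which gpresult /r /scope:user on wks01 then answers.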

mapped drive

fs on mapped drive