sprint 1 documentation - drewwbikk/capstone GitHub Wiki
Configuring pfSense starts on fw01's command line.
- Assign the WAN and LAN ports
- Assign the WAN and LAN IP addresses
- Be sure to also assign the WAN gateway IP address
- LAN IP: 10.0.0.2/24
Configuration can then move to the web interface.
- Default credentials are admin/pfsense
- Reset the admin password
- Set the system hostname
- Set the primary DNS server (8.8.8.8 is Google's DNS and a good choice)
Configure manual networking on ad01 using PowerShell and `sconfig` (IP: 10.0.0.5, Gateway: 10.0.0.2, DNS: 10.0.0.2 for now).
Run through all available Windows updates (in `sconfig` as well).
In this environment, ad01 is running Windows Server Core. This means that there is no GUI. While it may seem much more difficult without a GUI, PowerShell commands and cmdlets are intuitive and it is easy to start configuring through PowerShell.
- Configure network services using the `sconfig` command
- Add the AD DS (Active Directory Domain Services) role to ad01

```powershell
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
```

- Install the forest

```powershell
Install-ADDSForest -DomainName yourname.local
```
You will want to add two users: `yourname` and `yourname-adm`. `yourname` will be the account you use normally on the domain, while `yourname-adm` will be the account that is a Domain Admin, and you will use that account's credentials only when it is necessary to perform tasks that need administrator permissions. Do not use your -adm account when you don't need to. While staying logged on to your -adm account unnecessarily can be a security risk depending on how your environment is set up, the bigger risk is making accidental changes to the domain that either cannot be reversed or will take an exorbitant amount of time to fix. The simple separation of your administrator privileges can help prevent issues like these.
- Create the users

```powershell
# Create the accounts (new accounts start disabled and without a password)
New-ADUser yourname
New-ADUser yourname-adm
# Set the passwords for the accounts (-Reset prompts for the new password only,
# instead of asking for the current one first)
Set-ADAccountPassword -Identity yourname -Reset
Set-ADAccountPassword -Identity yourname-adm -Reset
# Enable the accounts (Note: You can only do this after setting the password)
Enable-ADAccount yourname
Enable-ADAccount yourname-adm
# Add the -adm account to the Domain Admins group
Add-ADGroupMember -Identity "Domain Admins" -Members yourname-adm
```
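The account split above only protects you while it holds. The following is an added check (not part of the capstone wiki) that walks Domain Admins and flags members that do not follow the `-adm` convention, or whose matching standard account is also a Domain Admin. It assumes the RSAT ActiveDirectory module and the `yourname`/`yourname-adm` naming used on this page.

```powershell
# Added example: audit the standard/-adm separation described above.
# Assumes the ActiveDirectory module is available (RSAT or a domain controller).
Import-Module ActiveDirectory

function Test-AdminAccountSeparation {
    param([string]$Suffix = '-adm')

    # Resolve nested groups too, so an admin hidden in a sub-group is still counted
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user'
    $adminNames = @($domainAdmins | ForEach-Object SamAccountName)

    foreach ($sam in $adminNames) {
        if ($sam -eq 'Administrator') { continue }   # built-in account, handled separately

        # Rule 1: every Domain Admin should be a dedicated -adm account, not a daily-use user
        if (-not $sam.EndsWith($Suffix)) {
            Write-Warning "$sam is a Domain Admin but is not a dedicated $Suffix account"
            continue
        }

        # Rule 2: the matching standard account should exist and must NOT be a Domain Admin
        $standard = $sam.Substring(0, $sam.Length - $Suffix.Length)
        $std = Get-ADUser -Filter "SamAccountName -eq '$standard'"
        if (-not $std) {
            Write-Warning "$sam has no matching standard account '$standard'"
        } elseif ($adminNames -contains $standard) {
            Write-Warning "$standard is ALSO a Domain Admin; the separation is defeated"
        }
    }
}

Test-AdminAccountSeparation
```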
Configure manual networking on mgmt01 using PowerShell and `sconfig` (IP: 10.0.0.10, Gateway: 10.0.0.2, DNS: 10.0.0.5).
Run through all available Windows updates.
Using `sconfig` again, join the domain and restart. Log in as the named domain admin.
The local server page should look like the following when done:
Add ad01 as a managed server through Manage -> Add servers. It should look like the following when done:
Using Manage -> Add Roles and Features, install remote management tools for AD DS and DNS.
Then, go to Tools -> DNS. The DNS server is running on ad01. Create a reverse lookup zone, and then A and PTR records for all servers.
It should look like the following when complete:
Now, install the DHCP role on ad01 and the remote management tools on mgmt01 using Manage -> Add Roles and Features. Complete the DHCP post-install configuration using the GUI.
Open the DHCP manager and create a new DHCP scope with IPs in the range 10.0.0.50-10.0.0.100. It should look like this when complete:
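The DNS and DHCP steps above can also be done from mgmt01 in PowerShell instead of the MMC consoles. This is an added example, not the wiki's own commands; it assumes the RSAT DNS and DHCP modules are installed on mgmt01, that the domain is yourname.local, and the static addresses listed on this page.

```powershell
# Added example: reverse zone, A/PTR records and the DHCP scope, run from mgmt01.
$Dns    = 'ad01'            # DNS and DHCP both run on ad01
$Zone   = 'yourname.local'  # assumed domain name from the Install-ADDSForest step
$Subnet = '10.0.0.0/24'

# Static hosts from the IP plan on this page (fw01 is the pfSense LAN address)
$Hosts = @{ fw01 = '10.0.0.2'; ad01 = '10.0.0.5'; mgmt01 = '10.0.0.10'
            web01 = '10.0.0.15'; fs01 = '10.0.0.20' }

# 1. AD-integrated reverse lookup zone for 10.0.0.x (creates 0.0.10.in-addr.arpa)
if (-not (Get-DnsServerZone -ComputerName $Dns -Name '0.0.10.in-addr.arpa' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -ComputerName $Dns -NetworkId $Subnet -ReplicationScope Domain
}

# 2. A record plus matching PTR for every server (-CreatePtr needs the reverse zone to exist).
#    Domain members that already registered themselves dynamically are left alone.
foreach ($name in $Hosts.Keys) {
    $existing = Get-DnsServerResourceRecord -ComputerName $Dns -ZoneName $Zone -Name $name `
        -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ComputerName $Dns -ZoneName $Zone -Name $name `
            -IPv4Address $Hosts[$name] -CreatePtr
    }
}

# 3. DHCP scope 10.0.0.50-100, handing out the pfSense gateway and ad01 as DNS.
#    The static range (.2-.20) lies outside the scope, so no exclusion is needed.
Add-DhcpServerv4Scope -ComputerName $Dns -Name 'LAN' -StartRange 10.0.0.50 -EndRange 10.0.0.100 `
    -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ComputerName $Dns -ScopeId 10.0.0.0 -Router 10.0.0.2 `
    -DnsServer 10.0.0.5 -DnsDomain $Zone

# 4. Authorize the server in AD; an unauthorized DHCP server will not lease addresses to domain clients
Add-DhcpServerInDC -DnsName "$Dns.$Zone" -IPAddress 10.0.0.5
```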
If you're using wks01 to configure pfSense through the web interface, set a static IP for now. Otherwise, DHCP will already be set up and it should grab an IP address.
Now, it's time to join wks01 to the domain. Do this through the Control Panel -> System and Security -> System -> Change Settings. Change the hostname and join the machine to the domain. It will prompt a restart.
After restarting, you should be able to log in as your named domain user.
Use the following commands on web01 to configure the network adapter:

```bash
nmcli con mod ens192 ipv4.address 10.0.0.15/24
nmcli con mod ens192 ipv4.gateway 10.0.0.2
nmcli con mod ens192 ipv4.dns 10.0.0.5
nmcli con mod ens192 ipv4.method manual
nmcli con up ens192   # re-activate the connection so the new settings take effect
```
Use the following commands to set up a basic Apache web server:

```bash
yum -y install httpd
nano /var/www/html/index.html          # Create the index page
nano /etc/httpd/conf.d/welcome.conf    # Comment out every line in the file
systemctl enable --now httpd           # Start httpd now and on every boot
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --reload
```
You should now be able to browse to web01's IP (or hostname) with port 80.
Configure manual networking on fs01 using PowerShell and `sconfig` (IP: 10.0.0.20, Gateway: 10.0.0.2, DNS: 10.0.0.5).
Run through all available Windows updates (in `sconfig` as well).
Using `sconfig` again, join the domain, set the hostname, and restart. Be sure you can log into fs01 with a named domain account.
Now, the rest will be done on mgmt01. Add fs01 as a managed server, just like you did for ad01.
Go to Manage -> Add Roles and Features -> fs01.
Under Roles -> File and Storage Services -> File and iSCSI Services, select File Server and BranchCache for Network Files.
Be sure to install the management tools as well.
Then, under File and Storage Services, select Shares, right-click and select New Share.
Select SMB Share - Quick.
The location is fs01-andrew; create a folder on the C drive called `default_share`. Set the share name to what you wish (for this, it will be File Server).
Add the desired permissions for Domain Admins, Domain Users, or any specific Organizational Units you may have. Create the share.
You should now be able to navigate to the share in File Explorer:
Under Active Directory Users and Computers, create a new Security Group called File Server Users, and add your named users to it.
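The share and group steps above, scripted from mgmt01 so that both the SMB share permissions and the NTFS ACL are limited to Domain Admins and the File Server Users group rather than the default Everyone entry. This is an added example, not the wiki's own procedure; it assumes the domain NetBIOS name is `yourname` (from yourname.local), the RSAT AD module on mgmt01, and PowerShell remoting to fs01.

```powershell
# Added example: "File Server Users" group plus a least-privilege share on fs01.
$FileServer = 'fs01'
$SharePath  = 'C:\default_share'
$ShareName  = 'File Server'
$GroupName  = 'File Server Users'
$Domain     = 'yourname'          # assumed NetBIOS name of yourname.local

# 1. Security group that the drive-map GPO targets, holding the standard (non -adm) users
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members 'yourname'

Invoke-Command -ComputerName $FileServer -ScriptBlock {
    param($Path, $Name, $Group, $Dom)
    New-Item -Path $Path -ItemType Directory -Force | Out-Null

    # 2. Share permissions: admins Full, group members Change, nobody else listed
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Name -Path $Path `
            -FullAccess "$Dom\Domain Admins" `
            -ChangeAccess "$Dom\$Group" `
            -EncryptData $true              # require SMB3 encryption on this share
    }

    # 3. Matching NTFS ACL: drop inherited rights, then grant only SYSTEM and the same two groups
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = 'ContainerInherit,ObjectInherit'
    foreach ($entry in @(
            @('NT AUTHORITY\SYSTEM', 'FullControl'),
            @("$Dom\Domain Admins",  'FullControl'),
            @("$Dom\$Group",         'Modify'))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry[0], $entry[1], $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
} -ArgumentList $SharePath, $ShareName, $GroupName, $Domain
```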
Ensure the group policy management feature is installed on mgmt01.
Using Group Policy Management, create a new GPO in the domain called Users - Mapped Drives.
Right-click the GPO and edit it.
Navigate to User Configuration -> Preferences -> Windows Settings -> Drive Maps
Right-click Drive Maps and select New Mapped Drive.
Then, input the location of the file share and select a drive letter to use.
Select Run in logged on user's security context.
Select Item-level targeting, and click the Targeting button.
Select New Item, and select the Security Group called File Server Users.
Then, click OK and OK again to close the New Mapped Drive Properties. On wks01, run `gpupdate /force` (or restart the computer), and log out and log back in. The mapped drive should be there.