Lab 00 - jude-lindale/Wiki GitHub Wiki

  • Using sconfig from command prompt, make updates manual
  • MGMT01 should have the IP address of 10.0.5.10
  • gateway of 10.0.5.2
  • DNS should be set to the IP of ad01 (10.0.5.5)
  • Hostname should be mgmt01-firstname
  • Join it to yourname.local
  • Internet Protocal Version 4 (TCP/IPv4) Propterties
    • Open settings and choose network and internet
    • Click on change adapter options
    • Right click the adapter and choose properties
    • Look for the check box that says 'Internet Protocal Version 4 (TCP/IPv4) and click on it
    • Click the properties tab, if not already done:
      • Put the IP address as 10.0.5.100
      • Put the Subnet mask as 255.255.255.0
      • Put the Default gateway and Preferred DNS server as 10.0.5.1 then press ok

Purpose:

The goal of this lab is to build a realistic server environment consisting of a routed network (LAN and WAN) as well as introduce Server 2019 Desktop and Core and the systems required to manage them.

Working Notes:

This environment is a server that is modeled after a Basic Routed Network with WAN and LAN. In this model, the wks01 using the IP address 10.0.5.100 connects to its host studentx on 10.0.5.0/24, which connects wks01 to fw01 using the upstream gateway address of 10.0.5.2. The firewall uses IP address 10.0.17.106 that was assigned by the instructor to connect to the SYS255-WAN host using the IP address 10.0.17.0 which connects to another firewall using another default gateway of 10.0.17.2 which uses the IP address 192.168.4.52 to connect to its host CYBER on 192.168.4.0/24 to finally be connected to the cloud. In setting up this environment I configured the firewall and windows 10 VM's to connect and communicate with one another so that the windows 10 VM could connect to the internet. Furthermore, this lab also required the setting up of a server core using the command terminal. As I had to do the initial server setup, installing the adds role, configuring the DNS, and prepare and connect the wks01 to join the DNS. As well as making sure all machines had proper connectivity

FW01:

Firewall 1 is a pfSense virtual router that was configure first in order to route traffic between the private network and the SYS265-WAN. FW01 has two network interfaces. One that is connected to SYS265-WAN and the other to [SYS265-LAN-your.name](http://sys265-lan-your.name/) where the other systems are hosted.

Configuration:

Step 1:

Go to the settings of the virtual machine in vsphere and make sure that network adapter 1 is set to SYS265-A-WAN and add another network adapter and set it to SYS265-A-LAN-Jude.Lindale

Step 2:

Once the machine has been powered it is time to configure.

  • In the configuration console select 2 to set interface IP Adress
    • Select 1 to set the WAN interface
    • Do not use DHCP for WAN IPv4 address
    • Set IP address to assigned IP address (in this case 10.0.17.106)
    • Set subnet mask to be 24 bit = 255.255.255.0
    • Set the WAN upstream gateway to 10.0.17.2
    • Do not use IPv6 when asked about DHCP
    • Press [ENTER] to bypass IPv6 configuration
    • Press [n] when asked about HTTP for GUI
  • Select 2 again to set the other interface IP Adress
    • Select 2 for the LAN interface
    • Do not use DHCP for LAN IPv4 address
    • The LAN IP Address is 10.0.5.2
    • Set subnet mask to 24 bit = 255.255.255.0
    • Do not enter LAN upstream gateway, press [ENTER]
    • Do not use DHCP
    • Press [ENTER] to bypass IPv6 configuration
    • Do not enable LAN DHCP Server
    • Do not revert to HTTP

Step 3:

  • Choose option 8

WKS-01:

This is a windows box that uses SYS265-A-LAN-Jude.lindale

Configuration:

Step 1:

  • Set Network adapter 1 to LAN ie. SYS255-03-jude.lindale

Step 2:

  • Open File Explorer
    • Right-click on “This PC”
    • Click “Properties”
    • Click on “Change Settings”
    • Click “Change” next to “To rename this computer…”
    • Then type: wks01-yourfirstname id. wsk01-jude
    • Check “firstname” to your real first name

Step 3:

  • Set up a new local administrator account
    • Search for lusrmgr.msc in search bar
    • Choose user folder
    • add new user
    • User name jude.lindale-loc
    • Full name jude.lindale-loc
    • set passowrd
    • check off password never expires
    • left click on the newly created user and choose properties
    • Choose Member of tab
    • Select groups for object type
    • Set WKS01-Jude for From this location
    • Set WKS01-Jude\Administrators for Enter the object names
    • logout and login again

Step 4:

  • Internet Protocal Version 4 (TCP/IPv4) Propterties
    • Open settings and choose network and internet
    • Click on change adapter options
    • Right click the adapter and choose properties
    • Look for the check box that says 'Internet Protocal Version 4 (TCP/IPv4) and click on it
    • Click the properties tab, if not already done:
      • Put the IP address as 10.0.5.100
      • Put the Subnet mask as 255.255.255.0
      • Put the Default gateway and Preferred DNS server as 10.0.5.2 then press ok

FW01 GUI Configuration:

Step 1:

  • Open Explorer and put the default gateway in the search bar (http://10.0.5.2/)
  • When prompted sign in to pfsense
  • Use the setup wizard
  • System Wizard: General Information
    • Hostname: fw01-jude
    • Domain: jude.local
    • Primary DNS: 8.8.8.8 (Google)
  • System Wizard: Configure WAN Interface
    • Set IP Address to 10.0.17.106
    • Set Subnet mask to 24
    • Set Upstream gateway to 10.0.5.2
    • RFC1918 Networks: Uncheck "Block private networks from entering via WAN"

AD01 - Server Core:

Step: 1

  • In vSphere find and edit ad01's network adapter options
  • Network adapter 1 should be changed to, if not already, SYS255-02-LAN-jude.lindale
  • Use default settings with the following exceptions
    • Product Key -> Do this later
    • Administrator Password

Step 2:

  • Change and record the new administrator password for the Server Core machine.

Using sconfig, configure the following:

  • Network Settings
  • IP:  10.0.5.5
  • Netmask: 255.255.255.0
  • Gateway: 10.0.5.2
  • Preferred DNS: 10.0.5.2
  • computer Name:  ad01-jude
  • Manual Windows Update
  • Then reboot

Step 3:

  • Installing AD on Server Core
    • invoke Powershell
    • Run the command Intsall-WindowsFeatures AD-Domain-Services -IncludeManagmentTools
  • Install The Forest
    • Install-ADDSForest -DomainName jude.local
    • press Y and then it will start

Configure MGMT01:

MGMT01 is a Server 2019 with GUI. Its job will be to remotely manage any server core systems. It should be configured with Network Adapter 1 on [SYS265-LAN-your.name](http://sys265-lan-your.name/) just like the other LAN-based VMs.

Step 1:

  • Using sconfig from command prompt, make updates manual
  • MGMT01 should have the IP address of 10.0.5.10
  • gateway of 10.0.5.2
  • DNS should be set to the IP of ad01 (10.0.5.5)
  • Hostname should be mgmt01-jude
  • Join it to jude.local
    • Username: Administrator

Step 2:

  • after rebooking login as the user to the domain and not the local host.
  • Open server manager
  • Open Server Manager. From the Manage menu, select Add Roles and Features
  • Skip over the section saying Before You Begin
  • Use Role-Based or feature-based installation
    • choose remote server administration tools
      • role administration tools
        • DHCP Server tools
        • File Service tools
  • Select the server
  • From Server Roles select Active Directory Domain Services->Add Features
  • Pick Active Directory Domain
  • Choose the restart destination server option, and select yes on the confirmation dialog

Step 3:

  • Using Server Manager on mgmt01, add ad01 to the list of managed servers.

DNS Error

Because we gave our environment a .local top level domain(TLD), an error is indicated during installation. Valid top level domains are domains like .com, .gov, .edu, .net. Because this is an internal domain, we will leave it as is. The naming of local domains is the subject of many debates among systems administrators.

Installation will take a few minutes and a reboot. When you log back in, you will be logging in as the Domain Administrator (with credentials in Active Directory) as opposed to the Local Administrator (credentials stored locally within Windows OS credentials & not in AD domain credentials).

DNS

After installation and a lengthy reboot, the ad01 server's network configuration has changed somewhat. The DNS server now points to 127.0.0.1 (which is the local loopback adapter for ad01, i.e. it’s pointing back to itself), and DNS queries not handled locally are forwarded to fw01 which will in turn forward to its DNS Server.

Adding a DNS Record

  1. First, on ad01 run the commands:
    • hostname
    • ping 10.0.5.2
    • ping fw01-jude
  2. Find and invoke DNS Manager from the Server Manager/DNS/AD01 context menu
  3. Find and expand the forward lookup zone for the new domain
  4. There should be an entry for ad01.yourname. This allows to ping ad01 by hostname and/or domain name
  5. From the DNS Manager, select New Host (A or AAAA name):
    • Host: fw01-jude
    • FQDN: fw01-jude.jude.local
    • Ip address: 10.0.5.2
  6. Add a reference to fw01, go ahead and check "Create associated (PTR) record"

When host is added, the capability to resolve a host by its hostname is enabled. The reverse is not true. We cannot get a hostname by IP address until we create a reverse lookup zone.

Reverse DNS

  1. Add a reverse primary lookup for all IP addresses in the 10.0.5.0/24 Network by selecting the New Zone options from the right-click context menu as shown below. Use the defaults, and add a Network ID for 10.0.5.
  2. Create a new PTR record from the A record of fw01-yourname and ad01-yourname by unchecking, applying checking the update PTR record check box, and re-applying fw01's properties.
  • Host: fw01-jude
  • FQDN: fw01-jude.jude.local
  • IP address: 10.0.5.2
  1. The reverse dns entry for fw01 and ad01 should now be in the 5.0.10 reverse lookup zone. May need to refresh from the DNS option on the left
  2. as well as for Wks-01 and mgmt01

Create Named Domain Users on ad01

It is very easy to become confused between local accounts on either WKS1 and AD01 and domain accounts that are available on every system in the domain. We are going to create a named domain administrator account as well as a named non-privileged user account.

  1. On AD01, find the Active Directory Users and Computers option

  2. Under the Domain's user folder, add a new User

  3. This user (first.lastname-adm) will be a Domain Administrator and will have a distinct suffix (ADM) to show this

  4. Uncheck user must change password at next login

  5. On the user just made left click and choose Add to a group

    • Enter the object names to select: Domain Admins
  6. Create a non-privileged account (Skip the addition to Domain Admins) for user first.lastname

Terms/Topics:

  • PTR - This is a DNS point record that provides the domain name associated with an IP Address. A DNS PTR record is the opposite of the ‘A’ record, that provides an IP address that is associated with a domain name. PTR records are used in reverse DNS lookups
  • Forest - this is the highest level of organization within an Active Directory. Each forest shares a single database, global address list, and a security boundary. A user or administrator in one forest cannot access another forest.
  • Ways to leverage active directory
    • connect the active directory to the cloud
    • use single sign-on
    • automate user lifecycle management
    • use of SSL encryption
    • Use of MFA