
TP subject

Goals
The objective of this lab is to create a forest made up of two domains, as illustrated in the figure below. This
architecture is implemented with virtual machines under VMWare. The DC1 and DC2 machines are configured as
domain controllers. The Win8-1 machine is a client machine joined to the rt2groupe1.lan domain.

Figure: forest topology. Win8-1 (Windows 10 client) and DC1 (Windows Server 2012 R2: AD DS, DNS; 192.168.1.10/24)
in the domain rt2groupe1.lan; DC2 (Windows Server 2012 R2: AD DS, DNS; 192.168.1.20/24) in the child domain
conta.rt2groupe1.lan.
1. Configuring Active Directory on a virtual machine

Goals:
• Installing VMWare Player
• Creating a virtual machine (VM) and installing a Windows Server 2012 R2 OS
• Installing the DNS and Active Directory roles on the VM
• Promoting the VM as a domain controller

Minimum specifications for a virtual machine

Running a virtual machine requires a minimum of resources on the host machine. These constraints are given below.

• RAM: minimum 1 GB for the host machine
• RAM: minimum 1 GB per virtual machine
• Processor: 1.4 GHz minimum
• Disk space: minimum 10 GB

Record of the characteristics of the working machine

To make sure the virtual machines will run correctly on the work computer, record its characteristics.

1. RAM and processor:
   a. Control Panel \ System and Security \ System
2. Disk, shares, users and groups:
   a. Control Panel \ System and Security \ Administrative Tools -> Computer Management

RAM:

Processor:

Disk space:

What is the maximum number of virtual machines that you can install?

The main stages of installation and configuration

The main installation steps are listed below and detailed in the following sections.

• Install Windows Server 2012 R2.
• Rename the machine.
• Configure the machine with a fixed IP address.
• Configure the DNS role: define the forest and the domain.
• To avoid certain problems, you must:
  o deactivate the firewall (it interferes with replication),
  o deactivate IPv6 (it may generate error messages when configuring the domain controller).
• Configure the AD DS role.
• Promote the new server as a domain controller.

Installation of VMWare Player and of the Windows Server 2012 VM

1. Install VMWare Workstation Player 12.0.0 (or 12.5.0) for Windows 64-bit.
2. Create a virtual machine and install the Windows Server 2012 R2 OS.
   • If the VM installation fails, the options in the BIOS must be modified:
     a. enable "Intel VT-x" (enable virtualization technology)
     b. disable "Trusted Execution"
3. During this installation an "elev" user account, without password, must be created.
4. At the end of the OS installation, the installation of VMWare Tools starts automatically. Otherwise, you must
   install VMWare Tools explicitly to take full advantage of the features of VMWare Player.
5. The virtual machine created, with its minimum configuration, can be duplicated by simply copying the directory
   in which it was installed.
6. VMWare will recognize it as a copy of the VM.
7. The name that appears in VMWare can be modified by editing the displayName field in the file
   "VM installation directory"/Windows-2012.vmx:
   displayName = "Windows8-2012"
   This example concerns the VM called "Windows8-2012".
8. You can copy the created virtual machine before installing the AD roles; you will need a copy to configure the
   child domain.
9. On the other hand, for a virtual machine with another operating system, the VM installation procedure must be
   redone.

Configuring the Windows Server 2012 VM as a Domain Controller

At the moment you have only one VM under Windows Server 2012 R2. This VM will have the role of controller of a
domain called rt2groupeX.lan.

The characteristics of the Windows Server 2012 VM

Before starting the new virtual machine (VM), check its characteristics in VMWare.

1. "Edit virtual machine settings"
   o configure automatic update of VMWare Tools
   o minimum 1 GB RAM (increase it if you have the possibility)
   o minimum 1 processor
   o hard drive: maximum 30 GB
   o Network adapter, one of:
     • Bridged: connected to the physical network
     • NAT: shares the host's IP address
     • Host-only: private network shared with the host
     • Custom (specific virtual LAN)
     • LAN segment

Post-installation configuration of the Windows Server 2012 VM

1. Start the Windows Server 2012 VM.
2. Log out from the initial account, then log in as Administrator.
   • Configure the Administrator password: 123Admin

Any virtual machine can be duplicated by simply copying the directory in which it was installed.

You can copy the created virtual machine before installing the AD roles; you will need a copy to configure the
child domain.

3. Objective 1: the characteristics of the Windows Server 2012 VM that must be configured

• Computer name: DC1
• Features:
  • Domain controller of the domain rt2groupeX.lan (X being 1, 2, 3, etc.)
  • DNS server
  • Active Directory server
• Operating system: Windows Server 2012 R2 installed
• Roles:
  • Active Directory
  • DNS
• IP configuration:
  • IP address: 192.168.1.10; mask: 255.255.255.0
  • Primary DNS server: 192.168.1.10
  • Secondary DNS server: none yet

4. Changing the "Computer name"

• Server Manager -> Configure this local server -> Computer name -> Change
• New name: DC1
• The server will restart after the name change

5. Network configuration: fixed IPv4 address

• In the DC1 VM, right-click on the network icon, to the left of the clock
• open the "Network and Sharing Center"
• click on "Change adapter settings"
• click on the network card, then choose "Properties", then "Internet Protocol Version 4 (TCP/IPv4)"
• configure the IP address, the mask and the primary DNS server according to the information above

6. The "Server Manager" utility

• "Dashboard": gives a global view of the services of the local server as well as of the other servers
• "Local Server": gives a view of the characteristics of the local server
• If the "Dashboard" reports problems on the services:
  o click on the services line, then
  o select the service concerned, right-click, choose "Start Services" and validate
  o refresh the display: "View" menu in the Dashboard or "CTRL + O"

7. The "Tools" menu in the "Dashboard" provides access to a set of consoles:

• Computer Management
• Services
• Windows Firewall, Memory Diagnostic, etc.


8. Objective 2: Installing roles on the VM: the DNS and Active Directory roles

• Server Manager -> Add Roles and Features => install the DNS role
  a. In "Server Manager" \ Tools \ DNS
  b. Choose the DC1 server and in the "Action" menu choose "New Zone"
  c. Create a "Primary zone" as a "Forward lookup zone"
     i. The name of the zone must be rt2groupeX.lan (where X represents a number unique to the group within
        this lab)
  d. Then choose "Create a new file" named rt2groupeX.lan.dns
  e. Then choose "Allow both nonsecure and secure dynamic updates" (after integration in AD, this option can be
     changed to "Allow only secure dynamic updates")
  f. Then choose "Finish"


• Server Manager -> Add Roles and Features => install the Active Directory Domain Services (AD DS) role
• Follow the installation steps ....
• Once the roles are installed ....
• On the top menu bar of the "Server Manager" window, click on the flag with an exclamation mark.
• Choose: "Promote this server to a domain controller"
  a. choose "Add a new forest"
  b. Enter the name of the root domain: rt2groupeX.lan (where X represents a number unique to the group within
     this lab)
  c. The functional level of the forest and of the domain must be "Windows Server 2012 R2"
  d. The capabilities of the domain controller to be installed must be "DNS Server" and "Global Catalog"
  e. The "Read-only domain controller" option must not be checked
  f. Choose the password for Directory Services Restore Mode (DSRM): Pa$$w0rd
  g. Do not check the "Create a DNS delegation" box
  h. Check the NetBIOS name: it will be RT2GROUPEX, where X represents the group number given previously
  i. The following options should remain unchanged:
     i. Database folder: "C:\WINDOWS\NTDS"
     ii. Log files folder: "C:\WINDOWS\NTDS"
     iii. SYSVOL folder: "C:\WINDOWS\SYSVOL"
  j. Next ... The installation to promote the server as a "Domain Controller" begins ....
  k. You should have a result similar to the window below ....
  l. Choose "Install" .... The installation takes a few minutes and the server reboots.

9. At this stage you have a functional domain controller managing Active Directory.

10. In the "Server Manager \ Tools" menu choose "Active Directory Administrative Center"

11. Explore the different parts of the created domain.
    a. Users
    b. Domain Controllers

12. In the "Server Manager \ Tools" menu choose "Windows Firewall ...", then Windows Firewall Properties
    • If not properly configured, the firewall can cause problems when replicating domains
    • disable the firewall for each of the existing profiles: Domain, Private, Public

13. In the "Server Manager \ Tools" menu choose "Computer Management \ Services and Applications \ Services"
    • Activate the "Computer Browser" service => configure automatic start
    • This service is used to maintain the list of machines in the network neighborhood
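The DC1 build of this section (steps 4 to 13) as a PowerShell script, added here as an example and not part of the original lab. It assumes X = 1, a network adapter named "Ethernet" and the passwords the lab gives; each phase is run in an elevated PowerShell session after the preceding reboot.

```powershell
# Added example (not the lab's own script): section 1, steps 4 to 13, for DC1.
# Assumptions: X = 1, the network adapter is called "Ethernet" (check with Get-NetAdapter),
# and the passwords are the ones the lab gives. Run each phase in an elevated PowerShell.
$Domain  = "rt2groupe1.lan"
$NetBios = "RT2GROUPE1"
$Adapter = "Ethernet"
$IP      = "192.168.1.10"

# --- Phase 1: name, fixed IPv4, IPv6 off, firewall (reboots at the end) ---
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $IP -PrefixLength 24    # mask 255.255.255.0
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $IP     # DC1 is its own DNS
Disable-NetAdapterBinding -InterfaceAlias $Adapter -ComponentID "ms_tcpip6"  # lab: avoid IPv6 errors
# The lab turns the firewall off on all three profiles to avoid replication problems. In a real
# deployment keep it on: the promotion installs the AD DS and DNS rule groups it needs.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False
Rename-Computer -NewName "DC1" -Force
Restart-Computer

# --- Phase 2 (after the reboot; re-define the variables above): roles and promotion ---
Install-WindowsFeature -Name AD-Domain-Services,DNS -IncludeManagementTools
Import-Module ADDSDeployment
$DsrmPass = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force   # the lab's DSRM password
# New forest with the wizard choices of step 8: 2012 R2 levels, DNS + global catalog,
# no DNS delegation, default NTDS/SYSVOL paths. The server reboots when this completes.
Install-ADDSForest `
    -DomainName $Domain `
    -DomainNetbiosName $NetBios `
    -ForestMode "Win2012R2" `
    -DomainMode "Win2012R2" `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -SafeModeAdministratorPassword $DsrmPass `
    -Force

# --- Phase 3 (after the promotion reboot): the checks of steps 9 to 13 ---
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
Get-ADDomainController -Identity "DC1" | Select-Object HostName, IsGlobalCatalog
# Step 8 creates the zone by hand; with -InstallDns the promotion created it, AD-integrated.
# Restrict it to secure dynamic updates only, as step 8.e suggests after AD integration.
Set-DnsServerPrimaryZone -Name $Domain -DynamicUpdate Secure
# Step 13: the Computer Browser service (service name "Browser"), started automatically.
Set-Service -Name Browser -StartupType Automatic
Start-Service -Name Browser
```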

2. Configuration of user accounts in Active Directory

Goals:
Creation of user accounts and computer accounts, and their attachment to Active Directory

Configuration:
User accounts can be:

• local accounts - stored in the local SAM (Security Account Manager) database
• domain accounts - stored in Active Directory

Windows Server 2012 virtual machine configuration (done previously)

You must already have a working Windows Server 2012 R2 VM promoted as a domain controller.

Windows 8 machine configuration

You must configure a virtual machine under Windows 8. Below are the characteristics to configure.

1. Machine name: Win8-1
2. The machine must be a member of the domain rt2groupeX.lan (it must be in the same domain as the domain
   controller configured previously)
3. Operating system: Windows 8
4. The IP configuration of the machine must be:
   • IP address: 192.168.1.100; mask: 255.255.255.0
   • Primary DNS server: 192.168.1.10
   • Secondary DNS server: none yet
5. Disable the firewall
6. Check the network connectivity between the domain controller and the Windows 8 machine through the VMWare
   configuration: "Edit Virtual Machine Settings / Network Adapter / Host Only"

You can copy the virtual machine created, before any configuration.

User accounts
Connect to the domain controller DC1 as Administrator. If the account has not yet been created, it must be
created with the password 123Admin.

Create a new user on the rt2groupeX.lan domain.

• Using the Active Directory Users and Computers manager, on the domain rt2groupeX.lan created in the previous
  lab, choose the "Users" system folder, then right-click and choose New -> User. Create a user u1 without
  password.
• Check whether you can log in as u1. Explain.
• Configure a password: Pa$$wordu1.
• Check the user's logon to the domain. Reconfigure the account of user u1 and require a password change at the
  next logon.
• Enter a telephone number, an email address and the home address. Specify a range of logon hours (for example
  from 12 p.m. to 2 p.m.) and check that this configuration is applied. Change this range and check again
  whether the logon is possible.
• Give the account an expiry date and check that this criterion is taken into account! Give it the right to log
  on to all computers in the domain. In the "Telephone" section, enter a telephone number.
• Set an idle session limit of 1 minute followed by disconnection of the session, and check that this
  configuration is taken into account.
• Add this user to the "Domain Users" group ("Member of ..." tab) in the properties of the user.
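The u1 configuration of this section done with the ActiveDirectory module on DC1, as an added example that is not part of the original lab. It assumes X = 1 (domain rt2groupe1.lan), a UTC+1 time zone for the logon-hours window, constructed sample contact values, and the logonHours bit layout described in the comments.

```powershell
# Added example (not the lab's own script): the u1 account of this section, configured with the
# ActiveDirectory module on DC1. Assumptions: X = 1 (domain rt2groupe1.lan), time zone UTC+1 for
# the logon-hours window, and the logonHours layout described in the comments.
Import-Module ActiveDirectory
$Domain  = "rt2groupe1.lan"
$UsersDN = "CN=Users,DC=rt2groupe1,DC=lan"

# "Create a user u1 without password": the account stays disabled, because the default domain
# password policy forbids enabling an account that has no password (hence the failed logon).
New-ADUser -Name "u1" -SamAccountName "u1" -UserPrincipalName "u1@$Domain" -Path $UsersDN -Enabled $false

# Set the lab's password, enable the account, and require a change at the next logon.
Set-ADAccountPassword -Identity "u1" -Reset -NewPassword (ConvertTo-SecureString 'Pa$$wordu1' -AsPlainText -Force)
Enable-ADAccount -Identity "u1"
Set-ADUser -Identity "u1" -ChangePasswordAtLogon $true

# Telephone, email, home address, and an expiry date (constructed sample values).
Set-ADUser -Identity "u1" -OfficePhone "+33 1 23 45 67 89" -EmailAddress "u1@$Domain" `
    -StreetAddress "1 rue de l'Exemple" -City "Paris" -PostalCode "75000" `
    -AccountExpirationDate (Get-Date).AddDays(30)

# "Log on to all computers": clearing userWorkstations removes any workstation restriction.
Set-ADUser -Identity "u1" -Clear "userWorkstations"

# Logon hours live in the logonHours attribute: 21 bytes = 168 bits, one per hour of the week,
# bit 0 = Sunday 00:00, least-significant bit first in each byte, all in UTC (assumed layout,
# as documented for the attribute; confirm in the GUI "Logon Hours" dialog after setting it).
function New-LogonHoursMask {
    param([int]$StartHourUtc, [int]$EndHourUtc)   # window [Start, End) applied every day
    $mask = New-Object byte[] 21
    for ($day = 0; $day -lt 7; $day++) {
        for ($hour = $StartHourUtc; $hour -lt $EndHourUtc; $hour++) {
            $bit = $day * 24 + $hour
            $mask[$bit -shr 3] = [byte]($mask[$bit -shr 3] -bor (1 -shl ($bit -band 7)))
        }
    }
    return ,$mask
}
# Lab window 12:00-14:00 local time = 11:00-13:00 UTC at UTC+1. Outside it, logon is refused.
$hours = New-LogonHoursMask -StartHourUtc 11 -EndHourUtc 13
Set-ADUser -Identity "u1" -Replace @{ logonHours = $hours }

# Idle session limit of 1 minute, then disconnect, through the Remote Desktop user extension
# (IADsTSUserEx: MaxIdleTime in minutes; BrokenConnectionAction 0 = disconnect, assumed mapping).
$adsiUser = [ADSI]"LDAP://CN=u1,$UsersDN"
$adsiUser.psbase.InvokeSet("MaxIdleTime", 1)
$adsiUser.psbase.InvokeSet("BrokenConnectionAction", 0)
$adsiUser.psbase.CommitChanges()

# "Domain Users": every user already belongs to it through its primary group, so check first;
# Add-ADGroupMember fails when the membership already exists.
$inDomainUsers = Get-ADPrincipalGroupMembership -Identity "u1" | Where-Object SamAccountName -eq "Domain Users"
if (-not $inDomainUsers) { Add-ADGroupMember -Identity "Domain Users" -Members "u1" }
```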

Creation of a roaming profile:

• On the server, create a directory: "C:\Users\Profiles-itinerants".
• Share it under the same name:
  o in the "Advanced Sharing" pane, give access to the group "Domain Users", read/write
  o delete the share permission for "Everyone"
  o in the "Security" pane, also add the group "Domain Users" and give it "Full Control" permissions
  o delete the group "Everyone" from the list of authorized groups
  o The name of the share will thus be "\\DC1\Profiles-itinerants"
• In the "Active Directory Users and Computers" tool:
  o open the Properties of user u1, go to the Profile tab and, in the "Profile path" field, enter:
    \\DC1.rt2groupeX.lan\Profiles-itinerants\%username% (where rt2groupeX.lan must be the domain you created)
  o From the client machine Win-8, log in with the account u1 for which the roaming profile is configured.
  o On the DC1 server, in "C:\Users\Profiles-itinerants\", you will see the directory associated with user u1
    appear.
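The roaming-profile share of this section built on DC1 with the SmbShare and ActiveDirectory modules, as an added example that is not part of the original lab; it assumes X = 1 (domain rt2groupe1.lan).

```powershell
# Added example (not the lab's own script): the roaming-profile share of this section, built on
# DC1 with the SmbShare and ActiveDirectory modules. Assumption: X = 1 (domain rt2groupe1.lan).
Import-Module ActiveDirectory
$Domain = "rt2groupe1.lan"
$Path   = "C:\Users\Profiles-itinerants"
$Share  = "Profiles-itinerants"

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share permissions: "Domain Users" read/write (Change) and nothing for "Everyone".
New-SmbShare -Name $Share -Path $Path -ChangeAccess "$Domain\Domain Users" | Out-Null
Get-SmbShareAccess -Name $Share | Where-Object AccountName -like "*Everyone" |
    ForEach-Object { Revoke-SmbShareAccess -Name $Share -AccountName $_.AccountName -Force }

# NTFS permissions as the lab sets them: inheritance off (drops the inherited entries), then
# Full Control for "Domain Users", plus SYSTEM and Administrators so the server can manage it.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
foreach ($id in "$Domain\Domain Users", "NT AUTHORITY\SYSTEM", "BUILTIN\Administrators") {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, "FullControl", $inherit, "None", "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Profile path for u1. The GUI expands %username% when it saves the field; Set-ADUser stores the
# string as typed, so the expanded form is written here.
Set-ADUser -Identity "u1" -ProfilePath "\\DC1.$Domain\$Share\u1"

# Check after u1's first logon from Win-8: the profile folder (with a version suffix such as .V2
# appended by the client) appears under the share.
Get-ChildItem -Path $Path -Directory | Select-Object Name, CreationTime
```

Microsoft's own guidance for profile shares is narrower than the lab's Full Control on the root: "Domain Users" gets only the right to create folders on the root, and CREATOR OWNER gets Full Control on the subfolders, so that each user can reach only their own profile directory.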

Duplicate a user account

To create user accounts with similar attributes, you can duplicate an already configured account and make minimal
changes.

• In the "Active Directory Users and Computers" tool:
• In the domain tree, click Users.
• In the details pane, right-click the user account to copy, here u1, then click Copy.
• In First name, type the user's first name. In Last name, type the user's last name. Edit the Full name to add
  initials or reverse the order of the first and last name.
• In User logon name, type the user's logon name, select the UPN (user principal name) suffix from the drop-down
  list, and then click Next.
• In Password and Confirm password, enter the user's password, and then select the appropriate password options.

If the user account from which the new user account was copied is disabled, click "Account is disabled" to clear
it and enable the new account.

Setting up a group account

A group is a collection of user and / or computer accounts, and / or other groups that can be managed as a
single unit. Users and computers that belong to a particular group represent the members of the group.

Groups in Active Directory Domain Services (AD DS) are directory objects that reside in a domain and in
organizational unit container objects. AD DS provides a default group set at installation. It also provides an
option to create groups.

You can use groups in AD DS to:

• Simplify administration by assigning permissions on a shared resource to a group rather than to individual
  users. Assigning permissions to a group grants the same access to the resource to all members of that group.
• Delegate administration by assigning user rights to a group using Group Policy. You can then add to the group
  the members to whom you want to assign the same rights as the group.
• Create electronic distribution lists.

Groups are characterized by their scope and their type.

• The scope of a group determines how widely the group applies within a domain or forest: domain local, global
  and universal.
• The group type:
  o security groups: to assign permissions on a shared resource
  o distribution groups: to create electronic distribution lists

There are also groups which you cannot modify and which are managed by the system. They represent different
users at different times, depending on the circumstances. For example, the group Everyone represents all
current users of the network, including guests and users in other domains.

Anonymous Logon
This group represents users and services that access a computer and its resources through the network
without using an account name, password, or domain name. On computers running Windows Server 2008 R2,
Windows Server 2008, or Windows Server 2003, the Anonymous Logon group is not a default member of the
Everyone group.

Everyone
This group represents all current users on the network, including guests and users in other domains. Each
time a user connects to the network, the user is automatically added to the Everyone group.

Network

This group represents users who access a given resource on the network, as opposed to users who
access a resource by logging on locally to the computer containing the resource. Each time a user
accesses a given resource on the network, the user is automatically added to the Network group.

Interactive

This group represents all users who are currently logged on to a particular computer and are accessing a
given resource on that computer, as opposed to users who are accessing the resource on the network.
Each time a user accesses a given resource on the computer they are logged on to, they are
automatically added to the Interactive group.

Creation of a new group
In the "Active Directory Users and Computers" tool, you can create a new group:

• In the console tree, in the local domain rt2groupeX.lan, right-click on the folder under which to create the
  new group, for example the folder "Users".
• Point to New, then click Group.
• Type the name of the new group: groupX
• In Group scope, click "Global". In Group type, click "Security".

For the group thus created, right-click to access the properties. In the Members tab, add the user u1.

Finding groups to which a user belongs


• In the "Active Directory Users and Computers" tool, click the folder that contains the user account whose
  group membership you want to view, here u1.
• Right-click on the user account u1, then click Properties.
• Click on the "Member of" tab.
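The groupX creation and the membership lookup of these two sections, done with the ActiveDirectory module as an added example that is not part of the original lab; it assumes X = 1 (domain rt2groupe1.lan) and that user u1 exists.

```powershell
# Added example (not the lab's own script): creating groupX and looking up a user's groups with
# the ActiveDirectory module. Assumptions: X = 1 (domain rt2groupe1.lan); user u1 exists.
Import-Module ActiveDirectory
$UsersDN = "CN=Users,DC=rt2groupe1,DC=lan"

# A global security group, as the lab specifies (scope = Global, type = Security), with u1 in it.
New-ADGroup -Name "group1" -SamAccountName "group1" -GroupScope Global -GroupCategory Security `
    -Path $UsersDN -Description "Lab group (added example)"
Add-ADGroupMember -Identity "group1" -Members "u1"

# Direct memberships of a user, with scope and type, as the "Member of" tab shows them.
function Get-UserGroupSummary {
    param([string]$SamAccountName)
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Get-ADGroup -Properties Description |
        Select-Object Name, GroupScope, GroupCategory, Description |
        Sort-Object Name
}
Get-UserGroupSummary -SamAccountName "u1"

# Effective membership through nesting: groups can contain groups, so a user can end up in a
# group without appearing in its direct member list. Useful to audit privileged groups.
function Test-EffectiveMember {
    param([string]$SamAccountName, [string]$Group)
    $members = Get-ADGroupMember -Identity $Group -Recursive |
        Select-Object -ExpandProperty SamAccountName
    return ($members -contains $SamAccountName)
}
Test-EffectiveMember -SamAccountName "u1" -Group "group1"
Test-EffectiveMember -SamAccountName "u1" -Group "Domain Admins"
```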

Configuration of a computer account on the rt2groupeX.lan domain

All computers running any version of Windows that join a domain have a computer account. Like user
accounts, computer accounts are used to authenticate and audit access to the network and to domain
resources. Each computer account must be unique.

You can add, disable, reset and delete computer accounts using the "Active Directory Users and Computers"
tool.

• With the "Active Directory Users and Computers" tool, create a new organizational unit: in the left panel,
  right-click on the domain and then New -> Organizational Unit; the name of the new OU will be Computers.
• With a right-click on the new OU Computers, choose New -> Computer.
• Add the computer Win-8 in the organizational unit Computers.
• To specify the user account or group that can join this computer to your domain, click Change. An interface
  allows you to select the user or group that can join this computer to the domain.
• On the machine Win-8, change its membership to the domain rt2groupeX.lan:
  o Control Panel \ System and Security \ System => Change settings
  o Choose the option "To rename this computer or change its domain ...", click the Change button and declare
    it a member of the domain rt2groupeX.lan
• You will be asked for the login/password of a new user that you must create in Active Directory.

Deactivation / deletion of a computer account

• Using the "Active Directory Users and Computers" tool, choose the OU Computers.
• In the right panel, select the computer account to deactivate.
• With the right button you can choose to disable, delete or reset the computer account, or add it to a group.
• For now, choose to disable the Win-8 computer account.
• From the machine Win-8, log out the user u1 if it is still connected. Try a new logon for user u1, on the
  domain, from the machine Win-8.
• Normally the logon cannot be made.
• On the server, using the "Active Directory Users and Computers" tool, re-enable the computer account Win-8.
  Check user u1's logon again from the machine Win-8.
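The computer-account procedure of these two sections (OU, pre-staged account, join, disable and re-enable) in PowerShell, as an added example that is not part of the original lab. It assumes X = 1 (domain rt2groupe1.lan), and that the credentials used for the join belong either to the principal delegated in the computer object's "User or group" box (set in the GUI) or to a domain administrator.

```powershell
# Added example (not the lab's own script): the computer-account procedure of this section.
# Part 1 runs on DC1, part 2 on the Win-8 client. Assumptions: X = 1 (domain rt2groupe1.lan);
# the join credentials belong to the principal delegated on the computer object (GUI "User or
# group" box) or to a domain administrator.
# --- Part 1: on DC1 ---
Import-Module ActiveDirectory
$DomainDN = "DC=rt2groupe1,DC=lan"
$OU       = "OU=Computers,$DomainDN"   # the lab's OU, distinct from the built-in CN=Computers

New-ADOrganizationalUnit -Name "Computers" -Path $DomainDN -ProtectedFromAccidentalDeletion $true
New-ADComputer -Name "Win-8" -Path $OU   # pre-staged account; sAMAccountName "Win-8$" is derived

# Disable the account: the client's secure channel can no longer authenticate, so domain logons
# such as u1's fail on Win-8 until it is enabled again (the behaviour the lab asks you to observe).
Get-ADComputer -Identity "Win-8" | Disable-ADAccount
# Re-enable it once the test is done.
Get-ADComputer -Identity "Win-8" | Enable-ADAccount

# Audit view of the OU: which accounts are disabled or have never logged on.
function Get-ComputerAccountState {
    param([string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties Enabled, LastLogonDate |
        Select-Object Name, Enabled, LastLogonDate
}
Get-ComputerAccountState -SearchBase $OU

# --- Part 2: on the Win-8 client, in an elevated PowerShell ---
$cred = Get-Credential -Message "Account allowed to join Win-8 to rt2groupe1.lan"
Add-Computer -DomainName "rt2groupe1.lan" -OUPath "OU=Computers,DC=rt2groupe1,DC=lan" -Credential $cred -Restart
# After the reboot: True while the computer account is enabled, False once DC1 has disabled it.
Test-ComputerSecureChannel
```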

3. Installation of an AD child domain

Goals:
The DC2 server is a VM running "Windows Server 2012" as the base OS.

The aim is to create a child domain of the domain "rt2groupeX.lan", of which DC2 will be the domain controller.

Figure: forest topology. Win8-1 (Windows 10 client) and DC1 (Windows Server 2012 R2: AD DS, DNS; 192.168.1.10/24)
in the domain rt2groupe1.lan; DC2 (Windows Server 2012 R2: AD DS, DNS; 192.168.1.20/24) in the child domain
conta.rt2groupe1.lan.

• First, the DC2 server must be attached to the "rt2groupeX.lan" domain, of which the DC1 server is the domain
  controller.
• Then DC1 and DC2 must be grouped into a "group (pool) of servers". The installation of the AD DS role on DC2
  must be done from the DC1 domain controller. The child domain is created at the same time.
• After installing the AD DS role on DC2, this server must be promoted as a controller of the child domain.
  This operation is done from the DC2 server.

The configuration steps are described below.

On the DC2 server:

• The password of the local "Administrator" account must be updated: 123Admin.
• !!! If the DC2 VM is a copy of a VM already used for DC1, you must first run the following program:
  o C:\Windows\System32\Sysprep\sysprep.exe
• In "Control Panel" / System:
  o change the name of the new server to DC2
  o attach it to the domain rt2groupeX.lan (or rt2prof.lan)
• The server must have a fixed IPv4 address, according to the specifications at the start of the lab:
  o IPv4: 192.168.1.20/24
  o DNS: 192.168.1.10 (DC1 server)
• Firewall configuration:
  o activate two rules (the selected rules) in the firewall's "Allowed apps"
  o Disabling the firewall may be necessary if the server cannot be managed from DC1 afterwards !!!

On the DC1 server (the domain controller of the rt2groupeX.lan domain):

• in Server Manager, add the DC2 server as a managed server at the domain level:
  o on the "All Servers" line, the right button opens a context menu for adding a new server.
• a group of servers (server pool) must be created:
  o "Manage" menu -> "Create Server Group", adding DC2 and DC1 to the group

Installing AD DS on DC2, from the DC1 server
The installation of AD DS on the new DC2 server must be done from the DC1 server, the domain controller.

• via "Add Roles and Features"
• choose the destination server (DC2)
• choose as "Role": "Active Directory Domain Services (AD DS)"
• in the "Features" pane, choose the necessary features (for our simple installation no additional features are
  needed)
• in the "Confirmation" page, check "Restart the destination server automatically if required"
• complete the installation

On the DC2 server:
• log in to the DC2 server as Domain Administrator with the account:
  o rt2groupeX.lan\Administrator (or rt2prof.lan\Administrator)
  o password: 123Admin
• The server must be promoted as a domain controller (in Server Manager, where the exclamation point "!" is
  displayed)
• choose:
  o "Add a new domain to an existing forest"
  o Domain type: "Child domain"
  o Parent domain name: "rt2prof.lan"
  o New domain name: "conta"
  o If necessary, modify the user authorized to make changes to the new domain (currently it is
    rt2prof.lan\Administrator)

• in the "Domain Controller Options", choose:
  o Functional level: Windows Server 2012
  o DNS server
  o the Directory Services Restore Mode (DSRM) password, used to restore the directory if it is lost

• in the "DNS Options":
  o the option "Create a DNS delegation" is grayed out and checked
• in the "Additional Options":
  o accept the proposed NetBIOS name

• Paths:
  o accept the proposed paths
• Review the options
• Checking the system requirements (prerequisites check):
  o If the local Administrator account of the DC2 server does not have a password that conforms to the security
    policy, the prerequisites check fails.
  o In this case, you must log in as local administrator on DC2 and change the password:
    • User: dc2\Administrator
    • Password: 123Admin
  o After this update of the password of the local account "dc2\Administrator", the installation can be
    completed.
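Section 3 as PowerShell, added here as an example that is not part of the original lab. It assumes X = 1 (parent domain rt2groupe1.lan), an adapter named "Ethernet" and the lab's passwords; phase 1 runs on DC2 as the local Administrator, phase 2 on DC1, and phase 3 on DC2 logged on as the parent-domain Administrator.

```powershell
# Added example (not the lab's own script): section 3 as PowerShell. Phase 1 runs on DC2 as the
# local Administrator, phase 2 on DC1, phase 3 on DC2 as the parent-domain Administrator.
# Assumptions: X = 1 (parent rt2groupe1.lan), adapter "Ethernet", the lab's passwords.
# --- Phase 1: on DC2 ---
# A VM cloned from DC1 must be generalized first (new machine SID), interactively:
#   C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe /reboot
$Adapter = "Ethernet"
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress "192.168.1.20" -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses "192.168.1.10"   # DC1
# Firewall: instead of turning it off, allow the rule groups DC1 needs to manage DC2 remotely.
Enable-NetFirewallRule -DisplayGroup "Windows Remote Management"
Enable-NetFirewallRule -DisplayGroup "Remote Service Management"
# The local Administrator password must satisfy the policy or the prerequisites check fails later.
net user Administrator 123Admin
# Rename to DC2 and join the parent domain in one operation (reboots).
$parentAdmin = Get-Credential -UserName "rt2groupe1\Administrator" -Message "Parent domain admin"
Add-Computer -DomainName "rt2groupe1.lan" -NewName "DC2" -Credential $parentAdmin -Restart

# --- Phase 2: on DC1 ---
# The lab installs the role from DC1 through Server Manager's server pool; -ComputerName is the
# PowerShell equivalent, with the automatic restart the "Confirmation" page offers.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -ComputerName "DC2" -Restart

# --- Phase 3: on DC2, logged on as rt2groupe1\Administrator ---
Import-Module ADDSDeployment
$parentAdmin = Get-Credential -UserName "rt2groupe1\Administrator" -Message "Parent domain admin"
$DsrmPass    = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
# The wizard's "Checking the System Requirements" page, run on its own first.
Test-ADDSDomainInstallation -NewDomainName "conta" -ParentDomainName "rt2groupe1.lan" `
    -DomainType ChildDomain -Credential $parentAdmin -SafeModeAdministratorPassword $DsrmPass
# Child domain conta.rt2groupe1.lan. The domain level cannot be lower than the forest level
# chosen in section 1 (2012 R2). The delegation flag mirrors the greyed-out, checked box of the
# DNS Options page: the NS records for conta are written into the parent zone on DC1.
Install-ADDSDomain `
    -NewDomainName "conta" `
    -ParentDomainName "rt2groupe1.lan" `
    -DomainType ChildDomain `
    -DomainMode "Win2012R2" `
    -InstallDns:$true `
    -CreateDnsDelegation:$true `
    -Credential $parentAdmin `
    -SafeModeAdministratorPassword $DsrmPass `
    -Force

# --- After the reboot: verify the forest has two domains and the delegation resolves ---
Get-ADForest | Select-Object Name, Domains
Get-ADDomain -Identity "conta.rt2groupe1.lan" | Select-Object DNSRoot, ParentDomain, DomainMode
Resolve-DnsName -Name "conta.rt2groupe1.lan" -Type NS -Server "192.168.1.10"
```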
