Goals
The objective of this lab is to create a forest made up of 2 domains, as illustrated in the figure below. This
architecture will be implemented using virtual machines under VMware. The DC1 and DC2 machines will be
configured as domain controllers. The Win8-1 machine is a client machine, joined to the rt2groupe1.lan domain.
Figure: DC1 at 192.168.1.10/24 (domain rt2groupe1.lan) and DC2 at 192.168.1.20/24 (child domain conta.rt2groupe1.lan)
1. Configuring Active Directory on a virtual machine
Goals:
• Installing VMPlayer
• Creating a virtual machine (VM) and installing a Windows Server 2012 R2 OS
• Installation of DNS and Active Directory roles on the VM
a. Control Panel \ System and Security \ Administrative Tools -> Computer Management
RAM:
Processor:
Disk space:
What is the maximum number of virtual machines that you can install?
• To avoid certain problems, you must:
o disable the firewall (it interferes with replication),
o disable IPv6 (it may generate error messages when configuring the domain controller)
• Configure the AD DS role
• Promote the new server as a Domain Controller
At the moment you have only one VM running Windows Server 2012 R2. This VM will act as the domain controller of a domain
called rt2groupeX.lan.
o minimum 1 processor
o hard drive: maximum 30 GB
o network adapter:
• Bridged: connected to the physical network
• NAT: used to share the host's IP address
Any virtual machine can be duplicated by simply copying the directory in which it has been installed.
You can copy the virtual machine you created before installing the AD roles; you will need a second VM to configure the child
domain.
3. Objective 1: the characteristics of the Windows Server 2012 VM that must be configured
• DNS server
• Active Directory server
• Operating system: Windows Server 2012 R2 installed
• roles:
o Active Directory
o DNS
• IP configuration:
• click on "Change adapter settings"
• click on the network adapter, then choose "Properties", then "Internet Protocol Version 4 (TCP/IPv4)"
• configure the IP address, the subnet mask and the preferred DNS server according to the information above
7. The "Tools" menu in the "Dashboard" provides access to a set of consoles:
• Computer Management
• Services
8. Objective 2: Installing roles on the VM - the DNS and Active Directory role
• Server Manager -> Add Roles and Features => Install the DNS role
a. In the "Server Manager" \ Tools \ DNS
b. Choose the DC1 server and in the "Action" menu choose "New zone"
c. Create a "Primary zone" as a "Forward lookup zone"
i. The name of the zone must be: rt2groupeX.lan (where X represents a number)
c. The functional level of the forest and the domain must be "Windows Server 2012 R2"
d. The functionalities of the domain controller to be installed must be: "DNS Server" and "Global Catalog"
e. The "Read-only domain controller" option must not be checked
f. Choose the password for Directory Services Restore Mode (DSRM): Pa$$w0rd
g. Do not check the "Create a DNS delegation" box
h. Check the NetBIOS name: it will be RT2GROUPEX, where X represents the group number given previously.
i. The following options should remain unchanged:
i. Database folder: "C:\Windows\NTDS"
ii. Log files folder: "C:\Windows\NTDS"
iii. SYSVOL folder: "C:\Windows\SYSVOL"
j. Next ... The installation to promote the server as a "Domain Controller" begins ....
k.
l. Choose "Install" .... the installation takes a few minutes and the server reboots.
9. At this stage you have a functional domain controller managing Active Directory.
10. In the "Server Manager \ Tools" menu choose "Active Directory Administration Center"
11. Explore the different parts of the created domain.
a. Users
b. Domain Controllers
12. In the menu "Server Manager \ Tools" choose "Windows Firewall ...", Properties of Windows Firewall
• If not properly configured, the firewall can cause problems when replicating domains
• Disable the firewall for each of the existing profiles: Domain, Private, Public.
13. In the "Server Manager \ Tools" menu choose "Computer Management \ Services and Applications
\ Services"
• Enable the "Computer Browser" service and set it to start automatically
• This service maintains the list of machines in the network neighborhood
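The DC1 configuration steps above (static addressing, IPv6 and firewall settings, the DNS and AD DS roles, promotion to the first domain controller, and the Computer Browser service) can also be done from an elevated PowerShell prompt on Windows Server 2012 R2. The script below is an added example and is not part of the lab handout; it assumes the network adapter is named "Ethernet" and uses group number X = 1 (rt2groupe1.lan / RT2GROUPE1), so adjust those values to your group.

```powershell
# Added example (not from the lab handout): DC1 set up from an elevated
# PowerShell prompt on Windows Server 2012 R2, following the lab's steps.
# Assumptions: the network adapter is named "Ethernet" (check with
# Get-NetAdapter) and the group number X is 1.
$Adapter    = "Ethernet"
$DomainName = "rt2groupe1.lan"      # rt2groupeX.lan with X = your group number
$Netbios    = "RT2GROUPE1"          # RT2GROUPEX

# 1. Static IPv4 address; DNS points at DC1 itself since it will host the zone
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress 192.168.1.10 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses 192.168.1.10

# 2. Unbind IPv6 from the adapter (the lab reports promotion errors with it on)
Disable-NetAdapterBinding -Name $Adapter -ComponentID ms_tcpip6

# 3. Firewall off on the Domain, Private and Public profiles, as the lab asks
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False

# 4. DNS and AD DS roles with their management consoles
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# 5. Promote to the first domain controller of a new forest.
#    Forest and domain level: Windows Server 2012 R2; DNS server and global
#    catalog are installed by default; the default NTDS/SYSVOL paths are kept.
$Dsrm = Read-Host -AsSecureString 'DSRM password (lab value: Pa$$w0rd)'
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $Netbios `
    -ForestMode Win2012R2 `
    -DomainMode Win2012R2 `
    -InstallDns `
    -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword $Dsrm `
    -Force
# The server reboots when the promotion completes.

# 6. After the reboot: the Computer Browser service (service name "Browser")
Set-Service -Name Browser -StartupType Automatic
Start-Service -Name Browser

# Check the result of the promotion (domain, global catalog, forest)
Get-ADDomainController | Select-Object HostName, Domain, Forest, IsGlobalCatalog
```

Install-ADDSForest with -InstallDns creates the rt2groupeX.lan zone itself as an Active Directory-integrated zone, so the manual "New zone" step in the DNS console is not needed when promoting this way. The database, log and SYSVOL paths are left at their defaults (C:\Windows\NTDS and C:\Windows\SYSVOL), as the lab requires.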
Goals:
Creation of user accounts, computer accounts and their attachment to Active Directory
Configuration:
User accounts can be:
• local: stored in a local SAM (Security Account Manager) database
5. Disable the firewall
6. Check the network connectivity between the domain controller and the Windows 8 machine through the
configuration of VMWare: "Edit Virtual Machine Settings / Network Adapter / Host Only"
You can copy the virtual machine created, before any configuration.
User accounts
Connect to the Domain Controller DC1 as Administrator. If the account has not yet been created, it must be
created with a password: 123Admin.
• Enter a telephone number, an email address and the home address. Specify a range of access times (for
example from 12 p.m. to 2 p.m.) and check the validity of this configuration. Change this range
and recheck the feasibility of the connection.
• Give the account an expiry date and check that this criterion is taken into account! Give it the right to
log on to all computers in the domain. In the "Telephone" section, enter a telephone number.
• Set an idle session limit of 1 minute followed by disconnection of the session, and check that
this configuration is taken into account.
• Add this user to the "Domain Users" group ("Member Of..." tab in the properties of the user).
o Delete the group "Everyone" from the list of authorized groups.
o The name of the share will thus be "\\DC1\Profiles-itinerants".
• In First name, type the user's first name. In Last name, type the user's last name. Edit Full name to
add initials or reverse the order of the first and last names.
• In User logon name, type the user's logon name, click the UPN (user principal name) suffix in
the drop-down list, and then click Next.
• In Password and Confirm password, type the user's password, and then select the appropriate
password options.
If the user account from which the new user account was copied is disabled, click Account is
disabled to enable the new account.
A group is a collection of user and / or computer accounts, and / or other groups that can be managed as a
single unit. Users and computers that belong to a particular group represent the members of the group.
Groups in Active Directory Domain Services (AD DS) are directory objects that reside in a domain and in
organizational unit container objects. AD DS provides a default group set at installation. It also provides an
option to create groups.
You can use groups in AD DS to:
• Delegate administration by assigning user rights to a group using Group Policy. You can then add
members to the group to whom you want to assign the same rights as the group.
• The scope of a group determines where the group can be applied within a domain or forest:
domain local, global and universal.
• The group type:
o security groups: to assign permissions to a shared resource
o distribution groups: to create e-mail distribution lists
There are also groups which you cannot modify and which are managed by the system. They represent different
users at different times, depending on the circumstances. For example, the Everyone group represents all
current users of the network, including guests and users in other domains.
Anonymous Logon
This group represents users and services who access a computer and its resources through a network
without using an account name, password, or domain name. On computers that are running Windows
Server 2008 R2, Windows Server 2008, or Windows Server 2003, the Anonymous Logon group is not a
default member of the Everyone group.
Everyone
This group represents all current users on the network, including guests and users in other domains. Each
time a user connects to the network, the user is automatically added to the Everyone group.
Network
This group represents users who access a given resource on the network, as opposed to users who
access a resource by logging on locally to the computer containing the resource. Each time a user
accesses a given resource on the network, the user is automatically added to the Network group.
Interactive
This group represents all users who are currently logged on to a particular computer and are accessing a
given resource on that computer, as opposed to users who are accessing the resource on the network.
Each time a user accesses a given resource on the computer they are logged on to, they are
automatically added to the Interactive group.
Creation of a new group
In the "Active Directory Users and Computers" tool, you can create a new group:
• In the console tree, in the local domain rt2groupeX.lan, right-click on the folder under which to
create the new group, for example the "Users" folder.
For the group thus created, right-click to access its properties. In the Members tab, add the user u1.
To view the group membership of a user:
• Click the folder that contains the user account whose group membership you want to view, here u1.
• Right-click on the user account u1, then click Properties.
• Click on the Member Of tab.
All computers running any version of Windows that join a domain have a computer account. Like user
accounts, computer accounts are used to authenticate and audit access to the network and to domain
resources. Each computer account must be unique.
You can add, disable, reset and delete computer accounts using the "Active Directory Users and Computers" tool.
• With the "Active Directory Users and Computers" tool, you must create a new "Organizational unit": in the
left panel, right-click on the domain, then New -> Organizational Unit; the name of the new OU will be Computers.
• Right-click on the newly created OU, Computers, and choose New -> Computer.
• Add the computer Win-8 to the Computers organizational unit.
• To specify the user account or group that can join this computer to the domain, click Change. A dialog
lets you select the user or group who can join this computer to the domain.
On the Win-8 machine:
o Choose the option "To rename this computer or change its domain...", click the Change button and
declare it a member of the domain rt2groupeX.lan.
• You will be asked for the login / password of a new user that you must create in Active Directory.
• Using the "Active Directory Users and Computers" tool, choose the OU Computers.
• In the right panel, select the computer account to be disabled.
• With the right button you can choose to disable, delete or reset the computer account, or add
it to a group.
• For now, choose to disable the Win-8 computer account.
• From the machine Win-8, log out the user u1 if it was connected. Try a new logon for
user u1, on the domain, from the machine Win-8.
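The account-management steps of this section (creating the user u1 with its attributes and logon hours, creating a group and adding u1 to it, checking the "Member Of" tab, creating the Computers OU and the Win-8 computer account, then disabling that account) correspond to cmdlets of the ActiveDirectory module on DC1. The script below is an added example, not the lab's own material; it assumes group number X = 1, a group named "Groupe1", and constructed telephone, address and expiry values. The idle-session limit and the "who can join this computer" permission are set through the GUI in the lab and are not covered here.

```powershell
# Added example (not from the lab handout): the user, group and computer
# account steps of this section with the ActiveDirectory module on DC1.
# Assumptions: group number X = 1, group "Groupe1"; phone, address and
# expiry values are constructed placeholders.
Import-Module ActiveDirectory
$DomainDN = "DC=rt2groupe1,DC=lan"

function New-LogonHoursMask {
    # logonHours is a 21-byte (168-bit) bitmask, one bit per hour of the
    # week starting Sunday 00:00, bit n = day*24 + hour. Hours are stored
    # in UTC, so shift StartHour/EndHour by your offset for local 12:00-14:00.
    param([int]$StartHour, [int]$EndHour)
    $mask = New-Object byte[] 21
    foreach ($day in 0..6) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $day * 24 + $h
            $idx = [int][math]::Floor($bit / 8)
            $mask[$idx] = $mask[$idx] -bor (1 -shl ($bit % 8))
        }
    }
    return ,$mask    # comma keeps the byte[] from being unrolled
}

# User u1 with the attributes the lab asks for (contact data, expiry date)
$Pwd = Read-Host -AsSecureString "Password for u1"
New-ADUser -Name "u1" -SamAccountName "u1" -UserPrincipalName "u1@rt2groupe1.lan" `
    -GivenName "User" -Surname "One" -DisplayName "One, User" `
    -OfficePhone "01 02 03 04 05" -EmailAddress "u1@rt2groupe1.lan" `
    -StreetAddress "1 rue Exemple" `
    -AccountExpirationDate (Get-Date).AddMonths(6) `
    -AccountPassword $Pwd -Enabled $true -Path "CN=Users,$DomainDN"

# Allowed logon hours 12:00-14:00 (UTC, see the function comment)
Set-ADUser -Identity "u1" -Replace @{ logonHours = [byte[]](New-LogonHoursMask 12 14) }
# "Log on to all computers" is the default (userWorkstations empty), nothing to set.

# A security group in Users, with u1 as member (the lab's "Members" tab)
New-ADGroup -Name "Groupe1" -GroupScope Global -GroupCategory Security -Path "CN=Users,$DomainDN"
Add-ADGroupMember -Identity "Groupe1" -Members "u1"

# The "Member Of" tab: Domain Users (primary group) plus Groupe1
Get-ADPrincipalGroupMembership -Identity "u1" | Select-Object -ExpandProperty Name

# OU named Computers under the domain root (distinct from the CN=Computers container)
New-ADOrganizationalUnit -Name "Computers" -Path $DomainDN
# Pre-created computer account for Win-8 inside that OU
New-ADComputer -Name "Win-8" -Path "OU=Computers,$DomainDN"

# Disable the computer account and check its state; a domain logon from Win-8
# now fails because the machine's secure channel to the DC is refused.
Disable-ADAccount -Identity 'Win-8$'
Get-ADComputer -Identity "Win-8" | Select-Object Name, Enabled
```

Re-enable the account with Enable-ADAccount -Identity 'Win-8$' once the logon test on Win-8 has been observed.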
3. Installation of an AD child domain
Goals:
The DC2 server is a VM running "Windows Server 2012" as the base OS.
The aim is to create a child domain of the domain "rt2groupeX.lan", of which DC2 will be the domain controller.
Figure: client Win 10; DC1 at 192.168.1.10/24 (rt2groupe1.lan); DC2 at 192.168.1.20/24 (conta.rt2groupe1.lan)
• First, the DC2 server must be joined to the "rt2groupeX.lan" domain, of which the DC1 server is
the domain controller.
• Then DC1 and DC2 must be grouped into a "server group (pool)". The installation of the AD DS role on DC2
must be done from the DC1 domain controller. The child domain will be created at the same time.
• After installing the AD DS role on DC2, this server must be promoted as a controller of the child domain.
This operation is done from the DC2 server.
The configuration steps are described below.
• !!! If the DC2 VM is a copy of a VM already used for DC1, you must run the following script
• The server must have a fixed IPv4 address, according to the specifications at the start of the lab:
o IPv4: 192.168.1.20/24
o DNS: 192.168.1.10 (DC1 server)
• Firewall configuration:
o enable two rules (the selected rules) in the firewall's "Allowed apps"
o Disabling the firewall may be necessary if the server cannot be managed from DC1 afterwards !!!
On the DC1 server
This server is the domain controller of the rt2groupeX.lan domain:
• In Server Manager, add the DC2 server as a managed server at the domain level.
o On the "All Servers" line, the right button opens a context menu for adding a new server.
• A server group (pool) must be created:
o "Manage" menu -> "Create Server Group", adding DC2 and DC1 to the group
Installing AD DS on DC2, from the DC1 server
The installation of AD DS on the new DC2 server must be done from the DC1 server, the domain controller.
• In the "Features" pane, choose the necessary features (for our simple installation no additional
features are needed)
• In the "Confirmation" page, check "Automatically restart the server if necessary"
• Complete the installation
On the DC2 server:
• you must connect to the DC2 server as Domain Administrator with the account
• choose:
o "Add a new domain to an existing forest"
o Type of domain: "Child domain"
o Parent domain name: "rt2prof.lan"
o New domain name: "conta"
o If necessary, modify the user authorized to make changes to the new domain (currently it is
rt2prof.lan\Administrator)
• in the "Domain Controller Options", choose:
o Functional level: Windows Server 2012
o DNS Server
• in the "DNS Options":
o the option "Create a DNS delegation" is grayed out and checked
• Paths:
o accept the default paths
o After this update of the password of the local account "dc2\Administrator", the
installation can be completed
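The DC2 steps of this section (fixed IPv4 address with DC1 as DNS server, joining the rt2groupeX.lan domain, installing the AD DS role, promoting DC2 as controller of the child domain conta with the DNS delegation created in the parent) can also be run from PowerShell on DC2. The script below is an added example and not part of the lab; it assumes the adapter is named "Ethernet", group number X = 1 (parent rt2groupe1.lan rather than the rt2prof.lan shown in the wizard text above), and DC1 at 192.168.1.10.

```powershell
# Added example (not from the lab handout): DC2 joined to the parent domain and
# promoted as first domain controller of the child domain "conta", from an
# elevated PowerShell prompt on DC2. Assumptions: adapter "Ethernet", parent
# domain rt2groupe1.lan (X = 1), DC1 at 192.168.1.10.
$Adapter = "Ethernet"
$Parent  = "rt2groupe1.lan"
$Child   = "conta"

# --- Part 1: network and domain join (ends with a reboot) ---
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress 192.168.1.20 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses 192.168.1.10

# DC1 must resolve the parent domain before anything else works
Resolve-DnsName -Name $Parent -Server 192.168.1.10 -Type A

$Cred = Get-Credential -UserName "$Parent\Administrator" -Message "Parent domain administrator"
Add-Computer -DomainName $Parent -Credential $Cred -Restart

# --- Part 2: after the reboot, logged on as the parent domain administrator ---
# AD DS role; the lab installs it remotely from DC1, which is
# Install-WindowsFeature AD-Domain-Services -ComputerName DC2 -IncludeManagementTools
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Account authorized to add the domain (the wizard shows <parent>\Administrator)
$Cred = Get-Credential -UserName "$Parent\Administrator" -Message "Account allowed to add the domain"
$Dsrm = Read-Host -AsSecureString "DSRM password"
# DomainMode Win2012 = functional level "Windows Server 2012" as the lab says;
# -CreateDnsDelegation is the option that is grayed out and checked in the wizard.
Install-ADDSDomain `
    -NewDomainName $Child `
    -ParentDomainName $Parent `
    -DomainType ChildDomain `
    -DomainMode Win2012 `
    -InstallDns `
    -CreateDnsDelegation `
    -Credential $Cred `
    -SafeModeAdministratorPassword $Dsrm `
    -Force

# --- Part 3: after the final reboot, verify the new domain and the trust ---
Get-ADDomain -Identity "$Child.$Parent" | Select-Object DNSRoot, ParentDomain, PDCEmulator
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType
```

The domain join and the promotion each end with a reboot, so the script is run in parts. Afterwards, Get-ADDomain shows conta.rt2groupe1.lan with rt2groupe1.lan as ParentDomain, and Get-ADTrust lists the parent-child trust that the promotion creates automatically.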