Friday, August 3, 2012

How to create an Active Directory domain to test against

Many interested people want to help test the Active Directory work and bug fixes we've been doing. But sadly there's no public Active Directory servers that I know of. So here's how to setup a virtual machine with your own Active Directory. It's not that hard.

1. Preparation

  • Each Active Directory has a unique domain name. Choose one. You can choose a subdomain of a domain you own, or one that's completely made up. I chose borg.thewalter.lan
  • Download the evaluation edition of Windows 2008 R2 Enterprise server. Click the Get Started button at that link to download it. The evaluation edition is valid for 180 days. You should end up with an ISO file named something like: 7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso
  • We'll be using virt-manager in this tutorial, so install virt-manager, libvirtd, qemu and all their dependencies.

2. Create a virtual network

  • The Active Directory server will need a static IP address. The default virtual network configured by libvirtd does not have any space for a static IP address, so we need to create a new virtual network.
  • Start virt-manager and make sure you're connected to the localhost (QEMU) connection.
  • Click on localhost (QEMU) and choose Edit > Connection Details from the menu.
  • Choose the Virtual Networks tab in the dialog that pops up and click the add button.
  • Use settings like:
    Network Name: ad
    Network: 192.168.12.0/24
    Enable DHCP: checked
    Start: 192.168.12.128
    End: 192.168.12.254
  • Notice that we left some space between the start of the netblock and the first DHCP allocated address. Actually virt-manager does this by default for added virtual networks like this one.
  • You probably want to Forward (via NAT) to your physical network. That makes it easier to activate windows later and get updates.
  • Complete the wizard and you're done.

3. Create a new virtual machine

  • In the main virt-manager window, click the create button in the toolbar to create a new virtual machine.
  • Type the domain name you chose above as the virtual machine Name.
  • Choose Local install media and when prompted select the ISO image you downloaded above as the install media.
  • Set OS type to Windows, and Version to Microsoft Windows Server 2008.
  • 512 MB of memory is enough, 1 CPU is enough. Feel free to set these higher if you like.
  • Create a new virtual disk with at least 10 GB of disk space.
  • On the last page of the Create a new virtual machine dialog, expand the Advanced options section and choose the network you created above.
  • Complete the dialog and the virtual machine should be created. Then the Windows install should begin.

4. Windows Server install

  • Choose whatever keyboard and language you want on the first dialog of the install.
  • On the next page choose Install now.
  • A list of types of Windows Server installs should show up. Choose Windows Server 2008 R2 Standard (Full Installation) and go to the next page.
  • Read and accept the license.
  • Choose Custom (advanced) when prompted how to install Windows.
  • Select the disk to install Windows on. There should only be one choice which is the virtual disk you configured when you created the virtual machine.
  • Windows Server will proceed to install, and will reboot a couple times in the process.
  • Once the system is ready, you will be prompted to change the Administrator password. This is actually setting the password for the first time. This is the password for the Administrator account on the server itself, not the administrator of the Active Directory domain, which you'll set later. You can use the same password for both, since this is a test install.
  • If all goes well you should be logged into your new server at this point. A bunch of helpful windows will pop up, but you don't need to do anything with them.

5. Set the IP address

  • An Active Directory server acts as an LDAP and DNS server, and needs a static IP address.
  • Click Start > Network, and then click the Change adapter settings link in the window that comes up. Another window should appear.
  • Right click on the Local Area Connection item and choose Properties in the menu.
  • Click on the Internet Protocol Version 4 (TCP/IPv4) item and then click the Properties button. A dialog for setting the addresses comes up.
  • Choose Use the following IP address. Then set the relevant fields. The settings here are based on the virtual network you created above, if you used a different netblock then modify as appropriate:
    IP Address192.168.12.10
    Subnet mask255.255.255.0
    Default gateway192.168.12.1
    Preferred DNS Server: 192.168.12.1
  • Click OK or Close in the various dialogs to complete things.

6. Set the machine name

  • An Active Directory server should have a well known DNS name, you don't need to set it in DNS, but just name the server appropriately and then Active Directory will do the rest.
  • Click Start > Computer, and a window should come up.
  • In the left pane of the window, there's an item called Computer. Right click on it and choose Properties from the menu. Another window should show up.
  • Click Change Settings, and a dialog will come up.
  • In the Computer Name tab click the Change... button, which displays another dialog.
  • Set DC as the Computer name or another name of your choice. Don't worry about the Member of Domain or Workgroup stuff yet.
  • Click OK and/or Close to complete the changes. You'll be prompted to restart, so go ahead and do that.

7. Setting up Active Directory

  • Click Start > Run and type DCPROMO in the dialog that comes up.
  • A progress window will come up which explains about installing some components. This takes a while.
  • A wizard will eventually show up. Click through the introduction and warnings.
  • Choose Create a new domain in a new forest.
  • On the next page enter the domain you chose earlier, like borg.thewalter.lan
  • Choose the Forest functional level. You can choose whichever one you like. Choosing 2008 R2 is a decent choice. You can test against various Active Directory servers with different levels to simulate different domains you might encounter in the wild.
  • Make sure DNS Server is chosen on the next page.
  • Once you complete that, a dialog will come up warning you about how the DNS delegation cannot be created. We'll do that manually below, so this is nothing to worry about. Choose Yes.
  • Leave the default paths for database and log files.
  • Choose a domain Administrator password. Logically this is different from the local server Administrator account you set the password for above. But you can use the same password to keep things simple.
  • Review the selections if you're interested, and then click Next to complete things.
  • Wait for a while for installation and configuration, Finish. 
  • You'll need to Restart Now.
  • The reboot after installing Active Directory will take a while as it does a bunch of stuff on the first boot.

8. Setup DNS to work with Active Directory

  • Back on your linux box you'll want to be able to connect to Active Directory. To do this you need to setup DNS. Active Directory comes with its own DNS server, you just need to tell your local host where it is. To do this we'll install a local caching name server.
  • Install bind. If you're on Fedora you can use a command like: 
    # yum install caching-nameserver
  • After the install completes, edit /etc/named.conf and add the following line to your main options section:
    forwarders { 8.8.8.8; /* ... or the address of your ISP DNS server */ };
    
  • And add this to the end of /etc/named.conf. Modify for your domain name or server static IP address assigned above:
    zone "borg.thewalter.lan" {
            type stub;
            masters { 192.168.12.10; };
    };
    
  • Restart the named service with: # systemctl restart named.service
  • Before configuring your host to use the local caching nameserver, test it with commands like:
    # host borg.thewalter.lan 127.0.0.1
    # host dc.borg.thewalter.lan 127.0.0.1
    # host google.com 127.0.0.1
    
  • Once you know it's working, use nm-connection-editor to edit your connection. Choose your connection, and on the IPv4 Settings tab, choose Automatic (DHCP) addresses only. Now set 127.0.0.1 as the DNS servers.
  • You should now be able to test you local server with commands like:
    # host borg.thewalter.lan
    # host dc.borg.thewalter.lan
    # host google.com

9. Test the Active Directory domain works

  • On your host linux box you should now be able to get a kerberos ticket.
  • If you have a custom configured /etc/krb5.conf, you may need to remove or move it. There is no real need for this file with a modern kerberos domain like Active Directory.
  • Run this command. Make sure the domain is upper case here:
    $ kinit Administrator@BORG.THEWALTER.LAN
    
  • You'll be prompted for the domain Administrator password. The one you typed in the Setting up Active Directory step above.
  • If successful kinit will show no output. You can use the klist command to see your ticket.
That's it. You're done. 

You can add additional Active Directory users via the Active Directory Users and Computers tool in the Administrative Tools section of the Start menu in the Windows Server virtual machine.

You may be prompted to Activate your Windows install. You won't need any special information or keys or anything. Just go ahead with it. The install you have is valid for 180 days, and will say in the lower left corner how long you have left.

4 comments:

  1. I got the clock skew error, and I had to follow the below instructions before my kerberos authentication was accepted.

    I think it might be caused my Windows not using UTC in the real time clock, and this Windows was a VM on my Linux KVM server. Manually adjusting the Windows clock through the gui did not work.


    http://support.microsoft.com/kb/816042#method2

    ReplyDelete
  2. That's odd. Usually I manage to just adjust the Windows Server time through the UI.

    Unfortunately we don't yet have the fixes on the client side kerberos libraries which remove the need for syncing time.

    But either way, adjusting the time should work.

    ReplyDelete
  3. Thank you for a step by step, its driving me nuts not having a proper test environment and this helped me immensely.

    ReplyDelete
  4. Thanks for the blog post.

    When I do:

    $ host borg.thewalter.lan 127.0.0.1

    I correctly get:

    borg.thewalter.lan has address 192.168.12.10

    But, when I do:

    $ host dc.borg.thewalter.lan 127.0.0.1

    I get:

    Host dc.borg.thewalter.lan not found: 3(NXDOMAIN)

    Any idea what the problem could be?

    ReplyDelete