We installed and configured a VM to host Active Directory services, DNS, DHCP, NTP, and to be a certificate authority. In addition, we created a golden VM for virtual desktops and applied registry edits to ensure testing executed correctly. All these functions are necessary to run our testing.
Installing Active Directory Domain Services
- Log into the vSphere client as administrator@vsphere.local.
- On the infrastructure server, deploy a Windows Server 2019 VM named DC1, and log in as an administrator.
- Launch Server Manager.
- Click Manage > Add Roles and Features.
- At the Before you begin screen, click Next.
- At the Select installation type screen, leave Role-based or feature-based installation selected, and click Next.
- At the Server Selection Screen, select the server from the pool, and click Next.
- At the Select Server Roles screen, select Active Directory Domain Services.
- When prompted, click Add Features, and click Next.
- At the Select Features screen, click Next.
- At the Active Directory Domain Services screen, click Next.
- At the Confirm installation selections screen, check Restart the destination server automatically if required, and click Install.
Configuring Active Directory and DNS services on DC1
- After the installation completes, a screen should pop up with configuration options. If a screen does not appear, click the Tasks flag in the upper-right section of Server Manager.
- Click Promote this server to a Domain Controller.
- At the Deployment Configuration screen, select Add a new forest.
- In the Root domain name field, type test.local and click Next.
- At the Domain Controller Options screen, leave the default values, and enter a Directory Services Restore Mode (DSRM) password twice. This password is used only to boot the DC into recovery mode; it is not the domain Administrator password.
- To accept default settings for DNS, NetBIOS, and directory paths, click Next four times.
- At the Review Options screen, click Next.
- At the Prerequisites Check dialog, allow the check to complete.
- If there are no relevant errors, check Restart the destination server automatically if required, and click Install.
- When the server restarts, log on as test\Administrator using the Administrator password the server had before promotion. The local Administrator account becomes the domain Administrator; the password entered at the Domain Controller Options screen is the DSRM password and is not used for normal logon.
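As an added example (not part of the original procedure), the same forest build from an elevated PowerShell session on the future DC1. It assumes Windows Server 2019, that the machine is already named DC1, and that the server's current local Administrator password is the one you want for TEST\Administrator after promotion. The DSRM password is read from a prompt rather than written into the script.

```powershell
# Added example: PowerShell equivalent of the Server Manager steps above.
# Assumptions: Windows Server 2019, elevated session, hostname already DC1.

# Role install (Add Roles and Features wizard). The management tools supply the
# ActiveDirectory module and the ADDSDeployment cmdlets used below.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Directory Services Restore Mode password: prompted, never stored in the script.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode Administrator) password'

# Same as the wizard's Prerequisites Check; resolve any error before promoting.
Test-ADDSForestInstallation -DomainName 'test.local' -DomainNetbiosName 'TEST' `
    -SafeModeAdministratorPassword $dsrmPassword -InstallDns

# Promote: new forest test.local, DNS on the DC, WinThreshold functional level
# (the default offered on Server 2019), default NTDS/SYSVOL paths.
# -Force skips the confirmation; the server reboots when promotion completes.
Install-ADDSForest -DomainName 'test.local' -DomainNetbiosName 'TEST' `
    -ForestMode 'WinThreshold' -DomainMode 'WinThreshold' -InstallDns `
    -SafeModeAdministratorPassword $dsrmPassword -Force

# After the reboot, log on as TEST\Administrator and confirm the result.
# The local Administrator account and its password carry over to the domain;
# the DSRM password only matters when booting into Directory Services Restore Mode.
Get-ADDomainController -Identity 'DC1' |
    Select-Object HostName, Domain, Forest, IsGlobalCatalog, OperationMasterRoles
dcdiag /test:DNS /v
```

Running the Test- cmdlet first mirrors the wizard's prerequisite check and is the point at which missing static IP or DNS delegation warnings appear, before anything is changed.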
Configuring the Windows time service on DC1
To ensure reliable time, we pointed DC1 at an upstream NTP server. Because DC1 holds the PDC emulator role, it is the authoritative time source for the forest: domain members and any additional DCs synchronize from it through the domain hierarchy, so only this server needs a manual peer list.
- Open a command prompt.
- Type the following:
W32tm /config /syncfromflags:manual /manualpeerlist:"<ip address of a NTP server>"
W32tm /config /reliable:yes
W32tm /config /update
W32tm /resync
Net stop w32time
Net start w32time
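As an added check (not part of the original procedure), the following PowerShell confirms after the W32tm commands above that DC1 is actually taking time from the configured peer. A DC whose source reads Local CMOS Clock or Free-running System Clock, or whose stratum is 16, never reached its peer; that is the usual result when the peer is unreachable or the /update step was skipped.

```powershell
# Added example: verify the Windows Time configuration applied above.
function Test-TimeSource {
    # w32tm prints the source as a single line and the status as key/value lines.
    $source = ((w32tm /query /source) -join '').Trim()
    $status = w32tm /query /status

    # Stratum 16 is NTP's "unsynchronised"; treat a missing line the same way.
    $stratumLine = $status | Select-String -Pattern 'Stratum:\s*(\d+)'
    $stratum = if ($stratumLine) { [int]$stratumLine.Matches[0].Groups[1].Value } else { 16 }

    [pscustomobject]@{
        Source       = $source
        Stratum      = $stratum
        Synchronised = ($stratum -lt 16) -and
                       ($source -notmatch 'Local CMOS Clock|Free-running System Clock')
    }
}

# Force a fresh poll of the peer, then report.
w32tm /resync /rediscover | Out-Null
$result = Test-TimeSource
$result
if (-not $result.Synchronised) {
    Write-Warning 'DC1 is not synchronised; check the peer list with: w32tm /query /configuration'
}
```

Kerberos tolerates only five minutes of skew by default, so a DC that silently free-runs is a common root cause of later authentication failures on the virtual desktops.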
Setting up DHCP services on DC1
- Open Server Manager.
- Select Manage, and click Add Roles and Features.
- Click Next twice.
- At the Select server roles screen, select DHCP Server.
- When prompted, click Add Features, and click Next.
- At the Select Features screen, click Next.
- Click Next.
- Review your installation selections, and click Install.
- Once the installation completes, click Complete DHCP configuration.
- On the Description page, click Next.
- On the Authorization page, use the Domain Controller credentials (TEST\Administrator), and click Commit.
- On the Summary page, click Close.
- In the Add Roles and Features Wizard, click Close.
- In Server Manager, click Tools > DHCP.
- In the left pane, double-click your server, and click IPv4.
- In the right pane, under IPv4, click More Actions, and select New Scope.
- Click Next.
- Enter a Name and Description for the scope, and click Next.
- Enter the following values for the IP Address Range, and click Next:
a. Start IP address: 172.16.10.1
b. End IP address: 172.16.100.254
c. Length: 16
d. Subnet mask: 255.255.0.0
- At the Add Exclusions and Delay page, leave defaults, and click Next.
- Set the Lease Duration to 30 days, and click Next.
- At the Configure DHCP Options page, leave Yes selected, and click Next.
- At the Router (Default Gateway) page, enter the gateway IP address, and click Next.
- At the Specify IPv4 DNS Settings screen, type test.local as the parent domain, enter the IP address of DC1 as the preferred DNS server, click Add, and click Next.
- At the WINS Server page, leave the fields empty, and click Next.
- At the Activate Scope page, leave Yes checked, and click Next.
- Click Finish.
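As an added example (not part of the original procedure), the same DHCP role install, authorization, and scope in PowerShell, run on DC1 as TEST\Administrator. The text gives the pool range and lease but not DC1's own address or the default gateway, so the two values at the top are assumptions to replace.

```powershell
# Added example: PowerShell equivalent of the DHCP steps above.
$Dc1Address = '172.16.0.10'   # assumption: DC1's static address, also the DNS server
$Gateway    = '172.16.0.1'    # assumption: the router address entered in the wizard

Install-WindowsFeature -Name DHCP -IncludeManagementTools

# Authorize the server in AD (the wizard's Authorization page) and clear the
# Server Manager post-install flag so "Complete DHCP configuration" disappears.
Add-DhcpServerInDC -DnsName 'dc1.test.local' -IPAddress $Dc1Address
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' `
    -Name ConfigurationState -Value 2

# Scope exactly as in the wizard: 172.16.10.1-172.16.100.254, /16, 30-day lease,
# activated on creation. DC1's assumed address sits outside the pool, so no
# exclusion is needed.
Add-DhcpServerv4Scope -Name 'Test lab' -Description 'Virtual desktop pool' `
    -StartRange 172.16.10.1 -EndRange 172.16.100.254 -SubnetMask 255.255.0.0 `
    -LeaseDuration (New-TimeSpan -Days 30) -State Active

# Scope options 3 (router), 6 (DNS servers) and 15 (DNS domain name).
Set-DhcpServerv4OptionValue -ScopeId 172.16.0.0 `
    -Router $Gateway -DnsServer $Dc1Address -DnsDomain 'test.local'

# Sanity checks: the scope is active and clients will receive the options above.
Get-DhcpServerv4Scope | Format-Table ScopeId, StartRange, EndRange, LeaseDuration, State
Get-DhcpServerv4OptionValue -ScopeId 172.16.0.0 | Format-Table OptionId, Name, Value
```

Authorizing the server in AD requires Enterprise Admins rights, which TEST\Administrator holds in a single-domain forest; an unauthorized DHCP server on a domain-joined machine refuses to hand out leases.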
Installing and configuring Active Directory Certificate Services on DC1
- Log onto DC1 as administrator@test.local.
- Open Server Manager.
- Select Manage, and click Add Roles and Features.
- When the Add Roles and Features Wizard begins, click Next.
- Select Role-based or feature-based installation, and click Next.
- Select DC1.test.local, and click Next.
- At the Select server roles screen, select Active Directory Certificate Services.
- When prompted, click Add Features, and click Next.
- At the Select features screen, leave the defaults, and click Next.
- At the Active Directory Certificate Services introduction page, click Next.
- At the Select role services screen, select Certification Authority, Certificate Enrollment Web Service, and Certification Authority Web Enrollment.
- When prompted, click Add Features, and click Next.
- Click Next two times, click Install, and click Close.
- In Server Manager, click the yellow warning triangle labeled Post-deployment Configuration.
- Click Configure Active Directory Certificate Services on the destination server.
- Leave credentials as test\administrator, and click Next.
- Select Certification Authority, Certificate Enrollment Web Service, Certification Authority Web Enrollment, and click Next.
- Select Enterprise CA, and click Next.
- Select Root CA, and click Next.
- Select Create a new private key, and click Next.
- Select SHA256 as the hash algorithm and 2048 as the key length, and click Next.
- Leave the CA name fields at their defaults (test-DC1-CA), and click Next.
- Change the validity period to 10 years, and click Next.
- Leave Certificate database locations as default, and click Next.
- Click Configure.
- When finished configuring, click Close.
- Open a command prompt, type ldp, and press Enter.
- Click Connection > Connect.
- For Server, type dc1.test.local.
- Change Port to 636.
- Check SSL, and click OK. The right pane should show the connection details returned over TLS; if the connection fails, DC1 does not yet have a server authentication certificate in its computer store that LDAP can use.
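As an added example (not part of the original procedure), the CA role install and Enterprise Root CA configuration in PowerShell, followed by a scripted version of the ldp check: a TLS handshake to port 636 that returns the certificate LDAPS is actually serving. It runs on DC1 as TEST\Administrator; the CA common name test-DC1-CA is the wizard's default for this host and domain. The Certificate Enrollment Web Service is installed but not configured here. One caveat for anyone reusing this outside a lab: Certification Authority Web Enrollment accepts NTLM over HTTP by default, which is the relay path catalogued as ESC8; in production either require HTTPS with Extended Protection for Authentication or leave the web role off.

```powershell
# Added example: PowerShell equivalent of the AD CS steps above plus an LDAPS check.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc `
    -IncludeManagementTools

# Enterprise root CA, new RSA 2048 key in the software KSP, SHA-256, 10-year CA
# certificate, default database paths: the same choices as the wizard.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -CACommonName 'test-DC1-CA' `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

Install-AdcsWebEnrollment -Force

function Test-Ldaps {
    param([string]$Server = 'dc1.test.local', [int]$Port = 636)
    # Opens a TLS session to the LDAPS port and returns the server certificate,
    # so you can confirm it names the DC, was issued by test-DC1-CA, and chains
    # to a trusted root. Validation is deferred to $cert.Verify() so that a bad
    # chain is reported rather than thrown.
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            Protocol      = $ssl.SslProtocol
            ChainVerified = $cert.Verify()   # $true when the chain builds to a trusted root
        }
    } finally {
        $client.Dispose()
    }
}

Test-Ldaps
```

On an enterprise CA the DC normally auto-enrolls for a Domain Controller certificate, so Test-Ldaps often succeeds before any custom template exists; ChainVerified should be $true on DC1 because the new root is published to its trusted root store during configuration.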
Configuring a secure LDAP certificate template on DC1
- Open Administrative Tools, and select Certification Authority.
- Expand test-DC1-CA, right-click Certificate Templates, and select Manage.
- Right-click Kerberos Authentication, and select Duplicate Template.
- On the General tab, set the Template display name and Template name to LDAPoverSSL.
- On the Request Handling tab, check Allow private key to be exported, and click OK. Exporting is not required for LDAPS itself; leave this unchecked unless the certificate must be moved off DC1.
- Close the Certificate Templates console to return to the Certification Authority console.
- Right-click Certificate Templates, and select New > Certificate Template to Issue.
- Select LDAPoverSSL, and click OK.
Joining VMware vCenter to Active Directory
- In the vSphere client, click the Menu dropdown, and select Administration.
- Under Single Sign On, select Configuration.
- In the Identity Provider tab, select Active Directory Domain.
- Select the vCenter, and click Join AD.
- Enter the AD administrator credentials, and click OK.