Skip to content

astuk/windows-domain-controller-vagrant

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
provision
provision
 
 
test-node-one
test-node-one
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
Vagrantfile
Vagrantfile
 
 

Repository files navigation

This is an example on how to create a Windows Domain Controller using Vagrant and PowerShell.

This also shows how to add a Computer to an existing domain using PowerShell.

This will create an example.com Active Directory Domain Forest.

This will also install a Certification Authority with a GPO to automatically enroll computers with a certificate signed by the trusted domain CA, Remote Desktop users will therefore see and use trusted certificates.

This setup will use the following static IP addresses:

IP Hostname Description
192.168.56.2 dc.example.com Domain Controller Computer
192.168.56.3 test-node-one.example.com Test Computer

NB these are hardcoded in several files. Find then with grep -r 192.168.56. ..

Install the base box.

Install the required Vagrant plugins:

vagrant plugin install vagrant-reload
vagrant plugin install vagrant-windows-sysprep

Start by launching the Domain Controller environment:

vagrant up

Launch the Test Node One Computer environment:

cd test-node-one
vagrant up

Sign-in on the Test Node One Computer with one of the following accounts:

  • Username john.doe and password HeyH0Password.
    • This account is also a Domain Administrator.
  • Username jane.doe and password HeyH0Password.
  • Username Administrator and password HeyH0Password.
    • This account is also a Domain Administrator.
  • Username .\vagrant and password password.
    • NB you MUST use the local vagrant account. because the domain also has a vagrant account, and that will mess-up the local one...

Active Directory LDAP

You can use a normal LDAP client for acessing the Active Directory.

It accepts the following Bind DN formats:

  • <userPrincipalName>@<DNS domain>, e.g. jane.doe@example.com
  • <sAMAccountName>@<NETBIOS domain>, e.g. jane.doe@EXAMPLE
  • <NETBIOS domain>\<sAMAccountName>, e.g. EXAMPLE\jane.doe
  • <DN for an entry with a userPassword attribute>, e.g. CN=jane.doe,CN=Users,DC=example,DC=com

NB sAMAccountName MUST HAVE AT MOST 20 characters.

Some attributes are available in environment variables:

Attribute Environment variable Example
sAMAccountName USERNAME jane.doe
sAMAccountName USERPROFILE C:\Users\jane.doe
NETBIOS domain USERDOMAIN EXAMPLE
DNS domain USERDNSDOMAIN EXAMPLE.COM

You can list all of the active users using ldapsearch as:

ldapsearch \
  -H ldap://dc.example.com \
  -D jane.doe@example.com \
  -w HeyH0Password \
  -x -LLL \
  -b CN=Users,DC=example,DC=com \
  '(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' \
  sAMAccountName userPrincipalName userAccountControl displayName cn mail

For TLS, use -H ldaps://dc.example.com, after creating the ldaprc file with:

openssl x509 -inform der -in tmp/ExampleEnterpriseRootCA.der -out tmp/ExampleEnterpriseRootCA.pem
cat >ldaprc <<'EOF'
TLS_CACERT tmp/ExampleEnterpriseRootCA.pem
TLS_REQCERT demand
EOF

NB For TLS troubleshoot use echo | openssl s_client -connect dc.example.com:636.

About

Example Windows Domain Controller

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • PowerShell 92.9%
  • HTML 4.5%
  • Ruby 2.6%