In this lab we will modify Microsoft's Base Configuration Test Lab Guide to:
- Remind customers to change their passwords 30 days before expiration
- Set up a network login banner for the domain clients
- Assign the 10.0.0.0/24 Subnet to the Default AD Site
- Rename the Default AD Site to CorpHQ
- Create A records for the Unix/Linux hosts
- Create a Reverse-lookup Zone for corp.contoso.com (10.0.0.0/24)
- Install and enable the Remote Server Administration Tools (RSAT) for Windows 7 SP1 on CLIENT1
- Install PuTTY and WinSCP on CLIENT1
- Create sample users
- Obtain and copy the Centrify Server suite and Agents to the Files share in APP1
- DC1 is the domain controller, DNS, DHCP server and Certificate Authority
- APP1 is the first application server; it hosts the certificate revocation list for the CA (file and web)
- CLIENT1 is a client. For our purposes, this will be the workstation for Unix/Linux administrators. They will use PuTTY to access the systems via SSH. Additionally, the Centrify Access Manager tools will be installed there.
- The requirements of the base Test Lab Guide (for DC1, APP1 and CLIENT1)
On DC1
To prompt users to change their password 30 days before it expires
- Click Start, click Administrative Tools, and then click Group Policy Management.
- In the console tree, open Forest: corp.contoso.com\Domains\corp.contoso.com.
- In the details pane, right-click Default Domain Policy, and then click Edit.
- In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.
- In the details pane, double-click Interactive logon: Prompt user to change password before expiration.
- On the Security Policy Setting tab, select Define this policy setting, type 30 (days) and then click OK.
To Set up a network login banner
- Double-click the Interactive logon: Message text for users attempting to log on setting.
- Check the box to define the policy setting and paste the following text:
"This computer system is for authorized use only. Users have no explicit or implicit expectation of privacy. Any or all uses of this system and all data on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized sites and law enforcement personnel, as well as authorized officials of other agencies. By using this system, the user consents to such disclosure at the discretion of authorized site personnel."
- Press OK and close the Group Policy Management Editor.
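The same two settings can be applied to the Default Domain Policy from PowerShell and then verified on a client. This is an added example, not part of the original lab guide; it assumes the GroupPolicy module (RSAT or a DC) and the registry-backed values that these two Security Options settings map to.

```powershell
# Added example: set both Security Options from the steps above via the GroupPolicy module.
# Note: values written with Set-GPRegistryValue show up in GPMC under Administrative Templates >
# Extra Registry Settings rather than under Security Options; clients apply them identically.
Import-Module GroupPolicy

$gpo    = 'Default Domain Policy'
$banner = 'This computer system is for authorized use only. Users have no explicit or implicit ' +
          'expectation of privacy. Any or all uses of this system and all data on this system may be ' +
          'intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized ' +
          'sites and law enforcement personnel, as well as authorized officials of other agencies. ' +
          'By using this system, the user consents to such disclosure at the discretion of authorized ' +
          'site personnel.'

# "Interactive logon: Prompt user to change password before expiration" is stored as the
# PasswordExpiryWarning DWORD (number of days) under Winlogon.
Set-GPRegistryValue -Name $gpo `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -ValueName 'PasswordExpiryWarning' -Type DWord -Value 30 | Out-Null

# "Interactive logon: Message text for users attempting to log on" is stored as LegalNoticeText.
Set-GPRegistryValue -Name $gpo `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'LegalNoticeText' -Type String -Value $banner | Out-Null

# Verification to run on CLIENT1 after 'gpupdate /force' and a reboot: read what the client
# actually applied instead of trusting the GPMC settings report.
function Test-LogonPolicy {
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $system   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $warnOk   = ($winlogon.PasswordExpiryWarning -eq 30)
    $bannerOk = -not [string]::IsNullOrWhiteSpace($system.LegalNoticeText)
    if (-not $warnOk)   { Write-Warning "PasswordExpiryWarning is '$($winlogon.PasswordExpiryWarning)', expected 30" }
    if (-not $bannerOk) { Write-Warning 'LegalNoticeText is empty: the logon banner did not apply' }
    return ($warnOk -and $bannerOk)
}

Test-LogonPolicy
```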
To assign the subnet and rename the AD Site
- Click Start, click Administrative Tools, and then click Active Directory Sites and Services.
- On the left pane, expand Sites, right-click Subnets and select New Subnet.
- In the New Object - Subnet window, under Prefix, type 10.0.0.0/24, select the "Default-First-Site-Name" site and then press OK.
- On the left pane, under Sites, right-click the "Default-First-Site-Name" site and select Rename.
- Rename it to CorpHQ.
- Close Active Directory Sites and Services.
To create the Reverse-lookup Zone
- Click Start, click Administrative Tools, and then click DNS Manager.
- On the left pane, expand the DC1 server, right-click Reverse Lookup Zones and select New Zone.
- Click Next on the wizard welcome page, Next on the Zone Type page (Primary zone, stored in Active Directory), Next on the Replication Scope page and Next on the Reverse Lookup Zone Name page (IPv4).
- In the Network ID field, type 10.0.0 and click Next.
- Click Next on the Dynamic Update page and click Finish.
- Leave DNS Manager open to perform the next tasks.
To create the A records for the UNIX/Linux hosts
The IP addresses for the UNIX systems are:

| Hostname | IP Address | Role |
| --- | --- | --- |
| CEN1 | 10.0.0.151 | Database Server |
| SUSE1 | 10.0.0.152 | Web Server |
| SOL1 | 10.0.0.153 | Utilities Server |
- Click Start, click Administrative Tools, and then click DNS Manager.
- On the left pane, expand the DC1 server and expand Forward Lookup Zones.
- On the left pane, right-click the corp.contoso.com zone and select New Host (A or AAAA).
- In the New Host window, type the name of the UNIX host (e.g. CEN1).
- Type the IP address in the corresponding field (e.g. 10.0.0.151).
- Check Create associated pointer (PTR) record and click the Add Host button.
- Repeat until you have created all three records.
- Close DNS Manager and log off.
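The three records from the host table, created with matching PTRs and then checked for forward/reverse consistency, as an added example that is not part of the original guide. It assumes the DnsServer and DnsClient modules (Windows Server 2012 or later, or RSAT with DNS Server Tools) and that the 10.0.0.0/24 reverse zone from the previous task already exists on DC1.

```powershell
# Added example: create A + PTR records for the UNIX hosts and verify they round-trip.
Import-Module DnsServer

$zone  = 'corp.contoso.com'
$dns   = 'DC1'
# Host table from the lab; [ordered] keeps the output in table order.
$hosts = [ordered]@{ 'CEN1' = '10.0.0.151'; 'SUSE1' = '10.0.0.152'; 'SOL1' = '10.0.0.153' }

foreach ($name in $hosts.Keys) {
    # -CreatePtr is the cmdlet equivalent of the "Create associated pointer (PTR) record" checkbox.
    Add-DnsServerResourceRecordA -ComputerName $dns -ZoneName $zone -Name $name `
        -IPv4Address $hosts[$name] -CreatePtr
}

# Check A -> PTR -> A for every host. A PTR that resolves to a different name than the
# A record is a common cause of Kerberos host-principal lookups failing on Unix clients.
function Test-ForwardReverse {
    foreach ($name in $hosts.Keys) {
        $fqdn = "$name.$zone".ToLower()
        $a    = Resolve-DnsName -Name $fqdn -Type A -Server $dns -ErrorAction SilentlyContinue
        $ptr  = Resolve-DnsName -Name $hosts[$name] -Type PTR -Server $dns -ErrorAction SilentlyContinue
        $ok   = ($a.IPAddress -eq $hosts[$name]) -and
                ($ptr.NameHost -and $ptr.NameHost.ToLower().TrimEnd('.') -eq $fqdn)
        [pscustomobject]@{ Host = $name; IP = $hosts[$name]; Consistent = [bool]$ok }
    }
}

Test-ForwardReverse | Format-Table -AutoSize
```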
Install and enable the Remote Server Administration Tools (RSAT) for Windows 7 SP1 on CLIENT1
- Log on to CLIENT1 with an administrative account from CORP
- Download the RSAT SP1 package:
http://download.microsoft.com/download/4/F/7/4F71806A-1C56-4EF2-9B4F-9870C4CFD2EE/Windows6.1-KB958830-x64-RefreshPkg.msu
- Double-click the installer and click Yes when prompted.
- Click the I Accept button to start the installation. When the installation is complete, click close.
- To enable the RSAT Tools (ADUC, GPMC, etc), open the Control Panel and click Programs and Features
- On the left pane, click "Turn Windows features on or off".
- Expand Feature Administration Tools and check Group Policy Management
- Expand Remote Server Administration Tools\Role Administration Tools\AD DS and AD LDS Tools and check:
AD DS Snap-ins and command-line tools
AD LDS Snap-ins and command-line tools
- Press OK.
- Stay logged into CLIENT1 to complete the next tasks
Install PuTTY and WinSCP on CLIENT1
- Download PuTTY.
- Install PuTTY, following the instructions.
- In the Select Additional Tasks window, check Create Desktop Icons for all users.
- Download WinSCP.
- Install WinSCP, following the instructions. Make sure you don't select any component on the Google Chrome page.
- Stay logged into CLIENT1.
Create sample users
First, create the Staff OU:
- Click Start, click Administrative Tools, and then click Active Directory Users and Computers
- On the left pane, right click the corp.contoso.com domain, select New->Organizational Unit
- In the New Object window, Name field, call it Staff and Press OK.
- Right-click the Staff OU, select New->User
- Fill out the First Name and Last Name based on the list below. In the User logon name field, use the format <firstname>.<lastname>, e.g. bryant.wheeler, and click Next.
- In the next window, set a password and uncheck "User must change password at next logon".
- Optionally, check "Password never expires".
- Click next and finish.
| Name | Title | AD Groups |
| --- | --- | --- |
| Bryant Wheeler | Windows Administrator | Domain Admins, Domain Users |
| Jessie Matthews | UNIX Administrator | Domain Users |
| Cora Rodriguez | IT Security Analyst | Domain Users |
| Courtney Larson | IT Manager | Domain Users |
| Jeremy Silva | DBA UNIX | Domain Users |
| Ramon Jimenez | DBA UNIX | Domain Users |
| Doyle Russell | Web Administrator | Domain Users |
| Matt Sims | Web Administrator | Domain Users |
| Cassandra Lindsey | External Auditor | Domain Users |
| Ralph Baldwin | Internal Auditor | Domain Users |
Make Bryant a member of the Domain Admins group.
- Open the Staff OU
- Double-click Bryant Wheeler's user and go to the Member of tab.
- Press the Add button and type Domain Admins in the box and press OK twice.
- Close Active Directory Users and Computers.
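The whole user-creation task, driven from the table above, in the ActiveDirectory module; this is an added example rather than the guide's own procedure. It assumes the module from RSAT or DC1, prompts for the shared initial password (a placeholder; the guide leaves the value to you), and applies the optional "never expires" setting, which is fine for this lab but not for a production domain.

```powershell
# Added example: create the Staff OU and the ten sample users, then add only Bryant to Domain Admins.
Import-Module ActiveDirectory

$domainDn = 'DC=corp,DC=contoso,DC=com'
$ouDn     = "OU=Staff,$domainDn"
$upnSuffix = 'corp.contoso.com'
$initialPassword = Read-Host -AsSecureString 'Initial password for the sample users'

# Create the OU only if it is not already there, so the script can be re-run safely.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Staff'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Staff' -Path $domainDn
}

# Staff table from the lab guide (Domain Users is the default primary group, so it is implicit).
$staff = @(
    @{ First = 'Bryant';    Last = 'Wheeler';  Title = 'Windows Administrator' },
    @{ First = 'Jessie';    Last = 'Matthews'; Title = 'UNIX Administrator' },
    @{ First = 'Cora';      Last = 'Rodriguez'; Title = 'IT Security Analyst' },
    @{ First = 'Courtney';  Last = 'Larson';   Title = 'IT Manager' },
    @{ First = 'Jeremy';    Last = 'Silva';    Title = 'DBA UNIX' },
    @{ First = 'Ramon';     Last = 'Jimenez';  Title = 'DBA UNIX' },
    @{ First = 'Doyle';     Last = 'Russell';  Title = 'Web Administrator' },
    @{ First = 'Matt';      Last = 'Sims';     Title = 'Web Administrator' },
    @{ First = 'Cassandra'; Last = 'Lindsey';  Title = 'External Auditor' },
    @{ First = 'Ralph';     Last = 'Baldwin';  Title = 'Internal Auditor' }
)

foreach ($p in $staff) {
    $sam = ('{0}.{1}' -f $p.First, $p.Last).ToLower()      # <firstname>.<lastname> logon name
    # User sAMAccountNames are limited to 20 characters; check up front so the error names the account.
    if ($sam.Length -gt 20) { throw "Logon name '$sam' exceeds 20 characters" }
    New-ADUser -Name ('{0} {1}' -f $p.First, $p.Last) -GivenName $p.First -Surname $p.Last `
        -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" -Title $p.Title `
        -Path $ouDn -AccountPassword $initialPassword -Enabled $true `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true
}

# Only the Windows Administrator gets Domain Admins.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'bryant.wheeler'

# Check: list Domain Admins so an accidental extra member is caught now, not during the audit.
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object -ExpandProperty SamAccountName
```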
Obtain and copy the Centrify Server Suite and Agents to the Files share on APP1
- To obtain access to download the software you have to contact Centrify and request a trial.
- Download the Centrify Software:
a) Centrify Consoles: http://www.centrify.com/support/package-info.asp?fn=centrify-suite-2013.3-mgmt-ent-win64.zip
b) Agent for CentOS 64bit: http://www.centrify.com/support/download.asp?asset=centrify-suite-2013.3-rhel3-x86_64.tgz
c) Agent for Solaris x86: http://www.centrify.com/support/download.asp?asset=centrify-suite-2013.3-sol9-x86.tgz
d) Agent for SUSE 64bit: http://www.centrify.com/support/download.asp?asset=centrify-suite-2013.3-suse9-x86_64.tgz
- When you have the software, log on to APP1.
- Copy the consoles and agents to the c:\Files folder. This makes them available via the \\app1\files share.