Lab # 1: Modifying the Base Configuration TLG

Lab Overview
In this lab we will modify Microsoft's Base Configuration Test Lab Guide to:

1. Remind customers to change their passwords 30 days before expiration
2. Set up a network login banner for the domain clients
3. Assign the 10.0.0.0/24 Subnet to the Default AD Site
4. Rename the Default AD Site to CorpHQ
5. Create A records for the Unix/Linux hosts
6. Create a Reverse-lookup Zone for the corp.contoso.com  (10.0.0./24)
7. Install and enable the Remote Server Administration Tools (RSAT) for Windows 7 SP1 on CLIENT1
8. Install PuTTY and WinSCP on CLIENT1 
9. Create a sample users
10. Obtain and copy the Centrify Server suite and Agents to the Files share in APP1

The purpose roles of the TLG stay the same:

• DC1 is the domain controller, DNS, DHCP server and Certificate Authority 
• APP1 is the first application server, it hosts the certificate revocation list for the CA (file and web)
• CLIENT1 is a client.  For our purposes, this will be the workstation for Unix/Linux administrators.  They will use PuTTY to access the systems via SSH.  Additionally, the Centrify Access Manager tools will be installed there.

Lab Requirements

• The requirements of the base Test Lab Guide (for DC1, APP1 and CLIENT1)

Modify Domain GPOs and Site

On DC1
To Prompt users to change the password 30 days before it expires

1. Click Start, click Administrative Tools, and then click Group Policy Management.
2. In the console tree, open Forest: corp.contoso.com\Domains\corp.contoso.com.
3. In the details pane, right-click Default Domain Policy, and then click Edit.
4. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
5. In the details pane, double-click Interactive Logon: Prompt user to change password before expiration
6. On the Security Policy Setting tab, select Define this policy setting, type 30 (days) and then click OK.

To Set up a network login banner

1. Double-click the Interactive logon:  Message text for users attempting to log on GPO 
2. Check the box to define the policy and paste the following text:
   "This computer system is for authorized use only. Users have no explicit or implicit expectation of privacy.Any or all uses of this system and all data on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized sites and law enforcement personnel, as well as authorized officials of other agencies. By using this system, the user consent to such disclosure at the discretion of authorized site personnel"
3. Press OK and close the Group Policy Editor.

To Rename the AD Site

1. Click Start, click Administrative Tools, and then click Active Directory Sites and Services.
2. On the left pane, expand sites and click and right-click Subnets.
3. In the New Object - Subnet window, Under prefix, type: 10.0.0.0/24 and click the "Default-First-Site-Name" then press OK.
4. On the left pane, expand sites, and right click the "Default-First-Site-Name" site, then select Rename.
5. Rename it to CorpHQ
6. Close Active Directory Sites and Services

Create a DNS Reverse-lookup zone for the 10.0.0.0 subnet.

1. Click Start, click Administrative Tools, and then click DNS Manager.
2. On the left pane, expand the DC1 server and right click Reverse-lookup zones and select  New Zones.
3. Click Next on the wizard. and Next on the Zone Type (Primary / Stored in AD), Next in the Replication Scope, Next on the Reverse-lookup Type (IPV4)
4. In the Network ID, type 10.0.0 and click Next
5. Click Next on the Dynamic Update Page and Click Finish.
6. Leave DNS Manager open to perform the next tasks

Create A records for the Unix/Linux hosts

The IP Addresses for the UNIX systems are:

Hostname	IP Address	Role
CEN1	10.0.0.151	Database Server
SUSE1	10.0.0.152	Web Server
SOL1	10.0.0.153	Utilities Server

Click Start, click Administrative Tools, and then click DNS Manager.

1. On the left pane, expand the DC1 server and expand the Forward-lookup Zones
2. On the left pane, right-click on the corp.contoso.com zone and select New Host (A or AAA)
3. In the New Host window, type the name of the UNIX host (e.g. CEN1)
4. Type the IP Address in the corresponding field  (e.g. 10.0.0.151)
5. Check the Create associated pointer (PTR) record and click the Add Host button
6. Repeat until you have created all three records
7. Close DNS Manager and log-off

Install and enable the Remote Server Administration Tools (RSAT) for Windows 7 SP1 on CLIENT1

1. Log on to CLIENT1 with an administrative account from CORP
2. Download the RSAT SP1
   http://download.microsoft.com/download/4/F/7/4F71806A-1C56-4EF2-9B4F-9870C4CFD2EE/Windows6.1-KB958830-x64-RefreshPkg.msu 
3.  Double click the installer and click Yes when prompted.  
4. Click the I Accept button to start the installation.  When the installation is complete, click close.
5. To enable the RSAT Tools  (ADUC, GPMC, etc), open the Control Panel and click Programs and Features
6. On the left pane, click "Turn Windows features on or off
7. Expand Feature Administration Tools and check Group Policy Management
8. Expand the Remote Server Administration Tools/Role Administration Tools/AD DS and AD LDS Tools and check:
   AD DS Snap-ins and command-line tools
   AD LDS Snap-ins and command-line tools
9. Press OK
10. Stay logged into CLIENT1 to complete the next tasks

Download and Install PuTTY and WinSCP on CLIENT1

1.  Download PuTTY
2. Install PuTTY, follow the instructions.
3. In the Select Additional tasks window, check the Create Desktop Icons for all users.
4. Download WinSCP
5. Install WinSCP, follow the instructions.
   Make sure you don't select any component in the Google Chrome page.
6. Stay logged into CLIENT1

Create Sample Users
 First, Create the Staff OU

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers
2. On the left pane, right click the corp.contoso.com domain, select New->Organizational Unit
3. In the New Object window, Name field, call it Staff and Press OK.

Create the Users in the Staff OU

1. Right-click the Staff OU, select New->User
2. Fill out the First Name, Last Name based on the list below, in the user logon name, use the following format:  <firstname>.<lastname> 
   E.g. bryant.wheeler  and click next.
3. In the next window, set a password and uncheck "user must change password at next logon"
4. Optionally, set it to not expire.
5. Click next and finish.

List of sample users:

Name	Title	AD Groups
Bryant Wheeler	Windows Administrator	Domain Admins Domain Users
Jessie Matthews	UNIX Administrator	Domain Users
Cora Rodriguez	IT Security Analyst	Domain Users
Courtney Larson	IT Manager	Domain Users
Jeremy Silva	DBA UNIX	Domain Users
Ramon Jimenez	DBA UNIX	Domain Users
Doyle Russell	Web Administrator	Domain Users
Matt Sims	Web Administrator	Domain Users
Cassandra Lindsey	External Auditor	Domain Users
Ralph Baldwin	Internal Auditor	Domain Users

 Make Bryant a member of the Domain Admins group.

1. Open the Staff OU
2. Double-click Bryant Wheeler's user and go to the Member of tab.
3. Press the Add button and type Domain Admins in the box and press OK twice.
4. Close Active Directory Users and Computers.

 Obtain and copy the Centrify Server Suite software

1. To obtain access to download the software you have to contact Centrify and request a trial.
2. Download the Centrify Software:
   a) Centrify Consoles:  http://www.centrify.com/support/package-info.asp?fn=centrify-suite-2013.3-mgmt-ent-win64.zip
   b) Agent for CentOS 64bit: http://www.centrify.com/support/download.asp?asset=centrify-suite-2013.3-rhel3-x86_64.tgz
   c) Agent for Solaris x86: http://www.centrify.com/support/download.asp?asset=centrify-suite-2013.3-sol9-x86.tgz
   d) Agent for SUSE 64bit: http://www.centrify.com/support/download.asp?asset=centrify-suite-2013.3-suse9-x86_64.tgz
3. When you have the software, log on to APP1
4. Copy the consoles and agents c:\Files folder.  This will make it available via the \\app1\files share.