Sunday, December 15, 2013

Lab # 1: Modifying the Base Configuration TLG

Lab Overview
In this lab we will modify Microsoft's Base Configuration Test Lab Guide (TLG) to:
  1. Prompt users to change their passwords 30 days before expiration
  2. Set up a logon banner for the domain clients
  3. Assign the lab subnet (10.0.0.0/24) to the default AD site
  4. Rename the default AD site to CorpHQ
  5. Create A records for the Unix/Linux hosts
  6. Create a reverse-lookup zone for the lab subnet (10.0.0.0/24)
  7. Install and enable the Remote Server Administration Tools (RSAT) for Windows 7 SP1 on CLIENT1
  8. Install PuTTY and WinSCP on CLIENT1
  9. Create sample users
  10. Obtain the Centrify Server Suite consoles and agents and copy them to the Files share on APP1
The roles of the TLG computers stay the same:
  • DC1 is the domain controller, DNS server, DHCP server and Certificate Authority
  • APP1 is the first application server; it hosts the certificate revocation list (CRL) for the CA, both on a file share and over HTTP
  • CLIENT1 is a client.  For our purposes, this will be the workstation for the Unix/Linux administrators: they will use PuTTY to reach the systems over SSH, and the Centrify Access Manager console will be installed there.
Lab Requirements
  • The requirements of the base Test Lab Guide (for DC1, APP1 and CLIENT1)
Modify Domain GPOs and Site

On DC1
To prompt users to change their password 30 days before it expires
  1. Click Start, click Administrative Tools, and then click Group Policy Management.
  2. In the console tree, open Forest:\Domains\ and then your domain.
  3. In the details pane, right-click Default Domain Policy, and then click Edit.
  4. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.
  5. In the details pane, double-click Interactive logon: Prompt user to change password before expiration.
  6. On the Security Policy Setting tab, select Define this policy setting, type 30 (days), and then click OK.
  Note that this is a Winlogon setting applied to the computers in the GPO's scope; it only controls the warning. The password lifetime itself is the Maximum password age setting under Account Policies\Password Policy, which this lab leaves at the TLG default.

To set up a logon banner
  1. In the same Security Options node, double-click Interactive logon: Message text for users attempting to log on.
  2. Select Define this policy setting and paste the following text:
    "This computer system is for authorized use only. Users have no explicit or implicit expectation of privacy. Any or all uses of this system and all data on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized site and law enforcement personnel, as well as authorized officials of other agencies. By using this system, the user consents to such disclosure at the discretion of authorized site personnel."
  3. Optionally, also define Interactive logon: Message title for users attempting to log on so the banner has a caption (for example, the organization name).
  4. Press OK and close the Group Policy Management Editor.
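The two settings above are stored on each domain-joined computer as Winlogon registry values, so the simplest check that the Default Domain Policy actually reached a client is to read them back. The following script is an added example, not part of the original TLG or this post; run it on CLIENT1 after gpupdate /force. The registry key and value names (PasswordExpiryWarning, LegalNoticeText, LegalNoticeCaption) are the names Windows uses for these Security Options; the expected values are the ones configured above.

```powershell
# Added example (not from the original TLG): confirm on a domain-joined client that
# the two Security Options set in the Default Domain Policy have been applied.
# Run as an administrator on CLIENT1 after: gpupdate /force
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# What the GPO above is expected to produce.
$ExpectedWarningDays = 30
$ExpectedBannerStart = 'This computer system is for authorized use only.'

function Test-LogonPolicy {
    param(
        [string]$Key         = $PolicyKey,
        [int]$WarningDays    = $ExpectedWarningDays,
        [string]$BannerStart = $ExpectedBannerStart
    )
    $props   = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $results = @()

    # Interactive logon: Prompt user to change password before expiration
    $warn = $props.PasswordExpiryWarning
    $results += New-Object PSObject -Property @{
        Setting = 'PasswordExpiryWarning'
        Actual  = $warn
        Pass    = ($warn -eq $WarningDays)
    }

    # Interactive logon: Message text for users attempting to log on
    # (cast to [string] because the value may arrive as REG_SZ or REG_MULTI_SZ)
    $text = [string]$props.LegalNoticeText
    $shown = '<not set>'
    if ($text) { $shown = $text.Substring(0, [Math]::Min(40, $text.Length)) + '...' }
    $results += New-Object PSObject -Property @{
        Setting = 'LegalNoticeText'
        Actual  = $shown
        Pass    = $text.StartsWith($BannerStart)
    }

    # Interactive logon: Message title for users attempting to log on (optional)
    $title = [string]$props.LegalNoticeCaption
    $shownTitle = '<not set>'
    if ($title) { $shownTitle = $title }
    $results += New-Object PSObject -Property @{
        Setting = 'LegalNoticeCaption'
        Actual  = $shownTitle
        Pass    = [bool]$title
    }
    return $results
}

$report = Test-LogonPolicy
$report | Format-Table Setting, Pass, Actual -AutoSize
# Non-zero exit if anything mandatory is missing, so this can sit in a lab check script.
if ($report | Where-Object { $_.Setting -ne 'LegalNoticeCaption' -and -not $_.Pass }) { exit 1 }
```

If the values are absent, check gpresult /r on the client first: the most common cause in a fresh TLG is that CLIENT1 has not refreshed policy yet or is resolving DNS through something other than DC1.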
To assign the subnet to the site and rename the site
  1. Click Start, click Administrative Tools, and then click Active Directory Sites and Services.
  2. In the left pane, expand Sites, right-click Subnets, and click New Subnet.
  3. In the New Object - Subnet window, under Prefix, type the lab subnet (10.0.0.0/24), select Default-First-Site-Name as the site object, and then click OK.
  4. In the left pane, under Sites, right-click the Default-First-Site-Name site and select Rename.
  5. Rename it to CorpHQ.
  6. Close Active Directory Sites and Services.
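The same two changes from PowerShell on DC1, as an added example that is not part of the original TLG or this post. It deliberately uses New-ADObject and Rename-ADObject rather than the New-ADReplicationSubnet cmdlets, which only exist in the Windows Server 2012 ActiveDirectory module; the lab DC here is Windows Server 2008 R2. The prefix 10.0.0.0/24 is the base TLG Corpnet subnet; the rest is derived from the directory at run time.

```powershell
# Added example (not from the original TLG): create the subnet, link it to the
# site and rename the site, then verify the link survived the rename.
Import-Module ActiveDirectory

$SubnetPrefix = '10.0.0.0/24'            # base TLG Corpnet subnet
$OldSiteName  = 'Default-First-Site-Name'
$NewSiteName  = 'CorpHQ'

$configNC   = (Get-ADRootDSE).configurationNamingContext
$sitesPath  = "CN=Sites,$configNC"
$subnetsPath = "CN=Subnets,$sitesPath"
$siteDN     = "CN=$OldSiteName,$sitesPath"

# 1. Subnet object. siteObject is the DN link the DC locator uses to map a
#    client's IP address to a site, which is what the GUI's site picker sets.
$existing = Get-ADObject -Filter "objectClass -eq 'subnet' -and name -eq '$SubnetPrefix'" `
                         -SearchBase $subnetsPath
if (-not $existing) {
    New-ADObject -Name $SubnetPrefix -Type subnet -Path $subnetsPath `
                 -OtherAttributes @{ siteObject = $siteDN }
}

# 2. Rename the site object. DC1's NTDS Settings object lives under the site
#    container and moves with it; nothing else needs to change.
Rename-ADObject -Identity $siteDN -NewName $NewSiteName

# 3. Check: siteObject is a linked attribute, so the subnet should now point at
#    the renamed DN without being touched.
function Get-SiteForSubnet {
    param([string]$Prefix)
    $subnet = Get-ADObject -Filter "objectClass -eq 'subnet' -and name -eq '$Prefix'" `
                           -SearchBase $subnetsPath -Properties siteObject
    return (Get-ADObject -Identity $subnet.siteObject).Name
}

$siteOfSubnet = Get-SiteForSubnet -Prefix $SubnetPrefix
"Subnet $SubnetPrefix -> site $siteOfSubnet"
if ($siteOfSubnet -ne $NewSiteName) { throw "subnet $SubnetPrefix is not assigned to $NewSiteName" }

# The DC itself should compute the same site for its own address:
nltest /dsgetsite
```

nltest /dsgetsite on DC1 (and later on CLIENT1) should print CorpHQ; if it still prints Default-First-Site-Name, the Netlogon service has cached the old name and a restart of that service or a reboot clears it.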
Create a DNS reverse-lookup zone for the subnet
  1. Click Start, click Administrative Tools, and then click DNS Manager.
  2. In the left pane, expand the DC1 server, right-click Reverse Lookup Zones, and select New Zone.
  3. Click Next on the welcome page, Next on Zone Type (Primary zone, Store the zone in Active Directory), Next on Active Directory Zone Replication Scope, and Next on Reverse Lookup Zone Name (IPv4 Reverse Lookup Zone).
  4. In Network ID, type 10.0.0 and click Next; the wizard names the zone 0.0.10.in-addr.arpa.
  5. On the Dynamic Update page keep the default, Allow only secure dynamic updates, click Next, and then click Finish. Secure-only updates mean that only authenticated domain members can register or overwrite records in the zone, which is the setting you want for an AD-integrated zone.
  6. Leave DNS Manager open to perform the next task.
Create A records for the Unix/Linux hosts

The IP addresses for the UNIX systems are:

  Role               IP Address
  Database Server
  Web Server
  Utilities Server

  1. If you closed it, click Start, click Administrative Tools, and then click DNS Manager.
  2. In the left pane, expand the DC1 server and expand Forward Lookup Zones.
  3. In the left pane, right-click the domain zone and select New Host (A or AAAA).
  4. In the New Host window, type the name of the UNIX host (e.g. CEN1).
  5. Type the IP address in the corresponding field (e.g. the address listed for that host above).
  6. Check Create associated pointer (PTR) record and click the Add Host button. The PTR record lands in the 0.0.10.in-addr.arpa zone created in the previous task; if that zone did not exist, the checkbox would silently do nothing.
  7. Repeat until you have created all three records.
  8. Close DNS Manager and log off.
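The reverse zone and the three host records from PowerShell on DC1, followed by the check a practitioner actually wants: that forward and reverse lookups agree for every host. This is an added example, not from the original TLG or this post. It uses dnscmd.exe because the DnsServer PowerShell module only ships with Windows Server 2012. The forward zone name corp.contoso.com is the base TLG domain; the host names after CEN1 and all three addresses are placeholders, since the post's table does not record them, so substitute your lab's values.

```powershell
# Added example (not from the original TLG): reverse zone, A + PTR records, and a
# forward/reverse consistency check. ASSUMPTIONS: forward zone corp.contoso.com
# (base TLG domain); host names CEN2/CEN3 and all addresses are placeholders.
$DnsServer   = 'DC1'
$ForwardZone = 'corp.contoso.com'
$ReverseZone = '0.0.10.in-addr.arpa'   # what the wizard creates for network ID 10.0.0
$UnixHosts = @{                         # name -> IPv4 address (placeholders)
    'CEN1' = '10.0.0.11'   # Database Server
    'CEN2' = '10.0.0.12'   # Web Server
    'CEN3' = '10.0.0.13'   # Utilities Server
}

# 1. AD-integrated reverse zone. /DsPrimary stores it in AD; /AllowUpdate 2 is
#    "secure only" dynamic updates, the same default the wizard applies.
dnscmd $DnsServer /ZoneAdd $ReverseZone /DsPrimary | Out-Null
dnscmd $DnsServer /Config  $ReverseZone /AllowUpdate 2 | Out-Null

# 2. A record plus the matching PTR for each host (what the "Create associated
#    pointer (PTR) record" checkbox does in one step).
foreach ($name in $UnixHosts.Keys) {
    $ip        = $UnixHosts[$name]
    $lastOctet = $ip.Split('.')[-1]
    $fqdn      = "$name.$ForwardZone".ToLower()
    dnscmd $DnsServer /RecordAdd $ForwardZone $name A $ip | Out-Null
    dnscmd $DnsServer /RecordAdd $ReverseZone $lastOctet PTR "$fqdn." | Out-Null
}

# 3. Verify with the resolver the clients will use: the A record must return
#    the expected address and the PTR for that address must return the same
#    FQDN. Mismatches here are what later break Kerberos-based SSH to the hosts.
function Test-HostRecords {
    param([hashtable]$Expected, [string]$Zone)
    $failed = @()
    foreach ($name in $Expected.Keys) {
        $fqdn = "$name.$Zone".ToLower()
        $fwd = $null; $rev = $null
        try {
            $fwd = ([System.Net.Dns]::GetHostAddresses($fqdn) | Select-Object -First 1).IPAddressToString
            $rev = [System.Net.Dns]::GetHostEntry($Expected[$name]).HostName.ToLower()
        } catch { }
        "{0,-25} A -> {1,-12} PTR -> {2}" -f $fqdn, $fwd, $rev
        if ($fwd -ne $Expected[$name] -or $rev -ne $fqdn) { $failed += $name }
    }
    return $failed
}

ipconfig /flushdns | Out-Null
$bad = Test-HostRecords -Expected $UnixHosts -Zone $ForwardZone
if ($bad) { throw "forward/reverse mismatch for: $($bad -join ', ')" }
```

Run the same Test-HostRecords check from CLIENT1 before the first PuTTY session; a PTR that points at a stale name is the classic reason an otherwise correct Kerberos setup falls back to password prompts.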

Install and enable the Remote Server Administration Tools (RSAT) for Windows 7 SP1 on CLIENT1
  1. Log on to CLIENT1 with an administrative account from CORP.
  2. Download the RSAT for Windows 7 SP1 package from Microsoft.
  3. Double-click the installer and click Yes when prompted.
  4. Click I Accept to start the installation. When the installation is complete, click Close.
  5. To enable the RSAT tools (ADUC, GPMC, etc.), open Control Panel and click Programs and Features.
  6. In the left pane, click "Turn Windows features on or off".
  7. Expand Remote Server Administration Tools\Feature Administration Tools and check Group Policy Management Tools.
  8. Expand Remote Server Administration Tools\Role Administration Tools\AD DS and AD LDS Tools and check:
    AD DS Snap-ins and Command-line Tools
    AD LDS Snap-ins and Command-line Tools
  9. Press OK.
  10. Stay logged on to CLIENT1 to complete the next tasks.
Download and install PuTTY and WinSCP on CLIENT1
  1. Download PuTTY.
  2. Run the PuTTY installer and follow the instructions.
  3. In the Select Additional Tasks window, check Create Desktop Icons for all users.
  4. Download WinSCP.
  5. Run the WinSCP installer and follow the instructions.
    Decline the bundled Google Chrome offer: do not select any component on that page of the installer.
  6. Stay logged on to CLIENT1.
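PuTTY and WinSCP are the tools the Unix administrators will type root passwords and keys into, so the installers deserve a check before they are run. The script below is an added example, not part of the original post: it reports the Authenticode signature status of each downloaded installer and compares its SHA-256 against the checksum published on the project's download page. The file paths and the checksum values are placeholders you replace; the hashing is done with .NET directly because Windows 7's PowerShell 2.0 has no Get-FileHash.

```powershell
# Added example (not from the original post): verify downloaded installers on
# CLIENT1 before executing them. PLACEHOLDERS: the paths and the Sha256 values;
# paste the real checksums from the PuTTY and WinSCP download pages.
$Downloads = @(
    @{ Path = "$env:USERPROFILE\Downloads\putty-installer.exe"; Sha256 = '<paste SHA-256 from the PuTTY download page>' },
    @{ Path = "$env:USERPROFILE\Downloads\winscp-setup.exe";    Sha256 = '<paste SHA-256 from the WinSCP download page>' }
)

function Get-Sha256Hex {
    # Hex SHA-256 of a file; works on PowerShell 2.0, which lacks Get-FileHash.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-Installer {
    param([string]$Path, [string]$ExpectedSha256)
    if (-not (Test-Path $Path)) { return "MISSING        $Path" }

    # Signature: tells you who built the file, if anyone signed it at all.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signed = ($sig.Status -eq 'Valid')
    $signer = [string]$sig.Status
    if ($signed) { $signer = $sig.SignerCertificate.Subject }

    # Hash: tells you it is the exact file the project published. This is the
    # mandatory check; the signature is reported for the record.
    $actual  = Get-Sha256Hex -Path $Path
    $hashOk  = ($actual -eq $ExpectedSha256.Trim().ToLower())
    $verdict = 'HASH MISMATCH'
    if ($hashOk) { $verdict = 'OK' }

    return ("{0,-14} signed={1,-5} {2}`n    sha256={3}`n    signer={4}" -f `
            $verdict, $signed, $Path, $actual, $signer)
}

foreach ($d in $Downloads) { Test-Installer -Path $d.Path -ExpectedSha256 $d.Sha256 }
```

Anything other than OK means the file is not the one the project published: delete it and download again over HTTPS rather than installing and hoping. Keep the same habit for the Centrify agents later in this lab, which will be executed as root on every Unix host.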
Create sample users
 First, create the Staff OU
  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
  2. In the left pane, right-click the domain and select New -> Organizational Unit.
  3. In the New Object window, in the Name field, type Staff and press OK.
Create the users in the Staff OU
  1. Right-click the Staff OU and select New -> User.
  2. Fill in First name and Last name from the list below. For User logon name, use the format <firstname>.<lastname>, e.g. bryant.wheeler, and click Next.
  3. In the next window, set a password and uncheck "User must change password at next logon".
  4. Optionally, check "Password never expires". This is a lab convenience only; it is not something to carry into a production directory.
  5. Click Next and then Finish.
List of sample users:

  Name               Title                  AD Groups
  Bryant Wheeler     Windows Administrator  Domain Admins, Domain Users
  Jessie Matthews    UNIX Administrator     Domain Users
  Cora Rodriguez     IT Security Analyst    Domain Users
  Courtney Larson    IT Manager             Domain Users
  Jeremy Silva                              Domain Users
  Ramon Jimenez                             Domain Users
  Doyle Russell      Web Administrator      Domain Users
  Matt Sims          Web Administrator      Domain Users
  Cassandra Lindsey  External Auditor       Domain Users
  Ralph Baldwin      Internal Auditor       Domain Users

 Make Bryant a member of the Domain Admins group
  1. Open the Staff OU.
  2. Double-click Bryant Wheeler's user object and go to the Member Of tab.
  3. Press the Add button, type Domain Admins in the box, and press OK twice.
  4. Close Active Directory Users and Computers.
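The OU, the ten users and the Domain Admins membership from PowerShell on DC1, as an added example that is not part of the original post. It reproduces the table above exactly: logon names are <firstname>.<lastname>, the job titles go into the AD title attribute, and only Bryant is added to Domain Admins. The password is a placeholder, and PasswordNeverExpires is set only because the lab procedure allows it.

```powershell
# Added example (not from the original post): Staff OU, sample users, and the
# Domain Admins membership for Bryant. PLACEHOLDER: the password below.
# PasswordNeverExpires is a lab shortcut, not a production setting.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$staffOU  = "OU=Staff,$domainDN"
$password = ConvertTo-SecureString 'Lab-only-P@ssw0rd' -AsPlainText -Force   # placeholder

# From the table: first name, last name, title, groups beyond Domain Users.
$SampleUsers = @(
    @{ First='Bryant';    Last='Wheeler';   Title='Windows Administrator'; Groups=@('Domain Admins') },
    @{ First='Jessie';    Last='Matthews';  Title='UNIX Administrator';    Groups=@() },
    @{ First='Cora';      Last='Rodriguez'; Title='IT Security Analyst';   Groups=@() },
    @{ First='Courtney';  Last='Larson';    Title='IT Manager';            Groups=@() },
    @{ First='Jeremy';    Last='Silva';     Title='';                      Groups=@() },
    @{ First='Ramon';     Last='Jimenez';   Title='';                      Groups=@() },
    @{ First='Doyle';     Last='Russell';   Title='Web Administrator';     Groups=@() },
    @{ First='Matt';      Last='Sims';      Title='Web Administrator';     Groups=@() },
    @{ First='Cassandra'; Last='Lindsey';   Title='External Auditor';      Groups=@() },
    @{ First='Ralph';     Last='Baldwin';   Title='Internal Auditor';      Groups=@() }
)

# 1. The Staff OU, created only if it is not already there.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq 'Staff'" -SearchBase $domainDN -SearchScope OneLevel
if (-not $ou) { New-ADOrganizationalUnit -Name 'Staff' -Path $domainDN }

# 2. The users. Idempotent: an existing sAMAccountName is skipped, group
#    membership is still reconciled.
foreach ($u in $SampleUsers) {
    $sam = ("{0}.{1}" -f $u.First, $u.Last).ToLower()          # <firstname>.<lastname>
    $params = @{
        Name                  = "$($u.First) $($u.Last)"
        DisplayName           = "$($u.First) $($u.Last)"
        GivenName             = $u.First
        Surname               = $u.Last
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@$($domain.DNSRoot)"
        Path                  = $staffOU
        AccountPassword       = $password
        Enabled               = $true
        ChangePasswordAtLogon = $false                          # unchecked in the GUI step
        PasswordNeverExpires  = $true                           # lab only
    }
    if ($u.Title) { $params.Title = $u.Title }
    if (-not (Get-ADUser -Filter "sAMAccountName -eq '$sam'")) { New-ADUser @params }
    foreach ($g in $u.Groups) { Add-ADGroupMember -Identity $g -Members $sam }
}

# 3. Check: Domain Admins should contain bryant.wheeler and nobody else from Staff.
function Get-StaffDomainAdmins {
    Get-ADGroupMember -Identity 'Domain Admins' |
        Where-Object { $_.distinguishedName -like "*,$staffOU" } |
        Select-Object -ExpandProperty SamAccountName
}
$admins = @(Get-StaffDomainAdmins)
"Staff members of Domain Admins: $($admins -join ', ')"
if (($admins -ne 'bryant.wheeler') -or ($admins.Count -ne 1)) { throw 'unexpected Domain Admins membership' }
```

The final check is worth keeping as the lab grows: with Centrify in place, Domain Admins membership will translate directly into privileged access on the Unix hosts, so the group should stay as small as the table says it is.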
 Obtain and copy the Centrify Server Suite software
  1. To obtain the software you have to contact Centrify and request a trial.
  2. Download the Centrify software:
    a) Centrify consoles:
    b) Agent for CentOS 64-bit:
    c) Agent for Solaris x86:
    d) Agent for SUSE 64-bit:
  3. When you have the software, log on to APP1.
  4. Copy the consoles and agents to the C:\Files folder. This makes them available via the \\app1\files share. Keep write access to that share limited to administrators: these packages will be executed as root on every Unix host and as an administrator on CLIENT1, so anyone who can modify them can modify those systems.
