LAB Setup
Our basic LAB setup will include the following:
Modem for the internet connection, with local IP address [192.168.100.1] and a public IP address from the ISP [internet service provider]
Firewall pfSense to control traffic between three networks:
- X0 WAN with IP address 192.168.100.11 /24
- X1 LAN with IP address 172.16.100.11 /16
- X2 Servers Farm with IP address 172.17.100.11 /16
Windows Server 2016 in the servers farm, acting as the [AD DS] and [DNS] server
- with IP address 172.16.100.101 /16
Three Windows 10 client computers in the LAN subnet, as follows:
- HR121 with IP address 172.17.100.121 /16
- IT123 with IP address 172.17.100.123 /16
- Finance124 with IP address 172.17.100.124 /16
ALL client computers will have:
- DNS server IP address: 172.16.100.101
- Default gateway IP address: 172.17.100.11
Firewall between LAN and servers farm
At first glance we notice that the clients reside on a different subnet from the domain controller [DC101.Pioneers.com], since the client computers are in the LAN subnet [172.17.x.x/16] while DC101 is in the servers farm subnet [172.16.x.x/16].
This requires us to configure the pfSense firewall to allow communication between the client computers and the domain controller.
We could open all communication between the two subnets, but this is NOT secure, so as a best practice we open ONLY the required ports:
- RPC endpoint mapper: port 135 TCP, UDP
- NetBIOS name service: port 137 TCP, UDP
- NetBIOS datagram service: port 138 UDP
- NetBIOS session service: port 139 TCP
- SMB over IP (Microsoft-DS): port 445 TCP, UDP
- LDAP: port 389 TCP, UDP
- LDAP over SSL: port 636 TCP
- Global catalog LDAP: port 3268 TCP
- Global catalog LDAP over SSL: port 3269 TCP
- Kerberos: port 88 TCP, UDP
- DNS: port 53 TCP, UDP
- WINS resolution: port 1512 TCP, UDP
- WINS replication: 42 TCP, UDP
- RPC: Dynamically-assigned ports TCP, unless restricted
You may wonder: if I can open ALL ports, why do I have to struggle with this step?
The answer: yes, you can open ALL ports, but doing so is effectively the same as putting the DC101 server in the LAN network, which is NOT secure at ALL.
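As an added example (not from the original article), the following PowerShell script, run on one of the LAN clients, checks that the pfSense rules pass the TCP ports from the list above to DC101 (172.16.100.101, from the setup above) and that a port outside the list is still blocked. It assumes WINS is not installed on DC101, so the WINS ports are left out.

```powershell
# Added example, not part of the original article. Run on a LAN client (e.g. HR121).
# Verifies the pfSense rules between LAN and the servers farm: the TCP ports in the
# allow list must reach DC101, a port outside the list must not.
# Caveats: Test-NetConnection is TCP-only, so UDP entries (138, the UDP side of the
# others) are not tested, and 137 (name service) is normally UDP only. A port DC101 does
# not listen on also shows as closed, so WINS (42, 1512) is omitted on the assumption
# that the WINS role is not installed on DC101.
$Dc = '172.16.100.101'            # DC101, from the lab setup above

$RequiredTcp = [ordered]@{
    'RPC endpoint mapper'          = 135
    'NetBIOS session service'      = 139
    'SMB over IP (Microsoft-DS)'   = 445
    'LDAP'                         = 389
    'LDAP over SSL'                = 636
    'Global catalog LDAP'          = 3268
    'Global catalog LDAP over SSL' = 3269
    'Kerberos'                     = 88
    'DNS'                          = 53
}
# Not in the allow list: if this succeeds, the firewall passes more than intended.
$ShouldBeBlocked = [ordered]@{ 'RDP (example of a port outside the list)' = 3389 }

function Test-DcPort {
    param([string]$Service, [int]$Port, [bool]$ExpectOpen)
    $r = Test-NetConnection -ComputerName $Dc -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service    = $Service
        Port       = $Port
        Open       = $r.TcpTestSucceeded
        ExpectOpen = $ExpectOpen
        Ok         = ($r.TcpTestSucceeded -eq $ExpectOpen)
    }
}

$results = @()
foreach ($svc in $RequiredTcp.Keys)     { $results += Test-DcPort $svc $RequiredTcp[$svc] $true }
foreach ($svc in $ShouldBeBlocked.Keys) { $results += Test-DcPort $svc $ShouldBeBlocked[$svc] $false }

$results | Format-Table -AutoSize
$bad = $results | Where-Object { -not $_.Ok }
if ($bad) { Write-Warning "$($bad.Count) port(s) do not match the allow list; review the pfSense rules" }
else      { 'Firewall rules match the allow list' }
```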
Prepare client computers
The first step in preparing the computers is to create a new security identifier (SID).
Since we are using virtual machines [VMware, Hyper-V or even VirtualBox], we have to make sure that each VM has a unique security identifier [SID].
Use Sysprep to create a new SID for each VM and avoid conflicts when joining the computers to the domain.
After that we need to assign an IP address to each computer: Control Panel\Network and Internet\Network Connections, then change adapter properties –> Ethernet –> TCP/IPv4 –> Properties, and set the IP for each computer as follows:
- HR121 [image]
- Finance123 [image]
- IT124 [image]
The next preparation step is to rename the computer.
Of course you are fully FREE to name the computers as you like, but you can follow my technique for computer naming, which is [computer role + last octet of the IP address].
For example, HR121 means the computer is in the HR department and has IP address 172.17.100.121.
Likewise, Finance123 means the computer is in the Finance department and has IP address 172.17.100.123.
Please note that configuring the IP addresses of the default gateway and DNS server correctly is very important, since any wrong value will prevent the computer from connecting to the domain controller DC101.
As you know, we covered all three steps with images in the previous article [prepare domain controller].
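The three preparation steps above (SID check after Sysprep, static addressing, rename) as one PowerShell script, added here as an example and not part of the original article. It takes the gateway, DNS server and naming convention from this article; the interface alias Ethernet and the DC host name DC101.Pioneers.lab are assumptions (the article uses both Pioneers.com and Pioneers.lab).

```powershell
# Added example, not part of the original article. Run elevated on a freshly
# sysprepped client. Applies the article's naming convention (role + last octet)
# and the LAN addressing from the setup above. Assumptions: interface alias
# 'Ethernet' and DC host name DC101.Pioneers.lab.
param(
    [Parameter(Mandatory)][ValidateSet('HR', 'IT', 'Finance')][string]$Role,
    [Parameter(Mandatory)][ValidatePattern('^172\.17\.\d{1,3}\.\d{1,3}$')][string]$IPAddress,
    [string]$Interface = 'Ethernet'
)
$PrefixLength = 16
$Gateway      = '172.17.100.11'    # pfSense interface facing the LAN
$DnsServer    = '172.16.100.101'   # DC101, the only DNS server the clients should use
$NewName      = $Role + $IPAddress.Split('.')[-1]   # e.g. 'HR' + '121' -> HR121

# 1. SID check: Sysprep must have regenerated it. Compare this value across the three VMs.
$machineSid = (Get-LocalUser -Name 'Administrator').SID.AccountDomainSid.Value
"Machine SID $machineSid (must differ from the other clients)"

# 2. Replace any DHCP-assigned address and default route with the static values.
Remove-NetIPAddress -InterfaceAlias $Interface -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceAlias $Interface -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Interface -IPAddress $IPAddress -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $DnsServer

# 3. The article warns that a wrong gateway or DNS value breaks the join: fail here instead.
if (-not (Test-NetConnection -ComputerName $Gateway -InformationLevel Quiet)) {
    throw "Gateway $Gateway is unreachable; check the address and the pfSense LAN interface"
}
$dc = Resolve-DnsName -Name 'DC101.Pioneers.lab' -Type A -Server $DnsServer -ErrorAction Stop
"DC101 resolves to $($dc.IPAddress) via $DnsServer"

# 4. Rename and reboot; the domain join is done after the restart.
Rename-Computer -NewName $NewName -Force -Restart
```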
Join client computers to AD
NOW, joining a computer to Active Directory is a very straightforward process:
- Open My Computer, then
- My Computer properties
- On the Computer Name tab you will notice that the computer currently belongs to a workgroup called [workgroup]
- In the domain field provide the domain name, either NetBIOS [Pioneers] or the full name [Pioneers.lab], then press OK
- The computer will send a request to DC101 to join and register in the Active Directory domain called Pioneers.com
- DC101 will ask for credentials [domain user and password] to allow the computer to join Active Directory
- Currently we have only one domain account that can join computers to Active Directory, administrator@pioneers.lab, but later we will delegate this so that other domain users [mostly IT users] can join computers to Active Directory
- Once the credentials are approved, the computer joins Active Directory with the message [Welcome to Pioneers.lab]
- Restart the computer for the change to take effect
Verify that the computers joined AD
Joining a computer to AD can be verified in three areas.
The first step is to verify in Active Directory itself that the computer has joined:
- On DC101: from Control Panel –> Administrative Tools, open Active Directory Users and Computers
- Select the container called [Computers]
- You should see the computer in that container, as seen below
Second step, by DNS:
- As we have verified the computers in the AD console, we also have to verify the computer records in the DNS zone
- Open the DNS console, either from Administrative Tools or by running dnsmgmt.msc
- Select the forward lookup zone –> lab –> the computer name should be registered with its IP address [name to IP]
- Moreover, select the reverse lookup zone –> 17 network –> the IP address of the computer should be registered with its computer name [IP to name]
The third step is to verify on the computer itself:
- When the computer restarts, the logon screen appears asking you to provide credentials with either a local account or a domain account; we can log in using any domain account in Active Directory
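The join procedure and the three verification areas above, as an added PowerShell example that is not part of the original article: Join-PioneersDomain runs on the client before its reboot, Test-JoinOnDc runs on DC101 (areas 1 and 2), and Test-JoinOnClient runs on the client after the reboot (area 3). Domain name Pioneers.lab and account administrator@pioneers.lab are the values from the join step; the function names are my own.

```powershell
# Added example, not part of the original article. Domain Pioneers.lab and the
# account administrator@pioneers.lab are taken from the join step above.
function Join-PioneersDomain {
    # Run elevated on the client. Before contacting DC101, confirm DNS returns the
    # domain's DC locator record: a wrong DNS server setting fails here, with a clear
    # message, rather than inside the join dialog.
    $srv = Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.Pioneers.lab' -Type SRV -ErrorAction Stop
    "DC locator record points at: $($srv.NameTarget -join ', ')"
    $cred = Get-Credential -UserName 'administrator@pioneers.lab' -Message 'Account allowed to join computers to Pioneers.lab'
    Add-Computer -DomainName 'Pioneers.lab' -Credential $cred -Force -Restart
}

function Test-JoinOnDc {
    # Area 1 (computer object in AD) and area 2 (forward and reverse DNS records). Run on DC101.
    param([Parameter(Mandatory)][string]$ComputerName, [Parameter(Mandatory)][string]$ExpectedIP)
    try   { $obj = Get-ADComputer -Identity $ComputerName -Properties DNSHostName, whenCreated -ErrorAction Stop }
    catch { $obj = $null }
    $container = $null; $fwd = $null
    if ($obj) {
        $container = ($obj.DistinguishedName -split ',', 2)[1]          # expect CN=Computers,DC=Pioneers,DC=lab
        $fwd = (Resolve-DnsName -Name $obj.DNSHostName -Type A -ErrorAction SilentlyContinue).IPAddress
    }
    $rev = (Resolve-DnsName -Name $ExpectedIP -Type PTR -ErrorAction SilentlyContinue).NameHost
    [pscustomobject]@{
        Computer  = $ComputerName
        InAD      = [bool]$obj
        Created   = $obj.whenCreated
        Container = $container
        ForwardOk = ($fwd -contains $ExpectedIP)                 # name -> IP in the forward zone
        ReverseOk = ($obj -and $rev -eq $obj.DNSHostName)        # IP -> name in the 172.17 reverse zone
    }
}

function Test-JoinOnClient {
    # Area 3: the client itself after the restart. Run elevated (Test-ComputerSecureChannel needs it).
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        PartOfDomain  = $cs.PartOfDomain
        Domain        = $cs.Domain                    # expect Pioneers.lab
        SecureChannel = Test-ComputerSecureChannel    # $true when the machine account works against a DC
        LogonServer   = $env:LOGONSERVER              # set once a domain user has logged on
    }
}
```

Example calls: `Test-JoinOnDc -ComputerName HR121 -ExpectedIP 172.17.100.121` on DC101, and `Test-JoinOnClient` on HR121 after the first domain logon.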