Saturday, January 30, 2016

Unable to Resolve Any Host Within

I'm bringing this one back up for my own reference. I don't have IPv6 going at home yet (soon, very soon.....) so it's a great reminder. I'm sure isn't the only domain doing whatever it is that they're doing.

A little while back, I was doing a little work within my lab domain, and found that I was unable to download Microsoft's Web Platform Installer. After digging into this a little bit, I realized it was a DNS resolution issue, as I couldn't resolve any hosts from Microsoft. No other domains were causing me any grief (none that I used while labbing that day anyway). This was completely reproducible from every virtual machine I had running at the time, so I initially thought it was something with VirtualBox, since the host machine didn't have the problem.

I headed off to Google and eventually found a newsgroup post from someone having the same issue. Their workaround was to stop the DNS Client service on the machine, and sure enough that worked in my environment as well. I guess I have some more to learn about Microsoft's DNS Client implementation because I'm just not seeing how disabling something actually makes it START working. But anyway, I had a temporary fix, but I'm not satisfied with that answer, so I kept digging.

Eventually I tried disabling IPv6 on the interfaces in all of the VMs (including both Domain Controllers, which are acting as DNS servers for all of the affected machines), and after a reboot, the problem went away without stopping any services. Any ideas what Microsoft is doing differently than everyone else on the Internet? Regardless, I've been disabling IPv6 on all of my VMs because this behavior followed me to work as well.

Saturday, January 23, 2016

Generating Test Users

In setting up an Active Directory environment, you often need test users that are part of test groups and test Organizational Units. In a post at TechExams, Slowhand presents a script that will take a CSV file containing names and departments of some dummy users, then create an OU structure based on a couple of questions. The users will be created based on the names in the file, and each user will be added into a group with the name of their department.

Because I always subscribe to the theory of overkill, I used this site to generate a much longer list of names.  Tell it to generate 50 names, and then once they are generated, scroll down to the bottom and click List in text area, then you can copy/paste them out into a text file.  Run it as many times as you wish to generate longer lists. Don't forget to replace the space in between the first and last name with a comma, and then add another comma after the last name, followed by a department. They can all be the same department if you don't care to separate them.

Somehow this post was eaten, so I've rewritten it.

Saturday, January 16, 2016

Building the Domain

Edit: This post has been updated with a new walkthrough as I changed my mind on a few things.   Most notably, I'll be working with a new isolated domain rather than a child domain off of my production domain.

In this post, I'll go through the steps of building an Active Directory domain. I'll assume you already have Windows Server installed, a host name set and a static IP address assigned to the network interface. Here, I'm using Windows Server 2016 Technical Preview 4, just because I want to kick the tires on the latest bits. The process should be pretty much the same in any other Technical Preview build or Server 2012/2012R2 but has changed vastly from Windows Server 2008R2 and earlier. Server Manager is vastly different, and the dcpromo command is only there to process an answer file at this point; everything is done via Server Manager.

This is going to be a long post with a lot of screen shots.

When you log into the server, you'll see Server Manager pop up.  In the main field, you'll see common steps numbered from 1 - 5. We're looking for number 2, Add roles and features.

Next, it asks if you want to perform a role-based/feature-based installation, or a remote desktop services installation. Leave the default selected.

Next, you will be asked to select which server you wish to install roles or features on.  One of the nice additions to Server 2012 is the ability to manage multiple servers from a common instance of Server Manager. You can add additional servers to be managed in, and from here install roles and features on other servers in your environment. And if you install the latest Windows Management Framework for Server 2008 or Server 2008R2, you can manage those (although more limited) from Server 2012/2012R2 as well.

In this case, we don't have a domain set up yet, so the local host should be the only server appearing on the list. Click Next.

Next, you'll want to tick the box next to Active Directory Domain Services.  A box will then pop up labeled Add Roles and Features wizard that informs you of any additional prerequisite roles and features for what you just selected for installation.  Click Add Feature to install these additional options.

Once you have Active Directory selected, do the same for DNS Server.  DNS is an integral part of Active Directory and simply cannot be left out. I've read conflicting reports on whether or not non-Windows DNS Servers can be used, but I've never gotten it working with recent versions of Windows Server if it is indeed still possible.  I'm not really studying advanced Windows Server topics, so I never kept at it.  Has anyone gotten it to work?

Select any other roles you care to install as well.

Here you can select various features to install if your server isn't going to be limited to a domain controller, but I'm not adding anything that hasn't already been automatically selected so I'm just clicking Next again.

Next you'll see this informational box on ADDS.  Feel free to read it, or don't, your call. Click Next.

Another similar box for DNS.  Again, read it or don't and click Next.

Here is the final confirmation of what you've chosen to install, and a checkbox at the top selecting whether or not you want the server to reboot if required once the installation has completed. Obviously for a production machine that is performing other tasks, you'll want to hold off until a scheduled maintenance window, but in the lab go ahead and let it reboot. Click Install when you're ready to let it begin.  Interestingly enough, this server didn't reboot after installing the Active Directory bits.

Once you let it begin, it's going to take some time to complete, especially if this is in a virtual machine so go ahead and grab a sandwich.

Once the roles and features have finished installing, note the yellow exclamation mark at the top of Server Manager trying to get your attention. If you click that, you'll see the following box indicating that your server is ready to be promoted to a domain controller. Click on "Promote this server to a domain controller" to begin.

The first thing that comes up will ask you about the environment. I'm building a new domain here and naming it (clever, eh?), so I selected Add a new forest and entered the name.  Fill in the boxes appropriately for you, and then click next.  A bit of a wait here, and a command prompt comes and goes without warning. 

Next it will ask you some questions regarding this domain controller. The first is the FFL and DFL of the domain. Since this is a lab domain, I'm going to select the highest available to ensure I have all the latest/greatest bits to experiment with.  We need to check off DNS and Global Catalog since it's the first domain controller in the domain.  Finally, give it a DSRM password that you'll be able to remember. Or not, because in the lab you'll probably be better off just rolling back to a snapshot of this server than trying to fix a problem of the magnitude necessary to use Directory Service Restore Mode.

Next is the DNS Options. Nothing to change here as it is the first domain controller for the domain.

Next is the Additional Options, which consists of nothing more than the NetBIOS domain name. Whatever comes up as the default is fine because who uses NetBIOS anymore?

Next is the directory paths for various parts of Active Directory. Spread the love around to multiple spindles in production, but the defaults are fine in the lab.

Finally we have a summary of all the options selected. If this were a domain controller for an existing domain, you could click View script to get a PowerShell script to run on any additional servers you want to promote to domain controllers.  Click Next again.

Prerequisites will be checked here. There shouldn't be anything stopping you from proceeding at this point, but it will tell you if there is. The one warning is letting you know about a default cryptography option that is not best practice, but chosen for compatibility reasons.  This can be fixed in group policy later if you care to lock this setting down.

Click Install to begin the promotion.

The process will run for some time, and the server will reboot once it's done. The local administrator will be converted to the domain administrator once the process has completed.  There are no local user accounts on a domain controller.
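
The same build can be scripted. This is an added example, not the author's script or the wizard's own "View script" output: it installs the AD DS and DNS roles, runs the prerequisite check, and promotes the server as the first domain controller of a new forest. The domain name `lab.example` and NetBIOS name `LAB` are placeholders, since the post does not give the real ones.

```powershell
# Added example: scripted equivalent of the wizard walkthrough above.
# Run in an elevated session on the server that will become the first DC.
# Placeholder values (not from the original post): lab.example, LAB.
$DomainName  = 'lab.example'
$NetbiosName = 'LAB'

# Roles step: Active Directory Domain Services plus DNS Server, with the
# management tools the wizard adds through "Add Features".
$roles = Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools
if (-not $roles.Success) { throw 'Role installation failed.' }
if ($roles.RestartNeeded -eq 'Yes') {
    Write-Warning 'Reboot required before promotion; restart and run again.'
    return
}

# DSRM password: prompt for it rather than storing it in the script.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'

# Same answers as the promotion wizard pages. The first DC of a new forest
# is always a Global Catalog, so there is no switch for that here.
# Functional levels are not pinned; add -ForestMode / -DomainMode to set them.
$forest = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    InstallDns                    = $true
    SafeModeAdministratorPassword = $dsrm
    DatabasePath                  = "$env:SystemRoot\NTDS"
    LogPath                       = "$env:SystemRoot\NTDS"
    SysvolPath                    = "$env:SystemRoot\SYSVOL"
}

# Prerequisites page: warnings are expected in a lab, errors are fatal.
$checks = Test-ADDSForestInstallation @forest
$checks | Format-List Status, Message
if ($checks.Status -contains 'Error') { throw 'Prerequisite check failed.' }

# Promote. The server reboots on completion unless -NoRebootOnCompletion
# is added.
Install-ADDSForest @forest -Force
```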


Friday, January 8, 2016

The Current Lab

Here's what is currently set up in the lab.

  • 2 Hyper-V servers, each hosting a number of virtual machines and both running GNS3.  Each has a quad core AMD A4-5000 APU with 16GB of RAM.
  • Another server that I will be putting ESXi on soon.  This machine has a pair of quad core AMD Opteron 4122's. I'm unsure about the RAM because I borrowed a few sticks for my new desktop.
  • My 42U rack, full of various routers, switches, firewalls, wireless access points and other devices. I'm not even trying to keep track any more. 
  • A Half-Top (laptop with a broken screen) running Windows Server 2012R2 acting as a domain controller, DNS and DHCP server to my home network.  
  • Separating the home network from the lab network is an Extreme Networks 400-48t switch. This just recently replaced another unit that failed to power back up after a recent trip out of town.
  • At the edge, between my network and the ISP is a Sonicwall TZ210. This will be replaced soon as I have plans going forward that it's incapable of.
  • My current desktop.  It's an i5 with 8GB of RAM and a pair of SSDs in RAID0 running OpenSuse Leap 42.1 and Virtualbox.
Moving forward with the studies, I will be building out a child domain off of my home network.  My immediate plans are to build the following and document the steps:
  • A domain controller on Windows Server 2012R2
  • A two tier Certification Authority (root and issuing CAs), both on Windows Server 2012R2.
  • An NTP server on NetBSD
  • An NPS server on Windows Server 2012R2 for RADIUS.
The 10 or so posts that this will take me through should be a sufficient foundation and then I'll start on 300-206 SENSS material.

Friday, January 1, 2016

New Year, New Focus

This blog started out with the intent of being networking focused, Cisco networking in particular.  However, competing interests from work and hobbies have led it to contain content that's all over the map.  While all over the map is still an active representation of where I'm at both professionally and personally and probably always will be, it's time to reel it in and get focused again.

What will be here moving forward:
  • CCNP Security topics - what I'm actively pursuing.
  • VoIP and Wireless topics - not pursuing any certifications (yet), but I need to increase my knowledge in these areas both for professional and eventual cert goals.
  • MCSA 2016 - I'll be tackling the upgrade to this certification when the exam is released.
  • CISSP - The capstone of my Masters Degree program, I will be doing this certification at some point in the very near future.
  • CCIE Security - Those elusive digits are the ultimate goal.
And then all that "other stuff" that I hope will not outnumber the above posts:
  • Work Topics - I'm not going to disclose exactly what I'm doing or where I'm doing it at, but on occasion I come across a topic on the job that is of interest. Things I want to know more about or just rant about.
  • The Facebook CCNA Group - I'm the admin of the largest CCNA related Facebook group, and occasionally write an impulsive post based on the group's activity.  Those posts find their way here so I can keep them handy and not answer the same question with the same answer a hundred times.  If you don't participate in that group, I apologize for the distraction and you may safely ignore those posts.  There will be no quiz at the end.
  • Misc Off Topic Posts - I'm hoping that the general geeking out posts will be fewer and farther between, but they'll still be there from time to time and probably more often than I really want.  But if it's of interest to me, maybe it'll be of interest to someone else.  And for a writer, continuing to write, ANYTHING is a good thing.
Stay tuned!