DC Creation
The first task in this milestone is the creation of a Domain Controller VM on the ESXi host.
VM Creation
A Windows Server Core 2019 ISO was uploaded to the ESXi host for this VM. For this machine, the following VM settings were used (see here for details on VM creation):
- Name: dc1
- Compatibility: ESXi 8.0 virtual machine
- Guest OS: Windows / Windows Server 2019 (64-bit)
- CPU: 2
- Memory: 4096 MB (4 GB)
- Hard disk: 30 GB, thin provisioned
- Network adapter: VM Network
- CD/DVD: Windows Server 2019 Core ISO
- VM Options
  - Ensure that Boot Options → Firmware is set to EFI
  - This should be the default if ESXi was installed w/ EFI
Windows Server Installation
Base Installation
After starting the VM and loading the console, boot into the ISO via EFI and simply ‘Install now.’ Within the setup dialog, the following options were changed:
- OS: Windows Server 2019 Standard (Desktop Experience)
- Default is Core, w/o GUI
- Custom install → Whole disk
Windows Server will then install to the VM. Do not set the Administrator password when prompted after the first boot, as this makes system prep more difficult. Instead, press Ctrl + Shift + F3 at that screen to enter Audit Mode, which bypasses the requirement to set an Administrator password.
Initial Configuration
Open a PowerShell window, and enter sconfig for initial configuration. The following settings are changed from sconfig:
- Windows Updates Settings: Manual updates
- Date and Time: Set correct time zone (e.g. UTC -5)
Once those have been changed, select Download and Install Updates (6) within sconfig, and then (A)ll updates in the resultant window. This may reboot several times. After a reboot, ensure there are no remaining updates. If there are, check for updates again and repeat.
VMware Tools Installation
To install VMware Tools, right-click the VM in ESXi → Guest OS → Install VMware Tools. This mounts a drive in the Windows VM; run the setup from that drive and complete it as normal.
Windows Server Sysprep
The following script is downloaded to the VM to prepare the system:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Start-Service sshd
# a good time to complete via remote ssh
Set-Service -Name sshd -StartupType 'Automatic'
# console-based prompts (e.g. Get-Credential) instead of a dialog, so they work over SSH
Set-ItemProperty "HKLM:\Software\Microsoft\Powershell\1\ShellIds" -Name ConsolePrompting -Value $true
# land SSH logins in PowerShell rather than cmd
New-ItemProperty -Path HKLM:\SOFTWARE\OpenSSH -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
#Write-Host "Create a deployer user: Enter Password"
#$pw = Read-Host -AsSecureString
#New-LocalUser -Name deployer -Password $pw -AccountNeverExpires -PasswordNeverExpires:$true
#Add-LocalGroupMember -Group Administrators -Member deployer
Write-Host "Pull down unattend.xml and then sysprep the box"
wget https://raw.githubusercontent.com/gmcyber/RangeControl/main/src/scripts/base-vms/windows/unattend.xml -Outfile C:\Unattend.xml
C:\Windows\System32\Sysprep\sysprep.exe /oobe /generalize /unattend:C:\unattend.xml
Write-Host "Set Power to High Performance"
powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c

The script is available at this GitHub link, or at https://tinyurl.com/480sysprep. If using the wget alias in PowerShell, be sure to specify -OutFile prep.ps1 to save the file.
Prior to execution, uncomment the 4 lines that create a deployer user: these steps will be run on the VM. Additionally, comment the final line that sets High Performance mode. This is desirable on a workstation, but will not be needed for this server.
Lastly, unblock the file and change the execution policy so the script can be run. A breakdown of all steps is as follows:
wget "https://tinyurl.com/480sysprep" -OutFile prep.ps1
notepad prep.ps1 # Make changes (comment/uncomment)
Unblock-File .\prep.ps1
Set-ExecutionPolicy RemoteSigned
.\prep.ps1

Tip
If the system is still in sysprep mode (with the sysprep dialog open), sysprep will fail to start during script execution. Close the existing sysprep dialog prior to running the script to avoid this, or re-run the sysprep execution steps after closing the open window. If it still fails, reboot, close the dialog, then re-run the sysprep execution command from the above script.
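The same preparation, rewritten here as an added example (this is not the RangeControl script from the page): the deployer-user and High Performance steps become switches instead of lines to comment out in Notepad, the OpenSSH install is skipped if already present, and the open sysprep dialog from the Tip above is closed before sysprep is launched again. The switch names -CreateDeployer and -HighPerformance are my own, the unattend URL is the one from the page, and /shutdown is added so the VM powers off as the ESXi post-configuration section expects.

```powershell
# prep-dc.ps1 (added example, not the page's own script)
[CmdletBinding()]
param(
    [switch]$CreateDeployer,      # server build: create local admin "deployer" (hypothetical switch)
    [switch]$HighPerformance,     # workstation build: set High Performance plan (hypothetical switch)
    [string]$UnattendUrl = 'https://raw.githubusercontent.com/gmcyber/RangeControl/main/src/scripts/base-vms/windows/unattend.xml'
)
$ErrorActionPreference = 'Stop'

# OpenSSH server: install only if missing, run at boot, drop SSH logins into PowerShell
$capName = 'OpenSSH.Server~~~~0.0.1.0'
if ((Get-WindowsCapability -Online -Name $capName).State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $capName | Out-Null
}
Set-Service -Name sshd -StartupType Automatic
Start-Service sshd
Set-ItemProperty 'HKLM:\Software\Microsoft\Powershell\1\ShellIds' -Name ConsolePrompting -Value $true
New-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell `
    -Value 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -PropertyType String -Force | Out-Null

if ($CreateDeployer) {
    if (-not (Get-LocalUser -Name deployer -ErrorAction SilentlyContinue)) {
        # password is prompted, never passed on the command line (it would end up in history)
        $pw = Read-Host -AsSecureString 'Password for local user deployer'
        New-LocalUser -Name deployer -Password $pw -AccountNeverExpires -PasswordNeverExpires | Out-Null
    }
    if (-not (Get-LocalGroupMember -Group Administrators -Member deployer -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group Administrators -Member deployer
    }
}

if ($HighPerformance) {
    powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
}

# A sysprep instance left open from Audit Mode makes a second one fail; close it first.
Get-Process -Name sysprep -ErrorAction SilentlyContinue | Stop-Process -Force

Invoke-WebRequest -Uri $UnattendUrl -OutFile 'C:\Unattend.xml' -UseBasicParsing
Start-Process -FilePath "$env:SystemRoot\System32\Sysprep\sysprep.exe" `
    -ArgumentList '/oobe', '/generalize', '/shutdown', '/unattend:C:\Unattend.xml' -Wait
```

For the dc1 build this is run as `.\prep-dc.ps1 -CreateDeployer` after `Unblock-File`; a workstation image would use `-HighPerformance` instead. Because sysprep is started with `-Wait` and `/shutdown`, the script does not return until generalization finishes and the VM halts.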
Unattend XML
The Unattend.XML file downloaded using the sysprep script above has the following contents, also available here:
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<OOBE>
<HideEULAPage>true</HideEULAPage>
<HideLocalAccountScreen>true</HideLocalAccountScreen>
<HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
<HideOnlineAccountScreens>true</HideOnlineAccountScreens>
<HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
<NetworkLocation>Home</NetworkLocation>
<ProtectYourPC>3</ProtectYourPC>
<SkipMachineOOBE>true</SkipMachineOOBE>
<SkipUserOOBE>true</SkipUserOOBE>
<UnattendEnableRetailDemo>false</UnattendEnableRetailDemo>
</OOBE>
</component>
</settings>
</unattend>

ESXi Post Configuration
After sysprep is complete, the VM should automatically power off.
Remove ISO Drive
Open the VM options and remove the ISO disk drive.
Snapshot Creation
Create a snapshot of the VM with the name Base, for consistency across snapshots.
Environment-Specific Configuration
After the base snapshot has been created, the machine can be configured to become a domain controller for this environment.
Network Adapter
The VM’s network adapter should be changed to 480-WAN.
Administrator Password
As the Administrator password was not set during initial setup, it must be set on first login.
Networking Settings
Within the VM, the following network settings should be set via sconfig or ncpa.cpl:
- IP Address: 10.0.17.4/24
- DNS & Gateway: 10.0.17.2
Via Commands
These networking settings can also be configured via the following commands:
netsh interface ipv4 set address name="<interface>" static <IP> <subnet> <gateway>
netsh interface ipv4 set dns name="<interface>" static <DNS server>

The default interface is named Ethernet0, which can be found using:

netsh interface ipv4 show config

Alternatively, PowerShell can be used:

Get-NetIPInterface # View InterfaceIndex (ifIndex) value
New-NetIPAddress -InterfaceIndex <index> -IPAddress <IP> -PrefixLength <CIDR e.g. 24> -DefaultGateway <gateway>

Note that New-NetIPAddress sets only the address and default gateway; the DNS server must still be set separately (the netsh dns command above, or Set-DnsClientServerAddress in PowerShell).

Hostname
The hostname should be set to dc1. This can be done via PowerShell, after which the VM can be restarted to apply the name change:
Rename-Computer -NewName "dc1"

The remainder of the configuration should be performed via SSH as deployer from xubuntu-wan, once networking is configured. The below sections will detail the relevant PowerShell commands used.
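The networking and hostname steps above, combined into one script as an added example (not from the page). It removes any DHCP lease or earlier static address first so New-NetIPAddress does not fail on a duplicate, sets DNS explicitly, and verifies the result before renaming and rebooting. Run it from the ESXi console, not over SSH, since it drops the existing address; values are the page's (10.0.17.4/24, gateway and DNS 10.0.17.2, adapter Ethernet0).

```powershell
# Added example: static addressing for dc1, idempotent and verified
$ErrorActionPreference = 'Stop'
$Adapter  = 'Ethernet0'
$Address  = '10.0.17.4'
$Prefix   = 24
$Gateway  = '10.0.17.2'
$Dns      = '10.0.17.2'
$HostName = 'dc1'

$if = Get-NetAdapter -Name $Adapter          # throws if the adapter name is wrong

# Clear DHCP and any previous static config; New-NetIPAddress refuses to overwrite an existing address
Set-NetIPInterface -InterfaceIndex $if.ifIndex -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $if.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $if.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

New-NetIPAddress -InterfaceIndex $if.ifIndex -IPAddress $Address -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
# New-NetIPAddress does not configure DNS; a DC pointed at the wrong resolver fails promotion
Set-DnsClientServerAddress -InterfaceIndex $if.ifIndex -ServerAddresses $Dns

# Verify before the rename/reboot
$ip = Get-NetIPAddress -InterfaceIndex $if.ifIndex -AddressFamily IPv4
if ($ip.IPAddress -ne $Address -or $ip.PrefixLength -ne $Prefix) {
    throw "IPv4 config mismatch: $($ip.IPAddress)/$($ip.PrefixLength)"
}
$dnsNow = (Get-DnsClientServerAddress -InterfaceIndex $if.ifIndex -AddressFamily IPv4).ServerAddresses
if ($Dns -notin $dnsNow) { throw "DNS server not set (got: $dnsNow)" }
if (-not (Test-NetConnection -ComputerName $Gateway -InformationLevel Quiet)) {
    Write-Warning "gateway $Gateway did not answer ICMP (may be filtered by the firewall)"
}

if ($env:COMPUTERNAME -ne $HostName.ToUpper()) {
    Rename-Computer -NewName $HostName -Force -Restart
}
```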
Install ADDS
Installing Active Directory Domain Services (ADDS) can be done as follows:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Create Domain & Install DNS
Once ADDS is installed, the domain can be created and this VM made a domain controller. The command to create a forest also allows for DNS server installation, so this will be accomplished during this step as well. The following PowerShell step is performed to accomplish this:
Install-ADDSForest -DomainName "reed.local" -InstallDNS

This will prompt for a DSRM (Safe Mode Administrator) password. Set one and record it, since it is the only way to log on if the directory fails to start, then select [A] to auto-accept all following prompts. The server reboots when promotion completes, which will drop the SSH session.
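The same promotion, as an added example (not from the page) that runs without interactive confirmations over SSH: the prerequisite check is run first with Test-ADDSForestInstallation, which reports problems such as an unset Administrator password or a DHCP-assigned address before anything is changed, and every parameter the installer would otherwise prompt for is explicit. The NetBIOS name REED is an assumption (it is what the installer would derive from reed.local).

```powershell
# Added example: checked, non-interactive forest creation for reed.local
$ErrorActionPreference = 'Stop'
$DomainName  = 'reed.local'
$NetbiosName = 'REED'          # assumed; the installer derives the same value

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

# DSRM password is prompted, never placed on the command line (shell history, transcripts)
$dsrm = Read-Host -AsSecureString 'DSRM (Safe Mode Administrator) password'

# Dry run: same parameters as the real install, nothing is modified
$check = Test-ADDSForestInstallation -DomainName $DomainName -DomainNetbiosName $NetbiosName `
             -SafeModeAdministratorPassword $dsrm -InstallDns
if ($check.Status -ne 'Success') {
    $check.Message | Write-Warning
    throw 'Forest installation prerequisites failed; fix the reported items first'
}

# -Force suppresses the [Y/A/N] prompts; the DC reboots on completion
Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -ForestMode WinThreshold -DomainMode WinThreshold `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force
```

After the reboot, reconnect and confirm promotion with `Get-ADDomainController` and `Get-Service ntds, dns, kdc` before moving on to DNS configuration.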
Base DNS Configuration
Primary Zone
Although DNS was installed and enabled in the previous step, it must still be configured. A reverse lookup zone (for PTR records) is created as follows:
Add-DNSServerPrimaryZone -NetworkID 10.0.17.0/24 -ZoneFile "17.0.10.in-addr.arpa.dns"

The zone name is derived from -NetworkID (17.0.10.in-addr.arpa); -ZoneFile only names the backing file, so naming it after the zone avoids confusion. On a domain controller an AD-integrated zone (-ReplicationScope Domain in place of -ZoneFile) is the more usual choice, since it replicates with the directory and supports secure dynamic updates.

Forwarding Address
In the event that DNS servers were previously configured for the VM, they may already be set as forwarding addresses for DNS. Otherwise, use the following command to set the forwarding address:
Add-DnsServerForwarder -IPAddress 10.0.17.2 -PassThru

Create DNS Entries
Once the forest is created and the new DC has been restarted, additional DNS entries for preexisting hosts must be added. The following commands create both A and PTR records for each host:
Add-DnsServerResourceRecordA -CreatePtr -Name "vcenter" -ZoneName "reed.local" -IPv4Address "10.0.17.3"
Add-DnsServerResourceRecordA -CreatePtr -Name "480-fw" -ZoneName "reed.local" -IPv4Address "10.0.17.2"
Add-DnsServerResourceRecordA -CreatePtr -Name "xubuntu-wan" -ZoneName "reed.local" -IPv4Address "10.0.17.100"
Add-DnsServerResourceRecordPtr -Name "4" -ZoneName "17.0.10.in-addr.arpa" -PtrDomainName "dc1.reed.local"

The A record for dc1 already exists (the DC registers it during promotion), so only the PTR record needs to be created. -PtrDomainName must be the fully qualified name, since it is stored as given; a bare "dc1" would make reverse lookups of 10.0.17.4 return an unqualified name.
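The DNS steps above (reverse zone, forwarder, A and PTR records for the listed hosts) as one added example that is not from the page. It is idempotent, so it can be re-run after a failed step; it creates the reverse zone AD-integrated rather than file-backed (my choice, noted above); and it finishes by resolving every host both ways against the local server, which catches the unqualified-PTR mistake and any typo in the record list. Host names and addresses are the page's.

```powershell
# Added example: DNS for reed.local on dc1, idempotent and verified
$ErrorActionPreference = 'Stop'
$Zone        = 'reed.local'
$Network     = '10.0.17.0/24'
$ReverseZone = '17.0.10.in-addr.arpa'
$Forwarder   = '10.0.17.2'
$Hosts = @{                           # name => IPv4, from the page
    'dc1'         = '10.0.17.4'
    'vcenter'     = '10.0.17.3'
    '480-fw'      = '10.0.17.2'
    'xubuntu-wan' = '10.0.17.100'
}

# Reverse zone: AD-integrated and replicated to every DC, secure dynamic updates only
if (-not (Get-DnsServerZone -Name $ReverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $Network -ReplicationScope Domain -DynamicUpdate Secure
}

# Forwarder to the firewall, added only if absent
$current = (Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString }
if ($Forwarder -notin $current) { Add-DnsServerForwarder -IPAddress $Forwarder }

foreach ($name in $Hosts.Keys) {
    $ip    = $Hosts[$name]
    $octet = $ip.Split('.')[-1]
    $a = Get-DnsServerResourceRecord -ZoneName $Zone -Name $name -RRType A -ErrorAction SilentlyContinue
    if (-not $a) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name -IPv4Address $ip -CreatePtr
    } elseif (-not (Get-DnsServerResourceRecord -ZoneName $ReverseZone -Name $octet -RRType Ptr -ErrorAction SilentlyContinue)) {
        # A record exists already (dc1 registers itself at promotion): add only the PTR, fully qualified
        Add-DnsServerResourceRecordPtr -ZoneName $ReverseZone -Name $octet -PtrDomainName "$name.$Zone."
    }
}

# Verify forward and reverse agree for every host
foreach ($name in $Hosts.Keys) {
    $fqdn = "$name.$Zone"
    $ip   = $Hosts[$name]
    $fwd  = (Resolve-DnsName -Name $fqdn -Type A   -Server 127.0.0.1).IPAddress
    $rev  = (Resolve-DnsName -Name $ip   -Type PTR -Server 127.0.0.1).NameHost
    if ($fwd -ne $ip)   { throw "$fqdn resolves to '$fwd', expected $ip" }
    if ($rev -ne $fqdn) { throw "$ip reverses to '$rev', expected $fqdn" }
    "$fqdn <-> $ip OK"
}
```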
Enable RDP
RDP is enabled with the following two commands. Leave Network Level Authentication on (the default; the UserAuthentication value under the WinStations\RDP-Tcp key stays 1) so that unauthenticated clients never reach the logon screen of a domain controller:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Install DHCP
Install-WindowsFeature DHCP -IncludeManagementTools

Create DHCP Security Groups
netsh dhcp add securitygroups
Restart-Service dhcpserver

Set DHCP Scope
Add DHCP Scope
The DHCP scope can be created using PowerShell:
Add-DHCPServerv4Scope -Name "<name>" -StartRange <start IP> -EndRange <end IP> -SubnetMask <subnet> -State Active

The range is 10.0.17.101 - 10.0.17.150. The subnet mask is 255.255.255.0.
Set Scope Lease Duration
The milestone’s proof video states that the lease time should be “1 hour,” but the system displays 1 day. As such, the lease duration is set to 1 day with the following command (the default is 8 days):

Set-DhcpServerv4Scope -ScopeId <network IP> -LeaseDuration 1.00:00:00

Configure Scope
The DHCP server is then configured to operate in the domain with the following command:
Set-DHCPServerv4OptionValue -ScopeID <network IP> -DnsDomain <domain> -DnsServer <DNS IP> -Router <gateway>

The network IP will be 10.0.17.0. The domain is reed.local and the DNS server is the DC, 10.0.17.4. The gateway is still 10.0.17.2, our firewall.
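The DHCP steps from installation through scope options, plus the AD authorization covered under Add DHCP to DC below, as one added example (not from the page) with the environment's values filled in. Authorization uses the DHCP server's own FQDN (dc1.reed.local) as -DnsName, the scope is only created if missing, and the script ends by checking the scope state, lease duration, options 3 and 6, and the authorization, since an unauthorized server on a domain member silently hands out nothing. The scope name and the Server Manager post-install flag step are my additions.

```powershell
# Added example: DHCP on dc1 for 10.0.17.0/24, with checks
$ErrorActionPreference = 'Stop'
$ScopeId    = '10.0.17.0'
$Mask       = '255.255.255.0'
$Start      = '10.0.17.101'
$End        = '10.0.17.150'
$Router     = '10.0.17.2'
$DnsServer  = '10.0.17.4'
$Domain     = 'reed.local'
$ServerFqdn = "$env:COMPUTERNAME.$Domain".ToLower()    # dc1.reed.local: the DHCP server, not the domain
$Lease      = New-TimeSpan -Days 1

Install-WindowsFeature -Name DHCP -IncludeManagementTools | Out-Null
netsh dhcp add securitygroups | Out-Null
Restart-Service dhcpserver

if (-not (Get-DhcpServerv4Scope -ScopeId $ScopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name "$Domain clients" -StartRange $Start -EndRange $End -SubnetMask $Mask -State Active
}
Set-DhcpServerv4Scope -ScopeId $ScopeId -LeaseDuration $Lease
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsDomain $Domain -DnsServer $DnsServer -Router $Router

# Authorize this server in AD (see Add DHCP to DC below); -DnsName is the server's FQDN
$authorized = Get-DhcpServerInDC | Where-Object { $_.IPAddress.IPAddressToString -eq $DnsServer }
if (-not $authorized) { Add-DhcpServerInDC -DnsName $ServerFqdn -IPAddress $DnsServer }

# Mark the role's post-install configuration as done so Server Manager stops flagging it
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name ConfigurationState -Value 2
Restart-Service dhcpserver

# Checks
$scope = Get-DhcpServerv4Scope -ScopeId $ScopeId
if ($scope.State -ne 'Active')      { throw 'scope is not active' }
if ($scope.LeaseDuration -ne $Lease) { throw "lease is $($scope.LeaseDuration), expected $Lease" }
$opts = Get-DhcpServerv4OptionValue -ScopeId $ScopeId
if (($opts | Where-Object OptionId -eq 6).Value -notcontains $DnsServer) { throw 'DNS server option (6) not set' }
if (($opts | Where-Object OptionId -eq 3).Value -notcontains $Router)    { throw 'router option (3) not set' }
if (-not (Get-DhcpServerInDC | Where-Object { $_.DnsName -eq $ServerFqdn })) { throw "$ServerFqdn is not authorized in AD" }
Get-DhcpServerInDC | Format-Table DnsName, IPAddress
```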
Add DHCP to DC
Lastly, the DHCP server is added to the DC:
Add-DhcpServerInDC -DnsName <DHCP server FQDN> -IpAddress <DC IP>

Here -DnsName is the fully qualified name of the DHCP server being authorized, dc1.reed.local, not the bare domain name, and the DC IP is 10.0.17.4. Authorization is what lets a domain-joined DHCP server hand out leases at all. After configuration is complete, restart the service:
Restart-Service dhcpserver

Create Named Domain Administrator
A new domain user can be created and added to the Domain Admins group as follows:
New-ADUser -Name "<username>" -AccountPassword (Read-Host -AsSecureString "Password") -Enabled $true
Add-ADGroupMember -Identity "Domain Admins" -Members <username>

DNS Server Updates
After DNS server creation and configuration on dc1, the DNS server on other machines in the environment (excepting the firewall) can be updated to 10.0.17.4.