IR 310: Making a Domain Controller (10 pts)
What You Need for this Project
Purpose
To prepare an environment like that used in real enterprises,
appropriate for security projects.
Creating a Windows Cloud Server
Create a server with the largest possible SSD (65 GB),
4 cores, and 15 GB RAM, running Windows 2016 Server,
as shown below.
Connect with RDP and log in with the account Google Cloud
created, as usual.
When a blue "Networks" bar appears at the right
of your desktop,
click Yes.
Adding the "Active Directory Domain Services" Role
If Server Manager is not open,
click Start, "Server Manager"
to open it.
In "Server Manager", make these selections:
- Click "2 Add roles and features"
In the "Before you begin" page, click Next
- In the "Select installation type" page,
accept the default selection of
"Role-Based or feature-based installation"
and click Next.
- In the "Select destination server" page,
accept the default selection,
and click Next.
- In the "Select server roles" page,
click the box next to
"Active Directory Domain Services".
- An "Add Roles and Features Wizard" box pops up. Click the
"Add Features" button.
- In the "Select server roles" page,
click Next.
- In the "Select features" page,
click Next.
- In the "Active Directory Domain Services" page,
click Next.
- In the "Confirm installation selections" page,
verify that your screen matches the image below,
and click Install.
A progress bar move across the window.
When it finishes, it shows a gray message
near the top saying
"Configuration required".
Click Close
Promoting the Server
At the top right of the
Server Manager window,
click the yellow triangle.
Click
"Promote this server to a
domain controller",
as shown below.
In the "Active Directory Domain Services
Configuration Wizard", make these selections:
- In the "Deployment configuration" page,
click the
"Add a new forest" button.
Enter a Root domain name of
hackme.com and
click Next.
- In the "Domain controller options" page,
accept the default selections. When the page finishes
loading,
enter P@ssw0rd in both
password boxes and
click Next.
(You may prefer to choose a more secure password.)
- The "DNS options" page has a yellow
message saying "A delegation for this DNS
server cannot be created...". That's normal.
Click Next.
- In the "Additional options" page,
accept the default NetBIOS
domain name,
and
click Next.
- In the "Paths" page,
accept the default options,
and click Next.
- In the "Review Options" page,
verify that your screen matches the image below,
and click Next.
A red bar appears, saying
"One or more prerequisites failed...".
In the lower right, the problem is explained:
the administrator password does not meet
requirements,
as shown below,
Assigning an Administrator Password
At the lower left of the desktop,
right-click the Start button.
Click "Command Prompt (Admin)".
In the User Account Control box,
click Yes.
In the Administrator Command Prompt
window, execute
this command:
net user administrator P@ssw0rd123
(You may prefer to choose a more secure password.)
Close the Administrator Command Prompt window.
In the "Active Directory Domain Services
Configuration Wizard",
on the "Prerequisites Check" page,
at the top center, in small blue type,
click "Rerun prerequisites check".
Now the check passes,
as shown below.
Click Install.
The server installs software and
restarts.
Logging In
Connect again via RDP.
Log in with these credentials:
- Username: HACKME\Administrator
- Password: P@ssw0rd123
The login process takes several minutes,
waiting for the Group Policy Client.
Creating the Wally Account
We'll need a non-administrator
domain user
named "Wally".
If Server Manager is not open,
click Start, "Server Manager"
to open it.
In Server Manager, in the top right,
click Tools,
"Active Directory Users and Computers".
In the left pane, expand hackme.com
and right-click Users.
Click New, User,
as shown below.
In the "New Object - User" box,
enter these values, as shown below.
- First name: Wally
- User logon name: wally
Click Next.
In the next screen,
enter these values, as shown below.
- Password: W@lly123
- Confirm password: W@lly123
- User must change password at next login: Clear
- User cannot change password: Clear
- Password never expires: Check
- Account is disabled: Clear
Click Next.
Click Finish.
Flag IR 310.1: Site (10 pts)
In
"Active Directory Users and Computers",
in the left pane, click
"Domain Controllers".
The flag is covered by a green box in the image below.
Posted 10-26-19 9:41 am