Windows Server #
This is a tutorial to set up a small Active Directory Playground for testing purposes.
License Key #
Remove the License Key from the old server in case you want to transfer it from one server to another. Run both commands from PowerShell as Administrator.
Remove the License Key:
slmgr.vbs /upk
Activate new license, replace “LIZENZKEY” with your license key:
dism /online /set-edition:ServerStandard /productkey:LIZENZKEY /accepteula
Remote Desktop Services #
To enable Remote Desktop Services, open the Settings menu and search for “Remote Desktop Services”:
Network Discovery #
Turn on Network Discovery:
Active Directory #
Static IP #
Define a static IPv4 address and the default gateway / router:
ADDS and DNS #
Select “Add a new forest” for the first DC or “Add a domain controller to an existing domain” for a secondary DC.
Define the Domain Name:
Wait until the NetBIOS name auto-completes and change it if necessary (less than 15 characters):
Optional: define the path for the AD database on a dedicated partition
- Install Active Directory
- After the installation the Server reboots
- Log in with Domain\Administrator; in my example it’s JKLUG\Administrator
Add Client to Domain #
Define the Domain Controller IPv4 Address as DNS server:
Reboot the Client
DNS Server #
After the client has been added to the domain, it is also listed in the DNS Manager (Server Manager / Tools / DNS):
Root CA Certificate, LDAP & LDAPS #
Install Active Directory Certificate Services (ADCS) #
Server Manager > Add roles and features
Installation Type: Role-based or feature-based installation
Server Selection: (Select target server)
Server Roles: Active Directory Certificate Services
> Add Features
AD CS / Role Services: Certification Authority
> Add Features
Confirmation: Check Restart the destination server automatically if required
> Install
- Wait till “Feature installation” is finished
AD CS Configuration #
Server Manager > Post-deployment Configuration > Configure Active Directory Certificate Services on the destination server
Credentials: JKLUG\Administrator
Role Services: Certification Authority
Setup Type: Enterprise CA
CA Type: Root CA
Private Key: Create a new private key
Cryptography: (Default)
CA Name: (Default)
Validity Period: 5 Years
(Default)
Certificate Database: (Default)
Confirmation > Configure
Results > Close
Certification Authority #
Create Certificate Template #
- Open Certificate Templates Console, run:
certtmpl.msc
Certificate Templates > Kerberos Authentication > Duplicate Template
General > Templates display name: LDAPS-JKL
General > Validity period: 1 years
General > Check: Publish certificate in Active Directory
Request Handling > Check: Allow private key to be exported
Subject Name > Check: DNS name
Apply > OK
Issue Certificate Template #
- Open Certification Authority, run:
certsrv.msc
Certification Authority (Local) > jklug-WIN2022-1-CA >
Certificate Templates > (RM) > New > Certificate Template to Issue
Enable Certificate Templates > Select: LDAPS-JKL
> OK
MMC Request new Certificate #
- Run:
mmc
File > Add/Remove Snap-in… > Certificate > Add
Certificates snap-in > Select: Computer account > Next
Select Computer > Select: Local Computer > Finish
Console Root > Certificates (Local Computer) > Personal > Certificates
(RM)All Tasks > Request New Certificate…
Select Certificate Enrollment Policy: Active Directory Enrollment Policy > Next
Request Certificates: Select LDAPS-JKL
> Enroll > Finish
Active Directory #
Active Directory Certificate Services added the root certificate of certificate chain 0 to the downloaded Trusted Root Certification Authorities Enterprise store on the CA computer. This store will be updated from the Certification Authorities container in Active Directory the next time Group Policy is applied. To verify that the CA certificate is published correctly in Active Directory, run the following command: certutil -viewstore “ldap:///CN=jklug-WIN2022-1-CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=jklug,DC=local?cACertificate?base?objectClass=certificationAuthority” (you must include the quotation marks when you run this command). If the root CA certificate is not present, use the Certificates console on the root CA computer to export the certificate to a file, and then run the following command to publish it to Active Directory: Certutil -dspublish %certificatefilename% Root.
# Check if root CA certificate is published in Active Directory
certutil -viewstore "ldap:///CN=jklug-WIN2022-1-CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=jklug,DC=local?cACertificate?base?objectClass=certificationAuthority"
Windows Client #
# Update Group Policy
gpupdate /force
Export & Import CA Certificate #
Export Certificate #
Certificates (Local Computer) > Personal > Certificates
Select: jklug-WIN2022-1-CA
> (RM) All Tasks > Export
Select: No, do not export the private key > Next
Export File Format: Base-64 encoded X.509 (.CER) > Next
File to Export: C:\tmp\jklug-WIN2022-1-CA.cer
Import Certificate #
- Run PowerShell as Administrator
# Import Root CA on Windows client (if not deployed via GPO)
certutil -addstore "Root" .\jklug-WIN2022-1-CA.cer
Ldp: Test LDAP Connection #
Ldp is already installed on Windows Server, but not on the clients.
Install & open Ldp #
- Run:
optionalfeatures
- Install: Active Directory Lightweight Directory Services
- Open PS or CMD as Administrator
- Start:
ldp.exe
Test Connection #
LDAP #
Server: 192.168.70.2 Port: 389
Connection > Connect…
ld = ldap_open("192.168.70.2", 389);
Established connection to 192.168.70.2.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=jklug,DC=local;
currentTime: 03.11.2023 22:02:52 Mitteleuropäische Zeit;
defaultNamingContext: DC=jklug,DC=local;
dnsHostName: win2022-1.jklug.local;
domainControllerFunctionality: 7 = ( WIN2016 );
domainFunctionality: 7 = ( WIN2016 );
dsServiceName: CN=NTDS Settings,CN=WIN2022-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=jklug,DC=local;
forestFunctionality: 7 = ( WIN2016 );
highestCommittedUSN: 20506;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: jklug.local:win2022-1$@JKLUG.LOCAL;
namingContexts (5): DC=jklug,DC=local; CN=Configuration,DC=jklug,DC=local; CN=Schema,CN=Configuration,DC=jklug,DC=local; DC=DomainDnsZones,DC=jklug,DC=local; DC=ForestDnsZones,DC=jklug,DC=local;
rootDomainNamingContext: DC=jklug,DC=local;
schemaNamingContext: CN=Schema,CN=Configuration,DC=jklug,DC=local;
serverName: CN=WIN2022-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=jklug,DC=local;
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=jklug,DC=local;
supportedCapabilities (6): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 );
supportedControl (40): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255 = ( SET_OWNER ); 1.2.840.113556.1.4.2256 = ( BYPASS_QUOTA ); 1.2.840.113556.1.4.2309 = ( LINK_TTL ); 1.2.840.113556.1.4.2330; 1.2.840.113556.1.4.2354;
supportedLDAPPolicies (20): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxDirSyncDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
-----------
0x0 = ldap_unbind(ld);
LDAPS #
Server: win2022-1.jklug.local Port: 636 Check: SSL
Connection > Connect…
ld = ldap_sslinit("win2022-1.jklug.local", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to win2022-1.jklug.local.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=jklug,DC=local;
currentTime: 31.10.2023 22:49:41 Mitteleuropäische Zeit;
defaultNamingContext: DC=jklug,DC=local;
dnsHostName: win2022-1.jklug.local;
domainControllerFunctionality: 7 = ( WIN2016 );
domainFunctionality: 7 = ( WIN2016 );
dsServiceName: CN=NTDS Settings,CN=WIN2022-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=jklug,DC=local;
forestFunctionality: 7 = ( WIN2016 );
highestCommittedUSN: 20647;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: jklug.local:win2022-1$@JKLUG.LOCAL;
namingContexts (5): DC=jklug,DC=local; CN=Configuration,DC=jklug,DC=local; CN=Schema,CN=Configuration,DC=jklug,DC=local; DC=DomainDnsZones,DC=jklug,DC=local; DC=ForestDnsZones,DC=jklug,DC=local;
rootDomainNamingContext: DC=jklug,DC=local;
schemaNamingContext: CN=Schema,CN=Configuration,DC=jklug,DC=local;
serverName: CN=WIN2022-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=jklug,DC=local;
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=jklug,DC=local;
supportedCapabilities (6): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 );
supportedControl (40): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255 = ( SET_OWNER ); 1.2.840.113556.1.4.2256 = ( BYPASS_QUOTA ); 1.2.840.113556.1.4.2309 = ( LINK_TTL ); 1.2.840.113556.1.4.2330; 1.2.840.113556.1.4.2354;
supportedLDAPPolicies (20): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxDirSyncDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
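A scripted version of the Ldp LDAPS test above, added here as an example and not part of the original tutorial: it binds to port 636 with Kerberos, accepts the server certificate only if it carries the DC's DNS name and chains to the root CA exported earlier, and then reads the same RootDSE attributes Ldp prints. It assumes Windows PowerShell 5.1 on a domain-joined client, the DC FQDN win2022-1.jklug.local and the export path C:\tmp\jklug-WIN2022-1-CA.cer from the steps above.

```powershell
# Added example, not part of the original tutorial: script the LDAPS check that Ldp does by hand.
# It binds to port 636 with Kerberos, accepts the server certificate only if it chains to OUR
# root CA and carries the DC's DNS name, then reads the same RootDSE attributes Ldp prints.
# Assumptions: DC FQDN win2022-1.jklug.local and the root CA exported as C:\tmp\jklug-WIN2022-1-CA.cer.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dcFqdn     = 'win2022-1.jklug.local'
$rootCaPath = 'C:\tmp\jklug-WIN2022-1-CA.cer'    # Base-64 X.509 file from the "Export Certificate" step
$rootCa     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCaPath)

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dcFqdn, 636, $true, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # Kerberos from a domain-joined client

# This callback replaces the default Schannel validation, so it must do both checks itself.
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, $certificate)
    $srv  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    # First DNS entry of the SAN (the host FQDN with the Kerberos Authentication template), else the CN
    $name = $srv.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'              # playground CA: no reachable CRL
    [void]$chain.ChainPolicy.ExtraStore.Add($rootCa)           # works even before GPO has pushed the root
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $built = $chain.Build($srv)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host ('Server cert: {0} | issuer: {1} | valid until: {2}' -f $srv.Subject, $srv.Issuer, $srv.NotAfter)
    # Pin to our root's thumbprint: a cert from any other CA (even one Windows trusts) is rejected
    return ($built -and $name -eq $dcFqdn -and $root.Thumbprint -eq $rootCa.Thumbprint)
}.GetNewClosure()

try {
    $conn.Bind()                                               # TLS handshake and SASL bind happen here
    $attrs = [string[]]@('dnsHostName', 'ldapServiceName', 'supportedSASLMechanisms')
    $req   = [System.DirectoryServices.Protocols.SearchRequest]::new($null, '(objectClass=*)', 'Base', $attrs)
    $dse   = $conn.SendRequest($req).Entries[0]                # RootDSE, as in the Ldp output above
    foreach ($a in $attrs) {
        '{0}: {1}' -f $a, ($dse.Attributes[$a].GetValues([string]) -join '; ')
    }
    'LDAPS to {0}:636 OK, chain anchored at "{1}"' -f $dcFqdn, $rootCa.Subject
} catch [System.DirectoryServices.Protocols.LdapException] {
    # A rejected certificate surfaces here as "The LDAP server is unavailable" (error 81)
    Write-Error ('LDAPS check failed: {0} (LDAP error {1})' -f $_.Exception.Message, $_.Exception.ErrorCode)
} finally {
    $conn.Dispose()
}
```

Run it once against the DC and once with a deliberately wrong `$rootCaPath` (for example a self-signed test certificate) to confirm the bind is refused when the chain does not end at the enterprise root.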