
Active Directory Playground, Active Directory Certificate Services (ADCS), LDAPS


Windows Server

This is a tutorial for setting up a small Active Directory playground for testing purposes: one domain controller (WIN2022-1 in the examples) that also runs DNS and an Enterprise Root CA, plus one Windows client. That layout is fine for a lab; in production the root CA would not live on a domain controller.


License Key

Remove the license key from the old server if you want to transfer it from one server to another. Run both commands from PowerShell as Administrator.

Remove the license key:
slmgr.vbs /upk

Activate the new license, replacing "LICENSEKEY" with your license key:
dism /online /set-edition:ServerStandard /productkey:LICENSEKEY /accepteula


Remote Desktop Services

To enable Remote Desktop, open the Settings menu and search for "Remote Desktop Services":


Network Discovery

Turn on Network Discovery:


Active Directory

Static IP

Define a static IPv4 address and the default gateway / router. A domain controller must keep the same address, because every client will point at it as its DNS server:


ADDS and DNS

Select "Add a new forest" for the first DC, or "Add a domain controller to an existing domain" for a secondary DC. Define the domain name:

Wait until the NetBIOS name auto-completes and change it if necessary (15 characters or fewer):

Optional: define a path for the AD database on a dedicated partition

  • Install Active Directory
  • After the installation the server reboots
  • Log in with Domain\Administrator, in my example JKLUG\Administrator

Add Client to Domain

Define the domain controller's IPv4 address as the client's DNS server; the join fails if the client cannot resolve the domain's SRV records:

Reboot the client
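The same three steps ("Static IP", "ADDS and DNS", "Add Client to Domain") as a PowerShell script. This is an added example, not code from the original page: the DC address 192.168.70.2, the forest name jklug.local and the NetBIOS name JKLUG come from the page, while the adapter alias "Ethernet", the /24 prefix and the gateway 192.168.70.1 are assumptions.

```powershell
# Added example (not from the original page). Run as Administrator.
# From the page: DC 192.168.70.2, forest jklug.local, NetBIOS name JKLUG.
# Assumed: adapter alias "Ethernet", /24 subnet, gateway 192.168.70.1.

# ---------- On the future domain controller ----------
$Nic     = "Ethernet"
$DcIp    = "192.168.70.2"
$Gateway = "192.168.70.1"

Set-NetIPInterface -InterfaceAlias $Nic -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress   -InterfaceAlias $Nic -IPAddress $DcIp -PrefixLength 24 -DefaultGateway $Gateway
# A DC resolves against itself once the DNS role is installed by the promotion.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $DcIp

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# The DSRM password opens the AD database offline; protect it like a Domain Admin password.
$dsrm = Read-Host -AsSecureString "DSRM (Safe Mode) administrator password"
$forest = @{
    DomainName                    = "jklug.local"
    DomainNetbiosName             = "JKLUG"         # 15 characters or fewer
    ForestMode                    = "WinThreshold"  # Windows Server 2016 level, matching "7 = ( WIN2016 )" in the ldp output
    DomainMode                    = "WinThreshold"
    InstallDns                    = $true
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true
}
Install-ADDSForest @forest   # reboots the server when done; log in as JKLUG\Administrator

# ---------- On the client, after the DC is back up ----------
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "192.168.70.2"
# The join locates a DC through this SRV record; if it does not resolve,
# the DNS setting above is wrong and Add-Computer will fail.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.jklug.local" -Type SRV
Add-Computer -DomainName "jklug.local" -Credential (Get-Credential "JKLUG\Administrator") -Restart
```

The two halves run on different machines; the client half only makes sense once the DC has rebooted and its DNS zone answers the SRV query.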


DNS Server

After the client has joined the domain it is also listed in the DNS Manager (Server Manager / Tools / DNS):


Root CA Certificate, LDAP & LDAPS

Install Active Directory Certificate Services (ADCS)

Server Manager > Add roles and features

Installation Type: Role-based or feature-based installation

Server Selection: (Select target server)

Server Roles: Active Directory Certificate Services > Add Features

AD CS / Role Services: Certification Authority > Add Features

Confirmation: Check "Restart the destination server automatically if required" > Install

  • Wait until "Feature installation" is finished

AD CS Configuration

Server Manager > Post-deployment Configuration > Configure Active Directory Certificate Services on the destination server

Credentials: JKLUG\Administrator

Role Services: Certification Authority

Setup Type: Enterprise CA

CA Type: Root CA

Private Key: Create a new private key

Cryptography: (Default)

CA Name: (Default)

Validity Period: 5 Years (Default)

Certificate Database: (Default)

Confirmation > Configure

Results > Close

An Enterprise CA publishes its certificate into the forest, so domain members trust whatever it issues. That is what lets the LDAPS certificate work without copying files around, and it is also why the CA's private key is as sensitive as a domain admin account. A root CA on the domain controller is acceptable for this playground only.
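The role installation and the configuration wizard above, as an added PowerShell example (not code from the original page). The CA common name is the wizard default for this host; the provider, key length and hash algorithm are assumptions that correspond to the wizard's defaults, and the verification at the end only reads what the wizard created.

```powershell
# Added example (not from the original page). Run on the server that becomes
# the CA, as JKLUG\Administrator.

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

$ca = @{
    CAType              = "EnterpriseRootCA"
    CACommonName        = "jklug-WIN2022-1-CA"   # wizard default: <domain>-<host>-CA
    CryptoProviderName  = "RSA#Microsoft Software Key Storage Provider"   # assumed (wizard default)
    KeyLength           = 2048
    HashAlgorithmName   = "SHA256"
    ValidityPeriod      = "Years"
    ValidityPeriodUnits = 5
    Force               = $true
}
Install-AdcsCertificationAuthority @ca

# Verify: service running, root certificate self-signed and in the local Root store.
Get-Service CertSvc | Select-Object Name, Status
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=jklug-WIN2022-1-CA*" }
if (-not $root) { throw "CA certificate not found in LocalMachine\Root" }
"Subject    : " + $root.Subject
"Issuer     : " + $root.Issuer
"Signature  : " + $root.SignatureAlgorithm.FriendlyName
"Not after  : " + $root.NotAfter
"Thumbprint : " + $root.Thumbprint     # note it down; clients compare against this later
if ($root.Issuer -ne $root.Subject) { Write-Warning "Root CA certificate is not self-signed" }

# The CA's RPC interface is what enrollment clients talk to; -ping confirms it answers.
certutil -config "win2022-1.jklug.local\jklug-WIN2022-1-CA" -ping
```

Installing a second CA with the same common name is refused, so rerunning the script after a failed attempt requires removing the role first.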


Certification Authority

Create Certificate Template

  • Open the Certificate Templates Console, run: certtmpl.msc

Certificate Templates > Kerberos Authentication > Duplicate Template

General > Template display name: LDAPS-JKL

General > Validity period: 1 year

General > Check: Publish certificate in Active Directory

Request Handling > Check: Allow private key to be exported

Subject Name > Check: DNS name

Apply > OK

Kerberos Authentication is the right template to duplicate because it already carries the Server Authentication EKU, builds the subject from Active Directory (the requester cannot supply its own name), and by default can be enrolled only by domain controllers. "Allow private key to be exported" is only needed if the key has to move to another host; for a domain controller's LDAPS certificate it is safer to leave it unchecked, because an exported PFX lets any machine pose as the DC on port 636 until the certificate expires.

Issue Certificate Template

  • Open the Certification Authority console, run: certsrv.msc

Certification Authority (Local) > jklug-WIN2022-1-CA > Certificate Templates > (RM) > New > Certificate Template to Issue

Enable Certificate Templates > Select: LDAPS-JKL > OK
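Before publishing the duplicated template, it is worth reading it back from the configuration partition and checking the settings an attacker would look at first; this added example (not code from the original page) does that and then publishes LDAPS-JKL on the CA, which is what "Certificate Template to Issue" does in the console. The flag bit values and the Certificate-Enrollment right GUID are from MS-CRTD / the AD schema; the template name and domain are the page's. It covers both the "Create Certificate Template" and "Issue Certificate Template" steps.

```powershell
# Added example (not from the original page). Run on the CA as a domain admin.
Import-Module ActiveDirectory
Import-Module ADCSAdministration

$templateName = "LDAPS-JKL"
$configNC = (Get-ADRootDSE).configurationNamingContext
$tplDn    = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tpl = Get-ADObject -Identity $tplDn -Properties msPKI-Certificate-Name-Flag, msPKI-Private-Key-Flag, pKIExtendedKeyUsage, nTSecurityDescriptor

# MS-CRTD flag bits
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # in msPKI-Certificate-Name-Flag
$CT_FLAG_EXPORTABLE_KEY            = 0x00000010   # in msPKI-Private-Key-Flag
$OID_SERVER_AUTH                   = "1.3.6.1.5.5.7.3.1"
$GUID_CERTIFICATE_ENROLLMENT       = [guid]"0e10c968-78fb-11d2-90d4-00c04f79dc55"   # extended right

$findings = @()
if ($tpl.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) {
    $findings += "Requester may supply the subject/SAN: anyone who can enroll could request a certificate carrying the DC's name."
}
if ($tpl.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) {
    $findings += "Private key is exportable: a copied PFX lets another host pose as the DC on 636 until the certificate expires."
}
if ($tpl.pKIExtendedKeyUsage -notcontains $OID_SERVER_AUTH) {
    $findings += "No Server Authentication EKU: Schannel will not select this certificate for LDAPS."
}

# Who may enroll? For a DC certificate only the domain controller groups should appear.
# (Explicit Enroll / all-extended-rights ACEs only; GenericAll would also imply enrollment.)
$enrollers = $tpl.nTSecurityDescriptor.Access | Where-Object {
    $_.AccessControlType -eq "Allow" -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -eq $GUID_CERTIFICATE_ENROLLMENT -or $_.ObjectType -eq [guid]::Empty)
} | ForEach-Object { $_.IdentityReference.Value }
"Enroll allowed for: " + ($enrollers -join ", ")
foreach ($f in $findings) { Write-Warning $f }

# Publish on the CA; the template then shows up under Certificate Templates in certsrv.msc.
Add-CATemplate -Name $templateName -Force
Get-CATemplate | Where-Object Name -eq $templateName
```

With the template configured exactly as on this page, the exportable-key warning is expected; the other two checks should stay silent because the Kerberos Authentication template builds the subject from AD and includes the Server Authentication EKU.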


MMC Request new Certificate

  • Run: mmc

File > Add/Remove Snap-in… > Certificates > Add

Certificates snap-in > Select: Computer account > Next

Select Computer > Select: Local computer > Finish

Console Root > Certificates (Local Computer) > Personal > Certificates

(RM) All Tasks > Request New Certificate…

Select Certificate Enrollment Policy: Active Directory Enrollment Policy > Next

Request Certificates: Select LDAPS-JKL > Enroll > Finish

The request is made in the computer account's context, which is why the template's enrollment permission for domain controllers is sufficient and no user certificate is involved.
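The same enrollment from PowerShell, followed by the checks Schannel effectively applies when it picks an LDAPS certificate from the computer store. This is an added example, not code from the original page; the FQDN win2022-1.jklug.local is taken from the ldp output further down.

```powershell
# Added example (not from the original page). Run as Administrator on the DC.
$dcFqdn = "win2022-1.jklug.local"

$enroll = Get-Certificate -Template "LDAPS-JKL" -CertStoreLocation "Cert:\LocalMachine\My"
if ($enroll.Status -ne "Issued") { throw "Enrollment did not complete: status $($enroll.Status)" }
$cert = $enroll.Certificate

# A certificate in LocalMachine\My is usable for LDAPS when it has the Server
# Authentication EKU, the DC's FQDN in the SAN, an accessible private key and a
# chain to a trusted root. Each line below checks one of those.
$checks = [ordered]@{
    "Server Authentication EKU" = $cert.EnhancedKeyUsageList.ObjectId -contains "1.3.6.1.5.5.7.3.1"
    "FQDN in SAN"               = $cert.DnsNameList.Unicode -contains $dcFqdn
    "Private key present"       = $cert.HasPrivateKey
    "Chain valid for SSL"       = [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $dcFqdn -ErrorAction SilentlyContinue)
}
$checks.GetEnumerator() | ForEach-Object { "{0,-26}: {1}" -f $_.Key, $_.Value }
"Thumbprint : " + $cert.Thumbprint
"Valid until: " + $cert.NotAfter
if ($checks.Values -contains $false) {
    Write-Warning "LDAPS will not work with this certificate until every check passes."
}
```

If "Chain valid for SSL" is False on the DC itself, the CA certificate has not reached the local Trusted Root store yet; the Group Policy refresh in the next section is the usual fix.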


Active Directory

Note from the results page of the AD CS configuration wizard:

Active Directory Certificate Services added the root certificate of certificate chain 0 to the downloaded Trusted Root Certification Authorities Enterprise store on the CA computer. This store will be updated from the Certification Authorities container in Active Directory the next time Group Policy is applied. To verify that the CA certificate is published correctly in Active Directory, run the following command: certutil -viewstore "ldap:///CN=jklug-WIN2022-1-CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=jklug,DC=local?cACertificate?base?objectClass=certificationAuthority" (you must include the quotation marks when you run this command). If the root CA certificate is not present, use the Certificates console on the root CA computer to export the certificate to a file, and then run the following command to publish it to Active Directory: Certutil -dspublish %certificatefilename% Root.

# Check if root CA certificate is published in Active Directory
certutil -viewstore "ldap:///CN=jklug-WIN2022-1-CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=jklug,DC=local?cACertificate?base?objectClass=certificationAuthority"

Windows Client

# Update Group Policy so the client pulls the CA certificate into its Trusted Root store
gpupdate /force

Export & Import CA Certificate

Export Certificate

Certificates (Local Computer) > Personal > Certificates

Select: jklug-WIN2022-1-CA > (RM) All Tasks > Export

Select: No, do not export the private key > Next

Export File Format: Base-64 encoded X.509 (.CER) > Next

File to Export: C:\tmp\jklug-WIN2022-1-CA.cer

Only the public certificate leaves the CA; the private key stays in the CA's key store.

Import Certificate

  • Run PowerShell as Administrator
# Import the root CA on a Windows client (if not deployed with GPO); compare the file's thumbprint with the CA before trusting it
certutil -addstore "Root" .\jklug-WIN2022-1-CA.cer
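The export and import done from PowerShell, with a thumbprint comparison before the client trusts the file. This is an added example, not code from the original page; the CA name and file path follow the page, and the expected thumbprint is a placeholder you fill in from the CA.

```powershell
# Added example (not from the original page).

# ---------- On the CA computer: export the public certificate as Base-64 X.509 ----------
$ca = Get-ChildItem Cert:\LocalMachine\Root |
      Where-Object { $_.Subject -like "CN=jklug-WIN2022-1-CA*" -and $_.Issuer -eq $_.Subject }
if (-not $ca) { throw "Root CA certificate not found in LocalMachine\Root" }

# Export-Certificate writes DER only; wrap RawData as PEM to match the wizard's Base-64 option.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($ca.RawData, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----`r`n"
New-Item -ItemType Directory -Path C:\tmp -Force | Out-Null
Set-Content -Path C:\tmp\jklug-WIN2022-1-CA.cer -Value $pem -Encoding ascii
"Thumbprint to compare on the client: " + $ca.Thumbprint

# ---------- On the client: verify, then trust ----------
$file = ".\jklug-WIN2022-1-CA.cer"
$expectedThumbprint = "<thumbprint printed on the CA>"   # assumption: copied over by hand, not from the same channel as the file

$candidate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path $file).Path)
if ($candidate.Thumbprint -ne $expectedThumbprint) {
    throw "Thumbprint mismatch ($($candidate.Thumbprint)); not importing"
}
# Anything in LocalMachine\Root is trusted by every user and service on this machine,
# which is why the comparison above comes first.
Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $candidate.Thumbprint |
    Select-Object Subject, NotAfter, Thumbprint
```

The thumbprint check matters because a file in C:\tmp or on a share can be swapped: whoever gets their own root into a client's store can issue certificates that client will accept for any name.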

Ldp: Test LDAP Connection

Ldp is already installed on Windows Server, but not on the clients.

Install & open Ldp

  • Run: optionalfeatures

  • Install Active Directory Lightweight Directory Services

  • Open PS or CMD as Administrator

  • Start ldp.exe

Test Connection

LDAP

Server: 192.168.70.2 Port: 389

Connection > Connect…

This connection is plain TCP: the RootDSE read below is anonymous and unencrypted, so it only proves that the DC answers on 389. Any simple bind over this port would send the password in clear text.

ld = ldap_open("192.168.70.2", 389);
Established connection to 192.168.70.2.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=jklug,DC=local; 
currentTime: 03.11.2023 22:02:52 Mitteleuropäische Zeit; 
defaultNamingContext: DC=jklug,DC=local; 
dnsHostName: win2022-1.jklug.local; 
domainControllerFunctionality: 7 = ( WIN2016 ); 
domainFunctionality: 7 = ( WIN2016 ); 
dsServiceName: CN=NTDS Settings,CN=WIN2022-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=jklug,DC=local; 
forestFunctionality: 7 = ( WIN2016 ); 
highestCommittedUSN: 20506; 
isGlobalCatalogReady: TRUE; 
isSynchronized: TRUE; 
ldapServiceName: jklug.local:win2022-1$@JKLUG.LOCAL; 
namingContexts (5): DC=jklug,DC=local; CN=Configuration,DC=jklug,DC=local; CN=Schema,CN=Configuration,DC=jklug,DC=local; DC=DomainDnsZones,DC=jklug,DC=local; DC=ForestDnsZones,DC=jklug,DC=local; 
rootDomainNamingContext: DC=jklug,DC=local; 
schemaNamingContext: CN=Schema,CN=Configuration,DC=jklug,DC=local; 
serverName: CN=WIN2022-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=jklug,DC=local; 
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=jklug,DC=local; 
supportedCapabilities (6): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 ); 
supportedControl (40): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255 = ( SET_OWNER ); 1.2.840.113556.1.4.2256 = ( BYPASS_QUOTA ); 1.2.840.113556.1.4.2309 = ( LINK_TTL ); 1.2.840.113556.1.4.2330; 1.2.840.113556.1.4.2354; 
supportedLDAPPolicies (20): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxDirSyncDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent; 
supportedLDAPVersion (2): 3; 2; 
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5; 

-----------
0x0 = ldap_unbind(ld);

LDAPS

Server: win2022-1.jklug.local Port: 636 Check: SSL

Connection > Connect…

Use the DC's FQDN here, not its IP address: the certificate's subject alternative name contains win2022-1.jklug.local, and the TLS handshake checks the name you connected to against it. The chain is validated against the client's Trusted Root store, so this step does not succeed until the CA certificate has been imported there.

ld = ldap_sslinit("win2022-1.jklug.local", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to win2022-1.jklug.local.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=jklug,DC=local; 
currentTime: 31.10.2023 22:49:41 Mitteleuropäische Zeit; 
defaultNamingContext: DC=jklug,DC=local; 
dnsHostName: win2022-1.jklug.local; 
domainControllerFunctionality: 7 = ( WIN2016 ); 
domainFunctionality: 7 = ( WIN2016 ); 
dsServiceName: CN=NTDS Settings,CN=WIN2022-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=jklug,DC=local; 
forestFunctionality: 7 = ( WIN2016 ); 
highestCommittedUSN: 20647; 
isGlobalCatalogReady: TRUE; 
isSynchronized: TRUE; 
ldapServiceName: jklug.local:win2022-1$@JKLUG.LOCAL; 
namingContexts (5): DC=jklug,DC=local; CN=Configuration,DC=jklug,DC=local; CN=Schema,CN=Configuration,DC=jklug,DC=local; DC=DomainDnsZones,DC=jklug,DC=local; DC=ForestDnsZones,DC=jklug,DC=local; 
rootDomainNamingContext: DC=jklug,DC=local; 
schemaNamingContext: CN=Schema,CN=Configuration,DC=jklug,DC=local; 
serverName: CN=WIN2022-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=jklug,DC=local; 
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=jklug,DC=local; 
supportedCapabilities (6): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 ); 
supportedControl (40): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255 = ( SET_OWNER ); 1.2.840.113556.1.4.2256 = ( BYPASS_QUOTA ); 1.2.840.113556.1.4.2309 = ( LINK_TTL ); 1.2.840.113556.1.4.2330; 1.2.840.113556.1.4.2354; 
supportedLDAPPolicies (20): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxDirSyncDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent; 
supportedLDAPVersion (2): 3; 2; 
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
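The same LDAPS test from PowerShell, for clients where installing AD LDS just to get ldp.exe is not wanted. This is an added example, not code from the original page: it opens TLS to port 636 with the default .NET validation (chain and hostname checked against the machine's Trusted Root store, nothing bypassed), prints what the DC presented, and then reads RootDSE over an LDAP session that uses that TLS channel. Host and port are the page's.

```powershell
# Added example (not from the original page). Run as a domain user on a domain-joined client.
$server = "win2022-1.jklug.local"
$port   = 636

# 1. Raw TLS handshake: which certificate does the DC present and does it validate?
$tcp = New-Object System.Net.Sockets.TcpClient($server, $port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)   # no callback = full validation
try {
    $ssl.AuthenticateAsClient($server)   # throws AuthenticationException on an untrusted chain or name mismatch
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Protocol : {0}, cipher {1} ({2}-bit)" -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength
    "Subject  : " + $leaf.Subject
    "Issuer   : " + $leaf.Issuer
    "SAN DNS  : " + ($leaf.DnsNameList.Unicode -join ", ")
    "Expires  : " + $leaf.NotAfter
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

# 2. LDAP over TLS: Kerberos bind (no password on the wire), then the RootDSE read ldp does.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, $port, $true, $false)
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$ldap.SessionOptions.SecureSocketLayer = $true
$ldap.SessionOptions.ProtocolVersion   = 3
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$ldap.Bind()

$attrs = @("dnsHostName", "defaultNamingContext", "ldapServiceName", "supportedSASLMechanisms")
$req   = New-Object System.DirectoryServices.Protocols.SearchRequest("", "(objectClass=*)", "Base", $attrs)
$res   = $ldap.SendRequest($req)
foreach ($entry in $res.Entries) {
    foreach ($name in $entry.Attributes.AttributeNames) {
        "{0}: {1}" -f $name, ($entry.Attributes[$name].GetValues([string]) -join "; ")
    }
}
$ldap.Dispose()
```

If step 1 throws, the client does not trust the CA (import the root as described above) or the name you connected to is not in the SAN; fix that rather than adding a callback that returns $true, which would turn LDAPS into encryption without authentication.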