Windows Server 2019 and Active Directory



Hi,

I installed Windows Server 2019 on VirtualBox, installed AD and promoted it to a domain controller by following the steps from this link

https://computingforgeeks.com/how-to-install-active-directory-domain-services-in-windows-server/

What are the next steps I need to take in order to learn Active Directory basics plz?

I have VirtualBox installed on my Win 10 Pro laptop. If someone can help me with the next steps needed to achieve this I would greatly appreciate it. I am not looking for step-by-step instructions, just the next steps needed to accomplish this, as I can google how to do it.

TIA


Back when I was in school several years ago these were the steps to follow:

1. Install and build a DHCP scope.

2. Install a WINS server and automate delivery through DHCP

3. Create group in AD

4. Create users in AD

5. Adding users to groups

6. Set up a domain wide account policy

7. Join a computer to the domain

8. Setup and implement roaming profile for each user

9. Setup and implement home directory for each user

10. Create a mild group policy

11. Install Exchange Server on Win 2019 server and add users

12. Create multiple shares on network and link through DFS to share data with users.

 

If things have changed since then, feel free to add or remove steps needed or not needed.

 

Thx again

 


The question doesn't make much sense, or is too broad. You need to know what you're trying to achieve if you want to learn how to do it.

 

Create a user? Add an object? Set a password expiration?

 

EDIT: Ok, just saw your second post. That makes a bit more sense, I guess you could look into how to perform those steps to start with. (Y)


1 hour ago, Nick H. said:

The question doesn't make much sense, or is too broad. You need to know what you're trying to achieve if you want to learn how to do it.

 

Create a user? Add an object? Set a password expiration?

 

EDIT: Ok, just saw your second post. That makes a bit more sense, I guess you could look into how to perform those steps to start with. (Y)

Nick or others,

 

When setting up a DHCP scope for a home server, what should I put for start IP and end IP? Can I add this 192.168.150.1 for start and 192.168.150.40 for end? Then for exclusions, 192.168.150.1 to 192.168.150.20? Is this OK? I am pretty sure it doesn't matter as this is just for learning purposes. Can someone confirm this for me plz.

 

Sorry for the question as I am new to this.

 

TIA

Edited by Bruinator

I am under the assumption this is a homelab you have set up for the sole intention of learning new things?

 

Here is a short list of AD subjects I focused on while hunting for a job a few years back:

 

FSMO Roles - know and explain

Understanding Group Policy Precedence

Understand sites and how to configure

DNS is where I struggled, things like DHCP integration, delegation, etc

Learn the common advanced features and how you would enable them

Domain levels

Tools like dcdiag

 

 

This was a Reddit post I had saved:

 

Quote

Before you do anything, you need to construct a closed network. I used VMware Workstation to accomplish this and this assumes Server 2012R2. Also, for the purposes of this lab, turn off the Windows firewall. In real life, you'll need to open ports as you see fit. In some networks, it's standard that all servers have their firewalls turned off. It really depends on your environment and what rules they follow.

Create two networks/VLANs (desktops and servers)

Install Windows Server (VM or standard hardware dealer's choice) GUI Mode.

Set up the server as a basic router between the two networks. You'll need 2 NICs to accomplish this. (NOTE: unless you have a really good reason for this, you will never do this in a production environment. But because this is a lab situation in VMware Workstation and because the product does not support routing between networks, you'll need to put something very basic in place. Windows routing will get the job done and will be on an MCP exam.)

Install another server, single NIC on the server VLAN

Create your first active directory domain controller. Install this in GUI mode

Create another server but this time make it a core server. Make it a domain controller

Test AD replication via the gui and cmd.

Create an OU for your workstations, create an OU for your users, and an OU for groups. From now on, any new computer or new user account must go into their respective OU. DO NOT MOVE THE DOMAIN CONTROLLERS FROM THE DOMAIN CONTROLLER OU.

Check out DNS. Do you have a reverse look up zone? No? Then set it up.

Check out DNS. Records can get old and out of date and will screw up name to ip resolution. Make it so that scavenging happens automatically.

You need to block facebook.com via windows DNS. Make it so that when a DNS look up is performed, computers use a loop back address. Test this via cmd to make sure it resolves as expected.

Set up DHCP on the first domain controller.

Set up a scope to hand out IPs for the Desktop VLAN. Make it so that this DHCP scope will be able to give endpoints the information they need networking wise to join a domain

Install a Windows 7 or newer PC on the desktop VLAN

Your desktops aren't getting IPs. Why? (hint: it's a routing/broadcast/relay issue)

Join that desktop to the domain

Now that you're getting IPs from your DHCP server, configure DHCP clustering. Loadbalancing or failover is your choice. Now test it.

Create a non-domain admin account in AD. Fill out the whole profile once the account is created.

Login to that desktop as a regular AD user and an Admin user. Try to install software under the non-admin account first and then the admin account. What's the difference?

Create another non-admin account. Make this non-admin user a local admin on that computer. Who else is also a local admin before you make any changes?

Review the attributes of that account in AD. You'll need advanced features for this.

Create an AD group. Add the first non-admin account to this group.

On that desktop, install the RSAT tools so you can remotely manage another computer

Setup remote management on the core server so that it can be managed from the MMC of another computer (there are a number of ways to do this)

Find out what server is holding the FSMO roles via the gui and the command prompt.

Split the FSMO roles between the servers. Try to keep forest level and domain level roles together.

On one of the domain controllers, create a file share set it so that only administrators and the second non admin account have access to it. Create another folder and give only the AD group you created permissions.

Use group policy to map both shares as network drives as a computer policy to the desktops.

Login to the desktop as the first domain user. Do you see the network drive mapped in windows explorer? No? Use gpresult to find out why. If you do see it, try to access the drive. You should be denied if you set permissions correctly. Login as the second domain user, they should be able to open the mapped drive.

What if the account in the group tries to access the second drive? You should be able to get in.

Log in to the workstation as the second non-admin account. You should not have access to this drive because you are not in the group. Do not log off. Add this account to the group. Can you access the drive now? No? Log off and log back in. Can you access the drive now?

Remove the share from the domain controller. We don't like putting shares on domain controllers if we don't have to.

Build out another two servers and join them to the domain as member servers.

Install DFS and File server roles/features on both servers.

Create a file share on both servers with the same folder name. Create files on both servers. Make sure they are different (i.e. server 1 will have "TextDoc01", server 2 will have "TextDoc02" in their shares).

Create a DFS name space. Add those shares to the name space.

On a domain joined work station, navigate to the DFS namespace you created. You should be able to see both files.

Create a DFS Replication group. Make it so that you have two way replication. You should now see both files on both servers. Make a change on one server and see if it replicates to another server. Does it work? Great. (you can shut down the file servers for now if you want or use them for the next step)

Create another server, join it to the domain, install Windows Deployment Service (WDS) and Windows Server Update Service (WSUS). You can choose to use the file servers you've already created instead of building out another VM. You only need one file server.

Configure WDS so that you can PXE boot to it on the network. Make any required changes to routing and DHCP if need be.

Upload an image to WDS for PXE deployment. Use WAIK and sysprep if you need to. (I haven't done this in a long time so you might not need sysprep anymore with WAIK, look it up)

Create a new desktop VM but do not install an OS on it. Instead tell it to perform a PXE boot when you turn it on, have it install the OS from here.

Configure WSUS so that you will only download Security updates for the desktop and server OSes (highly recommend that you do not download any updates if you have access to the internet from this server)

(Bonus points: install WSUS on another server and create a downstream server)

Create some groups in WSUS. Servers and workstations will do nicely.

Create a new group policy that points workstations into the WSUS workstation group, points to WSUS for updates, and stop workstations from automatically downloading updates.

Read up on approving and pushing updates since the current assumption is that there are no updates to be pushed in this enclosed test network since there is no internet access to download them. I believe there is a way to manually add updates to WSUS but I'm a bit foggy on that. Research it.

Do the same for servers.

Create a new AD user via PowerShell.

Create a new AD group via PowerShell.

Print a list of all domain users and computers in PowerShell, names only.

Use PowerShell to pull a list of users who have New York as their office. If no users have New York listed as their office, use PowerShell to set that attribute and then pull users who have New York as their office.

Remove a user account from AD using PowerShell.

Add a user to a group using PowerShell.

Provision new AD users via a CSV in PowerShell.

This is really only scratching the surface of a typical medium-large to enterprise level network. But this should be enough to get you started.

 

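The PowerShell tasks that close the quoted list (create a group, provision users from a CSV, add them to a group, query by office), as an added example that is not part of the post above or of the quoted Reddit list. It assumes the RSAT ActiveDirectory module on Windows PowerShell 5.1; the OU paths, group name, UPN suffix and CSV rows are hypothetical lab values.

```powershell
# Added example: assumes the ActiveDirectory module and Windows PowerShell 5.1.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web   # Membership.GeneratePassword (.NET Framework only)

# Hypothetical lab values; replace with your own domain, OUs and group.
$UserOU  = 'OU=Lab Users,DC=lab,DC=example'
$GroupOU = 'OU=Lab Groups,DC=lab,DC=example'
$Group   = 'FileShare-Readers'
$Suffix  = 'lab.example'

# Constructed sample input, written to a temp file so the script is self-contained.
$CsvPath = Join-Path $env:TEMP 'new-users.csv'
@'
GivenName,Surname,SamAccountName,Office
Alice,Example,aexample,New York
Bob,Sample,bsample,Boston
'@ | Set-Content -Path $CsvPath

# Create the security group once if it is missing.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security -Path $GroupOU
}

$created = foreach ($row in Import-Csv -Path $CsvPath) {
    # Skip accounts that already exist so the script can be re-run safely.
    if (Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'") {
        Write-Warning "$($row.SamAccountName) already exists, skipping"
        continue
    }
    # A unique random initial password per user, never one shared default.
    $plain  = [System.Web.Security.Membership]::GeneratePassword(20, 4)
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # New accounts go straight into the users OU, as the list requires.
    New-ADUser -Name "$($row.GivenName) $($row.Surname)" `
        -GivenName $row.GivenName -Surname $row.Surname `
        -SamAccountName $row.SamAccountName `
        -UserPrincipalName "$($row.SamAccountName)@$Suffix" `
        -Office $row.Office -Path $UserOU `
        -AccountPassword $secure -Enabled $true -ChangePasswordAtLogon $true

    Add-ADGroupMember -Identity $Group -Members $row.SamAccountName
    [pscustomobject]@{ SamAccountName = $row.SamAccountName; InitialPassword = $plain }
}

# Shown once for hand-off in the lab; do not write initial passwords to disk.
$created | Format-Table -AutoSize

# The "New York office" query from the list, names only.
Get-ADUser -Filter "Office -eq 'New York'" | Select-Object -ExpandProperty Name
```

The initial password must still satisfy the domain's account policy, so a stricter policy than the default may need a longer length passed to `GeneratePassword`.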

10 hours ago, Circaflex said:

I am under the assumption this is a homelab you have set up for the sole intention of learning new things?

 

Here is a short list of AD subjects I focused on while hunting for a job a few years back:

 

FSMO Roles - know and explain

Understanding Group Policy Precedence

Understand sites and how to configure

DNS is where I struggled, things like DHCP integration, delegation, etc

Learn the common advanced features and how you would enable them

Domain levels

Tools like dcdiag

 

 

This was a Reddit post I had saved:

 

 

Now that is a list. TYVM for that. I really appreciate it. :)
