Alan Baugher

IMAG:  Active Directory Lab Env. with SSL/TLS Certs

Discussion created by Alan Baugher Employee on Aug 8, 2016
Latest reply on Sep 28, 2016 by Alan Baugher

Team,

 

To stay proficient with the broad security space and integration with the client/server world + cloud apps, it is very valuable to set up your own lab environments, not only of CA solutions but likely userstores/applications that would be managed for customer use-cases.   A very common use-case is management of one or many ADS domains, with or without an Exchange Domain.

 

If you don't have access to an MSDN license or a company-approved server key, you can leverage the MS 180-day license for MS Windows Server or even the unlimited licenses for Hyper-V or Release Candidates (later versions).

 

Example:  MS Windows 2012 R2

 

Try Windows Server 2012 R2 | TechNet Evaluation Center

 

You may use Vmware Workstation / ESXi  or  MS VHD Server to deploy a clean image of MS Windows OS.

 

1) After installing the OS, you may wish to declare this OS to be your base OS; and update it accordingly with MS Windows Updates & MS Defender (or other A/V solution).

-     With this base image, I like to install a 2nd local Admin Account &  a few adjustments

net user  idmadmin Password01 /add

net localgroup administrators idmadmin /add

..\windows_2003_resource_kit\ntrights.exe -u idmadmin +r SeServiceLogonRight

-    Add a 2nd NIC to the OS Image (Create a Vmware network host-only network w/o dhcp & address 10.10.10.x)

-    Download and deploy MS Sysinternals Suite, especially Process Explorer (replace Task Manager), BgInfo (stamp the background image with hostname/ip/boottime) and Process Monitor (to debug 3rd party installs)

Sysinternals Suite

-    Deploy .NET Framework 3.51  (used by both embedded CA components as a pre-req and for MS-SQL)

DISM /Online /Enable-Feature /FeatureName:NetFx3  /All

-    Deploy a 3rd party openssl binary for MS Windows x64  [Goal:  Speed up process to build certs for lab]

          https://slproweb.com/products/Win32OpenSSL.html 

 

2) Making a clone of the MS Windows server requires an additional step with the MS SysPrep tool

     - This tool will reinitialize the MS Windows Image, to allow it to be joined to an AD domain with no impacts.

    -  If you don't plan on making more than one image, you can skip this step; and only use the base OS image you deployed.

-  Example:     C:\Windows\System32\Sysprep\Sysprep.exe  /generalize  /quiet   /reboot

 

3)  After your MS Windows image is rebooted, you will answer a few localization questions (language/date/etc.), then be presented with the logon prompt.   Upon Logon, rename the hostname of the image

-  Example:

::Rename Hostname Options

set NEWHOSTNAME=dc001

::wmic method

wmic computersystem where name="%COMPUTERNAME%" call rename name="%NEWHOSTNAME%"

::Requires a reboot action

shutdown /r /t 30

::netdom alternative method

::netdom renamecomputer  "%COMPUTERNAME%"  /NetName:"%NEWHOSTNAME%"  /Force /Reboot

 

 

4) After the reboot, update the IP address from DHCP to STATIC and to 10.10.10.x address

- Example:

::Update from DHCP IP to Static IP Address Options

set NIC_ADP_NAME=Ethernet1

:: set NIC_ADP_NAME=Local Area Connection

set IP_ADDR=10.10.10.3

set IP_MASK=255.255.255.0

set IP_GW=10.10.10.2

set DNS=10.10.10.3

::netsh method #1

:: Display Config

netsh interface ip show config

:: Save Before State

netsh -c interface dump > c:\%COMPUTERNAME%_NIC_before_state.txt

:: Update IP Address

netsh interface ip set address name="%NIC_ADP_NAME%" static %IP_ADDR%  %IP_MASK%  %IP_GW%  1

::Netsh method to update DNS to static addresses (adapter name quoted so names with spaces work)

netsh interface ip set dns "%NIC_ADP_NAME%" static %DNS%

netsh interface ip set wins "%NIC_ADP_NAME%" static %DNS%

 

 

5) No reboot is required for the IP refresh; after the above step, let's ensure that MS Windows Update is working correctly.

- Example:

::Scan & find latest patches

wuauclt.exe  /DetectNow   /ReportNow

::Force update after scan

Wuauclt.exe  /UpdateNow  

::Show Update GUI

Wuauclt.exe    /ShowWU

 

 

6)  Create a new MS Active Directory Domain on the MS Windows OS.   Update the DomainMode/ForestMode if desired; and replace the DomainName & DomainNetbiosNames for the correct domain name.

# Installing AD DS by using Windows PowerShell

# Beginning with Windows Server 2012, you can install AD DS using Windows PowerShell.

Install-ADDSForest `
  -CreateDnsDelegation:$false `
  -DatabasePath "C:\Windows\NTDS" `
  -DomainMode "Win2012" `
  -DomainName "exchange.lab" `
  -DomainNetbiosName "EXCHANGE" `
  -ForestMode "Win2012" `
  -InstallDns:$true `
  -LogPath "C:\Windows\NTDS" `
  -NoRebootOnCompletion:$false `
  -SysvolPath "C:\Windows\SYSVOL" `
  -Force:$true

 

7) Reboot, then login with Administrator account; validate the server now reports it is now a DC and is a member of a domain.   Use the new MS ADS tools, of ADUC (Active Directory Users and Computers) and view the DC OU.

 

8) Check if TCP 636 is listening with a certificate.   Use MS tool ldp.exe to connect via SSL to port 636.

Alternatively, use:   openssl s_client -connect hostname:636 -showcerts

 

9a) Create a CA root certificate and a signed server certificate using openssl and MS tool certreq.exe.  Goal:  Avoid using the "blackbox" wizard use of MS Certificate Authority and/or Enterprise Certificate, to allow better understanding of how certificates may be created and used for AD Domain Controller.

Active Directory requires a SCHANNEL type SSL certificate as an option to function correctly.   To ensure this format is used, recommend having the following "request.inf" file ready, update the Subject line to the correct FQDN (dc001.exchange.lab):

 

;----------------- request.inf -----------------

[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=dc001.exchange.lab"

;

KeySpec = 1

KeyLength = 1024

Exportable = TRUE

MachineKeySet = TRUE

SMIME = False

PrivateKeyArchive = FALSE

UserProtected = FALSE

UseExistingKeySet = FALSE

ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

ProviderType = 12

RequestType = PKCS10

KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

 

9b) Steps to create a CA root certificate and server certificate for AD Domain Controller.  Note, this script has variables to be updated; and it will auto-clean itself up when run every time, as long as the "names" match.

 

@echo on

:: Create a CA root Certificate

:: Set an initial openssl configuration file

set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg

set FQDN=dc001.exchange.lab

set PASSWORD=P$ssword01

 

:: Make a output folder

mkdir c:\temp\openssl

 

:: Clean up Certs from prior executions / stores

certutil -delstore  "Root" ###_LAB_ROOT_CA_Cert_Auth_For_Active_Directory_###

certutil -delstore "My" %FQDN%

 

:: Update inf file with the latest FQDN name

copy ADS_server_cert_request.inf   c:\temp\openssl\ADS_server_cert_request.inf

 

:: Generate a private CA key

cd /d C:\OpenSSL-Win64\bin

openssl genrsa -des3 -passout pass:%PASSWORD%  -out  c:\temp\openssl\01.rootCA.key 1024

openssl rsa -in c:\temp\openssl\01.rootCA.key -passin pass:%PASSWORD%  -out c:\temp\openssl\02.rootCA_nopassword.key 

 

:: Create a self-signed x509 cert

openssl req -out c:\temp\openssl\03.rootCA.crt  -key c:\temp\openssl\02.rootCA_nopassword.key -new -x509 -days 7300 -subj "/CN=###_LAB_ROOT_CA_Cert_Auth_For_Active_Directory_###"

 

:: Execute on the Active Directory Server (DC) only

certreq -f -new c:\temp\openssl\ADS_server_cert_request.inf  c:\temp\openssl\%FQDN%.csr

 

:: Sign the CSR with the private CA key

openssl x509 -req -days 3650 -in c:\temp\openssl\%FQDN%.csr  -CA c:\temp\openssl\03.rootCA.crt   -CAkey c:\temp\openssl\02.rootCA_nopassword.key  -set_serial 01 -out c:\temp\openssl\%FQDN%.crt

 

:: On both the AD & IMPS Servers, import the CA root file into (Local Computer \ Trusted Root Cert Auth \ Certificates)

::   Use either the MS GUI tool of  certlm.msc  or use the MS CLI process with certutil

certutil -addstore "Root" c:\temp\openssl\03.rootCA.crt

 

:: Only on the AD server, accept the signed cert.  This MUST PASS to SUCCEED

:: Cert will then be auto-copied to (Local Computer \ Personal \ Certificates )

certreq -accept  c:\temp\openssl\%FQDN%.crt

pause

 

 

9c)   Call out this step for clarity.     On all of the IMPS & CCS Servers, import the CA root file into (Local Computer \ Trusted Root Cert Auth \ Certificates).    Use either the MS GUI tool of  certlm.msc  or use the MS CLI process with certutil

certutil -addstore "Root" c:\temp\openssl\03.rootCA.crt

 

Note:   This is the public CA root cert that would be copied to other 3rd party LDAP client tools as well.

 

Note2:  Active Directory keystore has TWO (2) sections:   Current User and Local Computer.   Ensure that the public CA root certificate is published to Local Computer.

 

10)  Done.  Validate TCP 636 is available with an SSL cert; may use MS LDP (ldp.exe).  Note:  DC may not need to be rebooted/bounced.

 

11) Extra:   Create 120,000 accounts on your new AD domain with a for loop.  With example rates for commands:  dsadd user, dsmod user, net user:

 

:: Batch Version for 120K accounts, e.g. add START in front, if wish to call from this file.

 

:: Rate: 2 add/sec  - suggest parallel adds, e.g.  40K / 2 add/sec = 20K seconds /60  = 334 min = 5.6 hours

::START FOR /L %%i in (1,1,40000) DO dsadd user "cn=AA Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -samid aatestuser%%i -upn aatestuser%%i@exchange.dom -fn AATest -ln User%%i -display "AATest User%%i" -pwd P@ssw0rd -disabled no

::START FOR /L %%i in (1,1,40000) DO dsadd user "cn=BB Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -samid bbtestuser%%i -upn bbtestuser%%i@exchange.dom -fn BBTest -ln User%%i -display "BBTest User%%i" -pwd P@ssw0rd -disabled no

::START FOR /L %%i in (1,1,40000) DO dsadd user "cn=Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -samid testuser%%i -upn testuser%%i@exchange.dom -fn Test -ln User%%i -display "Test User%%i" -pwd P@ssw0rd -disabled no

 

:: Rate: 30 mod/sec - suggest parallel mods, e.g. 40K / 30 mod/sec = 1334 seconds / 60 = 22 min

::START FOR /L %%i in (1,1,40000) DO dsmod user "cn=AA Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -desc "CHANGE VIA DSMOD QUIET" -q

::START FOR /L %%i in (1,1,40000) DO dsmod user "cn=BB Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -desc "CHANGE VIA DSMOD QUIET" -q

::START FOR /L %%i in (1,1,40000) DO dsmod user "cn=Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -desc "CHANGE VIA DSMOD QUIET" -q

 

:: Rate: 60 mod/sec - suggest parallel mods, e.g. 40K / 60 mod/sec = 667 seconds / 60 = 11 min

START FOR /L %%i in (1,1,40000) DO net user aatestuser%%i /comment:"NET USER"

START FOR /L %%i in (1,1,40000) DO net user bbtestuser%%i /comment:"NET USER"

START FOR /L %%i in (1,1,40000) DO net user testuser%%i /comment:"NET USER"

 

12)  Test this new domain with the following tools:

IMPS - Active Directory Endpoint (define and Explore/Correlate)

IMPS\bin\adsldapdiag.exe  (CLI tool)

IMPS\bin\ldapsearch.exe  (CLI tool)

openssl s_client -connect DC_FQDN:636  -showcerts   (CLI tool)

Jxplorer  (install/update)

Apache Directory Studio  (no install/update + csv export)

SoftTerra LDAPBrowser (install/read-only tool + csv export)

OpenLDAP ldapsearch (CLI tool)

ldp.exe  (MS ADS GUI tool)

ADUC (MS ADS GUI tool)

 

 

Let me know if this was valuable.

 

 

Cheers,

 

A.

 

 

Edit 8/16/2016  -  Added step 9c for clarity.  Where to copy the public CA root cert to, local computer (aka local machine via certlm.msc)

 

 

 

 

 

Edit:  9/28/2016  add in script to pull from current production active directory domain, to either assist with building a lab AD domain or for role engineering exercise.
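
For steps 8 and 10 above, a PowerShell check of the certificate accepted in step 9b and of what the DC presents on TCP 636. This is an added example, not part of the original post; `$Fqdn` and the function name `Test-LdapsCertificate` are assumptions to adapt to your lab.

```powershell
# Added example, not from the original post. Run on the DC after step 9b.
# Assumption: $Fqdn equals the Subject CN used in the request .inf file.
$Fqdn      = 'dc001.exchange.lab'
$ServerEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication OID from the .inf

function Test-LdapsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Name)
    # "openssl x509 -req" does not carry request extensions into the certificate
    # by default, so report the EKUs that were actually issued.
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    # Build the chain against the Local Computer stores (Note2); the lab CA has no CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Cert)
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        SubjectMatch  = ($Cert.GetNameInfo('SimpleName', $false) -eq $Name)
        HasPrivateKey = $Cert.HasPrivateKey
        EkuOids       = $ekus -join ','
        ServerAuthEku = ($ekus -contains $ServerEku)
        ChainTrusted  = $trusted
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        KeyBits       = $Cert.PublicKey.Key.KeySize
        NotAfter      = $Cert.NotAfter
    }
}

$stored = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $Fqdn } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $stored) { throw "No certificate for $Fqdn in Local Computer \ Personal" }
Test-LdapsCertificate -Cert $stored -Name $Fqdn | Format-List

# TLS handshake to 636 with normal validation: it succeeds only if the chain is
# trusted on this machine and the name matches; then compare with the store copy.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 636)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($Fqdn)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    'Port 636 serves {0}; same as store copy: {1}' -f $served.Thumbprint, ($served.Thumbprint -eq $stored.Thumbprint)
} catch {
    "LDAPS handshake to ${Fqdn}:636 failed: $($_.Exception.Message)"
} finally { if ($tcp) { $tcp.Close() } }
```

The handshake half can also be run from an IMPS or CCS server to confirm the root import from step 9c; the store lookup applies only on the DC.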
