Adding an Active Directory Forest

Cybersecurity Monitoring Lab – Part 6.1 – Adding an Active Directory Forest to Proxmox

HOMELAB

Rezwan Siddique

11/22/2023 · 11 min read

In this guide, we’ll go through setting up an Active Directory forest in Proxmox. This guide will be broken up into several parts:

- Windows Server 2019 Installation – the server running Active Directory that acts as the domain controller

- Setting up DHCP and DNS services on the domain controller

- Adding users to the domain manually and through PowerShell

- Windows 10 Enterprise Installation – the computers that will join the domain

- Implementing Group Policy Objects (GPOs) – the mechanism for pushing settings to computers and groups of users

Active Directory Overview

At a high level, Active Directory centralizes the management of users and network resources in Windows environments. An organization can have hundreds or thousands of users, computers, and devices such as printers and networking equipment that need to be managed. Being able to manage all of them from one place is what makes administration possible at that scale.

Some of the more important aspects of managing these resources include maintaining authentication and authorization policies for users and computers and keeping the software on computers up to date. Take user management as an example: by default, a user should not be able to reach every network resource, or even every feature on a computer. Access should follow the user's role. Rather than assigning privileges one account at a time, Active Directory lets you define groups with set levels of privilege and then place users in the appropriate group.

Windows Server Installation

Download Windows Server 2019 Iso

Download the evaluation copy: https://info.microsoft.com/ww-landing-windows-server-2019.html

You can use dummy information on the form.

Download the 64-bit version and upload it to Proxmox.

We also need the VirtIO drivers. The direct download for the latest stable version is here:

https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso

The Proxmox wiki also links the ISO and explains why Windows needs the VirtIO drivers (Windows has no inbox driver for the paravirtualized disk and network devices):

https://pve.proxmox.com/wiki/Windows_VirtIO_Drivers#Wizard_Installation

Create VM

Create a new VM for Windows 2019 server.

Choose the Windows Server 2019 ISO. Select "Microsoft Windows" as the OS type and "10/2016/2019" as the version.

Click "Next" and check "QEMU Agent". If you don't see the option, make sure the "Advanced" box at the bottom of the window is checked.

Choose "SCSI" as the bus/device. Select "Write back" for cache and check the "Discard" box. The disk should be at least 32 GB (Microsoft's stated minimum for Server 2019 with Desktop Experience).

Click "Next" and choose CPU and memory. This build uses 4 cores and 8192 MB; the minimum for a usable domain controller is 2 cores and 2048 MB.

Click "Next" and on the Network page select vmbr1 as the bridge with VLAN tag 100, since this machine is our domain controller on that VLAN.

Change the "Model" to "VirtIO (paravirtualized)". Finish creating the VM but don't start it yet.

Click on the Windows Server 2019 VM that was just made, open "Hardware" and add a second CD/DVD drive.

For that drive choose the VirtIO ISO that was downloaded earlier. Now start the machine.

Installation

Choose next at the first screen then choose install.

Choose the Desktop Experience of Windows Server 2019. Accept the license terms.

Choose "Custom Install."

At the disk-selection screen you won't see a hard drive. That's normal: Windows has no driver for the VirtIO SCSI controller yet. Click "Load Driver" from the options at the bottom.

Choose "Browse" and go to the drive with the VirtIO ISO. Open the "vioscsi" folder, then "2k19", then "amd64", and click OK.

A driver (the Red Hat VirtIO SCSI pass-through controller) should now be highlighted in the window. Click "Next".

Back at the main screen the hard drive is now visible. Before continuing, load the network driver as well, or the server will boot without a working NIC: click "Load Driver" again.

This time browse to the "NetKVM" folder of the VirtIO ISO, then "2k19", then "amd64". Click OK and another driver appears in the window. Click "Next".

Click next. Wait for the installation to finish.

Set the local Administrator password. Use a strong one and keep it in a password manager: this is the account you will use for everything that follows, and when the server is promoted it becomes the domain's builtin Administrator account.

You should now be at the login screen. To send Ctrl+Alt+Delete through the Proxmox console, open the menu arrow on the left edge of the screen, press the first button at the top, then the bottom button of the menu that appears.

Log in with the password you created.

Active Directory Configuration

Configure Network Settings

Since there is no DHCP on this VLAN yet (this server will provide it later), we need to configure the network settings manually.

Click the network icon on the bottom right of the screen, then "Network & Internet Settings."

Click "Change adapter options."

Double-click "Ethernet Instance 0" (the VirtIO NIC).

Click "Properties", then "Internet Protocol Version 4 (TCP/IPv4)."

This machine is on the 10.10.20.0/28 network (usable addresses 10.10.20.1 through 10.10.20.14). Give it the IP address 10.10.20.2, the subnet mask 255.255.255.240, and the default gateway 10.10.20.1 (pfSense). Since this server will also be the DNS server for the network, set the preferred DNS server to its own address, 10.10.20.2. Getting this right before promotion matters: the promotion wizard uses the configured DNS client settings, and a DC that points at an external resolver will not register its own records correctly.

Press OK to exit the menus. A prompt asking whether to make the PC discoverable on the network should appear; choose "Yes."
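The same addressing can be done from an elevated PowerShell prompt on the server, which is easier to repeat if you rebuild the VM. This is an added example, not code from the original post; it uses the addresses above and assumes the VirtIO NIC is the adapter Windows calls "Ethernet Instance 0", as it did here.

```powershell
# Added example: static addressing for the domain controller, equivalent to the GUI steps.
# Addresses are the ones used on this page (10.10.20.0/28, pfSense at .1, DC at .2).
# Assumption: the VirtIO NIC shows up as "Ethernet Instance 0"; check with Get-NetAdapter if not.
$Adapter = Get-NetAdapter -Name 'Ethernet Instance 0'
$IfIndex = $Adapter.ifIndex

# Turn off the DHCP client on this interface and drop any address/route it may have picked up.
Set-NetIPInterface -InterfaceIndex $IfIndex -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $IfIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $IfIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# 10.10.20.2 with a /28 mask (255.255.255.240) and the pfSense gateway.
New-NetIPAddress -InterfaceIndex $IfIndex -IPAddress '10.10.20.2' -PrefixLength 28 -DefaultGateway '10.10.20.1'

# The DC will host DNS for the domain, so its preferred DNS server is itself.
# Set this before promotion so the wizard registers the DC's records in its own zone.
Set-DnsClientServerAddress -InterfaceIndex $IfIndex -ServerAddresses '10.10.20.2'

# Verify: address, gateway and DNS as expected, and the gateway reachable.
Get-NetIPConfiguration -InterfaceIndex $IfIndex
Test-NetConnection -ComputerName '10.10.20.1'
```

If `Test-NetConnection` reports the gateway as unreachable, check the VLAN tag on the VM's network device and the VLAN configuration on pfSense before touching anything on the Windows side; the address itself is correct as written.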

Rename the Server

Click the start button, then "Settings." In the search bar, type "About PC."

Click Rename this PC and choose a new name for this machine. Restart the machine when prompted.

Install Domain Controller Services

Before continuing, take a snapshot of the machine.

When the machine restarts, in the server manager, choose “Manage,” then “Add Roles and Features.”

Choose "Next" at the first screen. Then select "Role-based or feature-based installation" on the next one.

No changes are needed on the server selection screen.

Add "Active Directory Domain Services" and "DNS Server." Click "Add Features" when prompted after ticking each box. Then click "Next."

Continue hitting next until you get the confirmation screen that lets you click “Install.” Click “Install.”

On the server manager, there should be a notification. Click on it and click “Promote this server to a domain controller.”

Choose "Add a new forest" and enter a name for the root domain. Pick a name you control (for example a subdomain of a domain you own) rather than a made-up top-level name, since renaming a forest later is painful. Select "Next."

Leave the functional levels as they are and set another password. This is the Directory Services Restore Mode (DSRM) password, used only to boot the DC into recovery mode; it is not the Administrator password, so record it somewhere you can find in an emergency. Click "Next."

Leave "Create DNS delegation" unchecked (there is no parent DNS zone to delegate from) and click "Next."

Wait for the NetBIOS name to fill in, then click “next.”

No changes are needed. Click “next” until you’re at the prerequisites check. Then “install.” Wait for the machine to restart then log back in.
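The rename, role installation and promotion above can also be scripted, which is handy for rebuilding the lab from the snapshot. This is an added example rather than the author's own steps; the hostname DC01 and the domain name lab.example.com with NetBIOS name LAB are placeholders chosen for illustration, so substitute your own.

```powershell
# Added example: rename, install AD DS + DNS, and promote to the first DC of a new forest.
# Run from an elevated PowerShell prompt. Placeholders (not from the page):
#   DC01            - hostname
#   lab.example.com - forest root domain, NetBIOS name LAB

# 1. Rename and reboot ("Rename the Server" section).
Rename-Computer -NewName 'DC01' -Restart

# ---- after the reboot ----

# 2. Install the roles with their management tools (ADUC, DNS Manager, the AD PowerShell module).
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# 3. Promote. -SafeModeAdministratorPassword is the DSRM password the wizard calls
#    "another password"; read it interactively rather than embedding it in the script.
Import-Module ADDSDeployment
$DsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM (Directory Services Restore Mode) password'

Install-ADDSForest `
    -DomainName 'lab.example.com' `
    -DomainNetbiosName 'LAB' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $DsrmPassword `
    -NoRebootOnCompletion:$false `
    -Force:$true

# ---- after the automatic reboot: confirm the promotion and DNS health ----
Get-ADForest | Select-Object Name, ForestMode, RootDomain, DomainNamingMaster
Get-ADDomainController -Discover -Service 'PrimaryDC'
dcdiag /test:DNS
```

`WinThreshold` is the Windows Server 2016 functional level, the highest a 2019 DC offers. `dcdiag /test:DNS` should pass every sub-test except forwarders, which are configured in the next section.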

Domain Controller DNS Services

The next step is to set our pfSense gateway as the upstream forwarder: the domain controller answers queries for its own zone and forwards anything it cannot resolve to pfSense. Without a forwarder, domain members (which will all use this DC for DNS) cannot resolve external names.

In the search bar, type "DNS" and open the DNS app.

Click on your server's node, then double-click "Forwarders" in the right-hand pane.

Click "Edit," then enter the IP of the default gateway (10.10.20.1). Wait for it to validate (a green check mark next to the address) before clicking OK.

Configure DHCP Server

Back in the server manager, click on “Add Roles and Features.”

Click “next” until you get to the screen to add features.

Click the box for “DHCP Server.” Click “Add Features” when the next screen pops up. Then click “next.”

Keep clicking “next” until you can click “install.” Then install.

After it’s done installing, click “Complete DHCP Configuration.”

Click “next” at the first screen, then “commit.” Close the windows.

On the start menu, search for the DHCP app, then open it.

Click on your domain controller node, right-click on “IPv4” in the middle window, then choose “New Scope.”

Click “next.” Add a description for the DHCP scope.

Enter the IP address range of your network, starting at the 3rd IP address of the range since the default gateway and this domain controller are using the first two IPs already.

No exclusions will be set for now. Click “next.”

Set the client lease duration, then click "Next." This build uses one year; the Windows default is 8 days, and a shorter lease is easier to live with if you later re-address the VLAN.

Configure the options now.

Enter the default gateway. Make sure you click “Add” and it shows up in the box. Hit next.

The parent domain name and the DNS server IP address (this domain controller) should already be filled in. Hit "Next."

There won’t be a WINS server on this network so just click “next.”

Make sure the option to activate the scope now is selected, then hit “next.” Then “finish.”
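Both post-promotion steps, the forwarder and the DHCP scope, can be done from PowerShell on the DC. This is an added example, not the author's configuration; it uses the page's addressing (DC at 10.10.20.2, pfSense at 10.10.20.1, clients .3 to .14) and assumes the placeholder names DC01 and lab.example.com.

```powershell
# Added example: DNS forwarder and DHCP scope from PowerShell, run on the DC after promotion.
# Assumptions (not from the page): host DC01, domain lab.example.com,
# DC at 10.10.20.2, pfSense gateway at 10.10.20.1, scope 10.10.20.0/28 handing out .3-.14.

# ---- Forwarder: queries the DC cannot answer go upstream to pfSense ----
Set-DnsServerForwarder -IPAddress '10.10.20.1' -UseRootHint $false
Get-DnsServerForwarder

# Sanity checks: an internal name is answered from the DC's own zone,
# an external one succeeds only if the forwarder works.
Resolve-DnsName -Name 'lab.example.com' -Type A -Server '10.10.20.2'
Resolve-DnsName -Name 'www.microsoft.com' -Type A -Server '10.10.20.2'

# ---- DHCP role, plus what the "Complete DHCP configuration" wizard does ----
Install-WindowsFeature -Name DHCP -IncludeManagementTools
Add-DhcpServerSecurityGroup            # creates the DHCP Administrators / DHCP Users groups
Restart-Service -Name DHCPServer
Add-DhcpServerInDC -DnsName 'DC01.lab.example.com' -IPAddress '10.10.20.2'   # authorise in AD
# Clear the post-install notification flag in Server Manager.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name 'ConfigurationState' -Value 2

# ---- Scope: .3 to .14 with the /28 mask; .1 (gateway) and .2 (DC) stay outside the range ----
Add-DhcpServerv4Scope -Name 'VLAN100-Clients' -Description 'Lab clients on VLAN 100' `
    -StartRange '10.10.20.3' -EndRange '10.10.20.14' -SubnetMask '255.255.255.240' `
    -LeaseDuration (New-TimeSpan -Days 8) -State Active

# Scope options: router (pfSense), DNS server (this DC), DNS suffix for clients.
Set-DhcpServerv4OptionValue -ScopeId '10.10.20.0' `
    -Router '10.10.20.1' -DnsServer '10.10.20.2' -DnsDomain 'lab.example.com'

# Verify.
Get-DhcpServerv4Scope
Get-DhcpServerv4OptionValue -ScopeId '10.10.20.0'
```

The lease here is the 8-day default rather than the one year used in the wizard; change `-Days 8` if you want to match the GUI run. `Add-DhcpServerInDC` is the authorization step: an unauthorized DHCP server in a domain refuses to hand out leases, which is also the control that stops a stray DHCP server on a domain-joined box from poisoning your network.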

Adding Users and Computers to Domain

Add Users to Domain Manually

First, we'll add a user the manual way as a demonstration. Back in Server Manager, click "Tools" then "Active Directory Users and Computers."

Right-click on your domain and choose "New" then "User." Fill in the user's name and logon name, then click "Next." Enter a password and choose the account options (leave "User must change password at next logon" checked), then click "Next" and "Finish."

Our new user now appears in the list. We'll leave it there for now, since we're about to create many more.

Adding Users with Powershell

Download the Script

With PowerShell, we can add many users at once instead of one at a time like we just did.

The script can be found here: https://github.com/joshmadakor1/AD_PS/archive/master.zip (credit to Josh Madakor for writing it).

Downloading it from inside the VM is easier with Microsoft Edge; Internet Explorer will block most sites unless you temporarily turn off "IE Enhanced Security Configuration" in Server Manager's Local Server pane. If you do turn it off, turn it back on afterwards: this is a domain controller, and browsing from it should be the exception, not the habit.

Then open the link above inside the VM and save the zip to your Downloads folder.

Unzip the file.


Script Explanation

Open the text file to see that it is a list of names. These are the users the script will add to our domain.

Right-click "1_CREATE_USERS" and choose "Edit" to view the script.

Let's go through what this script is doing:

The first section creates two variables: the default password for every new user, and $USER_FIRST_LAST_LIST, which holds all of the names read from the text file.

The next section converts the plaintext password into a SecureString (the form New-ADUser requires) and creates an organizational unit (OU) called _USERS.

This section loops through the name list and builds each username from the first initial plus the full last name. For example, John Doe becomes jdoe.

The final section creates each account and sets its attributes. I want to drop the "-PasswordNeverExpires $True" option: when "Password never expires" is set, Windows ignores "User must change password at next logon," and I want users to set their own password the first time they sign in. Note also that every account starts with the same password, stored in plaintext in the script. That is acceptable for a lab, but never for a real environment.

Running the Script

Before running it, read the script: you are about to execute code downloaded from the internet as a Domain Admin on the domain controller. Then right-click "1_CREATE_USERS" and click "Run with PowerShell."

The script starts creating users one by one. You can press Ctrl+C to stop it early.

Go back to Server Manager and open Active Directory Users and Computers; you should see the new _USERS OU with the users in it.

Select all the users, right-click, choose "Properties" and go to the "Account" tab. Tick the box on the left to apply the setting, then tick "User must change password at next logon" itself.

This makes every new user set their own password at first sign-in. We will set up the password policy next and connect new machines in the next part.
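The script walk-through above and the "must change password at next logon" fix-up can be done in one script. What follows is an added example written for this page, not Josh Madakor's script: it keeps the same idea (first initial plus last name, users in a _USERS OU) but reads the starting password interactively instead of hard-coding it, sets the change-at-logon flag instead of "password never expires", handles two people who would both become "jdoe", and is safe to re-run. It assumes a names.txt next to the script with one "First Last" per line.

```powershell
# Added example: bulk user creation with the behaviour this page wants.
# Assumptions: names.txt beside the script, one "First Last" per line; run as a Domain Admin
# on the DC with the ActiveDirectory module (installed with the AD DS management tools).
Import-Module ActiveDirectory

$ScriptDir = if ($PSScriptRoot) { $PSScriptRoot } else { $PWD.Path }   # $PSScriptRoot is empty when pasted
$Names = Get-Content -Path (Join-Path $ScriptDir 'names.txt') | Where-Object { $_.Trim() }

# Read the starting password instead of hard-coding it: a plaintext password next to a
# list of usernames is exactly what an attacker hopes to find on a file share.
$InitialPassword = Read-Host -AsSecureString -Prompt 'Initial password for new users'

$Domain   = Get-ADDomain
$DomainDn = $Domain.DistinguishedName
$OuDn     = "OU=_USERS,$DomainDn"

# Create the OU once, and leave deletion protection on.
$Ou = Get-ADOrganizationalUnit -Filter "Name -eq '_USERS'" -SearchBase $DomainDn -SearchScope OneLevel
if (-not $Ou) {
    New-ADOrganizationalUnit -Name '_USERS' -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}

function New-LabUserName {
    # First initial + last name, lowercased, letters and digits only, within the
    # 20-character sAMAccountName limit. Collisions become jdoe2, jdoe3, ...
    param([string]$First, [string]$Last)
    $base = (($First.Substring(0, 1) + $Last).ToLower() -replace '[^a-z0-9]', '')
    if ($base.Length -gt 18) { $base = $base.Substring(0, 18) }   # leave room for a suffix
    $candidate = $base
    $i = 2
    while (Get-ADUser -Filter "sAMAccountName -eq '$candidate'") {
        $candidate = "$base$i"
        $i++
    }
    return $candidate
}

$Created = @()
foreach ($line in $Names) {
    $parts = $line.Trim() -split '\s+', 2
    if ($parts.Count -lt 2) { Write-Warning "Skipping '$line': expected 'First Last'"; continue }
    $first, $last = $parts

    # Idempotent: if this person already exists in the OU, do not create a jdoe2 for them.
    $fq = $first -replace "'", "''"; $lq = $last -replace "'", "''"   # escape quotes for the AD filter
    $existing = Get-ADUser -SearchBase $OuDn -Filter "GivenName -eq '$fq' -and Surname -eq '$lq'"
    if ($existing) { Write-Host "Already present: $($existing.SamAccountName)"; continue }

    $sam = New-LabUserName -First $first -Last $last
    Write-Host "Creating $sam ($first $last)"
    New-ADUser -Name "$first $last" `
               -GivenName $first -Surname $last -DisplayName "$first $last" `
               -SamAccountName $sam `
               -UserPrincipalName "$sam@$($Domain.DNSRoot)" `
               -Path $OuDn `
               -AccountPassword $InitialPassword `
               -Enabled $true `
               -ChangePasswordAtLogon $true   # in place of -PasswordNeverExpires $true
    $Created += $sam
}
Write-Host "Created $($Created.Count) user(s): $($Created -join ', ')"

# Retrofit for accounts created earlier (the "Account" tab step above): every enabled user
# in the OU whose password is not already flagged for change (pwdLastSet = 0) gets the flag.
Get-ADUser -SearchBase $OuDn -Filter { Enabled -eq $true } -Properties pwdLastSet |
    Where-Object { $_.pwdLastSet -ne 0 } |
    Set-ADUser -ChangePasswordAtLogon $true
```

`-ChangePasswordAtLogon $true` sets pwdLastSet to 0, which is exactly what the "User must change password at next logon" checkbox does; it only takes effect if "Password never expires" is not set, which is why the original script's `-PasswordNeverExpires $true` has to go. The final pipeline is the scripted equivalent of selecting all users in ADUC and ticking the box, so it can be run on its own against users created earlier.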