Configuring the CA, DNS, Active Directory, GPO and DHCP

Captions
And we're back. So I've gone ahead and adjusted my diagram to include an ASA at the egress, and that's going to be what I VPN into in later videos. I also added Active Directory in this video; this is what we're actually going to be configuring today, because that's going to be acting as my NTP server, DNS, DHCP and certificate authority. So let's go ahead and start on that now.

So the first thing I did before I added any server roles, besides giving it an IP address, is I went ahead and made adjustments to the name. Automatically, when you spin up a new server, it's given some gobbledygook name that it just creates automatically. So unless you want to have to go through and make changes to DNS and AD after you've already created the server role, I would recommend you change it right away, and at that point you can start creating the roles and it won't be a problem.

Another thing I also did is, in Server Manager, I went to Local Server, and since this is a lab I'm not really worrying about what I'm going to be browsing, so I turned off IE Enhanced Security Configuration. That's the one that kind of annoys the hell out of you when you go to a website and it starts saying "are you sure you want to go to this site?" and you have to sit there and manually click a thousand times to be able to have every aspect of that site come up. It's a security enhancement to make sure your domain controller or server is not compromised by browsing to the wrong website, but again, this is a lab and I don't necessarily want to be bothered with that. Another thing I also enabled was Remote Desktop connection, so I can RDP into this in later modules or videos. So right off the bat I gave it an IP address: everything in my LAN is going to be in the 10.1.100.0/24 range, so this is going to be .40. So let's go ahead and start adding roles on this. Excuse me, a little bit sick today, so
I'm trying to keep my head up. So go ahead; the first thing I want to do is create an Active Directory domain, so let's go ahead and add AD Domain Services. I'm going to pause the video while this installs.

So Active Directory finished installation, so we're going to go ahead and configure it now. I'm going to promote this server to a domain controller and we're going to create a new forest. So it's going to be securitydemo.net, or whatever domain you want it to be; I'm just doing this one. Two seconds, and up. By the way, I also didn't add the DNS service, because it already goes ahead and creates that as you're walking through this; I'll show you what I mean. But let me go ahead and create my password. So there's the Directory Services Restore Mode [Music]. And if you guys hear any noise in the background, that's my cat; he's kind of wandering around and randomly meowing. So give it a moment, it's just doing its checks right now. So as you can see here, it's saying that it doesn't see a DNS server; there are some changes I could do if I wanted to be more secure, but again this is a lab, so I'm not going to really worry about it. All prerequisites passed successfully, so it's going to go ahead and install the Domain Services, the DNS and the directory services role if I click Install. So I'm going to give it a minute to do so and pause the video while it takes that time to do it.

All right, I'm about to be signed out because it's going to be restarting, so give it a moment while it does that, and when it restarts I'll be in the securitydemo.net domain. While it's at it, I'm going to go ahead and go over to... so I have a jump PC. I like to use the idea of this: I've got two NICs on here; one NIC is attached to the LAN and the other is an IP address I can remote into from anywhere. So I'm going to go ahead and start configuring this, because I haven't even
configured it yet. I believe I already installed everything I needed, so this is another fresh server just for jump purposes. Give me a moment while I start configuration here. A lot of what I did in terms of turning off IE Enhanced Security Configuration I'm going to do over here as well, because again, it's the lab, and there's going to be stuff I need to download from the internet and I don't want to be annoyed to death while I do so. So give me a moment to configure that. I also most definitely want to have Remote Desktop connection, and go ahead and start IPing this. So I've got two NICs, and if I remember correctly I think the first one is attached to the LAN and the second one is the LAN. So I'm going to first configure the LAN and give it the same subnet range, so let's go ahead and go 10.1.100.45, 255.255.255.0. I'm not going to put a default gateway on that because I don't need to, but I will go ahead and let it use this guy as the DNS server. Next I'm going to go ahead and give it this: so 10.95.61.168 ... 245, and this is just an IP address for my purposes so I can remote into it. So give me a moment.

My AD server just restarted; you'll see that AD and DNS have been configured now. So as I was saying before, DNS will automatically be configured and started. I'm going to also go ahead and add DHCP, reason being I'm going to be having that wireless configuration that we're going to be testing in later videos, so DHCP is definitely necessary there. So go ahead and make sure that's configured as well. Yeah, I don't think this is going to need to restart, but go ahead and have that. And while I'm at it, I might as well join this guy, the jump PC, to the domain. Well, first things first, I'm going to change the name of it to something a little more manageable, so "JumpPC", so I know what it is. Change that first. So I was
going to make the new restart. Sure thing. And then, so we've got DHCP, and I'm going to configure that for that subnet, and since we're going to be using VPN later, I'm going to make sure it's a different block than my VPN range so I'm not going to have any issues. DHCP, perfect. So let's go ahead and create a new scope for DHCP, and this is going to be, you know, the name can be "VLAN 100"; this is going to be used for new wired and wireless clients. So the start IP range is going to be 1.100... let's go ahead and do .150 to .199, and of course it's going to be /24. I'm not going to worry about exclusions. Let's give it a lease of one hour, because again this is a lab and I might be testing different things and wanting those DHCP packets during that time. So the default gateway is going to be my future CSR, so it's going to be .254. Domain name, perfect. And we will go ahead and activate the scope now. So the DHCP scope is already created at that point.

And jumping back to the jump PC real quick, I'm going to go ahead and join it to the domain. So again, going back here to the properties of the PC, and the domain is going to be securitydemo.net. Now it's going to restart one more time. Perfect.

So the last role I'm going to create now is going to be my certificate services, so I'm going to add Certificate Services. So that one is going to be right here: add features, we're going to go ahead and select all these guys right here, and restart if needed. I don't think this one will require a restart, but test it out. And also a good thing to do before you get too far down this path is make sure your time is synced correctly. If you're using an NTP server or anything of the like, make sure it's the right year, date and time, because it's going to be a pain if you have to go back and generate a new certificate, or, you know, ISE and the AD CS CA server are all out of sync. Even if you correct or change it later, you might have to wait for, you know, the AD or ISE clock to catch up,
because there's nothing like having your CA server be a couple hours ahead and finding out that ISE is, you know, getting the correct time and saying "hey, this is invalid, the timestamp hasn't even happened yet." So you'd have to wait or regenerate certificates, which again, for a lab, I like to cut out the extra time and just do it as quick and dirty as possible. And again, in production you're fine with this; you're probably going to have everything set up on NTP. But I'm trying to do this as quickly as possible and not lead you into any mess-ups that require you to just go back and redo work.

So taking a look at this, AD Certificate Services is installed, so now we have to go ahead and go through and configure it. So one thing I also like to do is go to Users and Computers and make sure that I have an account that will be used for the IIS service. In reality you'd probably be doing it using a service account for this, but this is again a lab and I just want it quick and easy. So you have to make sure that there's a user or service account in IIS_IUSRS that will be used for this. So the first thing I'm going to configure is just the certificate authority and some web enrollment stuff; I'll go through and configure the rest afterwards. It's going to be an enterprise CA and it's going to be a root CA. In production you're probably going to have a CA server that you initially bring online, issue certificates to the sub CAs, and then take offline, and that's the best practice to do it: you should not have your root server continuously connected to your network, or not have some sort of certificate hierarchy. But in your lab you don't really need to adhere to those rules unless you just really wanted to try it out. In this case I'm going with quick and easy over what reality would probably be. I'm going to change it to SHA-256 as well, because I like to be a little bit more secure than SHA-1. This looks good; a valid
validity period of five years. Configure. So this will generate the root certificate, and that's kind of what signs... that's the private key that will sign the certificates that are issued to everything else. And I'm going to go ahead and configure the other services now, since you have to have a root certificate in order to really configure these correctly; that's why I do them separately. So it's asking me for that account with the IIS_IUSRS up here. And go through again, and again, in production, don't use your administrator account, and hopefully you don't have an administrator account named "administrator", but that you have escalated accounts for just administrative duties. But it's a lab and I'm not really adhering to the normal rules. So this is the CA server CA certificate that we created in the last step, for the first three options that we configured, so it's using that for the remaining services. So give it a moment while it goes ahead and configures that, and I'm going to pause this video while it configures itself so I don't take a lot of time just doing nothing.

All right, I'm back. Before I move any further, I'm going to go ahead and make sure that remote access is working on here real quickly. So let's go ahead and... if I can type today. All right, first let's go ahead and make sure Remote Desktop is enabled and my administrator can get in, and just for the purposes of this, I'm going to turn off the firewall on this one, because it's just a jump box and I use it for TFTP and other things in my lab, so I don't really want to have to worry about firewall issues trying to get into it. So I'm going to try to remote over to this guy real quick. Awesome. So from there I can jump over to this guy and give you guys a little better view of what I'm configuring. Go ahead and Remote Desktop, just in my Remote Desktop
connection. Hopefully I didn't fat-finger that password again. It loads a little slow, odd because it's locally connected; they're on the same host. All right, looks like I'm in. So we're back at our domain controller now, and I'm going to tune this guy so it disappears.

So let's go ahead and start configuring some of our certificates, shall we? I'm going to go to Certification Authority, go to Certificate Templates, and then Manage. I'm going to make a copy of this User certificate template; this is going to be for group policy, so it's going to be "GPO User". Not going to allow the private key to be exported. We're going to add Domain Users, and for Domain Users we're going to allow Read, Write and Autoenroll. And the subject name will be... that would need to be email; just the UPN or DNS name I think would be good. Double-checking. And one other thing I wanted to do was make sure that I change the extensions really quickly: for application policies, I want to make sure that I also add Server Authentication. So right here, this is just what the certificate can be used for.

Next thing I'm going to do is copy from Workstation Authentication, and this is going to read just "GPO Computer". Again, Domain Computers, we're going to do Read, Write and Autoenroll. I'm going to also change this to include Server Authentication. Let's go ahead and use the UPN as well.

Another thing I want to do is go ahead and create a pxGrid certificate, reason being we will use this in later subsequent requests... so I take a copy of the Web Server... in the subsequent video, sorry. And this is going to be our "pxGrid" template. I don't care about autoenrolling; it definitely doesn't need that. Excuse me, make sure this isn't set up for autoenrollment for anything. Perfect. Extensions: we want to make sure it's got Server and Client for the application policies, Client Authentication, perfect. And the only other thing I believe I need to make sure of is that it says "Supply in the
request". So we're good to go there. We're just going to close this out and go to New > Certificate Template to Issue; give it a second to pop up. And this is where, under our Certificate Templates, we add the guys that we just created, so now they're available for use.

Now from here we're going to go over to our Group Policy and make some changes. Oh, there it is: Group Policy Management. Now you can go ahead and have group policy for a specific OU under here or just an overarching one. I'm just going to go ahead and create a new group policy; we're going to call this "Security" really quickly. And the reason why we have a group policy for this is because the reality is you don't want to touch every single client and issue certificates manually; it would be a nightmare to manage that, and also there's just easier ways to do that. If you have a domain you can do it automatically and have the endpoint's NIC configured and the certificates pushed down, and it should be seamless to the client. In fact it helps you improve user experience, because you can go ahead and configure in there that they should connect to this SSID automatically, and to them they never have to enter a password; just by signing into their computer it's allowing them to use that computer certificate to jump onto the wireless, and they never have to select anything if they don't want to.

So let's go ahead and make some changes to this. So the first thing I want to change: I'm going to go down to Windows Settings > Security Settings, and let's go ahead and start configuring our wireless... sorry, our wired network. So I'm going to create a new wired network; this is going to be "dot1x", this is the dot1x configuration for corporate PCs. And under here, this is where we configure our 802.1X settings. So I'm going to leave it at "User or computer authentication". I also like to make sure that we enforce the 802.1X settings. And under PEAP, the first
thing I'm going to do is make sure that my AD root certificate is what's trusted. And I'm going to... MSCHAP is where you're in that tunnel, you're tunneling the username and password, and that's the credentials that dot1x is authenticating against. But by changing it to "Smart card or other certificate", what it will do is use EAP-TLS, so it's using a certificate as the inner authentication method, and so it's a little bit more secure, and it's using certs instead of just a simple username and password; it's using cryptography to authenticate against that certificate that's been issued to the client. So I'm going to go ahead, and again we're going to trust these root certificates, those root CAs, which is the same one but one's for user and one's for computer; I just click both of them and leave the rest aside. Okay, so we've already configured that.

And now we're going to do one for creating a wireless policy. So this is going to be "Corp", actually "securitydemo Corp"; this is the policy for my corporate wireless. It's going to be infrastructure, and "securitycorp"... actually "securitydemo", and add that as the name of the SSID. This is one of those things for better user experience: connect automatically when the network is not in range, you know, connect even if the network's not broadcasting; you can choose a couple different ways of doing that. And over here it's the same thing as we configured before in the 802.1X settings. Okay, PEAP, just our root certificates, change it over to EAP-TLS again. There we go, done.

But, you know, we're not really done; we have to actually configure a few more things. So this is a computer configuration, so first things first, we're going to go ahead and make some changes to client services. This is where we're going to allow it to auto-enroll for certificates. This goes back to that template we created and that we issued that allows domain computers to
automatically enroll at the beginning of this video. So with that, if we hit Enable, it's going to automatically, when they join or next time they update their group policy, go ahead and automatically be enrolled with a computer certificate. So we're going to do that.

One other thing I would want to make sure we change in this: for wired dot1x to work, there's a service in the background called Wired AutoConfig that we need to make sure is running at all times. So let me take a look; it's in System Services. Okay, System Services, and by default it's turned off, so you'll never see an Authentication tab on your wired NIC settings if you don't turn this on. So, "Wired AutoConfig", let's go ahead and define this policy, and Automatic. Done.

So next thing: to get the users to automatically have a certificate issued to them, we're going to go through to the User Configuration right here, go to Public Key Policies, the same thing, Autoenrollment; we're going to enable that and go ahead and, you know, renew expired certificates, remove revoked ones, update certificates that use certificate templates. Easy there. So I think that's all we have to do for right now, and we're going to click Enforce so that's starting to be enforced, and then go ahead and go to the command prompt and "gpupdate /force". Awesome.

So let's go ahead and test this out really quickly. It's possible I may have missed something; I'm only human in that regard. So the first thing I want to do is start testing out Corp PCs, see if I can actually join them to a domain. So bear with me; I'm going to actually configure the ports they're on, or try to figure out which ports they're on. So I'm going to change this so you can see it a little bit better. All right, we're going to enable "show interfaces description", see if I labeled it... probably not. So let's go to the first Corp PC, just check the NIC there. On this guy, I haven't joined it
to the domain, obviously, because we just configured domain services. It'll be a little hard to have an IP; it's probably getting DHCP, that's why. So it looks like it's on 16. So go ahead and give us a static IP really quickly, because I want to make sure that I know exactly what my IPs are in my lab. So 10.1.100... I'm going to call this one .51, 255.255.255.0, .254. And let's go ahead and make sure the port is configured: interface fa1 ... 16, we'll see really quickly if this is the right port or not. Yep, see, it came on plugged. Do a "show run" ... so 16. So there's nothing configured on this port, so we're going to go ahead and give it a description of "Corp PC", switchport mode access, switchport access vlan 100, spanning-tree portfast, shut, no shut. All right, it's on the same one, so let's go ahead and join this to the domain really quickly. No IP conflict anymore. I'm going to go ahead and do securitydemo.net. We're going to jump back to the domain controller as well and create some test accounts; right now I only have Administrator set up. All right, let me start now.

So while it's restarting, let's go ahead and go back here and create some users, actually some groups too. So let's go ahead and create a group for Employees, one for Vendors, Demo. Go ahead and then create users. So first we'll create me, if I can type my name, such as myself. So username... no, I don't want it to change password; password never expires. At some point I'll probably add an ESA into this, but for now I won't. Let's go ahead and make sure I'm part of Enterprise Admins and Domain Admins. Okay, new user: so it's going to be "demo user", demouser. I don't want to have them ever have to change it. Now we're just going to go ahead and make sure they're a member of Demo and, you know, maybe a Domain Admin too, so I can do some stuff there. And let's go ahead and create an employee and a vendor account. So I don't know if anyone else watches or, you know, likes
comic books, but I'm a little bit of a nerd, so I'm going to go with comic book characters. If anyone has ever been to a Cisco EBC, executive briefing conference, in San Jose, you'll notice a lot of people who do those demos have the same kind of interest, because you see a lot of Tony Stark or things like that there. So we're going to go with Jessica Jones, and she's going to be our employee, probably the worst employee in the world if you've ever watched that Netflix series, but we're going to go with it. And I'll make sure that she is jjones@securitydemo.net, member of Employees. Tony Stark, tstark@securitydemo.net, and he's going to be our vendor. All right, awesome.

So let's go ahead and exit out of this guy, minimize it, and see if our certificates automatically get sent down to both the user and the computer. So first we're going to do jjones, enter the password, go ahead and close this guy. So a couple of different ways: if you want to take a look from the endpoints, I'd open up an MMC and go to Add/Remove Snap-in, go to Certificates. First thing we'll check for is the user certificate, and then, since it's not a domain computer admin, it's probably not going to let me check more than the user certificate. But right now, let's see, I don't see any personal certificates. So let's do a gpupdate real quick, "gpupdate /force". So it's not showing for the user, but let's take a look over here real quick. So let's go back to Certification Authority, and under here, if there's issued certificates we'll see it, and if they've been declined for any reason we'll also see that. So Issued Certificates: we don't see anything that's been issued so far. We see a computer certificate... that one probably did. Let's see why it was... something failed. So "the DNS name can't be added to the subject name", and this is what our... I'm sorry, this is probably the Jessica Jones one right here. So I'm having a problem with this thing wanting to expand
itself. So it was my bad; I think I actually put DNS under the user template, and I didn't need to do that. So going back here, it's just me changing my template really quickly; give it a moment. So we'll manage that, go to "GPO User" again. This is good for troubleshooting, because you get to see kind of... so I put DNS name; I didn't need to do that. So I'm going to go ahead and remove that, at least for the user side, because the user is not going to have a DNS name. So let's try this again now that we've corrected that, and see if it issues a certificate this time when I do a group policy update. Ah, this time it issued it, so yeah, that was the issue. So you see there "GPO User", and strange it's not showing here, but up there we go: Jessica Jones now has a certificate. And if we go look at the network adapter settings, we should see our dot1x configuration pushed down. "These settings are managed by your system administrator" means basically group policy, but here we see it's EAP-TLS and it's trusting the AD certificate authority server.

So yeah, at this point we've gone through and we've configured the certificate authority, we've created the group policy, we've created a couple of users and joined some things to the domain. So I think this is a good stopping point for the first real labbing video. Thank you guys so much for listening, and hopefully that wasn't too much of a mess as I was kind of jumping around at different things.
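The build walked through in the captions (rename the server first, static IP, IE ESC and RDP, AD DS forest with DNS, the VLAN 100 DHCP scope, an enterprise root CA with SHA-256 and a five-year validity, the "Security" GPO with certificate autoenrollment, and the test groups and users) as the equivalent PowerShell. This is an added example and not the video's or the author's own script; the host name DC01, the CA common name securitydemo-CA and the template names GPOUser/GPOComputer are assumptions where the captions do not state them, and the wired/wireless 802.1X policies themselves are still set in the GPO editor since no cmdlet writes them. It runs in stages with reboots in between, and keeps the host firewall on and only opens the Remote Desktop rule group rather than disabling the firewall as the video does on the jump box.

```powershell
# Added example: the lab build from the video as PowerShell, run in stages on the new
# server (reboots between stages). Host name DC01, CA name securitydemo-CA and the
# template names are assumptions; addresses are the ones the video uses.

# --- Stage 1: basics before any role is added (run as the local Administrator) ---
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress 10.1.100.40 -PrefixLength 24 -DefaultGateway 10.1.100.254
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 127.0.0.1

# IE Enhanced Security Configuration off for admins and users (lab only; keep it on in production)
$iesc = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Set-ItemProperty "$iesc\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -Value 0   # admins
Set-ItemProperty "$iesc\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -Value 0   # users

# Remote Desktop on, with only its firewall rule group opened (host firewall stays enabled)
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Clock must be right before any certificate is issued; check the source and offset now
w32tm /query /status

# Rename BEFORE promotion so AD and DNS never see the auto-generated name
Rename-Computer -NewName 'DC01' -Restart

# --- Stage 2: AD DS forest (DNS is installed by the promotion itself) ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName 'securitydemo.net' -DomainNetbiosName 'SECURITYDEMO' -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force
# the server reboots here; continue as SECURITYDEMO\Administrator

# --- Stage 3: DHCP scope for VLAN 100 (.150-.199, one hour lease, gateway .254) ---
Install-WindowsFeature DHCP -IncludeManagementTools
Add-DhcpServerInDC -DnsName 'dc01.securitydemo.net' -IPAddress 10.1.100.40
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name ConfigurationState -Value 2  # clear post-install wizard
Add-DhcpServerv4Scope -Name 'VLAN 100' -StartRange 10.1.100.150 -EndRange 10.1.100.199 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Hours 1) -State Active
Set-DhcpServerv4OptionValue -ScopeId 10.1.100.0 -Router 10.1.100.254 -DnsServer 10.1.100.40 -DnsDomain 'securitydemo.net'

# --- Stage 4: enterprise root CA, SHA-256, five-year validity, plus web enrollment ---
# (an online enterprise root is the lab shortcut the video takes; production uses an offline root)
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName 'securitydemo-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 2048 `
    -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 5 -Force
Install-AdcsWebEnrollment -Force

# Publish the templates duplicated in the Certificate Templates console so the CA can issue them
Add-CATemplate -Name 'GPOUser' -Force
Add-CATemplate -Name 'GPOComputer' -Force

# --- Stage 5: "Security" GPO linked at the domain root, computer and user autoenrollment ---
# AEPolicy 7 = enabled + renew expired/update pending + update templates (the three GUI checkboxes)
New-GPO -Name 'Security' | New-GPLink -Target 'DC=securitydemo,DC=net' -Enforced Yes
foreach ($hive in 'HKLM', 'HKCU') {
    Set-GPRegistryValue -Name 'Security' -Key "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" `
        -ValueName AEPolicy -Type DWord -Value 7
}
# Wired AutoConfig (dot3svc) is what gives a NIC its Authentication tab; the video sets it for
# every client under the GPO's System Services, this line sets it on the local host only
Set-Service dot3svc -StartupType Automatic

# --- Stage 6: groups and test users, then check what the CA actually issued ---
foreach ($g in 'Employees', 'Vendors', 'Demo') { New-ADGroup -Name $g -GroupScope Global }
$pw = Read-Host -AsSecureString 'Test user password'
New-ADUser -Name 'Jessica Jones' -SamAccountName jjones -UserPrincipalName 'jjones@securitydemo.net' `
    -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true
Add-ADGroupMember -Identity Employees -Members jjones
New-ADUser -Name 'Tony Stark' -SamAccountName tstark -UserPrincipalName 'tstark@securitydemo.net' `
    -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true
Add-ADGroupMember -Identity Vendors -Members tstark

gpupdate /force
certutil -pulse                                   # trigger autoenrollment on this host right away
# Disposition 20 = issued, 30 = denied, 31 = failed: a failed row with a template name points at
# a template problem (like the user template asking for a DNS subject name in the video)
certutil -view -out 'RequestID,RequesterName,CertificateTemplate,Disposition'
```

The last `certutil -view` is the PowerShell-side equivalent of the Failed Requests folder the video checks: a GPO User request that failed because the template demanded a DNS subject name shows up there with disposition 31, and after the template is fixed the next `gpupdate /force` on the client should produce a disposition 20 row for the same requester.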
Info
Channel: Katherine McNamara
Views: 29,545
Rating: 4.9852943 out of 5
Id: hxMSCWJ-MUY
Length: 46min 4sec (2764 seconds)
Published: Sun Feb 05 2017