ICO wiki - User contributions [en]

Category:I804 Linux Windows administration

2017-11-09T09:50:34Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Instructor: Belgin TAŞTAN

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol

What is DHCP, and when & where is it used?

Components of DHCP

BOOTP and DHCP relation

DHCP message format

DHCP procedures

-allocating new address

-lease renewal

State machine

Questions & answers re. DHCP

Benefits of DHCP

Installation and Configuration DHCP

* Installing and Configuring WDS (Windows Deployment Services): Full Images Deployment

* Installing and Configuring Microsoft Deployment Toolkit (MDT): Deploying Windows 7 + Office 2010

* Deploying Software Using Group Policy : MSI Packages

3. Assignment;
Grading criteria for each assignment will be provided with the instructions for the assignment. If the assignment is not delivered

by the deadline, the assignment is considered to be failed. Plagiarism is not allowed. Deadline is 15 th of May at 24:00

Homework suppose to include screen capture and explanation with your own words in pdf format.

Name_Surname.zip format email it as an attachment to belgin.tastan@itcollege.ee

Deploy Windows 7 with Office 2010

- Deployment Share folder is with student name.
- Task Sequence ID is with student (ID) number.
- Internet explorer name is with student blog-web name.
- User credentials is with student name.

Deploy an MSI Package with GPO

- OU name is with student name_OU
- MSI Package is 7 zip or winrar

Total: Please add your both Windows 7 with Office 2010 and MSI Package file in to zip folder.

* Exchange Server

Exchange Server Installation

Configure Exchange Server to Send and Receive Outside Email

Configuring Outlook for Users

Edge Transport Server Role—Establishing Perimeter Security

Client Access Server Role—Providing User Connectivity

Hub Transport Servers—Routing the Mail

Unified Messaging Servers—Combining All the Data

Mailbox Servers—What It’s All About

Mailbox High Availability

Disaster Recovery

Storage Options

* Printer Configuration

How to Configure a Printer in Windows

Setting up Printers via Group Policy

Setting as a default printer

How to use Group Policy settings to control printers in Active Directory

* Virtual Private Network

Configure VPN in Windows Server

Configure DHCP Relay Agent

Configure and Enable Routing and Remote Access

Creating VPN Connection

Client Connectivity Testing

4. Assignment;
Grading criteria for each assignment will be provided with the instructions for the assignment. If the assignment is not delivered by
the deadline, the assignment is considered to be failed. Plagiarism is not allowed. Deadline is 24th of May at 24:00 Homework suppose
to include screen capture and explanation with your own words in pdf format. Name_Surname.pdf format email it as an attachment
to belgin.tastan@itcollege.ee
Install and configure VPN in Windows Server and show client connectivity.

* Mimikatz

One of the most interesting tools in a penetration tester’s arsenal is mimikatz. Mimikatz is a tool that scrapes the memory of the process responsible for Windows authentication(LSASS) and reveals cleartext passwords and NTLM hashes that an attacker can use to pivot around a network. From that point they escalate privilege either by authenticating with the clear text credentials or passing the hash.

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-24T12:27:33Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol

What is DHCP, and when & where is it used?

Components of DHCP

BOOTP and DHCP relation

DHCP message format

DHCP procedures

-allocating new address

-lease renewal

State machine

Questions & answers re. DHCP

Benefits of DHCP

Installation and Configuration DHCP

* Installing and Configuring WDS (Windows Deployment Services): Full Images Deployment

* Installing and Configuring Microsoft Deployment Toolkit (MDT): Deploying Windows 7 + Office 2010

* Deploying Software Using Group Policy : MSI Packages

3. Assignment;
Grading criteria for each assignment will be provided with the instructions for the assignment. If the assignment is not delivered

by the deadline, the assignment is considered to be failed. Plagiarism is not allowed. Deadline is 15 th of May at 24:00

Homework suppose to include screen capture and explanation with your own words in pdf format.

Name_Surname.zip format email it as an attachment to belgin.tastan@itcollege.ee

Deploy Windows 7 with Office 2010

- Deployment Share folder is with student name.
- Task Sequence ID is with student (ID) number.
- Internet explorer name is with student blog-web name.
- User credentials is with student name.

Deploy an MSI Package with GPO

- OU name is with student name_OU
- MSI Package is 7 zip or winrar

Total: Please add your both Windows 7 with Office 2010 and MSI Package file in to zip folder.

* Exchange Server

Exchange Server Installation

Configure Exchange Server to Send and Receive Outside Email

Configuring Outlook for Users

Edge Transport Server Role—Establishing Perimeter Security

Client Access Server Role—Providing User Connectivity

Hub Transport Servers—Routing the Mail

Unified Messaging Servers—Combining All the Data

Mailbox Servers—What It’s All About

Mailbox High Availability

Disaster Recovery

Storage Options

* Printer Configuration

How to Configure a Printer in Windows

Setting up Printers via Group Policy

Setting as a default printer

How to use Group Policy settings to control printers in Active Directory

* Virtual Private Network

Configure VPN in Windows Server

Configure DHCP Relay Agent

Configure and Enable Routing and Remote Access

Creating VPN Connection

Client Connectivity Testing

4. Assignment;
Grading criteria for each assignment will be provided with the instructions for the assignment. If the assignment is not delivered by
the deadline, the assignment is considered to be failed. Plagiarism is not allowed. Deadline is 24th of May at 24:00 Homework suppose
to include screen capture and explanation with your own words in pdf format. Name_Surname.pdf format email it as an attachment
to belgin.tastan@itcollege.ee
Install and configure VPN in Windows Server and show client connectivity.

* Mimikatz

One of the most interesting tools in a penetration tester’s arsenal is mimikatz. Mimikatz is a tool that scrapes the memory of the process responsible for Windows authentication(LSASS) and reveals cleartext passwords and NTLM hashes that an attacker can use to pivot around a network. From that point they escalate privilege either by authenticating with the clear text credentials or passing the hash.

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-18T10:58:56Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol

What is DHCP, and when & where is it used?

Components of DHCP

BOOTP and DHCP relation

DHCP message format

DHCP procedures

-allocating new address

-lease renewal

State machine

Questions & answers re. DHCP

Benefits of DHCP

Installation and Configuration DHCP

* Installing and Configuring WDS (Windows Deployment Services): Full Images Deployment

* Installing and Configuring Microsoft Deployment Toolkit (MDT): Deploying Windows 7 + Office 2010

* Deploying Software Using Group Policy : MSI Packages

3. Assignment;
Grading criteria for each assignment will be provided with the instructions for the assignment. If the assignment is not delivered

by the deadline, the assignment is considered to be failed. Plagiarism is not allowed. Deadline is 15 th of May at 24:00

Homework suppose to include screen capture and explanation with your own words in pdf format.

Name_Surname.zip format email it as an attachment to belgin.tastan@itcollege.ee

Deploy Windows 7 with Office 2010

- Deployment Share folder is with student name.
- Task Sequence ID is with student (ID) number.
- Internet explorer name is with student blog-web name.
- User credentials is with student name.

Deploy an MSI Package with GPO

- OU name is with student name_OU
- MSI Package is 7 zip or winrar

Total: Please add your both Windows 7 with Office 2010 and MSI Package file in to zip folder.

* Exchange Server

Exchange Server Installation

Configure Exchange Server to Send and Receive Outside Email

Configuring Outlook for Users

Edge Transport Server Role—Establishing Perimeter Security

Client Access Server Role—Providing User Connectivity

Hub Transport Servers—Routing the Mail

Unified Messaging Servers—Combining All the Data

Mailbox Servers—What It’s All About

Mailbox High Availability

Disaster Recovery

Storage Options

* Printer Configuration

How to Configure a Printer in Windows

Setting up Printers via Group Policy

Setting as a default printer

How to use Group Policy settings to control printers in Active Directory

* Virtual Private Network

Configure VPN in Windows Server

Configure DHCP Relay Agent

Configure and Enable Routing and Remote Access

Creating VPN Connection

Client Connectivity Testing

4. Assignment;
Grading criteria for each assignment will be provided with the instructions for the assignment. If the assignment is not delivered by
the deadline, the assignment is considered to be failed. Plagiarism is not allowed. Deadline is 24th of May at 24:00 Homework suppose
to include screen capture and explanation with your own words in pdf format. Name_Surname.pdf format email it as an attachment
to belgin.tastan@itcollege.ee
Install and configure VPN in Windows Server and show client connectivity.

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-15T08:35:13Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol

What is DHCP, and when & where is it used?

Components of DHCP

BOOTP and DHCP relation

DHCP message format

DHCP procedures

-allocating new address

-lease renewal

State machine

Questions & answers re. DHCP

Benefits of DHCP

Installation and Configuration DHCP

* Installing and Configuring WDS (Windows Deployment Services): Full Images Deployment

* Installing and Configuring Microsoft Deployment Toolkit (MDT): Deploying Windows 7 + Office 2010

* Deploying Software Using Group Policy : MSI Packages

3. Assignment;
Grading criteria for each assignment will be provided with the instructions for the assignment. If the assignment is not delivered

by the deadline, the assignment is considered to be failed. Plagiarism is not allowed. Deadline is 15 th of May at 24:00

Homework suppose to include screen capture and explanation with your own words in pdf format.

Name_Surname.zip format email it as an attachment to belgin.tastan@itcollege.ee

Deploy Windows 7 with Office 2010

- Deployment Share folder is with student name.
- Task Sequence ID is with student (ID) number.
- Internet explorer name is with student blog-web name.
- User credentials is with student name.

Deploy an MSI Package with GPO

- OU name is with student name_OU
- MSI Package is 7 zip or winrar

Total: Please add your both Windows 7 with Office 2010 and MSI Package file in to zip folder.

* Exchange Server

Exchange Server Installation

Configure Exchange Server to Send and Receive Outside Email

Configuring Outlook for Users

Edge Transport Server Role—Establishing Perimeter Security

Client Access Server Role—Providing User Connectivity

Hub Transport Servers—Routing the Mail

Unified Messaging Servers—Combining All the Data

Mailbox Servers—What It’s All About

Mailbox High Availability

Disaster Recovery

Storage Options

* Printer Configuration

How to Configure a Printer in Windows

Setting up Printers via Group Policy

Setting as a default printer

How to use Group Policy settings to control printers in Active Directory

* Virtual Private Network

Configure VPN in Windows Server

Configure DHCP Relay Agent

Configure and Enable Routing and Remote Access

Creating VPN Connection

Client Connectivity Testing

4. Assignment;

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-15T08:34:21Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol

What is DHCP, and when & where is it used?

Components of DHCP

BOOTP and DHCP relation

DHCP message format

DHCP procedures

-allocating new address

-lease renewal

State machine

Questions & answers re. DHCP

Benefits of DHCP

Installation and Configuration DHCP

* Installing and Configuring WDS (Windows Deployment Services): Full Images Deployment

* Installing and Configuring Microsoft Deployment Toolkit (MDT): Deploying Windows 7 + Office 2010

* Deploying Software Using Group Policy : MSI Packages

3. Assignment;
Grading criteria for each assignment will be provided with the instructions for the assignment. If the assignment is not delivered

by the deadline, the assignment is considered to be failed. Plagiarism is not allowed. Deadline is 15 th of May at 24:00

Homework suppose to include screen capture and explanation with your own words in pdf format.

Name_Surname.zip format email it as an attachment to belgin.tastan@itcollege.ee

Deploy Windows 7 with Office 2010

- Deployment Share folder is with student name.
- Task Sequence ID is with student (ID) number.
- Internet explorer name is with student blog-web name.
- User credentials is with student name.

Deploy an MSI Package with GPO

- OU name is with student name_OU
- MSI Package is 7 zip or winrar

Total: Please add your both Windows 7 with Office 2010 and MSI Package file in to zip folder.

* Exchange Server

Exchange Server Installation

Configure Exchange Server to Send and Receive Outside Email

Configuring Outlook for Users

Edge Transport Server Role—Establishing Perimeter Security

Client Access Server Role—Providing User Connectivity

Hub Transport Servers—Routing the Mail

Unified Messaging Servers—Combining All the Data

Mailbox Servers—What It’s All About

Mailbox High Availability

Disaster Recovery

Storage Options

* Printer Configuration

How to Configure a Printer in Windows

Setting up Printers via Group Policy

Setting as a default printer

How to use Group Policy settings to control printers in Active Directory

* Virtual Private Network

Configure VPN in Windows Server

Configure DHCP Relay Agent

Configure and Enable Routing and Remote Access

Creating VPN Connection

Client Connectivity Testing

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-15T08:30:05Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol

What is DHCP, and when & where is it used?

Components of DHCP

BOOTP and DHCP relation

DHCP message format

DHCP procedures

-allocating new address

-lease renewal

State machine

Questions & answers re. DHCP

Benefits of DHCP

Installation and Configuration DHCP

* Installing and Configuring WDS (Windows Deployment Services): Full Images Deployment

* Installing and Configuring Microsoft Deployment Toolkit (MDT): Deploying Windows 7 + Office 2010

* Deploying Software Using Group Policy : MSI Packages

3. Assignment;
Grading criteria for each assignment will be provided with the instructions for the assignment. If the assignment is not delivered

by the deadline, the assignment is considered to be failed. Plagiarism is not allowed. Deadline is 15 th of May at 24:00

Homework suppose to include screen capture and explanation with your own words in pdf format.

Name_Surname.zip format email it as an attachment to belgin.tastan@itcollege.ee

Deploy Windows 7 with Office 2010

- Deployment Share folder is with student name.
- Task Sequence ID is with student (ID) number.
- Internet explorer name is with student blog-web name.
- User credentials is with student name.

Deploy an MSI Package with GPO

- OU name is with student name_OU
- MSI Package is 7 zip or winrar

Total: Please add your both Windows 7 with Office 2010 and MSI Package file in to zip folder.

* Exchange Server

Exchange Server Installation

Configure Exchange Server to Send and Receive Outside Email

Configuring Outlook for Users

Edge Transport Server Role—Establishing Perimeter Security

Client Access Server Role—Providing User Connectivity

Hub Transport Servers—Routing the Mail

Unified Messaging Servers—Combining All the Data

Mailbox Servers—What It’s All About

Mailbox High Availability

Disaster Recovery

Storage Options

* Printer Configuration

How to Configure a Printer in Windows

Setting up Printers via Group Policy

Setting as a default printer

How to use Group Policy settings to control printers in Active Directory

* Virtual Private Network

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-15T08:27:41Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol

What is DHCP, and when & where is it used?

Components of DHCP

BOOTP and DHCP relation

DHCP message format

DHCP procedures

-allocating new address

-lease renewal

State machine

Questions & answers re. DHCP

Benefits of DHCP

Installation and Configuration DHCP

* Installing and Configuring WDS (Windows Deployment Services): Full Images Deployment

* Installing and Configuring Microsoft Deployment Toolkit (MDT): Deploying Windows 7 + Office 2010

* Deploying Software Using Group Policy : MSI Packages

3. Assignment;
Grading criteria for each assignment will be provided with the instructions for the assignment. If the assignment is not delivered

by the deadline, the assignment is considered to be failed. Plagiarism is not allowed. Deadline is 15 th of May at 24:00

Homework suppose to include screen capture and explanation with your own words in pdf format.

Name_Surname.zip format email it as an attachment to belgin.tastan@itcollege.ee

Deploy Windows 7 with Office 2010

- Deployment Share folder is with student name.
- Task Sequence ID is with student (ID) number.
- Internet explorer name is with student blog-web name.
- User credentials is with student name.

Deploy an MSI Package with GPO

- OU name is with student name_OU
- MSI Package is 7 zip or winrar

Total: Please add your both Windows 7 with Office 2010 and MSI Package file in to zip folder.

* Exchange Server

Exchange Server Installation

Configure Exchange Server to Send and Receive Outside Email

Configuring Outlook for Users

Edge Transport Server Role—Establishing Perimeter Security

Client Access Server Role—Providing User Connectivity

Hub Transport Servers—Routing the Mail

Unified Messaging Servers—Combining All the Data

Mailbox Servers—What It’s All About

Mailbox High Availability

Disaster Recovery

Storage Options

* Printer Configuration
* Virtual Private Network

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-15T08:27:16Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol

What is DHCP, and when & where is it used?

Components of DHCP

BOOTP and DHCP relation

DHCP message format

DHCP procedures

-allocating new address

-lease renewal

State machine

Questions & answers re. DHCP

Benefits of DHCP

Installation and Configuration DHCP

* Installing and Configuring WDS (Windows Deployment Services): Full Images Deployment

* Installing and Configuring Microsoft Deployment Toolkit (MDT): Deploying Windows 7 + Office 2010

* Deploying Software Using Group Policy : MSI Packages

3. Assignment;
Grading criteria for each assignment will be provided with the instructions for the assignment. If the assignment is not delivered

by the deadline, the assignment is considered to be failed. Plagiarism is not allowed. Deadline is 15 th of May at 24:00

Homework suppose to include screen capture and explanation with your own words in pdf format.

Name_Surname.zip format email it as an attachment to belgin.tastan@itcollege.ee

Deploy Windows 7 with Office 2010

- Deployment Share folder is with student name.
- Task Sequence ID is with student (ID) number.
- Internet explorer name is with student blog-web name.
- User credentials is with student name.

Deploy an MSI Package with GPO

- OU name is with student name_OU
- MSI Package is 7 zip or winrar

Total: Please add your both Windows 7 with Office 2010 and MSI Package file in to zip folder.

* Exchange Server

Exchange Server Installation

Configure Exchange Server to Send and Receive Outside Email

Configuring Outlook for Users

Edge Transport Server Role—Establishing Perimeter Security

Client Access Server Role—Providing User Connectivity

Hub Transport Servers—Routing the Mail

Unified Messaging Servers—Combining All the Data

Mailbox Servers—What It’s All About

Mailbox High Availability

Disaster Recovery

Storage Options
* Printer Configuration
* Virtual Private Network

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-15T08:26:34Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol

What is DHCP, and when & where is it used?

Components of DHCP

BOOTP and DHCP relation

DHCP message format

DHCP procedures

-allocating new address

-lease renewal

State machine

Questions & answers re. DHCP

Benefits of DHCP

Installation and Configuration DHCP

* Installing and Configuring WDS (Windows Deployment Services): Full Images Deployment

* Installing and Configuring Microsoft Deployment Toolkit (MDT): Deploying Windows 7 + Office 2010

* Deploying Software Using Group Policy : MSI Packages

3. Assignment;
Grading criteria for each assignment will be provided with the instructions for the assignment. If the assignment is not delivered

by the deadline, the assignment is considered to be failed. Plagiarism is not allowed. Deadline is 15 th of May at 24:00

Homework suppose to include screen capture and explanation with your own words in pdf format.

Name_Surname.zip format email it as an attachment to belgin.tastan@itcollege.ee

Deploy Windows 7 with Office 2010

- Deployment Share folder is with student name.
- Task Sequence ID is with student (ID) number.
- Internet explorer name is with student blog-web name.
- User credentials is with student name.

Deploy an MSI Package with GPO

- OU name is with student name_OU
- MSI Package is 7 zip or winrar

Total: Please add your both Windows 7 with Office 2010 and MSI Package file in to zip folder.

* Exchange Server

Exchange Server Installation

Configure Exchange Server to Send and Receive Outside Email

Configuring Outlook for Users

Edge Transport Server Role—Establishing Perimeter Security

Client Access Server Role—Providing User Connectivity

Hub Transport Servers—Routing the Mail

Unified Messaging Servers—Combining All the Data

Mailbox Servers—What It’s All About

Mailbox High Availability

Disaster Recovery

Storage Options
* Printer Configuration
* Virtual Private Network

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-15T08:19:29Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol

What is DHCP, and when & where is it used?

Components of DHCP

BOOTP and DHCP relation

DHCP message format

DHCP procedures

-allocating new address

-lease renewal

State machine

Questions & answers re. DHCP

Benefits of DHCP

Installation and Configuration DHCP

* Installing and Configuring WDS (Windows Deployment Services): Full Images Deployment

* Installing and Configuring Microsoft Deployment Toolkit (MDT): Deploying Windows 7 + Office 2010

* Deploying Software Using Group Policy : MSI Packages

3. Assignment;
Grading criteria for each assignment will be provided with the instructions for the assignment. If the assignment is not delivered

by the deadline, the assignment is considered to be failed. Plagiarism is not allowed. Deadline is 15 th of May at 24:00

Homework suppose to include screen capture and explanation with your own words in pdf format.

Name_Surname.zip format email it as an attachment to belgin.tastan@itcollege.ee

Deploy Windows 7 with Office 2010

- Deployment Share folder is with student name.
- Task Sequence ID is with student (ID) number.
- Internet explorer name is with student blog-web name.
- User credentials is with student name.

Deploy an MSI Package with GPO

- OU name is with student name_OU
- MSI Package is 7 zip or winrar

Total: Please add your both Windows 7 with Office 2010 and MSI Package file in to zip folder.

* Exchange Server

Mailbox High Availability

Disaster Recovery

Storage Options
* Printer Configuration
* Virtual Private Network

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-13T18:27:03Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol

What is DHCP, and when & where is it used?

Components of DHCP

BOOTP and DHCP relation

DHCP message format

DHCP procedures

-allocating new address

-lease renewal

State machine

Questions & answers re. DHCP

Benefits of DHCP

Installation and Configuration DHCP

* Installing and Configuring WDS (Windows Deployment Services): Full Images Deployment

* Installing and Configuring Microsoft Deployment Toolkit (MDT): Deploying Windows 7 + Office 2010

* Deploying Software Using Group Policy : MSI Packages

3. Assignment;
Grading criteria for each assignment will be provided with the instructions for the assignment. If the assignment is not delivered

by the deadline, the assignment is considered to be failed. Plagiarism is not allowed. Deadline is 15 th of May at 24:00

Homework suppose to include screen capture and explanation with your own words in pdf format.

Name_Surname.zip format email it as an attachment to belgin.tastan@itcollege.ee

Deploy Windows 7 with Office 2010

- Deployment Share folder is with student name.
- Task Sequence ID is with student (ID) number.
- Internet explorer name is with student blog-web name.
- User credentials is with student name.

Deploy an MSI Package with GPO

- OU name is with student name_OU
- MSI Package is 7 zip or winrar

Total: Please add your both Windows 7 with Office 2010 and MSI Package file in to zip folder.

* Exchange Server
* Printer Configuration
* Virtual Private Network

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-09T06:14:24Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol

What is DHCP, and when & where is it used?

Components of DHCP

BOOTP and DHCP relation

DHCP message format

DHCP procedures

-allocating new address

-lease renewal

State machine

Questions & answers re. DHCP

Benefits of DHCP

Installation and Configuration DHCP

* Installing and Configuring WDS (Windows Deployment Services): Full Images Deployment

* Installing and Configuring Microsoft Deployment Toolkit (MDT): Deploying Windows 7 + Office 2010

* Deploying Software Using Group Policy : MSI Packages

3. Assignment;
Grading criteria for each assignment will be provided with the instructions for the assignment. If the assignment is not delivered

by the deadline, the assignment is considered to be failed. Plagiarism is not allowed. Deadline is 15 th of May at 24:00

Homework suppose to include screen capture and explanation with your own words in pdf format.

Name_Surname.zip format email it as an attachment to belgin.tastan@itcollege.ee

Deploy Windows 7 with Office 2010

- Deployment Share folder is with student name.
- Task Sequence ID is with student (ID) number.
- Internet explorer name is with student blog-web name.
- User credentials is with student name.

Deploy an MSI Package with GPO

- OU name is with student name_OU
- MSI Package is 7 zip or winrar

Total: Please add your both Windows 7 with Office 2010 and MSI Package file in to zip folder.

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-09T06:09:33Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol

What is DHCP, and when & where is it used?

Components of DHCP

BOOTP and DHCP relation

DHCP message format

DHCP procedures

-allocating new address

-lease renewal

State machine

Questions & answers re. DHCP

Benefits of DHCP

Installation and Configuration DHCP

* Installing and Configuring WDS (Windows Deployment Services): Full Images Deployment

* Installing and Configuring Microsoft Deployment Toolkit (MDT): Deploying Windows 7 + Office 2010

* Deploying Software Using Group Policy : MSI Packages

3. Assignment;
Grading criteria for each assignment will be provided with the instructions for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 15 th of May at 24:00

Homework suppose to include screen capture and explanation with your own words in pdf format.

Name_Surname.zip format email it as an attachment to belgin.tastan@itcollege.ee

Deploy Windows 7 with Office 2010

- Deployment Share folder is with student name.
- Task Sequence ID is with student (ID) number.
- Internet explorer name is with student blog-web name.
- User credentials is with student name.

Deploy an MSI Package with GPO

- OU name is with student name_OU
- MSI Package is 7 zip or winrar

Total: Please add your both Windows 7 with Office 2010 and MSI Package file in to zip folder.

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-08T06:41:02Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol

What is DHCP, and when & where is it used?

Components of DHCP

BOOTP and DHCP relation

DHCP message format

DHCP procedures

-allocating new address

-lease renewal

State machine

Questions & answers re. DHCP

Benefits of DHCP

Installation and Configuration DHCP

* Installing and Configuring WDS (Windows Deployment Services): Full Images Deployment

* Installing and Configuring Microsoft Deployment Toolkit (MDT): Deploying Windows 7 + Office 2010

* Deploying Software Using Group Policy : MSI Packages

3. Assignment;

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-08T06:37:03Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol

What is DHCP, and when & where is it used?

Components of DHCP

BOOTP and DHCP relation

DHCP message format

DHCP procedures

-allocating new address

-lease renewal

State machine

Questions & answers re. DHCP

Benefits of DHCP

Installation and Configuration DHCP

* Installing and Configuring WDS (Windows Deployment Services): Full Images Deployment

* Installing and Configuring Microsoft Deployment Toolkit (MDT): Deploying Windows 7 + Office 2010

* Deploying Software Using Group Policy : MSI Packages

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-08T06:31:16Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol

What is DHCP, and when & where is it used?

Components of DHCP

BOOTP and DHCP relation

DHCP message format

DHCP procedures

-allocating new address

-lease renewal

State machine

Questions & answers re. DHCP

Benefits of DHCP

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-08T06:30:13Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* DHCP: Dynamic Host Configuration Protocol
What is DHCP, and when & where is it used?
Components of DHCP
BOOTP and DHCP relation
DHCP message format
DHCP procedures
allocating new address
lease renewal
State machine
Questions & answers re. DHCP
Benefits of DHCP

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-05-07T15:05:21Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mendatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-04-24T06:00:09Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mandatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operations Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-04-24T05:56:30Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mandatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operationa Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller; Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change.

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-04-24T05:54:25Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mandatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Active Directory

Groups; Global Groups, Universal Groups, Domain Local Groups.

Organizational Units; Geographicall or Business Based.

One way - Two way Trust.

Sites

Forest - wide operationa Master Roles (FSMO); Schema and Domain Naming Master Roles.

Domain - wide Operations Master Roles; Primary Domain Controller (PDC), Relative ID (RID), Infrastructure master role.

* Domain Controller

* Additional Domain Controller

* Read Only Domain Controller; Read Only Active Directory Database and GC PASS, Only allowed user passwords are stored on RODC, Uniderectional Replication, Role Seperation.
Increase security for remote Domain Controllers where physical security cannot be guaranteed.

* Child Domain Controller

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-04-18T09:56:39Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mandatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-04-18T09:56:20Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mandatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-04-18T09:56:04Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Exam Dates:

26 May 2017 Lab Exam %50 Mandatory

29 May 2017 Lab Exam %50 People who failed previous examination

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-04-17T10:23:28Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu
OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local
Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings
for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8
characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of
this time users have to log off.

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-04-17T10:22:11Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment; Grading criteria for each assignment will be provided with the instructions
for the assignment. If the assignment is not delivered by the deadline, the assignment is
considered to be failed. Plagiarism is not allowed. Deadline is 24 th of April

Name_Surname.pdf format email it as an attachment to belgin.tastan@itcollege.ee

Active Directory runs on Windows Server 2012 R2, Domain Name suppose to be surname of student. There should be Central, Tartu and Parnu OUs. There should be at least 2 users in each OUs. There has to be at least one pc in this domain. Group Policy settings; Reset Local Administrator Password, Windows Firewall with Advanced Security for client machine. User Account Control (UAC), Password Policy settings for users. Password Policy; Central OU is with 13 characters and complex. Tartu OU is with 10 characters and complex. Parnu OU is with 8 characters and not complex. Users of Tartu and Parnu OUs should logon to their computers during work time which is 09:00-18:00 instead of this time users have to log off.

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-04-11T10:26:37Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment;

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-04-11T10:25:50Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment;

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-04-11T10:24:23Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

2. Assignment;

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-04-11T10:21:59Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Installing and Configuring Active Directory on Server 2012 R2, Server 2016.

- Creating Organizational Units and users.

* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-04-03T07:53:09Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s

- GPO Components

- GPO Work Steps

- Modifying Group Policy Processing

- WMI Filter

- Loopback Processing

- Backup and Restore GPO

- Fine-grained passwords

* Remotely configuring workstations
* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-04-03T07:21:17Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

- To join computers running Windows Server 2008 R2

* Setting up GPO-s
* Remotely configuring workstations
* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-04-03T07:04:48Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

- Creating new user accounts

* Setting up GPO-s
* Remotely configuring workstations
* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-04-03T06:42:20Z

Btastan: /* General information */

=Linux/Windows administration=

==General information==

In this course we will take a look at how Linux and Windows machines are administered.

Assume that from previous courses there is familiarity with: basic virtualization, networks, partitions, filesystems, BIND9.

sharing document: https://onedrive.live.com/?authkey=%21AFAxtpKI_r5cX6c&id=93040B43356F2D88%21116648&cid=93040B43356F2D88

Windows:

* IP Configuration & Subnetting
-IP Adresses and Classes

-Subnet Mask

-Subnetting

-Loopback IP Adress

-Public and Private IP Adresses

* Windows Client Configuration
-Introduction to Editions & Features

-Create John, Elena and Steve users. John suppose to logon same computer Monday-Friday at 08:00-18:00, Elena Saturday-Sunday at 08:00-18:00,
Steve Monday-Friday at 18:00-02:00.

-Group Policy Object Editor Examples; All users can't configure IP. Password Length must be 7 characters.
Password must meet complexity requirements. Internet home page must be www.itcollege.ee . No more USB drivers. No usage of Control Panel. No CMD.
I want to see as an Administrator who logged into my computer and when with different user credentials. No changes in system time.

-Sharing Folder Examples;
Create a new folder name with "Sharing Folder" John and Elena Read Permission, Steve Read/Write Permission. Back Up Operating System chose target as "Sharing Folder".

-Bitlocker to Go USB drive increption.

-Bitdefender virus/malware protection configuration.

-Powershell code examples; Get-Service,
Get-Process, Get-ExecutionPolicy, ping www.google.com , Get-Process | Format-List, Get-Job, Get-ScheduledJob, Get-Module –ListAvailable, Test-Connection localhost, Get-EventLog system, Clear-EventLog.

-Direct Access Configuration.

-Hyper-V Installing.

* Windows Server Configuration

-Introduction to Editions & Features ( 2008 R2, 2012 R2, 2016 )

-Initial Configuration with Task Wizard ( Time, Name, IP, Update )

* Hyper-V Configuration

-Introduction of Hyper-V Manager ( Create New Machine, Import Virtual Machine, Edit Disk, Import Disk, Virtual Network Manager, Save&Pause States, Hyper-V Settings )

-Live Migration Process

-Fail over Cluster Manager ( Cluster Shared Volume, Cluster Storage )

-Overview of System Center Virtual Machine Manager

-Disk Configuration ( Fixed Size, Dynamically Expanding, Differencing )

-PowerShell codes for managing Hyper-V objects, including VMs, network adapters and VHDs.

-Hyper-V Replica

* Virtualization

-Introduction to Server and Network Virtualization

* Disk Configuration

-Disk Management ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume )

1. Assignment; Windows Server 2008 R2 Disk Configuration and Hyper-V Configuration.
Implement Disk and Hyper-V Configurations with explanations and screen captures.

Disk Configuration ( Dynamic Disk, Master Boot Record, GUID Partition Table, Spanned Volume, Stripped Volume, Mirrored Volume, RAID-5 Volume, Extending a Volume, Shrinking a Volume, Adding a Mirror to a Volume ).

Hyper-V Configuration ( Cluster Shared Volumes, Live Migration )

Email to belgin.tastan@itcollege.ee

* Server Back-up

-Full Back Up

-Incremental Backup

-Differential Backup

* Items in Backup

-Bare Metal

-System State

-Full

-Individuals Volumes

-Files or Volumes

* Backup resources

- Shared folders

- Removable media

- Internal hard disk

- External hard disk

* Fail Over Cluster

-Creating Fail Over Cluster

-Adding Disks to a Cluster

-Creating a Cluster Shared Volume ( CSV )

* Redundant Array of Independent Disks ( RAID ) Types

- RAID 0

- RAID 1

- RAID 5

- RAID 10 ( 1+0 )

- RAID 6

- RAID 00

- RAID 50

- RAID 60

Exercises

-Adding 2 more disks and make it mirror disk. Take Bare Metal Backup in to this location.

-Adding 1 more disk and take Full Backup in to this location.

Exercises

- Local Admin Password changing with PowerShell.exe

Instructions
From a computer :

1.open Powershell as administrator

2.make sure that executionpolicy allow script execution

3.Type : resetlocalAdminpassword.ps1 -newpassword <password>
where <password> is the new value of your password

https://gallery.technet.microsoft.com/Reset-Local-Administrator-e3023c3a

- Firewall should disabled in Group Policy Object Editor

- Windows Defender should disabled in Group Policy Object Editor

- Windows Update should disabled in Group Policy Object Editor

- Smart Screen should disabled in Group Policy Object Editor

- User Account Control Settings should force to low level

- IPV6 should force to Up and Running in Group Policy Object Editor

- Audit Logs should force to disabled in Group Policy Object Editor

- C$ Restriction. User Configuration > Administrative Templates > Windows Components > Windows Explorer - "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer". Both are set to "Enabled" with the option "Restrict C drive only".

* DNS Configuration

- Understanding and Managing DNS

- Introduction to the DNS

- DNS Components;
The name space,
The servers,
The resolvers.

- DNS Structure and Hierarchy

- The DNS in Context

NOTE: Everyone will bring an example of Amplification attacks to talk about.

Resource Records and Records Types

Forward and Reverse Lookup Zone

DNS Replication

* Active Directory

- AD DS Physical Components

Domain Controllers,
Global Catalog Servers,
Data Store,
Replication,
Sites.

- AD DS Logical Components

AD DS Schema,
The Basics,
Trusts,
AD DS Objects.

- Protocol

- What is Authentication?

- What is Authorization?

- Why Deploy AD DS?

- Centralized Network Management

- Requirements for Installing AD DS

- Overview of AD DS and DNS

- Overview of AD DS Components

Installation and Management AD

Observe the installation of AD DS
Active Directory Users and Computers
Active Directory Administrative Center
Active Directory Sites and Services

* Setting up GPO-s
* Remotely configuring workstations
* Virtual Private Network
* Printer Configuration
* Exchange Server

https://www.itcollege.ee/tudengile/oppehoone/tehnika-kasutamine/#Microsoft

=Linux:=

* Configuration management using Puppet
* Setting up fileserver using Samba, identity mapping
* Setting up Samba as domain controller and/or joining Samba to AD domain
* Using samba-tool to manage user accounts and DNS records on domain controller
* Interacting with domain controller using LDAP
* Configuring Postfix and Dovecot servers for sending e-mail via SMTP and receiving e-mail over IMAP
* Creating service accounts and authenticating network services (gogs, wiki, etc) with LDAP
* Guidelines for hardening Ubuntu installation

==Linux==

===Interacting with domain controller===

Video recording of the lecture/lab here: https://echo360.e-ope.ee/ess/echo/presentation/a5a41d62-f6b3-4a6a-9a3b-6049dfbea5c9

If you're attempting to run these commands on a blank Ubuntu box you need to install couple packages:

apt install nmap dnsutils krb5-user ldap-utils libsasl2-modules-gssapi-mit samba-common cifs-utils
pip install pyldap

Figure out what are the host name(s) of the domain controller(s) for INTRA.ITCOLLEGE.EE realm:

dig -t SRV _ldap._tcp.intra.itcollege.ee

Figure out which ports are open on the domain controller?

nmap ...

Attempt to query information about your user account from the domain controller.
Where is the e-mail being forwarded to?
What is the security identifier for the user?
What script is being executed when the user logs in to Windows workstation?

ldapsearch -H ldap://... -W -D your-username@itcollege.ee -b ... samaccountname=target-username

Download and install Apache Directory Studio. Configure connection to the domain controller for browsing graphically.

===Kerberos client commands===

List Kerberos tickets:

klist

Flush credentials:

kdestroy

Obtain new credentials. What is the error message returned upon incorrect password? What tickets were initialized by the command? What is the lifetime of the tickets?

kinit your-username@INTRA.ITCOLLEGE.EE

Try to renew:

krenew

Attempt same LDAP queries as you did before but now with Kerberos credentials by substituing -W -D ... flags with -Y GSSAPI:

ldapsearch -H ldap://... -Y GSSAPI -b ... samaccountname=target-username

List Kerberos tickets again. What changed? Query the same information from another domain controller. What changed now?

Attempt the same query using Python, make modifications as necessary:

<source lang="python">
import ldap, ldap.sasl
l = ldap.initialize('ldap://...')
l.set_option(ldap.OPT_REFERRALS, 0)
l.sasl_interactive_bind_s('', ldap.sasl.gssapi())
filter = '(&(objectClass=user)(objectCategory=person)(samaccountname=target-username))'
r = l.search_s('dc=...,dc=...,dc=...',ldap.SCOPE_SUBTREE,filter,['cn','mail'])
for dn,entry in r:
if not dn: continue
full_name, = entry["cn"]
mail, = entry["mail"]
print full_name, mail
</source>

===Browsing file shares===

Using Samba client tools list filesystem shares from domain controller:

smbclient -k ... -L

List Kerberos tickets again. What changed?

List files in the NETLOGON share:

smbclient -k //.../netlogon -c ls

Download the login script whose filename was previously figured out with LDAP query.

smbclient -k //.../netlogon -c "get ..."

What commands are executed when Windows workstation logs in?

Attempt to browse shares from the fileserver using smbclient.

Open graphical filesystem browser of Ubuntu (nautilus).
Press Ctrl-L to open up address bar.
Attemp to browse shares at domain controller using smb:// scheme at fileserver.

===Setting up domain controller===

Video recording available here: https://echo360.e-ope.ee/ess/echo/presentation/9c28f070-0aee-4d34-930b-b043938beca8?ec=true

Samba 4.x is a software suite that provides functionality very close to Microsoft's Active Directory.
This allows you to centrally manage user accounts, DNS records and Windows workstations.
Samba is integral part of several Linux distributions such as [http://www.zentyal.org/ Zentyal], [https://www.univention.com/products/ucs/ Uninvention Corporate Server] which are specifically targeted to
small/medium sized enterprises.

Samba can also be installed on any other Linux distribution in which case some manual configuration is necessary and this is what following is about.

In this case domain controller is set up at dc1.mycorp.lan
Make sure /etc/hosts and /etc/hostname correspond to your setup.
Change arguments as necessary.

Set up a blank Ubuntu 16.04 server machine.

Install packages:

apt-get install samba samba-vfs-modules smbclient winbind krb5-user ldap-utils

Provision domain controller using Samba, note that capitalization matters:

rm -fv /etc/samba/smb.conf
samba-tool domain provision --server-role=dc --domain=MYCORP --realm=MYCORP.LAN

Reconfigure Kerberos client configuration:

rm -fv /etc/krb5.conf
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

Set domain administrator account password:

samba-tool user setpassword administrator

Reconfigure password expiration, in this case password expiration is disabled:

samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-age=0

Open /etc/samba/smb.conf and in the [global] section specify upstream DNS server:

dns forwarder = 8.8.8.8

Start services:

service smbd stop
service nmbd stop
service samba-ad-dc stop
service samba-ad-dc start

===Reconfiguring DHCP options===

Now usually at this point you would reconfigure your router to serve:

* the IP address of the domain controller as the DNS server (DHCP option 6)
* the correct domain suffix, which in this case is mycorp.lan (DHCP option 15)
* the correct search domain, again in this case mycorp.lan (DHCP option 119)

When working with VirtualBox and not wanting to set up a whole virtual machine for routing you can use VirtualBox's NatNetwork feature with DHCP disabled and install DHCP server on the domain controller instead. In VirtualBox main menu click Preferences and create a new NATNetwork with DHCP disabled:

[[File:Configure-virtualbox-as-router.png]]

Configure a static IP address for the domain controller in /etc/network/interfaces and reboot the box:

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2
dns-nameservers 127.0.0.1
dns-domain mycorp.lan
dns-search mycorp.lan

At the domain controller install ISC DHCP server package:

apt install isc-dhcp-server

Remove existing configuration file:

rm /etc/dhcp/dhcpd.conf

In the same file configure the DHCP server:

subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option domain-name "mycorp.lan";
option domain-search "mycorp.lan";
option domain-name-servers 10.0.2.15;
option routers 10.0.2.2;
}

Save the file and restart service:

systemctl restart isc-dhcp-server

===Joining workstations to domain===

Download [http://upload.itcollege.ee/iso/Win10_1607_EnglishInternational_x64.iso Windows 10 ISO], install it and [https://wiki.samba.org/index.php/Joining_a_Windows_Client_or_Server_to_a_Domain#Joining_a_Windows_Client_or_Server_to_a_Domain join it to domain]. Proceed to install [https://wiki.samba.org/index.php/Installing_RSAT Microsoft Remote Server Administration Tools] to manage your domain controller. Log in with Other user and specify either mycorp\administrator or administrator@mycorp.lan as username. Verify that file shares at \\dc1.mycorp.lan are browseable.

Boot [http://upload.itcollege.ee/iso/ubuntu-mate-16.04.1-desktop-amd64.iso Ubuntu MATE LiveCD] and install Ubuntu on the harddisk. Join it to domain using realmd and afterwards try to interact with the domain controller as shown in previous session:

apt install realmd
realm --verbose join mycorp.lan
pam-auth-update # Tick "Create home directory on login" and press enter

Try to log out and log in with administrator@mycorp.lan and the domain administrator password.

Category:I804 Linux Windows administration

2017-03-20T07:35:58Z

Btastan: /* General information */

Category:I804 Linux Windows administration

2017-03-20T07:35:25Z

Btastan: /* General information */

Category:I804 Linux Windows administration

2017-03-20T07:35:03Z

Btastan: /* General information */

Category:I804 Linux Windows administration

2017-03-20T07:34:41Z

Btastan: /* General information */

Category:I804 Linux Windows administration

2017-03-20T07:34:13Z

Btastan: /* General information */

Category:I804 Linux Windows administration

2017-03-20T07:33:52Z

Btastan: /* General information */

Category:I804 Linux Windows administration

2017-03-20T07:33:27Z

Btastan: /* General information */

Category:I804 Linux Windows administration

2017-03-20T07:32:40Z

Btastan: /* General information */

Category:I804 Linux Windows administration

2017-03-17T09:38:19Z

Btastan: /* General information */

Category:I804 Linux Windows administration

2017-03-17T09:26:28Z

Btastan: /* General information */

Category:I804 Linux Windows administration

2017-03-17T09:25:46Z

Btastan: /* General information */

Category:I804 Linux Windows administration

2017-03-17T09:13:15Z

Btastan: /* General information */

Category:I804 Linux Windows administration

2017-03-13T09:14:36Z

Btastan: /* General information */

Category:I804 Linux Windows administration

2017-03-13T09:12:16Z

Btastan: /* General information */

Category:I804 Linux Windows administration

2017-03-13T09:11:32Z

Btastan: /* Practice 13 March */

Category:I804 Linux Windows administration

2017-03-13T09:09:24Z

Btastan: /* General information */