Greetings, today we are going to modify the Default Policy Group Policy Object to set domain member computers to automatically request a machine certificate.
This assumes you already have a domain and Certificate Services set up and ready to use. If you still need to set up your domain or certificate services, please refer to my other posts for the steps to do so.
Click start and type Group and then select Group Policy Management
Expand Forest, Domains, lab, then right-click Default Domain Policy then select Edit
Expand Computer Configuration, Policies, Windows Settings, Security Settings, then click on Public Key Policies
Double-click on Certificate Services Client – Certificate Enrollment Policy. Change Configuration model from Not Configured to Enabled. Leave the defaults and select OK
Double-click Certificate Services Client – Auto-Enrollment and change Configuration Model from Not Configured to Enabled. Then check the Renew expired certificates and Update certificates check boxes. Select OK
Go to a server you can test with, right-click start, then select Windows PowerShell (admin)
Type in “gpupdate /force” and hit enter
Click start and type in certlm.msc, then select the result
Expand Personal and Certificates, you should now see the appropriate certs for your system.
Congrats, you now have a default setup to get certs out to your clients. Have a good one.
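As an added check (example code, not part of the original post), the following elevated PowerShell confirms the policy actually reached a member computer and shows which templates the machine enrolled from. The AEPolicy value and the bit meanings in the comments are my reading of certutil's flag names, not something the post states.

```powershell
# Added example (not from the original post): verify machine certificate auto-enrollment
# after the Default Domain Policy change. Run in an elevated PowerShell on a domain member.

# 1. Pull the updated policy and trigger the auto-enrollment task right away instead of
#    waiting for the next scheduled pulse.
gpupdate /force | Out-Null
certutil -pulse | Out-Null

# 2. Confirm the policy landed. AEPolicy is the registry value the
#    "Certificate Services Client - Auto-Enrollment" setting writes; 0x8000 means disabled
#    (bit meanings below follow certutil's flag names; treat them as my reading).
$aePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aePath -Name AEPolicy -ErrorAction SilentlyContinue
if (-not $ae) {
    Write-Warning 'AEPolicy not present: the GPO has not applied to this computer yet.'
} elseif ($ae.AEPolicy -band 0x8000) {
    Write-Warning ('Auto-enrollment is explicitly disabled (AEPolicy=0x{0:X}).' -f $ae.AEPolicy)
} else {
    'AEPolicy=0x{0:X} (enabled; 0x1 = update certs that use templates, 0x2 = renew/update/remove)' -f $ae.AEPolicy
}

# 3. List machine certificates in the Personal store with the template each was issued
#    from, so you can see what auto-enrolled versus what was requested by hand.
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'   # template information / template name
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $tpl = $_.Extensions |
           Where-Object { $templateOids -contains $_.Oid.Value } |
           ForEach-Object { $_.Format($false) } |
           Select-Object -First 1
    [pscustomobject]@{
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        NotAfter   = $_.NotAfter
        Template   = if ($tpl) { $tpl } else { '(none / manually requested)' }
        Thumbprint = $_.Thumbprint
    }
} | Format-Table -AutoSize
```

If the table is empty after a pulse, check the CA's template list and the template's Autoenroll permission for Domain Computers before suspecting the GPO.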
Greetings, this time we are going to be creating a Certificate Template for VMware Certificate Authority (VMCA). This would allow you to use VMCA to issue certificates for your VMware environment.
Expand Root-CA01, then right-click Certificate Templates and select Manage
Find and right-click the Subordinate Certification Authority, then select Duplicate Template
Change Certification Authority to Windows Server 2012 and Certificate Recipient to Windows 7/Server 2008 R2
Go to the General Tab and enter your preferred name for the Template. I would recommend a name that indicates its purpose.
Also select Publish certificate in Active Directory
Go to the Extensions tab, select Basic Constraints, click Edit and make sure that Make this extension critical is enabled. Select OK if changes were made, choose cancel if not.
Go down to Key Usage, click Edit and verify that Digital signature, Certificate signing, and CRL signing are all enabled. Also check to make sure Make this extension critical is enabled as well.
Click OK if changes were made, cancel if not.
Select OK
Authorize Template to be issued
Go back to Certificate Management, right-click Certificate Templates, hover over New, and Select Certificate Template to Issue
Scroll down to VMware VMCA (or whatever it may have been named) and select OK
Note: This template issues subordinate CA level certificates. Guard its use very carefully, as misuse or an unintended issuance can cause significant problems if control of it is lost.
Now you have your certificate template to issue certs from VMware Certificate Authority. Have a good one.
Greetings, today we are going to be setting up an Offline Depot using Windows and IIS. This is going to assume you have already deployed an Windows Server.
You will want an additional drive added with 1TB of space for current and future downloads.
You will need:
A 1TB added drive. If you're limited on space, you can probably get away with 200GB, but you will need to more actively manage your space usage with future downloads.
The VCF Download Tool. Instructions will be below for downloading it.
Something that can unzip tar.gz files; I will be using 7-Zip for this
Login, Select My Downloads, then enter “foundation” in the search bar, select Show Results, and then Select VMware Cloud Foundation
Select VMware Cloud Foundation 9, then select 9.0.1.0
Select Drivers & Tools
Select VCF Download Tool
Select the Download Icon and save the Download Tool.
From here we will pivot to the Windows Server to setup IIS and get ready for the download tool.
Deployment config
This does not require extensive compute resources, so I'm setting it up with 2 CPUs, 4GB RAM, a 50GB disk 1 and a 1TB disk 2.
Format 1TB Drive
Once your Windows Server is deployed and ready, go to Disk Management
Right-click Disk 1 and select Online
Right-click Disk 1 again and select Initialize Disk
Select ok
Right-click the lined area next to Disk 1 and select New Simple Volume
Select Next
Select Next
Select your desired drive letter and select Next
Enter your desired Volume Label and select Next
Select Finish
Now we have a formatted drive to store the data on
Install IIS
Now we will start the process to install IIS.
In Server Manager, Select Add roles and features
Select Next
Select Next
Select Next
Select Web Server (IIS)
Select Add Features
Select Next
Select Next
Select Next
Scroll down to Security and select Basic Authentication and select Next
Select Install
Once finished, select Close
Configure IIS
Now that we have IIS installed, we will need to provide it an SSL certificate.
Request Certificate
Click start, type certlm.msc, then select certlm.msc
Select Yes
As you can see, we have no certificates at all for this machine.
Right-click Personal, hover over All Tasks, then Select Request New Certificate
Select Next
Select Next
Select the blue line to provide more information for the Web Server Template
Change the Subject name Type to Common name and Alternative name Type to DNS
Add your Common name, I prefer to use the Fully Qualified Domain Name (FQDN), and click Add. For DNS I prefer to do FQDN and short names. After adding those, change Alternative name Type to IP address (v4) and add the IP address.
Enter the friendly name, I again prefer the FQDN here, then select OK
Check the block for Web Server then select Enroll
Once completed you should see the above success screen. Select Finish
Now we have a certificate
Click Start, type IIS, then select IIS Manager
Expand wdeploy, then expand Sites, select Default Web Site then click Bindings on the right side pane
Select Add
Change Type to https
Change SSL certificate to the one we just made
It should look like this. Select OK
Select Close
Setup the web directory
Since we're already in IIS, select Basic Settings on the right-side pane
Select the …
Scroll down and select your added drive, then select Make New Folder
Name your folder, I am going with www in this case
Select OK
When attempting to access the path, you will get the above error
Back in IIS, select Directory Browsing
In Directory Browsing, Select Enable on the right-side pane
In this case I created a test folder in e:\www to validate it will display
Select Default Web Site again, then double-click Authentication
Select Basic Authentication, then click Enable
Go back to Default Web Site, then double-click SSL Settings
Check the block for Require SSL and then select Apply on the right-side pane
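The whole depot host preparation from this post (data disk, IIS role, certificate, binding, web root, directory browsing, Basic authentication, Require SSL) as one elevated PowerShell script. This is an added example, not the post's own code: drive letter E:, the www folder and the Depot label follow the walkthrough; the IP SAN the post adds in the GUI is not expressible with Get-Certificate, and anonymous authentication is turned off here (my addition) so that Basic authentication is actually enforced.

```powershell
# Added example (not from the original post): offline-depot host preparation as a script.
# Run elevated on the depot server after it is domain joined.

# --- Disk: bring the 1TB data disk online, initialize it, one NTFS volume as E: ---
$dataDisk = Get-Disk -Number 1
if ($dataDisk.IsOffline) { Set-Disk -Number 1 -IsOffline $false }
if ($dataDisk.PartitionStyle -eq 'RAW') {
    Initialize-Disk -Number 1 -PartitionStyle GPT
    New-Partition -DiskNumber 1 -UseMaximumSize -DriveLetter E |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Depot' -Confirm:$false | Out-Null
}
$webRoot = 'E:\www'
New-Item -ItemType Directory -Path $webRoot -Force | Out-Null

# --- IIS: Web Server role plus Basic Authentication (the only extra the post selects) ---
Install-WindowsFeature -Name Web-Server, Web-Basic-Auth -IncludeManagementTools | Out-Null
Import-Module WebAdministration

# --- Certificate: enroll from the enterprise CA's Web Server template (CN = WebServer).
#     FQDN as subject, FQDN + short name as DNS SANs, matching the post's GUI choices.
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
$short = $env:COMPUTERNAME.ToLower()
$enroll = Get-Certificate -Template WebServer -SubjectName "CN=$fqdn" `
              -DnsName $fqdn, $short -CertStoreLocation Cert:\LocalMachine\My
if ($enroll.Status -ne 'Issued') { throw "Enrollment status: $($enroll.Status)" }
$cert = $enroll.Certificate

# --- Site: https binding with the new cert, physical path, directory browsing,
#     Basic auth only (anonymous off, my addition), and Require SSL ---
$site = 'Default Web Site'
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert -Force | Out-Null
Set-ItemProperty -Path "IIS:\Sites\$site" -Name physicalPath -Value $webRoot
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter /system.webServer/directoryBrowse -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter /system.webServer/security/authentication/basicAuthentication -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter /system.webServer/security/authentication/anonymousAuthentication -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter /system.webServer/security/access -Name sslFlags -Value 'Ssl'

# --- Quick check: plain HTTP must now be refused, HTTPS without credentials must give 401 ---
try { Invoke-WebRequest -Uri "http://$fqdn/" -UseBasicParsing | Out-Null; Write-Warning 'HTTP is still being served' }
catch { "HTTP refused as expected: $($_.Exception.Message)" }
try { Invoke-WebRequest -Uri "https://$fqdn/" -UseBasicParsing | Out-Null; Write-Warning 'Anonymous HTTPS access allowed' }
catch { "Anonymous HTTPS returned $([int]$_.Exception.Response.StatusCode) (expect 401)" }
```

If you need the IP address SAN as well, build the request with certreq and an .inf file instead of Get-Certificate; everything after enrollment stays the same.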
Download the VCF Binaries
Now that we have the structure set up, it's time to download the VCF binaries that we will be hosting for the VCF Installer
So go grab your VCF Download Tool we downloaded earlier and copy it over to this system.
Right-click the VCF Download tool, hover over 7-Zip, then Extract To “path”
Then repeat with the .tar file
In that folder, right-click the open area, hover over New, then select Folder
Name it vcf-download-tool
Copy the other folders into vcf-download-tool
Move the vcf-download-tool folder to e:\www
In the vcf-download-tool folder, right-click the open area, hover over New, and select Text Document
Name the document downloadtoken.txt. I have show file extensions enabled so I can verify the file type is .txt. In this file you will need to put only your download token. This is specific to each customer so I will not be showing the file contents.
Note: I’m pretty positive the downloadtoken.txt needs to be named in lowercase.
Move the downloadtoken.txt file to www
Right-click Start and select Windows PowerShell (Admin)
In PowerShell, change directory to e:\www\vcf-download-tool
CD into \bin. Since I am downloading for VCF 9.0.1, I am running the command with that version specified; I am including the text directly below for easier copying.
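One caveat worth handling before running the tool: downloadtoken.txt now lives under E:\www, which is the site's physical path with directory browsing turned on, so IIS would serve the token to anyone who can authenticate to the site. The added example below (not from the original post) checks the file name casing the post warns about, then adds an IIS request-filtering hidden segment so the file is never served, and verifies that from the server. The tool reads the file from disk, so it is unaffected.

```powershell
# Added example (not from the original post): keep downloadtoken.txt out of reach of the
# web site that shares its folder. Paths follow the post (E:\www, Default Web Site).
Import-Module WebAdministration
$site     = 'Default Web Site'
$tokenDir = 'E:\www'
$tokenName = 'downloadtoken.txt'

# 1. The post notes the name must be lowercase; catch a wrong-case or empty file early.
$file = Get-ChildItem -Path $tokenDir -Filter $tokenName -File | Select-Object -First 1
if (-not $file) {
    Write-Warning "No $tokenName found in $tokenDir"
} else {
    if ($file.Name -cne $tokenName) { Write-Warning "Token file is named '$($file.Name)', expected lowercase '$tokenName'." }
    if ($file.Length -eq 0)        { Write-Warning "$tokenName is empty." }
}

# 2. Hidden segment: any URL whose path contains this segment gets a 404 from request
#    filtering before the static file handler ever sees it.
$filter   = '/system.webServer/security/requestFiltering/hiddenSegments'
$existing = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter -Name . |
            Select-Object -ExpandProperty Collection |
            Where-Object { $_.segment -eq $tokenName }
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter -Name . -Value @{ segment = $tokenName }
}

# 3. Verify with a valid account: the token URL must return 404, not 200.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cred = Get-Credential -Message 'Account that is allowed to use the depot site'
try {
    Invoke-WebRequest -Uri "https://$fqdn/$tokenName" -Credential $cred -UseBasicParsing | Out-Null
    Write-Warning 'Token file is still being served!'
} catch {
    $code = [int]$_.Exception.Response.StatusCode
    if ($code -eq 404) { 'Token file hidden from IIS (404), as intended.' }
    else { Write-Warning "Unexpected response $code : $($_.Exception.Message)" }
}
```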
Now that we have IIS installed on our CA Server, it’s time to setup a certificate for HTTPS connections
Login, click the Start Menu and type certlm.msc. You can also right-click start and select Run to do the same.
Expand Personal and then click on Certificates. Notice there is only the Root-CA’s Cert here, we don’t want that as the cert for our certsrv page cert.
Right-click either the Certificates folder, or in the white area on the right, hover over All Tasks, then select Request New Certificates
Select Next
Select Next
Now I want the Web Server template, which is not shown here. That is because I'm using an account whose privileges aren't authorized for that template. We're going to go fix that. So go ahead and select Cancel.
Select Start, type cert, then click Certification Authority
Expand Root-CA01 then select Certificate Templates, you can see Web Server is here. Next is to change the permissions.
Right-click Certificate Templates and select Manage
Scroll down the middle section and right-click Web Server, then select properties
Go to the Security tab and notice the permissions. Since this is a lab I’m just going to give authenticated users enroll permissions.
Now that enroll has been granted, select OK
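Both the subordinate CA template in the VMCA post (where the note says to guard it carefully) and the Web Server permission change just made come down to the same question: who can enroll in a given template? The added example below (not the posts' own code) answers it by reading the template's ACL from the Configuration partition. It needs the ActiveDirectory RSAT module; 'WebServer' is the built-in Web Server template's CN, while 'VMwareVMCA' is a placeholder for whatever CN your duplicated template got.

```powershell
# Added example (not from the original posts): list who holds Enroll / AutoEnroll (or
# full control) on a certificate template and flag broad groups.
Import-Module ActiveDirectory

# Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment (schema constants).
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# Groups that should never hold enroll rights on a subordinate-CA template.
$broadPrincipals = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users'

function Get-TemplateEnrollRights {
    param([Parameter(Mandatory)][string]$TemplateCN)

    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $templateDN = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    try { $acl = Get-Acl -Path "AD:\$templateDN" -ErrorAction Stop }
    catch { Write-Warning "Template '$TemplateCN' not found or not readable: $($_.Exception.Message)"; return }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $right = $null
        if     ($ace.ObjectType -eq $enrollGuid)     { $right = 'Enroll' }
        elseif ($ace.ObjectType -eq $autoEnrollGuid) { $right = 'AutoEnroll' }
        elseif ($ace.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner') {
            $right = $ace.ActiveDirectoryRights.ToString()   # full control is as good as enroll
        }
        if (-not $right) { continue }

        $principal = $ace.IdentityReference.Value
        [pscustomobject]@{
            Template  = $TemplateCN
            Principal = $principal
            Right     = $right
            Broad     = $broadPrincipals -contains ($principal -split '\\')[-1]
        }
    }
}

foreach ($cn in 'WebServer', 'VMwareVMCA') {   # placeholders; use your own template CNs
    $rows = @(Get-TemplateEnrollRights -TemplateCN $cn)
    $rows | Format-Table -AutoSize
    $rows | Where-Object Broad | ForEach-Object {
        # Expected for the lab's Web Server change above; a real finding on a subordinate-CA template.
        Write-Warning "$($_.Template): '$($_.Principal)' has $($_.Right)"
    }
}
```

Run it again after any template permission change; a broad group with Enroll on a subordinate CA template is the case the VMCA note is warning about.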
Go back to your certlm window, and right-click the open area, hover over All Tasks and select Request New Certificate
Select Next
Select Next
And now we have the Web Server template as an option, click the blue line to enter your information
Change the Subject name drop down from Full DN to Common Name and Type from Directory name to DNS
For Common name, I prefer to enter the Fully Qualified Domain Name (FQDN), and for DNS I prefer to do both the FQDN and the short name. Once you enter them in the lines on the left, click the corresponding Add button to add them. Then change Type from DNS to IP Address (v4) (or v6 if needed) and enter the IP address.
Once it looks like this, go to the general tab
I generally will use the FQDN for the Friendly name as well. Select the Private Key tab
As a note, under Key Options you can mark the private key as exportable. If this cert is for another server, or perhaps for a VIP or multiple servers, you would select this so that the cert can be exported\imported to those other servers. Once complete, select OK
Now that the blue line is gone, you can select the Web Server template and click Enroll
Once complete you should receive this window
Adding Certificate to IIS
Click start, type IIS and select IIS Manager
Expand Sites and click Default Web Site, then select Bindings on the right side
Select https and click Edit
Change SSL certificate from Root-CA01 to ca01.lab.scottbell.me. There are more options that can be selected from a security standpoint like specifying the IP, hostname, and Disabling Legacy TLS. Select options as appropriate for your environment. Then select OK
Select Close
Select Restart on the right side pane
Go to a browser and enter the address of your website with /CertSrv at the end. You should not get an untrusted website alert (assuming the client accessing the site trusts the Root CA), and you should get a username\password prompt.
Once you enter account information that has access to the website, you should see the above and are now able to request certificates as you need. Congrats and have a good day.
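The same check from PowerShell, as an added example (not part of the original post): it reads back which certificate is bound to port 443, confirms that an anonymous request to /CertSrv is refused, and then makes an authenticated request. The hostname is the post's lab name; replace it with your CA's FQDN.

```powershell
# Added example (not from the original post): confirm the CA web enrollment site serves
# the new machine certificate and requires credentials. Run on the CA server.
Import-Module WebAdministration
$fqdn = 'ca01.lab.scottbell.me'   # the post's CA name; use your own

# 1. Which certificate is bound to 0.0.0.0:443 in IIS?
$binding = Get-Item 'IIS:\SslBindings\0.0.0.0!443'
$bound   = Get-Item "Cert:\LocalMachine\My\$($binding.Thumbprint)"
"Bound certificate: $($bound.Subject) (issued by $($bound.Issuer), expires $($bound.NotAfter))"
if ($bound.Subject -notmatch [regex]::Escape($fqdn)) {
    Write-Warning 'Binding still uses a different certificate (for example the CA certificate itself).'
}

# 2. Request /CertSrv with or without credentials and return the HTTP status code.
function Test-CertSrv {
    param([pscredential]$Credential)
    $params = @{ Uri = "https://$fqdn/CertSrv/"; UseBasicParsing = $true }
    if ($Credential) { $params.Credential = $Credential }
    try {
        [int](Invoke-WebRequest @params).StatusCode
    } catch {
        if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode }
        else { Write-Warning "No HTTP response (TLS trust or DNS problem?): $($_.Exception.Message)"; 0 }
    }
}

$anon = Test-CertSrv
if ($anon -eq 401) { 'Anonymous access correctly denied (401).' }
else { Write-Warning "Anonymous request returned $anon, expected 401." }

# 3. Authenticated request: 200 means the enrollment page is reachable.
$auth = Test-CertSrv -Credential (Get-Credential -Message 'Domain account allowed to use CertSrv')
"Authenticated request returned $auth"
```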
Today we are going to be setting up a Certificate Server for the new domain in my home lab. This is part of the systematic rebuild of the lab so that I can write these articles to document the process to potentially help others and for a record of my own on the next rebuild.
The new lab so far has just two domain controllers. I need certificate services to continue with other functions such as the offline depot for VCF, the new jump box I will end up building, and VCF itself with its components.
This will be based on the assumption that you have already deployed a Windows Server, have named it, given it an IP, and domain joined it.
Installing Certificate Services
Select Add roles and features
Select Next
Select Next
Select Next
Select Active Directory Certificate Services
Select Add Features
Select Next
Please read this page before selecting Next, the note does matter
Select Certification Authority Web Enrollment, and Certificate Enrollment Web Service
Once you select Certificate Enrollment Web Service, this window will pop up, select Add Features
Once the selection matches the above, select Next
Read and select Next
Scroll down to Security section and select Basic Authentication, this is to support VCF functions later. Select Next
Review the selections and then select Install
Once the install is finished, select Configure Active Directory Certificate Services
Use your intended account if different than what’s pre-populated based on the logged in account. Then select Next
You can only setup the first two at the same time. We will have to come back after for the Certificate Enrollment Web Service after the Certificate Authority is setup. Select Next
In my case, with it being a lab, I will do an Enterprise CA that stays online. If you're doing a proper CA in the real world, I would suggest a Standalone Root CA that stays offline when not in use and a Domain-Joined Subordinate CA. Select Next
Again, since this is a lab environment, this will just be a Root CA. Select Next
Since this is a new server and not a transfer\upgrade\recovery, I will Create a new private key and select Next
I am going to stick with the defaults here, I am not using anything that needs the admin interaction for extra security so I will leave it unchecked.
I have changed the Common name to be more what I want, but I am leaving the rest the default format. Select Next
Use whatever timeframe is suitable for you. As this is a lab, it won't survive 5 years, so I will leave it at that.
Security needs may require these locations to be moved to a different location\drive. I’m not operating under those requirements so I will be leaving them default. Select Next
Review the summary and select Configure
Once complete, select Close
Select Yes
Same thing, change account if needed then select Next
Select Certificate Enrollment Web Services and select Next
Select Next
This I will leave as default for Windows integrated authentication. Select Next
I’m not going to bother with a service account in this case and select the Use the built-in application pool identity.
I will indeed use the Root-CA01 as the default selection here. You will need to actually select (click) on the certificate and then select Next
Review the options and if everything is as expected, select Configure
Now we are completed for this configuration. Select Close
Select Close again
Click start and type IIS, then select IIS Manager
In IIS, expand CA01, then Sites, Then Default Web Site, click CertSrv, and double-click Authentication
Select Basic authentication, then click Enable
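The same build as a script, as an added example that is not the post's own code: it installs the three ADCS role services plus IIS Basic authentication, configures the Enterprise Root CA with the post's lab choices (new key, defaults for the provider, 5-year validity, Root-CA01 as the common name), configures web enrollment and the Certificate Enrollment Web Service with Kerberos and the built-in application pool identity, binds the CA's own certificate as the post does at that step, and enables Basic authentication on /CertSrv. Run it elevated as an Enterprise Admin on the CA server.

```powershell
# Added example (not from the original post): Enterprise Root CA build from this part.

# Roles: CA, web enrollment (/CertSrv), enrollment web service, plus IIS Basic auth for VCF.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc, Web-Basic-Auth `
    -IncludeManagementTools | Out-Null

# Enterprise root CA, new private key, wizard defaults for the key, 5-year validity (lab).
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'Root-CA01' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 -Force

# Web enrollment pages (/CertSrv) on the same server.
Install-AdcsWebEnrollment -Force

# Certificate Enrollment Web Service: Windows integrated (Kerberos) authentication, the
# built-in application pool identity, and the CA's own certificate for TLS (the post's
# choice; swap in the Web Server certificate from part 2 once it exists).
$caHost      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$caConfig    = "$caHost\Root-CA01"
$caCertThumb = (Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.Subject -like 'CN=Root-CA01*' } |
                Select-Object -First 1).Thumbprint
Install-AdcsEnrollmentWebService -CAConfig $caConfig -SSLCertThumbprint $caCertThumb `
    -AuthenticationType Kerberos -ApplicationPoolIdentity -Force

# Enable Basic authentication on /CertSrv (the post's last step in IIS Manager).
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site/CertSrv' `
    -Filter /system.webServer/security/authentication/basicAuthentication -Name enabled -Value $true

# Sanity check: the CA service is running and answers a ping.
Get-Service -Name CertSvc | Select-Object Name, Status
certutil -ping
```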
Please go to part 2 for setting up a certificate in IIS for the CA server. Have a good day.
Deploy Windows Server 2022 and Build Active Directory Part 2
Greetings, today in part 2 we will be building the Active Directory Domain using the new name for my lab which will be lab.scottbell.me.
Let's get to it
Snapshot
First, login and take a snapshot of the VM just in case.
Now that we have our short-term safety net, let's continue. Please remember, though, that snapshots are not backups.
Login to the system, for now I’m using the VMware web console to do so
Add Role
Select Add roles and features
Select Next
Keep the default selection of Role-based or feature-based installation and select Next
Select Next
Select Active Directory Domain Services
Select Add Features
Select Next
Select Next
Select Next
Select Install
Select Close
Select the flag with the Yellow Triangle and select Promote this server to a domain controller
Configure Active Directory
Select Add a new forest and enter the name you’re planning to use
Unless you have a reason, you should stick with the default Windows Server 2016 Forest and Domain functional levels. Enter a password for Directory Services Restore Mode and make sure it's not lost, ideally by using a password vault\manager.
I will leave the default NetBIOS name as is and select Next
If you have security requirements mandating it, relocate the files to a suitable place. I will be leaving the defaults in this case and select Next.
Review your choices and go back to make changes if needed
Once the Pre-checks have been passed, read the warnings as shown and then select Install
Once complete you will get the following warning for the system rebooting after a successful install of the Active Directory role.
Validate Install
After the reboot, login
Congrats. Active Directory has been installed. Now we will run through adding the second Domain Controller to the Domain.
Add Second Domain Controller
Login to the second Domain Controller
Repoint DNS
Right-click the start menu and select Network Connections
Select Network and Sharing Center
Select Ethernet0 on the right side of the window
Select Properties
Click on Internet Protocol Version 4 (TCP/IPv4) and select Properties
Change DNS to point to the new Domain Controller and select OK
Add Role
Select Add roles and features
Select Next
Select Role-based or feature-based installation
We're not doing a remote server, so leave it selected for itself and select Next
Select Active Directory Domain Services
Select Add Features
Select Next
Select Next
Select Next
Select Install
Now that the install is done, select Promote this server to a domain controller.
Join Existing Domain
Enter the information for the new domain, then click Select
Provide an account from the domain.
Select your domain and click OK
Select Next
We have not created any sites and this is not a Read Only Domain Controller, so I will leave this at default settings and enter the Directory Services Restore Mode (DSRM) password and select Next.
Select Next
There's only one DC in this domain so I will leave it with Any domain controller selected. Select Next.
Again, since this isn't a hardened type of install and I have no requirements to move the directories, I will leave the default locations and select Next.
Review the details and go back to change if needed. Then Select Next.
Once the prechecks are done, review the warnings and Select Install.
Once the install is completed, the system will reboot.
Validate Joining Active Directory
Login
Congrats. You now have a domain with two Domain controllers. Now you can customize as needed for your environment. Have a good one.
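Both promotions from this part as PowerShell, packaged as two functions so each is run on the right server. This is an added example, not the post's own commands: the domain name is the post's (lab.scottbell.me); the NetBIOS name LAB, the first DC's IP address and the adapter alias Ethernet0 are assumptions. Both functions end in the reboot the wizard performs.

```powershell
# Added example (not from the original post): forest creation on DC1 and DC promotion on DC2.

function New-LabForest {
    # Run elevated on the first server.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    $dsrm = Read-Host -Prompt 'DSRM password (store it in your password vault)' -AsSecureString
    # WinThreshold = Windows Server 2016 forest/domain functional level (the wizard default).
    Install-ADDSForest -DomainName 'lab.scottbell.me' -DomainNetbiosName 'LAB' `
        -ForestMode WinThreshold -DomainMode WinThreshold `
        -InstallDns:$true -SafeModeAdministratorPassword $dsrm -Force
    # The server reboots when the promotion completes.
}

function Add-LabDomainController {
    param(
        [Parameter(Mandatory)][string]$FirstDcIp,      # assumption: e.g. '10.0.0.10'
        [string]$InterfaceAlias = 'Ethernet0'           # assumption: adapter name as in the post
    )
    # Run elevated on the second server. Repoint DNS at the new DC first, and fail early
    # if the domain cannot be resolved through it.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $FirstDcIp
    Resolve-DnsName -Name 'lab.scottbell.me' -Type A -Server $FirstDcIp -ErrorAction Stop | Out-Null

    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    $cred = Get-Credential -Message 'LAB domain admin account'
    $dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString
    # Writable DC, default site, replicate from any DC, default directory paths (as in the post).
    Install-ADDSDomainController -DomainName 'lab.scottbell.me' -Credential $cred `
        -InstallDns:$true -SafeModeAdministratorPassword $dsrm -Force
    # Reboots on completion.
}

function Test-LabReplication {
    # Run on either DC after the second one is back up.
    Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address, IsGlobalCatalog, Site
    repadmin /replsummary
}

# Usage (one per server):
#   New-LabForest
#   Add-LabDomainController -FirstDcIp '10.0.0.10'
#   Test-LabReplication
```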
This will be the start of a series of articles for the rebuild of my lab to properly document the build process.
This will start here with Active Directory on Windows Server 2022, building a new Certificate Server on 2022, then continue into VCF oriented steps such as the offline depot, deploying the VCF installer, linking the two, and then deployment of VCF and its components.
To start I will be installing Windows Server 2022 with 2 cores, 4GB RAM, and a 50GB HDD. All storage used is NVMe so it will be more than fast enough for our needs.
Deployment
I’m going to start with building the shell by right clicking my ESX host and selecting New Virtual Machine
We will select Create a new virtual machine and then Next
Enter the virtual Machine name and its location then select Next
Select the compute resource for where the VM will run
Select the storage location then select Next
Select the appropriate compatibility level for your environment. For me, that will be ESXi 8.0U2 and later then select Next
Now we get to set the OS version we will be running in this VM. I’m using Windows Server 2022 so that’s what I choose, then select Next.
Note: This matters as the wrong setting can lead to performance\stability issues if there’s enough of an instruction set difference.
Now we get to see everything together and verify the choices.
In this case I will need to change networking to the proper Port Group for my environment, change the HDD from 90GB to 50GB, and also add the ISO to the CD/DVD Drive.
Once finished, select Next.
Review the settings on Ready to complete and change if needed on the previous page. If no changes are needed, select Next.
Once it's finished, make sure to go edit the settings and enable the Connect At Power On option for the CD/DVD Drive so that it actually uses the ISO when you power the VM up for the first time
Select Power on and then select Launch Remote Console
Operating System Install
Change the default Language/Time/Keyboard options if desired
Select Install Now
Select the desired edition. I will be using Standard Evaluation (Desktop Experience) in this case as I still like my GUI. Select Next
Read, and if you agree to the terms, accept the license terms, and select Next
I selected Custom to make sure it shows the correct hard drive info. Select Next
It will now run through the installation
Either wait or select the Restart Now to restart the system
Windows will then reboot and start getting ready for use
Configure Operating System
After configuration you will provide the initial Administrator password
Once you have set the password you will be brought to the login screen, login
Install VMware Tools
Once you have logged in, go back to your ESX host and select Install VMware Tools
Select Mount
Go back to your console for the VM and open File Explorer and Select the DVD Drive (D:)
Run setup
Select Next
Select Typical unless you have specific parts you want to install or deselect
Select Install
When complete, select restart
Login after reboot
Configure IP Information
Right click the Internet icon (the wire globe in this case) and select Network & Internet settings
I prefer the old control panel so I will select Network and Sharing Center
Select Ethernet0 on the right side of the window
Select Properties
Select Internet Protocol Version 4 (TCP/IPv4) and select Properties
Enter your information for the IP and DNS; for now use an actual DNS server. This will change later when this server is promoted to a Domain Controller, but not yet.
Select OK
You will be asked if you want the PC to be discoverable by other devices, make the appropriate choice for your environment
Windows Updates
Select the start menu in the lower left and then settings
Scroll down and select Update & Security
It should have automatically started checking and downloading updates, if not, select the Check for Updates option
These downloads can take a while depending on your internet.
Once everything is at Status: Pending install, select Install now
Now you get to wait for Updates.
Go to system and select Rename this PC
Enter the desired name
select Restart now
Provide the reason for the restart, I went with Other (Planned)
Once complete, run through these steps again to build a second server that will become the secondary Domain Controller for redundancy.
Make sure to go back into ESX, edit settings on the VM and set CD/DVD Drive back to Client Device so the ISO doesn’t cause problems later.
This will be the end of Part 1 of deploying Active Directory, building the Servers.
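The post-install configuration from this part (static IP and DNS, the discoverability prompt, the VMware Tools check, rename and reboot) as an elevated PowerShell script, so the second server can be done without clicking through it again. This is an added example, not the post's own commands: the addresses, the adapter alias Ethernet0 and the computer name are assumptions, and mapping the "discoverable" prompt to the Private network profile is my reading of that dialog.

```powershell
# Added example (not from the original post): post-install OS configuration for a lab server.
# Run elevated in the VM console after VMware Tools is installed.
$ifAlias = 'Ethernet0'      # assumption: adapter name as in the post
$ip      = '10.0.0.10'      # assumption
$prefix  = 24               # assumption
$gateway = '10.0.0.1'       # assumption
$dns     = '1.1.1.1'        # "an actual DNS" for now; repointed when the DC is promoted
$newName = 'DC01'           # assumption

# Replace any DHCP-assigned address and default route with the static configuration.
Get-NetIPAddress -InterfaceAlias $ifAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $ifAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $ifAlias -IPAddress $ip -PrefixLength $prefix -DefaultGateway $gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $ifAlias -ServerAddresses $dns

# The "make this PC discoverable" prompt is the network profile; answer it explicitly.
Set-NetConnectionProfile -InterfaceAlias $ifAlias -NetworkCategory Private

# Confirm VMware Tools is actually running before moving on.
$tools = Get-Service -Name VMTools -ErrorAction SilentlyContinue
if (-not $tools -or $tools.Status -ne 'Running') { Write-Warning 'VMware Tools service is not running.' }

# Show the result, then rename and reboot (the post picks Other (Planned) as the reason).
Get-NetIPConfiguration -InterfaceAlias $ifAlias
Rename-Computer -NewName $newName -Force
Restart-Computer -Force
```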
So this will evolve over time as I add more to it and organize it
Brownfield Import of multiple vCenters\Clusters
To do a brownfield import of an existing set of vCenters, each vCenter needs to be colocated with the hosts it manages.
So having 2 vCenters that both run in one cluster will work for the first vCenter, but will fail for the second.
Reverse DNS Error during deployment validation
If you receive the following error when there is a child domain involved, please verify conditional forwarders are working in both directions.
“Reverse DNS Lookup failed for IP ___. Unknown IP or record mismatch.
Remediation: Provide valid FQDN {1} for IP ___”
DNS/FQDN Mismatch
DNS and hostnames should be in lowercase whenever possible. From what I've learned with Linux systems, they tend to care much more about the case of letters in names, paths and such.
VMware software runs on Linux and the same principle applies.
Windows Admins (I’m guilty of this as well) will commonly use all caps for names and records.
Please try to use all lowercase for both names and DNS to minimize issues.
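A pre-flight for the two DNS problems above (reverse lookup mismatch and mixed-case names), as an added example that is not part of the original notes. For each FQDN it resolves the A record, resolves the PTR for that address, checks that the PTR points back at the same name, and separately reports whether the name is all lowercase. The optional -Server parameter lets you repeat the check against each domain's DNS server, which is how you see whether conditional forwarders work in both directions. The host list is a constructed sample.

```powershell
# Added example (not from the original notes): forward/reverse/lowercase DNS checks.
function Test-VcfDnsRecord {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [string]$Server                      # optional: DNS server to query, e.g. the child domain's DC
    )
    $dnsArgs = @{ DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $dnsArgs.Server = $Server }

    $r = [ordered]@{
        Fqdn       = $Fqdn
        Lowercase  = ($Fqdn -ceq $Fqdn.ToLower())   # case-sensitive compare
        Ip         = $null
        ReversePtr = $null
        Forward    = $false
        Reverse    = $false
        Error      = $null
    }
    try {
        $a = Resolve-DnsName -Name $Fqdn -Type A @dnsArgs | Where-Object QueryType -eq 'A'
        $r.Ip      = $a.IPAddress | Select-Object -First 1
        $r.Forward = [bool]$r.Ip
        if ($r.Forward) {
            $ptr = Resolve-DnsName -Name $r.Ip -Type PTR @dnsArgs | Where-Object QueryType -eq 'PTR'
            $r.ReversePtr = $ptr.NameHost | Select-Object -First 1
            # Case-insensitive here; casing is reported by the Lowercase column.
            $r.Reverse = [bool]$r.ReversePtr -and ($r.ReversePtr.TrimEnd('.') -ieq $Fqdn)
        }
    } catch {
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

# Constructed sample list; the third entry is deliberately upper-case to show the check.
$hosts = 'esx01.lab.scottbell.me', 'vcf-installer.lab.scottbell.me', 'SDDC-MANAGER.lab.scottbell.me'

$report = $hosts | ForEach-Object { Test-VcfDnsRecord -Fqdn $_ }
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Forward -or -not $_.Reverse -or -not $_.Lowercase } | ForEach-Object {
    Write-Warning "$($_.Fqdn): forward=$($_.Forward) reverse=$($_.Reverse) lowercase=$($_.Lowercase) $($_.Error)"
}

# Run again with -Server pointed at the other domain's DNS when a child domain is involved:
#   $hosts | ForEach-Object { Test-VcfDnsRecord -Fqdn $_ -Server '10.0.0.10' }   # address is an assumption
```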
Fresh ESX 9 install must use a certificate that includes its name
When freshly installed, ESX will use a cert with the name localhost. This will fail the validation check with the VCF installer. Please use the following KB to generate a self-signed cert that meets the requirements. While a proper cert can be provided, the VCF installation will replace the cert as it builds the environment.
When doing the deployment validation pre-checks, the NTP configuration and drift from the installer will be checked. In the ESXi Host Client, please configure at least 1 NTP server and set the service to start\stop with the host: go to Manage -> Services, select ntpd and start the service