CCIE Security lab: Active Directory domain setup

This is a bit of a jump: I had originally planned to concentrate on the upper part of the topology, but this is just a quick post, as I set up a core component – the Active Directory server. This will be needed for authenticating to devices, website access through proxy rules, and a whole bunch of other stuff.

One of the things I love about UNetLab is that you can create a folder, chuck in a cdrom.iso file, create a hard disk, and it will install (OK, for the most part – Windows 10 doesn’t seem happy yet), so I can quickly roll out my Active Directory server.

root@unl01:/opt/unetlab/addons/qemu# mkdir win-2008R2
root@unl01:/opt/unetlab/addons/qemu# cd win-2008R2/
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# ls
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# mv 2008.R2.SP1.iso cdrom.iso
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# ls
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# /opt/qemu/bin/qemu-img create -f qcow2 hda.qcow2 40G
Formatting 'hda.qcow2', fmt=qcow2 size=42949672960 encryption=off cluster_size=65536 lazy_refcounts=off refcount_bits=16
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# ls
cdrom.iso  hda.qcow2
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# ls -lah
total 3.3G
drwxr-xr-x  2 root root 4.0K Aug 13 09:58 .
drwxr-xr-x 36 root root 4.0K Aug 13 09:49 ..
-rwx------  1 root root 3.3G Aug 13 09:56 cdrom.iso
-rw-r--r--  1 root root 193K Aug 13 09:58 hda.qcow2
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

You don’t magically get the ISO file once you create the folder; I copied it over using FileZilla. I then renamed it to cdrom.iso, created a 40G hard disk, and ran the wrapper to fix the permissions.

Install starts:

Windows 2008R2 running in UNetLab

After a while, a few clicks of “next” and the install is completed, and I can start the Active Directory installation. Running Windows 2008 R2 on UNetLab really is that easy:

Active Directory promo

I have given this server, which will be my primary AD box, the IP address , which means that I have also added another component to my internal network structure – the network.

So why did I use this particular address? Well, it’s a geek thing – if you can work it out then you win 10 points*.

Windows 2008R2 running in UNetLab

I have used CCIELAB as the AD domain as it wouldn’t let me use 802101.local. 🙁

OK, so now let’s add this bit of the network (VLAN 10) to the switches.

It really doesn’t make sense that, as I go forward, I add each VLAN to each switch by hand, so let’s set up VTP on SW3 (server) and SW4 (client):

SW3(config)#vtp domain CCIELAB
Changing VTP domain name from NULL to CCIELAB
SW3(config)#vtp pass ccielab
Setting device VTP password to ccielab
SW3(config)#vtp mode ser
Device mode already VTP Server for VLANS.
SW3(config)#vtp ver 2

SW4(config)#vtp dom CCIELAB
Domain name already set to CCIELAB.
SW4(config)#vtp mo cli
Setting device to VTP Client mode for VLANS.
SW4(config)#vtp pass ccielab
Setting device VTP password to ccielab

SW3(config)#vlan 10
SW3(config-vlan)#name AD VLAN
SW3(config)#int vlan 10
SW3(config-if)#ip add
SW3(config-if)#no sh
SW3(config)#int gi 2/2
SW3(config-if)#swi mode acc
SW3(config-if)#swi acc vl 10

SW4(config)#do sh vlan bri

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
                                                Gi1/2, Gi1/3, Gi2/0, Gi2/1
                                                Gi2/2, Gi2/3, Gi3/1, Gi3/2
10   AD VLAN                          active    
42   VLAN0042                         active    Gi1/0, Gi1/1
1002 fddi-default                     act/unsup 
1003 trcrf-default                    act/unsup 
1004 fddinet-default                  act/unsup 
1005 trbrf-default                    act/unsup 
SW4(config)#do sh int trun

Port        Mode             Encapsulation  Status        Native vlan
Gi3/0       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi3/0       1-4094

Port        Vlans allowed and active in management domain
Gi3/0       1,10,42

Port        Vlans in spanning tree forwarding state and not pruned
Gi3/0       1,10,42

What we need now, in the words of my children, is some peoples to play with. Within my Active Directory I will need at least two user accounts and two security groups.

UserA will be an admin for all things, he’ll have access to the routers and ASAs, the switches, all the websites, and everything you can think of. UserA will be in the Admins group.

UserB will not have the same level of access: it will have access to one website, but not another – still not sure where these websites will be, exactly, but we’ll cross that bridge when we come to it. UserB won’t have admin access to the routers, ASAs etc., and I am sure I can find some other ways to be Captain Buzzkill for this imaginary user!

Scripting is a bit more interesting than screenshots; it also makes it easier to cut and paste if you are following along at home.

First we need to create an OU (called Staff), and two users (UserA and UserB):

dsadd ou "ou=Staff, dc=CCIELAB, dc=local"
dsadd user "cn=UserA, ou=Staff, dc=CCIELAB, dc=local"
dsadd user "cn=UserB, ou=Staff, dc=CCIELAB, dc=local"

Now we are going to create an OU (called RBAC), and add a couple of groups to it (Admins and Basic):

dsadd ou "ou=RBAC, dc=CCIELAB, dc=local"
dsadd group cn=Admins,ou=RBAC,dc=CCIELAB,dc=local
dsadd group cn=Basic,ou=RBAC,dc=CCIELAB,dc=local

Users need passwords, and they need to be enabled, so let’s do this:

dsmod user "CN=UserA,OU=Staff,DC=CCIELAB,DC=local" -pwd Cisco123! -mustchpwd no
dsmod user "CN=UserB,OU=Staff,DC=CCIELAB,DC=local" -pwd Cisco123! -mustchpwd no
dsmod user "CN=UserA,OU=Staff,DC=CCIELAB,DC=local" -disabled no
dsmod user "CN=UserB,OU=Staff,DC=CCIELAB,DC=local" -disabled no

Lastly, let’s add them to the RBAC groups:

dsmod group cn=Admins,ou=RBAC,dc=CCIELAB,dc=local -addmbr CN=UserA,OU=Staff,DC=CCIELAB,DC=local
dsmod group cn=Basic,ou=RBAC,dc=CCIELAB,dc=local -addmbr CN=UserB,OU=Staff,DC=CCIELAB,DC=local
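Because the dsadd/dsmod commands above don’t complain loudly if something is slightly off, here is a check script I’ve added (it isn’t from the original post). It assumes the Active Directory module for Windows PowerShell (RSAT, included with 2008 R2) is available on the DC, and that dsadd derived the sAMAccountName from the CN (its default), so the users are UserA and UserB:

```powershell
# Added verification script, not part of the original post.
# Assumes the ActiveDirectory module is installed and the same OU/user/group
# names as the dsadd/dsmod commands above.
Import-Module ActiveDirectory

$Domain = 'DC=CCIELAB,DC=local'
# Expected RBAC model: each user belongs to exactly one RBAC group.
$Expected   = @{ 'UserA' = 'Admins'; 'UserB' = 'Basic' }
$RbacGroups = @('Admins', 'Basic')
$Problems   = @()

foreach ($Sam in $Expected.Keys) {
    $User = Get-ADUser -Identity $Sam -Properties Enabled, MemberOf -ErrorAction SilentlyContinue
    if (-not $User) { $Problems += "$Sam does not exist"; continue }
    if (-not $User.Enabled) { $Problems += "$Sam is still disabled" }
    if ($User.DistinguishedName -notlike "*,OU=Staff,$Domain") {
        $Problems += "$Sam is not in OU=Staff ($($User.DistinguishedName))"
    }
    # Resolve group DNs to names and keep only the two RBAC groups.
    $Groups = @($User.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    $InRbac = @($Groups | Where-Object { $RbacGroups -contains $_ })
    if ($InRbac.Count -ne 1 -or $InRbac[0] -ne $Expected[$Sam]) {
        $Problems += "$Sam RBAC membership is [$($InRbac -join ',')], expected [$($Expected[$Sam])]"
    }
}

# The Admins group must contain only the users we intend to be admins.
$AdminMembers   = @(Get-ADGroupMember -Identity "CN=Admins,OU=RBAC,$Domain" |
                    Select-Object -ExpandProperty SamAccountName)
$ExpectedAdmins = @($Expected.Keys | Where-Object { $Expected[$_] -eq 'Admins' })
foreach ($Member in $AdminMembers) {
    if ($ExpectedAdmins -notcontains $Member) { $Problems += "Unexpected Admins member: $Member" }
}

if ($Problems.Count -eq 0) {
    Write-Output 'RBAC check passed: users enabled, in OU=Staff, and in exactly the expected group.'
} else {
    $Problems | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

Run it again whenever you add accounts later in the lab; a non-zero exit means someone has drifted out of the model (for example, a user that has ended up in both Admins and Basic).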

A quick check on the GUI and we can confirm that the users are where they should be in Active Directory:

Windows 2008R2 running in UNetLab

Although I do seem to be jumping around the topology a tad, this was more of a side-step. But doing quick things like this earlier on will allow a more rapid approach later. It also helps me plan how the network will run, from both the top-down (IP addressing) and bottom-up (services and integration).

I hope. That’s the plan at least.

802101 point system

All points awarded are purely for entertainment value and do not represent any physical currency. They can be redeemed against an odd assortment of things I might have laying around, or I’ll buy you a drink if I happen to bump into you.
