migrate to git.charlotte.sh

Charlotte Croce 2025-04-19 23:42:08 -04:00
commit fbd588721e
412 changed files with 13750 additions and 0 deletions


@ -0,0 +1,51 @@
# Lab00 - Routing and Windows
Our goal is to build a realistic server environment consisting of a routed network (LAN and WAN) as well as introduce Server 2019 Desktop and Core and the systems required to manage them.
## FW01 and WKS01
- [use this doc](https://git.charlotte.sh/lotte/ChamplainTechJournals/src/branch/main/sysadmin-i-sys255/lab01-environment-setup.md), configuration is exactly the same
## AD01
- (admin password is `password123!`)
- `sconfig` \
![image](../assets/b42fc4c4-07fe-44e1-ae48-59a1ea275408.png)
- Invoke powershell and install Active Directory: `Install-WindowsFeature AD-Domain-Services -IncludeManagementTools` \
![image](../assets/2a087f38-8b59-4497-9162-1631205d0150.png)
- Install the Forest: `Install-ADDSForest -DomainName charlotte.local` \
![image](../assets/b295e94c-3da4-4dbe-98d5-45f25a4da00a.png)
- You should be in a domain now \
![image](../assets/73076712-88fa-4c39-866b-da138c52002d.png)
### creating domain users (one user, one admin):
- `net user charlotte.croce password123! /ADD /DOMAIN`
- `net user charlotte.croce-adm password123! /ADD /DOMAIN`
- `net group "Domain Admins" charlotte.croce-adm /ADD /DOMAIN`
## MGMT01
MGMT01 is a Server 2019 with GUI. Its job will be to remotely manage any server core systems.
password: `password123!` \
![image](../assets/b752ce4c-f831-4619-b563-9a2ff9eb57c5.png)
to join domain:
- `sconfig` -> 1 -> D -> charlotte.local -> Administrator -> type Administrator password in prompt -> restart
- login as the charlotte.croce-adm domain user
adding ad01 to management scope
- server manager - add roles and features
- add the following features: \
![image](../assets/25634b91-4a27-4ff5-a218-337fab157561.png)
![image](../assets/f1b9d632-2664-4209-beae-3ee167b93a76.png)
- create DNS records: [use this doc](https://git.charlotte.sh/lotte/ChamplainTechJournals/src/branch/main/sysadmin-i-sys255/lab02-dns%2Badds-role.md)
- note: it's easier to create the reverse lookup zone first, as PTR records will be created automatically when you create a new A record, although you will still have to manually create some PTRs
![image](../assets/1fc7982f-2d40-49d2-8264-356db5fb0d8c.png)
![image](../assets/d750c565-6a8c-4867-8da3-949046bb5a1e.png)
- finally, join wks01 to the domain
- before doing so, we must change the DNS server to 10.0.5.5, to recognize charlotte.local
![image](../assets/f7c0d739-296c-4fab-96b2-4afe4439aee6.png)
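Review bot: the Administrator password and both new domain user passwords (`password123!`) are recorded in plaintext in the AD01 and MGMT01 sections, and the `net user charlotte.croce password123! /ADD /DOMAIN` form additionally leaves the password in the shell history of the domain controller. Replace the literal with a placeholder in the journal and use `net user charlotte.croce * /ADD /DOMAIN`, which prompts for the password instead of taking it on the command line; the same applies to the `-adm` account, which is going straight into Domain Admins.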


@ -0,0 +1,63 @@
# lab01- Network Management
## nmon1-charlotte
- setup with hostname, username, networking (10.0.5.11, remember: add `charlotte.local` to search domain)
- add record to DNS manager \
![image](../assets/40d632c5-18c8-42b0-a938-19f6aabce1d0.png)
```
I had trouble reaching the internet on nmon1, then realized fw01 couldn't reach the internet as well.
idk what happened but I rebooted fw01 and it worked again
```
## enable SNMP services on pfSense
- web dashboard (10.0.5.2)
- services -> SNMP \
![image](../assets/27e9470d-e84b-4e8b-8076-cfcbc9b54dea.png) \
![image](../assets/bcdeb3dd-1245-4fc0-aff3-0a84cb383c8f.png)
- restart SNMP service \
![image](../assets/727824d9-510f-4235-8e62-7360a41ebae2.png)
## Install and Test SNMP Client on nmon01
- `sudo yum install net-snmp-utils` \
![image](../assets/c2924ebd-c975-4cbf-9b0e-b26e36954fdb.png)
## Install SNMPD (a SNMP Server) on web01
- set up web01 (10.0.5.12, you know the drill by now)
- `sudo yum install net-snmp-utils net-snmp`
- The default snmp configuration does not suit our purpose. Make a backup copy of /etc/snmp/snmpd.conf and create a new/blank version.
- `sudo cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.backup` \
![image](../assets/38e9d23f-a37a-4e61-948c-b949cbb19acc.png)
- allow 161/udp through firewall
```
sudo firewall-cmd --add-port=161/udp --permanent`
sudo firewall-cmd --reload`
```
- enable/start snmpd
```
sudo systemctl enable snmpd
sudo systemctl start snmpd
```
## install the SNMP Service Feature on AD01 using Server Manager on MGMT
## install the SNMP-Tools Remote Administration Feature on MGM01
![image](../assets/545f45bb-c125-4f69-9447-b605773f26be.png) \
![image](../assets/f62408cf-24bd-4947-9277-df5637f800e5.png)
## Enable Remote Management on AD01
Remote Computer Management does not work immediately for our remote AD01 Server due to firewall restrictions as seen in the error message. \
![image](../assets/f6c94f07-746a-4cc1-8f09-db5eb76f08a5.png) \
You will need to fix this by invoking a remote PowerShell session with AD01 from mgmt01. \
![image](../assets/b60a950e-bc09-424d-93cc-38c55deb0105.png)
## SNMP Service Security Properties on AD01
- Adjust the SNMP service properties on AD01 to add the SYS265 community string and limit queries to those from nmon01. \
![image](../assets/2629d201-965b-4a1e-8afe-7b88ebcbddd9.png)
- Restart the SNMP Service on ad01
## Capturing snmp packets nmon01->web01
- on web01: `tcpdump -i ens192 port 161 -c10 -AAA`
- on nom01: `snmpwalk -Os -c SYS265 -v2c web01-charlotte system`
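Review bot: the replacement `/etc/snmp/snmpd.conf` for web01 is never shown: the text says to back up the default and create a blank one, but the `rocommunity` line that defines the SYS265 community and limits it to nmon01 (the restriction the AD01 section applies through the service properties) is missing, so a reader cannot reproduce the `snmpwalk -c SYS265` test. Suggest adding the file contents with the community restricted to nmon01's address, matching AD01. Two smaller things: both `firewall-cmd` lines inside the code block end in a stray backtick, which breaks copy-paste, and `nom01` should be `nmon01`. The `tcpdump ... -AAA` capture is also the natural place to say that the v2c community string crosses the wire in clear text, which is why limiting the querying hosts matters.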


@ -0,0 +1,15 @@
# DHCP Lab
[reference from SYS255](https://git.charlotte.sh/lotte/ChamplainTechJournals/src/branch/main/sysadmin-i-sys255/lab08.5-configure-windows-dhcp-server.md)
ad01- add roles and features \
![image](../assets/57c507d3-202d-4f0b-a19e-3da3bf8f3450.png)
DNS Manager
Configurations:
- Scope: 10.0.5.150 - 10.0.5.175
- Subnet mask: /24
- Router: 10.0.5.2
- DNS: 10.0.5.5
on wks-01, set IP to acquire automatically \
![image](../assets/0dbd53ce-1e87-4aa7-8c4d-e592233d9f19.png)
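Review bot: `DNS Manager` above the scope settings looks like a copy error; the scope range, router and DNS options are configured in the DHCP console after adding the DHCP Server role, not in DNS Manager. Also missing is the authorization step: a DHCP server on a domain-joined Windows host must be authorized in AD before it hands out leases, so if that post-install step is skipped wks-01 will not receive an address from it, and the doc should say where that is done.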


@ -0,0 +1,181 @@
# Containerization with Docker
![image](https://git.charlotte.sh/lotte/ChamplaintechJournals/src/branch/main/assets/7a571e73-76f3-4efe-a4dd-644c0c856011.png)
## set up docker01 - Ubuntu 20.04 cloud server
IP Address: 10.0.5.12 (change web01 address to 10.0.5.20) \
Default Gateway: 10.0.5.2 \
DNS: 10.0.5.5 \
![image](https://git.charlotte.sh/lotte/ChamplaintechJournals/src/branch/main/assets/e8491101-e466-4046-be31-eb397ee2f159.png)
### changing hostname. it is different on Ubuntu Cloud
- in `/etc/cloud/cloud.cfg`:
```
preserve_hostname: true
hostname: docker01-charlotte (add this line under)
fqdn: docker01-charlotte.charlotte.local (add this line under)
```
- change hostname for 127.0.1.1 in `/etc/hosts` file
![image](https://git.charlotte.sh/lotte/ChamplaintechJournals/src/branch/main/assets/c921d829-5bc4-4048-a4fb-de42b1f413a7.png)
- finally, `sudo hostnamectl hostname docker01-charlotte`
- update DNS records on mgmt01 (remember to change web01 record too)
## docker installation
https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04
update and install prerequisite packages, this will let apt use packages over HTTPS
```
sudo apt update
sudo apt install apt-transport-https ca-certificates curl software-properties-common
```
add the GPG key
```
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
```
add docker repo to APT sources
```
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable"
```
validate installation is from docker repo. Notice that docker-ce is not installed,
but the candidate for installation is from the Docker repository for Ubuntu 20.04 (focal).
```
apt-cache policy docker-ce | head
```
![image](https://git.charlotte.sh/lotte/ChamplaintechJournals/src/branch/main/assets/bb0207b1-5010-4d36-9fdd-028ec450cc5e.png)
install docker
```
sudo apt install docker-ce
```
check status
```
sudo systemctl status docker
```
### executing the docker command without sudo:
add user to the docker group, apply the new group membership, and logout/log back in
```
sudo usermod -aG docker charlotte
su - charlotte
```
## using docker
### downloading images
search for images availabe on Docker Hub
```
docker search <image-name>
```
download from Dockuer Hub
```
docker pull <image-name>
```
see installed images
```
docker images
```
## docker-compose
- https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-compose-on-ubuntu-20-04
> "Docker Compose is a tool that allows you to run multi-container application environments based on definitions set in a YAML file."
download the 1.29.2 release and save the executable file at /usr/local/bin/docker-compose
```
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
```
make docker-compose executable:
```
sudo chmod +x /usr/local/bin/docker-compose
```
verify installation
```
docker-compose --version
```
The following command pulls down an Arch Linux based docker image, invokes it in a container, and runs /bin/echo "HELLO SYS265 SNOWY DAYS '' before deleting the container.
```
docker run --rm archlinux:latest /bin/echo "HELLO SYS265 SNOWY DAYS"
```
___
## docker run command syntax (example)
- e.g. The following command will pull down the image, application and dependencies associated with a simple python web application. `docker run -d -P training/webapp python app.py`
- `docker`: CLI for interacting with docker
- `run`: create and start a new container
- `-d` (or `--detach`): the container runs in the background.
- useful for non-interactive services, like webservers and databases
- `-P` (or `--publich-all`): automatically publishes all exposed ports of the container to random host ports.
- This allows external access to the services running in the container without having to specify port mappings manually.
- `training/webapp`: the docker image from which the container is created
- In this case, an image named `webapp` that is located in the `training` repository
- `python`: command that will be executed inside the container once it starts
- `app.py`: argument passed to the python command
- the Python script `app.py` should be executed by the Python interpreter when the container starts.
- `docker run httpd` will automatically set up an apache web server in the container
### to stop docker process
```
docker stop <container ID>
```
## dockerized WordPress
https://github.com/docker/awesome-compose/tree/master/wordpress-mysql
- create a directory `docker-wp`
- create compose.yml
>[!Caution]
> Absolutely never use a tab in a docker-compose.yml file
```
services:
db:
# We use a mariadb image which supports both amd64 & arm64 architecture
image: mariadb:10.6.4-focal
# If you really want to use MySQL, uncomment the following line
#image: mysql:8.0.27
command: '--default-authentication-plugin=mysql_native_password'
volumes:
- db_data:/var/lib/mysql
restart: always
environment:
- MYSQL_ROOT_PASSWORD=somewordpress
- MYSQL_DATABASE=wordpress
- MYSQL_USER=wordpress
- MYSQL_PASSWORD=wordpress
expose:
- 3306
- 33060
wordpress:
image: wordpress:latest
ports:
- 80:80
restart: always
environment:
- WORDPRESS_DB_HOST=db
- WORDPRESS_DB_USER=wordpress
- WORDPRESS_DB_PASSWORD=wordpress
- WORDPRESS_DB_NAME=wordpress
volumes:
db_data:
```
- `docker compose up -d`
- wait...it's really that easy?
- yes
___
### showing how containers use the same kernel as the host
- example: the following commands will:
- Print out the current version of Ubuntu on docker01. `cat /etc/lsb-release`
- Print out the current version of docker01's linux kernel. `echo "Current Kernel is: $(uname -a)"`
- Invoke a container of the stored Ubuntu image as well as an interactive bash command prompt, and print out the kernel being used by the Ubuntu container. `docker run -it archlinux /bin/uname -a`
![image](../assets/4df08b6e-cbf7-474b-8301-f2f52e65ba4d.png)
- as you can see, both the docker container(archlinux) and the host(docker01-charlotte) are using the same kernels
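Review bot: the compose section installs the standalone `docker-compose` 1.29.2 binary (Compose v1), but the WordPress steps then run `docker compose up -d`, which is the v2 CLI plugin and is not installed by anything in this file; either run `docker-compose up -d` or install the `docker-compose-plugin` package from the Docker repository already added above. The 1.29.2 download is also fetched with no checksum or signature check and v1 is end-of-life, which is a second reason to prefer the plugin. Secondary points: `--publich-all` should be `--publish-all`; the kernel demo says "the stored Ubuntu image" but runs `archlinux`; and the compose file carries `MYSQL_ROOT_PASSWORD=somewordpress` and the `wordpress`/`wordpress` credentials verbatim from the upstream example while publishing port 80 on every interface of docker01, so a line telling the reader to change them before `up -d` is warranted.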


@ -0,0 +1,59 @@
# Git and Linux SSH
>[!Note]
>This entry is pretty empty because I've already written [this journal Entry for using git/github](https://git.charlotte.sh/lotte/ChamplainTechJournals/src/branch/main/automation-sys320/week01/github_setup.md)
# Automating ssh authentication
- generate SSH key pair on your management node (in this case, web-01)
- push pubkey to github repo
- run the secure-ssh.sh script on remote host to create a new user that has the pubkey in `.../.ssh/authorized_keys`
- you can now ssh from web-01 to remote hosts without password!
___
### creating/adding ssh key
```
ssh-keygen -t rsa -b 4096 -C "sys265"
cat ~/.ssh/id_rsa
```
copy this to github SSH & GPG section
- to test: `ssh -T git@github.com`
- `git remote -v`
- if git is using https. you will have to change it to use ssh
- `git remote set-url origin git@github.com:charlottecroce/champlaintechjournals`
___
before being able to commit, you will have to add the following authentication:
- `git config user.email charlotte.croce@mymail.champlain.edu`
- `git config user.name charlottecroce`
## docker-01
copying config files to git repo
```
sudo apt install git
git clone https://git.charlotte.sh/lotte/ChamplainTechJournals
cd ~/champlaintechjournals/sysadmin-ii-sys265/configs/docker-01
sudo cp /etc/hosts .
sudo cp /etc/netplan/* .
sudo cp /etc/cloud/cloud.cfg .
```
## mgmt-01
- install git from web
```
git clone https://git.charlotte.sh/lotte/ChamplainTechJournals
cd ~/champlaintechjournals/sysadmin-ii-sys265/configs/mgmt-01
echo $(hostname) > README.md
git add .
git commit -m "added a readme"
git push
```
- login with token authentication
# web-01
- `sudo yum install git`
- create ssh key and connect to git with it (see above section)
```
mkdir -p linux/public-keys
mkdir -p linux/ubuntu
mkdir -p linux/centos7
```
- create [secure-ssh.sh script](https://git.charlotte.sh/lotte/ChamplainTechJournals/src/branch/main/sysadmin-ii-sys265/linux/centos7/secure-ssh.sh)
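Review bot: `cat ~/.ssh/id_rsa` prints the private key, and the next line tells the reader to paste that into GitHub's SSH & GPG keys page; it must be `cat ~/.ssh/id_rsa.pub`. A private key that has been pasted into a web form should be treated as compromised and the pair regenerated. Minor: the `git config user.email` / `user.name` lines set the commit identity, not authentication, as the lead-in calls it; the actual authentication is the SSH remote URL set two lines above.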


@ -0,0 +1,322 @@
# Automation with Ansible
Demonisioning: web01, nmon-01, docker-01 😢
___
## New Machines
### controller-charlotte - Ubuntu
configure with netplan
```
network:
ethernets:
ens160:
dhcp4: no
addresses:
- 10.0.5.90/24
routes:
- to: default
via: 10.0.5.2
nameservers:
addresses:
- 10.0.5.5
version: 2
```
#### to reset DNS
```
dhclient -r
dhclient
```
### ansible1-charlotte - CentOS
configure with nmtui
- IP: 10.0.5.91
- DG: 10.0.5.2
- DNS: 10.0.5.5
### ansible2-charlotte - CentOS
configure with nmtui
- IP: 10.0.5.92
- DG: 10.0.5.2
- DNS: 10.0.5.5
## Initial Configuration
- on all machines, create a sudo account named deployer (use same password across all systems)
- install ansible on controller
```
sudo apt install ansible sshpass python3-paramiko
```
- Configure sudo access:
- create `/etc/sudoers.d/sys265` on all systems
- add the following line to allow passwordless sudo for deployer:
```
deployer ALL=(ALL) NOPASSWD:ALL
```
> [!Note]
> Although it is not uncommon to update `/etc/sudoers` directly, it is far easier to script the addition of a file to `/etc/sudoers.d`
## SSH Key Setup
As the deployer user on controller:
- Create RSA keypair with passphrase:
```
ssh-keygen -t rsa
```
- copy pukey to ansible1 and ansible2
```
ssh-copy-id deployer@ansible1-charlotte
ssh-copy-id deployer@ansible2-charlotte
```
-configure `ssh-agent` to avoid typing passphrase for 4 hours
```
eval(ssh-agent) # test to see if ssh-agent is running, and if not,run it
ssh-add -t 14400
```
## Ansible Configuration
in `deployer@controller:/home/deployer/`
- make directory structure
```
mkdir -p ansible/roles
cd ansible/
```
- create inventory and test conection
```
echo ansible1-charlotte >> inventory.txt
echo ansible2-charlotte >> inventory.txt
cat inventory.txt
```
```
ansible all -m ping -i inventory.txt
```
- add webmin tag to `inventory.txt` and test
```
ansible1-charlotte
[webmin]
ansible2-charlotte
```
```
deployer@controller-charlotte:~/ansible$ ansible webmin -m ping -i inventory.txt
ansible2-charlotte | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"ping": "pong"
}
```
## webmin installation
- install webmin role
```
ansible-galaxy install semuadmin.webmin -p roles/
```
- create `webmin.yml` playbook to handle repository setup, installation, and firewall configuration
```
- name: webmin sys265
hosts: webmin
become: true # Run all tasks with sudo/root privileges
vars:
install_utilities: false
firewalld_enable: true
pre_tasks: # before role execution. we need the repo/key before executing webmin installation role
- name: add webmin repo and GPG key
yum_repository:
name: webmin
description: Webmin Distribution Neutral
baseurl: http://download.webmin.com/download/yum
enabled: true
gpgcheck: true
gpgkey: http://www.webmin.com/jcameron-key.asc
# update YUM cache to recognize new repository
- name: clean and update YUM cache
yum:
update_cache: yes
roles:
- semuadmin.webmin # apply the webmin installation role
handlers: # will run when a task has notify:name parameter
- name: reload firewall # runs after adding firewall rule
command: firewall-cmd --reload
tasks:
# open port 10000 in firewall for webmin web interface
- name: add firewall rule
firewalld:
port: 10000/tcp
permanent: true
state: enabled
notify: reload firewall
- name: install webmin
yum:
name: webmin
state: present # will only install if not already
- name: enable and start webmin service
systemd:
name: webmin
enabled: true
state: started
daemon_reload: yes # reload systemd to recognize new service
```
- run playbook
```
ansible-playbook -i inventory.txt roles/webmin.yml
```
- change webmin root password
```
sudo /usr/libexec/webmin/changepass.pl /etc/webmin root newpassword
```
## apache isntallation
- edit inventory.txt
```
[apache]
ansible1-charlotte
[webmin]
ansible2-charlotte
```
- install apache role
```
ansible-galaxy install geerlingguy.apache -p roles/
```
- create `apache.yml` file
```
- name: apache sys265
hosts: apache
become: true # Run all tasks with sudo/root privileges
vars:
install_utilities: false
firewalld_enable: true
ansible_os_family: RedHat
ansible_distribution: CentOS # required because role searches for Rocky config files
roles:
- geerlingguy.apache # apply the apache installation role
handlers: # will run when a task has notify:name parameter
- name: reload firewall # runs after adding firewall rule
command: firewall-cmd --reload
tasks:
# open port 443 in firewall for apache web interface
- name: add firewall rule
firewalld:
port: "{{ item }}"
permanent: true
immediate: true
state: enabled
loop:
- 80/tcp
- 443/tcp
notify: reload firewall
- name: install apache
yum:
name: httpd
state: present # will only install if not already
- name: enable and start apache service
systemd:
name: httpd
enabled: true
state: started
daemon_reload: yes # reload systemd to recognize new service
```
- run playbook
```
ansible-playbook -i inventory.txt roles/webmin.yml
```
# Ansible on Windows
## OpenSSH Server Setup
>[!Caution]
> DO NOT INSTALL 32 BIT VERSION
### Install OpenSSH
Run these commands in PowerShell as Administrator:
```
wget https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.8.1.0p1-Preview/OpenSSH-Win64.zip -O 'C:\Program Files\OpenSSH.zip'
Expand-Archive -Path 'C:\Program Files\OpenSSH.zip' -DestinationPath 'C:\Program Files\OpenSSH'
rm 'C:\Program Files\OpenSSH.zip'
powershell.exe -ExecutionPolicy Bypass -File 'C:\Program Files\OpenSSH\OpenSSH-Win64\install-sshd.ps1'
```
### Configure OpenSSH
- start service
```
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
Get-Service -Name sshd # check if running
```
- add firewall rule
```
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
Get-NetFirewallRule | Where-Object DisplayName -Like '*ssh*'
```
- set PowerShell as default SSH shell
```
Set-ItemProperty "HKLM:\Software\Microsoft\Powershell\1\ShellIds" -Name ConsolePrompting -Value $true
New-ItemProperty -Path HKLM:\SOFTWARE\OpenSSH -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
```
- add `charlotte.croce-adm` to the **Remote Management Users** groups
- Add/uncomment the following lines in C:\ProgramData\ssh\sshd_config
- `StrictModes no` is sometimes needed on Windows systems because Windows permissions don't map perfectly to the UNIX-style permissions that OpenSSH expects
```
AllowUsers charlotte\charlotte.croce-adm
StrictModes no
```
## Ansible Setup
### Inventory Setup
- add windows machines to `inventory.txt`
```
[windows]
mgmt01-charlotte
wks01-charlotte
[windows:vars]
ansible_shell_type=powershell
```
- create ansible.cfg in ansible directory, to skip host key checking
```
[defaults]
host_key_checking = false
```
- test connection
```
ansible windows -i inventory.txt -m win_ping -u charlotte.croce-adm@charlotte.local --ask-pass
```
## Software deployment using win_chocolatey
- create playbook `roles/windows_software.yml`
```
- name: install windows applications
hosts: windows
tasks:
- name: install firefox and 7zip
win_chocolatey:
name:
- firefox
- 7zip
state: present
```
- run playbook
```
ansible-playbook -i inventory.txt roles/windows_software.yml -u charlotte.croce-adm@charlotte.local --ask-pass
```
- If you encounter .NET Framework errors, install version 4.8 (in my case I needed version 4.8, it will probably be a different version in the future)
```
Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/?linkid=2088631" -OutFile "C:\dotNetFx48.exe"
Start-Process -FilePath "C:\dotNetFx48.exe" -ArgumentList "/quiet /norestart" -Wait
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" -Name Release # verify installation
```
> [!Note]
> Installation may take several minutes. System restart required after installation.
- list packages installed with chocolatey
```
'C:\ProgramData\chocolatey\bin\choco.exe' list
```
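Review bot: the "run playbook" step under apache installation runs `roles/webmin.yml` again instead of `roles/apache.yml`, so the apache host never gets its playbook applied as written. `eval(ssh-agent)` is not valid shell either; the usual form is `eval "$(ssh-agent -s)"` followed by `ssh-add -t 14400`. On the security side: `host_key_checking = false` in ansible.cfg turns off SSH host key verification for every target, so the doc should call it a lab shortcut and show the alternative (seed `~/.ssh/known_hosts` with `ssh-keyscan`, or accept each key once interactively). Likewise `StrictModes no` disables sshd's permission checks on `.ssh` and `authorized_keys`; Win32-OpenSSH ships `FixUserFilePermissions.ps1` for exactly this case so StrictModes can stay on. The webmin repo `baseurl` and `gpgkey` are both plain `http://`; gpgcheck protects the packages but the key itself is fetched unauthenticated, so use https for both. Finally, `changepass.pl /etc/webmin root newpassword` puts the new password in shell history, which the doc should mention.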


@ -0,0 +1,69 @@
# AD Group Policy & SW Deployment
## Prepare an OU, user & workstation
Before we get into configuring a Group Policy Object (GPO) within Active Directory (AD), lets set the AD stage to deploy a software package. Via AD Users & Computers, create a “Test OU”.
![image](../../assets/a5a9d811-0e27-48e2-b25d-97cb9e345e56.png)
Use Powershell on AD01 via MGMT01 to create another OU called “Software Deploy”, move WKS01 and your regular named account into it, and then delete the Test OU.
```powershell
# Create another OU called Software Deploy under charlotte.local
# Move WKS01 and your regular named account into it, and then
# Delete the Test OU
# Get the domain Distinguished Name (DN)
$domainDN = (Get-ADDomain).DistinguishedName
# Create the "Software Deploy" OU
$swDeployOUDN = "OU=Software Deploy,$domainDN"
$swDeployOU = Get-ADOrganizationalUnit -Identity $swDeployOUDN
if($swDeployOU){
Write-Host "'Software Deploy' OU already exists at $swDeployOUDN"
}else{
New-ADOrganizationalUnit -Name "Software Deploy" -Path $domainDN -Description "Software Deployment OU"
Write-Host "Created $swDeployOUDN"
}
# Move WKS01 computer to new OU
$computerDN = (Get-ADComputer -Identity "WKS01-CHARLOTTE").DistinguishedName
$targetOUDN = "OU=Software Deploy,$domainDN"
Move-ADObject -Identity $computerDN -TargetPath $targetOUDN
Write-Host "Computer $computerDN added to $targetOUDN"
# Move charlotte.croce-adm to new OU
$userDN = (Get-ADUser -Identity "charlotte.croce-adm").DistinguishedName
Move-ADObject -Identity $userDN -TargetPath $targetOUDN
Write-Host "User $userDN added to $targetOUDN"
# Remove the "Protect from accidental deletion" flag from Test OU and delete
$testOU = Get-ADOrganizationalUnit -Filter {Name -eq "Test OU"}
if($testOU){
Set-ADObject -Identity $testOU -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $testOU -Confirm:$false
Write-Host "Deleted $testOU"
}
```
## Deploying Software via GPO
- On MGMT01, download the current Putty x64-bit Windows Installer Package.
- Next, create a Share on MGMT01 named Software and place Puttys .msi in it, so users and computers (via GPO) can access & install it shortly.
- see SYS255 file share docs [here](https://git.charlotte.sh/lotte/ChamplainTechJournals/src/branch/main/sysadmin-i-sys255/lab07-lab-server-core-and-remote-administrator-tools.md#use-rsat-to-add-to-fs01-and-create-a-sales-users-share). No need to map drive to letter
- Via Group Policy Management feature on MGMT (You need to install this), create a new GPO named Deploy SW within the Software Deploy OU. \
![image](../../assets/64d738b7-1b8e-45ea-9f7d-474fc6679cfb.png)
![image](../../assets/dccadcee-10f4-4fce-ac7b-0f7b9b87f0cd.png)
- Edit the new GPO by creating a new Software installation, and assign Puttys .msi package to deploy. \
![image](../../assets/45ad5e35-665c-4861-a8be-e9aa17d6b676.png)
- With the new GPO setting, run `gpupdate /force` on WKS01, and then allow the restart when prompted. PuTTY should now be installed
> [!Note]
> An extremely common issue youll encounter in MS Window environments are the differences between Local Permissions vs. Share Permissions:
>
> Local Permissions (also called NTFS Permissions): Permissions that are applied only Locally (and not Remotely) on the OS, and affects both Local (i.e. via keyboard) and Remote (i.e. via network) account access.
>
> Share Permissions: Permissions that are applied only Remotely (and not Locally) to the OS, and affects only Remote (i.e. via network shares) account access.
>
> If both Shared & Local Permissions are set, then MOST RESTRICTIVE PERMISSION WINS. #LeastPriledgeRules -- summary [here](https://blog.netwrix.com/ntfs-vs-share-permissions)
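Review bot: `Get-ADOrganizationalUnit -Identity $swDeployOUDN` raises an error when the object does not exist rather than returning nothing, so on a fresh domain the existence check emits an error before falling through to the `else`; the `-Filter` form the script already uses for the Test OU (`Get-ADOrganizationalUnit -Filter {Name -eq "Software Deploy"}`) returns `$null` cleanly and is the right lookup here. Second, the instructions say to move the regular named account, but the script moves `charlotte.croce-adm`; placing the admin account in the OU that will receive software-deployment GPOs also applies those user policies to the privileged account, so the script should move `charlotte.croce` to match the text. Typos in the note block: "youll", "Priledge".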


@ -0,0 +1,149 @@
# Lab07 - certs
make certain -adm account is in the Enterprise Admins
```powershell
Get-ADGroupMember "Enterprise Admins"
```
add RSAT to MGMT01. needs to run as administrator
```powershell
Install-WindowsFeature RSAT-ADCS -IncludeManagementTools
```
Start remote PowerShell session
```powershell
$session = New-PSSession -ComputerName ad01-charlotte
```
Install AD Certificate Services Role
```powershell
Invoke-Command -Session $session -ScriptBlock {
Install-WindowsFeature -Name AD-Certificate -IncludeManagementTools
# Import the ADCS module
Import-Module ADCSDeployment
}
```
Configure Enterprise Root CA
```powershell
Invoke-Command -Session $session -ScriptBlock {
Install-AdcsCertificationAuthority `
-CAType EnterpriseRootCA `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-KeyLength 4096 `
-HashAlgorithmName SHA512 `
-ValidityPeriod Years `
-ValidityPeriodUnits 7 `
-Force
}
```
Create Certificate Share
```powershell
Invoke-Command -Session $session -ScriptBlock {
# create the shared folder for certs
New-Item -Path "C:\Shares\Certs" -ItemType Directory -Force
New-SmbShare -Name "Certs" -Path "C:\Shares\Certs" -FullAccess "Domain Admins" -ChangeAccess "Authenticated Users"
# copt cert to shared directory
$cert = Get-ChildItem -Path "Cert:\LocalMachine\CA" | Where-Object {$_.Subject -like "*charlotte-ad01-CHARLOTTE-CA*"}
# export cert to shared folder
Export-Certificate -Cert $cert -FilePath "C:\Shares\Certs\charlotte-AD01-CHARLOTTE-CA.cer" -Type CERT
}
```
Install AD CS role with Certification Authority and Web Enrollment
```
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
```
Configure the Subordinate CA and generate certificate request
```powershell
Install-AdcsCertificationAuthority `
-CAType EnterpriseSubordinateCA `
-CACommonName "mgmt01-CHARLOTTE-SubCA" `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-KeyLength 4096 `
-HashAlgorithmName SHA512 `
-OutputCertRequestFile "C:\SubCARequest.req"
```
Install the Web Enrollment service
```powershell
Install-AdcsWebEnrollment
```
Move the certificate request to the Root CA, get it signed, and retrieve it
```powershell
# Copy request to Root CA's shared folder
Copy-Item -Path "C:\SubCARequest.req" -Destination "\\ad01-charlotte\Certs\"
# Sign the request on the Root CA
Invoke-Command -Session $session -ScriptBlock {
# Sign the subordinate CA certificate request
certreq -submit -config "ad01-charlotte\charlotte-AD01-CHARLOTTE-CA" -attrib "CertificateTemplate:SubCA" "C:\Shares\Certs\SubCARequest.req" "C:\Shares\Certs\SubCACert.cer"
}
# Copy the signed certificate back to the Subordinate CA
Copy-Item -Path "\\ad01-charlotte\Certs\SubCACert.cer" -Destination "C:\"
```
```powershell
# Start the CA service
Start-Service -Name CertSvc
# Install the issued certificate
certutil -installcert "C:\SubCACert.cer"
# Configure CA settings
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapPeriodUnits 12
certutil -setreg CA\CRLOverlapPeriod "Hours"
# Restart the service to apply changes
Restart-Service -Name CertSvc
```
```
# Verify the CA status
certutil -ping
```
Clean up the remote session
```
Remove-PSSession $session
```
___
*at this point I stopped using PS and just used the GUI*
___
### Create Certificate Template
- open the CA console: `certsrv.msc`
- Expand root cert tree > RC Certificate Templates > Manage
- Duplicate User template
- General tab: Set name "Champ Lab User"
- Subject Name: Select "Build from AD info", uncheck all email options
- Extensions: Add "Smart Card Logon" to Application Policies
- Security: set "Authenticated Users" to Read, Enroll, Autoenroll permissions
## Issue Certificate Template
- in CA console
- Right-click Certificate Templates > New > Certificate Template to Issue > Select "Champ Lab User"
## Configure Group Policy
- `gpmc.msc`
- Create GPO "Champ Lab Users" at domain level
- Edit GPO > User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
- Enable "Certificate Services Client - Auto-Enrollment"
- Check both renewal options > OK
## Test Auto-Enrollment
- on WKS01:
- `gpupdate /force`
- Verify: `gpresult /r`
- `certmgr.msc` > Personal > Certificates > Verify "Champ Lab User" certificate is present
## Windows Admin Center Installation
- Download Windows Admin Center 2019 Evaluation
- https://info.microsoft.com/ww-landing-windows-admin-center.html
- download the msi
- you will have to put in information. i just used fake info
- Express setup. Generate self-signed cert. Disable updates
- Logon via -adm account, add ad01 + wks10, install AD + DNS extensions, and uninstall Azure + Cluster extensions
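Review bot: `New-SmbShare ... -ChangeAccess "Authenticated Users"` gives every domain user write access to the share through which the root CA certificate is distributed and, later, through which the subordinate CA request and signed certificate travel (`SubCARequest.req`, `SubCACert.cer`); read access is enough for distributing the `.cer`, and write should stay with Domain Admins (or the CA operators), otherwise the file the subordinate CA installs with `certutil -installcert` could be replaced by any user. Related: `Cert:\LocalMachine\CA` is the Intermediate Certification Authorities store; on the root CA its own certificate lives in `Cert:\LocalMachine\Root` (and in `My` with the private key), so the `$cert` lookup may come back empty and should be confirmed before the `Export-Certificate` line. Minor: two blocks (the `ADCS-Cert-Authority` install and the `certutil -ping` / `Remove-PSSession` pair) lack the `powershell` fence tag the rest of the file uses, and `copt` should be `copy`.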