The next step to getting my lab ready is to make some updates to my servers and computers. The fastest way to update all of my machines is to update the group policy objects (GPOs). After I update the GPO policies I am going to check the DNS configuration and make sure my domain is ready for the remaining workstations.
I am going to use group policy management console (GPMC) to update GPO policies for my domain. The first policy change I need to make is to finish enabling WSUS on my domain by mapping all of the workstations and servers to WSUS for updates. To make this change I am going to make a new GPO for the domain called WSUS settings in GPMC.
Create a new GPO in this domain and link to domain
Editing the new GPO
Now I go to Computer configuration > Policies > Administrative Templates > Windows components > Windows Update > Specify intranet Microsoft update service location.
Selecting the policy to update
First, I map the domain servers and workstations to my WSUS server, I need to enter the address for my WSUS server. Then I enable the policy so it takes effect.
Adding the web address for my internal WSUS
Next, I need to configure the schedule for automatic updates. This sets all the machines to download updates from the internal WSUS and selects the desired behavior. I set the Configure Automatic Updates setting to make this change.
Setting automatic updates in GPO
Update Policy for Add/Remove Features
I need to make one more change related to WSUS. Right now WSUS is only used for software updates, but I also need to map workstations and servers to WSUS for adding and removing features. That is in Computer configuration > Policies > Administrative Templates > System > Specify settings for optional component installation and component repair.
Mapping add/remove features to internal WSUS
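The same three policy changes can be made from the GroupPolicy module that RSAT installs, which also makes it easy to check what actually landed on a client. This is an added example, not the post's own steps; the WSUS URL, the domain DN and the registry-value names for the Servicing policy are my assumptions for this lab.

```powershell
# Added example (not from the original post): build the "WSUS settings" GPO from
# PowerShell with the GroupPolicy module that RSAT installs. The WSUS URL and the
# domain DN are assumptions for this lab.
Import-Module GroupPolicy

$GpoName  = 'WSUS settings'
$DomainDN = 'DC=corp,DC=globomantics,DC=local'              # assumed from corp.globomantics.local
$WsusUrl  = 'http://filesrv.corp.globomantics.local:8530'   # assumed; 8530 is the WSUS default HTTP port

# Registry paths behind the three Administrative Template settings used in the post
$WuKey  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey  = "$WuKey\AU"
$SvcKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Servicing'

# Create the GPO once and link it at the domain root
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Point all domain members at the internal WSUS server'
    New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null
}

# 1. "Specify intranet Microsoft update service location"
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'WUServer'       -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'WUStatusServer' -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'UseWUServer'    -Type DWord  -Value 1        | Out-Null

# 2. "Configure Automatic Updates": AUOptions 4 = auto download and schedule the install
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'NoAutoUpdate'         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0 | Out-Null  # 0 = every day
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'ScheduledInstallTime' -Type DWord -Value 3 | Out-Null  # 03:00

# 3. "Specify settings for optional component installation and component repair":
#    pull feature payloads from WSUS instead of the public Windows Update
#    (value names/meanings below are my understanding of this policy's registry backing)
Set-GPRegistryValue -Name $GpoName -Key $SvcKey -ValueName 'UseWindowsUpdate'          -Type DWord -Value 2 | Out-Null  # 2 = never contact Windows Update
Set-GPRegistryValue -Name $GpoName -Key $SvcKey -ValueName 'RepairContentServerSource' -Type DWord -Value 2 | Out-Null  # 2 = WSUS

# Check 1: read the values back out of the GPO itself
Get-GPRegistryValue -Name $GpoName -Key $WuKey | Format-Table ValueName, Value

function Test-WsusPolicy {
    # Check 2: run on a domain member after 'gpupdate /force' to confirm the policy applied.
    $wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer    = $wu.WUServer
        UseWUServer = $au.UseWUServer
        AUOptions   = $au.AUOptions
        Applied     = ($wu.WUServer -eq $WsusUrl -and $au.UseWUServer -eq 1)
    }
}
```

Two points worth keeping in mind when you point every machine at one update URL: the GPO is now a high-value object (anyone who can edit it controls what every domain member installs), so watch who has write access to it; and a plain-HTTP WSUS URL means clients trust whatever answers on that address, so switch to the HTTPS port (8531 by default) once you have a certificate for the server.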
That’s it for the WSUS GPO. Now my workstations will map to the internal server for updates and features. Next I need to check DNS settings. I am going to use the DNS manager in RSAT for this.
DNS Manager for my domain
First, I am going to set the server to only listen on the IPv4 interface for DNS queries. Then I am going to check the DNS forwarders and make sure it is using the Pi-hole in the DMZ.
Selecting the IPv4 interface for DNS listeners
Checking DNS Forwarders
My DNS is configured and working as expected, and my domain is ready for workstations. Before I add workstations though, I am going to add one more service: Email.
In this step I am creating a new server using the Windows Server 2019 template created earlier in this process. The first role is providing my network with shared storage by creating a file server, then adding Windows Server Update Services (WSUS). I can install the basic services with PowerShell and use the remote administration tools on my Admin PC to manage WSUS.
The first step is to clone the Windows Server template into a new VM that I am going to call FileSrv. After cloning, I just start the machine and change the Administrator password.
New server started, changing the admin password
Joining the domain in Server Core is easily done using SConfig. I changed the name on the server to FileSrv and joined the CORP domain in my lab. I also checked the network settings to make sure everything is correct.
Rename the server in SConfig
Checking IP address in SConfig
Joining my lab network domain from SConfig
Once the server reboots, I logged in with the Bob Admin credentials and prepared to install the File Server role. Installing the file server role is done through PowerShell using the command below.
Now the File share is available on the entire domain using \\Globoshare\ to access.
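Here is how the role install and the share creation look as a PowerShell script, with the NTFS and SMB permissions set explicitly rather than inherited. This is an added example and not the post's own command; the local path, the share settings and the groups granted access are assumptions for this lab.

```powershell
# Added example (not the post's own command): install the File Server role on the
# FileSrv Server Core box and publish the share the post calls Globoshare.
# The local path and the groups granted access are assumptions for this lab.
Install-WindowsFeature -Name FS-FileServer -IncludeManagementTools

$SharePath = 'D:\Shares\Globoshare'   # assumed local path, kept off the system drive
$ShareName = 'Globoshare'

if (-not (Test-Path $SharePath)) { New-Item -Path $SharePath -ItemType Directory | Out-Null }

# NTFS: stop inheriting the drive's defaults and grant explicitly, so the
# share is not world-writable by accident.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, drop inherited rules
$rules = @(
    @('NT AUTHORITY\SYSTEM', 'FullControl'),
    @('CORP\Domain Admins',  'FullControl'),
    @('CORP\Domain Users',   'Modify')
)
foreach ($r in $rules) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# SMB share permissions sit on top of NTFS; keep them just as narrow and
# require SMB 3 encryption so the share contents are not readable on the wire.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath `
        -FullAccess   'CORP\Domain Admins' `
        -ChangeAccess 'CORP\Domain Users' `
        -EncryptData  $true | Out-Null
}

# Checks: the share, its SMB ACL, and the NTFS ACL it sits on
Get-SmbShare -Name $ShareName | Format-List Name, Path, EncryptData
Get-SmbShareAccess -Name $ShareName
(Get-Acl $SharePath).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
```

The effective permission is the more restrictive of the SMB and NTFS ACLs, so the two lists above are intentionally aligned; if you later see "Everyone" in either output, something re-inherited and it is worth re-running the script.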
Installing Windows Server Update Services (WSUS)
Installing WSUS on Server Core is a little more complicated than configuring a shared file. For this role, I will need to use a combination of PowerShell commands and the admin tools on my Win10Admin PC. The first step is installing the Windows Feature in PowerShell.
Next I need to enable remote administration of this server. That involves adding Web Management Service, along with ensuring it starts up automatically on reboot. I also need to make a registry change to enable remote management.
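The PowerShell side of the WSUS install, including the post-install step and the remote-management changes, as an added example that is not the post's own command list. The content directory is an assumption; the registry value and service name for remote IIS management are the standard ones.

```powershell
# Added example (not the post's own commands): install WSUS on Server Core, run the
# one-time post-install the console would otherwise prompt for, and enable IIS
# remote management for the Win10Admin console. The content directory is an assumption.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# WSUS needs a post-install step to create its database and content folder
$ContentDir = 'D:\WSUS'   # assumed; keep update content off the system drive
New-Item -Path $ContentDir -ItemType Directory -Force | Out-Null
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=$ContentDir

# Web Management Service (WMSVC) lets the remote IIS/WSUS tooling reach this host,
# the registry value is what "enable remote management" flips in IIS Manager
Install-WindowsFeature -Name Web-Mgmt-Service
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -Name 'EnableRemoteManagement' -Value 1
Set-Service  -Name WMSVC -StartupType Automatic
Start-Service -Name WMSVC

# The feature install normally adds its own firewall rules; add the client port only if missing,
# and only on the Domain profile so nothing is exposed on other networks
if (-not (Get-NetFirewallRule -DisplayName 'WSUS HTTP (8530)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WSUS HTTP (8530)' -Direction Inbound -Protocol TCP `
        -LocalPort 8530 -Action Allow -Profile Domain | Out-Null
}

# Checks: both services up and set to start on boot, and the WSUS port/scheme in use
Get-Service WMSVC, WsusService | Format-Table Name, Status, StartType
Get-WsusServer | Select-Object Name, PortNumber, UseSecureConnection
```

`UseSecureConnection` will read `False` until WSUS is bound to a certificate; that is the setting to revisit once the lab has a CA, because it determines whether clients fetch update metadata over HTTP or HTTPS.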
From here the remaining steps are done in the remote admin tool. I followed the prompts and selected Microsoft Update as my upstream provider. This step took a long time for the initial sync.
Starting screen after configuring remote management
Connect to Upstream server
After that I selected the language and products that apply to my domain, along with the classifications. Then I configured the Synchronization schedule.
Synchronize Updates Manually in WSUS
After finishing I chose to begin the initial synchronization.
Begin initial synchronization in WSUS
With that, my new server is ready to go. I installed file services, created a network share, and configured WSUS so my machines have a single update server where I can approve each update. Next I have some group policy changes and other domain changes to make from RSAT on the Windows 10 Admin PC.
The next step in getting my lab up and running is to create a Windows 10 admin machine in Proxmox. As with most of my VMs, I am going to create a Windows 10 template first so I can quickly set up additional workstations using cloning. I created a new VM with the following settings:
Name: Win10Template
CD/DVD image: Win10Eval.iso
Disk: 60GB on local-lvm
CPU: 1 socket / 4 cores
Memory: 4096MB
Network: LANnet / 1450 MTU
Once it loads I started the standard Windows 10 install process.
Windows 10 Install Screen
I selected the following options during install:
Custom: Install Windows only (advanced)
Install Windows on Drive 0
I did not create any partitions
After reboot Windows enters OOBE, so I chose:
Selected region
Selected keyboard layout
Use domain join instead of a Microsoft account
Enter the information for Bob Admin created in the previous step
Answer security questions
Turn off all location and data sharing
No Cortana
Finally I got to the Windows Desktop and could start the remaining steps.
Windows 10 desktop after initial login
The next step was to run a Windows update and restart after updating.
Creating the Windows 10 template
Once I had all the desired configuration and updates covered, the final step was to remove all the specific information like user accounts. Just like with the Windows Server template, I can use the Windows Sysprep tool for this portion.
After the Sysprep finishes, Windows 10 will shutdown and the machine is ready. To create a Windows 10 template all I need to do is right click the machine and select the option to convert to template.
That’s it! Overall the process is a little faster than making a server template. Now it’s ready for cloning into the Windows Admin workstation.
Creating the Admin PC
Once I cloned the template, it goes through the same out of box experience as before. I selected the same options until I got to the main desktop.
My new Windows 10 Admin PC
Now I need to rename the machine and join it to the Globomantics domain I created in the last post. Renaming the PC is found in the system settings.
Workstation settings for Windows 10 Admin PC
Renaming the PC
Now it’s ready to join to the domain. For that I use Advanced System Settings and select the change option to change to domain from workgroup.
Advanced System Properties
After adding it to the domain and rebooting the machine, I could log in to the CORP domain using the credentials for Bob Admin.
Login to the CORP domain after reboot
The last step was installing the Remote Server Administration Tools (RSAT). This is a simple download and install, but it is delivered as a Windows update package rather than an executable. After the install, the tools are available in the start menu and the Windows 10 Admin PC is ready for our next phase: creating a File Server and WSUS Server.
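The rename, domain join and RSAT install can all be done from an elevated PowerShell prompt on the clone instead of through Settings. This is an added example, not the post's own steps; the computer name is an assumption, and the capability names are the standard RSAT Features on Demand identifiers that Windows 10 1809 and later use instead of a standalone installer.

```powershell
# Added example (not the post's own steps): rename the cloned workstation, join it to
# the CORP domain, and install the RSAT tools as Windows capabilities. The new name
# is an assumption for this lab.
$NewName = 'Win10Admin'                 # assumed
$Domain  = 'corp.globomantics.local'
$cred    = Get-Credential -Message "Account allowed to join $Domain (e.g. Bob Admin)"

# Rename and join in one step; -Restart reboots once both changes are staged
Add-Computer -DomainName $Domain -NewName $NewName -Credential $cred -Restart

# --- after the reboot, logged in as CORP\Bob Admin ---
# Install only the tools this lab needs rather than every Rsat.* capability,
# so the admin PC carries no more remote-administration surface than it uses.
$tools = @(
    'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0',
    'Rsat.Dns.Tools~~~~0.0.1.0',
    'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0',
    'Rsat.WSUS.Tools~~~~0.0.1.0',
    'Rsat.ServerManager.Tools~~~~0.0.1.0'
)
foreach ($name in $tools) {
    $cap = Get-WindowsCapability -Online -Name $name
    if ($cap.State -ne 'Installed') { Add-WindowsCapability -Online -Name $name | Out-Null }
}

# Checks: domain membership, and which RSAT capabilities are actually present
Get-CimInstance Win32_ComputerSystem | Select-Object Name, Domain, PartOfDomain
Get-WindowsCapability -Online -Name 'Rsat.*' | Where-Object State -eq 'Installed' | Select-Object Name
```

Because RSAT is a Feature on Demand, `Add-WindowsCapability` downloads the payload from Windows Update; once the later WSUS policy points optional component installation at the internal server, that download path has to be allowed there too.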
It’s time to create the internal LAN network starting with a domain controller and Active Directory domain. I am going to install Active Directory on server core using PowerShell. I will start by cloning the template from the previous post.
Cloning a template saves significant time on new server creation. To clone the Windows server template, I just right click the template and select clone. I am going to create a full clone and call it AD.
Naming the new server and selecting the mode
After running that I have to wait for the clone to finish. In Proxmox the VM shows a lock symbol over its name until it's done.
Proxmox is still creating the clone
After clone creation, I just start it and then I have to reset the Administrator account password. Sysprep removed all existing user accounts so I have to reset the password again.
Reset the administrator account password
Next I used SConfig to set a static IP address aligned to my network diagram, and configured the DNS server to use the Pi-hole in my DMZ. After that my server is ready for the Active Directory install.
Setting a static IP address and DNS server using SConfig
Install Active Directory on Server Core
To install Active Directory on server core, I am going to use PowerShell. From PowerShell I run this command. After running I will see the progress on a bar at the top of the window.
After the feature installation finished, I need to install the forest for my domain. The domain name I am using is corp.globomantics.local because I am using this lab for Pluralsight courses. The command to install the forest is:
Once that runs I just need to set the Safe Mode Administrator Password and confirm that the server will be a domain controller after completion. After confirming, the server creates the domain and becomes a domain controller.
Confirm that the server will be a domain controller
After the install finishes the server reboots and then I need to log in, check services, and configure DNS. I ran a dcdiag command to check the server and made sure it passed all the tests. Success! My domain is up and running.
Check AD functionality by running dcdiag
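The static addressing from SConfig, the feature install, the forest creation and the dcdiag check as one PowerShell sequence. This is an added example and not the post's own commands; the IP addresses are assumptions that follow the lab's 10.0.1.0/24 LAN, and the DSRM password is prompted for rather than written into the script.

```powershell
# Added example (not the post's own commands): static IP/DNS settings, then the
# AD DS forest install on the AD Server Core box. Addresses are assumed for this lab.
$Iface   = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).Name
$Address = '10.0.1.10'     # assumed LAN address for the DC
$Gateway = '10.0.1.1'      # pfSense LAN interface from the firewall post
$DmzDns  = '10.10.1.10'    # assumed Pi-hole address in the DMZ

New-NetIPAddress -InterfaceAlias $Iface -IPAddress $Address -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Iface -ServerAddresses $DmzDns

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# The DSRM password is read interactively so it never lands in history or a script file
$dsrm = Read-Host -AsSecureString -Prompt 'Safe Mode (DSRM) Administrator password'
Install-ADDSForest `
    -DomainName 'corp.globomantics.local' `
    -DomainNetbiosName 'CORP' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force        # skip the confirmation prompt; the server reboots when done

# --- after the reboot ---
function Test-DomainController {
    # dcdiag /q prints only error lines, so empty output means every test passed.
    $errors = dcdiag /q
    [pscustomobject]@{
        Healthy = [string]::IsNullOrWhiteSpace(($errors -join ''))
        Errors  = $errors
    }
}
Test-DomainController
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator
```

Keep the DSRM password somewhere outside the domain (it is the only way into the DC if Active Directory itself is broken), and re-run `Test-DomainController` after the DNS changes below since several dcdiag tests depend on name resolution.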
Configure DNS for the internal domain
The next step is configuring DNS for our internal domain. The first check is making sure the DNS forwarders are set correctly to my Pi-hole in the DMZ.
PS C:\Users\Administrator> Get-DNSServerForwarder
Check DNS forwarders and confirm they are correct
Next I had to configure the DMZ Pi-hole to allow requests from outside of the DMZ network. While the warning says potentially dangerous, since this server is not directly connected to the Internet it meets the home setup criteria.
Permit all origins set in Pi-hole to enable queries from outside of the DMZ
Now I can confirm that DNS is resolving correctly by pinging an external host and the internal domain.
The last step for DNS configuration is adding a reverse lookup zone using PowerShell. I can add the zone using the command below and check it using the Get-DNSServerZone command.
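One script for the DNS work in this post and for the two DNS Manager changes made later in the GPO post (IPv4-only listener and forwarder check): set the forwarder to the DMZ Pi-hole, restrict the listener, add the reverse zone, and verify resolution. This is an added example rather than the post's own commands; the addresses are assumptions for this lab and `example.com` is used only as a constructed external lookup.

```powershell
# Added example (not the post's own commands) covering the DNS steps from this post and
# the later GPO post. Addresses are assumptions for this lab.
$DcAddress = '10.0.1.10'      # assumed static address of the AD server
$PiHole    = '10.10.1.10'     # assumed DMZ Pi-hole
$LanCidr   = '10.0.1.0/24'

# Forwarders: everything the DC is not authoritative for goes to the Pi-hole only.
# Turning root hints off keeps the DC from going straight to the Internet if the forwarder fails.
Set-DnsServerForwarder -IPAddress $PiHole -UseRootHint $false -PassThru

# Listen only on the LAN IPv4 address (the "only the following IP addresses" option in DNS Manager)
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = @([System.Net.IPAddress]::Parse($DcAddress))
Set-DnsServerSetting -InputObject $settings

# Reverse lookup zone for the LAN, AD-integrated, secure dynamic updates only
if (-not (Get-DnsServerZone -Name '1.0.10.in-addr.arpa' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $LanCidr -ReplicationScope Domain -DynamicUpdate Secure
}

function Test-LabDns {
    # Constructed checks: forwarder and listener as configured, the domain's own A record,
    # an external name resolved through the forwarder, and the reverse zone's presence.
    [pscustomobject]@{
        Forwarders  = (Get-DnsServerForwarder).IPAddress.IPAddressToString -join ','
        Listening   = (Get-DnsServerSetting -All).ListeningIPAddress -join ','
        Internal    = (Resolve-DnsName 'corp.globomantics.local' -Type A -ErrorAction SilentlyContinue).IPAddress -join ','
        External    = (Resolve-DnsName 'example.com' -Type A -Server $DcAddress -ErrorAction SilentlyContinue).IPAddress -join ','
        ReverseZone = (Get-DnsServerZone | Where-Object IsReverseLookupZone).ZoneName -join ','
    }
}
Test-LabDns | Format-List
```

`-DynamicUpdate Secure` matters more than it looks: with non-secure updates any host on the LAN can register or overwrite records, including PTRs, which is exactly the kind of thing a reverse zone is later trusted for in logs.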
Now that DNS is working correctly, I need to change the DHCP scope from pfsense to use the new server.
Changing the DHCP settings in pfsense
Add Active Directory Users in Server Core
The last step I am taking is creating a new user to act as Globomantics domain administrator, Bob. I am going to create a user account and separate admin account called Bob User and Bob Admin. I can use PowerShell to create the accounts with these commands.
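The two accounts as a PowerShell script, with only the admin account added to Domain Admins and passwords prompted for instead of stored in the file. This is an added example, not the post's own commands; the OU and the sAMAccountNames are assumptions.

```powershell
# Added example (not the post's own commands): create Bob's everyday account and a
# separate admin account, and give only the admin account Domain Admins. The OU
# and the sAMAccountNames are assumptions for this lab.
Import-Module ActiveDirectory
$Domain = Get-ADDomain
$OuName = 'Lab Users'                                   # assumed OU
$OuPath = "OU=$OuName,$($Domain.DistinguishedName)"

if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'")) {
    New-ADOrganizationalUnit -Name $OuName -Path $Domain.DistinguishedName
}

# Passwords are prompted, never hard-coded, so this script is safe to keep in the lab notes
$accounts = @(
    @{ Sam = 'bob.user';  Given = 'Bob'; Surname = 'User';  Display = 'Bob User';  Admin = $false },
    @{ Sam = 'bob.admin'; Given = 'Bob'; Surname = 'Admin'; Display = 'Bob Admin'; Admin = $true  }
)
foreach ($a in $accounts) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($a.Sam)'")) {
        $pw = Read-Host -AsSecureString -Prompt "Password for $($a.Display)"
        New-ADUser -Name $a.Display -GivenName $a.Given -Surname $a.Surname `
            -SamAccountName $a.Sam -UserPrincipalName "$($a.Sam)@$($Domain.DNSRoot)" `
            -Path $OuPath -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
    }
    if ($a.Admin) {
        Add-ADGroupMember -Identity 'Domain Admins' -Members $a.Sam
        # Privileged accounts should never be delegated by a service; mark them sensitive
        Set-ADUser -Identity $a.Sam -AccountNotDelegated $true
    }
}

# Check: exactly who ended up in Domain Admins
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object Name, SamAccountName
```

The split mirrors the post's intent: Bob User is what logs in to workstations and reads email, Bob Admin is used only through RSAT and should never be used for browsing or mail on the admin PC.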
That’s it, we have a domain, domain controller, DNS server, and domain admin. Globomantics internal network is ready for new users and computers. The first computer I am going to add is a Windows 10 machine that my user Bob Admin will use. I will install the Remote Server Administration Tools (RSAT) to enable remote administration of the servers.
Creating a base Windows Server template for my future VMs and later another for my Windows workstations allows me to conduct all the basic configuration, updates, and other typical install task once rather than with each server I create. This also allows me to clone the template which is much faster than an install from ISO. While I only have two servers planned for now, this will save time creating even the second machine, and significant time on all future servers I create.
Creating Windows Server Templates
I am using Proxmox if you haven’t been following along, but the process of creating a template to clone is similar in all Virtualization platforms with minor variations.
Creating any virtual machine template consists of four basic steps:
Install the VM with all drivers, updates, and software packages
Configure any other standard configurations that will apply to all servers
Remove all user data, passwords, and keys – for Windows run a sysprep
Convert the machine to a template
I created a virtual machine in Proxmox with the following specs:
Name: WinSrv2019
OS: mapped to ISO file on my host
Disk: 100GB (can be less)
CPU: 1 socket / 4 cores
Memory: 4096MB (4 GB)
Network: LAN / MTU 1450 (this is due to VXLAN in my lab)
After creating the VM and booting up, I get the install screen for Windows Server 2019.
Windows Server 2019 install screen
When selecting an operating system I am going to use Windows Server 2019 Standard Evaluation edition without the desktop experience. I will configure the servers from command prompt / PowerShell and then remotely administer from one of the Windows 10 workstations.
Selecting the desired version for install
After this step I configured my desired install drive and started the server installation.
Server 2019 install in progress
After the install finished, I rebooted the server and then logged in with the Administrator account to access the command prompt.
Command prompt after initial login to Server 2019
To update the server, I used PowerShell to check Windows update with the command below and then reviewed the updates.
Once complete I got the feedback “True” in the command prompt. I then ran the command below to check for pending reboot. In my case a reboot was required so I rebooted the server.
PS C:\Users\Administrator> Get-WUIsPendingReboot
After reboot I enabled Windows Remote Management (winrm).
PS C:\Users\Administrator> winrm quickconfig
I also set some basic options like enabling remote desktop and ensuring my servers had the correct timezone using SConfig.
Example SConfig after enabling Remote Desktop
I also made a firewall change and registry change to ensure remote desktop access is enabled.
PS C:\Users\Administrator> netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
PS C:\Users\Administrator> cscript C:\windows\system32\scregedit.wsf /ar 0
These were all the custom changes I wanted to make so now I just need to run a sysprep to make the server ready for use as a template.
Prepare for Template Creation
Running a Sysprep is done by running sysprep.exe and setting the options in a Window that comes up. I chose to generalize, Enter System Out-of-Box Experience (OOBE), and shutdown once complete.
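The template build from the update check through to sysprep, scripted with the PSWindowsUpdate module that the post's `Get-WUIsPendingReboot` comes from. This is an added example and not the post's own commands; installing the module from the PowerShell Gallery and the time zone are assumptions, and the registry value used for Remote Desktop is what `scregedit.wsf /ar 0` changes.

```powershell
# Added example (not the post's own commands): the Server Core template build,
# using the PSWindowsUpdate module the post's Get-WUIsPendingReboot comes from.
# Module install from the PowerShell Gallery and the time zone are assumptions.
Install-PackageProvider -Name NuGet -Force | Out-Null
Install-Module -Name PSWindowsUpdate -Force
Import-Module PSWindowsUpdate

# Review, then install, every available update; reboot only if an update asked for one
Get-WindowsUpdate
Install-WindowsUpdate -AcceptAll -IgnoreReboot
if (Get-WUIsPendingReboot) { Restart-Computer -Force }

# --- after the reboot ---
Set-TimeZone -Id 'Eastern Standard Time'   # assumed; SConfig's time zone option does the same
winrm quickconfig -quiet                   # WinRM listener plus its firewall rule

# Remote Desktop on Server Core: the value 'scregedit.wsf /ar 0' flips, plus NLA and the firewall group
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 0
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1    # require Network Level Authentication
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Checks before generalizing: services, WinRM answering locally, RDP rules enabled
Get-Service WinRM, TermService | Format-Table Name, Status, StartType
Test-WSMan -ComputerName localhost | Select-Object ProductVersion
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object DisplayName, Enabled, Profile

# Generalize and shut down: the same options the sysprep dialog offers
& "$env:SystemRoot\System32\Sysprep\sysprep.exe" /generalize /oobe /shutdown
```

Requiring NLA in the template means every clone inherits it, so RDP on the lab servers is never reachable by an unauthenticated session; it is the one setting here that the post's `scregedit.wsf /ar 0` alone does not turn on.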
Once shutdown, the last step is converting to a template. In Proxmox that is a very simple process, I just right click and select “convert to template”.
Server template in Proxmox
That’s it, I am ready to clone the template into my domain controller and file server. The new servers will already have all the updates and basic configuration I want for my lab.
I need a Domain Name System (DNS) server to control DNS queries and allow my internal and DMZ networks to access the Internet. Due to the low resource requirements, I can use Linux Containers (LXCs) rather than a full VM for these servers. I am going to install a Pi-hole for DNS on an LXC in the DMZ and on the external network. This allows the internal network to forward requests to a server within the domain's control without exposing the Active Directory servers to the Internet. Using Pi-hole also allows me to configure a blacklist for certain domains. I use this on my personal network to remove ads, which is Pi-hole's main purpose.
Since it's the first time I am using a Linux Container (LXC) I will walk through the process to set one up in Proxmox. The first step is to get a CT Template since I don't have one already. I will use the Ubuntu-20.04-standard template.
Add a CT Template to local storage
Selecting a template
Once the download is complete you can create a LXC container in Proxmox.
Configure the basic information for the LXC
Choose the template previously downloaded
After selecting the template I selected the system resources for the LXC. My DNS servers will have the following resources:
Disk: 8GB
CPU cores: 1
Memory: 512MB / Swap: 512MB
Network: Bridge for external / DMZ for DMZ server
Static IP: follows network diagram
DNS: use host settings for external / external DNS server IP for DMZ
Once you create the LXC the install happens automatically. Once you start it, you log in as root with the password set during configuration.
LXC login page for my external DNS server
Install Pi-hole for DNS on the LXC
Like with the other VMs my first step is to update, upgrade, and install dependencies. All I need for Pi-hole is curl to run the command in Pi-hole’s install guide.
# apt update && apt upgrade -y
# apt install curl
Install curl to run the Pi-hole install command
After the update and upgrade I rebooted, then I ran the install command.
# curl -sSL https://install.pi-hole.net | bash
Install screen should show up after running the command
After running the system checks the Pi-hole automated installer will start.
Pi-hole automated installer screen
From here I chose the following settings for my server:
Upstream servers: OpenDNS for external / External pi-hole for DMZ
Blocklists: Yes
Install Admin Web Interface: Yes
Web Server: Yes
Everything else was left default
After that I had a summary page with admin webpage login password.
Install complete summary page with web admin password
Once the server is finished installing I accessed the web interface, and then logged in to the Pi-hole dashboard.
Pi-hole web admin dashboard
Firewall and DHCP changes
I am using the pfsense firewall as my DHCP server, so for the DMZ interface I needed to change the DNS servers to the new Pi-hole. I am not changing the LAN interface yet because those machines will eventually use the domain controller for their DNS, which will forward requests to the Pi-hole.
Changing the DHCP scope on Pi-hole
Next it’s finally time to build my internal network, starting with a domain controller. Before installing that I am going to create a Windows Server template to streamline future server installs.
The next step to set up my lab involves configuring the pfsense firewall to create a DMZ. Within the DMZ I will create a DNS server using Pi-hole, email server using iRedMail, and a vulnerable web server from Vulnhub. Using a DMZ allows me to set different firewall rules for external facing and internal servers. This also allows me to control the traffic between the DMZ and LAN which provides a greater level of protection for the internal network.
How pfsense Firewall Rules Work
Before creating any rules it helps to understand the traffic flow through pfsense on our small network. There are two ways of setting up a DMZ. One way is to have two separate firewalls, one attached to the WAN, and one to the LAN. Between the two firewalls is the DMZ.
Example configuration using two firewalls
Configuring rules is fairly straightforward in this setup since each firewall only has two interfaces to configure. In my network I am using a single firewall to enable this using this network diagram.
Lab network overview diagram
To help understand how to configure rules in this setup, we need to think about how the traffic flows. The WAN interface is by default configured to block all traffic, and each interface is configured with a default deny. I will configure WAN rules later to forward specific ports to servers in the DMZ. To configure the DMZ I need to choose which traffic to allow out and to where. All traffic not specifically permitted will be denied.
Using the Linux admin workstation I accessed the firewall’s webConfigurator and changed the OPT1 interface’s firewall rules. The first rule shown in a step by step below was adding UDP port 53 to allow DNS traffic.
Firewall rules page on DMZ interface before rules are added
Adding the rule for UDP port 53 to enable DNS traffic
Adding a rule description for future reference
While configuring the DMZ I also added the rules necessary for web traffic and the ability to ping between the LAN and DMZ. These rules included:
TCP port 80 (HTTP) from DMZ to all
TCP port 443 (HTTPS) from DMZ to all
ICMP any from LAN to DMZ
ICMP echo reply from DMZ to LAN
Full DMZ firewall rule set for my lab
The last step I took was to rename the OPT1 interface and make sure the right MTU is set for VXLANs.
Rename the DMZ interface
That’s all there is to it, I created a DMZ using pfsense and it’s ready for server deployment. Next I am going to install a DNS server on the external and DMZ networks.
To connect to the LAN interface of the pfsense firewall and use the webConfigurator I need a virtual machine on the LAN Vnet. I am going to install Ubuntu Desktop in Proxmox to act as the Linux admin workstation for my lab network. The desktop version will give me a web browser to access the firewall, and later I can add the machine to the network's Active Directory domain.
I covered the step by step instructions with screenshots for creating a virtual machine in Proxmox in the post linked above. From this post on I will list the settings used for each machine instead of walking through each step.
Linux Admin Workstation:
Name: UbuntuDesktop
Start on boot: no
ISO image: ubuntu-22.04.2-desktop-amd64.iso
System: defaults
Disk size: 40GB
CPU: 1 socket / 2 cores
Memory: 2048MB
Network: LANnet / MTU 1450
On boot you will see the Install screen for Ubuntu where you select the language and install Ubuntu.
Install screen for Ubuntu Desktop
I kept the default options throughout the install with the exception of selecting “minimal installation” instead of “normal installation”.
Selecting minimal installation on the updates and other software screen
Post Install Actions
After installing Ubuntu, I needed to check my network configuration to ensure the MTU settings were correct and I had network connectivity to the firewall and to the WAN by pinging one of my hosts.
Confirm MTU is set to 1450 for VXLAN
Successful ping to the vmhost outside of the VXLAN and through the firewall
Login to the pfsense webConfigurator
Now I navigate to the pfsense webConfigurator address and log in to finish setting up the pfsense software.
Pfsense webConfigurator initial page on first load to finish software configuration
I set my hostname and domain to pfsense and the globomantics.local domain I will use for Pluralsight courses.
Configure hostname and domain
For my network I am unchecking the box to block RFC1918 private networks. My simulated WAN is using the network 172.16.1.0/24 which falls in this range. If I left this checked I would not be able to access anything inside the network.
Uncheck block RFC1918 private networks
After finishing these steps, I checked for updates and then finished the configuration. On my network the interfaces reset to 1500 MTU and I had to manually change them back on the shell to regain access. This was covered in the previous post. You can also set the MTU in the webConfigurator on each interface.
Setting the MTU in the webConfigurator
Now my first workstation is online and the initial firewall setup is complete. I am ready to set up the DMZ and configure DNS for my Globomantics network. These topics are the next couple of posts.
I need to enable communication between the VXLANs and the Internet, so the first machine I will create is a pfsense firewall in Proxmox. I will connect the WAN interface to the external network and 2 other interfaces to the VXLANs. This will grant Internet access to the VXLANs, but force the traffic to flow through the firewall.
The creation of a virtual machine in Proxmox is pretty straightforward. Since this is the first machine in the lab and the first one in this guide I will go into more detail in this post. The first step is to create the machine itself and name it. I configured it to start when the host boots so the VXLANs have immediate Internet access.
Create the virtual machine and give it a name
Next I selected the pfsense ISO image and added it to the CD/DVD drive. I left the system settings default and gave the machine a 40 GB disk.
Selecting the operating system installer image from software uploaded to the server
Default system settings for the virtual machine
Configure disk size set to 40GB
After configuring the disk size, I had to set the CPU and memory settings. I chose to use 1 socket with 2 cores for CPU, and gave the firewall 2048MB or 2GB of RAM.
Setting the CPU to 1 socket with 2 cores
Memory set to 2048MB or 2GB for the firewall
Next I set the WAN interface to vmbr0 which is the external facing bridge on my host. Then I confirmed the settings to finish the initial configuration. Before booting I have to add the other 2 interfaces.
Set the WAN interface to vmbr0
Confirm settings, uncheck start after created
Before booting the machine I added the DMZ and LAN interfaces, selecting the appropriate Vnet for each bridge. I did not make the change here but recommend configuring the MTU to 1450 now in your setup. You can change it in the pfsense web console if you forget like I did.
Add the LAN and DMZ interfaces prior to boot
Next, I boot up the machine and am greeted with the pfsense installer.
Pfsense installer screen
Installing pfsense firewall in Proxmox
Installing pfsense on a virtual machine is also a straight forward process so I will skip the first few installer screens and list the options I selected below.
Select Install
Select the keyboard layout
Select preferred partition method: I went with default
Remaining disk options: again I stuck with default
When you see the “Last Chance!” ZFS configuration prompt, select yes to install
Once the install is complete select “No” for manual configuration and reboot
After the installation is complete and pfsense reboots you should see a screen stating all links are up. Select no to set up VLANs now.
Configure the Interfaces
I set my pfsense interfaces to the appropriate Vnets:
WAN = vtnet0
LAN = vtnet1
OPT1 = vtnet2
Pfsense interface configuration
Next I had to configure the right IP addresses on the interfaces. I left WAN as DHCP, but used option 2 on the main screen to set the LAN and DMZ IPs to the right networks.
Main screen after initial interface configuration
After changing the LAN interface you will receive an IP address for the webConfigurator, in my case this is http://10.0.1.1. Before I switched to the web interface, I had to set the MTU to 1450 on my interfaces using the shell (option 8 from this screen) with the commands below.
root: ifconfig vtnet1 inet 10.0.1.1 netmask 255.255.255.0 mtu 1450
root: ifconfig vtnet2 inet 10.10.1.1 netmask 255.255.255.0 mtu 1450
With that my firewall install is complete and I can switch to the webConfigurator to configure the DMZ network. First, I need a machine to connect to the webConfigurator, which is the subject of the next post.
In the last post I installed Proxmox and set up a cluster with three VM hosts. Before I start setting up virtual machines, I need a way to segment the network so I can make it match the diagram below. To meet this requirement, I need to enable communication between the hosts, but keep the networks segmented using the firewall. The best way I found to accomplish this was to configure software defined networking in Proxmox to create VXLANs for the DMZ and LAN.
The first step in any installation is to make sure your hosts are updated. By default, Proxmox hosts will reach out to the enterprise repository, so I need to configure the pve-no-subscription repository. To enable that, I added it to /etc/apt/sources.list like the image below.
Add the pve-no-subscription repository
After adding the repository, I run an apt update and upgrade to install the latest patches and make sure the new repository works.
# apt update && apt upgrade -y
Now I can install the needed dependencies on each host. Important note here, the next few steps are run on EVERY node in the cluster.
# apt install libpve-network-perl ifupdown2
Configure Software Defined Networking in Proxmox
After updating the hosts and installing the dependencies the last step to enable software defined networking is to add a line to the interface configuration. I added the line below to the /etc/network/interfaces file on every host.
source /etc/network/interfaces.d/*
Example /etc/network/interfaces file with additional line
Once added, you should automatically see the software defined network menu in your datacenter view.
Adding VXLANs to the Lab Network
Configuring a software defined network in Proxmox consists of three steps for each network. I need to configure a Zone, a Vnet, and if I want to assign an IP range, a Subnet for each VXLAN.
Adding a VXLAN zone
To add a VXLAN zone, you select that zone type in the Proxmox SDN interface. According to the Proxmox SDN documentation, when adding a VXLAN you need to set the MTU to a slightly lower value than the standard 1500. A VXLAN is a simulated layer 2 network on top of the existing network, so the extra 50 bytes allows for the VXLAN header added to each packet. You also need to configure an ID and a peer IP address list.
Example VXLAN zone configuration
DMZ and LAN VXLAN zones added to Lab Network
Adding Vnets and Subnets
Once you configure a VXLAN zone, the next step is to add the associated Vnets and Subnets to each zone. In my lab, each zone will have a single Vnet and Subnet. Here is an example configuration of the LANnet and LAN subnet.
LANnet Vnet configuration
Vnet configuration overview for Lab Network
Example subnet configuration
Apply to Configure Software Defined Networking in Proxmox Lab
The last step is to go back to the SDN overview and apply the configuration. I hit apply and then Proxmox configures the DMZ and LAN VXLANs on each host in the cluster.
Data center overview after software defined network configuration
That’s all there is to it, my lab network is ready for virtual machines. Next up, I create a virtual firewall running pfsense and configure the WAN, LAN, and DMZ interfaces.