Trivadis LAB: Simple Vagrant Setup of Windows AD Server
One of my biggest problems when I started to look into Kerberos Authentication, Oracle Centrally Managed Users as well Oracle Enterprise User Security was the availability of an Active Directory to setup test cases. It is usually not the core business of an Oracle DBA to configure an Active Directory server. Using the productive AD is generally not a good choice either. One day I set up a Virtualbox VM with Windows 2016 and Active Directory. Great, but the VM went the way that many test VMs go and got screwed up. Set up a VM from scratch is cumbersome and time consuming. In particular when you would have to do it regular. Just doing backup and snapshot does work, but does not help to share the VMs with colleagues. Besides that the disk space on my notebook is limited. Then I did started to look into Vagrant. Then I did started to look into Vagrant. Not only for Oracle Database VMs but also for my Active Directory server. I have successfully used this environment in the past for several lectures and trainings at SOUG, DOAG and AOUG.
The aim of this blog post is to introduce the Trivadis LAB environment. In particular, the vagrant based setup of the Windows Server for Active Directory. I will discuss some basic steps to create such a VM, but also a few configuration details so that you can use it in your own engineering project. I myself use the Windows VM together with DB VMs (oehrlis/trivadislabs.com) but also with my Docker based engineering environment (oehrlis/doe). So lets get ready to rumble…
Trivadis LAB Environment
As you can see in the following figure, the entire Trivadis LAB environment contains VMs for Oracle databases and Oracle Unified Directory in addition to the VM for Active Directory. However, these are not included in this blog post. We just focus on Windows.
To allow a more or less practical use of the directory, a simple structure was created for the fictitious company Trivadis LAB. The following graphic shows the organisation chart including departments and employees for Trivadis LAB. All the users listed can be used as test users. The login name corresponds to the last name in lower case. The password for all users is set to a default password (see configuration files)
The fictitious company has the following departments:
|id||DEPARTMENT||DISTINGUISHED NAME (DN)|
|10||Senior Management||ou=Senior Management,ou=People,dc=trivadislabs,dc=com|
|60||Information Technology||ou=Information Technology,ou=People,dc=trivadislabs,dc=com|
|70||Human Resources||ou=Human Resources,ou=People,dc=trivadislabs,dc=com|
The following groups were defined:
|GROUP||DISTINGUISHED NAME (DN)||DESCRIPTION|
|Trivadis LAB APP Admins||ou=Trivadis LAB APP Admins,ou=Groups,dc=trivadislabs,dc=com||Application administrators|
|Trivadis LAB DB Admins||ou=Trivadis LAB DB Admins,ou=Groups,dc=trivadislabs,dc=com||DB Admins from the IT department|
|Trivadis LAB Developers||ou=Trivadis LAB Developers,ou=Groups,dc=trivadislabs,dc=com||Developers from the research department|
|Trivadis LAB Management||ou=Trivadis LAB Management,ou=Groups,dc=trivadislabs,dc=com||Management and managers|
|Trivadis LAB System Admins||ou=Trivadis LAB System Admins,ou=Groups,dc=trivadislabs,dc=com||System Admins from the IT department|
|Trivadis LAB Users||ou=Trivadis LAB Users,ou=Groups,dc=trivadislabs,dc=com||All Users|
|Trivadis LAB HR||ou=Trivadis LAB HR,ou=Groups,dc=trivadislabs,dc=com||Human Resources|
The vagrant projects in oehrlis/trivadislabs.com do require Vagrant and Window Server Virtualbox.
The first time you provision a Windows Server VM, the basis Vagrant Box is loaded from the Vagrant Cloud, which may take a while. If preferred, you can download this VM in advance with Vagrant. Enclosed the example for Windows Server 2019
vagrant box add StefanScherer/windows_2019 --provider virtualbox
Setup of the Vagrant VM is straight forward. You have to decide if you would like to setup a Windows Server 2019 (win2019ad) or Windows Server 2016 (win2019ad). The steps below are for Windows Server 2019.
- Clone this repository git clone https://github.com/oehrlis/trivadislabs.com
- Adjust configuration in trivadislabs.com/common/config/vagrant.yml
- Change into the trivadislabs.com/win2019ad directory
- Run vagrant up
- The first time you run this it will provision everything and may take a while (20-40min). Ensure you have a good internet connection as the scripts will download a couple of tools via Chocolatey.
- The installation can be customised, if desired (see below).
- Connect to the VM using vagrant rdp as vagrant or administrator user. Default password is either store in vagrant.yml or default_pwd_windows.txt.
- If necessary, run the Windows Update manually.
- You can shut down the VM via the usual vagrant halt and then start it up again via vagrant up
Enclosed an excerpt from the vagrant up command:
user@host:~/trivadislabs.com/win2019ad/ [ic19300] time vagrant up
Bringing machine 'win2019ad' up with 'virtualbox' provider...
==> win2019ad: Importing base box 'StefanScherer/windows_2019'...
==> win2019ad: Matching MAC address for NAT networking...
==> win2019ad: Checking if box 'StefanScherer/windows_2019' version '2020.07.17' is up to date...
==> win2019ad: Setting the name of the VM: win2019ad.trivadislabs.com
==> win2019ad: Clearing any previously set network interfaces...
==> win2019ad: Preparing network interfaces based on configuration...
win2019ad: This Computer SID is S-1-5-21-1473420208-2468469534-
win2019ad: Successfully finish setup AD VM
win2019ad: Host : win2019ad
win2019ad: Domain : trivadislabs.com
The Vagrantfile is preconfigured for the Trivadis LAB domain. I.e. host name, domain name, user etc. are predefined. Generally there is no need to adjust the Vagrant file itself. To ensure that all VMs in Trivadis LAB always work with the same configurations, a central YAML file is used for Vagrant. The file is locate in common/config/vagrant.yml. For the Window VM you find the following configuration:
# Configuration valid for all VM's
company_name: Trivadis LAB
# Configuration valid for Windows 2019 AD server
A short explanation of the settings and possibilities:
- common YAML common section
- win2019ad YAML section for Windows Server 2019
- default_password Password used to initialise the AD Server. It is recommended to change this as soon as possible. Default is LAB01schulung
- domain_name Network domain name for the environment. Depending on this, the directory tree in AD and the AD domain itself is named. Default value is trivadislabs.com
- company_name Company Name for the Trivadis LAB. This is used to name the AD groups.
- network configuration for gateway (10.0.0.1), dns (10.0.0.4), public_dns1 (184.108.40.206), public_dns2 (220.127.116.11)
- box the base Vagrant box used to setup the VM
- vm_name Name of the VM win2019ad
- domain_mode Active Directory domain mode
- people_ou_name Active Directory OU for the users
- groups_ou_name Active Directory OU for the groups
- mem_size Memory size for the VM
- cpus Number of CPUs for the VM
- public_ip Public IP address of the VM
The different scripts use the settings for initialising the AD server. So it is possible to change the AD domain, host domain name etc.
There are several option to access the VM. You either can directly start the Console on Virtualbox. If you run the VM in headless mode you will either run vagrant rdp or use Microsoft Remote Desktop directly. Running vagrant rdp finally starts only Microsoft Remote Desktop as well.
From here the environment is ready for all kinds of engineering. Depending on what you want to do, you may need some customisation, e.g. creating service users, generating keytab files, installing the Oracle password filter etc.
Behind the scenes
Setting up ad Active Directory server cannot be done in one swing. You need several steps and server reboot. Therefore the configuration is divided into different PowerShell scripts. The following list gives an overview of the different scripts. They are executed in the listed sequence. After the script 22_install_chocolatey.ps1 and 27_config_cmu.ps1 the VM is restarted by Vagrant.
- 21_install_ad.ps1 PowerShell script to install Active Directory server role
- 22_install_chocolatey.ps1 PowerShell script to install Chocolatey package manager
- 23_config_ad.ps1 PowerShell script to configure Active Directory
- 24_config_dns.ps1 PowerShell script to configure DNS server
- 25_config_ca.ps1 PowerShell script to configure Certification Autority
- 26_install_tools.ps1 PowerShell script to install tools via chocolatey package
- 27_config_cmu.ps1 PowerShell script to configure CMU on Active Directory
- 28_config_misc.ps1 PowerShell script to configure NAT zone records for AD domain
- 29_sum_up_ad.ps1 PowerShell script to display a summary of Active Directory Domain and install Windows updates
- reset_ad_users.ps1 PowerShell script to reset all domain user password. This script is not executed automatically.
It took some effort to prepare the environment. Nevertheless, the effort was worth it. I was quite happy to have a Test AD at hand in some projects. Testing Oracle Enterprise User Security, Oracle Centrally Manage Users or Kerberos is not possible without an Active Directory server. In particular if you like to test the Oracle Passwort Filter for Active Directory. But this will be an other blog post.