
One of my biggest problems when I started to look into Kerberos authentication, Oracle Centrally Managed Users and Oracle Enterprise User Security was the availability of an Active Directory for setting up test cases. Configuring an Active Directory server is usually not the core business of an Oracle DBA. 🙂 Using the production AD is generally not a good choice either. One day I set up a VirtualBox VM with Windows Server 2016 and Active Directory. Great, but the VM went the way many test VMs go and got screwed up. Setting up a VM from scratch is cumbersome and time consuming, in particular when you have to do it regularly. Backups and snapshots do work, but they do not help to share the VMs with colleagues. Besides that, the disk space on my notebook is limited. Then I started to look into Vagrant, not only for Oracle Database VMs but also for my Active Directory server. I have successfully used this environment in the past for several lectures and trainings at SOUG, DOAG and AOUG.

The aim of this blog post is to introduce the Trivadis LAB environment, in particular the Vagrant based setup of the Windows Server for Active Directory. I will discuss the basic steps to create such a VM, but also a few configuration details so that you can use it in your own engineering project. I myself use the Windows VM together with the DB VMs (oehrlis/trivadislabs.com) but also with my Docker based engineering environment (oehrlis/doe). So let's get ready to rumble…

Trivadis LAB Environment

As you can see in the following figure, the entire Trivadis LAB environment contains VMs for Oracle databases and Oracle Unified Directory in addition to the VM for Active Directory. However, these are not covered in this blog post; we just focus on Windows.

Figure: Trivadis LAB Environment

To allow a more or less practical use of the directory, a simple structure was created for the fictitious company Trivadis LAB. The following graphic shows the organisation chart including departments and employees. All the users listed can be used as test users. The login name corresponds to the last name in lower case. The password for all users is set to the default password (see configuration files).

Figure: Organisation Chart Trivadis LAB

The fictitious company has the following departments:

ID  DEPARTMENT              DISTINGUISHED NAME (DN)
10  Senior Management       ou=Senior Management,ou=People,dc=trivadislabs,dc=com
20  Accounting              ou=Accounting,ou=People,dc=trivadislabs,dc=com
30  Research                ou=Research,ou=People,dc=trivadislabs,dc=com
40  Sales                   ou=Sales,ou=People,dc=trivadislabs,dc=com
50  Operations              ou=Operations,ou=People,dc=trivadislabs,dc=com
60  Information Technology  ou=Information Technology,ou=People,dc=trivadislabs,dc=com
70  Human Resources         ou=Human Resources,ou=People,dc=trivadislabs,dc=com
Table: Trivadis LAB Departments

The following groups were defined:

GROUP                       DISTINGUISHED NAME (DN)                                        DESCRIPTION
Trivadis LAB APP Admins     cn=Trivadis LAB APP Admins,ou=Groups,dc=trivadislabs,dc=com    Application administrators
Trivadis LAB DB Admins      cn=Trivadis LAB DB Admins,ou=Groups,dc=trivadislabs,dc=com     DB admins from the IT department
Trivadis LAB Developers     cn=Trivadis LAB Developers,ou=Groups,dc=trivadislabs,dc=com    Developers from the Research department
Trivadis LAB Management     cn=Trivadis LAB Management,ou=Groups,dc=trivadislabs,dc=com    Management and managers
Trivadis LAB System Admins  cn=Trivadis LAB System Admins,ou=Groups,dc=trivadislabs,dc=com System admins from the IT department
Trivadis LAB Users          cn=Trivadis LAB Users,ou=Groups,dc=trivadislabs,dc=com         All users
Trivadis LAB HR             cn=Trivadis LAB HR,ou=Groups,dc=trivadislabs,dc=com            Human Resources
Table: Trivadis LAB Groups

Note that groups are leaf objects in AD, so their RDN is cn=, not ou=; only People, Groups and the departments are organisational units.
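Once the VM is up it is worth checking that the directory really looks like the two tables above before pointing a database at it. The following script is an added example and not one of the repository's own scripts: it walks the OUs and groups from the tables, flags users that ended up directly below ou=People, and does one authenticated bind with a lab user. It assumes the RSAT ActiveDirectory module (present on the DC), and the user name miller and the password LAB01schulung are assumptions; take a last name from the org chart and the password from vagrant.yml.

```powershell
# Added example (not part of oehrlis/trivadislabs.com): verify the Trivadis LAB
# directory layout after "vagrant up" and test a bind with one lab user.
# Assumes the ActiveDirectory module; run on the AD VM or a domain-joined host.
Import-Module ActiveDirectory

$BaseDn   = 'dc=trivadislabs,dc=com'
$PeopleDn = "ou=People,$BaseDn"
$GroupsDn = "ou=Groups,$BaseDn"

$Departments = @('Senior Management', 'Accounting', 'Research', 'Sales',
                 'Operations', 'Information Technology', 'Human Resources')
$Groups = @('Trivadis LAB APP Admins', 'Trivadis LAB DB Admins',
            'Trivadis LAB Developers', 'Trivadis LAB Management',
            'Trivadis LAB System Admins', 'Trivadis LAB Users', 'Trivadis LAB HR')

# 1. every department OU must exist directly below ou=People
foreach ($dep in $Departments) {
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$dep'" -SearchBase $PeopleDn -SearchScope OneLevel
    if ($ou) { "OK      OU    $($ou.DistinguishedName)" } else { "MISSING OU    $dep" }
}

# 2. every group must exist below ou=Groups; print the member count so empty groups stand out
foreach ($grp in $Groups) {
    $g = Get-ADGroup -Filter "Name -eq '$grp'" -SearchBase $GroupsDn
    if ($g) {
        $n = (Get-ADGroupMember -Identity $g -Recursive | Measure-Object).Count
        "OK      Group $($g.DistinguishedName) ($n members)"
    } else { "MISSING Group $grp" }
}

# 3. users are expected inside a department OU, not directly below ou=People
$strays = Get-ADUser -Filter * -SearchBase $PeopleDn -SearchScope OneLevel
if ($strays) { "WARN    users directly below ou=People: $($strays.SamAccountName -join ', ')" }

# 4. does the default password actually work for a lab user?
#    DirectoryEntry binds with AuthenticationTypes.Secure (Negotiate), so the
#    password is not sent in clear text over port 389.
function Test-LdapBind {
    param([string]$User, [string]$Password, [string]$Server = 'trivadislabs.com')
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$Server/$BaseDn", "$User@trivadislabs.com", $Password)
        [void]$entry.NativeObject      # forces the bind; throws on bad credentials
        $true
    } catch { $false }
}

# assumed test user (last name in lower case) and the default password from vagrant.yml
if (Test-LdapBind -User 'miller' -Password 'LAB01schulung') {
    "OK      bind as miller succeeded"
} else {
    "FAIL    bind as miller failed (wrong password, account missing or disabled?)"
}
```

If you later change default_password in vagrant.yml but keep an already provisioned VM, step 4 is the quickest way to notice that the directory still carries the old password for the lab users.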

Prerequisites

The Vagrant projects in oehrlis/trivadislabs.com require Vagrant and Oracle VM VirtualBox.

  1. Install Oracle VM VirtualBox
  2. Install Vagrant

The first time you provision a Windows Server VM, the base Vagrant box is downloaded from Vagrant Cloud, which may take a while. If preferred, you can download this box in advance with Vagrant. Enclosed the example for Windows Server 2019:


vagrant box add StefanScherer/windows_2019 --provider virtualbox

Setup

Setup of the Vagrant VM is straightforward. You have to decide whether you would like to set up a Windows Server 2019 (win2019ad) or a Windows Server 2016 (win2016ad). The steps below are for Windows Server 2019.

  1. Clone this repository git clone https://github.com/oehrlis/trivadislabs.com
  2. Adjust configuration in trivadislabs.com/common/config/vagrant.yml
  3. Change into the trivadislabs.com/win2019ad directory
  4. Run vagrant up
    1. The first time you run this, it will provision everything and may take a while (20-40 min). Ensure you have a good internet connection, as the scripts download a couple of tools via Chocolatey.
    2. The installation can be customised, if desired (see below).
  5. Connect to the VM using vagrant rdp as the vagrant or administrator user. The default password is stored in vagrant.yml (default_password) or in default_pwd_windows.txt.
  6. If necessary, run Windows Update manually.
  7. You can shut down the VM via the usual vagrant halt and start it up again via vagrant up.

Enclosed an excerpt from the vagrant up command:


user@host:~/trivadislabs.com/win2019ad/ [ic19300] time vagrant up
Bringing machine 'win2019ad' up with 'virtualbox' provider...
==> win2019ad: Importing base box 'StefanScherer/windows_2019'...
==> win2019ad: Matching MAC address for NAT networking...
==> win2019ad: Checking if box 'StefanScherer/windows_2019' version '2020.07.17' is up to date...
==> win2019ad: Setting the name of the VM: win2019ad.trivadislabs.com
==> win2019ad: Clearing any previously set network interfaces...
==> win2019ad: Preparing network interfaces based on configuration...
   
...

    win2019ad: This Computer SID is S-1-5-21-1473420208-2468469534-
    win2019ad: =========================================================
    win2019ad:  Successfully finish setup AD VM
    win2019ad:   Host      : win2019ad
    win2019ad:   Domain    : trivadislabs.com
    win2019ad: =========================================================

real    34m7.109s
user    1m4.814s
sys 0m32.222s

Configuration

The Vagrantfile is preconfigured for the Trivadis LAB domain, i.e. host name, domain name, users etc. are predefined. Generally there is no need to adjust the Vagrantfile itself. To ensure that all VMs in the Trivadis LAB always work with the same configuration, a central YAML file is used for Vagrant. The file is located in common/config/vagrant.yml. For the Windows VM you find the following configuration:


# Configuration valid for all VM's
common:
  default_password: LAB01schulung
  domain_name: trivadislabs.com
  company_name: Trivadis LAB
  gateway: 10.0.0.1
  dns: 10.0.0.4
  public_dns1: 8.8.8.8
  public_dns2: 4.4.4.4

# Configuration valid for Windows 2019 AD server
win2019ad:
  box: StefanScherer/windows_2019
  vm_name: win2019ad
  domain_mode: WinThreshold
  people_ou_name: People
  groups_ou_name: Groups
  mem_size: 2048
  cpus: 1
  public_ip: 10.0.0.4

A short explanation of the settings and possibilities:

  • common YAML common section
  • win2019ad YAML section for Windows Server 2019
  • default_password Password used to initialise the AD server and, as described above, all lab users. The default LAB01schulung is published with the repository, so change it before the first vagrant up.
  • domain_name Network domain name for the environment. Depending on this, the directory tree in AD and the AD domain itself is named. Default value is trivadislabs.com
  • company_name Company Name for the Trivadis LAB. This is used to name the AD groups.
  • network configuration for gateway (10.0.0.1), dns (10.0.0.4), public_dns1 (8.8.8.8), public_dns2 (4.4.4.4)
  • box the base Vagrant box used to setup the VM
  • vm_name Name of the VM win2019ad
  • domain_mode Active Directory domain mode
  • people_ou_name Active Directory OU for the users
  • groups_ou_name Active Directory OU for the groups
  • mem_size Memory size for the VM
  • cpus Number of CPUs for the VM
  • public_ip IP address of the VM on the LAB network (10.0.0.4, the same address the other VMs use as dns)

The different scripts use these settings to initialise the AD server, so it is possible to change the AD domain, host name, OU names etc. without touching the scripts.
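Because every VM in the LAB reads this one file, an inconsistent vagrant.yml (dns not pointing at the AD VM, gateway in another subnet, the published default password left in place) only shows up half an hour later when the provisioning fails or, worse, when a domain controller with a well-known password is running. The following lint script is an added example and not part of the repository. It assumes the third-party powershell-yaml module (Install-Module powershell-yaml) for ConvertFrom-Yaml, the section and key names shown above, and that the LAB network is a single /24, which is the VirtualBox host-only default.

```powershell
# Added example, not part of oehrlis/trivadislabs.com: lint common/config/vagrant.yml
# before the first "vagrant up". Requires the powershell-yaml module (assumption).
param([string]$Path = '.\common\config\vagrant.yml')

Import-Module powershell-yaml
$cfg      = ConvertFrom-Yaml (Get-Content -Raw -Path $Path)
$common   = $cfg.common
$ad       = $cfg.win2019ad
$findings = @()

function Get-Prefix24([string]$Ip) { ($Ip -split '\.')[0..2] -join '.' }

# The AD VM is the DNS server for the whole LAB, so common.dns must point at it.
if ($common.dns -ne $ad.public_ip) {
    $findings += "common.dns ($($common.dns)) does not match win2019ad.public_ip ($($ad.public_ip))"
}
# Gateway and VM address must be in the same /24 (assumed host-only network) or the VM has no route out.
if ((Get-Prefix24 $common.gateway) -ne (Get-Prefix24 $ad.public_ip)) {
    $findings += "gateway $($common.gateway) is not in the /24 of public_ip $($ad.public_ip)"
}
# The default is published in the repository: anyone can log in to a DC built with it.
if ($common.default_password -eq 'LAB01schulung') {
    $findings += 'default_password is still the published default LAB01schulung'
}
if ($common.default_password.Length -lt 12) {
    $findings += 'default_password is shorter than 12 characters'
}
# WinThreshold is the Install-ADDSForest -DomainMode spelling, so accept that cmdlet's values
# (Windows Server 2016/2019).
$validModes = 'Win2008', 'Win2008R2', 'Win2012', 'Win2012R2', 'WinThreshold'
if ($validModes -notcontains $ad.domain_mode) {
    $findings += "domain_mode '$($ad.domain_mode)' is not one of: $($validModes -join ', ')"
}
# A forest root needs a DNS name with at least two labels (no single-label domains).
if ($common.domain_name -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$') {
    $findings += "domain_name '$($common.domain_name)' is not a usable DNS domain name"
}

# Replacement for default_password, drawn from a CSPRNG rather than Get-Random.
function New-LabPassword([int]$Length = 20) {
    $alphabet = [char[]]((48..57) + (65..90) + (97..122) + [int[]][char[]]'!$%-_.')
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # modulo bias is negligible for a 68-character alphabet at this length
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

if ($findings) {
    $findings | ForEach-Object { "FAIL  $_" }
    "Suggested default_password: $(New-LabPassword)"
    exit 1
}
"OK    $Path passes all checks"
```

Run it from the repository root before step 4 of the setup; a non-zero exit code makes it easy to wire into a pre-provisioning check. Remember that default_password is used by every VM in the LAB, so change it before provisioning the first VM rather than afterwards.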

Access

There are several options to access the VM. You can open the console directly in VirtualBox. If you run the VM in headless mode, you either run vagrant rdp or use Microsoft Remote Desktop directly; vagrant rdp ultimately just starts Microsoft Remote Desktop with the VM's connection details.

Figure: Remote Desktop Configuration for win2019ad
Figure: Microsoft Remote Desktop Session on win2019ad

From here the environment is ready for all kinds of engineering. Depending on what you want to do, you may need some customisation, e.g. creating service users, generating keytab files, installing the Oracle password filter etc.
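The most common customisation for the Oracle use cases mentioned in the introduction is the Kerberos service principal for a database server. The following script is an added example and not one of the repository's PowerShell scripts: it creates an AES-only service account in the LAB domain, registers the SPN and cuts the keytab with ktpass. The DB host name db19.trivadislabs.com, the account name svc-oracle-db19 and the target OU are assumptions.

```powershell
# Added example, not one of the repository's scripts: create the Kerberos service
# principal an Oracle database needs and export its keytab with ktpass.
# Assumes the ActiveDirectory module; run on the AD VM as a domain admin.
Import-Module ActiveDirectory

$Domain  = 'trivadislabs.com'
$Realm   = $Domain.ToUpper()                 # Kerberos realm = DNS domain in upper case
$DbHost  = 'db19.trivadislabs.com'           # assumed FQDN of the Oracle DB VM
$SvcUser = 'svc-oracle-db19'                 # assumed sAMAccountName of the service account
$Spn     = "oracle/$DbHost"                  # Oracle's Kerberos service name is "oracle"
$OuPath  = 'ou=Information Technology,ou=People,dc=trivadislabs,dc=com'
$Keytab  = "C:\vagrant\$SvcUser.keytab"      # shared folder, so the file is visible on the host

# 1. Service account with AES keys only (no RC4). ktpass resets the password below,
#    so a throw-away random value is enough to create the account enabled.
$tmpPwd = ConvertTo-SecureString -AsPlainText -Force ([guid]::NewGuid().ToString())
New-ADUser -Name $SvcUser -SamAccountName $SvcUser -Path $OuPath `
    -UserPrincipalName "$Spn@$Realm" `
    -AccountPassword $tmpPwd -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -KerberosEncryptionType AES128,AES256 `
    -Description 'Oracle DB Kerberos service principal (LAB)'

# 2. Register the SPN so the KDC issues service tickets for oracle/db19...@REALM
Set-ADUser -Identity $SvcUser -ServicePrincipalNames @{Add = $Spn}

# 3. Export the keytab. /pass * prompts for the password instead of putting it on the
#    command line (and into PowerShell history); ktpass sets that password on the account
#    and derives the keytab keys from it. /crypto AES256-SHA1 matches the AES-only account;
#    KRB5_NT_PRINCIPAL is the principal type Oracle's Kerberos documentation uses.
$NetBios = (Get-ADDomain).NetBIOSName
ktpass /princ "$Spn@$Realm" /mapuser "$NetBios\$SvcUser" `
       /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass * /out $Keytab

# 4. Verify: exactly one account owns the SPN, and note the kvno the keytab was cut for
#    (a later password change bumps it and silently invalidates the keytab).
setspn -Q $Spn
Get-ADUser -Identity $SvcUser -Properties ServicePrincipalName, 'msDS-KeyVersionNumber' |
    Select-Object SamAccountName, ServicePrincipalName, 'msDS-KeyVersionNumber'
```

The keytab is a long-term key: copy it to the DB VM, restrict it to the oracle OS user there, and delete it from the shared C:\vagrant folder afterwards. If a second account ever claims the same SPN, setspn -Q shows both and Kerberos authentication for the database stops working with a duplicate SPN error rather than a helpful message.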

Behind the scenes

Setting up an Active Directory server cannot be done in one go. It needs several steps and server reboots, therefore the configuration is divided into different PowerShell scripts. The following list gives an overview of the scripts; they are executed in the listed sequence. After the scripts 22_install_chocolatey.ps1 and 27_config_cmu.ps1 the VM is restarted by Vagrant.

Conclusion

It took some effort to prepare the environment. Nevertheless, the effort was worth it. I was quite happy to have a test AD at hand in some projects. Testing Oracle Enterprise User Security, Oracle Centrally Managed Users or Kerberos is not possible without an Active Directory server, in particular if you like to test the Oracle Password Filter for Active Directory. But this will be another blog post.