Building the Ultimate vSphere Lab – Part 6: Domain Controller
The first VM we will deploy is our Domain Controller.
Right-click the Windows2008R2_Base VM and select Manage – Clone.
Base the clone on an Existing Snapshot named Version 1.0 (or whatever you called it before).
Create a Linked Clone.
Store it on the SSD drive and name it DC.
Power On the DC!
It will boot and will run through the Mini Setup.
Windows will ask you for Regional Settings and a Password. It will boot afterwards.
You may notice that display performance is a bit sluggish. Just run the VMware Tools installer again, choose Repair, and you're set.
Okay, the first thing we will do is connect this DC to the internal network we created earlier.
Edit the settings of the VM and change Network Adapter to VMnet2. The DC is now isolated from your home network. It can only communicate with other VMs on VMnet2 (but there aren’t any for now).
Fill in the IPv4 settings like in the screenshot below (mind the subnet! It's a /24!).
Next, rename the computer to DC and reboot.
After the reboot, get back into the Computer Rename dialog box and press the More… button.
Fill in a valid DNS suffix for the new domain we will create. Mine will be named labo.local, which means my DC will be DC.labo.local. Reboot afterwards.
Next up, open Server Manager and click the Add Roles link. Select DHCP Server & DNS Server.
Click Next a couple of times until you reach the IPv4 DNS Settings. Fill in labo.local in the Parent domain field.
Continue clicking Next until the DHCP Scopes screen. Click Add and add a scope ranging from 10.0.0.100 until 10.0.0.200.
Click Next until you reach the DHCPv6 Stateless Mode screen and disable it.
Install the goodies!
Open the DNS Console and create a Forward Lookup Zone with the following settings:
| Setting | Value |
| --- | --- |
| Type | Primary zone |
| Zone name | labo.local |
| Create a new file … | labo.local.dns |
| Dynamic Updates | Allow both unsecure and secure dynamic updates |
Then, create a Reverse Lookup Zone with the following settings:
| Setting | Value |
| --- | --- |
| Type | Primary zone |
| IP | IPv4 Reverse Lookup Zone |
| Network ID | 10… |
| Create a new file … | 10.in-addr.arpa.dns |
| Dynamic Updates | Allow both unsecure and secure dynamic updates |
Now perform an ipconfig /registerdns (or reboot your server) and ensure it is listed in the Forward and Reverse lookup zone.
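The role installation, zone creation and DHCP scope steps above, as an added PowerShell example for Windows Server 2008 R2 (this is not the post's own script; it uses the built-in Add-WindowsFeature cmdlet, dnscmd and netsh). It assumes the DC's static address is 10.0.0.1, which the post only shows in a screenshot not reproduced here; substitute the address you configured.

```powershell
# Added example (not from the original post): the DNS/DHCP steps as a script for
# Windows Server 2008 R2, using Add-WindowsFeature, dnscmd.exe and netsh.exe.
# Assumptions: DC address 10.0.0.1 (adjust to your own), domain labo.local,
# scope 10.0.0.100-10.0.0.200 on the post's /24.

$Domain = "labo.local"
$DcIp   = "10.0.0.1"            # assumption: the static address you set on the DC
$Subnet = "10.0.0.0"
$Mask   = "255.255.255.0"       # /24

# 1. Install the DHCP Server and DNS Server roles (feature IDs DHCP and DNS).
Import-Module ServerManager
Add-WindowsFeature DHCP, DNS

# 2. Forward lookup zone: file-backed primary zone, allowing both nonsecure and
#    secure dynamic updates (/AllowUpdate 1 matches the wizard choice in the table).
dnscmd.exe /ZoneAdd $Domain /Primary /file "$Domain.dns"
dnscmd.exe /Config $Domain /AllowUpdate 1

# 3. Reverse lookup zone for network ID 10 (10.in-addr.arpa), same update policy.
dnscmd.exe /ZoneAdd "10.in-addr.arpa" /Primary /file "10.in-addr.arpa.dns"
dnscmd.exe /Config "10.in-addr.arpa" /AllowUpdate 1

# 4. IPv4 scope 10.0.0.100-10.0.0.200, handing out the DC as DNS server (option 6)
#    and labo.local as the parent domain (option 15). No DHCPv6 scope is created,
#    which is the command-line equivalent of disabling stateless mode in the wizard.
netsh.exe dhcp server add scope $Subnet $Mask "Lab" "vSphere lab scope"
netsh.exe dhcp server scope $Subnet add iprange 10.0.0.100 10.0.0.200
netsh.exe dhcp server scope $Subnet set optionvalue 006 IPADDRESS $DcIp
netsh.exe dhcp server scope $Subnet set optionvalue 015 STRING $Domain

# 5. Register the DC's own A and PTR records, then check that both zones answer.
ipconfig.exe /registerdns
Start-Sleep -Seconds 5
nslookup.exe "DC.$Domain" $DcIp    # forward lookup: expect 10.0.0.1
nslookup.exe $DcIp $DcIp           # reverse lookup: expect DC.labo.local
```

Run it in an elevated PowerShell session on the DC. If either nslookup at the end fails, the zone was created but the dynamic update was not accepted; re-check the /AllowUpdate setting before moving on to dcpromo.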
Now it’s time to perform a DC Promotion. Enter the dcpromo command. The AD binaries will be installed. Create a new domain in a new forest.
Fill in labo.local (or your own domain name) as the forest name.
Set the Forest functional level to Windows Server 2008 R2.
On the DNS Delegation screen, select the option not to create a DNS delegation.
Accept the default file locations for the AD binaries. You could change them (as a best practice) to separate disks, but since this is only a small lab AD, I won't bother with that.
Fill in a valid Directory Services Restore Mode password and click Next a couple of times to install AD.
You will get a warning about the DNS Zone. Just skip it.
After the reboot, open Server Manager and go to Roles – DHCP Server. Right-click your DHCP server and select Authorize. This will make both IPv4 and IPv6 "green".
If you want, you can change the Forward and Reverse Lookup zone in DNS to AD Integrated, but it’s not really necessary for our lab.
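The dcpromo wizard choices above (new forest, 2008 R2 functional level, no DNS delegation, default paths, DSRM password) and the DHCP authorization step, as an added unattended PowerShell example. This is not the post's own procedure; it assumes the domain labo.local, a DC address of 10.0.0.1, and a placeholder DSRM password that you must replace.

```powershell
# Added example (not from the original post): the dcpromo wizard as an unattended
# install on Windows Server 2008 R2, followed by authorizing the DHCP server in AD.
# Assumptions: domain labo.local, DC address 10.0.0.1, placeholder DSRM password.

$Domain       = "labo.local"
$DcFqdn       = "DC.$Domain"
$DcIp         = "10.0.0.1"                     # assumption: the DC's static address
$DsrmPassword = "REPLACE-WITH-DSRM-PASSWORD"   # placeholder, choose a strong one

# Answer file mirroring the wizard: new domain in a new forest, forest and domain
# functional level 4 (Windows Server 2008 R2), DNS installed, no delegation,
# default database/log/SYSVOL locations.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$Domain
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$DsrmPassword
RebootOnCompletion=No
"@
$answerPath = Join-Path $env:TEMP "dcpromo-answer.txt"
Set-Content -Path $answerPath -Value $answer -Encoding ASCII

# Run the promotion, then delete the answer file: it holds the DSRM password in
# cleartext, so it must not survive on disk. Reboot afterwards.
Start-Process -FilePath "dcpromo.exe" -ArgumentList "/unattend:$answerPath" -Wait
Remove-Item -Path $answerPath -Force
Restart-Computer

# --- run the rest after the reboot, logged on as a Domain Admin ---
# Authorize the DHCP server in AD (the Authorize right-click in Server Manager);
# an unauthorized DHCP server on a domain refuses to serve clients.
netsh.exe dhcp add server $DcFqdn $DcIp
netsh.exe dhcp show server                     # the DC should now be listed

# Confirm the DNS and DHCP services are running on the new DC.
Get-Service DNS, DHCPServer | Format-Table Name, Status -AutoSize
```

The DNS zone warning the wizard shows is not raised by the unattended run; the zone created earlier is simply reused once AD is up.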
That’s it for our Domain Controller!
Next up will be the SQL Server!
Building the Ultimate vSphere Lab – Part 1: The Story
Building the Ultimate vSphere Lab – Part 2: The Hardware
Building the Ultimate vSphere Lab – Part 3: VMware Workstation 8
Building the Ultimate vSphere Lab – Part 4: Base Template
Building the Ultimate vSphere Lab – Part 5: Prepare the Template
Building the Ultimate vSphere Lab – Part 6: Domain Controller
Building the Ultimate vSphere Lab – Part 7: SQL Server
Building the Ultimate vSphere Lab – Part 8: vCenter
Building the Ultimate vSphere Lab – Part 9: ESXi
Building the Ultimate vSphere Lab – Part 10: Storage
Building the Ultimate vSphere Lab – Part 11: vMotion & Fault Tolerance
Building the Ultimate vSphere Lab – Part 12: Finalizing the Lab
Hi again, I guess the subnet was /8 and not /24.
Unless you have another purpose
Oh sorry, ignore my question; what a geek I am.
Hi,
Your whole lab scenario is really amazing, but in this scenario, how do I access the lab from the host system? If I want to access the vCenter from the host, or SSH to ESXi through PuTTY, I can't do it, as the network of the whole lab is different. So how can I do that? And if I want to configure Update Manager, how can Update Manager communicate with the internet?
Hoping that you understand my question.
Regards
Abyakta
The easiest way is to add an additional vNIC to your vCenter server and make it a Bridged connection. It will then receive an IP from your home network (router, modem, …).
Your vCenter will then be able to access the internet (make sure that you don't specify a default gateway on the vNICs connected to VMnet2 or 3 on the vCenter machine, only on the bridged connection).
You can then also reach your vCenter through RDP using that bridged connection.
If you want to PuTTY to your ESXi hosts from your desktop host, go into the Virtual Network Editor in VMware Workstation and enable “Connect a host virtual adapter to this network” on the VMnet2 network. You will get an extra Network Adapter (virtual) on your desktop PC. Give that an IP address in the same range as the ESXi hosts (10.0.0.x) without specifying a gateway and you’re set!
I really appreciate the time and effort you put into this lab setup. It is great.
Hmm.. for whatever reason, after completing the domain controller setup, I am getting a number of warnings and one error related to DHCP on the roles summary. Here is the error:
The DHCP/BINL service on the local machine, belonging to the Windows Administrative Domain labo.local, has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this:
This machine is part of a directory service enterprise and is not authorized in the same domain.
This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized.
Would you have any ideas what my problems might be? Thanks for any reply!
Normally, your DHCP must be authorized in AD. Check this article to Authorize it and that should get you rid of the error you are getting:
http://technet.microsoft.com/en-us/library/cc753329(v=ws.10).aspx
Thanks for this link.
Oddly enough, after restarting the vm a second time, the error has disappeared without my having done anything special.
However, I still get several warnings in the Roles summary. Would you know if these are things I should address or be concerned about:
Active Directory Domain Services:
Event 2886 – The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
DHCP Server:
Event 10020 – This computer has at least one dynamically assigned IPv6 address. For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
Event 1056 – The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line “netsh dhcp server set dnscredentials” or via the DHCP Administrative tool.
Thanks again.
None of these warnings are critical or will limit the functionality of your lab. In a production environment you might want to look after them to secure your DC.
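For readers who do want to clear those three warnings on a production DC, the following is an added PowerShell example (not from the post or the commenter). The LDAPServerIntegrity registry value and the netsh dhcp dnscredentials command are documented Windows settings; the service account name and password are placeholders, and using a dedicated low-privilege account for the DHCP dynamic DNS updates is an assumption based on the Event 1056 text.

```powershell
# Added example (not from the original post): addressing Events 2886, 1056 and
# 10020 from the thread on a Windows Server 2008 R2 DC.
# Placeholders: $dhcpUser / $dhcpPass. Assumption: a dedicated account for DHCP's
# dynamic DNS registrations is acceptable in your environment.

# Event 2886: require LDAP signing (LDAPServerIntegrity 2 = Require signing), so
# unsigned SASL binds and cleartext simple binds are rejected. Before changing it,
# raise "16 LDAP Interface Events" to 2 so Event 2889 logs every client that still
# performs such binds; only switch to 2 once that log stays empty.
$ntds = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$diag = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
Set-ItemProperty -Path $diag -Name "16 LDAP Interface Events" -Value 2 -Type DWord
Set-ItemProperty -Path $ntds -Name "LDAPServerIntegrity"      -Value 2 -Type DWord

# Event 1056: DHCP on a DC should not register DNS records with the DC's own
# credentials. Create a dedicated domain user and hand it to the DHCP service.
$dhcpUser = "svc-dhcpdns"                     # placeholder account name
$dhcpPass = "REPLACE-WITH-STRONG-PASSWORD"    # placeholder, must meet domain policy
net.exe user $dhcpUser $dhcpPass /add /domain
netsh.exe dhcp server set dnscredentials $dhcpUser "labo.local" $dhcpPass
Restart-Service DHCPServer

# Event 10020: list the DC's IPv6 addresses; anything not marked Manual was
# obtained dynamically and should be replaced by a static address (or IPv6
# left unused) before relying on DHCPv6.
netsh.exe interface ipv6 show addresses

# Read back the two registry values so the change is verifiable.
Get-ItemProperty -Path $ntds -Name "LDAPServerIntegrity"
Get-ItemProperty -Path $diag -Name "16 LDAP Interface Events"
```

Run in an elevated session on the DC. Requiring LDAP signing affects every client that binds to this DC, so watch the 2889 events for a while in a lab with more than one machine before enforcing it.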
This lab is great, but how do you deal with the licensing activation etc. to keep your virtual lab running?
Several options:
- For the Windows VMs, this expiration period is 180 days; for VMware, 60 days
- Make a simple file copy of all VMs after the initial install. After the licenses are expired, restore the original VMs and you can restart the evaluation period.
- For Windows VMs, a Technet subscription is the cheapest solution to get permanent licenses
- For VMware, we have NFR licenses (work for a Partner)