How to Configure Core Windows Services in a Home Lab


Today we are going to look at some core Windows services, like NTP, security groups and Group Policy, and how to configure them properly for our Home Lab. For any Windows Home Lab, you need a few core Windows services in place before you can start adding the more extravagant stuff. For example, NTP (Network Time Protocol) is critical for many network devices to function correctly, and in a domain it is critical for Kerberos authentication, which by default rejects tickets when clocks differ by more than five minutes. Understanding how to set it up correctly is a key part of being a Windows administrator. Additionally, things like DHCP can be important if you want DHCP managed from a server instead of a firewall or network device.

This is a continuation of the Home Lab from Scratch series I started a while back. If you've been following along, then you already have your ESX host configured and at least one Windows server with Active Directory Domain Services installed. If you don't have that and want to go back, the list of what we have done so far is below. Feel free to jump around or start at the beginning to get caught up. Otherwise we will be starting on our domain controller as we configure these key core Windows services in our Home Lab. Let's go!

DISCLAIMER

Please understand that the content herein is for informational purposes only. Its existence and contents shall not create an obligation or liability, or suggest a consultancy relationship. Further, it shall be considered as is, without any express or implied warranties, including but not limited to warranties of merchantability, fitness for a particular purpose and non-infringement. There is no commitment that the content, or the specific functions of the services it describes, meets any standard of reliability, applicability or ability to meet your needs, whether unique or standard. Please be sure to test this process fully before deploying in ANY production capacity, and understand that you are doing so at your own risk.

Project List

  1. Download and Install vSphere (ESXi)
  2. Install and Configure OPNsense Firewall
  3. Download and Install Windows Server 2022
  4. Download and Install FreeNAS or Configure Synology (TBD)
  5. Install Windows Server and Configure Veeam Backup Server
  6. Install Windows Server and Configure ManageEngine Patch Manager
  7. Download and Configure MFA solution (Duo or KeyCloak)
  8. Evaluate Home Lab against initial requirements list
  9. Write Lessons Learned Blog post
  10. Plan Next Steps for Home Lab including Expansion

Table of Contents

Configure NTP on Domain Controller
Create OUs, Basic User Accounts and Groups
Conclusion

Configure NTP on Domain Controller

It isn't REQUIRED that your Domain Controller be your NTP server, but it is good practice. If your devices can reach the domain controller for authentication and DNS, they can reach it for time as well. In a domain, one DC (the PDC emulator) sits at the top of the time hierarchy: the other DCs sync from it, and domain-joined members sync from whichever DC authenticates them, without being pointed anywhere explicitly. Devices outside the domain (network gear, Linux hosts, non-joined VMs) do need an explicit NTP server, so once we configure the PDC, make a note of its IP address so everything else can be pointed at it.

NOTE: One consideration is PCs that don't connect to the domain regularly. Domain-joined workstations get their time from the DCs, and if they don't check in periodically their clocks can drift. For these devices, consider a policy that points them at the same external time source the PDC uses.

PDC

In a modern Windows domain, there is no "true" primary domain controller. Instead, one DC holds the PDC emulator FSMO role, and that is the DC the domain's time hierarchy is built on. By default it is the first DC promoted in the domain, unless the role has since been moved. If you aren't sure which DC holds it, follow these short steps (or run netdom query fsmo from a command prompt).

  1. Open Active Directory Users and Computers
  2. Right click the Domain and choose “Operations Masters”
  3. Click the PDC tab to find the DC that has the PDC role.
PDC emulator role for NTP

NTP Configuration

  1. The DC with the PDC emulator role is where you will perform these steps. Run them only on that DC; the other DCs keep the default domain-hierarchy sync and follow the PDC automatically.
  2. First, log into that Domain Controller and open a Command Prompt window as Administrator.
  3. Run these commands to make the PDC the authoritative time source for the domain, pointing it at an external source, then restart the time service and force a sync:
w32tm.exe /config /syncfromflags:manual /manualpeerlist:"131.107.13.100,0x8" /reliable:yes /update

net stop w32time && net start w32time

w32tm.exe /resync
  4. Verify with w32tm.exe /query /status and w32tm.exe /query /source. The source should be the external peer you configured, not "Local CMOS Clock"; if the peer never answers you will see W32Time event ID 47 in the System log (event ID 37 means valid time is being received).

NOTE: The 131.107.13.100 address is a NIST time server hosted by Microsoft. Alternatives include the NTP Pool Project or even your own firewall; just be sure the firewall has its own NTP time source. The ,0x8 suffix is a peer flag that tells w32time to talk to that peer in client mode; 0x1 is the other common one and makes it poll at the SpecialPollInterval instead of the adaptive interval.
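As an added example (not part of the original post), here is the same PDC configuration done from PowerShell, with the checks a practitioner would run straight afterwards. The peer list is an assumption for the lab; the PDC lookup, service restart and w32tm queries use only standard tooling and refuse to run on a DC that is not the role holder.

```powershell
# Added example (not from the original post): configure the PDC emulator as the
# domain's authoritative time source and verify the result. Run as Administrator
# on a DC. The peer list below is an assumption for the lab; substitute your
# firewall, NTP Pool hosts, or another source you control.
$Peers = "0.pool.ntp.org,0x8 1.pool.ntp.org,0x8"   # assumed; 0x8 = client mode

Import-Module ActiveDirectory

# Only the PDC emulator should be configured this way; every other DC keeps the
# default NT5DS (domain hierarchy) mode and follows the PDC automatically.
$pdc = (Get-ADDomain).PDCEmulator            # FQDN of the role holder
$me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($me -ne $pdc) {
    throw "This host is $me but the PDC emulator is $pdc. Run this on the PDC."
}

# Manual peer list, advertise as a reliable source, push the change live,
# then restart the service and ask for an immediate sync.
w32tm.exe /config /syncfromflags:manual /manualpeerlist:"$Peers" /reliable:yes /update
Restart-Service w32time
w32tm.exe /resync /nowait

# Verification: the source must be an external peer, not "Local CMOS Clock" or
# "Free-running System Clock", and the status output shows the current offset.
w32tm.exe /query /status
$source = (w32tm.exe /query /source).Trim()
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "PDC is not synced to an external peer yet (source: $source)."
}

# Peer reachability: a 5-sample strip chart against the first peer shows the
# measured offset; a peer that never answers reports error 0x800705B4 (timeout).
$firstPeer = ($Peers -split ' ')[0] -replace ',0x[0-9a-f]+$', ''
w32tm.exe /stripchart /computer:$firstPeer /samples:5 /dataonly

# The W32Time event log says what the service actually did: event 37 means it
# is receiving valid time from a peer; event 47 means a configured peer never
# answered (UDP/123 blocked at the firewall is the usual cause).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; Id = 37, 47 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The throw at the top matters more than it looks: running these commands on a non-PDC DC switches it out of domain-hierarchy mode and creates a second "reliable" source, which is how a domain ends up with two DCs disagreeing about the time.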

GPO Configuration

  1. Next we will make a GPO for the other DCs that end up in our environment, so they know which server to look to. Open "Group Policy Management" so we can create an NTP Client GPO.
  2. Right-click the OU named "Domain Controllers" and create a new policy; call it "NTP Client Settings" or something similar.
NTP Client settings
  3. Right-click the newly created GPO and choose "Edit". Navigate to Computer Configuration -> Policies -> Administrative Templates -> System -> Windows Time Service -> Time Providers.
  4. Double-click "Configure Windows NTP Client".
  5. Set the state to Enabled.
  6. Set Type to NTP.
  7. Set NtpServer to the IP address of the time server, followed by ,0x8.
    • In our case, it will be the PDC – 10.100.30.20,0x8
  8. Hit Apply and OK to save the policy.
  9. Close the editor. The GPO is already linked to the Domain Controllers OU, so it applies at the next policy refresh (gpupdate /force on a DC applies it immediately).
Finished NTP Client GPO configured and applied

NOTE: Linked like this, the GPO also applies to the PDC itself, and a policy setting wins over the values w32tm /config wrote by hand, so the PDC would end up pointing at its own address. Keep the PDC out of this GPO. Microsoft's documented approach is a WMI filter on the GPO, "Select * from Win32_ComputerSystem where DomainRole = 4", which limits it to DCs that are not the PDC emulator (DomainRole 5 is the PDC). A second GPO filtered on DomainRole = 5 can carry the PDC's external peer list if you prefer policy over the manual commands. The simplest option is to skip this GPO entirely: a DC that does not hold the PDC role defaults to Type NT5DS and follows the PDC through the domain hierarchy with no extra configuration.

With that in place, any additional DCs that get spun up in the environment get their time from the PDC and pass it on to the domain-joined devices that authenticate against them. Those members need nothing pointed at them by hand; only non-domain devices need the PDC's IP address configured explicitly.
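As an added example (not part of the original post), the following script audits the time hierarchy the two sections above set up, across every DC, and flags the specific misconfiguration a Domain Controllers-wide NTP client GPO causes (the PDC pointing at itself). It assumes the RSAT ActiveDirectory module and WinRM access to the DCs; hostnames and addresses come from the domain, nothing is hard-coded.

```powershell
# Added example (not from the original post): audit the domain's time hierarchy.
# Expected: the PDC emulator syncs from an external peer; every other DC reports
# a DC (normally the PDC) as its source; no DC is pointed at itself.
# Assumes the RSAT ActiveDirectory module and WinRM (Invoke-Command) to each DC.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator                                   # FQDN
$pdcIps = (Resolve-DnsName -Name $pdc -Type A).IPAddress
$dcs    = (Get-ADDomainController -Filter *).HostName

# Quick view first: offset of every DC relative to this host, and each DC's source.
w32tm.exe /monitor /domain:$($domain.DNSRoot)

# Per-DC detail: the effective Type/NtpServer and where they came from. Values
# under HKLM\SOFTWARE\Policies win over the service's own registry settings, so
# a policy value here means a GPO is overriding what w32tm /config wrote.
$report = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ScriptBlock {
    $local  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Type      = if ($policy.Type)      { "$($policy.Type) (GPO)" } else { $local.Type }
        NtpServer = if ($policy.NtpServer) { $policy.NtpServer }       else { $local.NtpServer }
        Source    = (w32tm.exe /query /source).Trim()
    }
}

foreach ($r in $report) {
    $isPdc     = ($r.PSComputerName -eq $pdc)
    $usesPdcIp = [bool]($pdcIps | Where-Object { $r.NtpServer -like "*$_*" })
    $problems  = @()
    if ($r.Source -match 'Local CMOS Clock|Free-running') {
        $problems += 'not synchronized to any peer'
    }
    if ($isPdc) {
        if ($r.Type -like 'NT5DS*') { $problems += 'PDC is in domain-hierarchy mode; it should use NTP with external peers' }
        if ($usesPdcIp)             { $problems += 'PDC NtpServer points at its own address (NTP client GPO applied to the PDC?)' }
    } elseif ($r.Type -like 'NTP*' -and -not $usesPdcIp) {
        $problems += 'non-PDC DC uses manual NTP peers that are not the PDC (deviates from the domain hierarchy)'
    }
    $role = if ($isPdc) { 'PDC' } else { 'DC ' }
    '{0} {1,-32} type={2,-12} ntpserver={3,-28} source={4}' -f $role, $r.PSComputerName, $r.Type, $r.NtpServer, $r.Source
    foreach ($p in $problems) { "    !! $p" }
}

# On a domain-joined member the same single check applies:
#   w32tm.exe /query /source   -> should name a DC, not "Local CMOS Clock".
# A member stuck on its local clock usually cannot reach UDP/123 on any DC, or a
# GPO has set it to Type NTP with an unreachable peer.
```

Run it from any domain-joined admin workstation; the `!!` lines are the ones worth chasing before you start debugging Kerberos logon failures.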

Create OUs, Basic User Accounts and Groups

In our lab, we want to test some features of a standard Active Directory setup. This includes custom Organizational Units (OUs), standard user accounts, administrative user accounts, and security groups to round it all out. Organizational Units are logical containers used to organize similar objects. The main reason for creating separate OUs is so you can link Group Policy (and delegate administration) to specific sets of objects; OUs are NOT meant to be used like File Explorer folders for tidiness. You can also separate and manage objects of similar types through groups. Groups, however, have uses beyond Active Directory (file permissions, application access), which is why we need them. We will cover some of those use cases later in the series.

Here is what we will be creating:

  • User Account: Scott Calvin
  • User Account: Billy Madison
  • Admin Account: Bruce Almighty
  • Security Group: Office Managers
  • Security Group: Office Workers
  • Organizational Unit: Employees
  • Organizational Unit: Admin Accounts
  • Organizational Unit: Workstations
  • Organizational Unit: Security Groups

This will give us a good start to the Active Directory structure and allow us to mimic some common Active Directory functions. Let's get started.

Creating Organizational Units

  1. Log in to your Domain Controller through the VMware ESX console. After you are signed in, open the Start Menu, go to Windows Administrative Tools, and open Active Directory Users and Computers.
Active Directory Users and Computers
  2. Once it is open, expand your domain so you see the built-in containers (Builtin, Computers, Users) and the Domain Controllers OU.
Active Directory Users and Computers Expanded
  3. Now we will create our new OUs. Right-click the domain –> New –> Organizational Unit.
Creating a New Organizational Unit
  4. We are creating an OU called "Employees". Type that name in the box that pops up. Leave the "Protect container from accidental deletion" box checked and hit OK. Repeat this process for the "Workstations", "Admin Accounts" and "Security Groups" OUs.
New Object – Organizational Unit

Now we have our OU’s to store the employee accounts, admin accounts and the workstations. Next we will create the user accounts in the Employees OU and the Admin Accounts in the appropriate OU as well.

AD Users and Computers with Newly Created OUs

Creating User Accounts

Now it is time to create some user accounts for the domain. This will give us the ability to test different scenarios without using the Administrator account for everything. One key thing to note: while it isn't necessary at this point, ideally your username scheme should match your email address scheme. The goal is for the username to be the same as the email address, so it is best to establish this up front if you have a specific scheme in mind. If not, just make one up here and you can align it with your email scheme later if you get to that point.

  1. We will start by creating our standard user accounts. Right-click the Employees OU and go to –> New –> User. A dialog menu will pop up.
Lets start creating some new users
  2. From the new dialog window, fill in the basic information and give your account a username (the "User logon name") that is unique to your environment. In this case, I just did the whole name. Pick something that works for you. Click Next when you are finished.
Creating our first new user account in AD
  3. Next you need to give the account a strong password. In the lab, you can make it something easy for you to remember; just know that in the real world every account should have a long, unique password. You will also see some option boxes, with "User must change password at next logon" checked by default. For a new user who will set their own password on first login, leave that one checked; otherwise leave all the boxes unchecked for standard users. "Password never expires" in particular should not be used on user accounts. Give it a password and hit Next.
Use good password practices
  4. Confirm the account settings and hit Finish. You have now created your first user in the lab! Repeat this process for each lab user you want to create. When you create the Admin account, be sure to create it in the Admin Accounts OU!
Hooray! First lab account created
  5. Once this is complete, you should have two user accounts in the Employees OU and one in the Admin Accounts OU.
Starter user accounts created!

Creating Security Groups

Up to this point, we haven't actually carved anything up into specific permissions or roles. That is because Active Directory uses security groups to assign permissions and set restrictions. NTFS permissions on a folder can be granted to individual user accounts, but that quickly becomes unmanageable; granting them to a security group and managing the group's membership is far easier to maintain and to audit. Assigning permissions to groups rather than to users is a standard you will see all throughout this lab. Let's create some groups so we can set the stage for permissions.

  1. Starting in the Security Groups OU, right-click the OU name and go to New –> Group.
Time to create some new security groups
  2. You will see a dialog box pop up. Create a security group by giving it a name; the "Group name (pre-Windows 2000)" box fills in with the same value. Leave the group scope at Global and the group type as Security. The other options aren't necessary for a standard security group. Hit OK when you are ready.
Choose a Group and basic Settings
  3. Repeat that exact process for the second group we want to create. Once you are done, you should have (at least) two groups in the Security Groups OU.
We have our first groups created correctly
  4. Now we need to put users in the groups. Right-click the "Office Workers" group and go to Properties.
Time to Bring it all together - adding users to AD security groups
  5. From here, click the Members tab and then hit the Add button. Search for the account that is going to be a standard user with little to no permissions. Hit Check Names to make sure you have the right account; the name is underlined once it resolves. Hit OK when you are finished.
Billy is one of our standard users with no permissions - adding users to ad groups
  6. Review the Members tab. You should now see the account you just added in the list. Repeat this process to add your other user to the "Office Managers" group.
Successfully added your first user to an AD group

Built In Security Groups

At this point you might be wondering why we didn't create an Admin group for Bruce. That is because we will be using a built-in AD group for the Bruce Almighty admin account. A built-in group is one that already has preconfigured rights and permissions across the domain, which is exactly what an account needing privileged access requires.

  1. Right-click your domain root in AD Users and Computers and choose "Find". A search box pops up. Search for "Domain" and you will see several built-in groups come up. Add Bruce to Domain Admins using the instructions above, and save the group. Domain Admins can do anything in the domain, so treat this account accordingly: use it only for administration, never for day-to-day logons or browsing, and keep it separate from any account you use as a normal user (which is exactly why Bruce has his own account and OU).

That is all there is to it. We have now created the OUs, user and admin accounts, as well as some security groups to use when assigning permissions later. All the ground work for our users is set for later lessons.
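As an added example (not part of the original post), here is the whole structure from this section built with the ActiveDirectory PowerShell module, so the lab can be rebuilt or extended without clicking through ADUC. It assumes the RSAT ActiveDirectory module, a domain admin session on a DC, and a first.last username scheme (a lab choice matching the email-scheme advice above; the post itself used the full name). Group membership follows the post: Billy in Office Workers, Scott in Office Managers, Bruce in Domain Admins.

```powershell
# Added example (not from the original post): create the lab OUs, users, groups
# and memberships described in this section with the ActiveDirectory module.
# Assumptions: RSAT ActiveDirectory module, run as a domain admin on a DC, and a
# first.last username scheme (lab choice). Every step checks before creating so
# the script can be re-run safely.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName      # e.g. DC=lab,DC=local (read from your domain)
$upnSfx   = $domain.DNSRoot

# One initial password for the lab users, entered at the prompt rather than
# hard-coded in a script that may end up in a repo. Each user must change it.
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for new lab users'

# --- Organizational Units, protected from accidental deletion as ADUC does by default ---
foreach ($ou in 'Employees', 'Admin Accounts', 'Workstations', 'Security Groups') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# --- Users: standard accounts in Employees, the admin account in Admin Accounts ---
$users = @(
    @{ Given = 'Scott'; Surname = 'Calvin';   OU = 'Employees' }
    @{ Given = 'Billy'; Surname = 'Madison';  OU = 'Employees' }
    @{ Given = 'Bruce'; Surname = 'Almighty'; OU = 'Admin Accounts' }
)
foreach ($u in $users) {
    $sam = ('{0}.{1}' -f $u.Given, $u.Surname).ToLower()     # first.last, matches an email scheme
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        New-ADUser -Name "$($u.Given) $($u.Surname)" -GivenName $u.Given -Surname $u.Surname `
            -SamAccountName $sam -UserPrincipalName "$sam@$upnSfx" `
            -Path "OU=$($u.OU),$domainDN" -AccountPassword $initialPassword `
            -Enabled $true -ChangePasswordAtLogon $true
    }
}

# --- Security groups: Global scope, Security category, in the Security Groups OU ---
foreach ($g in 'Office Workers', 'Office Managers') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security `
            -Path "OU=Security Groups,$domainDN"
    }
}

# --- Memberships (Add-ADGroupMember does not error on an existing member) ---
Add-ADGroupMember -Identity 'Office Workers'  -Members 'billy.madison'
Add-ADGroupMember -Identity 'Office Managers' -Members 'scott.calvin'
# Built-in group: Domain Admins, for the dedicated admin account only.
Add-ADGroupMember -Identity 'Domain Admins'   -Members 'bruce.almighty'

# --- Verification: who ended up where, and exactly who holds Domain Admins ---
Get-ADUser -Filter * -SearchBase "OU=Employees,$domainDN" -Properties MemberOf |
    Select-Object SamAccountName, Enabled,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName, objectClass
```

The last line is worth keeping as a habit outside the lab too: Domain Admins membership should be short and known, and listing it after every change is the cheapest check there is.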

Conclusion

This covers some core Windows services for our Home Lab setup. There are other things you could configure, but this covers the minimum. NTP is extremely important to activities in the environment, especially authentication: Kerberos rejects tickets when a client's clock is more than five minutes off the DC's by default, so if you are having login issues that aren't password related, time is one of the first things to check. Ensure it is configured in your Home Lab so you can minimize problems later. The other thing to consider with NTP is the non-Windows devices and any domain devices that don't hit the domain very often. These also need accurate time, so you'll have to look at each use case and decide the best course of action.

I hope you find value in this series. It is helpful for me to go through these things writing as I go. It helps me remember the steps, and document my journey as I build a new home lab for myself. As always, I’m open to suggestions, and willing to update this as I go, so if you have suggestions on what I missed, please let me know.

As always, hit me up on Twitter @SeeSmittyIT to let me know what you thought of this post. Thanks for reading!

Smitty

Curtis Smith works in IT with a primary focus on Mobile Device Management, M365 Apps, and Azure AD. He has certifications from CompTIA and Microsoft, and writes as a hobby.
