In a previous guide, Manage Samba4 Active Directory Using RSAT on Windows 7, we installed the RSAT tools on a Windows system and used them to manage our Samba4 server, and we were successful in adding users and computers to the network.
In this guide, https://topnetworkguide.com/manage-samba4-dns-group-policy-using-rsat/, we are going to add DNS records to forward and reverse lookup zones to test that our Samba4 server, which is also the DNS server, is able to resolve hostnames to IP addresses and vice versa.
We will then extend it to achieve things like:
Use group policy to push a desktop wallpaper to client machines.
Allow internet access to some users while preventing other users from reaching the internet.
Set the proxy server address on client browsers.
Install applications on remote systems, etc.
As we progress, we may decide to add group policy requirements to our active directory environment.
Manage Samba4 DNS, Group Policy Using RSAT
If you followed the guide Manage Samba4 Active Directory Using RSAT on Windows 7, you should now have your MMC open with the DNS snap-in loaded. Here is a screenshot showing the DNS snap-in.
Expand DNS => expand (samba server name) => expand Forward Lookup Zones and then right-click on (domain name). Our domain name in this guide is carehealth.local.
Now click on New Host (A or AAAA) to add a new host A record. When done correctly, this record lets a domain name be resolved to an IP address.
For instance, say you have a mail server with the IP address 192.168.1.100. You may have to type this IP again and again in the browser to manage the mail server or access your mail through a browser, and remembering the IP address can be a hassle. So simply create a name for the mail server in the forward lookup zone and use that name in the browser, e.g. mail.carehealth.com, which is easier to remember; the system will automatically translate the name to its corresponding IP address.
You could also ping the name and the corresponding IP address will be shown.
Hope that was an easy way to explain the forward lookup zone function.
Now enter the name of the host A record. In our case, we used mail.
Also enter the IP address of the mail server and then click on Add Host.
Now let us test it!
Open up PowerShell or the command line and ping mail.carehealth.local. You should get a translation to 192.168.100.100. In our case this server does not exist; we used the dummy IP address above just for the test.
REVERSE LOOKUP ZONE
A reverse lookup zone, on the other hand, converts an IP address to the corresponding computer or domain name.
To configure a reverse lookup zone for our network, expand DNS => expand (samba server name) => right-click Reverse Lookup Zones and click New Zone.
Now click on Next. Select the type of zone you need for your network. We selected Primary zone. Click Next and then select “To all DNS servers running on domain controllers in the domain”. Click Next, select IPv4 reverse lookup zone, click Next and then enter the network ID as shown below:
Click Next, allow secure dynamic updates, click Next and Finish.
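Pinging the name only proves the forward direction. The following PowerShell script is an added example, not part of the original guide, that queries the Samba4 DNS server directly for the A record created above, derives the in-addr.arpa name that the reverse lookup zone must hold (the reversed octets of the IP, which is also how the network ID you typed becomes the zone name), and checks that the PTR answer points back at the same host. Resolve-DnsName ships with Windows 8 / Server 2012 and later (on Windows 7 the same queries can be made with nslookup). The DC name dc1.carehealth.local is an assumption; the host name and addresses are the guide's.

```powershell
# Added example, not part of the original guide: verify that the Samba4 DNS
# server resolves the A record created above and that the reverse lookup zone
# holds a PTR record pointing back at the same name.
# Resolve-DnsName ships with Windows 8 / Server 2012 and later (on Windows 7 the
# same queries can be made with nslookup). The DC name below is an assumption.
param(
    [string]$DnsServer = 'dc1.carehealth.local',   # assumed name of the Samba4 DC
    [string]$HostName  = 'mail.carehealth.local'   # the A record from the guide
)

function Get-PtrOwnerName {
    # Build the in-addr.arpa name for an IPv4 address by reversing its octets:
    #   192.168.100.100 -> 100.100.168.192.in-addr.arpa
    # The reverse zone that has to exist for it is the same name without the
    # host octet, which is what the "network ID" step of the wizard creates:
    #   network ID 192.168.100 -> 100.168.192.in-addr.arpa
    param([string]$IPv4)
    $octets = $IPv4.Split('.')
    [array]::Reverse($octets)
    return (($octets -join '.') + '.in-addr.arpa')
}

function Test-DnsRoundTrip {
    param([string]$Server, [string]$Name)
    try {
        $aRecords = Resolve-DnsName -Name $Name -Type A -Server $Server -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'A' }
    } catch {
        Write-Warning "Forward lookup of $Name against $Server failed: $_"
        return $false
    }
    $ok = $true
    foreach ($rec in $aRecords) {
        $ip  = $rec.IPAddress
        $ptr = Get-PtrOwnerName $ip
        Write-Host ("{0} -> {1} (PTR owner name {2})" -f $Name, $ip, $ptr)
        try {
            # Ask for the PTR explicitly so a missing reverse zone shows up as an error
            $names = Resolve-DnsName -Name $ptr -Type PTR -Server $Server -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'PTR' } |
                     ForEach-Object { $_.NameHost.TrimEnd('.') }
        } catch {
            Write-Warning "No PTR record for $ip on $Server; the reverse zone is missing or the record was never added"
            $ok = $false
            continue
        }
        if ($names -contains $Name) {
            Write-Host "  reverse lookup agrees: $($names -join ', ')"
        } else {
            Write-Warning "  reverse lookup returned '$($names -join ', ')' but expected $Name"
            $ok = $false
        }
    }
    return $ok
}

if (Test-DnsRoundTrip -Server $DnsServer -Name $HostName) { 'DNS round trip OK' } else { 'DNS round trip FAILED' }
```

One caveat the script will surface: the New Host dialog's "Create associated pointer (PTR) record" checkbox can only succeed if the reverse zone already exists. Because the A record in this guide was added before the reverse zone was created, its PTR has to be added afterwards (right-click the new reverse zone and choose New Pointer (PTR)), or the reverse check above will report the record as missing.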
GROUP POLICY MANAGEMENT ON SAMBA4
With group policy, we can push out computer settings and configurations to multiple systems at once. It eliminates the need to go from one system to the other, manually entering settings and configurations.
SET DESKTOP WALLPAPER ON CLIENT MACHINES
Make sure Group Policy Management is installed from Control Panel => Turn Windows features on or off => RSAT => Feature Administration Tools. Tick Group Policy Management.
Now add the Group Policy Management snap-in to the MMC.
Expand Group Policy Management => expand Forest: (your domain) => expand Domains. Now right-click on your domain name and click Create a GPO in the domain.
Name the GPO Desktop Wallpaper.
Expand carehealth.local (in our case), right-click on Desktop Wallpaper and click Edit.
Now expand User Configuration => Policies => Administrative Templates => Desktop, and then click on the Desktop node under it.
Now double-click Desktop Wallpaper in the settings pane (right above) and enable it.
Download or design a corporate wallpaper. The wallpaper name can be either a local path or a shared file referenced by its UNC path. We chose to use the shared UNC path. Select Fit as the wallpaper style.
You should now reboot your Windows machine, and the result will be a new desktop wallpaper as shown below.
Now that clients get the new wallpaper, we want to proceed to use group policy to set the proxy server address on client browsers.
SET PROXY SERVER ADDRESS ON CLIENT BROWSERS
This can be useful if we want to prevent all users from having access to the internet by pointing them at a fake proxy address, or if we want to implement a non-transparent proxy.
On our network, we have a proxy server running Squid on Ubuntu 16.04.
Alternatively, you could visit our guide on how to install a web proxy on VyOS. Our proxy server listens on port 3128 and has the IP address 192.168.100.1. Instead of manually updating all client browsers with this IP address and port number, we can use group policy to push these settings to all client browsers. This is how.
Go to Group Policy Management in the MMC. Expand Forest, expand Domains and expand the domain name. Right-click Group Policy Objects and click New. Give the new group policy object a name and hit OK.
Now expand Group Policy Objects, right-click on the browser proxy server setup object and click Edit.
On the next screen, expand User Configuration => Policies => Windows Settings => Internet Explorer Maintenance. Click on Connection.
Now double-click on Proxy Settings and then tick the box next to Enable proxy settings.
Also enter the IP address of the proxy server and the port number as shown.
Now go to the name of your domain and right-click it. Select Link an Existing GPO. Note that we want this GPO to apply to all users in the domain.
Select our newly created browser proxy GPO to link and click OK.
Restart a client computer, open up Internet Explorer => Tools => Internet Options => LAN settings, and this is what you should see.
That went well. With this proxy server in place, you could grant internet access to some users on the network while denying it to others.
Nevertheless, we are still going to use group policy, to a limited degree, to enable certain users to have access to the internet while preventing others.
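Both user policies configured above (the Desktop Wallpaper setting and the Internet Explorer Maintenance proxy setting) end up as ordinary values in the logged-on user's registry hive, so a client-side check can be more precise than looking at the desktop or the LAN settings dialog. The PowerShell script below is an added example, not part of the original guide, to run on a domain-joined client after logging on: it reads the registry values that the two policies write, compares them with the values from this guide (proxy 192.168.100.1:3128, wallpaper style Fit), and falls back to gpresult so that "GPO not applied" can be told apart from "wrong setting". The UNC path of the wallpaper is an assumption, since the guide does not give it.

```powershell
# Added example, not part of the original guide: check on a domain-joined client
# that the Desktop Wallpaper GPO and the browser proxy GPO actually applied.
# Expected values match the guide; the wallpaper UNC path is an assumption.
param(
    [string]$ExpectedProxy     = '192.168.100.1:3128',
    [string]$ExpectedWallpaper = '\\dc1\share\corporate.jpg'   # assumed UNC path
)

function Get-RegValue {
    # Return a registry value, or $null when the key or value does not exist,
    # instead of throwing (a missing value is itself a useful result here)
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-UserPolicyState {
    # The Desktop Wallpaper policy writes Wallpaper and WallpaperStyle under the
    # per-user Policies\System key (WallpaperStyle 6 is "Fit")
    $wp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    # IE Maintenance proxy settings write ProxyEnable and ProxyServer under the
    # per-user Internet Settings key, which the LAN settings dialog reads
    $ie = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{
        Wallpaper      = Get-RegValue $wp 'Wallpaper'
        WallpaperStyle = Get-RegValue $wp 'WallpaperStyle'
        ProxyEnable    = Get-RegValue $ie 'ProxyEnable'
        ProxyServer    = Get-RegValue $ie 'ProxyServer'
    }
}

function Test-UserPolicyState {
    param([string]$Proxy, [string]$Wallpaper)
    $s = Get-UserPolicyState
    $problems = @()
    if ($s.Wallpaper -ne $Wallpaper) { $problems += "Wallpaper is '$($s.Wallpaper)', expected '$Wallpaper'" }
    if ($s.WallpaperStyle -ne '6')   { $problems += "WallpaperStyle is '$($s.WallpaperStyle)', expected 6 (Fit)" }
    if ($s.ProxyEnable -ne 1)        { $problems += "ProxyEnable is '$($s.ProxyEnable)', expected 1" }
    if ($s.ProxyServer -ne $Proxy)   { $problems += "ProxyServer is '$($s.ProxyServer)', expected '$Proxy'" }
    if ($problems.Count -eq 0) {
        Write-Host 'Both GPOs applied as expected'
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    # List the GPOs the client believes it applied, so a GPO that is not linked
    # or is filtered out can be told apart from a GPO with the wrong setting
    gpresult /r /scope:user
    return $false
}

Test-UserPolicyState -Proxy $ExpectedProxy -Wallpaper $ExpectedWallpaper
```

Run gpupdate /force and log off and on again before checking, since both are user policies and only apply at logon. Two points to keep in mind when relying on the proxy GPO for access control: the Internet Explorer Maintenance values are plain per-user settings that the user can change back unless the separate policy Prevent changing proxy settings (User Configuration => Administrative Templates => Windows Components => Internet Explorer) is also enabled, and a pushed proxy address only affects software that honours the Windows proxy settings, so denying internet access has to be enforced at the gateway or firewall as well. Internet Explorer Maintenance was removed with Internet Explorer 10 and Windows 8, so clients newer than the Windows 7 machines in this guide need the proxy pushed through Group Policy Preferences instead.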