Windows Active Directory: Difference between revisions
No edit summary |
|||
| (34 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
===List Applied GPO's=== | ===List Applied GPO's=== | ||
GUI: | |||
rsop.msc | |||
CLI: | |||
gpresult /r /scope computer | |||
or save it to an html file with /h | or save it to an html file with <code>/h</code>: | ||
gpresult /h c:\gpresult.html | |||
<code>gpresult /h c:\gpresult.html | |||
===Confirm DC is Reachable=== | ===Confirm DC is Reachable=== | ||
net view \\<DC name> | |||
==Domain Controller Admin== | ==Domain Controller Admin== | ||
===Show DC | ===Show DC Replication Status=== | ||
This also shows the DSA object GUID of all DC's. | |||
repadmin /showrepl | |||
repadmin / | ===Show replication state and relative health of a forest=== | ||
repadmin /replsummary | |||
===Sync Domain Controller with all Replication Partners=== | |||
repadmin /syncall /d /e | |||
===Domain Controller Diagnostics=== | ===Domain Controller Diagnostics=== | ||
====Get List of all DCs in Domain==== | |||
nltest /dclist:lambnet.us | |||
====Verify DNS Services for DC==== | ====Verify DNS Services for DC==== | ||
| Line 34: | Line 49: | ||
nltest.exe /dsregdns | nltest.exe /dsregdns | ||
===Check DC FSMO Roles=== | |||
netdom query FSMO | |||
===Enable LDAPS=== | |||
Essentially, all you have to do is generate a SSL Server Certificate with the ''CN={hostname_of_dc}'' and place it into the '''Computer Certificates > Personal''' cert store. The DC will automatically use the server cert in there with the most longevity. You don't even need to restart any services nor the server itself (in my experience, anyway). Then the DC will start accepting LDAP over SSL/TLS on port 636. I did not have to adjust the Windows Firewall on the DC. | |||
==Deploy a new Headless Domain Controller== | |||
Microsoft says ''headless'' = ''Windows Server Core''. | |||
Follow these instructions to add a DC to an existing domain. | |||
Start with a clean install of Windows Server Core. | |||
===Establish Network Connectivity=== | |||
<pre> | |||
Set-TimeZone -Id "Eastern Standard Time" | |||
Rename-Computer -NewName "dc-matt" -Restart | |||
Get-NetAdapter | |||
</pre> | |||
<pre> | |||
New-NetIPAddress ` | |||
-InterfaceAlias "Ethernet" ` | |||
-IPAddress 10.145.30.5 ` | |||
-PrefixLength 29 ` | |||
-DefaultGateway 10.145.30.1 | |||
Set-DnsClientServerAddress ` | |||
-InterfaceAlias "Ethernet" ` | |||
-ServerAddresses 10.145.30.4 | |||
</pre> | |||
<pre> | |||
Test-Connection lambnet.us | |||
Resolve-DnsName lambnet.us | |||
</pre> | |||
===Enable SSH Access=== | |||
<pre> | |||
Add-WindowsCapability -Online -Name OpenSSH.Server | |||
Start-Service sshd | |||
Set-Service -Name sshd -StartupType Automatic | |||
# add firewall exception | |||
New-NetFirewallRule ` | |||
-Name "SSH Server" ` | |||
-DisplayName "SSH Server" ` | |||
-Enabled True ` | |||
-Direction Inbound ` | |||
-Protocol TCP ` | |||
-Action Allow ` | |||
-LocalPort 22 | |||
# set PowerShell as default shell | |||
New-ItemProperty ` | |||
-Path "HKLM:\SOFTWARE\OpenSSH" ` | |||
-Name DefaultShell ` | |||
-Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ` | |||
-PropertyType String ` | |||
-Force | |||
</pre> | |||
===Join Domain=== | |||
<pre> | |||
# set an admin user here | |||
$u = "LAMBNET\dave" | |||
# and it'll prompt you for password, upon execution | |||
$p = Read-Host "Password" -AsSecureString | |||
$cred = New-Object System.Management.Automation.PSCredential($u,$p) | |||
Add-Computer ` | |||
-DomainName "lambnet.us" ` | |||
-Credential $cred ` | |||
-Restart | |||
whoami | |||
Get-ComputerInfo | Select CsDomain | |||
</pre> | |||
===Promote Server to Domain Controller=== | |||
<pre> | |||
Install-WindowsFeature AD-Domain-Services | |||
# set an admin user here | |||
$u = "LAMBNET\dave" | |||
# and it'll prompt you for password, upon execution | |||
$p = Read-Host "Password" -AsSecureString | |||
$cred = New-Object System.Management.Automation.PSCredential($u,$p) | |||
Install-ADDSDomainController ` | |||
-DomainName "lambnet.us" ` | |||
-Credential $cred ` | |||
-SiteName "MattNet" ` | |||
-DatabasePath "C:\Windows\NTDS" ` | |||
-LogPath "C:\Windows\NTDS" ` | |||
-SysvolPath "C:\Windows\SYSVOL" ` | |||
-NoGlobalCatalog:$false | |||
</pre> | |||
==Using Linux BIND DNS Servers for Dynamic AD Updates== | |||
See [[ISC Bind#Windows AD Dynamic Updates|ISC BIND]]. | |||
==RSAT Tools== | |||
Use these tools to manage your DC's from a client Windows PC: | |||
''Install on client PC, not on a DC.'' | |||
<pre> | |||
# Active Directory + GPMC | |||
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools | |||
# Group Policy specifically (usually included above, but explicit) | |||
Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools | |||
# DNS | |||
Add-WindowsCapability -Online -Name Rsat.Dns.Tools | |||
</pre> | |||
<code>gpmc.msc</code> → Group Policy | |||
<code>dsa.msc</code> → AD Users & Computers | |||
<code>dnsmgmt.msc</code> → DNS Manager | |||
Latest revision as of 20:13, 1 May 2026
Client Commands
List Applied GPO's
GUI:
rsop.msc
CLI:
gpresult /r /scope computer
or save it to an html file with /h:
gpresult /h c:\gpresult.html
Confirm DC is Reachable
net view \\<DC name>
Domain Controller Admin
Show DC Replication Status
This also shows the DSA object GUID of all DC's.
repadmin /showrepl
Show replication state and relative health of a forest
repadmin /replsummary
Sync Domain Controller with all Replication Partners
repadmin /syncall /d /e
Domain Controller Diagnostics
Get List of all DCs in Domain
nltest /dclist:lambnet.us
Verify DNS Services for DC
dcdiag /test:dns
Comprehensive, Run all tests, Verbose
dcdiag /c /v
Force registration of all DC-specific DNS records
nltest.exe /dsregdns
Check DC FSMO Roles
netdom query FSMO
Enable LDAPS
Essentially, all you have to do is generate a SSL Server Certificate with the CN={hostname_of_dc} and place it into the Computer Certificates > Personal cert store. The DC will automatically use the server cert in there with the most longevity. You don't even need to restart any services nor the server itself (in my experience, anyway). Then the DC will start accepting LDAP over SSL/TLS on port 636. I did not have to adjust the Windows Firewall on the DC.
Deploy a new Headless Domain Controller
Microsoft says headless = Windows Server Core.
Follow these instructions to add a DC to an existing domain.
Start with a clean install of Windows Server Core.
Establish Network Connectivity
Set-TimeZone -Id "Eastern Standard Time" Rename-Computer -NewName "dc-matt" -Restart Get-NetAdapter
New-NetIPAddress ` -InterfaceAlias "Ethernet" ` -IPAddress 10.145.30.5 ` -PrefixLength 29 ` -DefaultGateway 10.145.30.1 Set-DnsClientServerAddress ` -InterfaceAlias "Ethernet" ` -ServerAddresses 10.145.30.4
Test-Connection lambnet.us Resolve-DnsName lambnet.us
Enable SSH Access
Add-WindowsCapability -Online -Name OpenSSH.Server Start-Service sshd Set-Service -Name sshd -StartupType Automatic # add firewall exception New-NetFirewallRule ` -Name "SSH Server" ` -DisplayName "SSH Server" ` -Enabled True ` -Direction Inbound ` -Protocol TCP ` -Action Allow ` -LocalPort 22 # set PowerShell as default shell New-ItemProperty ` -Path "HKLM:\SOFTWARE\OpenSSH" ` -Name DefaultShell ` -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ` -PropertyType String ` -Force
Join Domain
# set an admin user here $u = "LAMBNET\dave" # and it'll prompt you for password, upon execution $p = Read-Host "Password" -AsSecureString $cred = New-Object System.Management.Automation.PSCredential($u,$p) Add-Computer ` -DomainName "lambnet.us" ` -Credential $cred ` -Restart whoami Get-ComputerInfo | Select CsDomain
Promote Server to Domain Controller
Install-WindowsFeature AD-Domain-Services # set an admin user here $u = "LAMBNET\dave" # and it'll prompt you for password, upon execution $p = Read-Host "Password" -AsSecureString $cred = New-Object System.Management.Automation.PSCredential($u,$p) Install-ADDSDomainController ` -DomainName "lambnet.us" ` -Credential $cred ` -SiteName "MattNet" ` -DatabasePath "C:\Windows\NTDS" ` -LogPath "C:\Windows\NTDS" ` -SysvolPath "C:\Windows\SYSVOL" ` -NoGlobalCatalog:$false
Using Linux BIND DNS Servers for Dynamic AD Updates
See ISC BIND.
RSAT Tools
Use these tools to manage your DC's from a client Windows PC:
Install on client PC, not on a DC.
# Active Directory + GPMC Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools # Group Policy specifically (usually included above, but explicit) Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools # DNS Add-WindowsCapability -Online -Name Rsat.Dns.Tools
gpmc.msc → Group Policy
dsa.msc → AD Users & Computers
dnsmgmt.msc → DNS Manager