Windows Active Directory: Difference between revisions

From Dave-Wiki
 
(23 intermediate revisions by the same user not shown)
Line 18: Line 18:
==Domain Controller Admin==
==Domain Controller Admin==


===Show DC GUID===
===Show DC Replication Status===


   repadmin /showreps
This also shows the DSA object GUID of all DC's.
 
   repadmin /showrepl
 
===Show replication state and relative health of a forest===
 
  repadmin /replsummary


===Sync Domain Controller with all Replication Partners===
===Sync Domain Controller with all Replication Partners===


   repadmin /syncall
   repadmin /syncall /d /e


===Domain Controller Diagnostics===
===Domain Controller Diagnostics===
====Get List of all DCs in Domain====
nltest /dclist:lambnet.us


====Verify DNS Services for DC====
====Verify DNS Services for DC====
Line 43: Line 53:


   netdom query FSMO
   netdom query FSMO
===Enable LDAPS===
Essentially, all you have to do is generate a SSL Server Certificate with the ''CN={hostname_of_dc}'' and place it into the '''Computer Certificates > Personal''' cert store. The DC will automatically use the server cert in there with the most longevity. You don't even need to restart any services nor the server itself (in my experience, anyway). Then the DC will start accepting LDAP over SSL/TLS on port 636. I did not have to adjust the Windows Firewall on the DC.
==Deploy a new Headless Domain Controller==
Microsoft says ''headless'' = ''Windows Server Core''.
Follow these instructions to add a DC to an existing domain.
Start with a clean install of Windows Server Core.
===Establish Network Connectivity===
<pre>
Set-TimeZone -Id "Eastern Standard Time"
Rename-Computer -NewName "dc-matt" -Restart
Get-NetAdapter
</pre>
<pre>
New-NetIPAddress `
  -InterfaceAlias "Ethernet" `
  -IPAddress 10.145.30.5 `
  -PrefixLength 29 `
  -DefaultGateway 10.145.30.1
Set-DnsClientServerAddress `
  -InterfaceAlias "Ethernet" `
  -ServerAddresses 10.145.30.4
</pre>
<pre>
Test-Connection lambnet.us
Resolve-DnsName lambnet.us
</pre>
===Enable SSH Access===
<pre>
Add-WindowsCapability -Online -Name OpenSSH.Server
Start-Service sshd
Set-Service -Name sshd -StartupType Automatic
# add firewall exception
New-NetFirewallRule `
  -Name "SSH Server" `
  -DisplayName "SSH Server" `
  -Enabled True `
  -Direction Inbound `
  -Protocol TCP `
  -Action Allow `
  -LocalPort 22
# set PowerShell as default shell
New-ItemProperty `
  -Path "HKLM:\SOFTWARE\OpenSSH" `
  -Name DefaultShell `
  -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
  -PropertyType String `
  -Force
</pre>
===Join Domain===
<pre>
# set an admin user here
$u = "LAMBNET\dave"
# and it'll prompt you for password, upon execution
$p = Read-Host "Password" -AsSecureString
$cred = New-Object System.Management.Automation.PSCredential($u,$p)
Add-Computer `
  -DomainName "lambnet.us" `
  -Credential $cred `
  -Restart
whoami
Get-ComputerInfo | Select CsDomain
</pre>
===Promote Server to Domain Controller===
<pre>
Install-WindowsFeature AD-Domain-Services
# set an admin user here
$u = "LAMBNET\dave"
# and it'll prompt you for password, upon execution
$p = Read-Host "Password" -AsSecureString
$cred = New-Object System.Management.Automation.PSCredential($u,$p)
Install-ADDSDomainController `
  -DomainName "lambnet.us" `
  -Credential $cred `
  -SiteName "MattNet" `
  -DatabasePath "C:\Windows\NTDS" `
  -LogPath "C:\Windows\NTDS" `
  -SysvolPath "C:\Windows\SYSVOL" `
  -NoGlobalCatalog:$false
</pre>


==Using Linux BIND DNS Servers for Dynamic AD Updates==
==Using Linux BIND DNS Servers for Dynamic AD Updates==


===ACL===
See [[ISC Bind#Windows AD Dynamic Updates|ISC BIND]].
 
==RSAT Tools==


  acl "DOMAIN-CONTROLLERS" {
Use these tools to manage your DC's from a client Windows PC:
      10.144.30.101;  // DC1-dave
      10.144.35.2;    // DC2-dave
      10.150.30.5;    // DC-jim
  };


===Zone Delcarations===
''Install on client PC, not on a DC.''


====Master Config====
<pre>
# Active Directory + GPMC
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools


  zone "_msdcs.lambnet.us" IN {
# Group Policy specifically (usually included above, but explicit)
      type master;
Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools
      file "dynamic/_msdcs.lambnet.us";
      allow-update { DOMAIN-CONTROLLERS; };
  };
 
  zone "_sites.lambnet.us" IN {
      type master;
      file "dynamic/_sites.lambnet.us";
      allow-update { DOMAIN-CONTROLLERS; };
  };
 
  zone "_tcp.lambnet.us" IN {
      type master;
      file "dynamic/_tcp.lambnet.us";
      allow-update { DOMAIN-CONTROLLERS; };
  };
 
  zone "_udp.lambnet.us" IN {
      type master;
      file "dynamic/_udp.lambnet.us";
      allow-update { DOMAIN-CONTROLLERS; };
  };


====Slave Config====
# DNS
Add-WindowsCapability -Online -Name Rsat.Dns.Tools
</pre>


  zone "_msdcs.lambnet.us" IN {
<code>gpmc.msc</code> → Group Policy
      type slave;
      masters { 10.144.30.4; };
      file "dynamic/_msdcs.lambnet.us";
      allow-update-forwarding { DOMAIN-CONTROLLERS; };
  };
 
  zone "_sites.lambnet.us" IN {
      type slave;
      masters { 10.144.30.4; };
      file "dynamic/_sites.lambnet.us";
      allow-update-forwarding { DOMAIN-CONTROLLERS; };
  };
 
  zone "_tcp.lambnet.us" IN {
      type slave;
      masters { 10.144.30.4; };
      file "dynamic/_tcp.lambnet.us";
      allow-update-forwarding { DOMAIN-CONTROLLERS; };
  };
 
  zone "_udp.lambnet.us" IN {
      type slave;
      masters { 10.144.30.4; };
      file "dynamic/_udp.lambnet.us";
      allow-update-forwarding { DOMAIN-CONTROLLERS; };
  };


===Logging===
<code>dsa.msc</code> → AD Users & Computers


  channel update-log {
<code>dnsmgmt.msc</code> → DNS Manager
      file "/var/log/named/named.update" versions 5 size 5m;
      severity info;
      print-category yes;
      print-severity yes;
      print-time yes;
  };
 
  category update      { update-log; };

Latest revision as of 20:13, 1 May 2026

Client Commands

List Applied GPO's

GUI: 

 rsop.msc

CLI: 

 gpresult /r /scope computer

or save it to an html file with /h: 

 gpresult /h c:\gpresult.html

Confirm DC is Reachable

 net view \\<DC name>

Domain Controller Admin

Show DC Replication Status

This also shows the DSA object GUID of all DC's. 

 repadmin /showrepl

Show replication state and relative health of a forest

 repadmin /replsummary

Sync Domain Controller with all Replication Partners

 repadmin /syncall /d /e

Domain Controller Diagnostics

Get List of all DCs in Domain

nltest /dclist:lambnet.us

Verify DNS Services for DC

 dcdiag /test:dns

Comprehensive, Run all tests, Verbose

 dcdiag /c /v

Force registration of all DC-specific DNS records

 nltest.exe /dsregdns

Check DC FSMO Roles

 netdom query FSMO

Enable LDAPS

Essentially, all you have to do is generate a SSL Server Certificate with the CN={hostname_of_dc} and place it into the Computer Certificates > Personal cert store. The DC will automatically use the server cert in there with the most longevity. You don't even need to restart any services nor the server itself (in my experience, anyway). Then the DC will start accepting LDAP over SSL/TLS on port 636. I did not have to adjust the Windows Firewall on the DC.

Deploy a new Headless Domain Controller

Microsoft says headless = Windows Server Core.

Follow these instructions to add a DC to an existing domain.

Start with a clean install of Windows Server Core.

Establish Network Connectivity

Set-TimeZone -Id "Eastern Standard Time"

Rename-Computer -NewName "dc-matt" -Restart

Get-NetAdapter

New-NetIPAddress `
  -InterfaceAlias "Ethernet" `
  -IPAddress 10.145.30.5 `
  -PrefixLength 29 `
  -DefaultGateway 10.145.30.1

Set-DnsClientServerAddress `
  -InterfaceAlias "Ethernet" `
  -ServerAddresses 10.145.30.4

Test-Connection lambnet.us

Resolve-DnsName lambnet.us

Enable SSH Access

Add-WindowsCapability -Online -Name OpenSSH.Server

Start-Service sshd
Set-Service -Name sshd -StartupType Automatic

# add firewall exception
New-NetFirewallRule `
  -Name "SSH Server" `
  -DisplayName "SSH Server" `
  -Enabled True `
  -Direction Inbound `
  -Protocol TCP `
  -Action Allow `
  -LocalPort 22

# set PowerShell as default shell
New-ItemProperty `
  -Path "HKLM:\SOFTWARE\OpenSSH" `
  -Name DefaultShell `
  -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
  -PropertyType String `
  -Force

Join Domain

# set an admin user here
$u = "LAMBNET\dave"
# and it'll prompt you for password, upon execution
$p = Read-Host "Password" -AsSecureString
$cred = New-Object System.Management.Automation.PSCredential($u,$p)

Add-Computer `
  -DomainName "lambnet.us" `
  -Credential $cred `
  -Restart

whoami

Get-ComputerInfo | Select CsDomain

Promote Server to Domain Controller

Install-WindowsFeature AD-Domain-Services

# set an admin user here
$u = "LAMBNET\dave"
# and it'll prompt you for password, upon execution
$p = Read-Host "Password" -AsSecureString
$cred = New-Object System.Management.Automation.PSCredential($u,$p)

Install-ADDSDomainController `
  -DomainName "lambnet.us" `
  -Credential $cred `
  -SiteName "MattNet" `
  -DatabasePath "C:\Windows\NTDS" `
  -LogPath "C:\Windows\NTDS" `
  -SysvolPath "C:\Windows\SYSVOL" `
  -NoGlobalCatalog:$false

Using Linux BIND DNS Servers for Dynamic AD Updates

See ISC BIND.

RSAT Tools

Use these tools to manage your DC's from a client Windows PC:

Install on client PC, not on a DC. 

# Active Directory + GPMC
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools

# Group Policy specifically (usually included above, but explicit)
Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools

# DNS
Add-WindowsCapability -Online -Name Rsat.Dns.Tools

gpmc.msc → Group Policy

dsa.msc → AD Users & Computers

dnsmgmt.msc → DNS Manager

Retrieved from "https://davehome.net/wiki/index.php?title=Windows_Active_Directory&oldid=888"