Windows Active Directory: Difference between revisions

Client Commands

List Applied GPO's

GUI:

 rsop.msc

CLI:

 gpresult /r /scope computer

or save it to an html file with /h:

 gpresult /h c:\gpresult.html

Confirm DC is Reachable

 net view \\<DC name>

Domain Controller Admin

Show DC Replication Status

This also shows the DSA object GUID of all DC's.

 repadmin /showrepl

Show replication state and relative health of a forest

 repadmin /replsummary

Sync Domain Controller with all Replication Partners

 repadmin /syncall /d /e

Domain Controller Diagnostics

Get List of all DCs in Domain

nltest /dclist:lambnet.us

Verify DNS Services for DC

 dcdiag /test:dns

Comprehensive, Run all tests, Verbose

 dcdiag /c /v

Force registration of all DC-specific DNS records

 nltest.exe /dsregdns

Check DC FSMO Roles

 netdom query FSMO

Enable LDAPS

Essentially, all you have to do is generate a SSL Server Certificate with the CN={hostname_of_dc} and place it into the Computer Certificates > Personal cert store. The DC will automatically use the server cert in there with the most longevity. You don't even need to restart any services nor the server itself (in my experience, anyway). Then the DC will start accepting LDAP over SSL/TLS on port 636. I did not have to adjust the Windows Firewall on the DC.

Deploy a new Headless Domain Controller

Microsoft says headless = Windows Server Core.

Follow these instructions to add a DC to an existing domain.

Start with a clean install of Windows Server Core.

Establish Network Connectivity

Set-TimeZone -Id "Eastern Standard Time"

Rename-Computer -NewName "dc-matt" -Restart

Get-NetAdapter

New-NetIPAddress `
  -InterfaceAlias "Ethernet" `
  -IPAddress 10.145.30.5 `
  -PrefixLength 29 `
  -DefaultGateway 10.145.30.1

Set-DnsClientServerAddress `
  -InterfaceAlias "Ethernet" `
  -ServerAddresses 10.145.30.4

Test-Connection lambnet.us

Resolve-DnsName lambnet.us

Enable SSH Access

Add-WindowsCapability -Online -Name OpenSSH.Server

Start-Service sshd
Set-Service -Name sshd -StartupType Automatic

# add firewall exception
New-NetFirewallRule `
  -Name "SSH Server" `
  -DisplayName "SSH Server" `
  -Enabled True `
  -Direction Inbound `
  -Protocol TCP `
  -Action Allow `
  -LocalPort 22

# set PowerShell as default shell
New-ItemProperty `
  -Path "HKLM:\SOFTWARE\OpenSSH" `
  -Name DefaultShell `
  -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
  -PropertyType String `
  -Force

Join Domain

# set an admin user here
$u = "LAMBNET\dave"
# and it'll prompt you for password, upon execution
$p = Read-Host "Password" -AsSecureString
$cred = New-Object System.Management.Automation.PSCredential($u,$p)

Add-Computer `
  -DomainName "lambnet.us" `
  -Credential $cred `
  -Restart

whoami

Get-ComputerInfo | Select CsDomain

Promote Server to Domain Controller

Install-WindowsFeature AD-Domain-Services

# set an admin user here
$u = "LAMBNET\dave"
# and it'll prompt you for password, upon execution
$p = Read-Host "Password" -AsSecureString
$cred = New-Object System.Management.Automation.PSCredential($u,$p)

Install-ADDSDomainController `
  -DomainName "lambnet.us" `
  -Credential $cred `
  -SiteName "MattNet" `
  -DatabasePath "C:\Windows\NTDS" `
  -LogPath "C:\Windows\NTDS" `
  -SysvolPath "C:\Windows\SYSVOL" `
  -NoGlobalCatalog:$false

Using Linux BIND DNS Servers for Dynamic AD Updates

See ISC BIND.

RSAT Tools

Use these tools to manage your DC's from a client Windows PC:

Install on client PC, not on a DC.

# Active Directory + GPMC
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools

# Group Policy specifically (usually included above, but explicit)
Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools

# DNS
Add-WindowsCapability -Online -Name Rsat.Dns.Tools

gpmc.msc → Group Policy

dsa.msc → AD Users & Computers

dnsmgmt.msc → DNS Manager