Windows Active Directory
Latest revision as of 20:13, 1 May 2026
==Client Commands==
===List Applied GPOs===
GUI:
<pre>
rsop.msc
</pre>
CLI:
<pre>
gpresult /r /scope computer
</pre>
or save it to an HTML file with /h:
<pre>
gpresult /h c:\gpresult.html
</pre>
===Confirm DC is Reachable===
<pre>
net view \\<DC name>
</pre>
==Domain Controller Admin==
===Show DC Replication Status===
This also shows the DSA object GUID of all DCs.
<pre>
repadmin /showrepl
</pre>
===Show replication state and relative health of a forest===
<pre>
repadmin /replsummary
</pre>
===Sync Domain Controller with all Replication Partners===
<pre>
repadmin /syncall /d /e
</pre>
==Domain Controller Diagnostics==
===Get List of all DCs in Domain===
<pre>
nltest /dclist:lambnet.us
</pre>
===Verify DNS Services for DC===
<pre>
dcdiag /test:dns
</pre>
===Comprehensive: run all tests, verbose output===
<pre>
dcdiag /c /v
</pre>
===Force registration of all DC-specific DNS records===
<pre>
nltest.exe /dsregdns
</pre>
===Check DC FSMO Roles===
<pre>
netdom query FSMO
</pre>
==Enable LDAPS==
Essentially, all you have to do is generate an SSL server certificate with CN={hostname_of_dc} and place it into the Computer Certificates > Personal certificate store (<code>Cert:\LocalMachine\My</code>). The DC automatically picks the server certificate in that store with the longest remaining validity. You don't even need to restart any services or the server itself (in my experience, anyway). The DC will then start accepting LDAP over SSL/TLS on port 636. I did not have to adjust the Windows Firewall on the DC.
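Because the DC silently picks a certificate on its own, it is worth confirming which one it chose and that port 636 really presents it. The script below is an added example, not part of the wiki page: it lists the candidate certificates in the Local Computer Personal store (Server Authentication EKU, private key present, name matching the DC), opens a TLS session to 636, and warns if the served certificate is not the longest-lived candidate. The DC name <code>dc-matt.lambnet.us</code> is an assumption taken from the page's other examples; run step 1 on the DC itself, since it reads the local store.

```powershell
# Added example (not from the wiki page): verify the certificate a DC selects for LDAPS.
# Assumed DC FQDN, taken from the page's deployment example.
$DcFqdn = "dc-matt.lambnet.us"

# 1. Candidate server certs in Cert:\LocalMachine\My: Server Authentication EKU
#    (OID 1.3.6.1.5.5.7.3.1), private key available, subject or SAN matching the DC.
#    Sorted so the longest-lived certificate (what Schannel prefers) comes first.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains "1.3.6.1.5.5.7.3.1") -and
        ($_.Subject -match [regex]::Escape($DcFqdn) -or $_.DnsNameList.Unicode -contains $DcFqdn)
    } |
    Sort-Object NotAfter -Descending

"Candidate certificates in the Personal store:"
$candidates | Format-Table Thumbprint, Subject, NotBefore, NotAfter -AutoSize

# 2. Open a TLS session to 636 and capture the certificate the DC actually served.
#    AuthenticateAsClient also validates the chain against this machine's trust store,
#    so an untrusted issuer surfaces here as an exception rather than a silent pass.
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($DcFqdn)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Served on 636: {0} (thumbprint {1}, expires {2}, protocol {3})" -f `
        $served.Subject, $served.Thumbprint, $served.NotAfter, $ssl.SslProtocol
}
finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

# 3. Flag a mismatch between what was served and what we expected the DC to choose.
if ($candidates -and $served.Thumbprint -ne $candidates[0].Thumbprint) {
    Write-Warning "DC is serving a certificate other than the longest-lived candidate in the store."
}
elseif (-not $candidates) {
    Write-Warning "No matching server certificate found in Cert:\LocalMachine\My; LDAPS is likely not enabled."
}
```

If the subject uses only the short hostname rather than the FQDN, adjust <code>$DcFqdn</code> accordingly; clients connecting by FQDN will otherwise fail hostname validation even though the DC is listening.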
==Deploy a new Headless Domain Controller==
Microsoft says ''headless'' = ''Windows Server Core''.
Follow these instructions to add a DC to an existing domain.
Start with a clean install of Windows Server Core.
===Establish Network Connectivity===
<pre>
Set-TimeZone -Id "Eastern Standard Time"
Rename-Computer -NewName "dc-matt" -Restart
# after the reboot, find the adapter name to use below
Get-NetAdapter
</pre>
<pre>
# static address for the new DC, pointing DNS at the existing DC
New-NetIPAddress `
    -InterfaceAlias "Ethernet" `
    -IPAddress 10.145.30.5 `
    -PrefixLength 29 `
    -DefaultGateway 10.145.30.1
Set-DnsClientServerAddress `
    -InterfaceAlias "Ethernet" `
    -ServerAddresses 10.145.30.4
</pre>
<pre>
# confirm connectivity and that the domain name resolves
Test-Connection lambnet.us
Resolve-DnsName lambnet.us
</pre>
===Enable SSH Access===
<pre>
Add-WindowsCapability -Online -Name OpenSSH.Server
Start-Service sshd
Set-Service -Name sshd -StartupType Automatic
# add firewall exception
New-NetFirewallRule `
    -Name "SSH Server" `
    -DisplayName "SSH Server" `
    -Enabled True `
    -Direction Inbound `
    -Protocol TCP `
    -Action Allow `
    -LocalPort 22
# set PowerShell as default shell
New-ItemProperty `
    -Path "HKLM:\SOFTWARE\OpenSSH" `
    -Name DefaultShell `
    -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -PropertyType String `
    -Force
</pre>
===Join Domain===
<pre>
# set an admin user here
$u = "LAMBNET\dave"
# and it'll prompt you for password, upon execution
$p = Read-Host "Password" -AsSecureString
$cred = New-Object System.Management.Automation.PSCredential($u,$p)
Add-Computer `
    -DomainName "lambnet.us" `
    -Credential $cred `
    -Restart
# after the reboot, confirm the machine is domain-joined
whoami
Get-ComputerInfo | Select CsDomain
</pre>
===Promote Server to Domain Controller===
<pre>
Install-WindowsFeature AD-Domain-Services
# set an admin user here
$u = "LAMBNET\dave"
# and it'll prompt you for password, upon execution
$p = Read-Host "Password" -AsSecureString
$cred = New-Object System.Management.Automation.PSCredential($u,$p)
Install-ADDSDomainController `
    -DomainName "lambnet.us" `
    -Credential $cred `
    -SiteName "MattNet" `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -NoGlobalCatalog:$false
</pre>
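Once the promotion reboot completes, the new DC should be verified before clients are allowed to depend on it. The script below is an added example (not from the wiki page) that collects in one place the checks the Domain Controller Admin and Diagnostics sections above perform by hand with <code>repadmin</code>, <code>nltest</code> and <code>dcdiag</code>: AD registration and site, the <code>_ldap._tcp.dc._msdcs</code> SRV record, the service ports a DC must answer on, replication partner state, and the SYSVOL share. It assumes the page's names (<code>lambnet.us</code>, <code>dc-matt</code>) and the ActiveDirectory module from RSAT; run it from an RSAT client or the DC itself.

```powershell
# Added example (not from the wiki page): post-promotion sanity check for a new DC.
# Assumes the page's domain and DC names; requires the ActiveDirectory (RSAT) module.
param(
    [string]$Domain = "lambnet.us",
    [string]$Dc     = "dc-matt.lambnet.us"
)
Import-Module ActiveDirectory

$results = [ordered]@{}

# 1. The DC object exists in AD and landed in the intended site (page uses "MattNet").
$dcObj = Get-ADDomainController -Identity $Dc -ErrorAction SilentlyContinue
$results["Registered in AD"] = [bool]$dcObj
$results["Site"]             = if ($dcObj) { $dcObj.Site } else { "n/a" }
$results["Global Catalog"]   = if ($dcObj) { $dcObj.IsGlobalCatalog } else { $false }

# 2. DNS: the DC-specific SRV record clients and other DCs use to locate it.
#    If this is missing, "nltest /dsregdns" on the DC forces re-registration.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
$results["SRV record published"] = [bool]($srv | Where-Object { $_.NameTarget -ieq $Dc })

# 3. Service ports a DC must answer on: Kerberos, LDAP, LDAPS, SMB (SYSVOL), RPC endpoint mapper.
foreach ($port in 88, 389, 636, 445, 135) {
    $results["TCP $port"] = (Test-NetConnection -ComputerName $Dc -Port $port `
        -WarningAction SilentlyContinue).TcpTestSucceeded
}

# 4. Replication: every inbound partner succeeded on its last attempt, no failures recorded.
#    Equivalent to eyeballing "repadmin /showrepl" and "repadmin /replsummary".
$partners = @(Get-ADReplicationPartnerMetadata -Target $Dc -Scope Server -ErrorAction SilentlyContinue)
$results["Replication partners"] = $partners.Count
$results["Last replication OK"]  = ($partners.Count -gt 0) -and
    -not ($partners | Where-Object { $_.LastReplicationResult -ne 0 })
$results["Replication failures"] = @(Get-ADReplicationFailure -Target $Dc -Scope Server `
    -ErrorAction SilentlyContinue).Count

# 5. SYSVOL is shared; group policy will not apply from this DC until it is.
$results["SYSVOL shared"] = [bool](Get-SmbShare -CimSession $Dc -Name SYSVOL -ErrorAction SilentlyContinue)

[pscustomobject]$results | Format-List
```

A freshly promoted DC often shows zero replication partners or an unpublished SRV record for a few minutes; rerun the script after the first replication cycle before treating either as a fault.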
==Using Linux BIND DNS Servers for Dynamic AD Updates==
See [[ISC Bind#Windows AD Dynamic Updates|ISC BIND]].
==RSAT Tools==
Use these tools to manage your DCs from a client Windows PC:
''Install on the client PC, not on a DC.''
<pre>
# Active Directory + GPMC
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools
# Group Policy specifically (usually included above, but explicit)
Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools
# DNS
Add-WindowsCapability -Online -Name Rsat.Dns.Tools
</pre>
<code>gpmc.msc</code> → Group Policy

<code>dsa.msc</code> → AD Users & Computers

<code>dnsmgmt.msc</code> → DNS Manager