It is a fairly straightforward procedure, since all we need is a bare-bones AD DS primary domain controller (PDC) with DNS. It is also much quicker and less error-prone to use PowerShell than the GUI.
There is some setup you need to do in GPC, which I will add when I find my notes, but I will link my Terraform config to set up a Windows Server 2022 instance.
Installing Active Directory
First things first:
Ensure the primary interface is configured to use a static IP address.
Start a PowerShell session as Administrator. (I recommend you go old school and run the PowerShell ISE so you can copy and edit the commands before you run them.)
NOTE:
You will get these warnings during promotion; you can ignore them (you did make the IP static, correct?). The first one also appears when only IPv4 is static and IPv6 is still auto-configured on the adapter.
WARNING: This computer has at least one physical network adapter that does not have static IP address(es) assigned to its IP Properties. If both IPv4 and IPv6 are enabled for a network adapter, both IPv4 and IPv6 static IP addresses should be assigned to both IPv4 and IPv6 Properties of the physical network adapter. Such static IP address(es) assignment should be done to all the physical network adapters for reliable Domain Name System (DNS) operation.
WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "ginaz.org". Otherwise, no action is required.
Procedure:
Install the Active Directory Domain Services (AD DS) role:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import the ADDSDeployment module:
Import-Module ADDSDeployment
Promote the server to a Domain Controller:
Install-ADDSForest -DomainName "ginaz.org" `
    -DomainNetbiosName "ginaz" `
    -InstallDns:$true `
    -NoRebootOnCompletion:$false `
    -SafeModeAdministratorPassword (ConvertTo-SecureString -String "XXXXXX" -AsPlainText -Force)
Explanation:
DomainName: The fully qualified domain name (FQDN) of your domain.
DomainNetbiosName: The NetBIOS name for your domain.
InstallDns: Installs the DNS server along with AD DS (set to $true).
NoRebootOnCompletion: Specifies whether to skip the reboot after installation ($false here, so the server reboots automatically when promotion finishes).
SafeModeAdministratorPassword: The password for the Directory Services Restore Mode (DSRM) administrator.
Reboot the system (only if you set -NoRebootOnCompletion:$true; with $false the server has already rebooted on its own):
Restart-Computer
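Two small checks bracket the procedure above: one to run before Install-ADDSForest, so the static-IP warning does not surprise you, and one to run after the reboot, to confirm the DC, its DNS zone and the SRV records clients use to find it are all in place. This is an added example, not part of the original post; the interface alias "Ethernet" and the domain ginaz.org are assumptions.

```powershell
# Added example (not from the original post). Pre-flight check before
# Install-ADDSForest and a health check after the reboot.
# Assumptions: primary interface alias "Ethernet", domain ginaz.org.

function Test-DcPreflight {
    param([string]$InterfaceAlias = "Ethernet")

    # The promotion warning fires for any adapter with a non-static address,
    # so look at both IPv4 and IPv6 on the primary interface.
    $addrs = Get-NetIPAddress -InterfaceAlias $InterfaceAlias |
        Where-Object { $_.AddressState -eq 'Preferred' }

    foreach ($a in $addrs) {
        # Manual = statically assigned; WellKnown = link-local (fine);
        # Dhcp / RouterAdvertisement = dynamic, which triggers the warning.
        $static = $a.PrefixOrigin -in @('Manual', 'WellKnown')
        "{0,-6} {1,-40} origin={2,-20} {3}" -f $a.AddressFamily, $a.IPAddress,
            $a.PrefixOrigin, $(if ($static) { 'OK' } else { 'NOT STATIC' })
    }

    if ($addrs | Where-Object { $_.PrefixOrigin -in @('Dhcp', 'RouterAdvertisement') }) {
        Write-Warning "A dynamically assigned address is present; expect the static IP warning."
    }
}

function Test-DcHealth {
    param([string]$DomainName = "ginaz.org")

    # Core DC services must be running after promotion.
    Get-Service NTDS, DNS, Kdc, Netlogon | Format-Table Name, Status -AutoSize

    # The domain exists and its AD-integrated DNS zone was created.
    (Get-ADDomain).DNSRoot
    Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
        Select-Object ZoneName, ZoneType, IsDsIntegrated

    # Clients (and VAST nodes) locate the DC through this SRV record; if the
    # DNS client on the DC does not point at itself, this lookup fails.
    Resolve-DnsName "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server 127.0.0.1 |
        Select-Object Name, NameTarget, Port

    # Built-in diagnostic covering the DNS tests the promotion warnings refer to.
    dcdiag /test:dns
}
```

Run Test-DcPreflight before promotion and fix any address reported as NOT STATIC; run Test-DcHealth after the reboot, once the NTDS and DNS services show Running.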
Configuring AD and extracting OU information to configure VAST
Create OU for VAST and setup redirection:
Create a new OU (here named VAST):
New-ADOrganizationalUnit -Name "VAST" -Path "DC=ginaz,DC=org"
Redirect new computer accounts to the new OU (redircmp changes the domain's default computers container, so any machine joined without an explicit OU lands here; with the default ms-DS-MachineAccountQuota of 10, that includes machines joined by ordinary authenticated users):
redircmp "OU=VAST,DC=ginaz,DC=org"
Move existing computer accounts if needed:
Get-ADComputer -SearchBase "CN=Computers,DC=ginaz,DC=org" -Filter * |
ForEach-Object {
    Move-ADObject -Identity $_.DistinguishedName -TargetPath "OU=VAST,DC=ginaz,DC=org"
}
Get AD OU information for configuring VAST AD integration:
Sometimes it can be difficult to get the exact information you need through GUIs or by asking questions. Fortunately, there are a few PowerShell commands you can use.
NOTE: You will need the AD PowerShell modules; most AD domain controllers should already have them installed.
Domain Information -
PS C:\> (Get-ADDomain).DistinguishedName
DC=ginaz,DC=org
OUs for adding servers (VAST was added previously):
PS C:\> Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName
Name DistinguishedName
---- -----------------
Domain Controllers OU=Domain Controllers,DC=ginaz,DC=org
VAST OU=VAST,DC=ginaz,DC=org
Find the Admin users - needed for domain join later. (A Domain Admins account works as the VAST bind/join account, but it is far more privilege than the task needs; a dedicated account with rights delegated only on the VAST OU is the safer choice.)
PS C:\> Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object Name, SamAccountName, ObjectClass
Name SamAccountName ObjectClass
---- -------------- -----------
Administrator Administrator user
Get the Bind DN for an Admin user that can add servers (clusters) to a domain:
PS C:\> Get-ADUser -Identity "Administrator" | Select-Object DistinguishedName
DistinguishedName
-----------------
CN=Administrator,CN=Users,DC=ginaz,DC=org
Enable local Administrator login via Remote Desktop Protocol (RDP) - (optional)
Ensure that RDP is enabled (this registry value only permits connections; the "Remote Desktop" firewall rule group must also be enabled, or port 3389 stays blocked):
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\' -Name 'fDenyTSConnections' -Value 0
Enable the Administrator account. Note that a domain controller has no separate local SAM: the "local" Administrator here is the domain's built-in Administrator account.
Enable-LocalUser -Name "Administrator"
Add the Administrator account to the "Remote Desktop Users" group:
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "Administrator"
Set the password (a literal password in a script ends up in the PowerShell history and any saved copy; Read-Host -AsSecureString avoids that):
$password = ConvertTo-SecureString "XXXXXX" -AsPlainText -Force
Set-LocalUser -Name "Administrator" -Password $password
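Flipping fDenyTSConnections exposes the DC's logon screen to whoever can reach port 3389. A tighter version of the optional RDP step above, added here as an example (not from the original post), requires Network Level Authentication and opens the firewall only to a management subnet. The subnet 10.0.0.0/24 is an assumed value; replace it with your own.

```powershell
# Added example (not from the original post): enable RDP with Network Level
# Authentication and scope the firewall rules to a management subnet.
# Assumption: 10.0.0.0/24 is the management range; change it for your network.
$MgmtSubnet = "10.0.0.0/24"
$TsPath     = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'

# Allow RDP connections and require NLA, so the client authenticates (CredSSP)
# before a session and the logon screen are created.
Set-ItemProperty -Path $TsPath -Name 'fDenyTSConnections' -Value 0
Set-ItemProperty -Path "$TsPath\WinStations\RDP-Tcp" -Name 'UserAuthentication' -Value 1

# Enable the built-in rule group (the registry value alone leaves 3389 blocked)
# and restrict its remote address from Any to the management subnet.
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Get-NetFirewallRule -DisplayGroup "Remote Desktop" |
    Set-NetFirewallRule -RemoteAddress $MgmtSubnet

# Verify: NLA flag set, rules scoped, port listening locally.
(Get-ItemProperty -Path "$TsPath\WinStations\RDP-Tcp").UserAuthentication
Get-NetFirewallRule -DisplayGroup "Remote Desktop" |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Test-NetConnection -ComputerName localhost -Port 3389 -InformationLevel Quiet
```

Adding Administrator to "Remote Desktop Users" is then unnecessary on a DC, where members of Domain Admins already have the logon right; the group is for non-admin accounts you want to allow in.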
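Returning to the Bind DN extracted earlier for the VAST domain join: handing VAST the Domain Admins Administrator account means a compromised cluster credential is a compromised forest. The following added example (not from the original post) creates a dedicated account and delegates it only the rights to create and manage computer objects in OU=VAST, then reads back its Bind DN. The account name svc-vast-join is an assumption, as is the exact set of rights VAST needs; CC/DC on computer objects plus full control over the resulting computer objects is the common delegation for a join account.

```powershell
# Added example (not from the original post): a least-privilege bind/join
# account for VAST instead of the built-in Administrator.
# Assumptions: account name svc-vast-join, domain ginaz.org / NetBIOS ginaz,
# target OU OU=VAST,DC=ginaz,DC=org.
$Domain   = "ginaz.org"
$NetBIOS  = "ginaz"
$TargetOU = "OU=VAST,DC=ginaz,DC=org"
$Svc      = "svc-vast-join"

# Prompt for the password instead of embedding it in the script.
$pw = Read-Host -AsSecureString "Password for $Svc"

New-ADUser -Name $Svc -SamAccountName $Svc `
    -UserPrincipalName "$Svc@$Domain" `
    -Path "CN=Users,DC=ginaz,DC=org" `
    -AccountPassword $pw -Enabled $true `
    -KerberosEncryptionType AES256 `
    -Description "VAST AD integration bind/join account"

# Delegate on the OU only:
#   /I:T  this object and descendants: create/delete child computer objects
#   /I:S  descendants only: full control over computer objects beneath the OU,
#         needed to set the machine password, dNSHostName and SPNs on join.
# ${Svc} is braced so PowerShell does not read "$Svc:" as a scope qualifier.
dsacls $TargetOU /I:T /G "$NetBIOS\${Svc}:CCDC;computer"
dsacls $TargetOU /I:S /G "$NetBIOS\${Svc}:GA;;computer"

# The Bind DN to configure in VAST, and a check that the ACEs landed.
(Get-ADUser -Identity $Svc).DistinguishedName
dsacls $TargetOU | Select-String $Svc
```

The account deliberately has no group memberships beyond Domain Users; if the join later fails with an access-denied error, extend the delegation on OU=VAST rather than adding the account to Domain Admins.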