Windows Server and Active Directory
- Infrastructure
- Servers
- ADDS
- Active Directory
Intro
Windows Server is pervasive in the corporate IT world, and many employers are looking for people with Active Directory experience. I've only touched Windows Server once before, around 2017, for a total of a few days. Recently, however, I've been searching for jobs, and so many want ADDS experience, so four days ago I installed Windows Server 2019 Evaluation. Why not 2022? I had access to a 2019 CD key.
Active Directory
What is it? I had no idea, to be honest. What's it used for? Again, no clue. I decided to jump in head first. I had a vague idea that it'd make file sharing easier and more secure when using SMB; how and why, once again, not a clue. So I installed it, without ever activating the Windows Server installation.
I started on Windows Server Standard Core edition. I'd prefer not to use a GUI.
Installing it
Install-WindowsFeature -name AD-Domain-Services -IncludeManagementTools
Great, now it's installed but not doing anything. To actually have it do things, I needed to create something called a Forest.
Install-ADDSForest -DomainName ad.centerionware.com -ForestMode Win2012 -DomainMode Win2012 -DomainNetbiosName CENTERIONWARE -InstallDns:$true
At first I had set the DomainName to just centerionware.com, but that conflicts with the existing infrastructure, so setting it to a subdomain that doesn't exist was a far better option. I also left WOSHUB as the NetBIOS name, because I copied the original command from their site and didn't know what it meant. The following snippet was used to change the domain and NetBIOS name. I tried a few other things from around the internet first, which would fail because of the file encoding.
# Names as they currently stand in the forest, and what they should become
$OldDNSName="centerionware.com"
$NewDNSName="ad.centerionware.com"
$OldNetBIOSName="WOSHUB"
$NewNetBIOSName="CENTERIONWARE"
# Write the current forest description to .\Domainlist.xml
rendom /list
# Swap the DNS name; write the file back as Unicode (UTF-16) so rendom still reads it (the encoding is what broke the earlier attempts)
$Domainlist = Get-Content .\Domainlist.xml
$Domainlist | % { $_.Replace($OldDNSName,$NewDNSName) } | Set-Content .\Domainlist.xml -Encoding Unicode
# Same again for the NetBIOS name element
$Domainlist = Get-Content .\Domainlist.xml
$Domainlist | % { $_.Replace("<NetBiosName>$OldNetBIOSName</NetBiosName>","<NetBiosName>$NewNetBIOSName</NetBiosName>") } | Set-Content .\Domainlist.xml -Encoding Unicode
# Review the edited description, then upload it to the domain naming master
rendom /showforest
rendom /upload
# The rename itself then continues with rendom /prepare, rendom /execute (the DCs reboot), gpfixup for Group Policy paths and rendom /end
Integrate with Bind9
This is when I found out there's still more to do. Either I let this Active Directory server be the DHCP server and the main DNS server on my LAN, or I integrate it into my existing Bind9 infrastructure. Of course I'm not going to have this new server I know very little about be my DNS and DHCP server, so the answer was simple, although it took me about 7 hours to actually get something working. So many suggestions, "stub zones, delegation zones, forwarding zones"; at one point I had a halfway-working forwarding zone, but it only worked on the primary (master) Bind9 server. When I zone-transferred to the secondary (slave) server, it would throw out the forwarding information. So that idea was a bust.
What did end up working was creating a slave zone for ad.centerionware.com on both the primary and secondary Bind9 servers, and setting the master server to the IPv4 address of the Active Directory server. I tried IPv6 too, but those won't update, probably because they need to be explicitly allowed by the Active Directory server.
After doing that, it still didn't work, because I needed to allow the Bind9 servers as secondaries on the Active Directory DNS server.
dnscmd ad.centerionware.com /zoneresetsecondaries ad.centerionware.com /securelist 192.168.255.1 192.168.255.4
Once that's done, the primary and secondary DNS servers are permitted to get zone transfers from the Active Directory server. However, neither the primary nor the secondary had actually initiated a zone transfer at this point. To get it going I needed to log in to both servers and run
rndc retransfer ad.centerionware.com
Now the Bind9 servers are populated with the domain information provided by Active Directory, and resolution can start working. From here I was able to log my Windows Professional PC in to the domain ad.centerionware.com (or CENTERIONWARE using the NetBIOS name).
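The zone-transfer step above, done from PowerShell on the domain controller instead of dnscmd, with a check that the Bind9 servers really serve the records a domain join needs. This is an added example, not code from the original post; it assumes the zone name and secondary addresses used above (ad.centerionware.com, 192.168.255.1 and 192.168.255.4) and that the DnsServer module from the DNS management tools is present. On the Bind9 side this pairs with a secondary (`type slave`) zone whose masters list holds the DC's IPv4 address.

```powershell
# Added example (not from the original post): restrict the AD zone's outbound
# transfers to the two Bind9 secondaries, have the DC notify them of changes,
# then confirm each secondary answers for the records clients depend on.
# Assumed values: zone name and secondary addresses as used in the post.
$Zone        = 'ad.centerionware.com'
$Secondaries = @('192.168.255.1', '192.168.255.4')

# A zone transfer hands out every host, DC and service record in the domain,
# so allow it only to an explicit list (the equivalent of dnscmd /securelist).
# NotifyServers makes the DC send DNS NOTIFY to the same list, so the Bind9
# secondaries refresh on change instead of waiting for the SOA refresh timer
# or a manual "rndc retransfer".
Set-DnsServerPrimaryZone -Name $Zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $Secondaries `
    -Notify NotifyServers -NotifyServers $Secondaries

# Show what the zone now allows.
Get-DnsServerZone -Name $Zone |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers

# Ask each Bind9 server directly for the records a domain join depends on:
# the LDAP and Kerberos SRV records under _msdcs, and the domain's own A record.
$Checks = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$Zone";     Type = 'SRV' },
    @{ Name = "_kerberos._tcp.dc._msdcs.$Zone"; Type = 'SRV' },
    @{ Name = $Zone;                            Type = 'A'   }
)
foreach ($Server in $Secondaries) {
    foreach ($Check in $Checks) {
        try {
            $Answer = Resolve-DnsName -Name $Check.Name -Type $Check.Type `
                -Server $Server -DnsOnly -ErrorAction Stop
            "{0,-16} {1,-4} {2,-45} OK ({3} answer(s))" -f $Server, $Check.Type, $Check.Name, @($Answer).Count
        } catch {
            "{0,-16} {1,-4} {2,-45} FAIL: {3}" -f $Server, $Check.Type, $Check.Name, $_.Exception.Message
        }
    }
}
```

If a Bind9 server reaches the DC over IPv6, its IPv6 source address has to be in the same secure list, which is consistent with the IPv6 secondaries above never updating. A FAIL line for the SRV records on a server that answers the A record usually means that server holds a stale copy and needs the retransfer described above.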
TrueNAS Scale
Integrating it into TrueNAS Scale was extremely easy, using the Credentials -> Directory Services menu built into the TrueNAS WebUI.
But then it was stuck on Joining; running the command midclt call activedirectory.lookup_dc ad.centerionware.com in the TrueNAS shell fixed this issue and allowed it to finish joining.
Of course doing this caused all the SMB shares to no longer work how they used to, and to get things going again I had to create ACLs for the new AD users and groups I set up on the server. But how do I set those up?
Logging in as Administrator
Now that things were set up to a point, I was able to use my desktop PC to log in to the domain as Administrator, and could install the RSAT (Remote Server Administration Tools), which let me create users and groups on the domain without directly managing it on the server itself.
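The same job from PowerShell with the ActiveDirectory module that RSAT installs, building the groups and the user that the NAS ACLs refer to. This is an added example, not code from the original post; the OU, group and user names are made up, the domain DN is read from the domain rather than hard-coded, and the password is prompted for instead of written into the script.

```powershell
# Added example (not from the original post): create an OU, one security group
# per share access level and a user, then put the user in a group, so the
# TrueNAS ACLs can reference the group rather than individual accounts.
# Assumed names: the OU, groups and user below are invented for this example.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName      # e.g. DC=ad,DC=centerionware,DC=com
$OU       = "OU=NAS,$DomainDN"

if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$OU'")) {
    New-ADOrganizationalUnit -Name 'NAS' -Path $DomainDN
}

# Global security groups: share permissions are granted to these, and access
# changes become membership changes instead of ACL edits on the NAS.
foreach ($Group in 'nas-share-rw', 'nas-share-ro') {
    if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
        New-ADGroup -Name $Group -SamAccountName $Group `
            -GroupScope Global -GroupCategory Security -Path $OU
    }
}

# A day-to-day account that is not Domain Admin; the password is read
# interactively so it never sits in the script or in shell history, and the
# user must change it at first logon.
$User = 'jdoe'
if (-not (Get-ADUser -Filter "SamAccountName -eq '$User'")) {
    $Password = Read-Host -Prompt "Initial password for $User" -AsSecureString
    New-ADUser -Name $User -SamAccountName $User `
        -UserPrincipalName "$User@$($Domain.DNSRoot)" `
        -AccountPassword $Password -Enabled $true -ChangePasswordAtLogon $true `
        -Path $OU
}

# Add to the read/write group only if not already a member.
$Members = Get-ADGroupMember -Identity 'nas-share-rw' | Select-Object -ExpandProperty SamAccountName
if ($Members -notcontains $User) {
    Add-ADGroupMember -Identity 'nas-share-rw' -Members $User
}

# Check the result: group membership is what the NAS-side ACL keys on.
Get-ADGroupMember -Identity 'nas-share-rw' | Select-Object SamAccountName, objectClass
Get-ADUser -Identity $User -Properties MemberOf | Select-Object SamAccountName, Enabled, MemberOf
```

Once the groups exist, the TrueNAS ACL for a share's top-level dataset is granted to CENTERIONWARE\nas-share-rw or nas-share-ro, and adding or removing someone is done in the domain rather than on the NAS.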
Activating Windows
Now that things were running, the NAS was working with domain users and groups, and my PC was logged into the domain, I figured I should activate Windows. This is where I kept running into problems. dism /online /Get-TargetEditions would only ever return ServerDatacenterCor. I kept trying things, and then read that I can't change 'editions' of Windows when it's running as an active domain controller. At first I tried to create a second domain controller, and it seemed to be going fine, but after 3 hours of waiting it seemed to be stuck doing... something, I don't know what. I rebooted the second server. The second server was listed as a domain controller in the RSAT tools, and I couldn't delete it from there, but the second server would say that it wasn't a domain controller. I couldn't figure any of it out, so I nuked the whole system and started again.
After installing ServerStandardCore again, I tried first to activate it with the CD key, but then I had the same issue where dism /online /Get-TargetEditions would still return the same ServerDatacenterCor. Perplexed, I wandered the internet and found it's a common problem. Some kind of bug that was fixed at one point then came back, or something. So I nuked that VM once again and installed the Standard Desktop Experience to see if things would be any different. Guess what, same thing.
I'm currently still running this last install with Desktop Experience, because I did find a way to activate it.
To summarize: first activate with a generic KMS client key, then run a couple of commands to install the actual key.
# Switch the edition using Microsoft's generic KMS client setup key for Server 2019 Standard
DISM /online /Set-Edition:ServerStandard /ProductKey:N69G4-B89J2-4G8F4-WWYCC-J464C /AcceptEULA
# Uninstall the generic key, install the real key, then activate online
slmgr.vbs /upk
slmgr.vbs /ipk <MY_KEY_HERE>
slmgr.vbs /ato
I'm curious now whether this would have worked on the Core version; I don't see why it wouldn't have. But now I'm going to just leave the Desktop Experience, because most of the tutorials for Windows Server online have images for doing things through the desktop, and getting it done in PowerShell seems to be more... esoteric/arcane type knowledge.
End
Now that Windows was activated, I set up Active Directory again, followed all the previous steps, and things seem to be working just fine. TrueNAS is sharing with the domain users. However, I did have a slight issue trying to cut and paste a file from one SMB share to another: it turns out I had to go into the TrueNAS CLI (via SSH) and set the user and group on the share's top-level folder. For whatever reason, setting the ACLs via the UI worked for all the things inside the folder but didn't work on that folder itself (though it worked on others), so just something to keep an eye out for in the future. Now I've got to create a user for Proxmox; most of the shares it mounts are via NFS, but I have one set up with SMB. Not for any really good reason, it's just that way because that's the way I did it. Probably just testing to make sure it would work as expected. That particular mount is used for backups of a certain semi-critical VM, so I'll go fix that after finishing up this. Speaking of..