Setting up Active Directory - woes and considerations

Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.

SecCon

Arkham Asylum Server Mgmt
May 26, 2022
292
65
28
I have tried this a couple of times before and failed. But I would like this to work, at least as a small experimental setup with only three desktops and as few "features" as possible to start with. The main reason to even attempt this would be to ensure proper client patching.

Last time I failed was because I did not understand the local domain controller setup, or the need for local DNS servers. Server 2022 seems to have a more flexible approach to these requirements, according to this guide: Install and Configure Active Directory on Windows Server 2022 - TurboGeek which I intend to follow.

I will be asking things below, hoping for answers. I have a Firewall that may or may not require some attention towards this, but I address that in another place.

First question; I already run a standalone FileShare on that server, and wonder if that will be affected somehow?
 

DavidRa

Infrastructure Architect
Aug 3, 2015
336
156
43
Central Coast of NSW
www.pdconsec.net
No, the file share won't be a big problem, though permissions could get iffy. You might need to look at permissions after the DC promotion.

If this is your first domain deployment, some unsolicited tips:
  • Install the DNS role on your DCs. Once you're done configure ALL your devices to use the DCs and only the DCs for DNS
  • If you want to continue using an existing pihole or similar, use forwarding on the DNS servers to do that. (you can exclude the pihole from your DC DNS config)
  • Make your NetBIOS name the same as the leftmost label in DNS (for example, BOBDOMAIN matched with bobdomain.dns.example.com is fine, bob matched with bobdomain.example.com isn't great). Windows will suggest it, don't override.
  • Create your AD structure under a single Organizational Unit, and leave the default structures and policies in place. For example, create a Lab OU and put your Workstations, Servers, Groups and Users underneath Lab.
  • Don't create stuff in Users, don't move things out of, or into, Domain Controllers
  • If you want to build Group Policy, assign it to the right levels. Stay away from these (just ... don't do it till you know a lot more):
    • Blocking Inheritance
    • Enforcing Policies
    • Loopback
 
  • Like
Reactions: SecCon

SecCon

Arkham Asylum Server Mgmt
May 26, 2022
292
65
28
hum... lemme see, some considerations and additional questions to that

The current Fileshare is shared with one (1) account that is admin and all has access to. (Backup not so much).
Everyone has access to that via a shared mapping with those credentials. That works fine, even considering they use their respective Microsoft Account to logon to the local machines - W11 Pro btw -, the moment I start using the AD DC for that and start creating accounts and joining computers things will happen.

Problem is I have no clue as to what will happen to accounts, or access rights, when going from Microsoft Account to local domain accounts.

Any ideas on that?
 
Last edited:

DavidWJohnston

Active Member
Sep 30, 2020
274
232
43
When you promote a server to a DC, and it's the first DC in a new domain, any existing local accounts on that server are migrated into AD and their filesystem permissions will be migrated as well - But the SID will change, and the domain prefix will change, so in many cases the drive will need to be re-mapped with domain-specific creds. (Ex: "domain\username" instead of simply "username")

When you join client machines to a domain and authenticate with newly created domain user accounts, the users' profiles will change (ie their Desktop, Documents, Favorites, etc will all start from fresh). You will see in C:\Users your existing local PC accounts will be like "username" and the new ones will be like "username.DOMAIN" if the username is the same. So all their stuff will still be on-disk, but not migrated to the new profile.

The process from the users' perspective will look like this: First sign-on after joining the domain. Let's say the user used to sign in with "localuser":

1697404414526.png

First sign-on, they need to click "Other User", then it will direct them to a domain sign-on (in my case, my domain is called NEXUS). Then they type in their new domain username you give them, their default password, then click the arrow:

1697404541779.png

Once this is done, they will be presented with a completely fresh desktop, Documents, etc. You can map drives automatically via GPO, but they will only fully map on the 2nd logon to the domain.

In the case above, the local username and domain username are different, so you'd have C:\Users\localuser and C:\Users\myDomainUsername for the old and new profiles respectively.

So if you create domain user accounts for everyone, (ex. Alice, Bob, Mary) - After joining their PC to the domain, and they sign in, you can deploy a script/preference to give them permissions to their previous profile to manually migrate stuff. There is a way to migrate whole profiles but this is hard and full of problems.

Being a DC, SMB signing will also be enabled for lower SMB protocols, which may affect share performance and CPU load depending on your clients and workload.

But I would like to know - Your reason for implementing AD is patching? But AD doesn't really help you with that. Do you want to deploy WSUS? That is probably not what you want. Here's why:

When you have your PCs connect to MS Update on their own, and you enable updating all MS products, all potential updates will be available to them. But when you deploy WSUS, you need to select from a checkbox list of products and update classifications you want to be able to push. If you select all of them, you will end up with a slow, bloated WSUS database and a new product could be added at any time and you'd be missing the updates unless you update WSUS and manually go through the products and classifications checkbox lists.

And even then - You don't need AD to deploy WSUS - You can use registry edits to point PCs to your WSUS server if you really want WSUS for some reason.

Implementing AD when you don't need to or want to is going to be incredibly frustrating because it is complex. It's taken me years of working in IT and tinkering with it to really understand how little I actually know about it.

But I'm happy to help you. Good Luck!
 

SecCon

Arkham Asylum Server Mgmt
May 26, 2022
292
65
28
@DavidWJohnston I appreciate your insight and you raise some interesting points.

I see AD as a Swiss knife that can be used to control the attached clients, their environment, and, to some extent, users. What you bring to bear is the hassle to actually implement AD based user accounts, when you already have well used accounts. Migration-confusion-supporting. I can already picture my wife after the first login, glaring at me and asking "Where did you put my files!? EH?" :rolleyes:

Thing is, I am not really new to AD, but I have always worked with it in an established environment and with custom tools. Making my own AD from scratch is kinda on my Bucket list. Yes, I would make an AD even if its usability is limited by other circumstances.

In regards to patching and updates, I thought I would have some kind of monitoring and tools available for connected clients, but then I only get that after I implement WSUS and that is still not really better than getting a list and executing updates manually. No automation, from what I understand.

Assigning mapped shares with GPO is on the plus side. Exactly the kind of automation and control I am after, less hazzle user-side, but how do you mean only available on the 2nd logon?

I can also imagine several security related settings being implemented, not least password complexity and similar items. In this I see it more like training myself.
 

ecosse

Active Member
Jul 2, 2013
466
113
43
Bit like David says, stay away from GPO's until you are confident or if you want to experiment create a test OU, move user and computer objects in there and only link your test GPO's to that OU first. Once saw a bad GPO link destroy 110,000 workstations in a single mouse movement.
 

DavidWJohnston

Active Member
Sep 30, 2020
274
232
43
Yeah I understand what you're saying - Crossing stuff off the IT bucket list and experimenting with tech is why we're all here, I think everyone who reads this thread can relate to that!

With WSUS, you do get automation. You can create groups, put your machines in groups, then approve updates to specific groups. Upon approval, if your GPO is so configured, updates will be applied to your clients automatically, and you get reporting of what's installed where. You can also set updates for auto-approve, for example critical security updates.

The "issue" with WSUS is the product selection. With vanilla Windows Update, you can easily install any update, like Office, device drivers, Visual Studio, and it's completely seamless. With a full database it requires a lot of computing resources to run WSUS.

The 2nd logon issue: When a user logs into Windows, the OS presents the desktop to the user before all the services are ready to make it feel faster. Sometimes this means the effectiveness of GPOs doesn't happen until the 2nd logon. You can turn off this behavior, but it makes the logon slow. There are other things you can do, like use logon/startup scripts.

This 2nd logon thing is just one of the MANY hitches you will run into. There are dozens more you will find, and when you Google you will find everyone else has them too.

Yes others posted about GPOs - It's not always possible to reverse the effect of a GPO. I saw IPSec policies ruin a network because they blocked traffic to most servers, including the DCs which needed comms to reverse the policies.

Ultimately, don't join everyone to AD right away. Do it first for yourself, solve all the problems one-by-one, create a test user and delete the profile to simulate the first logon experience your users will see so you can catch problems before they do.

DNS is also super important, as is the name of the domain itself. Lots of best practices apply to those decisions. So go ahead and do it, but don't expose your users to the changes until you've got it all working and properly tested.

Good Luck!
 

awedio

Active Member
Feb 24, 2012
779
228
43
I'm just curious if any of you have used/found any good YT videos for "setting up" AD?
 

SecCon

Arkham Asylum Server Mgmt
May 26, 2022
292
65
28
I'm just curious if any of you have used/found any good YT videos for "setting up" AD?
I prefer written information, it is way easier to scroll text than vids. It is also a lot easier to understand most text than many vids.

Setting up AD is easy. having a good OU/domain design is the art form...
It may become easy once you done it a few times, and successfully for that part. Stating that something is "easy" and not in any other way contributing to why or how is not very constructive.

Having worked with people who's job actually was fiddling with GPO's I seem to recall some frustration on a daily basis, and this was with SRV 2016... from what you guys imply it is still not "frustration-free"... ;)

Since having a plan and get it in to writing, plus documenting every step, is kinda important I will start with that and see what steps follows.

@DavidWJohnston you are of course right, one account and computer at a time. Fortunately I have some spare laptops I can test with. The main concern is how a DC promotion affects the rest of the network, but I should be ok as long as I do not join it... Maybe I should consider a separate comp, virtual or otherwise, for the first DC and not my main server as of yet.

Hum, coming to think of it I have a SuperMicro Server I am not currently using... that could be a suitable sacrifice to the AD DC Gods...
 
Last edited:
  • Like
Reactions: seadog2441

awedio

Active Member
Feb 24, 2012
779
228
43
I think it would be ok to share Carl Webster's AD guide. I always use it as reference material!
 
  • Like
Reactions: SecCon

SecCon

Arkham Asylum Server Mgmt
May 26, 2022
292
65
28
  • Like
Reactions: PeterF

SecCon

Arkham Asylum Server Mgmt
May 26, 2022
292
65
28
But why does he do all that in VMWare... I dumped my ESXi 7 servers years ago... and cancelled my WMUG, due to VMwares stringent and obnoxious hardware requirements.

Going to have to read very selectively...
 

SecCon

Arkham Asylum Server Mgmt
May 26, 2022
292
65
28
Small update.
I will keep posting those here as a bit of a LOG...

OS (Srv 2022) has been installed and fully updated. 21H2.
(On a 256GB NVME with Xeon E3 1585 v5 and 32GB of DDR4 RAM running at 2133)

All that remains is all the rest:
  • Local IP 192.168.1.42 - need to sort out active NIC's. There are 4 ports. (One is shared with BMC Out-of-Band management on *.*.*.40)
  • Device drivers checked, had to install an Intel Integrated Sensor Hub driver manually.
  • SFC and DISM checks for Image health. OK.
  • Service account for my Lansweeper monitoring added.
  • Monitoring application for my Lansweeper installed.
  • FS share from my main server persistently mapped.
  • Network discovery - private - turned ON.
  • Removed "Feature" Azure Arc Setup.
 
Last edited:

SecCon

Arkham Asylum Server Mgmt
May 26, 2022
292
65
28
Having two NIC's connected gives the usual woes about which to use, depending on how Windows set them up.

Code:
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : homered*
   Link-local IPv6 Address . . . . . : fe80::cd12:80f7:45b7:7e%5
   IPv4 Address. . . . . . . . . . . : 192.168.1.42
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Onboard LAN 1:

   Connection-specific DNS Suffix  . : homered*
   Link-local IPv6 Address . . . . . : fe80::1c1d:2cb7:4c17:8160%7
   IPv4 Address. . . . . . . . . . . : 192.168.1.214
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

1697787286085.png

Since I need the BMC connected no matter what and have that assigned in my Router as a static IP address on 192.168.1.40 anyways I think I will disconnect the other one to prevent confusion.

Also pondering whether I should disable IPV6 or not....I do not think it will matter, but still typing it here in case someone start screaming about what to do or not... :)

BTW, if you wonder about the term "homered" it is a variation of "homenet" using the Spanish word "red" instead of "net". I find it easier to say.
---

LOG entry
  • Added dedicated hostname "wsrvaddc1" to my Host Table for IP 192.168.1.42 on the Router, also as static entry in DHCP.
  • Disconnected network cable for "Onboard LAN 1" as listed above - keeping only "Ethernet".
 
Last edited:

SecCon

Arkham Asylum Server Mgmt
May 26, 2022
292
65
28
Network, continued.

This is still before installing any DC or AD components.

So this was interesting. In the first tutorial I link ( Install and Configure Active Directory on Windows Server 2022 - TurboGeek ) they tell you to use 127.0.0.1 as DNS. But then I read Carl Websters text about creating AD and it says ( 14 Building Webster’s Lab V2 – Create Active Directory | Carl Webster ) :

My AD mentors taught me over the years that on the first DC, the Preferred DNS Server should be the DC’s IP address, and, at this time, the Loopback address should be Secondary. I recommend changing the DNS servers, as shown in Figure 5.
So the result, for me, is this:

1697798355181.png

Of course Windows will have views on my selection:

1697798592177.png

There are no Gateways but one... silly OS...
I answer Yes.

(You might also get an error about no DHCP and Windows will want to troubleshoot this, ignore that.)

And everything still works. Yay.
---
Edit
Damn, spoke to soon. No Internet connected. Reverting back to one DNS entry at 127.0.0.1.
 
Last edited:

SecCon

Arkham Asylum Server Mgmt
May 26, 2022
292
65
28
AD installed and DC promotion executed.

No additional tampering with network, lets see how stuff goes from here.

Now I should be able to add some users and computers...
 

SecCon

Arkham Asylum Server Mgmt
May 26, 2022
292
65
28
DNS is messing with me. I shall gather more info and scream for help. Right now swearing over a ChatGPT prompt.

Ah, the DNS is resolving "itself" on a 169.254.*.* address. DaFu.