\n\nThis page has been machine-translated from the original page.
\n
These are my notes from when I built an AD environment in my lab.
\nFor now, I have summarized the steps and troubleshooting up to configuring the domain controller and joining a client to AD.
\nI plan to add more if I try other configurations.
\n\nIn an AD environment, resources are managed by the domain controller (DC).
\nThe feature that provides this domain controller functionality is AD DS.
\nIn the AD DS environment built here, organizational unit resource groups (OUs) are created to manage objects such as users and servers.
\nPermissions and settings can also be defined through Group Policy.
\nIn an AD environment, a collection of domains is called a forest. When creating AD, you always need one forest and one domain.
\nThis is the configuration information for the Windows Server used as the AD server.
\nIf the computer name is 15 bytes or longer, it will be shortened when converted to a NetBIOS name.
\nFirst, add a server role and enable Active Directory Domain Services.
\nThe default settings are fine, so set a password under Domain Controller Options.
\nThis completes the AD environment setup.
\nAfter this, the other machines built in the lab environment will be added to AD and managed with Group Policy.
\nWhen joining a server to the AD you created, you need to configure the preferred DNS server on the joining server to use the domain controller’s IP address.
\nTo make this easier, set a static IP address on the domain controller side.
\nWhen I opened the network properties, the preferred DNS server was set to localhost by default.
\nWith that setting left as is, all that remains is to set a static IP address.
\nFrom [Tools] in Server Manager, open [Active Directory Users and Computers] and confirm that the combination of the computer name you set and the root domain name is correctly configured as the DNS name in [Domain Controllers].
\nNext, open [DNS] from [Tools] in Server Manager and confirm that the zones related to the AD you created are configured in Forward Lookup Zones.
\nFinally, start PowerShell and confirm that the domain controller’s address can be resolved correctly for the domain you created.
\n$ nslookup hackroom.lab\nサーバー: localhost\nAddress: ::1\n名前: hackroom.lab\nAddresses: 2001:f71:81a0:3a00:3086:3ad5:664d:d4e0\n 192.168.100.50The preferred DNS server on the AD server is defined as localhost by default after promotion to domain controller.
\nThis confirms that it can resolve its own address under the name hacklab.local.
Immediately after configuring AD, only the default users are registered, so add a user.
\nOpen [Active Directory Administrative Center] from [Tools] in Server Manager.
\nHere, as shown above, right-click Users in the registered domain and create a new user.
\nHere, I created a user named TESTUSER.
\nIn my environment, there was an error saying that the DNS server could not open a socket on 192.168.100.50.
I messed this up in my environment.
\nI had to rebuild AD.
\nReference: Active Directoryのドメイン名に「.local」を使ってはいけない件 - asohiroblog
\nIt seems that joining AD can fail if name resolution uses IPv6.
\n\nIf you get an error like the following, it seems that DNS successfully resolves the domain controller name, but the connection to the domain controller itself fails.
\nクエリによって、次のドメイン コントローラが識別されました。\n\n<DC>\n\nこのエラーの一般的な原因:\n\n- ドメイン コントローラの名前を IP アドレスに割り当てるための Host (A) レコードが見つからないか、正しくないアドレスを含んでいる。\n- DNS で登録されているドメイン コントローラがネットワークに接続されていないか、実行中でない。In my environment, this problem occurred when I created AD with multiple NICs. Recreating AD with only one NIC assigned to the AD server resolved it.
\nTry checking the following.
\nReference: ドメイン参加時にクライアントPC・サーバー設定で気をつけること: niyoな日記
\nI also referred to the following article.
\nReference: ValidationMemo: Active Directoryのドメイン名を検討するときに考えるべきこと
\nIf you want to use LDAPS to integrate AD with other applications, the following articles were helpful.
\nIf you only need to install Active Directory Certificate Services and use a self-signed certificate for authentication, it can be configured very easily.
\nReference: Active DirectoryのLDAPS通信を有効化する | KMMR Note
\nReference: Windows ADサーバーのLDAPS有効化の構築方法 | puti se blog
\nI had a hard time resolving the issues, and troubleshooting took quite a while.
\nAs expected, if your understanding of AD integration itself is insufficient, troubleshooting also takes more time.
","fields":{"slug":"/windows-activedirectory-lab-en","tagSlugs":["/tag/active-directory/","/tag/windown-server/","/tag/備忘録/","/tag/english/"]},"frontmatter":{"date":"2021-12-05","description":"","tags":["ActiveDirectory","WindownServer","備忘録","English"],"title":"Notes on Building an Active Directory Lab Environment: Steps and Troubleshooting","socialImage":{"publicURL":"/static/94f7e08e2e22c344b8817a31b1bc027d/windows-activedirectory-lab.png"}}}},"pageContext":{"slug":"/windows-activedirectory-lab-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}