windows domain controller(s) set up

Hello,

There are 3 new modules in ansible 2.3 to do with creating and setting up Windows Active Directory domain controllers.

https://docs.ansible.com/ansible/win_domain_module.html

https://docs.ansible.com/ansible/win_domain_membership_module.html

https://docs.ansible.com/ansible/win_domain_controller_module.html

Is anyone else experimenting with these yet?

I am trying to set up a pair of domain controllers but not sure the order I should be doing things in.
It looks like I call win_domain on the primary to create a forest first, but after that I am a bit confused. It seems I need to make the secondary DC a member of the domain first, but I am unable to get the second machine to join the new domain created on the primary, as the win_domain_membership call fails with:

“failed to join domain ‘testdomain.local’ from its current workgroup \r\n’WORKGROUP’ with following error message: The specified domain either does not exist or could not be contacted.”

Also, both this module and win_domain_controller ask for a domain administrator user/password, but I’m not sure how to create the domain admin user (being something of a programmer, I’ve not had to set up my own domain before). Maybe I just need to call Add-ADUser?

Any pointers would be gratefully received.

Many thanks,

Jon

IIRC, dcpromo run on a machine not attached to the domain will have an option for “alternate credentials” to be set and then use DNS to contact the existing domain. I’ve only done it via the dcpromo GUI back in the day (on 2008). So there is probably a way to do it via commands, or perhaps it’s part of an answer file? I never did bulk operations like that back then, so I relied on the GUI.

When you make the initial domain it asks to enter a domain admin password in the dcpromo setup and creates the ‘domain\Administrator’ account and also removes local users at that point (or blocks off the use of any local accounts) and uses the AD database as the only user store. After the initial domain setup I believe the recommendation was also to rename the existing domain admin account from ‘Administrator’ to some other name not commonly targeted. Then creating a new user account you would just add to the ‘Domain Admins’ group.

I probably could’ve done a better job with the actual docs descriptions on these (PRs welcome :wink: )…

win_domain is for “ensuring that the given domain exists”, creating a new forest/domain on the target machine if not.
win_domain_controller is for switching a host between domain controller and member server status on an existing domain.
win_domain_membership is for switching a host between a workgroup member and a domain member.

The domain admin creds for the DC and Membership modules are to specify existing domain admin credentials used to join/leave the domain or promote to a DC (since you can’t connect with domain creds to a workgroup host, and the DC promotion module doesn’t require that you’re already a member of the domain). When creating a new domain, all admin accounts that exist on the host are automatically domain admins for the new domain.

These modules are nowhere near exhaustive WRT the capabilities for creating a new domain, they just scratched an itch I had for doing this under our CI. We’re currently not testing domain anything, something I’m hoping to change for 2.4, but it requires “throwaway” domains, which we now have the capability to create.

-Matt

Oh, and for the second DC, once the domain exists, you’ll need to use win_dns_client to point the 2nd host at the new DC’s DNS server first, then use win_domain_controller to promote it (I haven’t tried promoting a non-member server in a while, but it worked at one point, so you probably don’t need to use win_domain_membership to join the would-be-2nd-DC to the domain first).
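
The order Matt lays out above (win_domain on the first host, win_dns_client on the second host pointing at the first DC, then win_domain_controller to promote it, with no win_domain_membership step), written up as a playbook. This is an added example and is not code from the original thread or from the Ansible project; the inventory host names `dc1`/`dc2`, the `ansible_host` inventory variable on `dc1`, and the `dsrm_password`/`domain_admin_password` variables are assumptions. The domain admin account used for the promotion is the first DC’s built-in Administrator, which per Matt’s reply becomes a domain admin when the forest is created, so its password is the local Administrator password `dc1` had before promotion.

```yaml
# Added example (not from the thread). Assumes an inventory with hosts dc1 and dc2,
# ansible_host set on dc1, and the variables dsrm_password and domain_admin_password.
- name: Create the forest on the first domain controller
  hosts: dc1
  tasks:
    - name: Ensure the domain exists (creates a new forest on this host if it does not)
      win_domain:
        dns_domain_name: testdomain.local
        safe_mode_password: "{{ dsrm_password }}"   # DSRM password, an assumed variable
      register: domain_install

    # win_domain reports whether the promotion needs a reboot; AD DS is not usable until then.
    - name: Reboot to finish creating the forest
      win_reboot:
      when: domain_install.reboot_required

- name: Promote the second host to an additional domain controller
  hosts: dc2
  tasks:
    # The "domain does not exist or could not be contacted" error is the second host failing
    # to resolve testdomain.local, so its DNS client must point at the first DC before anything
    # domain-related is attempted. ansible_host on dc1 is assumed to be that DC's IP address.
    - name: Point DNS at the first DC so the new domain can be resolved
      win_dns_client:
        adapter_names: "*"
        ipv4_addresses:
          - "{{ hostvars['dc1'].ansible_host }}"

    # No win_domain_membership step: win_domain_controller takes existing domain admin
    # credentials and does not require the host to already be a domain member.
    - name: Promote to domain controller using the forest's Administrator account
      win_domain_controller:
        dns_domain_name: testdomain.local
        domain_admin_user: administrator@testdomain.local
        domain_admin_password: "{{ domain_admin_password }}"   # dc1's pre-promotion local Administrator password (assumed variable)
        safe_mode_password: "{{ dsrm_password }}"
        state: domain_controller
      register: dc_promotion

    - name: Reboot to finish the promotion
      win_reboot:
      when: dc_promotion.reboot_required
```

Run it with `ansible-playbook -i inventory domain.yml` (file names assumed). Keep the two passwords out of the playbook itself (ansible-vault or an extra-vars file), since the DSRM and domain Administrator credentials give full control of the forest; and if the forest is only a throwaway for CI, as in Matt’s use case, treat the whole thing as disposable rather than hardening it.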

Thanks for the above everyone.
I think I’ll start by making my domain (which is really going to be disposable) run on a single node and then tackle adding the second node later.
Jon