Active Directory Configuration - squatchulator/Capstone GitHub Wiki

Generator

Background

  • NOTE: Servers were both activated with Windows Server 2022 keys on 4/12/2024.

  • Generator's infrastructure is built on a redundant, on-premises Active Directory configuration with two domain controllers. This provides a second copy of directory data and leaves room for off-site DC replication in the future. Generator's domain is generator.local and is managed by the Leahy Center's Managed Services department. To access and manage Generator endpoints, technicians log into NinjaOne with their Leahy Center credentials and perform actions such as remote desktop sessions, script execution, patch management, and more.

  • To manage Generator's domain controllers, Generator has a Chrome Remote Desktop profile dedicated to this purpose. It is stored in TPM-MS and is accessible by both Leahy Center technicians and Generator staff, so that Generator staff can handle minor administrative requests such as password resets, account creation, and account deactivation without submitting tickets to the Leahy Center. Credentials for the lcadmin administrative account and the genadmin account are also stored in TPM-MS.

What Roles, Features, and Services

(Roles)

  • Active Directory Domain Services
  • DHCP Server (Inactive - using Unifi controller's DHCP service)
  • DNS Server
  • File and Storage Services
    • File Server
    • DFS Replication
    • File Server Resource Manager

(Features)

  • Enhanced Storage
  • Failover Clustering
  • Failover Clustering Tools
    • Failover Clustering Management Tools
  • Storage Replica
  • Windows Server Backup

New forest (Made on DC1): generator.local

  • Forest and domain functional level: Windows Server 2016
  • DNS Server and Global Catalog enabled
    • DC2 is read-only
  • DSRM password is the same as the local Administrator password on each server
  • No DNS delegation
  • NetBIOS name is GENERATOR
  • Database, log, and SYSVOL folders are all default

After rebooting from the Roles and Features install, promote the server to a domain controller and reboot again. Then:

  • Open ADUC and, in the Users container, rename Administrator to lcadmin.
  • Delete the Managed Users container.
  • Create the Generator and LeahyCenter local admin users (in Settings).
  • The accounts are members of:

  • Administrators
  • Domain Admins
  • Domain Users
  • Enterprise Admins
  • Group Policy Creator Owners
  • Schema Admins

OU Structure:

  • Builtin
  • Computers
  • Domain Controllers
    • DC1
    • DC2
  • ForeignSecurityPrincipals
  • Users
  • Workstations
    • Flex Space
    • Learning Lab
  • Generator Users
    • Staff
    • Members
    • Management Accounts
      • lcadmin
      • genadmin
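The rename, account creation, group membership, and OU layout described above can be scripted with the ActiveDirectory module instead of clicking through ADUC. The following is an added example, not the project's own script. It assumes it runs on DC1 after promotion as a member of Domain Admins and Enterprise Admins, that the OU names match the structure listed above, that the built-in Administrator is located by its well-known RID (500) rather than by name so the script can be re-run safely, and that the genadmin password is typed at a prompt rather than stored in the script.

```powershell
# Added example (not the project's own code): builds the generator.local OU
# structure, renames the built-in Administrator to lcadmin, creates genadmin,
# and grants the group memberships listed above. Assumes it runs on DC1 after
# promotion as an Enterprise Admin.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # DC=generator,DC=local
$domainSid = (Get-ADDomain).DomainSID.Value

# OU tree from the page: Workstations > Flex Space, Learning Lab;
# Generator Users > Staff, Members, Management Accounts.
$ouTree = @{
    'Workstations'    = @('Flex Space', 'Learning Lab')
    'Generator Users' = @('Staff', 'Members', 'Management Accounts')
}
foreach ($parent in $ouTree.Keys) {
    $parentDN = "OU=$parent,$domainDN"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$parent)" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $parent -Path $domainDN
    }
    foreach ($child in $ouTree[$parent]) {
        if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$child)" -SearchBase $parentDN -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $child -Path $parentDN
        }
    }
}
$mgmtOU = "OU=Management Accounts,OU=Generator Users,$domainDN"

# Rename the built-in Administrator (RID 500) to lcadmin. ADUC's rename dialog
# changes CN, sAMAccountName, UPN, and display name together; do the same here,
# then move the object into the Management Accounts OU.
$builtinAdmin = Get-ADUser -Identity "$domainSid-500"
if ($builtinAdmin.SamAccountName -ne 'lcadmin') {
    Set-ADUser -Identity $builtinAdmin -SamAccountName 'lcadmin' `
        -UserPrincipalName 'lcadmin@generator.local' -DisplayName 'lcadmin'
    Rename-ADObject -Identity $builtinAdmin -NewName 'lcadmin'
    Move-ADObject -Identity $builtinAdmin.ObjectGUID -TargetPath $mgmtOU
}

# Create genadmin in Management Accounts; password entered interactively.
if (-not (Get-ADUser -Filter "SamAccountName -eq 'genadmin'")) {
    $genPassword = Read-Host -Prompt 'Password for genadmin' -AsSecureString
    New-ADUser -Name 'genadmin' -SamAccountName 'genadmin' `
        -UserPrincipalName 'genadmin@generator.local' -Path $mgmtOU `
        -AccountPassword $genPassword -Enabled $true
}

# Group memberships from the page (Domain Users is already the primary group).
$adminGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins',
               'Group Policy Creator Owners', 'Schema Admins'
foreach ($group in $adminGroups) {
    $members = (Get-ADGroupMember -Identity $group).SamAccountName
    foreach ($user in 'lcadmin', 'genadmin') {
        if ($members -notcontains $user) {
            Add-ADGroupMember -Identity $group -Members $user
        }
    }
}

# Verify the result.
Get-ADPrincipalGroupMembership -Identity genadmin | Select-Object -ExpandProperty Name
```

Schema Admins and Enterprise Admins are only needed while a schema or forest-level change is being made; Microsoft's guidance is to keep those two groups empty day to day and add an account just for the change, which is worth weighing against the membership list above since both accounts are used for routine password resets.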

TPM entries to make:

  • DC1 and DC2 local admin (LeahyCenter account)
  • Leahy Center Domain Admin (lcadmin account)
  • DC1 and DC2 Generator Staff local admin (Generator account)
  • Generator Staff Domain Admin (genadmin account)

Disk 0 is formatted as a single volume spanning the whole drive, assigned the letter D:\ and named Backups. Disk 1 is formatted the same way, assigned the letter E:\ and named Files. After Windows Server Backup formats the backup disk (which removes its drive letter), go back into Disk Management and assign the letter again so the rotation script can see it.

Backups are written to Disk 0; this drive is reserved for that purpose on each server. Backups are scheduled to run daily at 9pm. To delete old backups automatically after a set period, a .ps1 script is run from Task Scheduler. It is kept on the C:\ drive in a folder called "Process Scripts" and is titled "BackupRotate.ps1". The script contains the following:

# BackupRotate.ps1 - deletes Windows Server Backup folders older than $thresholdDays.
$backupFolder  = Join-Path "D:\WindowsImageBackup" $env:COMPUTERNAME   # GEN-DC1 or GEN-DC2
$thresholdDays = 15                                                   # number of days of backups to keep

# Calculate the date threshold
$thresholdDate = (Get-Date).AddDays(-$thresholdDays)

# Get backup folders older than the threshold date whose name contains "Backup"
$oldBackupFolders = Get-ChildItem -Path $backupFolder -Directory |
    Where-Object { $_.Name -like "*Backup*" -and $_.CreationTime -lt $thresholdDate }

# Delete old backup folders (-LiteralPath so folder names with spaces are handled as-is)
foreach ($folder in $oldBackupFolders) {
    Remove-Item -LiteralPath $folder.FullName -Recurse -Force
}

To make the task, open Task Scheduler and create a New Task named "BackupRotate". Add a trigger on a schedule that runs daily at midnight. Add an action of type Start a program with the program set to powershell.exe and the arguments set to -NoProfile -ExecutionPolicy Bypass -File "C:\Process Scripts\BackupRotate.ps1" (browsing to the .ps1 file directly only launches its file association, which by default opens the script in Notepad rather than running it). On the General tab select Run whether user is logged on or not and Run with highest privileges so the task can delete the backup folders.
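The backup job and the rotation task described above can both be set up from PowerShell on each DC. The following is an added example, not the project's own script. It assumes the WindowsServerBackup and ScheduledTasks modules (Windows Server 2012 and later), D: as the Backups volume, C:\Process Scripts\BackupRotate.ps1 as laid out above, a bare-metal-recovery backup (which includes system state and therefore the AD database) as the backup type, and that the task runs as SYSTEM; the page does not say which account the task runs under, so that is an assumption.

```powershell
# Added example (not the project's own code): schedules the 9pm Windows Server
# Backup to D: and registers the midnight BackupRotate task so it runs the
# script with powershell.exe as SYSTEM. Assumes Windows Server 2012+ modules,
# D: as the Backups volume, and the script path from the page.
Import-Module WindowsServerBackup
Import-Module ScheduledTasks

# --- Nightly backup: bare-metal recovery (includes system state) to D: at 21:00 ---
$policy = New-WBPolicy
Add-WBBareMetalRecovery -Policy $policy
Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -VolumePath 'D:')
Set-WBSchedule -Policy $policy -Schedule ([datetime]'21:00')
Set-WBPolicy -Policy $policy -Force          # commit; -Force skips the confirmation prompt
(Get-WBPolicy).Schedule                       # should show today's date at 21:00

# --- Rotation task: run BackupRotate.ps1 daily at midnight as SYSTEM ---
$scriptPath = 'C:\Process Scripts\BackupRotate.ps1'
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At '00:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 1)
Register-ScheduledTask -TaskName 'BackupRotate' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force   # -Force overwrites an existing task

# Run it once by hand and check the result code (0 = success).
Start-ScheduledTask -TaskName 'BackupRotate'
Start-Sleep -Seconds 10
(Get-ScheduledTaskInfo -TaskName 'BackupRotate').LastTaskResult

# The script runs as SYSTEM every night, so anyone who can write to it gets
# SYSTEM on a domain controller. List every identity with write access; only
# SYSTEM and Administrators should appear.
(Get-Acl -Path $scriptPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights
```

If the rotation is ever moved off the folder-deletion approach, Remove-WBBackupSet -KeepVersions 15 removes older backup sets through Windows Server Backup itself, which keeps its catalog consistent; deleting folders underneath WindowsImageBackup leaves the catalog referencing backups that no longer exist.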