Active Directory and Active Directory Domain services ports

 

Protocol and Port AD and AD DS Usage Type of traffic
TCP and UDP 389 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP
TCP 636 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP SSL
TCP 3268 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP GC
TCP 3269 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP GC SSL
TCP and UDP 88 User and Computer Authentication, Forest Level Trusts Kerberos
TCP and UDP 53 User and Computer Authentication, Name Resolution, Trusts DNS
TCP and UDP 445 Replication, User and Computer Authentication, Group Policy, Trusts SMB,CIFS,SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 25 Replication SMTP
TCP 135 Replication RPC, EPM
TCP Dynamic Replication, User and Computer Authentication, Group Policy, Trusts RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
TCP 5722 File Replication RPC, DFSR (SYSVOL)
UDP 123 Windows Time, Trusts Windows Time
TCP and UDP 464 Replication, User and Computer Authentication, Trusts Kerberos change/set password
UDP Dynamic Group Policy DCOM, RPC, EPM
UDP 138 DFS, Group Policy DFSN, NetLogon, NetBIOS Datagram Service
TCP 9389 AD DS Web Services SOAP
UDP 67 and UDP 2535 DHCP

noteNote
DHCP is not a core AD DS service but it is often present in many AD DS deployments.
DHCP, MADCAP
UDP 137 User and Computer Authentication, NetLogon, NetBIOS Name Resolution
TCP 139 User and Computer Authentication, Replication DFSN, NetBIOS Session Service, NetLogon

Source: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

Upgrading SYSVOL replication to DFSR

Server manager → Tools → Active directory Domains and Trusts

Click right button on Root (Active Directory Domains and Trusts [win2012 server name]) → Raise Domain Functional Level … → Windows Server 2012 R2

Type dfsrmig /getmigrationstate to confirm all domain controllers have reached prepared state

Type dfsrmig /getmigrationstate to confirm all domain controllers have reached redirected state

Type dfsrmig /getmigrationstate to confirm all domain controllers have reached eliminated state

Check net share status

Also make sure in each domain controller FRS service is stopped and disabled

Start → Administrative Tools → Services → File Replication Service → Double click

 

Reference: http://www.rebeladmin.com/2015/04/step-by-step-guide-for-upgrading-sysvol-replication-to-dfsr-distributed-file-system-replication/

Ubuntu 16.04 Winbind and Active Directory

Official SSSD and Active Directory guide doesn’t work. It is hard to find what’s wrong. Using Winbind works well.

Installation:

sudo apt install winbind samba
sudo apt install cups-common python-crypto-dbg python-crypto-doc bind9 bind9utils ctdb ldb-tools ntp smbldap-tools heimdal-clients libnss-winbind libpam-winbind

Configuration:

sudo vi /etc/samba/smb.conf
[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
#   workgroup = GROUP

# server string is the equivalent of the NT Description field
  server string = %h server (Samba, Ubuntu)

        security = ads
        realm = MYDOMAIN.COM
# If the system doesn't find the domain controller automatically, you may need the following line
#        password server = 10.0.0.1
# note that workgroup is the 'short' domain name
        workgroup = MYDOMAIN
#       winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2

Restart services:

sudo service winbind stop
sudo service samba-ad-dc restart
sudo service winbind start

Join the AD (see “net ads help”):

sudo kinit Admin@MYDOMAIN.COM
# check klist
sudo klist
# join (ignore the dns error messages)
sudo net ads join -k

OR
sudo net ads join -U Admin@MYDOMAIN.COM

Setup Authentication

sudo vi /etc/nsswitch.conf

 

passwd:         compat winbind
group:          compat winbind
shadow:         compat

Restart Winbind

sudo service winbind restart

PAM Configuration

sudo pam-auth-update

Create Home directory

sudo mkdir /home/MYDOMAIN

Add sudo users

sudo vi /etc/sudoers.d/MYDOMAIN

 

# replace adgroup as real domain group name
%adgroup        ALL=(ALL) NOPASSWD: ALL

Test

wbinfo -u
wbinfo -g

Login as a domain user and enjoy…

Dns command, primary DNS server in domain

To change DNS from command line: dnscmd

List all A type records:

> dnscmd <dns-server> /EnumRecords <your domain> . /type A

Add a A type record:

> dnscmd <dns-server> /RecordAdd <your domain> docker01 A 192.168.1.235

More information for dnscmd:

> dnscmd /help

Set the primary DNS server in domain and auto update other DNS servers. Assume the primary DNS server is dns.my.ads.

win2k-dns

Configuring NTP on Windows Server 2012

Original: http://www.sysadminlab.net/windows/configuring-ntp-on-windows-server-2012

Run using PowerShell as Administrator:

w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL
Stop-Service w32time
Start-Service w32time

Check status:

w32tm /query /status

Force a resnyc

w32tm /resync

Start from scratch:

Stop-Service w32time
w32tm /unregister
w32tm /register