Work on server [Domain Controller] directly
Physically, the domain controller sits in the data center, either as a physical server or as a virtual machine [Hyper-V or VMware].
The first option for accessing Active Directory is to work on the server directly in the data center, which makes almost NO sense;
just skip it.
Work on the server remotely via RDP
The second option is to work on the server remotely through the Remote Desktop Protocol (RDP).
This is a good solution but carries some risk, since you will have full control of the server [domain controller] as the domain administrator [administrator@Pioneers.lab].
This option requires some additional steps:
Enable the RDP protocol (port 3389) in Windows Firewall
On the domain controller open Control Panel, then select Windows Firewall.
Now enable the Remote Desktop service and allow only administrator users: without administrator privileges you will not be allowed to access Active Directory, regardless of which server tools or network management applications are used.
Please note that both steps above [enabling the firewall rule and configuring RDP] could be done through a Group Policy Object (GPO), which will be fully discussed later.
Since the server is in the DMZ zone [server farm], we have to open the RDP port 3389 on the firewall [pfSense] between the LAN subnet and the DMZ subnet [server farm].
Please note that we are using the pfSense network firewall; in your case you have to configure your own firewall, whether Cisco, SonicWall or any other firewall you use.
Finally, on the client computer open the Remote Desktop Connection tool [mstsc.exe] to connect to the domain controller [in our case dc101.pioneers.lab, or the IP address 172.16.10.101].
Once you have logged in to the domain controller, open the console [Active Directory Users and Computers] or run [dsa.msc] [the same thing 🙂].
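As an added example (not from the original article), the domain-controller side of the steps above can be done from an elevated PowerShell prompt on dc101.pioneers.lab, with the RDP firewall rule scoped to the LAN subnet instead of being open to every network; the LAN subnet value is an assumption, replace it with your own.

```powershell
# Added example, not from the original article. Run as Administrator on the DC.
$lanSubnet = '172.16.20.0/24'   # assumed LAN (IT staff) subnet, replace with your own

# 1. Allow Remote Desktop connections and require Network Level Authentication,
#    so a client must authenticate before a full session is built.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name 'fDenyTSConnections' -Value 0
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name 'UserAuthentication' -Value 1

# 2. Enable the built-in "Remote Desktop" rule group (TCP/UDP 3389) in Windows Firewall,
#    but only for the LAN subnet: the other DMZ servers do not need RDP access to the DC.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Set-NetFirewallRule    -DisplayGroup 'Remote Desktop' -RemoteAddress $lanSubnet

# 3. Who may log on: on a domain controller the "Allow log on through Remote Desktop
#    Services" right is granted to Administrators only by the Default Domain Controllers
#    Policy, so keep that setting and do not add other accounts to Remote Desktop Users.
#    Export the effective user rights and show that entry to confirm.
secedit /export /cfg "$env:TEMP\dc-rights.inf" /areas USER_RIGHTS | Out-Null
Select-String -Path "$env:TEMP\dc-rights.inf" -Pattern 'SeRemoteInteractiveLogonRight'

# 4. Verify the enabled RDP rules are scoped to the LAN subnet only
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object Enabled -eq 'True' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```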
Secure RDP with RDG [Remote Desktop Gateway]
We can add security to the RDP connection by forcing it through a [Remote Desktop Gateway], which allows only specific computers in the LAN to access the domain controller.
This option provides an extra line of defense, but unfortunately it is NOT a common technique in IT culture.
Later, we will fully discuss securing RDP with RDG, since that article requires more knowledge about the certificate authority and SSL.
RSAT [Remote Server Administration Tools]
The fourth option [the most secure] is to install RSAT [Remote Server Administration Tools] on client computers [mostly those of IT staff] to access the AD consoles.
RSAT is a set of consoles [snap-ins] installed on employees' client computers [mostly IT staff] to access services on the server farm. The consoles are the following:
- RSAT: Active Directory Domain Services and Lightweight Directory Services Tools
- RSAT: BitLocker Drive Encryption Administration Utilities
- RSAT: Active Directory Certificate Services Tools
- RSAT: DHCP Server Tools
- RSAT: DNS Server Tools
- RSAT: Failover Clustering Tools
- RSAT: File Services Tools
- RSAT: Group Policy Management Tools
- RSAT: IP Address Management (IPAM) Client
- RSAT: Data Center Bridging LLDP Tools
- RSAT: Network Controller Management Tools
- RSAT: Network Load Balancing Tools
- RSAT: Remote Access Management Tools
- RSAT: Remote Desktop Services Tools
- RSAT: Server Manager
- RSAT: Shielded VM Tools
- RSAT: Storage Migration Service Management Tools
- RSAT: Storage Replica Module for Windows PowerShell
- RSAT: System Insights Module for Windows PowerShell
- RSAT: Volume Activation Tools
- RSAT: Windows Server Update Services Tools
Currently we are concerned with ONLY two consoles: [Active Directory Domain Services and Lightweight Directory Services Tools] and [Group Policy Management Tools].
RSAT Steps
First of all, since the pfSense firewall controls traffic between the LAN subnet and the server-farm subnet, we have to open some ports so that RSAT works properly on the client computers and the client computers can reach the domain controller:
- UDP Port 88 for Kerberos authentication
- UDP and TCP Port 135 for domain controller-to-domain controller and client-to-domain controller operations
- TCP Port 139 and UDP Port 138 for the File Replication Service between domain controllers – Needed?
- UDP Port 389 for LDAP, to handle normal queries from client computers to the domain controllers
- TCP and UDP Port 445 for the File Replication Service – Needed?
- TCP and UDP Port 464 for Kerberos password change
- TCP Ports 3268 and 3269 for the Global Catalog, from client to domain controller
- TCP and UDP Port 53 for DNS, from client to domain controller and from domain controller to domain controller
Then log in to the client computer IT124.pioneers.lab as the domain administrator or any privileged user account.
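As an added check (not part of the original article), this PowerShell script, run on IT124.pioneers.lab after logging in and installing RSAT, verifies that the pfSense rules really let the client reach dc101.pioneers.lab on the ports listed above; Test-NetConnection can only probe TCP, so the UDP side (DNS, Kerberos, LDAP ping) is confirmed indirectly through a DC-locator query and a Kerberos ticket request.

```powershell
# Added example, not from the original article. Run on the client after RSAT is installed.
$dc     = 'dc101.pioneers.lab'
$domain = 'pioneers.lab'

# TCP side of each service in the port list (UDP cannot be probed with Test-NetConnection)
$tcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, Group Policy)'
    464  = 'Kerberos password change'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

$report = foreach ($port in $tcpPorts.Keys) {
    $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Service = $tcpPorts[$port]; TcpOpen = $t.TcpTestSucceeded }
}
$report | Format-Table -AutoSize

# Any closed port is a pfSense rule to fix before opening the RSAT consoles
$closed = $report | Where-Object { -not $_.TcpOpen }
if ($closed) { Write-Warning ("Blocked by the firewall: " + ($closed.Port -join ', ')) }

# The DC locator uses DNS SRV records (UDP 53) and an LDAP ping (UDP 389) to find the DC
nltest /dsgetdc:$domain

# Requesting a service ticket for the DC's LDAP SPN exercises Kerberos (port 88) end to end
klist get "ldap/$dc"

# Finally the RSAT ActiveDirectory module itself must be able to talk to the DC
Get-ADDomainController -Identity $dc -Server $dc |
    Select-Object HostName, IPv4Address, IsGlobalCatalog
```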
RSAT Needs Delegation
Wait a minute:
Is it really that easy??!! Just install the RSAT package and it opens Active Directory on the domain controller?!
Actually, when a snap-in is run from a client computer, the domain controller authenticates whoever is opening Active Directory
[which in the example above is the domain administrator, administrator@Pioneers.lab], who has full control over the domain controller and Active Directory.
So in order to allow other domain users [mostly IT staff] to open Active Directory and perform administrative tasks [join computers to AD, create users, manage users, reset passwords, publish printers, delete objects, etc.], you need something called delegation.
Delegation is the process of granting domain users [mostly IT staff] some administrative rights [but NOT full control] on a specific OU in Active Directory [NOT the whole domain].
We will write a full article about delegation later; please stay tuned.
To clarify RSAT delegation, please have a look at the pioneers.lab domain structure:
As you can see:
frank@pioneers.lab is a member of the IT department, and we have delegated to frank ONLY the right to reset passwords for Finance department users, for example.
When frank opens the snap-in [Active Directory Users and Computers] from his computer IT124.pioneers.lab and tries to delete a user from the Finance department
Let's have another example:
lara@pioneers.lab is also from the IT department, but has NOT been delegated anything yet at ALL.
She is unable even to see user properties [most user attributes are hidden].
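As an added example (not from the original article, whose full delegation write-up is promised for later), the frank scenario above can be implemented and verified from an elevated prompt with the built-in dsacls tool; the OU path OU=Finance,DC=pioneers,DC=lab and the sample account name are assumptions.

```powershell
# Added example, not from the original article. Run as a domain admin on a machine with RSAT.
$ou   = 'OU=Finance,DC=pioneers,DC=lab'   # assumed OU path for the Finance department
$user = 'PIONEERS\frank'

# Grant ONLY the "Reset Password" extended right (CA = control access) on user objects
# beneath the OU. /I:S applies the ACE to child objects only, not to the OU itself.
dsacls $ou /I:S /G "${user}:CA;Reset Password;user"

# A reset usually also ticks "User must change password at next logon", which needs
# read/write on the pwdLastSet attribute; nothing else is granted.
dsacls $ou /I:S /G "${user}:RPWP;pwdLastSet;user"

# Verify: show just the ACEs that mention frank. There is no Delete entry among them,
# which is why his attempt to delete a Finance user is refused by the DC.
(dsacls $ou) | Select-String -Pattern 'frank' -Context 0,3

# What frank can and cannot do from his own session (run as frank on IT124.pioneers.lab;
# 'someFinanceUser' is a constructed sample account):
#   Set-ADAccountPassword -Identity 'someFinanceUser' -Reset      # allowed by the delegation
#   Remove-ADUser -Identity 'someFinanceUser'                      # Access is denied
```

Lara, who has no ACE at all, gets neither of the two rights above and still sees only the attributes readable by Authenticated Users.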