Setup Microsoft AD domain controller

This how-to describes how to set up the MS AD domain controller node pxd-ad.

Overview

Setup

vagrant up pxd-ad

Bringing machine 'pxd-ad' up with 'virtualbox' provider...
==> pxd-ad: Importing base box 'c2platform/win2022'...

Progress: 10%
Progress: 90%
==> pxd-ad: Matching MAC address for NAT networking...
==> pxd-ad: Checking if box 'c2platform/win2022' version '0.1.0' is up to date...
==> pxd-ad: Setting the name of the VM: ansible-phx_pxd-ad_1752576491515_67436
==> pxd-ad: Clearing any previously set network interfaces...
==> pxd-ad: Preparing network interfaces based on configuration...
    pxd-ad: Adapter 1: nat
    pxd-ad: Adapter 2: hostonly
==> pxd-ad: Forwarding ports...
    pxd-ad: 5985 (guest) => 55985 (host) (adapter 1)
    pxd-ad: 5986 (guest) => 55986 (host) (adapter 1)
    pxd-ad: 22 (guest) => 2222 (host) (adapter 1)
==> pxd-ad: Running 'pre-boot' VM customizations...
==> pxd-ad: Booting VM...
==> pxd-ad: Waiting for machine to boot. This may take a few minutes...
    pxd-ad: WinRM address: 127.0.0.1:55985
    pxd-ad: WinRM username: vagrant
    pxd-ad: WinRM execution_time_limit: PT2H
    pxd-ad: WinRM transport: negotiate
==> pxd-ad: Machine booted and ready!
==> pxd-ad: Checking for guest additions in VM...
==> pxd-ad: Setting hostname...
==> pxd-ad: Waiting for machine to reboot...
==> pxd-ad: Configuring and enabling network interfaces...
==> pxd-ad: Mounting shared folders...
    pxd-ad: /vagrant => /home/ostraaten/git/gitlab/c2/ansible-phx
    pxd-ad: /software => /software/projects/phx
    pxd-ad: /root/.marker => /home/ostraaten/.marker
    pxd-ad: /software-cache => /software/projects/phx/cache
    pxd-ad: /home/vagrant/.marker => /home/ostraaten/.marker
    pxd-ad: /ansible-dev-collections => /home/ostraaten/git/gitlab/c2/ansible-dev-collections
    pxd-ad: /root/.local/share/marker => /home/ostraaten/.local/share/marker
    pxd-ad: /home/vagrant/.local/share/marker => /home/ostraaten/.local/share/marker
==> pxd-ad: Running provisioner: windows-sysprep...
==> pxd-ad: Configuring sysprep...
==> pxd-ad: Syspreping...
==> pxd-ad: Checking if box 'c2platform/win2022' version '0.1.0' is up to date...
==> pxd-ad: Clearing any previously set forwarded ports...
==> pxd-ad: Clearing any previously set network interfaces...
==> pxd-ad: Preparing network interfaces based on configuration...
    pxd-ad: Adapter 1: nat
    pxd-ad: Adapter 2: hostonly
==> pxd-ad: Forwarding ports...
    pxd-ad: 5985 (guest) => 55985 (host) (adapter 1)
    pxd-ad: 5986 (guest) => 55986 (host) (adapter 1)
    pxd-ad: 22 (guest) => 2222 (host) (adapter 1)
==> pxd-ad: Running 'pre-boot' VM customizations...
==> pxd-ad: Booting VM...
==> pxd-ad: Waiting for machine to boot. This may take a few minutes...
    pxd-ad: WinRM address: 127.0.0.1:55985
    pxd-ad: WinRM username: vagrant
    pxd-ad: WinRM execution_time_limit: PT2H
    pxd-ad: WinRM transport: negotiate
==> pxd-ad: Machine booted and ready!
==> pxd-ad: Checking for guest additions in VM...
==> pxd-ad: Setting hostname...
==> pxd-ad: Configuring and enabling network interfaces...
==> pxd-ad: Mounting shared folders...
    pxd-ad: /vagrant => /home/ostraaten/git/gitlab/c2/ansible-phx
    pxd-ad: /software => /software/projects/phx
    pxd-ad: /root/.marker => /home/ostraaten/.marker
    pxd-ad: /software-cache => /software/projects/phx/cache
    pxd-ad: /home/vagrant/.marker => /home/ostraaten/.marker
    pxd-ad: /ansible-dev-collections => /home/ostraaten/git/gitlab/c2/ansible-dev-collections
    pxd-ad: /root/.local/share/marker => /home/ostraaten/.local/share/marker
    pxd-ad: /home/vagrant/.local/share/marker => /home/ostraaten/.local/share/marker
==> pxd-ad: Machine already provisioned. Run `vagrant provision` or use the `--provision`
==> pxd-ad: flag to force provisioning. Provisioners marked to run always will still run.
==> pxd-ad: The Machine SID was changed from S-1-5-21-51764566-1011124836-2787823110 to S-1-5-21-25892634-3680924600-3759249411
==> pxd-ad: Running provisioner: shell...
    pxd-ad: Running: inline PowerShell script
==> pxd-ad: Running provisioner: ansible...
    pxd-ad: Running ansible-playbook...
[WARNING]: Collection community.windows does not support Ansible version 2.15.0
[WARNING]: Collection ansible.windows does not support Ansible version 2.15.0
[DEPRECATION WARNING]: community.general.yaml has been deprecated. The plugin 
has been superseded by the the option `result_format=yaml` in callback plugin 
ansible.builtin.default from ansible-core 2.13 onwards. This feature will be 
removed from community.general in version 13.0.0. Deprecation warnings can be 
disabled by setting deprecation_warnings=False in ansible.cfg.

PLAY [AD Domain Controller] ****************************************************

TASK [Gathering Facts] *********************************************************
ok: [pxd-ad]

TASK [c2platform.core.secrets : Stat secret dir] *******************************
ok: [pxd-ad -> localhost] => (item=/home/ostraaten/git/gitlab/c2/ansible-phx/secret_vars/development)
ok: [pxd-ad -> localhost] => (item=/runner/project/secret_vars/development)

TASK [c2platform.core.secrets : Include secrets] *******************************
ok: [pxd-ad] => (item=/home/ostraaten/git/gitlab/c2/ansible-phx/secret_vars/development)

TASK [c2platform.wincore.ad : Include ad_resources] ****************************
[WARNING]: Collection microsoft.ad does not support Ansible version 2.15.0
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/ad/tasks/ad_domain.yml for pxd-ad => (item= Ensure domain c2.org)
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/ad/tasks/ad_powershell.yml for pxd-ad => (item= DNS should only listen on 192.168.61.11)
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/ad/tasks/ad_domain_controller.yml for pxd-ad => (item= Domain controller)
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/ad/tasks/ad_user.yml for pxd-ad => (item= tony)

TASK [c2platform.wincore.ad : Ensure existence of a domain] ********************
changed: [pxd-ad] => (item=c2.org)

TASK [c2platform.wincore.ad : Debug] *******************************************
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/ad/tasks/debug.yml for pxd-ad

TASK [c2platform.wincore.ad : Run PowerShell scripts] **************************
changed: [pxd-ad] => (item=DNS should only listen on 192.168.61.11)

TASK [c2platform.wincore.ad : Debug] *******************************************
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/ad/tasks/debug.yml for pxd-ad

TASK [c2platform.wincore.ad : Manage domain controller/member] *****************
ok: [pxd-ad] => (item=c2.org)

TASK [c2platform.wincore.ad : Debug] *******************************************
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/ad/tasks/debug.yml for pxd-ad

TASK [c2platform.wincore.ad : Manage AD user] **********************************
changed: [pxd-ad] => (item=c2.org)

TASK [c2platform.wincore.ad : Debug] *******************************************
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/ad/tasks/debug.yml for pxd-ad

TASK [c2platform.wincore.ad : Include ad_resources_types] **********************
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/ad/tasks/ad_dns_client.yml for pxd-ad => (item=ad_dns_client)
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/ad/tasks/ad_membership.yml for pxd-ad => (item=ad_membership)

TASK [c2platform.wincore.ad : Configure DNS lookup] ****************************
changed: [pxd-ad] => (item=Use AD DNS sever → 192.168.61.11)

TASK [c2platform.wincore.ad : Manage domain controller/member] *****************
ok: [pxd-ad] => (item=c2.org)

TASK [c2platform.wincore.ad : Debug] *******************************************
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/ad/tasks/debug.yml for pxd-ad

TASK [c2platform.wincore.win : Include win_resources] **************************
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/win/tasks/win_shortcut.yml for pxd-ad => (item=0-bootstrap-dev Shortcuts)
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/win/tasks/win_chocolatey.yml for pxd-ad => (item=0-bootstrap-dev NuGet and Firefox)
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/win/tasks/win_file.yml for pxd-ad => (item=0_bootstrap Apps folder)
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/win/tasks/win_powershell.yml for pxd-ad => (item=ad Don't register connection's addresses in DNS)
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/win/tasks/win_shortcut.yml for pxd-ad => (item=ad Shortcuts)
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/win/tasks/win_file.yml for pxd-ad => (item=share C2 Share)
included: /home/ostraaten/git/gitlab/c2/ansible-dev-collections/ansible_collections/c2platform/wincore/roles/win/tasks/win_share.yml for pxd-ad => (item=share c2-share)

TASK [c2platform.wincore.win : Manage shortcuts] *******************************
changed: [pxd-ad] => (item=%Public%\Desktop\FireFox (Shared Profile).lnk)
changed: [pxd-ad] => (item=%Public%\Desktop\Downloads.lnk)

TASK [c2platform.wincore.win : Manage Chocolatey packages] *********************
changed: [pxd-ad] => (item=nuget.commandline present)
changed: [pxd-ad] => (item=firefox present)
changed: [pxd-ad] => (item=git present)

TASK [c2platform.wincore.win : Create, touch or remove files or directories] ***
changed: [pxd-ad] => (item=Apps)

TASK [c2platform.wincore.win : Run PowerShell scripts] *************************
changed: [pxd-ad] => (item=Don't register connection's addresses in DNS)

TASK [c2platform.wincore.win : Manage shortcuts] *******************************
changed: [pxd-ad] => (item=%Public%\Desktop\DNS Manager.lnk)
changed: [pxd-ad] => (item=%Public%\Desktop\Active Directory Users and Computers.lnk)
changed: [pxd-ad] => (item=%Public%\Desktop\Group Policy Objects (GPOs).lnk)

TASK [c2platform.wincore.win : Create, touch or remove files or directories] ***
changed: [pxd-ad] => (item=D:\c2-share)

TASK [c2platform.wincore.win : Manage Windows Share] ***************************
changed: [pxd-ad] => (item=c2-share)

PLAY RECAP *********************************************************************
pxd-ad                     : ok=34   changed=11   unreachable=0    failed=0    skipped=16   rescued=0    ignored=0   

Verify

Primary Domain Controller and Domain

To verify that c2.org is the domain and pxd-ad is the primary domain controller, SSH into the node, start PowerShell and then run:

systeminfo | Select-String "Domain"
Microsoft Windows [Version 10.0.20348.707]
(c) Microsoft Corporation. All rights reserved.

c2\vagrant@PXD-AD C:\Users\vagrant>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\vagrant> systeminfo | Select-String "Domain"

OS Configuration:          Primary Domain Controller
Domain:                    c2.org


PS C:\Users\vagrant>

Listening IP Address

Open the DNS Manager and check the properties of the DNS server PXD-AD. Only 192.168.61.11 should be enabled as a listening IP address.

Dig on Vagrant Host

On your Ubuntu laptop, run

dig @192.168.61.11 c2.org

This should resolve c2.org to 192.168.61.11.

ostraaten@mpc2:~$ dig @192.168.61.11 c2.org

; <<>> DiG 9.18.30-0ubuntu0.22.04.2-Ubuntu <<>> @192.168.61.11 c2.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59036
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;c2.org.				IN	A

;; ANSWER SECTION:
c2.org.			600	IN	A	192.168.61.11
c2.org.			600	IN	A	10.0.2.15

;; Query time: 0 msec
;; SERVER: 192.168.61.11#53(192.168.61.11) (UDP)
;; WHEN: Tue Jul 15 13:19:44 CEST 2025
;; MSG SIZE  rcvd: 67
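The run above returns two A records for c2.org: the expected listening address 192.168.61.11 and the NAT adapter address 10.0.2.15, which other machines cannot reach. The following check is an added example, not part of this how-to: it parses the dig output copied from that run and reports a non-NOERROR status, a missing authoritative (aa) flag, or any A record beyond the expected address; the function and variable names are assumptions.

```python
# Added example, not from the original how-to: parse the output of
# `dig @192.168.61.11 c2.org` and check that the DC answered
# authoritatively and returned only its expected listening address.
import re
# Copied from the dig run shown above in this how-to (other sections omitted).
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59036
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;c2.org.                IN      A

;; ANSWER SECTION:
c2.org.         600     IN      A       192.168.61.11
c2.org.         600     IN      A       10.0.2.15
"""
def parse_dig(text):
    """Return (status, flags, answers); answers are (name, ttl, type, rdata)."""
    status, flags, answers, in_answer = None, set(), [], False
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            status = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            # ";; flags: qr aa rd ra; QUERY: ..." -> {"qr", "aa", "rd", "ra"}
            flags = set(line.split(";")[2].replace("flags:", "").split())
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";") or not line.strip():
            in_answer = False  # any other section or a blank line ends the answers
        elif in_answer:
            name, ttl, _cls, rtype, rdata = line.split()
            answers.append((name, int(ttl), rtype, rdata))
    return status, flags, answers

def check_dc_dns(text, zone, expected_ip):
    """Return findings; an empty list means the DC answered as expected."""
    status, flags, answers = parse_dig(text)
    findings = []
    if status != "NOERROR":
        findings.append(f"status {status}, expected NOERROR")
    if "aa" not in flags:
        findings.append("no 'aa' flag: the server is not authoritative for the zone")
    addrs = {r[3] for r in answers if r[0] == zone + "." and r[2] == "A"}
    if expected_ip not in addrs:
        findings.append(f"{zone} does not resolve to {expected_ip}")
    for extra in sorted(addrs - {expected_ip}):
        findings.append(f"{zone} also resolves to {extra}: an extra A record is registered")
    return findings

if __name__ == "__main__":
    for finding in check_dc_dns(DIG_OUTPUT, "c2.org", "192.168.61.11"):
        print("WARNING:", finding)
```

Run against the copied output it prints one warning for 10.0.2.15; run it against a fresh `dig` capture after the "Don't register connection's addresses in DNS" task to confirm the extra record is gone.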

Verify domain member

Start, for example, pxd-win-devtop and verify that the computer is part of the domain c2.org:

vagrant up pxd-win-devtop

Again, use the systeminfo command to check the “Domain” line:

systeminfo | Select-String "Domain"
PS C:\Users\vagrant> systeminfo | Select-String "Domain"

Domain:                    c2.org

On Linux

sudo realm list

Should return:
root@pxd-rproxy1:/etc/apache2/sites-enabled# realm list
c2.org
  type: kerberos
  realm-name: C2.ORG
  domain-name: c2.org
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins

/etc/sssd/sssd.conf

root@pxd-rproxy1:/etc/apache2/sites-enabled# sudo cat /etc/sssd/sssd.conf

[sssd]
domains = c2.org
config_file_version = 2
services = nss, pam

[domain/c2.org]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = C2.ORG
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = c2.org
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_gpo_access_control = permissive
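A check of the settings shown above, as an added example that is not part of this how-to: it parses the sssd.conf copied from pxd-rproxy1 and flags the provider and GPO settings a defender wants to be explicit about. In particular, ad_gpo_access_control = permissive means SSSD evaluates the GPO logon rights from the domain but only logs the result instead of enforcing it; the function and variable names are assumptions.

```python
# Added example, not from the original how-to: check a joined client's
# /etc/sssd/sssd.conf for the settings that matter when it authenticates
# against the c2.org domain controller.
import configparser
# Copied from the pxd-rproxy1 output shown above in this how-to.
SSSD_CONF = """\
[sssd]
domains = c2.org
config_file_version = 2
services = nss, pam

[domain/c2.org]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = C2.ORG
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = c2.org
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_gpo_access_control = permissive
"""
# What each ad_gpo_access_control mode means for logon restrictions set via GPO.
GPO_MODES = {
    "enforcing": None,
    "permissive": "GPO logon rights are evaluated and logged but not enforced",
    "disabled": "GPO logon rights are not evaluated at all",
}

def check_sssd(conf_text, domain):
    """Return a list of findings for the [domain/<domain>] section."""
    # interpolation=None: fallback_homedir contains literal %u and %d
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = f"domain/{domain}"
    if not cp.has_section(sec):
        return [f"missing [{sec}] section"]
    d, findings = cp[sec], []
    if d.get("id_provider") != "ad" or d.get("access_provider") != "ad":
        findings.append("id_provider and access_provider should both be 'ad'")
    if d.get("krb5_realm") != domain.upper():
        findings.append(f"krb5_realm should be {domain.upper()}")
    mode = d.get("ad_gpo_access_control", "<not set>")
    issue = GPO_MODES.get(mode, "unrecognised value")
    if issue:
        findings.append(f"ad_gpo_access_control = {mode}: {issue}; "
                        "use 'enforcing' once the GPOs have been verified")
    return findings
```

Running check_sssd(SSSD_CONF, "c2.org") on the copied configuration yields a single finding about the permissive GPO mode.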

Test user resolution

root@pxd-rproxy1:/etc/apache2/sites-enabled# id tony@c2.org
uid=212801104(tony) gid=212800513(domain users) groups=212800513(domain users),212800512(domain admins),212800572(denied rodc password replication group)

Ping

root@pxd-rproxy1:/etc/apache2/sites-enabled# ping pxd-ubuntu-devtop
PING pxd-ubuntu-devtop(pxd-ubuntu-devtop.lxd (fd42:e2df:ed54:72de:216:3eff:fe09:dccb)) 56 data bytes
64 bytes from pxd-ubuntu-devtop.lxd (fd42:e2df:ed54:72de:216:3eff:fe09:dccb): icmp_seq=1 ttl=64 time=0.233 ms
64 bytes from pxd-ubuntu-devtop.lxd (fd42:e2df:ed54:72de:216:3eff:fe09:dccb): icmp_seq=2 ttl=64 time=0.258 ms
^C
--- pxd-ubuntu-devtop ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms



Last modified August 27, 2025: phx dev save C2-633 (3b38443)