Configuring Active Directory in Windows Server 2019

Thamindu Aluthwala
Sep 2, 2022 · 8 min read

This is the first blog post in a series in which I’ll be configuring Active Directory (AD) with WSO2 Identity Server 6.0.0 (IS). I will go through the following topics over a span of 3 articles.

  1. Configure Active Directory (AD) Userstore in Windows Server 2019
  2. Configure AD as a Secondary Userstore in Super Tenant and Tenant Mode in WSO2 Identity Server 6.0.0
  3. Configure AD as a Primary Userstore in Super Tenant Mode in WSO2 Identity Server 6.0.0

Part 1: Configure Active Directory in Windows Server 2019

There are four steps to follow when configuring AD in Windows Server 2019.

  1. Install Active Directory Domain Services (AD DS) and promote it as a “Domain Controller”
  2. Setup Active Directory Certificate Service (AD CS) and configure a private key
  3. Import AD CS private key into AD DS certificate store
  4. Start secure LDAP

Install Active Directory Domain Services (AD DS) and promote it as a “Domain Controller”

  • Open the Server Manager and go to Manage. Click Add Roles and Features. It will open the Add Roles and Features Wizard.
  • Click Next.
  • In Select Installation Type, select Role-based or feature-based installation. Click Next.
  • Click Select a server from the server pool and select the current server. Then click Next.
  • Select Active Directory Domain Services from the Roles list.
  • It will prompt to add required features for Active Directory Domain Services. Click Add Features. Then click Next.
  • Click Next in Select Features.
  • Click Next.
  • In the Confirm installation selections page, click Install.
  • Once the installation is complete, click on the link Promote this server to a domain controller. This will open the Active Directory Domain Services Configuration Wizard.
  • In the Deployment Configuration, select Add a new forest and enter Root domain name. Then Click Next.
  • In Domain Controller Options, make sure that Forest functional level and Domain functional level are set to Windows Server 2016, which is the latest. Keep Domain Name System (DNS) Server checked. Enter a password for Directory Services Restore Mode. Then click Next.
  • (Note: the DSRM password is required when booting the domain controller into recovery mode.)
  • Ignore the warning given in the DNS Options page and then click Next.
  • Verify the NetBIOS domain name. Click Next.
  • Leave the recommended settings in the Paths page and click Next.
  • Review the configurations and click Next.
  • In Prerequisites Check, the wizard will show whether all the prerequisite checks have passed. Click Install.
  • Once the installation is complete, click Close to finish the installation wizard.
  • Active Directory Domain Services has been successfully installed and the server will be rebooted automatically.
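The same AD DS installation and promotion can be scripted. The block below is an added example, not code from the original post; it assumes an elevated PowerShell session on a fresh Windows Server 2019 machine, and the domain and NetBIOS names are placeholders to be replaced with your own.

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# Server Manager / AD DS Configuration Wizard steps above.
# Assumes an elevated session on Windows Server 2019. Names below are placeholders.
$DomainName  = 'corp.example.local'   # placeholder: root domain name entered in the wizard
$NetBiosName = 'CORP'                 # placeholder: NetBIOS domain name verified in the wizard

# Step 1: add the AD DS role together with its required features and management tools
# (the "Add Features" prompt in the wizard).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2: collect the Directory Services Restore Mode password interactively.
# It is needed to boot the domain controller into recovery mode, so it is never hard-coded.
$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# Step 3: the "Prerequisites Check" page. WinThreshold is the functional level the wizard
# labels "Windows Server 2016". This only validates; it changes nothing on the server.
Test-ADDSForestInstallation `
    -DomainName $DomainName `
    -DomainNetbiosName $NetBiosName `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $dsrmPassword

# Step 4: create the new forest and promote this server to a domain controller.
# DNS is installed as in the wizard; the server reboots automatically when finished.
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetBiosName `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $dsrmPassword `
    -NoRebootOnCompletion:$false `
    -Force:$true

# After the reboot, confirm the result (run once the server is back up):
#   Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
#   Get-ADForest | Select-Object RootDomain, ForestMode
```

Running the test cmdlet first mirrors the wizard's prerequisite page: it reports the same warnings (for example the DNS delegation warning) without making changes, so a failed check can be fixed before promotion.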

Setup Active Directory Certificate Service (AD CS) and Configure a Private Key

  • Open the Server Manager and go to Manage. Click Add Roles and Features. It will open the Add Roles and Features Wizard. Click Next.
  • In Select Installation Type, select Role-based or feature-based installation. Click Next.
  • Click Select a server from the server pool and select the current server. Then click Next.
  • Select Active Directory Certificate Services from the Roles list.
  • It will prompt to add required features for Active Directory Certificate Services. Click Add Features. Then click Next.
  • Click Next in Select Features.
  • Click Next in Active Directory Certificate Services.
  • In Roles Services, select Certification Authority, and click Next.
  • In the Confirmation Page, click Install to install the selected roles.
  • Once the installation process is complete, click on the link Configure Active Directory Certificate Services on the destination server.
  • In the AD CS Configuration wizard, enter the credentials of the Administrator if needed and then click Next.
  • Select Certification Authority and click Next.
  • Specify Enterprise CA as the setup type of the CA. Click Next.
  • Select Root CA as the type of the CA. Click Next.
  • Select Create a new private key and click Next.
  • Keep the default settings in the Cryptography for CA page.
  • Enter a name in the field, Common name for this CA and keep the default Distinguished name suffix values.
  • Select a validity period for the certificate generated for the CA.
  • Keep the default Certificate database and Certificate database logs locations.
  • Click Configure and close the wizard.
  • Active Directory Certificate Services has now been successfully installed on the Windows Server.
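The AD CS role and the Enterprise root CA can be set up from PowerShell with the same choices the wizard defaults to. This is an added example, not code from the original post; it assumes an elevated session run by an Enterprise Admins member on the domain controller configured above, and the CA common name is a placeholder.

```powershell
# Added example (not from the original post): PowerShell equivalent of the AD CS
# role installation and the AD CS Configuration wizard choices above.
# Assumes an elevated session as a member of Enterprise Admins. Name is a placeholder.
$CaCommonName = 'CORP-ROOT-CA'   # placeholder: "Common name for this CA" from the wizard

# Step 1: add the Certification Authority role service and its management tools.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Step 2: configure an Enterprise Root CA with a new private key.
# The provider, key length and hash match the wizard's "Cryptography for CA" defaults,
# and 5 years is the wizard's default validity period for the CA certificate.
# The distinguished name suffix is derived from the domain automatically, as in the wizard.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CaCommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# Step 3: confirm the CA service is running and the CA certificate is in place.
Get-Service -Name certsvc | Select-Object Name, Status
certutil -cainfo name
certutil -cainfo type
```

The two `certutil -cainfo` calls print the configured CA name and type (an Enterprise Root CA here), which is a quick way to confirm the setup type chosen in the wizard before moving on to the certificate export.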

Import AD CS Certificate into AD DS Certificate Store

In order to enable secure LDAP (LDAPS) we need to import the AD CS certificate into the AD DS certificate store. To export the certificate from AD CS, follow the below steps.

  • Go to Server Manager, click Tools and, from the drop-down menu, select Certification Authority.
  • Right click on the name of the certification authority and select Properties. In the General tab, select the certificate you want to access and click View Certificate.
  • In the Details tab, select Copy to File. The Certificate Export Wizard will be prompted.
  • Click Next.
  • Select Base-64 encoded X.509 (.CER) as the Export File Format. Click Next.
  • Enter a filename along with the path and click Next.
  • Click Finish.
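The export step can also be done from PowerShell, which makes it clear what the "Base-64 encoded X.509 (.CER)" format actually is: the DER bytes of the certificate, Base64-encoded in 64-character lines between BEGIN/END CERTIFICATE markers, with no private key. The block below is an added example, not code from the original post; it assumes it runs on the CA server, and the CA name and output path are placeholders. The import into the NTDS service store is not exposed through the `Cert:` drive (which only covers the CurrentUser and LocalMachine stores), so the MMC steps that follow in the post remain the way to import the file.

```powershell
# Added example (not from the original post): export the CA certificate in the
# Base-64 encoded X.509 (.CER) format the Certificate Export Wizard produces, then
# verify the file. Runs on the CA server; name and path are placeholders.
$CaCommonName = 'CORP-ROOT-CA'                 # placeholder: CA common name from AD CS setup
$OutFile      = 'C:\Temp\CORP-ROOT-CA.cer'     # placeholder: export path

# The CA's own certificate (with its private key) lives in the local machine's
# Personal store on the CA server. Pick the newest one matching the CA name.
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaCommonName*" -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $caCert) { throw "No CA certificate with CN=$CaCommonName found in Cert:\LocalMachine\My" }

# RawData is the DER encoding of the public certificate only; the private key is
# never part of the export. PEM wraps Base64 at 64 characters per line.
$base64 = [Convert]::ToBase64String($caCert.RawData)
$lines  = ($base64 -split '(.{64})') | Where-Object { $_ -ne '' }
$pem    = "-----BEGIN CERTIFICATE-----`r`n" + ($lines -join "`r`n") + "`r`n-----END CERTIFICATE-----`r`n"

New-Item -ItemType Directory -Path (Split-Path -Path $OutFile) -Force | Out-Null
Set-Content -Path $OutFile -Value $pem -Encoding Ascii -NoNewline

# Round-trip check: reload the file and confirm it is the same certificate and that it
# is marked as a CA certificate (Basic Constraints), which is what AD DS must trust.
$reloaded = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($OutFile)
if ($reloaded.Thumbprint -ne $caCert.Thumbprint) {
    throw "Exported file does not match the CA certificate in the store"
}
$basicConstraints = $reloaded.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

[pscustomobject]@{
    File       = $OutFile
    Subject    = $reloaded.Subject
    Issuer     = $reloaded.Issuer
    NotAfter   = $reloaded.NotAfter
    Thumbprint = $reloaded.Thumbprint
    IsCA       = [bool]($basicConstraints -and $basicConstraints.CertificateAuthority)
}
```

Comparing thumbprints after reloading the file catches a truncated or mis-encoded export before it is imported on the AD DS side, where a bad file would only show up later as an LDAPS connection failure.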

Now we have successfully exported the certificate. To import the certificate into AD DS, follow the steps below.

  • Start mmc.exe program using Run.
  • Go to File, click Add/Remove Snap-in. From the Add or Remove Snap-ins wizard select certificates and click Add.
  • From the Certificates snap-in wizard, select Service Account and click Next.
  • Select Local computer and click Next.
  • From the Service Account list, select Active Directory Domain Services and click Finish. Click OK in the Add or Remove Snap-ins wizard.
  • Expand Certificates - Service (Active Directory Domain Services).
  • Right click on NTDS/Personal and from All Tasks select Import.
  • Click Next in the Certificate Import Wizard.
  • Browse the certificate you exported from the AD CS and click Next.
  • Keep the default location in the Certificate Store and click Next.
  • Click Finish to import the certificate.

Now we have successfully imported the certificate into AD DS.

Start Secure LDAP

If secure LDAP (LDAPS) is not currently running on port 636, follow the steps below to start it.

  • Start ldp.exe using Run.
  • Click Connection and click Connect. In the Connect wizard, enter the server name. Enter port 636 and check the SSL box.
  • Click OK and LDAPS should start running.
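The ldp.exe connection above is a manual check. The function below does the same check from PowerShell and additionally reports what the domain controller presents: the negotiated TLS protocol, whether the certificate chain validates on the client, whether the Subject Alternative Name contains the DC's FQDN, whether the Server Authentication EKU is present, and the expiry date. This is an added example, not code from the original post; the host name in the usage line is a placeholder, and the function is meant to be run from a domain-joined client that trusts the Enterprise CA.

```powershell
# Added example (not from the original post): verify LDAPS on port 636 and inspect the
# certificate the domain controller presents. Host name below is a placeholder.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $Server,   # DC FQDN, as clients will address it
        [int] $Port      = 636,
        [int] $TimeoutMs = 5000
    )

    # The validation callback records the chain/name verdict instead of swallowing it,
    # so a failing chain is reported in the output rather than hidden by "return $true".
    $state = @{ PolicyErrors = $null }
    $validate = [System.Net.Security.RemoteCertificateValidationCallback] ({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        return $true
    }.GetNewClosure())

    # TCP connect with a timeout: distinguishes "nothing listening on 636" from TLS problems.
    $client  = [System.Net.Sockets.TcpClient]::new()
    $connect = $client.BeginConnect($Server, $Port, $null, $null)
    if (-not $connect.AsyncWaitHandle.WaitOne($TimeoutMs)) {
        $client.Close()
        throw "No TCP connection to ${Server}:${Port} within ${TimeoutMs} ms (LDAPS not listening?)"
    }
    $client.EndConnect($connect)

    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $validate)
    try {
        $ssl.AuthenticateAsClient($Server)   # TLS handshake; $Server is also the name checked
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Subject Alternative Name (OID 2.5.29.17) should carry the DC's FQDN.
        $san = ($cert.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }) -join ';'

        # Enhanced Key Usage should include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $serverAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

        $chainOk = ($state.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        [pscustomobject]@{
            Server        = $Server
            Protocol      = $ssl.SslProtocol
            Cipher        = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            Thumbprint    = $cert.Thumbprint
            SanMatches    = [bool]($san -match [regex]::Escape($Server))
            ServerAuthEku = $serverAuth
            ChainErrors   = $state.PolicyErrors
            Healthy       = ($chainOk -and $serverAuth -and ($cert.NotAfter -gt (Get-Date)))
        }
    }
    finally {
        $ssl.Dispose()
        $client.Close()
    }
}

# Usage (placeholder host name):
Test-LdapsEndpoint -Server 'dc01.corp.example.local' | Format-List
```

A `Healthy` value of `False` with `ChainErrors` set to `RemoteCertificateChainErrors` usually means the client does not trust the Enterprise CA yet; `RemoteCertificateNameMismatch` means the FQDN used to connect is not in the certificate's SAN. On the domain controller itself, `Get-NetTCPConnection -LocalPort 636 -State Listen` is the quickest way to confirm the listener exists before running the TLS check from a client.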

Now we have successfully configured Active Directory in Windows Server 2019.

Software Engineer @ WSO2 | CSE Undergraduate @ University of Moratuwa