- Description
- Setup - The basics of getting started with active_directory
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
A module to manage some Active Directory services, such as Domain Controllers and DNS Servers. Uses Microsoft DSC as the engine for management via Puppet.
None beyond the DSC module, which this module depends on.
Manages Domain Controllers and DNS Servers.
Tasks are provided for the same, plus changing hostnames, creating SPNs, managing features and checking domains.
To manage a Forest Domain Controller the following can be used:

```puppet
class { 'active_directory::domain_controller':
  domain_name              => 'puppet.local',
  domain_credential_user   => 'Administrator',
  domain_credential_passwd => 'P00rP@ssword123',
  safe_mode_passwd         => 'Th!s1sSAfe',
}
```
To manage a child Domain Controller the following can be used:

```puppet
class { 'active_directory::domain_controller':
  domain_name              => 'apac.puppet.local',
  domain_credential_user   => 'Administrator',
  domain_credential_passwd => 'P00rP@ssword123',
  parent_dns_addr          => '192.168.0.10',
  parent_domain_name       => 'puppet.local',
  safe_mode_passwd         => 'Th!s1sSAfe',
}
```
Active Directory users can be managed with the active_directory::domain_controller class as well, via the ad_users parameter. This hash needs to be in the format of the dsc_xaduser resource type.
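The following is an added example for this page, not code from the module's own documentation. It declares the domain_controller class with the credentials pulled from Hiera instead of written into the manifest (as the examples above do), and passes an ad_users hash. The Hiera key names, the OU path, and the dsc_xaduser parameter names (dsc_ensure, dsc_username, dsc_domainname, dsc_path, dsc_password, dsc_enabled, dsc_passwordneverexpires, dsc_domainadministratorcredential) are assumptions, the latter taken from the xADUser DSC resource as exposed by the Puppet DSC module; check them against `puppet describe dsc_xaduser` for the DSC module version you have installed.

```puppet
# Added example, not from the active_directory module's documentation.
# Hiera key names, the OU and the dsc_xaduser parameter names are assumptions.

# Secrets come from Hiera (eyaml or another encrypted backend). The module's
# password parameters are typed String, so the values still land in the
# compiled catalog: restrict who can read catalogs and reports, and keep the
# plaintext out of version control.
$domain       = 'puppet.local'
$admin_user   = 'Administrator'
$admin_passwd = lookup('profile::ad::admin_password', String)
$safe_passwd  = lookup('profile::ad::safe_mode_password', String)
$svc_passwd   = lookup('profile::ad::svc_backup_password', String)

# Credential hash in the shape the Puppet DSC module uses for a PSCredential:
# a 'user' key and a 'password' key.
$admin_cred = {
  'user'     => "${admin_user}@${domain}",
  'password' => $admin_passwd,
}

# ad_users: one entry per dsc_xaduser resource, keyed by resource title.
$ad_users = {
  # A service account placed in a dedicated OU (OU path is an assumption).
  'svc_backup' => {
    'dsc_ensure'                        => 'present',
    'dsc_username'                      => 'svc_backup',
    'dsc_domainname'                    => $domain,
    'dsc_path'                          => 'OU=Service Accounts,DC=puppet,DC=local',
    'dsc_password'                      => {
      'user'     => "svc_backup@${domain}",
      'password' => $svc_passwd,
    },
    'dsc_passwordneverexpires'          => false,
    'dsc_domainadministratorcredential' => $admin_cred,
  },
  # A leaver's account: keep the object (SID and audit trail survive) but
  # make sure it can no longer log on.
  'jdoe' => {
    'dsc_ensure'                        => 'present',
    'dsc_username'                      => 'jdoe',
    'dsc_domainname'                    => $domain,
    'dsc_enabled'                       => false,
    'dsc_domainadministratorcredential' => $admin_cred,
  },
}

class { 'active_directory::domain_controller':
  domain_name              => $domain,
  domain_credential_user   => $admin_user,
  domain_credential_passwd => $admin_passwd,
  safe_mode_passwd         => $safe_passwd,
  ad_users                 => $ad_users,
}
```

Because the class parameters are plain String, a Sensitive value cannot be passed to them; the protection here comes from the encrypted Hiera backend and from limiting access to the compiled catalog and the agent reports, not from the type system.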
To manage a DNS server the following can be used:

```puppet
class { 'active_directory::dns_server':
  dns_server_name => 'dns0.puppet.local',
}
```

This will use default settings for the DNS server. There are plenty of options for the DNS server, described in the following paragraphs.
- active_directory::dns_server: A class to manage DNS servers on Windows 2012 R2 and 2016
- active_directory::domain_controller: This class manages Forest and child domain controllers. It can also manage AD users.
- active_directory::rsat_ad: A class to manage the Remote Server Administration Tools for Active Directory
- active_directory::rsat_dns: A class to manage the Remote Server Administration Tools for DNS Server
- active_directory::dns_ad_zone: Defined type to manage DNS Active Directory Zones.
active_directory::dns_server
A class to manage DNS servers on Windows 2012 R2 and 2016

```puppet
class { 'active_directory::dns_server':
  dns_server_name => 'dns0.puppet.local',
}
```

The following parameters are available in the active_directory::dns_server class.
Data type: String
DNS Server name.
Data type: Active_directory::Addressanswerlimit
Number of addresses the server will return: 0 means unlimited, otherwise a value in the range 5 to 28.
Default value: '0'
Data type: Active_directory::Zero_one
Specifies whether the DNS Server accepts dynamic update requests. This is the server-wide switch; whether updates to a given zone must be secure is set on the zone (see the dynamicupdate parameter of active_directory::dns_ad_zone).
Default value: '1'
Data type: Boolean
Indicates whether the DNS Server attempts to update its cache entries using data from root servers.
Default value: false
Data type: Integer
Indicates which standard primary zones that are authoritative for the name of the DNS Server must be updated when the name server changes.
Default value: 1
Data type: Boolean
Enables the DNS server to communicate with non-Microsoft DNS servers that use DNS BIND service.
Default value: false
Data type: Active_directory::Bootmethod
Determines the source of information that the DNS server uses to start, such as settings to configure the DNS Service, a list of authoritative zones, and configuration settings for the zones.
Default value: '3'
Data type: Boolean
Specifies whether support for application directory partitions is enabled on the DNS Server.
Default value: true
Data type: Active_directory::Zero_one
Specifies whether the DNS Server includes DNSSEC-specific RRs, KEY, SIG, and NXT in a response.
Default value: '1'
Data type: Active_directory::Zero_one
Specifies the EDNS behavior of the DNS Server. When '1', the DNS Server always responds with OPT resource records according to RFC 2671, unless the remote server has indicated it does not support EDNS in a prior exchange. When '0', the DNS Server responds to queries with OPTs only if OPTs are sent in the original query.
Default value: '1'
Data type: Active_directory::Loglevels
Determines which DNS events go to the Event Viewer: '0' None, '1' Errors only, '2' Errors and warnings, '4' All events.
Default value: '4'
Data type: Active_directory::Zero_one
Specifies whether queries to delegated sub-zones are forwarded.
Default value: '0'
Data type: Optional[String]
A comma separated string of forwarder addresses.
Default value: undef
Data type: Integer
Time, in seconds, a DNS Server forwarding a query will wait for resolution from the forwarder before attempting to resolve the query itself.
Default value: 3
Data type: String
A comma separated string of listening addresses.
Default value: $facts['networking']['ip']
Data type: Boolean
Determines the order in which the DNS server returns A records when it has multiple A records for the same name.
Default value: true
Data type: Integer
Size of the DNS Server debug log, in bytes.
Default value: 500000000
Data type: String
File name and path for the DNS Server debug log.
Default value: '%SystemRoot%\System32\DNS\Dns.log'
Data type: Optional[Variant[Array[String],String]]
List of IP addresses used to filter DNS events written to the debug log.
Default value: undef
Data type: Boolean
Indicates whether the DNS Server performs loose wildcarding.
Default value: false
Data type: Integer
Maximum time, in seconds, the record of a recursive name query may remain in the DNS Server cache.
Default value: 86400
Data type: Integer
Maximum time, in seconds, a name error result from a recursive query may remain in the DNS Server cache.
Default value: 900
Data type: Integer
Indicates the set of eligible characters to be used in DNS names.
Default value: 2
Data type: Boolean
Indicates whether the DNS Server performs recursive lookups.
Default value: false
Data type: Integer
Elapsed seconds before retrying a recursive lookup.
Default value: 3
Data type: Integer
Elapsed seconds before the DNS Server gives up on a recursive query.
Default value: 8
Data type: Active_directory::Zero_one
Indicates whether the DNS Server round robins multiple A records.
Default value: '1'
Data type: Integer
RPC protocol or protocols over which administrative RPC runs (bitmap value).
Default value: 5
Data type: Integer
Interval, in hours, between two consecutive scavenging operations performed by the DNS Server.
Default value: 1
Data type: Boolean
Indicates whether the DNS Server exclusively saves records of names in the same subtree as the server that provided them.
Default value: false
Data type: Integer
Port on which the DNS Server sends UDP queries to other servers.
Default value: 0
Data type: Boolean
Indicates whether the DNS Server parses zone files strictly.
Default value: false
Data type: Integer
Restricts the type of records that can be dynamically updated on the server, used in addition to the AllowUpdate settings on Server and Zone objects.
Default value: 783
Data type: Boolean
Specifies whether the DNS Server writes NS and SOA records to the authority section on successful response.
Default value: false
Data type: Integer
Time, in seconds, the DNS Server waits for a successful TCP connection to a remote server when attempting a zone transfer.
Default value: 30
active_directory::domain_controller
This class manages Forest and child domain controllers.

```puppet
class { 'active_directory::domain_controller':
  domain_name              => 'puppet.local',
  domain_credential_user   => 'Administrator',
  domain_credential_passwd => 'This_should_be_better',
  safe_mode_passwd         => 'safe_P@ssw0rd',
}
```
The following parameters are available in the active_directory::domain_controller class.
Data type: String
The username for a user that has/will have domain administrator rights.
Data type: String
The password for the user that has/will have domain administrator rights.
Data type: String
The password for safe mode (Directory Services Restore Mode). The user for this is set to 'Administrator'.
Data type: String
The name of the domain to be managed.
Data type: String
The number of times a non-Forest domain controller will attempt to contact the Forest controller to attempt domain creation.
Default value: '5'
Data type: String
The interval between attempts that the non-Forest domain controller will make to contact the Forest controller.
Default value: '5'
Data type: String
The path where the Active Directory Database will be created/managed.
Default value: 'C:\Windows\NTDS'
Data type: String
The log path for Active Directory logs.
Default value: 'C:\Windows\NTDS'
Data type: Optional[Hash]
A hash of Active Directory users to create. Must be in the format of the dsc_xaduser resource type.
Default value: {}
Data type: Optional[String]
IP address of parent DNS server.
Default value: undef
Data type: Optional[String]
The name of the parent domain this domain will belong to. Not required for a new Forest.
Default value: undef
Data type: String
The system volume (SYSVOL) path for Active Directory.
Default value: 'C:\Windows\SYSVOL'
active_directory::rsat_ad
A class to manage the Remote Server Administration Tools for Active Directory

```puppet
include active_directory::rsat_ad
```

active_directory::rsat_dns
A class to manage the Remote Server Administration Tools for DNS Server

```puppet
include active_directory::rsat_dns
```
active_directory::dns_ad_zone
WARNING: due to a bug in the DSC xDnsServer module, the active_directory::dns_ad_zone defined type does not function (see dsccommunity/DnsServerDsc#53).

```puppet
active_directory::dns_ad_zone { 'puppet.local':
  domain_credential_user   => 'Administrator',
  domain_credential_passwd => 'P00rP@ssword123',
  replicationscope         => 'Forest',
  dynamicupdate            => 'Secure',
}
```

The following parameters are available in the active_directory::dns_ad_zone defined type.
Data type: String
The username for a user that has/will have domain administrator rights.
Data type: String
The password for the user that has/will have domain admininstrator rights.
Data type: Active_directory::Replicationscope
Scope of replication for the zone. Can be "Custom", "custom", "Domain", "domain", "Forest", "forest", "Legacy", or "legacy".
Default value: 'Forest'
Data type: Active_directory::Dynamicupdate
Determines how dynamic updates are performed. Can be "None", "none", "NonsecureAndSecure", "nonsecureandsecure", "Secure", or "secure". "Secure" only accepts updates from authenticated clients; "NonsecureAndSecure" lets any client overwrite records in the zone.
Default value: 'Secure'
Data type: Optional[String]
Name of directory partition.
Default value: undef
Tested on Windows 2012 R2.
Pull Requests welcome.