- VMware Workstation
- 2 Windows Server VMs (one Core, without GUI, and one with GUI), networking set to NAT
- Install the AD forest on the Core server
Install-ADDSForest `
-DomainName "wintest.local" `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "7" `
-ForestMode "7" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$True `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
- Add the local admin user (john) to the admin groups
Add-ADGroupMember -Identity "Domain Admins" -Members john
Add-ADGroupMember -Identity "Enterprise Admins" -Members john
Add-ADGroupMember -Identity "Administrators" -Members john
- Reboot
- If later needed, deactivate the local firewall
netsh advfirewall set allprofiles state off
- On the second VM, change the DNS server address to the IP address of the Core VM
- Also set a proper hostname for the server
- Join that server to the domain and reboot
- Create the gMSA on the Core server (the DC)
New-ADGroup -Name "WebApp01 Authorized Hosts" -SamAccountName "WebApp01Hosts" -GroupScope DomainLocal
New-ADServiceAccount -Name "WebApp01" -DnsHostName "WebApp01.wintest.local" -ServicePrincipalNames "HOST/MYVM","HOST/myVM.wintest.local" -PrincipalsAllowedToRetrieveManagedPassword "WebApp01Hosts"
# Add your container hosts (here the non-Core server, MYVM) to the security group
Add-ADGroupMember -Identity "WebApp01Hosts" -Members "MYVM$"
- Reboot the non-Core server again, so its new group membership takes effect and it can retrieve the gMSA password
- Test (on the non-Core server): start a container with the credential spec, then check the secure channel from inside it
docker run --security-opt "credentialspec=file://wintest_webapp01.json" --hostname WebApp01 -it mcr.microsoft.com/windows/servercore:ltsc2022 powershell
nltest /sc_verify:wintest.local
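The docker run above references a credential spec file that these notes never create. As an added example (my own script, not part of the original notes), this PowerShell run on the domain-joined container host builds wintest_webapp01.json from Get-ADDomain output in the layout the Windows gMSA credential spec uses, after checking that the host can actually retrieve the gMSA password; the function name and the default spec directory are my assumptions.

```powershell
# Run on the domain-joined container host (the GUI VM), as an admin, after the host
# has been added to WebApp01Hosts and rebooted. Needs the RSAT AD PowerShell module.
Import-Module ActiveDirectory

function New-GmsaCredentialSpec {
    param(
        [Parameter(Mandatory)] [string] $AccountName,   # gMSA name, e.g. WebApp01
        [Parameter(Mandatory)] [string] $FileName,      # e.g. wintest_webapp01.json
        # Docker resolves file:// credential specs relative to this directory (assumed default)
        [string] $SpecDir = 'C:\ProgramData\docker\CredentialSpecs'
    )
    $domain = Get-ADDomain
    # Fail early if the gMSA does not exist; a typo here otherwise surfaces only inside the container
    $gmsa = Get-ADServiceAccount -Identity $AccountName -ErrorAction Stop
    $name = $gmsa.SamAccountName.TrimEnd('$')   # SamAccountName of a gMSA ends with '$'

    $spec = [ordered]@{
        CmsPlugins = @('ActiveDirectory')
        DomainJoinConfig = [ordered]@{
            Sid                = $domain.DomainSID.Value
            MachineAccountName = $name
            Guid               = $domain.ObjectGUID.ToString()
            DnsTreeName        = $domain.Forest
            DnsName            = $domain.DNSRoot
            NetBiosName        = $domain.NetBIOSName
        }
        ActiveDirectoryConfig = [ordered]@{
            # One entry per scope, so the account resolves by DNS name and by NetBIOS name
            GroupManagedServiceAccounts = @(
                [ordered]@{ Name = $name; Scope = $domain.DNSRoot },
                [ordered]@{ Name = $name; Scope = $domain.NetBIOSName }
            )
        }
    }
    New-Item -ItemType Directory -Path $SpecDir -Force | Out-Null
    $path = Join-Path $SpecDir $FileName
    $spec | ConvertTo-Json -Depth 5 | Set-Content -Path $path -Encoding ascii
    return $path
}

# Verify this host may retrieve the managed password before starting any container;
# $false means the host is not yet an effective member of WebApp01Hosts (reboot needed).
if (-not (Test-ADServiceAccount -Identity 'WebApp01')) {
    throw 'Host cannot retrieve the gMSA password; check WebApp01Hosts membership and reboot.'
}
New-GmsaCredentialSpec -AccountName 'WebApp01' -FileName 'wintest_webapp01.json'
```

Get-ADServiceAccount fails if the gMSA from the step above was never created; note that New-ADServiceAccount itself only succeeds once the forest has a KDS root key (Add-KdsRootKey), a prerequisite these notes do not list.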