ReportWire

Tag: Active Directory Guides

  • How to Configure Self-service Password Change for AD Users


    Read this guide to learn how to set up self-service password change for Active Directory users with the password page of the Remote Desktop Web Access (RD Web Access) role. Note what this page does: a user who knows their current password (including one that has already expired) can set a new one without calling the Service Desk. It is not a "forgot my password" reset; a user who has lost their password still needs an administrator.

    Step 0: Review Problem Background and Overview

    Whenever users need to change their Active Directory password, they call the Service Desk team. This is time-consuming and unsustainable.

    So, your manager asked you to configure a tool that allows users to change their passwords.

    I will walk you through the steps to complete this task in this guide.

    I’m using a Windows Server 2022 Standard server for my test configuration. The server must be a member of the domain, and you must sign in to it with your domain credentials.

    Step 1: Install Remote Desktop Web Access and IIS Web Server

    1. From the Server Manager Manage menu, select Add Roles and Features.
    2. When the Add Roles and Features wizard opens, click Next until you get to the Server Roles page. Then, check Remote Desktop Services and Web Server (IIS). When you check Web Server (IIS), the wizard displays a pop-up; select Add Features in the pop-up.
    3. Confirm that the two roles are checked. Then, click Next.
    4. Continue clicking Next until you get to the Remote Desktop Services Role Services page. Check Remote Desktop Web Access, then click the Add Features button in the pop-up.
    5. After that, click Next several times until you get to the Confirmation page. Click Install to install the Windows Server roles.
    6. Wait for the wizard to confirm that the roles have installed successfully, then close it.

    Step 2: Enable the Password Reset Feature in IIS RDWeb

    1. Search for and open IIS Manager.
    2. In the IIS Manager, expand the server name, then navigate to Sites > Default Web Site > RDWeb and left-click Pages. On the details pane, double-click Application Settings.
    3. On the Application Settings page, double-click PasswordChangeEnabled and change its Value from false to true.

    This setting lives in the appSettings section of the web.config file of the RDWeb Pages application (%windir%\Web\RDWeb\Pages\web.config); the IIS Manager simply edits that file for you.

    Step 3: Configure HTTPS Binding in the Remote Desktop Web Site

    By default, the Remote Desktop Web Access site in IIS is bound to HTTPS, and HTTPS requires a server certificate. This matters more here than for most sites: every user who visits the page submits their current and new domain password through it, so the page must only ever be served over HTTPS.

    If you're configuring self-service password change for production use, obtain a certificate from a certificate authority that your users' browsers already trust (a public CA, or your internal enterprise CA), issued for the host name users will type in the browser.

    Since I am configuring mine for test purposes, I will be creating and using a self-signed certificate.

    Task 3.1: Create a Self-signed Certificate

    Open PowerShell as an administrator and run the command below to create a self-signed certificate. The certificate is placed in the local machine store (Cert:\LocalMachine\My), which is where IIS looks for certificates to bind.

    Change the DnsName, IPMvWAC, to your server name. It must match the host name users will type in the browser; otherwise every visit produces a name-mismatch warning.

    New-SelfSignedCertificate -FriendlyName ad-ss-cert -DnsName IPMvWAC -KeyUsage DigitalSignature -CertStoreLocation Cert:\LocalMachine\My

    Task 3.2: Configure IIS HTTPS Binding to use the Certificate

    1. Back in the IIS Manager, left-click Default Web Site, then in the Actions menu, select Bindings.
    2. Then, on the Site Bindings pop-up, left-click https and then Edit.
    3. Finally, on the Edit Site Binding pop-up, select the self-signed certificate from the SSL Certificate drop-down and click OK. If you receive a confirmation pop-up, select Yes.
    4. Return to the PowerShell console and run the iisreset command.
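    The whole of Step 1 to Step 3 as one PowerShell script, added here as an example; it is not part of the original guide. It assumes an elevated PowerShell session on the domain-joined Windows Server 2022 host, and the host name rdweb.lab.example.com is a placeholder for the name your users will browse to. The Set-WebConfigurationProperty call edits the same PasswordChangeEnabled key that the IIS Manager Application Settings page edits.

```powershell
# Added example, not from the original guide. Run elevated on the RD Web Access server.
# Assumption: $serverFqdn is the name users will type; replace it with your own.
$serverFqdn = "rdweb.lab.example.com"

# Step 1: RD Web Access pulls in IIS; the management tools give us the WebAdministration module.
Install-WindowsFeature -Name RDS-Web-Access, Web-Server -IncludeManagementTools | Out-Null
Import-Module WebAdministration

# Step 2: switch on the password page (appSettings key in %windir%\Web\RDWeb\Pages\web.config).
$pagesPath = "IIS:\Sites\Default Web Site\RDWeb\Pages"
$keyFilter = "appSettings/add[@key='PasswordChangeEnabled']"
Set-WebConfigurationProperty -PSPath $pagesPath -Filter $keyFilter -Name value -Value "true"

# Step 3.1: self-signed certificate in the machine store, which is where IIS looks.
# Test use only: in production bind a CA-issued certificate for the same host name instead.
$cert = New-SelfSignedCertificate -FriendlyName "ad-ss-cert" -DnsName $serverFqdn `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -CertStoreLocation Cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(1)

# Step 3.2: make sure Default Web Site has an HTTPS binding, then attach the certificate to 0.0.0.0:443.
if (-not (Get-WebBinding -Name "Default Web Site" -Protocol https)) {
    New-WebBinding -Name "Default Web Site" -Protocol https -Port 443
}
$sslPath = "IIS:\SslBindings\0.0.0.0!443"
if (Test-Path $sslPath) { Remove-Item $sslPath }     # replace whatever certificate was bound before
New-Item -Path $sslPath -Value $cert | Out-Null

iisreset

# Verification: the key must read "true" and the binding must carry our thumbprint.
$enabled = (Get-WebConfigurationProperty -PSPath $pagesPath -Filter $keyFilter -Name value).Value
"PasswordChangeEnabled = $enabled"
"Bound thumbprint      = $((Get-Item $sslPath).Thumbprint) (expected $($cert.Thumbprint))"
```

    The script removes any certificate already bound to port 443 before binding the new one; on a server that hosts other HTTPS sites on the same address, check what is bound first with Get-ChildItem IIS:\SslBindings.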

    Step 4: Test the Self-service Password Change Remote Desktop Web Site

    1. From a browser on the local server where you configured self-service password change, open the URL below:
    https://127.0.0.1/RDWeb/Pages/en-US/password.aspx
    2. You'll receive a certificate warning, because the browser does not trust the self-signed certificate and its name does not match 127.0.0.1. Click Advanced, then Continue. In production, users must never have to click through this warning; that is why the certificate must be CA-issued and match the host name they use.

    The site displays the page for changing an AD password.

    If your users receive the error message – "Your new password does not meet the length, complexity, or history requirements of your domain. Try choosing a different new password." – the new password they chose violates the domain password policy. Review the effective policy (Get-ADDefaultDomainPasswordPolicy shows the minimum length, complexity and history settings) and have the user choose a compliant password; only adjust the policy itself if it genuinely does not fit your organization, not just to make the message go away. The page also takes the user name and current password before any sign-in, so it is subject to the domain's account lockout policy like any other logon.

    If the password change does not work at all, ensure that Forms Authentication in Sites > Default Web Site > RDWeb > Pages is enabled.
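    A check script for the troubleshooting points above, added as an example; it is not from the original guide. It assumes an elevated PowerShell on the RD Web Access server with the RSAT Active Directory module installed for the last query. Because the probe uses the loopback address, certificate validation is disabled for that one request only.

```powershell
# Added example, not from the original guide. Run elevated on the RD Web Access server.
Import-Module WebAdministration
$pagesPath = "IIS:\Sites\Default Web Site\RDWeb\Pages"

# 1. Is the password page switched on?
$enabled = (Get-WebConfigurationProperty -PSPath $pagesPath `
    -Filter "appSettings/add[@key='PasswordChangeEnabled']" -Name value).Value
"PasswordChangeEnabled = $enabled"

# 2. Is Forms Authentication in use on RDWeb/Pages? (the mode should read Forms)
$authMode = Get-WebConfigurationProperty -PSPath $pagesPath -Filter "system.web/authentication" -Name mode
"Authentication mode   = $authMode"

# 3. Which certificate is bound to 443, and when does it expire?
$thumb = (Get-Item "IIS:\SslBindings\0.0.0.0!443").Thumbprint
$cert  = Get-Item "Cert:\LocalMachine\My\$thumb"
"Bound certificate     = $($cert.Subject), expires $($cert.NotAfter)"

# 4. Does the page answer over HTTPS? Validation is skipped only because this is a self-signed
#    test certificate reached via 127.0.0.1; never do this from a client in production.
[Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    $resp = Invoke-WebRequest -Uri "https://127.0.0.1/RDWeb/Pages/en-US/password.aspx" -UseBasicParsing
    "HTTP status           = $($resp.StatusCode)"
} finally {
    [Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}

# 5. The domain policy behind the "length, complexity, or history" error, plus the lockout
#    threshold that applies to wrong current passwords typed into this page.
#    Assumption: the RSAT-AD-PowerShell feature is installed on this server.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  LockoutThreshold, LockoutDuration
```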

    Conclusion

    Providing your users with a way to reset their passwords without contacting the Service Desk is a time saver. In this hands-on guide, I have explained the steps to enable self-service password reset using Remote Desktop Web services.

    The first step is to install the IIS web server and the Remote Desktop Web Access Windows Server roles. After that, configure the PasswordChangeEnabled feature of the RDWeb site in IIS.

    Finally, bind a certificate to the site's HTTPS binding and you're good to go.


    Victor Ashiedu


  • How to Setup a Windows Server 2022 AD Domain (Step-by-step)


    Read this guide to learn how to install AD DS and DNS roles in Windows Server 2022, and configure a Windows Active Directory domain.

    Setup Overview

    In this guide, I will create lab.infopressmedia.com AD domain for my home lab. The Domain Controller is a VMware VM with the specs specified in the table below.

    VM Name    CPU       RAM    Hard Disk
    IPMvDC1    2 cores   4 GB   90 GB

    Here are the details of the VM’s network configuration

    Host Name   IP Address     FQDN
    IPMvDC1     192.168.0.81   IPMvDC1.lab.infopressmedia.com

    The sections below detail the steps to configure a new AD DS domain using Windows Server 2022 Standard.

    Step 1: Install Windows Server 2022

    The task of installing Windows Server 2022 is pretty straightforward. So, I'll not provide a step-by-step guide. If you need help with this section, read my guide, How to Install and Configure Windows Server 2022 Core.

    The guide in the above link is for installing Windows Server 2022 Core (no GUI). To install the Server with a GUI, select the Desktop Experience option in the Select Image section of the installation.

    After installing the Operating System, rename the server, assign it a static IP address, set the time zone, and install Windows Updates.

    Once you finish with this boring section, let's get to the main actions in the following sections!

    Step 2: Install AD DS and DNS Roles

    1. Sign in to the server and open PowerShell as administrator.
    2. Then, install the Active Directory Domain Service and DNS roles with the command below
    Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools -IncludeAllSubFeature

    Step 3: Configure DNS for AD DS

    Before promoting the server to a Domain Controller and creating the AD domain, you must configure DNS. Follow the steps in these subsections to get your DNS ready.

    Step 3.1: Create a Forward Lookup Zone

    1. From Server Manager, open the DNS Manager: Tools > DNS.
    2. Then, expand the server name, right-click Forward Lookup Zones, and choose New Zone. On the welcome page, click Next.
    3. After that, on the Zone Type page, select Primary zone.
    4. In the Zone Name field, enter the fully qualified domain name of the AD domain you will create later. Then, accept the default zone file name on the next page.
    5. Then, on the Dynamic Updates page, accept the default – Do not allow dynamic updates. A file-backed zone cannot do secure updates, and allowing nonsecure updates would let any host on the network write records into the zone; updates are switched on, secure only, after the zone becomes AD-integrated in Step 5.
    6. Finally, review your selections and settings and click Finish to create the forward lookup zone.

    Step 3.2: Create a Reverse Lookup Zone

    1. Right-click Reverse Lookup Zones and select New Zone. Then, click Next on the welcome page.
    2. After that, choose Primary zone. Then, IPv4 Reverse Lookup Zone.
    3. For the Reverse Lookup Zone Name, enter the Network ID portion of the IP address of the server – mine is 192.168.0. On the Zone file name page, accept the default.
    4. Then, choose the "Do not allow dynamic updates" option on the next page, then click Finish to create the reverse lookup zone.

    Step 3.3: Configure Forwarder

    For the DNS server to resolve internet addresses, configure a forwarder on the DNS Manager with these steps:

    1. From the DNS Manager, right-click the server and choose Properties.
    2. Then, on the Forwarders tab, click Edit, then enter 8.8.8.8, and press Enter to load the entry. After that, enter 8.8.4.4 and press Enter.

    When you finish, click OK. DO NOT close the server's Properties sheet, as you will need it in the remaining subsections below.

    8.8.8.8 and 8.8.4.4 are Google's public DNS servers. My DNS server will use these to resolve internet DNS names.

    Step 3.4: Configure DNS Interfaces

    Click the Interfaces tab, and choose Only the following IP addresses. After that, check the IPv4 address and uncheck the IPv6 addresses.

    To save all the changes you have made, click OK at the bottom of the Properties sheet.

    Step 3.5: Create the Server’s Host A Record

    1. To create a Host A record, right-click the forward lookup zone in DNS Manager, and choose New Host (A or AAAA).
    2. Then, enter the name and IP address of the new server – ensure that the Create associated pointer (PTR) record checkbox is checked – then, click Add Host.

    Step 3.6: Configure the Server’s DNS Address

    To set the server to use its own IP address for DNS (the promotion wizard in Step 4 must be able to find the zone you just created), open PowerShell as administrator and run this command. Replace 192.168.0.81 with your server's address.

    Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses 192.168.0.81

    Step 3.7: Configure Name Servers

    1. Right-click the forward lookup zone and select Properties.
    2. Click the Name Servers tab; the server should be listed. Select it and click Edit. Then, enter the FQDN of the server and click Resolve – the IP address of the server should display – click OK.
    3. Click the Start of Authority (SOA) tab, then use the Browse button next to Primary server to select the server's name.
    4. Finally, click OK to save the changes and close the zone's properties sheet. If prompted to confirm that you want to delete the original record, click Yes.
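    Steps 3.1 through 3.7 done with the DnsServer module instead of the DNS Manager, added as an example; it is not from the original guide. It assumes the AD DS and DNS roles from Step 2 are installed, runs elevated on the future DC, and uses the guide's lab values (zone lab.infopressmedia.com, host IPMvDC1, address 192.168.0.81); change those for your environment. The NS and SOA fix-up at the end is the scripted form of Step 3.7: the zone must name the server's FQDN as its authoritative server.

```powershell
# Added example, not from the original guide. Run elevated on the server that will become the DC.
$zone     = "lab.infopressmedia.com"
$hostName = "IPMvDC1"
$ip       = "192.168.0.81"
$netId    = "192.168.0.0/24"          # reverse zone 0.168.192.in-addr.arpa
$fqdn     = "$hostName.$zone"

# 3.1 / 3.2: file-backed primary zones; dynamic updates stay off until the zone is AD-integrated.
Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -DynamicUpdate None
Add-DnsServerPrimaryZone -NetworkId $netId -ZoneFile "0.168.192.in-addr.arpa.dns" -DynamicUpdate None

# 3.3: forwarders for internet names (Google public DNS, as in the guide).
Add-DnsServerForwarder -IPAddress 8.8.8.8, 8.8.4.4

# 3.4: listen only on the server's IPv4 address (dnscmd, as the DnsServer module has no cmdlet for this).
dnscmd /ResetListenAddresses $ip | Out-Null

# 3.5: host record for the server, plus the matching PTR in the reverse zone.
Add-DnsServerResourceRecordA -Name $hostName -ZoneName $zone -IPv4Address $ip -CreatePtr

# 3.6: the server must resolve through itself so that promotion finds the zone.
Get-NetAdapter | Where-Object Status -eq "Up" | Set-DnsClientServerAddress -ServerAddresses $ip

# 3.7: name servers. Add the FQDN as an NS record, then drop any NS record that still
#      carries the bare host name the zone was created with.
Add-DnsServerResourceRecord -ZoneName $zone -Name "@" -NS -NameServer "$fqdn."
Get-DnsServerResourceRecord -ZoneName $zone -RRType NS |
    Where-Object { $_.RecordData.NameServer -ne "$fqdn." } |
    Remove-DnsServerResourceRecord -ZoneName $zone -Force

# 3.7: SOA primary server. Records are replaced old-for-new, so clone, edit, and swap.
$oldSoa = Get-DnsServerResourceRecord -ZoneName $zone -RRType Soa
$newSoa = $oldSoa.Clone()
$newSoa.RecordData.PrimaryServer = "$fqdn."
Set-DnsServerResourceRecord -ZoneName $zone -OldInputObject $oldSoa -NewInputObject $newSoa

# Verification: both zones exist, the A/PTR pair resolves, and NS/SOA name the FQDN.
Get-DnsServerZone | Where-Object { $_.ZoneName -in $zone, "0.168.192.in-addr.arpa" } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
Resolve-DnsName -Name $fqdn -Server $ip | Select-Object Name, IPAddress
Resolve-DnsName -Name $ip -Server $ip   | Select-Object Name, NameHost
(Get-DnsServerResourceRecord -ZoneName $zone -RRType Soa).RecordData.PrimaryServer
```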

    Step 4: Create an Active Directory Domain

    1. Open Server Manager, then click the post-installation task flag and select Promote this server to a domain controller.
    2. On the first page of the wizard, select the Add a new forest option and enter the Forest root domain – the domain name you want to configure. After that, click Next.
    3. On the Domain Controller Options page, leave DNS server and Global Catalog checked, then enter and confirm the Directory Services Restore Mode (DSRM) password. This is not the domain Administrator password: it is a separate local password used to boot the DC into DSRM for recovery, so choose a strong one and store it securely.
    4. On the DNS Options page, ignore the zone delegation warning and click Next. On the Additional Options page, the NetBIOS name will be filled in automatically.
    5. Accept the default paths for the Database, Log files, and SYSVOL folders.
    6. Review your selections and click Next – the wizard will run prerequisite checks. If all prerequisite checks pass, click Install and wait for the server to be promoted to a DC; it restarts automatically when the promotion finishes.
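    The same promotion from PowerShell instead of the wizard, added as an example; it is not from the original guide. It assumes the roles from Step 2 are installed and DNS is prepared as in Step 3, uses the guide's domain name with the NetBIOS name the wizard would derive from it (LAB), and prompts for the DSRM password rather than hard-coding it. The prerequisite check is the same one the wizard runs before Install.

```powershell
# Added example, not from the original guide. Run elevated on the server being promoted.
$domain  = "lab.infopressmedia.com"
$netbios = "LAB"                      # assumption: the wizard's default NetBIOS name for this domain
$dsrm    = Read-Host -AsSecureString -Prompt "DSRM (Directory Services Restore Mode) password"

Import-Module ADDSDeployment

# Prerequisite checks, exactly what the wizard runs on the Prerequisites Check page.
$check = Test-ADDSForestInstallation -DomainName $domain -DomainNetbiosName $netbios `
    -InstallDns -SafeModeAdministratorPassword $dsrm
$check | Format-List Status, Message

if ($check.Status -eq "Success") {
    # WinThreshold is the Windows Server 2016 functional level, the wizard's default on Server 2022.
    # -InstallDns reuses the zone prepared in Step 3. Default paths match the wizard; the server
    # reboots on completion because -NoRebootOnCompletion is not set.
    Install-ADDSForest -DomainName $domain -DomainNetbiosName $netbios `
        -ForestMode WinThreshold -DomainMode WinThreshold `
        -InstallDns -CreateDnsDelegation:$false `
        -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" `
        -SafeModeAdministratorPassword $dsrm -Force
} else {
    Write-Warning "Prerequisite check failed; fix the reported problem before promoting."
}
```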

    Step 5: Reconfigure the DNS Zone

    After deploying AD DS, you must reconfigure the DNS zone type to an Active Directory-integrated zone, and perform some other configurations.

    Follow the steps below to complete these tasks.

    1. Open the DNS Manager, then right-click the forward lookup zone you created earlier and select Properties.
    2. On the General tab, click the Change button next to the zone Type.
    3. Then, on the Zone Type pop-up, check the "Store the zone in Active Directory" checkbox and click OK. Click Yes to confirm the action.

    The zone type will now become Active Directory-integrated and Replication will be set to All DNS servers in the domain.

    The final step is to configure the zone to allow only secure dynamic updates. To change the setting, click the Dynamic updates drop-down and choose Secure only.

    Finally, to save your changes and close the zone's properties sheet, click OK.

    Repeat the steps in this section for the Reverse Lookup zone.

    The steps in this section changed the DNS zone type from a file-backed Primary zone to an Active Directory-integrated zone, whose records are stored in AD and replicated with it. Secondly, the zone is set to replicate to all DNS servers in the domain – which is the default and recommended configuration for AD-integrated zones.

    Finally, we set up the zone to allow only Secure dynamic updates. This lets domain-joined computers, authenticated with their computer accounts, register and update their own records in the zone. The alternative, Nonsecure and secure, would let any host on the network add or overwrite any record, which is why Secure only is the recommended setting for Active Directory-integrated DNS zones.
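    The zone conversion for both zones with the DnsServer module, added as an example; it is not from the original guide. It runs elevated on the new DC after the post-promotion reboot and uses the guide's lab zone names. The final query is the check to run afterwards: each zone should show IsDsIntegrated True, ReplicationScope Domain and DynamicUpdate Secure.

```powershell
# Added example, not from the original guide. Run elevated on the DC after it has rebooted.
$zones = @("lab.infopressmedia.com", "0.168.192.in-addr.arpa")

foreach ($z in $zones) {
    $current = Get-DnsServerZone -Name $z
    if (-not $current.IsDsIntegrated) {
        # Same as "Store the zone in Active Directory" with replication to all DNS servers in the domain.
        ConvertTo-DnsServerPrimaryZone -Name $z -ReplicationScope Domain -Force
    }
    # Secure only: a record may be registered or changed only by an authenticated domain member.
    # NonsecureAndSecure would let any host on the network overwrite any record.
    Set-DnsServerPrimaryZone -Name $z -DynamicUpdate Secure
}

# Verification: the three columns every zone should show after this step.
Get-DnsServerZone |
    Where-Object { $zones -contains $_.ZoneName } |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate
```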

    Step 6: Add the Domain to the DNS Zone

    For computers on the network to be able to join the domain, the zone must carry the domain's locator records. To do this:

    1. Right-click the zone and choose New Domain.
    2. Then, enter the FQDN of the domain and click OK.

    After adding the Domain to the DNS zone, when you refresh the zone, additional records like _msdcs, _sites, _tcp, etc. will have been added. These subdomains and the SRV records under them are registered by the Netlogon service on the Domain Controller, not typed in by hand; if they are missing after a refresh, restart the Netlogon service (or run nltest /dsregdns) and refresh the zone again.
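    A check that the locator records exist, with the re-registration fallback, added as an example; it is not from the original guide. It runs on the DC and uses the guide's domain name. The four SRV names queried are the ones domain-join and logon use to find a DC, so if they resolve, a client that points at this DNS server can find the domain.

```powershell
# Added example, not from the original guide. Run on the DC.
$domain = "lab.infopressmedia.com"

# The records clients use to locate a DC. Netlogon registers them; they are never typed in by hand.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$domain",
    "_kerberos._tcp.$domain"
)

$missing = @()
foreach ($name in $srvNames) {
    $rec = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
           Where-Object Type -eq "SRV"
    if ($rec) { "{0,-45} -> {1}:{2}" -f $name, $rec[0].NameTarget, $rec[0].Port }
    else      { $missing += $name }
}

if ($missing.Count -gt 0) {
    "Missing: $($missing -join ', '). Asking Netlogon to re-register its records..."
    nltest /dsregdns
    Start-Sleep -Seconds 10
    foreach ($name in $missing) {
        $ok = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
        "{0,-45} {1}" -f $name, $(if ($ok) { "now present" } else { "STILL MISSING" })
    }
}

# Full DNS health test for the DC (registration, delegation, forwarders, dynamic update).
dcdiag /test:dns
```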

    Step 7: Join Computers to the Domain

    Before joining a computer to your new domain, you must change its DNS server to the DC's IP address. The client locates the domain through the SRV records in the zone, so a computer that still points at a public or ISP DNS server cannot find it.

    To join a computer to the domain:

    1. Search for advanced system settings and open it from the search results.
    2. Then, click the Computer Name tab and then the Change button.
    3. Then, choose the Domain option, enter the FQDN of the domain, and click OK.
    4. Finally, enter the username and password for an account with the permission to add computers to the domain and click OK.

    After a few seconds, you should receive a "Welcome to …" message – click OK. Then, when prompted, restart the computer.
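    The join from an elevated PowerShell on the computer being joined, added as an example; it is not from the original guide. It uses the guide's DC address and domain name and prompts for the joining account's credential rather than storing it. The Resolve-DnsName step proves the client can locate a DC before Add-Computer runs, which is the usual cause of join failures. One caveat a practitioner should know: by default, any authenticated domain user can join up to 10 computers (the ms-DS-MachineAccountQuota attribute), which is why hardening guides set that quota to 0 and delegate the join permission to a dedicated account or group.

```powershell
# Added example, not from the original guide. Run elevated on the computer being joined.
$dcIp   = "192.168.0.81"
$domain = "lab.infopressmedia.com"

# The client must use the DC for DNS, or it cannot find the domain at all.
Get-NetAdapter | Where-Object Status -eq "Up" | Set-DnsClientServerAddress -ServerAddresses $dcIp

# Locate a DC through the SRV record before attempting the join; stop here if that fails.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
       Where-Object Type -eq "SRV"
"Domain controller found: $($srv[0].NameTarget) on port $($srv[0].Port)"

# Join with an account that is allowed to add computers; the password is prompted, never stored.
$cred = Get-Credential -Message "Account allowed to join computers to $domain"
Add-Computer -DomainName $domain -Credential $cred -Restart
```

    If the join must land the computer in a specific organizational unit rather than the default Computers container, add -OUPath with the OU's distinguished name to the Add-Computer call.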

    Conclusion

    Setting up a new Active Directory domain is pretty simple. However, it requires going through specific steps, which include proper DNS configuration.

    In this guide, I explained the steps you need to deploy the first Domain Controller in an AD forest, thereby creating a new Active Directory domain.

    I'm confident that you found this guide helpful, but I will still want to hear from you. Let me know your thoughts by responding to the "Was this page helpful?" feedback request below.


    Victor Ashiedu
