Active Directory + AD CS

Basic Information

Field	Value
Category	Infrastructure
Owner	Filip Kohák (AD), Artem Ryzhkov (AD CS / certificates)
Deputy	Sergej Vdovičenko
SLA	24x7
Deployment	On-prem VM (Windows Server, Proxmox cluster)

Description

Active Directory (AD) is the directory service for managing local user accounts, computers, groups, and Group Policy Objects (GPO). It runs on two Windows Server VMs (Srv01 as primary DC, Srv02 as secondary DC) on the Proxmox cluster.

AD CS (Active Directory Certificate Services) issues internal certificates for:

Wireless authentication (802.1X / FortiNAC)
Internal HTTPS services
VPN certificates (FortiClient)

RSAT / Active Directory Users and Computers: on a domain-joined Windows PC
Remote Desktop: mstsc → Srv01 or Srv02 (IP from Passbolt)
PowerShell: Enter-PSSession -ComputerName srv01
Internal domain name: etnetera.local
Login: domain admin account (stored in Passbolt)

Warning

Use the domain admin account only for necessary operations. Use a standard account for daily work. Changes to GPO or AD CS can affect all users or certificates.

Procedure — Create New User Account

Open Active Directory Users and Computers (ADUC)
Navigate to the correct OU (e.g. etnetera.local/Users/Employees)
Right-click → New → User
Fill in: First Name, Last Name, User Logon Name (firstname.lastname)
Set password → check User must change password at next logon
Add user to appropriate groups

Procedure — Manage GPO (Group Policy)

Open Group Policy Management (gpmc.msc) on DC
Navigate to domain or OU
Right-click → Create a GPO in this domain or edit existing
Edit policy: Computer Configuration or User Configuration
Policy applies on next gpupdate /force or user logon

Tip

Test new GPOs on the IT-Test OU (test machines) before rolling out to the entire domain.

Procedure — Issue Internal Certificate (AD CS)

On a domain PC open certmgr.msc or MMC → Certificates
Right-click → All Tasks → Request New Certificate
Select template (e.g. Web Server, Computer, User)
The domain CA issues the certificate automatically

Troubleshooting

Problem	Solution
Locked account	ADUC → find user → Properties → Account → uncheck Account is locked out
Forgotten password	ADUC → right-click user → Reset Password
GPO not applying	On workstation: `gpupdate /force`; diagnose: `gpresult /r`
DC replication failing	`repadmin /showrepl`; verify network between Srv01 ↔ Srv02
Certificate cannot be issued	Check CA status: `certutil -ping`; verify template and user permissions

Sync with Entra ID

AD is synchronized with Entra ID (Azure AD) via Entra Connect Sync. Users and groups from on-prem AD are replicated to the cloud.

Sync interval: ~30 minutes
Forced sync: Start-ADSyncSyncCycle -PolicyType Delta on the sync server

Entra ID — cloud identity, sync from AD
FortiNAC — uses AD groups for VLAN mapping
Proxmox — hosts Windows Server VMs

Contact

Owner (AD): Filip Kohák — Slack @filip / filip.kohak@etnetera.cz
Owner (AD CS / certificates): Artem Ryzhkov — Slack @artem
Deputy: Sergej Vdovičenko — Slack @sergej
Urgent incidents (DC outage): Slack #it-alerts

Active Directory + AD CS ​

Basic Information ​

Description ​

Access and Login ​

Procedure — Create New User Account ​

Procedure — Manage GPO (Group Policy) ​

Procedure — Issue Internal Certificate (AD CS) ​

Troubleshooting ​

Sync with Entra ID ​

Related Guides ​

Contact ​