projects/nebula-domain-join
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add domain controller setup guide

Browse Source
This commit is contained in:
Damien Coles 2026-02-12 14:31:09 -08:00
parent a4847a3fd5
commit 08be15e31b
2 changed files with 116 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

114
DC-SETUP.md Normal file
View File

@ -0,0 +1,114 @@
# Domain Controller Setup
This document describes the expected Active Directory domain controller configuration for use with the Nebula domain bootstrap scripts. The DC must already be a member of the Nebula mesh before onboarding workstations.
## Assumptions
- The DC is running Windows Server with Active Directory Domain Services (AD DS) and DNS Server roles
- The DC has a Nebula certificate with a group that workstations are allowed to reach (e.g., `ad`)
- The DC is accessible to workstations at its Nebula IP (e.g., `10.10.10.13`)
## Nebula Configuration
The DC's Nebula certificate should be in a group (e.g., `ad`) that workstations have firewall access to. The DC's Nebula firewall rules must allow inbound traffic from the `workstations` group for the following services:
| Service | Ports | Protocol |
|---|---|---|
| DNS | 53 | TCP/UDP |
| Kerberos | 88 | TCP/UDP |
| LDAP | 389 | TCP/UDP |
| LDAPS | 636 | TCP |
| SMB (Group Policy) | 445 | TCP |
| Kerberos Password Change | 464 | TCP/UDP |
| Global Catalog | 3268-3269 | TCP |
| RPC/Dynamic | 49152-65535 | TCP |
Alternatively, allow `any` port/protocol from the `workstations` group if fine-grained port filtering is not required.
## DNS Configuration
The DC's DNS server should be configured with the following:
### Forward Lookup Zones
1. **Domain zone** (e.g., `arvandor.internal`) — Created automatically when AD DS is installed. Contains SRV records for domain services (`_ldap._tcp`, `_kerberos._tcp`, etc.) that allow workstations to locate the DC.
2. **Nebula zone** (e.g., `.nebula`) — Internal zone for resolving Nebula mesh hostnames. Add A records for each node on the mesh.
### Forwarders
Configure DNS forwarders for external resolution. Queries that don't match any local zone are forwarded upstream:
- **1.1.1.1** (Cloudflare) — or your preferred external DNS provider
This allows workstations that use the DC as their sole DNS server (over the Nebula adapter) to resolve both internal and external names.
### DNS Resolution Flow
```
Workstation (nebula1 adapter)
└─► DC DNS at 10.10.10.13 (over Nebula tunnel)
├─► arvandor.internal → local zone (AD records)
├─► .nebula → local zone (mesh hostnames)
└─► everything else → forwarded to 1.1.1.1
```
Physical adapters (Wi-Fi, Ethernet) retain their DHCP-assigned DNS and are not affected.
## Active Directory Configuration
### Organizational Units
Create OUs to organize computer objects by type. Example structure:
```
arvandor.internal
└─ Computers
├─ Workstations
└─ Servers
```
### Pre-staging Computer Objects
To pre-stage a computer object before onboarding:
1. Open **Active Directory Users and Computers**
2. Navigate to the target OU
3. Right-click > **New** > **Computer**
4. Enter the machine's intended NetBIOS name
The bootstrap scripts will auto-match the pre-staged object if the machine is renamed to match before running the bootstrap. If no pre-staged object exists, AD will create one automatically in the default Computers container during the domain join.
### Group Policy
GPOs linked to the OU containing the computer object will apply after the machine reboots following the domain join. The Nebula tunnel provides connectivity to the DC at the login screen, so GPOs are pulled before any user logs in.
## Network Trust Model
```
workstations ──► ad ──► infrastructure
```
- **workstations** can only reach the `ad` group (DNS, LDAP, Kerberos, GPO)
- **ad** can reach the `infrastructure` group (upstream services, Nebula DNS)
- **infrastructure** has broad access
Workstations never communicate with infrastructure directly. All domain services flow through the DC over the Nebula mesh.
## Verification
From a workstation that has completed the bootstrap:
```powershell
# Verify DNS resolution
nslookup arvandor.internal
# Verify domain SRV records are reachable
nslookup -type=SRV _ldap._tcp.arvandor.internal
# Verify Nebula mesh connectivity to DC
ping 10.10.10.13
# Verify GPO application (after domain join and reboot)
gpresult /r
```

2
README.md
View File

@ -4,6 +4,8 @@ Onboards a Windows machine to the Nebula mesh network and joins it to an Active
**Nebula version:** 1.10.3 (downloaded from GitHub at install time) **Nebula version:** 1.10.3 (downloaded from GitHub at install time)
For domain controller setup requirements, see [DC-SETUP.md](DC-SETUP.md).
## Prerequisites ## Prerequisites
Before running, you need the following **per-host files** prepared by the domain administrator: Before running, you need the following **per-host files** prepared by the domain administrator: