projects/nebula-domain-join
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
nebula-domain-join/DC-SETUP.md

4.1 KiB
Raw Blame History

Domain Controller Setup

This document describes the expected Active Directory domain controller configuration for use with the Nebula domain bootstrap scripts. The DC must already be a member of the Nebula mesh before onboarding workstations.

Assumptions

  • The DC is running Windows Server with Active Directory Domain Services (AD DS) and DNS Server roles
  • The DC has a Nebula certificate with a group that workstations are allowed to reach (e.g., ad)
  • The DC is accessible to workstations at its Nebula IP (e.g., 10.10.10.13)

Nebula Configuration

The DC's Nebula certificate should be in a group (e.g., ad) that workstations have firewall access to. The DC's Nebula firewall rules must allow inbound traffic from the workstations group for the following services:

Service Ports Protocol
DNS 53 TCP/UDP
Kerberos 88 TCP/UDP
LDAP 389 TCP/UDP
LDAPS 636 TCP
SMB (Group Policy) 445 TCP
Kerberos Password Change 464 TCP/UDP
Global Catalog 3268-3269 TCP
RPC/Dynamic 49152-65535 TCP

Alternatively, allow any port/protocol from the workstations group if fine-grained port filtering is not required.

DNS Configuration

The DC's DNS server should be configured with the following:

Forward Lookup Zones

  1. Domain zone (e.g., arvandor.internal) — Created automatically when AD DS is installed. Contains SRV records for domain services (_ldap._tcp, _kerberos._tcp, etc.) that allow workstations to locate the DC.

  2. Nebula zone (e.g., .nebula) — Internal zone for resolving Nebula mesh hostnames. Add A records for each node on the mesh.

Forwarders

Configure DNS forwarders for external resolution. Queries that don't match any local zone are forwarded upstream:

  • 1.1.1.1 (Cloudflare) — or your preferred external DNS provider

This allows workstations that use the DC as their sole DNS server (over the Nebula adapter) to resolve both internal and external names.

DNS Resolution Flow

Workstation (nebula1 adapter)
  └─► DC DNS at 10.10.10.13 (over Nebula tunnel)
        ├─► arvandor.internal  →  local zone (AD records)
        ├─► .nebula            →  local zone (mesh hostnames)
        └─► everything else    →  forwarded to 1.1.1.1

Physical adapters (Wi-Fi, Ethernet) retain their DHCP-assigned DNS and are not affected.

Active Directory Configuration

Organizational Units

Create OUs to organize computer objects by type. Example structure:

arvandor.internal
  └─ Computers
       ├─ Workstations
       └─ Servers

Pre-staging Computer Objects

To pre-stage a computer object before onboarding:

  1. Open Active Directory Users and Computers
  2. Navigate to the target OU
  3. Right-click > New > Computer
  4. Enter the machine's intended NetBIOS name

The bootstrap scripts will auto-match the pre-staged object if the machine is renamed to match before running the bootstrap. If no pre-staged object exists, AD will create one automatically in the default Computers container during the domain join.

Group Policy

GPOs linked to the OU containing the computer object will apply after the machine reboots following the domain join. The Nebula tunnel provides connectivity to the DC at the login screen, so GPOs are pulled before any user logs in.

Network Trust Model

workstations  ──►  ad  ──►  infrastructure
  • workstations can only reach the ad group (DNS, LDAP, Kerberos, GPO)
  • ad can reach the infrastructure group (upstream services, Nebula DNS)
  • infrastructure has broad access

Workstations never communicate with infrastructure directly. All domain services flow through the DC over the Nebula mesh.

Verification

From a workstation that has completed the bootstrap:

# Verify DNS resolution
nslookup arvandor.internal

# Verify domain SRV records are reachable
nslookup -type=SRV _ldap._tcp.arvandor.internal

# Verify Nebula mesh connectivity to DC
ping 10.10.10.13

# Verify GPO application (after domain join and reboot)
gpresult /r