Active Directory Services

Active Directory Domain Services on home-dc01.inside.domusdigitalis.dev provides identity management, DNS, and ISE integration for the Domus Digitalis environment.

1. Service Overview

Property   | Value
-----------|------------------------------------------------------
Hostname   | home-dc01.inside.domusdigitalis.dev
IP Address | 10.50.1.50
Domain     | inside.domusdigitalis.dev
Realm      | INSIDE.DOMUSDIGITALIS.DEV
Platform   | Windows Server 2022 → 2025 Core (migration pending)

Migration Planned: Migrating from Windows Server 2022 (Desktop) to Windows Server 2025 Core with AD-only role. DNS moves to pfSense, PKI to Vault. See Windows Server 2025 Core DC Migration.

2. Active Roles

Role  | Function                                               | Status
------|--------------------------------------------------------|-------
AD DS | Identity and authentication for domain-joined systems  | Active
DNS   | Internal DNS for inside.domusdigitalis.dev             | Active
LDAP  | Directory services for ISE, Keycloak, applications     | Active

3. Deprecated Roles

Role       | Function                               | Status
-----------|----------------------------------------|-----------
AD CS (CA) | HOME-ROOT-CA - Certificate Authority   | Deprecated

AD CS Migration In Progress

  • No new certificates from HOME-ROOT-CA

  • Existing client certs remain valid until expiry

  • All new certs issued from HashiCorp Vault (DOMUS-ROOT-CA)

  • Target decommission: 2026-07
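To see what the cut-over still depends on, the following added example (not part of the original page) inventories certificates in the local machine store that were issued by the deprecated HOME-ROOT-CA and classifies each against the 2026-07 decommission target stated above. The store path and the 2026-07-01 date are taken as assumptions from that note; run it on the DC and on each domain-joined host.

```powershell
# Added example, not part of the original page: list certificates issued by the
# deprecated HOME-ROOT-CA and flag any that remain valid past the decommission date.
# A certificate that outlives the CA must be reissued from Vault (DOMUS-ROOT-CA)
# before the old root is withdrawn, or its chain will stop validating.

function Get-LegacyCaCertificates {
    param(
        [string]   $IssuerName   = 'HOME-ROOT-CA',
        [datetime] $Decommission = (Get-Date '2026-07-01'),   # assumed: "2026-07" from the migration note
        [string]   $StorePath    = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -like "*CN=$IssuerName*" } |
        ForEach-Object {
            $state = if ($_.NotAfter -le (Get-Date))        { 'Expired' }
                     elseif ($_.NotAfter -gt $Decommission) { 'ReissueFromVault' }    # outlives the CA
                     else                                   { 'ExpiresBeforeDecom' }
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                HasKey     = $_.HasPrivateKey   # leaf with a key = a TLS/EAP-TLS identity, not just a trust anchor
                State      = $state
            }
        }
}

Get-LegacyCaCertificates | Sort-Object NotAfter | Format-Table -AutoSize
```

Repeat with `-StorePath Cert:\CurrentUser\My` for user certificates. At decommission time also remove HOME-ROOT-CA from the enterprise NTAuth store (`certutil -viewstore -enterprise NTAuth`): any CA listed there remains trusted to issue certificates for domain authentication, which is more than a deprecated CA should keep.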

4. ISE Integration

AD provides identity resolution for ISE 802.1X authentication:

Integration Point        | Purpose
-------------------------|---------------------------------------------------------------
Identity Store           | Machine and user authentication for EAP-TLS, PEAP
Group Membership         | Authorization policy conditions (e.g., GRP-Research-Linux-Workstations)
Certificate Mapping      | Subject CN → AD computer account for EAP-TLS
External Identity Source | ISE joined to inside.domusdigitalis.dev for LDAP queries

4.1. ISE AD Join Status

# Verify the ISE AD join point
netapi ise get-ad-join-point

# Confirm the ISE application services are running. This does not by itself test AD
# reachability; join status and a test authentication are in the admin UI under
# Administration > Identity Management > External Identity Sources > Active Directory.
show application status ise
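The two AD lookups the EAP-TLS flow in the table above depends on, Subject CN → computer account and membership in the group an authorization rule tests, can be pre-checked from any host with the RSAT ActiveDirectory module. The following is an added example, not code from the original page; the sample CN `lnx-ws-01.inside.domusdigitalis.dev` is a constructed placeholder, and the DC name and group name are taken from this page.

```powershell
# Added example, not part of the original page: check that a client certificate's
# Subject CN maps to exactly one enabled AD computer account and that the account is
# in the group the ISE authorization rule expects.

Import-Module ActiveDirectory

function Test-EapTlsComputerMapping {
    param(
        [Parameter(Mandatory)] [string] $SubjectCN,
        [string] $RequiredGroup = 'GRP-Research-Linux-Workstations',
        [string] $Server        = 'home-dc01.inside.domusdigitalis.dev'
    )

    # Accept either the FQDN or the short host name. The filter is a script block so the
    # CN, which comes from an untrusted certificate, is passed as a value rather than
    # spliced into an LDAP filter string.
    $shortName = ($SubjectCN -split '\.')[0]
    $computer  = Get-ADComputer -Server $Server -Properties DNSHostName, Enabled, MemberOf `
                    -Filter { DNSHostName -eq $SubjectCN -or Name -eq $shortName }

    if (-not $computer) {
        return [pscustomobject]@{ SubjectCN = $SubjectCN; Mapped = $false; Enabled = $null; InGroup = $false; Reason = 'no matching computer account' }
    }
    if (@($computer).Count -gt 1) {
        return [pscustomobject]@{ SubjectCN = $SubjectCN; Mapped = $false; Enabled = $null; InGroup = $false; Reason = 'ambiguous: CN matches more than one account' }
    }

    # MemberOf is direct membership only; nested membership needs a recursive
    # Get-ADGroupMember on the group or the tokenGroups attribute.
    $groupDn = (Get-ADGroup -Server $Server -Identity $RequiredGroup).DistinguishedName
    $inGroup = $computer.MemberOf -contains $groupDn

    [pscustomobject]@{
        SubjectCN = $SubjectCN
        Mapped    = $true
        Enabled   = $computer.Enabled
        InGroup   = $inGroup
        Reason    = if (-not $computer.Enabled) { 'account disabled' }
                    elseif (-not $inGroup)      { "not a member of $RequiredGroup" }
                    else                        { 'ok' }
    }
}

Test-EapTlsComputerMapping -SubjectCN 'lnx-ws-01.inside.domusdigitalis.dev'   # placeholder host
```

A disabled account or an ambiguous CN match fails here before it fails at the switch port, which is where it would otherwise surface as an unexplained 802.1X reject.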

5. DNS Zones

Zone                      | Purpose
--------------------------|------------------------------------------
inside.domusdigitalis.dev | Internal forward lookup (all infrastructure)
1.50.10.in-addr.arpa      | Reverse lookup for management VLAN (10.50.1.0/24)
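Because the reverse zone is AD-integrated and maintained alongside the forward zone, the check worth running is that the two still agree. The following added example (not part of the original page) resolves each host's A record against the DC and confirms the PTR round-trips to the same name. Only home-dc01 and the zone names are from this page; `lnx-ws-01` is a constructed placeholder.

```powershell
# Added example, not part of the original page: verify forward/reverse consistency for
# hosts in the management VLAN, querying the DC while it still holds the DNS role.

function Test-DnsConsistency {
    param(
        [string[]] $Hosts,
        [string]   $Zone   = 'inside.domusdigitalis.dev',
        [string]   $Server = '10.50.1.50'
    )

    foreach ($h in $Hosts) {
        $fqdn = "$h.$Zone"
        $aRecords = Resolve-DnsName -Name $fqdn -Type A -Server $Server -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' }

        if (-not $aRecords) {
            [pscustomobject]@{ Host = $fqdn; Address = $null; PtrName = $null; InMgmtZone = $false; Consistent = $false }
            continue
        }

        foreach ($rec in $aRecords) {
            $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -Server $Server -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'PTR' }
            [pscustomobject]@{
                Host       = $fqdn
                Address    = $rec.IPAddress
                PtrName    = ($ptr.NameHost -join ',')
                InMgmtZone = $rec.IPAddress -like '10.50.1.*'            # covered by 1.50.10.in-addr.arpa
                Consistent = @($ptr.NameHost) -contains $fqdn            # PTR must round-trip to the same FQDN
            }
        }
    }
}

Test-DnsConsistency -Hosts @('home-dc01', 'lnx-ws-01') | Format-Table -AutoSize   # lnx-ws-01 is a placeholder
```

Hosts outside 10.50.1.0/24 will show `InMgmtZone = False` with no PTR until a reverse zone for their VLAN exists; when DNS moves to pfSense, rerun with `-Server` pointed at it to confirm both zones were carried over.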

6. Security Groups (ISE-Relevant)

Group                           | Purpose
--------------------------------|-------------------------------------------------
GRP-Research-Linux-Workstations | Linux workstations for EAP-TLS authorization rules
GRP-Research-Linux-Admins       | Sudo access via SSSD group mapping
GRP-ISE-NAD-Devices             | Network devices for TACACS+ (if applicable)

7. Backup & Recovery

Item             | Location
-----------------|------------------------------------------
System State     | Windows Server Backup → NAS
AD Database      | C:\Windows\NTDS\ (ntds.dit and transaction logs)
DNS Zones        | AD-integrated (replicated with AD, so covered by the system state backup)
Recovery Runbook | runbooks/disaster-recovery.adoc
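A system state backup is only useful for AD recovery while it is younger than the forest's tombstone lifetime; older backups are rejected for both authoritative and non-authoritative restores. The following added example (not part of the original runbook) reads the last successful Windows Server Backup run on the DC and compares its age with the tombstone lifetime read from the directory. The seven-day warning threshold is an assumption, not a value from this page.

```powershell
# Added example, not part of the original page: check that the last system state
# backup of the DC is both recent and still within the tombstone lifetime.
# Run on home-dc01 with the Windows Server Backup feature and RSAT AD module installed.

Import-Module WindowsServerBackup
Import-Module ActiveDirectory

function Test-DcBackupFreshness {
    param([int] $WarnAfterDays = 7)   # assumed operational threshold

    # tombstoneLifetime lives on the Directory Service object in the configuration partition.
    $rootDse = Get-ADRootDSE
    $dsObj   = Get-ADObject -Properties tombstoneLifetime `
                 -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    # Forests created before Windows Server 2003 SP1 leave the attribute unset and default to 60 days;
    # newer forests set it explicitly (180 by default).
    $tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }

    $summary = Get-WBSummary
    $last    = $summary.LastSuccessfulBackupTime
    $ageDays = if ($last) { (New-TimeSpan -Start $last -End (Get-Date)).Days } else { $null }

    [pscustomobject]@{
        LastSuccessfulBackup = $last
        BackupTarget         = $summary.LastBackupTarget
        AgeDays              = $ageDays
        TombstoneLifetime    = $tsl
        Restorable           = ($null -ne $ageDays) -and ($ageDays -lt $tsl)   # restore tools refuse older backups
        Stale                = ($null -eq $ageDays) -or ($ageDays -gt $WarnAfterDays)
    }
}

Test-DcBackupFreshness
```

If `Stale` is true, take a fresh one with `wbadmin start systemstatebackup -backupTarget:<NAS share>` before any change to the DC, the migration in section 1 included.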