DC & Vault PKI Migration

Overview

Migration from legacy Windows Server 2022 (Desktop Experience) with AD CS to a modern architecture:

  • Windows Server 2025 Core - No GUI, PowerShell-only administration

  • Vault PKI - DOMUS-ROOT-CA / DOMUS-ISSUING-CA replaces HOME-ROOT-CA / HOME-ISSUING-CA

  • ISE Integration - AD groups for 802.1X authorization

Architecture

Before (Legacy)

Component             Configuration
DC                    Windows Server 2022 Standard (Desktop Experience)
PKI                   Windows AD CS (HOME-ROOT-CA / HOME-ISSUING-CA)
Certificate Issuance  GPO auto-enrollment
Administration        RDP, GUI tools

After (Modern)

Component             Configuration
DC                    Windows Server 2025 Standard (Core) - home-dc01
PKI                   HashiCorp Vault (DOMUS-ROOT-CA / DOMUS-ISSUING-CA)
Certificate Issuance  Vault CLI (vault write pki_int/issue/…)
Administration        SSH + PowerShell, no GUI
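The new issuance path in the table above, vault write pki_int/issue/<role>, driven from PowerShell and checked offline before the certificate is handed to a supplicant. This is an added example, not the page's own script or runbook. Assumptions not stated on the page: the mount is named pki_int, the role is named eap-tls-client, VAULT_ADDR and VAULT_TOKEN already point at vault-01, and the mount's ca_chain includes DOMUS-ROOT-CA. It requires PowerShell 7.

```powershell
#Requires -Version 7.0
using namespace System.Security.Cryptography.X509Certificates

<#
Added example (not the page's own script). Issues a leaf certificate from the
Vault issuing CA and verifies it against the returned chain only, without
touching the machine trust store. Assumptions: mount "pki_int", role
"eap-tls-client", VAULT_ADDR/VAULT_TOKEN set for vault-01, ca_chain includes
the root. PowerShell 7 only.
#>
param(
    [Parameter(Mandatory)] [string] $CommonName,    # supplicant hostname (assumed value)
    [string] $Role   = 'eap-tls-client',             # assumed role name
    [string] $Ttl    = '720h',
    [string] $OutDir = (Join-Path $PWD 'certs')
)
$ErrorActionPreference = 'Stop'

function ConvertFrom-PemCertificate {
    # Decode every CERTIFICATE block in a PEM string into an X509Certificate2.
    param([string] $Pem)
    $pattern = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($Pem, $pattern, 'Singleline')) {
        [X509Certificate2]::new([Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', '')))
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Issue. -format=json replaces the CLI's table output with something parseable.
$raw = & vault write -format=json "pki_int/issue/$Role" "common_name=$CommonName" "ttl=$Ttl"
if ($LASTEXITCODE -ne 0) { throw "vault write failed (exit $LASTEXITCODE)" }
$data = (($raw -join "`n") | ConvertFrom-Json).data

# 2. Persist. Vault returns the private key exactly once; restrict the file to the caller.
$chainPem = ($data.ca_chain -join "`n")
$keyFile  = Join-Path $OutDir "$CommonName.key"
Set-Content -Path $keyFile                              -Value $data.private_key
Set-Content -Path (Join-Path $OutDir "$CommonName.crt") -Value $data.certificate
Set-Content -Path (Join-Path $OutDir 'ca-chain.pem')    -Value $chainPem
icacls.exe $keyFile /inheritance:r /grant "${env:USERNAME}:F" | Out-Null

# 3. Verify against the returned chain, not the machine store: during the migration
#    DOMUS-ROOT-CA is not trusted on this host yet, and a still-trusted HOME-ROOT-CA
#    must not mask a broken chain.
$leaf = ConvertFrom-PemCertificate $data.certificate
$cas  = @(ConvertFrom-PemCertificate $chainPem)
$root = $cas | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object -First 1
if (-not $root) { throw 'ca_chain has no self-signed root; supply DOMUS-ROOT-CA separately' }

$chain = [X509Chain]::new()
$chain.ChainPolicy.TrustMode      = [X509ChainTrustMode]::CustomRootTrust
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck   # CRL/OCSP wiring is out of scope here
$chain.ChainPolicy.CustomTrustStore.Add($root) | Out-Null
foreach ($ca in $cas) { $chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null }
if (-not $chain.Build($leaf)) {
    $why = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
    throw "chain validation failed: $why"
}

# 4. EAP-TLS client certificates are expected to carry the Client Authentication EKU
#    (Vault role setting client_flag). Catch a mis-built role here, not in the 802.1X test.
$eku = $leaf.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
if (-not ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.2')) {
    throw "certificate lacks the Client Authentication EKU; check client_flag on role '$Role'"
}

[pscustomobject]@{
    Subject   = $leaf.Subject
    Issuer    = $leaf.Issuer
    NotAfter  = $leaf.NotAfter
    Serial    = $data.serial_number
    ChainPath = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
}
```

Run it as `.\Issue-VaultCert.ps1 -CommonName ws01` (script name and CN are placeholders); the three PEM files it writes are what the Linux supplicant runbook consumes, and the chain check is the part AD CS auto-enrollment used to do for you implicitly.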

Milestones

Phase  Description                                    Status       Date
1      Deploy Windows Server 2025 Core VM on KVM      Complete     2026-02-09
2      Promote to Domain Controller (new forest)      Complete     2026-02-09
3      Configure SSH with YubiKey authentication      Complete     2026-02-09
4      AD Bootstrap (OUs, groups, accounts)           In Progress  2026-02-09
5      Join ISE to Active Directory                   Pending
6      Domain join Linux workstations                 Pending
7      Test 802.1X EAP-TLS with Vault certs           Pending
8      Decommission old DC (if applicable)            Pending
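Milestone 2 as it is run on Server Core, where there is no wizard: an added example, not the page's own script. The forest and NetBIOS names are assumptions. The DSRM password is read interactively so the value kept in gopass under ADMINISTRATIO/servers/home-dc01/dsrm never lands in a script or in shell history. This runs on the Windows PowerShell 5.1 that ships with Server Core.

```powershell
<#
Added example (not the page's own script): promote the Core VM to the first DC of
a new forest from the PowerShell session reached over SSH. Forest root and NetBIOS
name are assumed; the IP comes from the page's infrastructure table.
#>
$ErrorActionPreference = 'Stop'
$forest  = 'domus.internal'   # assumed forest root domain
$netbios = 'DOMUS'            # assumed NetBIOS name
$dcIp    = '10.50.1.50'       # home-dc01, from the infrastructure table

# 1. A DC must sit on a static address; refuse to continue on a DHCP lease.
$addr = Get-NetIPAddress -AddressFamily IPv4 | Where-Object IPAddress -eq $dcIp
if (-not $addr -or $addr.PrefixOrigin -ne 'Manual') {
    throw "$dcIp is not configured as a static address; fix it in sconfig (Network settings) first"
}

# 2. The role installs on Core without a GUI; -IncludeManagementTools brings the
#    ActiveDirectory and ADDSDeployment PowerShell modules used below.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ADDSDeployment

# 3. Prerequisite check first: same validations as the install, without the reboot.
$dsrm = Read-Host -AsSecureString 'DSRM password (paste from the gopass dsrm entry)'
$p = @{
    DomainName                    = $forest
    DomainNetbiosName             = $netbios
    InstallDns                    = $true      # new forest: this DC is also the first DNS server
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true      # no interactive confirmation over SSH
}
# ForestMode/DomainMode are left at their default, the highest level this OS supports.
$check = Test-ADDSForestInstallation @p
if ($check.Status -ne 'Success') {
    Write-Warning $check.Message
    throw 'forest prerequisite check failed'
}

# 4. Promote. The box reboots when done; reconnect over SSH as Administrator, which is
#    now the forest's Administrator account, and continue with the AD bootstrap.
Install-ADDSForest @p
```

The existing SSH setup survives the promotion: sshd, its config and administrators_authorized_keys are unchanged, and the local Administrator account becomes the domain Administrator, so the workstation's `User Administrator` entry keeps working.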
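Milestone 4, the in-progress AD bootstrap, as typed into the PowerShell session on home-dc01 after the promotion reboot. This is an added example, not the page's own bootstrap script. It creates a small OU tree, the global security groups that the ISE authorization policy will reference (milestones 5 and 7), and a least-privilege join account for ISE that can only create computer objects in one OU. OU names, group names and the svc-ise account name are assumptions. Every step checks before it creates, so the script can be re-run while the bootstrap is still in progress. Windows PowerShell 5.1 is sufficient.

```powershell
<#
Added example (not the page's own bootstrap script): OU tree, 802.1X authorization
groups and a least-privilege ISE join account. All names below are assumptions.
#>
#Requires -Modules ActiveDirectory
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

function Initialize-Ou {
    # Create an OU under $ParentDN if it is missing; return its DN either way.
    param([string] $Name, [string] $ParentDN)
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
    return "OU=$Name,$ParentDN"
}
function Initialize-Group {
    # Create a global security group if it is missing.
    param([string] $Name, [string] $Path, [string] $Description)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -Path $Path -GroupScope Global -GroupCategory Security -Description $Description
    }
}

# OU tree (assumed layout), protected from accidental deletion like the built-in OUs.
$ouDomus = Initialize-Ou -Name 'Domus'           -ParentDN $domainDN
$null    = Initialize-Ou -Name 'Users'           -ParentDN $ouDomus
$ouGroup = Initialize-Ou -Name 'Groups'          -ParentDN $ouDomus
$ouSvc   = Initialize-Ou -Name 'ServiceAccounts' -ParentDN $ouDomus
$null    = Initialize-Ou -Name 'Workstations'    -ParentDN $ouDomus   # Linux hosts, milestone 6
$ouNet   = Initialize-Ou -Name 'NetworkServices' -ParentDN $ouDomus   # where ISE's computer object will live

# Groups the ISE authorization rules key on. Flat global groups: ISE resolves membership
# with the join account after milestone 5, and nesting only slows that lookup down.
Initialize-Group -Name 'NET-8021X-Workstations' -Path $ouGroup -Description 'Computers admitted to the workstation VLAN via EAP-TLS'
Initialize-Group -Name 'NET-8021X-Admins'       -Path $ouGroup -Description 'Users ISE places on the admin VLAN'
Initialize-Group -Name 'SVC-ISE-Join'           -Path $ouGroup -Description 'May create/delete computer objects in the NetworkServices OU'

# ISE join account: a plain user, not a Domain Admin. The password is generated into
# gopass first and pasted here, so it never appears in the script or the transcript.
$svc = 'svc-ise'
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svc'")) {
    $pw = Read-Host -AsSecureString "Password for $svc (paste from the gopass entry)"
    New-ADUser -Name $svc -SamAccountName $svc -Path $ouSvc -AccountPassword $pw -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true -KerberosEncryptionType AES128,AES256 `
        -Description 'ISE AD join and group lookup (least privilege)'
    Add-ADGroupMember -Identity 'SVC-ISE-Join' -Members $svc
}

# Delegate only "create/delete child objects of class computer" on the NetworkServices OU
# to the join group. The GUID is the schemaIDGUID of the computer class.
$computerClass = [guid] 'bf967a86-0de6-11d0-a285-00aa003049e2'
$sid = (Get-ADGroup 'SVC-ISE-Join').SID
$acl = Get-Acl -Path "AD:\$ouNet"
$already = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
    $_.ObjectType -eq $computerClass
}
if (-not $already) {
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, 'CreateChild,DeleteChild', 'Allow', $computerClass, 'All')
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$ouNet" -AclObject $acl
}

# Summary the operator can paste into the gopass meta entry.
Get-ADGroup -Filter 'Name -like "NET-8021X-*" -or Name -eq "SVC-ISE-Join"' |
    Select-Object Name, DistinguishedName
```

When ISE is joined in milestone 5, point it at the NetworkServices OU for its machine account and use svc-ise for the join; the account then has exactly the rights the delegation grants and nothing else.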

Key Decisions

Why Server Core?

  • Reduced attack surface (no GUI components)

  • Lower resource usage (4GB RAM vs 8GB+)

  • Faster patching (fewer components to update)

  • Forces automation and scripting discipline

  • Enterprise best practice for DCs

Why Vault PKI over AD CS?

  • Platform-agnostic (works with Linux, Windows, containers)

  • API-driven certificate issuance

  • No Windows CA dependency

  • Audit logging: Vault audit devices record every API request, so each issued certificate is traceable to the token and identity that requested it

  • ACME support (Vault 1.14 and later), planned for later use

  • Centralized secrets management integration

Why New Forest vs Migration?

  • Clean slate - no legacy cruft

  • Simpler than FSMO transfer and AD CS decommission

  • Home enterprise can tolerate brief downtime

  • Opportunity to implement best practices from start

Infrastructure

Host       Role                                       Status
home-dc01  Windows Server 2025 Core DC (10.50.1.50)   Online
vault-01   HashiCorp Vault PKI server                 Online
ISE        RADIUS / 802.1X authentication             Online

Runbooks

  • domus-ise-linux (ise-linux) - Linux 802.1X methodology

  • domus-secrets-ops (secrets-infrastructure) - Secrets management

Lessons Learned

Server Core Administration

  • sconfig for initial setup (hostname, network, RDP)

  • Exit to PowerShell with option 15

  • Public keys for members of Administrators go in C:\ProgramData\ssh\administrators_authorized_keys; the default sshd_config's "Match Group administrators" block points there, so a per-user ~\.ssh\authorized_keys is ignored for admin accounts

  • The file's ACL must be exactly Administrators:F and SYSTEM:F (icacls /inheritance:r first); sshd will not use the file if other principals have access to it
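The Server Core OpenSSH setup behind the lessons above, as typed into the PowerShell session that sconfig option 15 leaves you in: an added example, not the page's own procedure. It installs the sshd capability, moves the listener to port 22022 (the port in the page's SSH config), disables password login, places the admin's public key in administrators_authorized_keys and applies the exact ACL sshd requires. The public key line is a placeholder; paste the contents of the YubiKey key's .pub file. Works on Windows PowerShell 5.1.

```powershell
<#
Added example (not the page's own procedure): OpenSSH server on Server Core with a
non-default port, key-only authentication and the administrators_authorized_keys ACL.
The $pubKey value is a placeholder to be replaced with the real public key.
#>
$ErrorActionPreference = 'Stop'
$port   = 22022
$pubKey = 'sk-ssh-ed25519@openssh.com AAAA...REPLACE-WITH-YOUR-KEY... admin@workstation'   # placeholder

# 1. Install and enable the server (idempotent).
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
if ($cap.State -ne 'Installed') { Add-WindowsCapability -Online -Name $cap.Name | Out-Null }
Set-Service -Name sshd -StartupType Automatic
Start-Service sshd   # first start writes the default sshd_config and host keys

# 2. sshd_config: non-default port, public keys only, no passwords. Directives are
#    replaced in place if present (commented or not) and otherwise inserted before the
#    trailing "Match Group administrators" block, where Port would be illegal.
$cfg   = 'C:\ProgramData\ssh\sshd_config'
$lines = [System.Collections.Generic.List[string]](Get-Content $cfg)
$set   = [ordered]@{ Port = "$port"; PubkeyAuthentication = 'yes'; PasswordAuthentication = 'no' }
foreach ($k in $set.Keys) {
    $line = "$k $($set[$k])"
    $idx  = $lines.FindIndex({ param($l) $l -match "^\s*#?\s*$k\s" })
    if ($idx -ge 0) { $lines[$idx] = $line; continue }
    $match = $lines.FindIndex({ param($l) $l -match '^\s*Match\s' })
    if ($match -lt 0) { $lines.Add($line) } else { $lines.Insert($match, $line) }
}
Set-Content -Path $cfg -Value $lines -Encoding ascii

# 3. Admin key file with the ACL from the lessons: strip inheritance, then exactly
#    Administrators:F and SYSTEM:F. Anything broader and sshd ignores the file.
$keyFile = 'C:\ProgramData\ssh\administrators_authorized_keys'
if (-not (Test-Path $keyFile) -or -not (Select-String -Path $keyFile -Pattern $pubKey -SimpleMatch -Quiet)) {
    Add-Content -Path $keyFile -Value $pubKey -Encoding ascii
}
icacls.exe $keyFile /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null

# 4. Firewall: open the new port, drop the TCP/22 rule the capability installer created.
if (-not (Get-NetFirewallRule -Name "sshd-$port" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name "sshd-$port" -DisplayName "OpenSSH Server (TCP $port)" `
        -Direction Inbound -Protocol TCP -LocalPort $port -Action Allow | Out-Null
}
Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
Restart-Service sshd

# 5. Verify before closing the console session: listener on the new port, and the ACL
#    sshd will evaluate on the next login.
Get-NetTCPConnection -State Listen -LocalPort $port | Select-Object LocalAddress, LocalPort
icacls.exe $keyFile
```

Keep the console (virt-viewer or the KVM serial console) open until a second SSH session on port 22022 with the YubiKey has succeeded; the sshd_config edit and the firewall change are the two steps that lock you out if they are wrong.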

Gopass Credential Structure

Separate entries per credential type:

ADMINISTRATIO/servers/home-dc01/
├── Administrator    # Local admin password
├── dsrm             # Directory Services Restore Mode password
└── meta             # Metadata (hostname, IP, roles, etc.)

SSH Config

# ~/.ssh/config entry on the admin workstation
Host home-dc01
    HostName 10.50.1.50
    # non-default sshd port configured on the DC
    Port 22022
    User Administrator
    # FIDO2 security-key (YubiKey) identity
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000