Active Directory Bootstrap - Windows Server 2025 Core

Bootstrap a fresh Active Directory forest on Windows Server 2025 Core for ISE 802.1X EAP-TLS authentication.

Architecture Change from Legacy

  • PKI: Vault (DOMUS-ROOT-CA / DOMUS-ISSUING-CA) - NOT Windows AD CS

  • DC: Windows Server 2025 Core (no GUI, PowerShell only)

  • DNS: BIND HA (bind-01/bind-02), DC for AD-integrated zones only

  • Certificates: Issued via Vault PKI, not GPO auto-enrollment

1. Prerequisites

Requirement               Verification                               Status
DC promoted and running   Get-ADDomainController                     [ ]
Vault PKI operational     vault secrets list | grep pki              [ ]
ISE trusts DOMUS-ROOT-CA  netapi ise cert list-trusted | grep DOMUS  [ ]
SSH access to DC          ssh home-dc01                              [ ]

2. Phase 1: Verify DNS SRV Records

AD requires DNS SRV records for domain functionality. These should auto-register after DC promotion.

2.1. Check SRV Records

From Linux workstation, verify all three critical SRV records exist:

dig _ldap._tcp.inside.domusdigitalis.dev SRV
# Expected LDAP SRV (port 389)
;; ANSWER SECTION:
_ldap._tcp.inside.domusdigitalis.dev. 192 IN SRV 0 100 389 home-dc01.inside.domusdigitalis.dev.

dig _kerberos._tcp.inside.domusdigitalis.dev SRV
# Expected Kerberos SRV (port 88)
;; ANSWER SECTION:
_kerberos._tcp.inside.domusdigitalis.dev. 600 IN SRV 0 100 88 home-dc01.inside.domusdigitalis.dev.

dig _gc._tcp.inside.domusdigitalis.dev SRV
# Expected Global Catalog SRV (port 3268)
;; ANSWER SECTION:
_gc._tcp.inside.domusdigitalis.dev. 600 IN SRV 0 100 3268 home-dc01.inside.domusdigitalis.dev.

What these records mean:

  • _ldap._tcp (389) - LDAP directory queries

  • _kerberos._tcp (88) - Kerberos authentication

  • _gc._tcp (3268) - Global Catalog (forest-wide searches, required for SSSD)

If any are missing, SSSD will show "Offline" and domain operations will fail.

2.2. Force SRV Record Registration (if missing)

If SRV records are missing, force re-registration:

ssh home-dc01 'powershell -Command "Restart-Service Netlogon"'

Wait 60 seconds, then verify DNS again.

2.3. Manual DNS Registration (if still missing)

ssh home-dc01 'powershell -Command "nltest /dsregdns"'
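The same three-record check as a PowerShell script, added here as an example (not part of the runbook), for running on the Server Core DC or any Windows host with the DnsClient module instead of dig from a Linux workstation. Domain, expected DC name and optional DNS server are parameters defaulting to this runbook's values.

```powershell
# Added example, not part of the runbook: verify the three SRV records that
# Phase 1 requires and flag any that are missing or point at the wrong port/host.
# Assumes a Windows host with the DnsClient module (e.g. the Server Core DC).
param(
    [string]$Domain     = 'inside.domusdigitalis.dev',
    [string]$ExpectedDc = 'home-dc01.inside.domusdigitalis.dev',
    [string]$DnsServer  = ''        # optional: e.g. one of the BIND HA nodes
)

# Record name -> port the runbook expects (LDAP 389, Kerberos 88, GC 3268)
$expected = [ordered]@{
    "_ldap._tcp.$Domain"     = 389
    "_kerberos._tcp.$Domain" = 88
    "_gc._tcp.$Domain"       = 3268
}

$missing = @()
foreach ($name in $expected.Keys) {
    $query = @{ Name = $name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $query.Server = $DnsServer }
    $answers = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' })
    if ($answers.Count -eq 0) {
        Write-Warning "MISSING $name - SSSD will go Offline; restart Netlogon or run nltest /dsregdns on the DC"
        $missing += $name
        continue
    }
    foreach ($a in $answers) {
        $target = $a.NameTarget.TrimEnd('.')
        # OK only when both the port and the target host match what Phase 1 expects
        $ok = ($a.Port -eq $expected[$name]) -and ($target -ieq $ExpectedDc)
        $state = if ($ok) { 'OK   ' } else { 'CHECK' }
        '{0} {1} -> {2}:{3} (prio {4}, weight {5})' -f $state, $name, $target, $a.Port, $a.Priority, $a.Weight
    }
}
# Non-zero exit so the check can gate the rest of the bootstrap
if ($missing.Count -gt 0) { exit 1 }
```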

3. Phase 2: Create OU Structure

3.1. Design

Enterprise-grade OU structure following Microsoft’s Enterprise Access Model with tiering:

Tier    Assets                             Compromise Impact
Tier 0  DCs, PKI, Identity infrastructure  Full domain compromise
Tier 1  Servers, applications              Application/data compromise
Tier 2  Workstations, endpoints            Single user compromise

Design principles:

  • Tiering - Separate by security impact

  • OS separation - Different GPOs, management tools, compliance baselines

  • User separation - Admins vs standard users vs service accounts

  • Lifecycle - Staging for new objects, Disabled for decommissioned (audit retention)

  • Delegation - OUs enable delegated administration

Figure 1. Active Directory OU Structure

3.2. Create Top-Level OUs

ssh home-dc01
New-ADOrganizationalUnit -Name "Tier 0 - Identity" -Path "DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Tier 1 - Servers" -Path "DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Tier 2 - Endpoints" -Path "DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "User Accounts" -Path "DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Groups" -Path "DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Staging" -Path "DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Disabled" -Path "DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true

3.3. Create Tier 0 Nested OUs

New-ADOrganizationalUnit -Name "Service Accounts" -Path "OU=Tier 0 - Identity,DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true

3.4. Create Tier 1 Nested OUs (Servers)

New-ADOrganizationalUnit -Name "Linux" -Path "OU=Tier 1 - Servers,DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Windows" -Path "OU=Tier 1 - Servers,DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true

3.5. Create Tier 2 Nested OUs (Endpoints)

New-ADOrganizationalUnit -Name "Workstations" -Path "OU=Tier 2 - Endpoints,DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Linux" -Path "OU=Workstations,OU=Tier 2 - Endpoints,DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Windows" -Path "OU=Workstations,OU=Tier 2 - Endpoints,DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Mac" -Path "OU=Workstations,OU=Tier 2 - Endpoints,DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Mobile" -Path "OU=Tier 2 - Endpoints,DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true

3.6. Create User Accounts Nested OUs

We use "User Accounts" instead of "Users" to avoid conflict with the default AD container CN=Users.

New-ADOrganizationalUnit -Name "Admins" -Path "OU=User Accounts,DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Standard" -Path "OU=User Accounts,DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Service Accounts" -Path "OU=User Accounts,DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true

3.7. Create Groups Nested OUs

New-ADOrganizationalUnit -Name "Security" -Path "OU=Groups,DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Distribution" -Path "OU=Groups,DC=inside,DC=domusdigitalis,DC=dev" -ProtectedFromAccidentalDeletion $true

3.8. Verify OUs

Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName | Format-Table -AutoSize
# Expected output (19 OUs total including Domain Controllers)
Name               DistinguishedName
----               -----------------
Domain Controllers OU=Domain Controllers,DC=inside,DC=domusdigitalis,DC=dev
Tier 0 - Identity  OU=Tier 0 - Identity,DC=inside,DC=domusdigitalis,DC=dev
Service Accounts   OU=Service Accounts,OU=Tier 0 - Identity,DC=inside,DC=domusdigitalis,DC=dev
Tier 1 - Servers   OU=Tier 1 - Servers,DC=inside,DC=domusdigitalis,DC=dev
Linux              OU=Linux,OU=Tier 1 - Servers,DC=inside,DC=domusdigitalis,DC=dev
Windows            OU=Windows,OU=Tier 1 - Servers,DC=inside,DC=domusdigitalis,DC=dev
Tier 2 - Endpoints OU=Tier 2 - Endpoints,DC=inside,DC=domusdigitalis,DC=dev
Workstations       OU=Workstations,OU=Tier 2 - Endpoints,DC=inside,DC=domusdigitalis,DC=dev
Linux              OU=Linux,OU=Workstations,OU=Tier 2 - Endpoints,DC=inside,DC=domusdigitalis,DC=dev
Windows            OU=Windows,OU=Workstations,OU=Tier 2 - Endpoints,DC=inside,DC=domusdigitalis,DC=dev
Mac                OU=Mac,OU=Workstations,OU=Tier 2 - Endpoints,DC=inside,DC=domusdigitalis,DC=dev
Mobile             OU=Mobile,OU=Tier 2 - Endpoints,DC=inside,DC=domusdigitalis,DC=dev
User Accounts      OU=User Accounts,DC=inside,DC=domusdigitalis,DC=dev
Admins             OU=Admins,OU=User Accounts,DC=inside,DC=domusdigitalis,DC=dev
Standard           OU=Standard,OU=User Accounts,DC=inside,DC=domusdigitalis,DC=dev
Service Accounts   OU=Service Accounts,OU=User Accounts,DC=inside,DC=domusdigitalis,DC=dev
Groups             OU=Groups,DC=inside,DC=domusdigitalis,DC=dev
Security           OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev
Distribution       OU=Distribution,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev
Staging            OU=Staging,DC=inside,DC=domusdigitalis,DC=dev
Disabled           OU=Disabled,DC=inside,DC=domusdigitalis,DC=dev

4. Phase 3: Create Security Groups

Security groups are used by ISE for authorization policies. Groups are organized by object type (Computers, Servers, Users) for clarity.

Naming Convention: GRP-<ObjectType>-<OS/Role>[-Tier]

  • GRP-Computers-* - Computer objects for 802.1X machine auth

  • GRP-Servers-* - Server computer objects

  • GRP-Users-* - User objects for user-based policies

4.1. Create Computer Groups (Workstations)

These groups contain computer objects (e.g., modestus-razer$). ISE checks these for 802.1X machine authentication.

New-ADGroup -Name "GRP-Computers-Linux-Admin" -GroupScope Global -GroupCategory Security -Path "OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev" -Description "Linux admin workstations - Tier 2 privileged"
New-ADGroup -Name "GRP-Computers-Linux-Standard" -GroupScope Global -GroupCategory Security -Path "OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev" -Description "Linux standard workstations"
New-ADGroup -Name "GRP-Computers-Windows" -GroupScope Global -GroupCategory Security -Path "OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev" -Description "Windows workstations"
New-ADGroup -Name "GRP-Computers-Mac" -GroupScope Global -GroupCategory Security -Path "OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev" -Description "Mac workstations"

4.2. Create Server Groups

New-ADGroup -Name "GRP-Servers-Linux" -GroupScope Global -GroupCategory Security -Path "OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev" -Description "Linux servers - network access"
New-ADGroup -Name "GRP-Servers-Windows" -GroupScope Global -GroupCategory Security -Path "OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev" -Description "Windows servers - network access"

4.3. Create User Groups

These groups contain user objects for user-based authorization policies.

New-ADGroup -Name "GRP-Users-Admins" -GroupScope Global -GroupCategory Security -Path "OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev" -Description "Admin users - privileged access"
New-ADGroup -Name "GRP-Users-Standard" -GroupScope Global -GroupCategory Security -Path "OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev" -Description "Standard users"

4.4. Verify Groups

Get-ADGroup -Filter 'Name -like "GRP-*"' | Select-Object Name, GroupScope, DistinguishedName | Format-Table -AutoSize
# Expected output (8 groups)
Name                       GroupScope DistinguishedName
----                       ---------- -----------------
GRP-Computers-Linux-Admin    Global   CN=GRP-Computers-Linux-Admin,OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev
GRP-Computers-Linux-Standard Global   CN=GRP-Computers-Linux-Standard,OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev
GRP-Computers-Windows        Global   CN=GRP-Computers-Windows,OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev
GRP-Computers-Mac            Global   CN=GRP-Computers-Mac,OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev
GRP-Servers-Linux            Global   CN=GRP-Servers-Linux,OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev
GRP-Servers-Windows          Global   CN=GRP-Servers-Windows,OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev
GRP-Users-Admins             Global   CN=GRP-Users-Admins,OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev
GRP-Users-Standard           Global   CN=GRP-Users-Standard,OU=Security,OU=Groups,DC=inside,DC=domusdigitalis,DC=dev
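Phases 2 and 3 above are one declarative structure. The script below is an added example (an illustration, not the runbook's own ad-bootstrap-create.ps1 from Appendix A) that creates the whole OU tree and the eight security groups idempotently, skipping objects that already exist and checking each group name against the GRP-<ObjectType>-<OS/Role> convention; -WhatIf passes through to the New-AD* cmdlets. It assumes it runs on the DC as a Domain Admin with the ActiveDirectory module loaded.

```powershell
# Added example, not the runbook's own ad-bootstrap-create.ps1: idempotent
# creation of the Phase 2 OU tree and the Phase 3 security groups.
# Assumes it runs on the DC with the ActiveDirectory module; -WhatIf is
# passed through to the New-AD* cmdlets.
[CmdletBinding(SupportsShouldProcess)]
param([string]$DomainDn = 'DC=inside,DC=domusdigitalis,DC=dev')

Import-Module ActiveDirectory

# OU tree as relative paths; parents are listed before their children
$ouPaths = @(
    'Tier 0 - Identity', 'Tier 0 - Identity/Service Accounts',
    'Tier 1 - Servers', 'Tier 1 - Servers/Linux', 'Tier 1 - Servers/Windows',
    'Tier 2 - Endpoints', 'Tier 2 - Endpoints/Workstations',
    'Tier 2 - Endpoints/Workstations/Linux', 'Tier 2 - Endpoints/Workstations/Windows',
    'Tier 2 - Endpoints/Workstations/Mac', 'Tier 2 - Endpoints/Mobile',
    'User Accounts', 'User Accounts/Admins', 'User Accounts/Standard',
    'User Accounts/Service Accounts',
    'Groups', 'Groups/Security', 'Groups/Distribution',
    'Staging', 'Disabled'
)

# 'A/B/C' -> 'OU=C,OU=B,OU=A,<domain DN>'
function ConvertTo-OuDn([string]$RelPath) {
    $rdns = @(($RelPath -split '/') | ForEach-Object { "OU=$_" })
    [array]::Reverse($rdns)
    return ($rdns -join ',') + ",$DomainDn"
}

foreach ($rel in $ouPaths) {
    $dn = ConvertTo-OuDn $rel
    # -Filter returns nothing for a missing OU, unlike -Identity which throws
    if (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'") {
        Write-Verbose "exists: $dn"; continue
    }
    $leaf   = ($rel -split '/')[-1]
    $parent = $dn.Substring($dn.IndexOf(',') + 1)
    New-ADOrganizationalUnit -Name $leaf -Path $parent -ProtectedFromAccidentalDeletion $true
}

# Groups follow GRP-<ObjectType>-<OS/Role>; enforce that before creating
$groupsOu = "OU=Security,OU=Groups,$DomainDn"
$groups = [ordered]@{
    'GRP-Computers-Linux-Admin'    = 'Linux admin workstations - Tier 2 privileged'
    'GRP-Computers-Linux-Standard' = 'Linux standard workstations'
    'GRP-Computers-Windows'        = 'Windows workstations'
    'GRP-Computers-Mac'            = 'Mac workstations'
    'GRP-Servers-Linux'            = 'Linux servers - network access'
    'GRP-Servers-Windows'          = 'Windows servers - network access'
    'GRP-Users-Admins'             = 'Admin users - privileged access'
    'GRP-Users-Standard'           = 'Standard users'
}
foreach ($name in $groups.Keys) {
    if ($name -notmatch '^GRP-(Computers|Servers|Users)-') { throw "name violates convention: $name" }
    if (Get-ADGroup -Filter "Name -eq '$name'") { Write-Verbose "exists: $name"; continue }
    New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
        -Path $groupsOu -Description $groups[$name]
}
```

Run it once with -WhatIf -Verbose to see which objects would be created and which already exist before touching the directory.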

ISE Policy Mapping

Each group maps to an ISE authorization policy:

AD Group                      Members                                       ISE Authorization Profile
GRP-Computers-Linux-Admin     modestus-razer$, modestus-p50$, modestus-aw$  Linux-Admin-VLAN10
GRP-Computers-Linux-Standard  Future standard Linux workstations            Linux-Standard-VLAN10
GRP-Computers-Windows         Windows computer objects                      Windows-Workstation-VLAN10
GRP-Computers-Mac             Mac computer objects                          Mac-Workstation-VLAN10
GRP-Servers-Linux             vault-01$, kvm-01$, nas-01$                   Server-VLAN20
GRP-Servers-Windows           home-dc01$, future Windows servers            Server-VLAN20

5. Phase 4: Create User Account

Your admin account goes in OU=Admins,OU=User Accounts (privileged accounts).

5.1. Create Admin Account

New-ADUser -Name "Evan Rosado" -GivenName "Evan" -Surname "Rosado" -SamAccountName "evanusmodestus" -UserPrincipalName "evanusmodestus@inside.domusdigitalis.dev" -Path "OU=Admins,OU=User Accounts,DC=inside,DC=domusdigitalis,DC=dev" -AccountPassword (Read-Host -AsSecureString "Password") -Enabled $true -PasswordNeverExpires $true

5.2. Add to Domain Admins

Add-ADGroupMember -Identity "Domain Admins" -Members "evanusmodestus"

5.3. Verify

Get-ADUser evanusmodestus -Properties MemberOf, DistinguishedName | Select-Object Name, SamAccountName, DistinguishedName
# Expected output
Name        SamAccountName DistinguishedName
----        -------------- -----------------
Evan Rosado evanusmodestus CN=Evan Rosado,OU=Admins,OU=User Accounts,DC=inside,DC=domusdigitalis,DC=dev

Get-ADPrincipalGroupMembership evanusmodestus | Select-Object Name
# Expected output
Name
----
Domain Users
Domain Admins

6. Phase 5: Join ISE to Active Directory

6.1. Prerequisites on ISE

ISE requires:

  • DNS resolution to DC (via BIND or VyOS forwarding)

  • NTP synchronized with DC (Kerberos requirement)

  • Outbound connectivity to DC ports: 88, 389, 464, 636

6.2. Pre-Create ISE Computer Account in AD

Before ISE can join the domain, create a computer account in AD:

New-ADComputer -Name "ISE-02" -SamAccountName "ISE-02$" `
  -Path "OU=Linux,OU=Tier 1 - Servers,DC=inside,DC=domusdigitalis,DC=dev" `
  -Description "Cisco ISE Secondary PAN"

Verify:

Get-ADComputer ISE-02
# Expected output
DistinguishedName : CN=ISE-02,OU=Linux,OU=Tier 1 - Servers,DC=inside,DC=domusdigitalis,DC=dev
Enabled           : True
Name              : ISE-02
SamAccountName    : ISE-02$

6.3. Join Domain via GUI

ISE GUI path:

  1. Administration > Identity Management > External Identity Sources > Active Directory

  2. Click Add

  3. Enter:

    • Join Point Name: INSIDE-AD

    • Active Directory Domain: inside.domusdigitalis.dev

  4. Click Submit

  5. When prompted, enter credentials: evanusmodestus@inside.domusdigitalis.dev

6.4. Join Domain via netapi (Alternative)

If the join point already exists (e.g., from a previous DC), rejoin via API:

dsource d000 dev/network
netapi ise api-call openapi PUT '/api/v1/active-directory/INSIDE-AD/join' \
  --data "{
    \"operationType\": \"join\",
    \"adminUser\": \"evanusmodestus\",
    \"adminPassword\": \"$(gopass show -o ADMINISTRATIO/domus/ad/evanusmodestus)\"
  }"
This command returns no output on success. Verify by searching for AD groups.

6.5. Verify Join via netapi

dsource d000 dev/network
netapi ise ers ad
# Expected output
Join Point: INSIDE-AD
Domain: inside.domusdigitalis.dev
Status: Operational

6.6. Add AD Groups to ISE

After joining, import the security groups. First verify ISE can see them:

netapi ise search-ad-groups "INSIDE-AD" "GRP"

Then add the groups:

netapi ise add-ad-groups "INSIDE-AD" "GRP-Computers-Linux-Admin"
netapi ise add-ad-groups "INSIDE-AD" "GRP-Computers-Linux-Standard"
netapi ise add-ad-groups "INSIDE-AD" "GRP-Computers-Windows"
netapi ise add-ad-groups "INSIDE-AD" "GRP-Computers-Mac"
netapi ise add-ad-groups "INSIDE-AD" "GRP-Servers-Linux"
netapi ise add-ad-groups "INSIDE-AD" "GRP-Servers-Windows"
netapi ise add-ad-groups "INSIDE-AD" "GRP-Users-Admins"
netapi ise add-ad-groups "INSIDE-AD" "GRP-Users-Standard"

Verify:

netapi ise get-ad-groups "INSIDE-AD"

Or via GUI:

  1. Administration > Identity Management > External Identity Sources > Active Directory

  2. Select INSIDE-AD

  3. Go to Groups tab

  4. Click Add > Select Groups from Directory

  5. Search for GRP-Computers-Linux-Admin

  6. Select and add

7. Phase 6: Domain Join Linux Workstations

7.1. Verify Prerequisites

From Linux workstation:

# DNS resolution
host inside.domusdigitalis.dev
host home-dc01.inside.domusdigitalis.dev
# Kerberos test
kinit evanusmodestus@INSIDE.DOMUSDIGITALIS.DEV
klist

7.2. Join Domain

Follow Domain Join Runbook (ise-linux) for full procedure.

Quick reference:

sudo net ads join -U evanusmodestus@INSIDE.DOMUSDIGITALIS.DEV

7.3. Add Computer to Security Group

After domain join, add computer to ISE authorization group:

# Group name follows Phase 3 (GRP-Computers-Linux-Admin); no GRP-Linux-Admin-Workstations group exists
ssh home-dc01 'powershell -Command "Add-ADGroupMember -Identity \"GRP-Computers-Linux-Admin\" -Members \"modestus-razer$\""'
ssh home-dc01 'powershell -Command "Add-ADGroupMember -Identity \"GRP-Computers-Linux-Admin\" -Members \"modestus-p50$\""'
ssh home-dc01 'powershell -Command "Add-ADGroupMember -Identity \"GRP-Computers-Linux-Admin\" -Members \"modestus-aw$\""'

7.4. Move Computer to Proper OU

# Target is the Linux workstation OU created in Phase 2 (OU=Workstations does not exist at the domain root)
ssh home-dc01 'powershell -Command "Move-ADObject -Identity \"CN=MODESTUS-RAZER,CN=Computers,DC=inside,DC=domusdigitalis,DC=dev\" -TargetPath \"OU=Linux,OU=Workstations,OU=Tier 2 - Endpoints,DC=inside,DC=domusdigitalis,DC=dev\""'

7.5. Verify Group Membership

ssh home-dc01 'powershell -Command "Get-ADGroupMember -Identity \"GRP-Computers-Linux-Admin\" | Select-Object Name, objectClass"'
# Expected output
Name           objectClass
----           -----------
MODESTUS-RAZER computer
MODESTUS-P50   computer
MODESTUS-AW    computer
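Steps 6.3 to 6.5 as one added PowerShell script (not from the runbook) to run on the DC for each newly joined workstation: it looks the computer object up by sAMAccountName, adds it to the ISE authorization group, moves it from the default CN=Computers container into the Tier 2 Linux workstation OU, and returns the verified state. The group and OU default to the values this runbook uses.

```powershell
# Added example, not part of the runbook: place a freshly joined Linux
# workstation where Phases 2 and 3 expect it and report the verified result.
# Assumes it runs on the DC with the ActiveDirectory module.
param(
    [Parameter(Mandatory)][string[]]$ComputerName,   # e.g. modestus-razer
    [string]$DomainDn = 'DC=inside,DC=domusdigitalis,DC=dev',
    [string]$Group    = 'GRP-Computers-Linux-Admin'
)
Import-Module ActiveDirectory

$targetOu = "OU=Linux,OU=Workstations,OU=Tier 2 - Endpoints,$DomainDn"
$groupDn  = (Get-ADGroup -Identity $Group).DistinguishedName

foreach ($name in $ComputerName) {
    # A computer's sAMAccountName is its name with a trailing '$'
    $sam = $name + '$'
    $computer = Get-ADComputer -Filter "sAMAccountName -eq '$sam'" -Properties MemberOf
    if (-not $computer) {
        Write-Warning "$name not in AD yet; run 'net ads join' on the workstation first"
        continue
    }
    # Group membership first (the SID survives the move), then the OU move
    if ($computer.MemberOf -notcontains $groupDn) {
        Add-ADGroupMember -Identity $Group -Members $computer.SID
    }
    if ($computer.DistinguishedName -notlike "*,$targetOu") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOu
    }
    # Re-read and report what ISE will evaluate through AD:ExternalGroups
    $after = Get-ADComputer -Filter "sAMAccountName -eq '$sam'" -Properties MemberOf
    [pscustomobject]@{
        Name    = $after.Name
        InOu    = $after.DistinguishedName -like "*,$targetOu"
        InGroup = $after.MemberOf -contains $groupDn
    }
}
```

Both steps are skipped when already done, so the script can be re-run safely after each new join; a False in either column means the corresponding manual step from 6.3 or 6.4 did not take effect.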

8. Phase 7: ISE Authorization Policy

Create authorization policy using AD group membership.

8.1. Create Authorization Profile

netapi ise create-authz-profile "Linux-Admin-VLAN10" \
    --vlan 10 \
    --description "Linux admin workstations - VLAN 10"

8.2. Create Authorization Rule

netapi ise create-authz-rule "Linux-Admin-Workstations-EAP-TLS" \
    --policy-set "Domus-Wired-802.1X" \
    --condition "AD:ExternalGroups CONTAINS inside.domusdigitalis.dev/Groups/Security/GRP-Computers-Linux-Admin" \
    --profile "Linux-Admin-VLAN10"

Or via GUI:

  1. Policy > Policy Sets > Domus-Wired-802.1X

  2. Authorization Policy section

  3. Add rule:

    • Name: Linux-Admin-Workstations-EAP-TLS

    • Condition: AD:ExternalGroups CONTAINS inside.domusdigitalis.dev/Groups/Security/GRP-Computers-Linux-Admin

    • Profile: Linux-Admin-VLAN10

9. Phase 8: Verification Checklist

Item                           Command                                       Status
DNS SRV records                dig _ldap._tcp.inside.domusdigitalis.dev SRV  [ ]
OUs created                    Get-ADOrganizationalUnit -Filter *            [ ]
Security groups created        Get-ADGroup -Filter 'Name -like "GRP-*"'      [ ]
User account created           Get-ADUser evanusmodestus                     [ ]
ISE joined to AD               netapi ise ers ad                             [ ]
AD groups in ISE               ISE GUI > AD > Groups tab                     [ ]
Workstations domain-joined     sudo net ads testjoin                         [ ]
Computers in AD group          Get-ADGroupMember GRP-Computers-Linux-Admin   [ ]
Authorization policy created   ISE GUI > Policy Sets                         [ ]
802.1X authentication working  netapi ise mnt sessions                       [ ]

10. PKI Architecture Reference

This deployment uses Vault PKI, NOT Windows AD CS.

Component             Details
Root CA               DOMUS-ROOT-CA (Vault pki/)
Issuing CA            DOMUS-ISSUING-CA (Vault pki_int/)
Certificate Issuance  vault write pki_int/issue/domus-client
ISE Trust             DOMUS-ROOT-CA + DOMUS-ISSUING-CA imported to ISE
Auto-enrollment       Not applicable (manual Vault issuance)

See Vault PKI Certificate Issuance for certificate procedures.

11. Appendix A: Automation Scripts

PowerShell scripts for creating and resetting the AD structure. See AD Bootstrap Scripts for full source code with explanations.

Reset script is destructive. Use only in lab/test environments.

11.1. Script Locations

Script                           Purpose
scripts/ad-bootstrap-reset.ps1   Delete all OUs, groups, user (with optional recreate)
scripts/ad-bootstrap-create.ps1  Create all OUs and groups (idempotent, skips existing)

11.2. Usage

Copy scripts to DC:

scp scripts/ad-bootstrap-*.ps1 home-dc01:C:/Users/Administrator/

11.2.1. Create Script

# Dry run
powershell -ExecutionPolicy Bypass -File ad-bootstrap-create.ps1 -WhatIf

# Create all OUs and groups
powershell -ExecutionPolicy Bypass -File ad-bootstrap-create.ps1

11.2.2. Reset Script

# Dry run (preview only, no changes)
powershell -ExecutionPolicy Bypass -File ad-bootstrap-reset.ps1 -WhatIf

# Reset only (delete all objects)
powershell -ExecutionPolicy Bypass -File ad-bootstrap-reset.ps1

# Reset and recreate (full test cycle)
powershell -ExecutionPolicy Bypass -File ad-bootstrap-reset.ps1 -Recreate

11.3. A.3 What It Does

  1. Phase 1: Removes user account (evanusmodestus)

  2. Phase 2: Removes all 8 security groups (GRP-*)

  3. Phase 3: Removes all 21 OUs (nested first, then parents)

  4. Phase 4: (with -Recreate) Rebuilds entire structure

The -Recreate flag does NOT recreate the user account (requires password input). After recreate, manually run the user creation command from Phase 4.

11.4. A.4 Verification

After reset:

# Should show only Domain Controllers OU
Get-ADOrganizationalUnit -Filter * | Select-Object Name

# Should return nothing
Get-ADGroup -Filter 'Name -like "GRP-*"' | Select-Object Name

# Should fail (user not found)
Get-ADUser evanusmodestus