Friday, April 18, 2025

2025-04-18 - Active Directory 1.0 - Installing DNS, File Storage, ADDS, and ADLDS in case

        I am finally seeing what I can do to commit to learning Active Directory while the VPN server is up and running, since it seems like every month or so something goes wrong, and right when I sit down to do AD I can't because the VPN is down or something. I am doing this remotely because everybody at BYU is studying or doing something for class, trying to learn, so I prefer to do this in that company. 

        I had some trouble getting the Proxmox VM for Windows Server 2025 up and running. The problem was resolved in the 0.5 entry from back in February. 

        But now I am in the Server Manager and trying to install the DNS and File Storage roles. In the Server Manager you go to the Manage menu on the top right of the window > select Add Roles and Features. This will be a role-based installation. The reason is that out of the two options, the second one being Remote Desktop Services Installation, the one you will be picking most often will be Role-Based. You would only choose the other option for obvious reasons. If in an office setting and configuring systems on site, pick Role-Based. 

        I selected the roles DNS and File Storage and then a message popped up saying: 

Validation Results
The validation process found problems on the server to which you want to install features.
Click Continue to install the selected features anyway, or click Cancel to select different
features.
Server: WIN-BCCTlROV6RS
Validation Results: No static IP addresses were found on this computer. If the IP address changes, clients
might not be able to contact this server. Please configure a static IP address on this
computer before installing DNS Server.

        So I went to Control Panel > Network and Sharing Center > Change Adapter Settings > right-clicked on the ethernet adapter > Properties > Internet Protocol Version 4 (TCP/IPv4) > Properties. I decided to add an address from my actual home router running DHCP for my home lab, so I went to the CMD > ran IPCONFIG /ALL > grabbed the IP address 192.168.50.191, the default gateway of 192.168.50.1, and the MAC address for my Proxmox server that's running the Windows Server VM. I selected Use The Following IP Address > added the IP address ending in .191 to the first field > subnet mask fills in automatically depending on what address is used > entered the address ending in 50.1 in the default gateway field, which is the private IP address of my router, and also added the same address as my preferred DNS server. Whatever request this server has for the internet will be forwarded to each successive DNS server until it hits one that knows the address of any site I visit. 

        However, I decided to also reserve that .191 IP address on my router. You require a static or reserved IP address for the server so anytime a machine boots up or a device returns to the network, the server managing Active Directory will always be at the same address and the corresponding devices connected to it won't have connection errors to the server--expecting the server to be at a different address. 

        However, I ran into a bit of a problem. As WinServ2025 is hosted on a Proxmox server, and the Proxmox server is already reserved automatically on my router, which is an arrangement they came up with between them and I cannot change it, this also means that the same MAC address that would be used to reserve this .191 address is already being used to reserve the IP address for the Proxmox server. Research suggests that you want to have a separate IP address for the Windows Server from the Proxmox server, so this is where I get stuck. Technically, the requirement to make the .191 address static has been met. I can continue, but there's nothing stopping the router from assigning that address to yet another device at any time in the future. 

        Normally, you would either make an address static on the system using it or reserve it on the DHCP server, the router in my case. All consumer-grade routers are combo devices: a layer 3 router; a built-in layer 2 switch, which is what those four or five extra ethernet ports on the back are connected to; a layer 2 access point, which is the WiFi antennas; a layer 3 DNS server, which converts between hostnames and IP addresses; a layer 3 DHCP server, which doles out the IP addresses on the private network; and a layer 3 and 4 firewall, which includes NAT, or network address translation, which separates public addresses from private addresses, which is why network addresses and gateway addresses matter. 

        This was cleared up. I both made the address static on the server, which allows me to do AD (I think it was the domain or the DNS or something that required it), and I also reserved it on my router by going to the WAN tab > DHCP > and the dropdown menu where I reserved my file server's address didn't show the virtual Proxmox Windows Server VM, so I just added it by typing it in and the router accepted it. There was a reason why not to make an address both static and reserved as I recall, but I had asked ChatGPT about this and explained the problem with only making it static on the server side, that DHCP on the router might assign it a new address, and it seemed to agree this was a good idea to also reserve it on the router. 

        If you want to skip a future project idea I have that AD caused me to think about, skip any of the following that's in italics!

        I ran into an interesting snag. I had this idea, stemming from another idea I'd had for a very long time. In short, I have always thought that the ultimate computer experience was totally handheld, portable, transferable from one physical console to another, just having like a base computer the size of a smartphone or really anything that fits in your pocket, that can handle pretty serious computer tasks, but may possibly fall short in some ergonomic ways for the lack of a better term. I wake up at the beginning of the day, my phone is my alarm clock, it actually displays the time which interestingly, the iPhone now does when charging and positioned horizontally, it holds all your music, everything you would watch, the whole experience is very personalized, everything you would look up is or rather can be through it, you may have a slightly less portable device like the size of a laptop that you can somehow insert it into or that acts like a docking station that provides a larger screen and keyboard and mouse functionality, when it's time to get in the car and go to work, it connects to your car and acts as the radio, or any communication device, I mean, it always does each of these things, but it is the central device that does everything, and all other devices are secondary to it and act as potential appendages to it. It may even control the car. Of course the car may need to control itself, so it might be in constant contact with the phone or portable computer device that fits in your pocket. When you get to work, it is your work computer, connecting to another docking station that is more geared towards productivity, there might be more screens or a larger one, and any other tool needed for the job or desired for comfort. 

        Now, talking about this, I find irony that my ultimate choice for a laptop is a GPD Pocket 3 and my iPhone is kind of hinting at a lot of this, but this is all still a bit of a ways off even if steam is gathering rapidly. But I had an idea that stems from this that might potentially involve a personal project possibility for AD. I wondered if there was a way to centralize my computer experience on my laptop and desktop so that whichever device I am using at the time, it picks up where the other left off. I realized that Active Directory had some potential use for this and ChatGPT confirmed it up to a point. However, specific programs running and icons placed in the same spot on the desktop on each device, and things like that, would not be possible. ChatGPT suggested that this could still be somewhat managed with effort; there are other tools that could help realize this dream. And it quickly got to the point in my conversation with ChatGPT that it was like, well, perhaps you should consider this other program altogether, and part of my idea was lost. And then it was revealed that if I used Active Directory to realize this dream, there would be one huge problem I am aware of so far, so there could be others, but one glaring problem that stops this in its tracks is that every time I started using one device or another, there would be an immediate and huge requirement for bandwidth between the server hosting AD and the machine being used, to get the environment set up for my use. Being remotely used so frequently, my laptop cannot be subject to this. I often rely on either my hotspot on my iPhone, which has a limit that I am very cautious not to rush through, and established WiFi at places like BYU where I study or eat. And that WiFi also has its limits. So this is not feasible. 

        And then I was about to start exploring the thing with adding roles and features to get AD up and running, and I had passed through this screen many times now, having explained it about six months to a year ago in former blog posts about AD. Role-based or feature-based installation vs Remote Desktop Services installation, and I remember the reason for not using Remote Desktop Services Installation was because this is for remote users and is used far more rarely. And I wondered what if I created a virtual machine-based session-based desktop deployment. 

        I wondered what if AD VDI centralizes a single desktop experience on a server that multiple devices can access remotely, such as my laptop and desktop? Log into the same Windows environment from either the desktop or laptop. All my apps, files, settings, even open windows, are exactly as I left them. It's like having my main PC live in the cloud or on a server, and you just remote into it. 

        However, then I came upon a realization: wait, couldn't I just install Windows 11 in a Proxmox VM and remote into it for the desired results? And the answer is yes. So I asked what the benefits of using AD over the Win 11 Proxmox approach would be and it said basically no multi-user environment, and I can't think of any instance where I would need to access one instance from two devices at the same time, and scalability, there's only me so that's out, load balancing, well, if it's just me then load balancing on a server powerful enough to handle any task I might want to perform is already automatically balanced by the fact that it's just me using it, and then app publishing, well, I wasn't sure about that one. But I don't typically create apps. I do have a project in mind to do so just for academics but that's it. So now I am just wondering if I ought to simply have one desktop environment that I remote into? I love that I can use everything on one powerful server, so no matter how demanding my Photoshop requirements get, no matter how many Chrome tabs I have open, this will stop being an issue. 

        But this then causes me to wonder, like, one of the things that makes me dislike services like Spotify, and paying for them, and the subsequent data requirements on a hotspot is that I can simply have my music or movies on my mobile device and not keep paying for it every time I want to use it and then be chained to the internet just to do so. I would essentially be creating my own prison again, and I would still have to pay for it because of hotspot data needs. 

        However, I started thinking about things like iTunes. While it would be great to be able to run my iTunes library from a centralized location that can be accessed anywhere, and not have multiple machines to maintain, which is why I killed iTunes on my desktop and only maintain it on my laptop, but have reinstalled it only so I can game and listen to music with game audio on my desktop, which requires me to run my laptop simultaneously to have access to my laptop's library, if I then moved it to a centralized VM, this would then present those roaming challenges where I would require being constantly tethered to the internet in order to do basic things. I conclude for now that this is something I should do but only to a hybrid extent. Run everything on a central server that would not be inconvenient to do so in any way and keep local functions such as movie playback and iTunes local on each machine respectively. 


        2025-05-20

        I went to Add Roles and Features and clicked right through most of the wizard, and checked DNS, ADDS, and ADLDS, didn't add any features except that I checked to make sure Group Policy Management was checked, which you'll need if you'll be working with GPOs. .NET Framework 3.5 is for legacy apps, which I'm not worrying about. I clicked install. It took a moment and then when I returned to it, it had opened a new folder located in Windows\Server Manager, with files called serverlist and serverlist1; I closed this window. Server Manager will keep these files to remember which servers it manages. 

This has been Truncat3d 00000000111100010100110______________end of line

Monday, April 14, 2025

2025-04-14 - VPN Server Went Down Again!

        I was seriously starting to feel this time like if this darn thing can't stay up and running for even a month without there being some problem that takes a ton of effort to troubleshoot, then the thing isn't worth using. I also concluded that if I just reinstall PiVPN with WireGuard (WG) and then WG on every corresponding device that uses the VPN again, that would likely solve the problem. But this was only after exhaustive troubleshooting that went nowhere because nothing was wrong. There were no catastrophic failures, no brown-outs, no drivers, kernels, or OSes updated that would then throw it out of whack, and after multiple days of putting Proxmox Active Directory VMs aside--because everything I have centers around my VPN functioning properly--I had then concluded that just reinstalling the thing would almost certainly fix the issue. 

        I even had a friend come over who, the first time he helped me with my server, like three weeks ago or so, the second he sat down, the problem was cleared up because everything that was wrong with my server just vanished. It would turn on before but there were no POST light flickers from the keyboard on boot; the motherboard was just as lively as ever, but no screen output because it's a server that runs headless, and so when you plug something in, nothing shows up unless you reboot. And nothing worked now because I tried to reboot not knowing it was doing a kernel update and then apparently temporarily bricking the server for the next whole day until it sorted itself out, I assume; then it could be rebooted and produce output for a monitor and we could enter BIOS and there were no problems. The server booted fine, everything worked perfectly as if nothing had happened. Weeks later, when I tried again to do my TEMPer2 project to get a USB temperature sensor to read the temp of my room and connect to Home Assistant to then connect to my AC to trip the AC on or off, only then did I discover, when running a command to check that the latest version of the kernel was installed and it said yes, that in fact no, it was not, because then I had this problem and the boot took an inordinate amount of time while trying to see if rebooting would solve the VPN problem. I couldn't SSH back into the machine for maybe twenty minutes I think; well, that's when I tried to SSH in a fourth time anyway, and it finally worked. And that was a few days ago during the latest server troubleshoot for the VPN. 

        So once again we go through this problem: I couldn't use my VPN while out remotely and working on my Active Directory project to make myself more hirable. And I couldn't connect. I was at BYU trying to connect to the internet; sometimes it doesn't like connecting to the captive portal so I can agree to terms and conditions for visitor WiFi unless I turn off my VPN in WG. So I turned it off and connected, and then I turned it back on and it still wasn't working. But I just connected to it. What do you mean there's no internet? I checked the WG client and saw that neither tunnel would receive any packets back from my VPN server, X amount of KB sent, 0 received. I tried then to turn off both WG tunnels and AnyDesk unattended into my home desktop and couldn't do that either. What's going on here?! I discovered after troubleshooting when I got home that in fact I accidentally deleted my token or key authentication account for unattended access to my desktop when troubleshooting another problem for my mom a few months ago, within the free authenticator app I use. I have been using this free authenticator app for years because I didn't know there were better, free options. But with this option, there was little documentation online of how to troubleshoot it, and if you created a new token or key or whatever account to use for any particular thing, which you could create several of for different devices, you couldn't rename them very easily. I found this extremely frustrating. So I switched to a very popular free one called Microsoft Authenticator, which does let you easily rename "accounts", as long as you know they call them accounts. 

        Okay so then I got that back up and running. But then I spent hours and hours troubleshooting the VPN itself now that I found I could easily ping and SSH into the server, open and use server files on my desktop through SMB, or even on my laptop if I am using the internet in my room with my server, by all appearances, nothing was wrong with the server. If I didn't have a VPN I heavily rely on, I would never know that my server had a problem. 

        But I ran out of ability to troubleshoot. Everything was working fine. No catastrophic events, all WG keys and IP addresses were entered correctly. I am not the best at looking at logs, but I checked them and couldn't even understand most of them, and did my best and still didn't find anything wrong. Every time I googled, I couldn't exactly find what I was looking for in reference to my particular problem. Google's AI Overviews, the thing at the top of most Google searches, had more to say than any result I found, and even when it sounded like it might be in the same relative neighborhood as my VPN problem, it would just link me to a site with a guy who was like 'yeah I don't know what I'm doing, followed instructions installing WG best I could, donno what I did wrong'. 

        ChatGPT told me whenever I explained the problem there to enter "sudo wg show" and it instructed me to look at the connection status, to see if bits or bytes or whatever were received, and that command simply didn't show anything except that there were various clients with their own tunnels, the virtual /32 IP addresses WG assigned them, the keys would be omitted, and there were no lines showing connection status for any of them. I told ChatGPT this isn't showing status and it insisted that it's supposed to be there and finally told me to check the status another way using "sudo systemctl status wg-quick@wg0". I didn't get far with Grok3 either. 
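As an added example (not from this post, and not part of PiVPN or WireGuard), here is a small POSIX shell diagnostic for exactly the situation described above: the server's "wg show" lists peers but no "latest handshake" line, while the client shows bytes sent and 0 received. It reads the machine-readable "wg show wg0 dump" output and labels every peer as never handshaked, stale, or OK, so a missing handshake is reported explicitly instead of as a line that simply isn't there. The interface name wg0 is the one from the post; the peer keys, the endpoint address and the timestamps in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the blog's or WireGuard's own code): classify each peer
# from `wg show <iface> dump` so a "no handshake ever" condition is obvious.
#
# `wg show wg0 dump` prints tab-separated rows:
#   line 1: private-key  public-key  listen-port  fwmark
#   peers : public-key  preshared-key  endpoint  allowed-ips
#           latest-handshake(epoch seconds, 0 = never)  rx-bytes  tx-bytes  keepalive
#
# Usage on the server:  sudo wg show wg0 dump | wg_peer_status "$(date +%s)"

# $1 = current epoch time (passed in so results are reproducible); dump on stdin.
wg_peer_status() {
    awk -F'\t' -v now="$1" '
        NR == 1 { next }          # skip the interface line
        NF < 8  { next }          # ignore anything that is not a peer row
        {
            peer = substr($1, 1, 8) "..."     # abbreviate the public key
            endpoint = $3; hs = $5 + 0; rx = $6; tx = $7
            if (hs == 0)              state = "NEVER-HANDSHAKED"  # no handshake has ever completed
            else if (now - hs > 180)  state = "STALE"             # >3 min; WG refreshes every ~2 min while traffic flows
            else                      state = "OK"
            printf "%s endpoint=%s rx=%s tx=%s state=%s\n", peer, endpoint, rx, tx, state
        }'
}

# Count peers in a given state ($2) as of epoch time $1; dump on stdin.
count_state() {
    wg_peer_status "$1" | grep -c "state=$2\$"
}

# Constructed sample dump (placeholder keys, documentation-range endpoint)
# standing in for real `wg show wg0 dump` output: the laptop peer has never
# handshaked, the phone peer handshaked at epoch 1744000000.
SAMPLE_DUMP="$(printf 'SERVERPRIVKEY\tSERVERPUBKEY\t51820\toff\nLAPTOPPUBKEY\t(none)\t(none)\t10.6.0.2/32\t0\t0\t0\toff\nPHONEPUBKEY\t(none)\t203.0.113.7:41234\t10.6.0.3/32\t1744000000\t81234\t99812\t25\n')"

# Stand-alone demo: evaluate the sample as if the current time were 1744000100.
printf '%s\n' "$SAMPLE_DUMP" | wg_peer_status 1744000100
```

A peer stuck at NEVER-HANDSHAKED while the client keeps counting bytes sent points at the path in front of the server (UDP port forwarding for 51820, NAT, or the router itself) rather than at the keys in wg0.conf, which is what the 45-second router power-cycle later in this post confirmed.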

        I had restarted services several times, turned WG on my laptop on and off multiple times, rebooted the laptop, rebooted the server (that was exciting because it took a lot longer to reboot than it should have, which makes me think the kernel finally updated), I checked multiple logs, and I was starting today to double check everything because I figured I just had to have missed something simple. My friend came over and he actually is in Information Systems; he is familiar with a lot of Information Technology stuff because I guess his job doesn't have much in the way of IT. He offered his help but said he didn't know how VPNs work, so I said that was fine, I do, but I can't figure this problem out. So he came over early this morning and I started explaining WG and VPNs and how packets move on and off a network so he could differentiate from what he already knew, admitting that routing is confounding to him. I explained TCP and UDP, port forwarding, half tunnels and full tunnels and each of their pros and cons, and I had drawn a diagram of my physical network that made sense in a logical fashion with the VPN taken into account. And then I drew another diagram of a cloud with a tunnel running through it with my server on one end of the tunnel and my laptop on the other end and explained the keys' purpose, encryption, and how the routers figure into the tunnel. I showed him the wg0.conf file, which has all the keys, tunnel names, IP ranges, IP addresses, etc. I showed him the tunnel configuration window in the WG client on my laptop and accidentally turned it on and had trouble SSHing into my server and couldn't figure out what the problem was now, and then realized, oh, I accidentally turned on the tunnel, so I have no internet. He didn't understand why I would have no internet so I explained that since it's a full tunnel, everything, all network traffic to and from my laptop, now has to go over the VPN except possibly DHCP. 
Maybe that's why when I connect to the internet and turn on the VPN, my WiFi icon changes to a no-network icon, because even DHCP can't reach the laptop so the connection is dubious. Then he wondered why it would matter, why if I turned on my VPN while at home, the connection would have to go back outside my network and back in, and I explained that the WG client has the public IP address my ISP gave my apartment's router, so when it looks for my network it has to look for that public IP address. It goes through NAT and the firewall, and the firewall will only let it in on the port WG is using, which is usually 51820, which is why you'll see an IPv4 address with a ":51820" at the end of it. The ports are all closed by default and only opened according to what you approve, and so if you wanted to search the internet with unsecured HTTP fifteen years ago or whatever, it was port 80; now it's 443 for HTTPS over SSL almost entirely, and WG gets 51820 by default, and anything on 51820 will go straight to my server as long as the port forwarding is configured on every router of the network local to the server. Customer side of the demarcation point. If it's Xfinity, which is an ISP a lot of people around me have, they don't buy a huge pool of IPs for people to use and instead just a few, and have their own version of NAT where they then have public addresses they assign to customers, which is why with Xfinity, you can't use a VPN. You would have to either get the only port forwarding their entire pool would allow, because ports are usually only assigned to one service for security I assume, and I would look that up if I didn't already have a packed schedule. 

        After Robert left and we had run out of time, I had this idea to just ask Grok what the most common problems were that fit my situation, and it said that it was most likely either firewall or port-forwarding issues, NAT or routing problems, or an MTU (maximum transmission unit) mismatch--the maximum IP packet size on every layer 3 device is configured to different maximum sizes, which can cause errors with packets that were already segmented into smaller pieces for network communication and then run into devices that can't pass them because their MTU is set to a smaller size. You really want every device set to the same MTU, and if you're sending and receiving from the internet then you want your network to conform to that, which is 1500 bytes; 1500, or 1492 when taking packet headers and trailers into account, is almost always the standard, and consumer routers are just automatically configured to this so a lay person doesn't have to worry about it. 

        Anyway, I spent about an hour trying to get any one of the last three roommates to have control over the router to help me access it to make sure the configuration is still good, because that is probably the one thing I didn't check. With the VPN being such a virtual thing, it never occurred to me to check anything physical except my own plugs in my room. I had internet, so there was no obvious clue that it was the router that I was aware of. But I wanted to check. This problem was confounding enough, and if I was going to reinstall PiVPN, I would lose the opportunity to know what the heck went wrong so I could just check that next time something like this happens. 

        My current roommate with control over the internet and utilities said he was in class and was too busy to deal with this right now. He isn't an IT person so he doesn't know that it really needs to be him that does it because he would have all the credentials. I asked him if he could ask Nate, who had utilities and internet last, to give him his credentials, and then Robert before him, and then I rolled my eyes and just texted them myself and already had both of them tell me "I don't have it, Nate took over, he told me so," and Nate say he never got it from Robert, and then Nate look up his account online to see if he still had the account in his name, which he did, so my new roommate was no longer needed. I had never been allowed to access the router myself because Robert was very cautious about messing with things that belonged to him and he had responsibility for, and not knowing what he was doing, so if it worked, the only ones that would touch it were the technician from the ISP and him. He would let me give him instructions and he would look at things for me, but now it's not even under his control. And Nate was sure he didn't have it either but the account said otherwise. So now he is mad at Brenner and I had to put out a fire when I already had a smoldering mess of my own and so on, so after we got all the drama out of the way, Nate asked for money because the bill that was now currently due, that he apparently has to worry about, is now due, so Brenner and I have to pay thirty-five each for the fiber connection. And then he asked more sympathetically, "Did you unplug the router for forty-five seconds?" I thought, no, but I guess it can't hurt to try. 

        So I did. I can't believe it. Everything worked after that. He called back later and I told him about it, and then I said it was a good thing this happened because since he isn't exactly rolling in the dough, and didn't know he owed our ISP money, my internet wasn't shut down, the fix to my VPN was simple even if extremely frustrating and confounding, and we hadn't caught up in a while because we actually didn't particularly love living together even though we had almost nothing to do with each other, with him living in the basement and me in the attic, and so we almost never saw each other. And his entry and exit to the house is faster if he just walks in and out of the front door, and the stairs up to my room are right in front of the back door to the parking lot, and I have a car, which he doesn't have. So we just never saw each other. So I told him I thought this was a good thing and I think he agreed with me. He has since asked me to help him run an errand and so I have to run. 

This has been Truncat3d 00000000111100010100110______________end of line
