Alexander Todorov

Reputation: 2245

Is there a Windows Active Directory container suitable for testing?

I am looking for a container like openshift/openldap-2441-centos7 or https://github.com/osixia/docker-openldap that would be running a Windows OS and have some sensible defaults.

I'd like to add a couple of user accounts and test that my application can talk to the Windows AD and login with the specified accounts.

ATM we're testing against OpenLDAP on Linux but would like to test against a real Windows AD configuration.

Upvotes: 8

Views: 32304

Answers (5)

Michael Adam

Reputation: 761

The Samba project (samba.org) offers a compatible implementation of the Active Directory network protocols that Windows clients happily use as an AD server.

Not sure if it helps and serves your needs, but we have created a samba-container project https://github.com/samba-in-kubernetes/samba-container/ that also features an Active Directory server container.

Pre-built images are available here: https://quay.io/repository/samba.org/samba-ad-server

Sure, this is not native Windows AD, but it should be compatible enough for most purposes.

Upvotes: 0

James Hopwood

Reputation: 23

While these answers were valid, I believe the definitive impossibility of running an Active Directory Domain Controller within a Windows container might no longer apply.

It may now be possible using Windows HostProcess/Privileged Containers, which were introduced last year.

These new containers allow access to: host networking, filesystem, namespaces, security identifiers (local users, service accounts, and computer identity), and IPC. In essence they behave much more like Linux containers.

This being the case, I believe it could be possible to containerise a DC. However, because of the huge number of components involved in an AD Domain and the modifications it makes to members and controllers, I would expect lots of components to have weird and unexpected behaviour.

For DCs in a long-term or production environment, I would recommend sticking with Windows Server Core VMs (if you're looking for the minimalist approach).

While this new type of Windows container might not make a good DC, I think this opens up the opportunity to containerise other Active Directory | Windows Server roles very effectively.

For example, running DHCP, DNS, and NPS on a single host as a pod, with the ability to integrate with AD, and for the services to perform IPC, both with each other and the host.

The HostProcess containers are only compatible with the containerd runtime for now. Orchestration-wise, it's focused on being run in Kubernetes environments.

I'd recommend that you read up more on it if you're still investigating containerising Windows Server roles.

https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/

https://learn.microsoft.com/en-us/azure/aks/use-windows-hpc

https://youtu.be/LcXT9pVkwvo?si=kLKzkgAKp5CoYPki

Upvotes: 1

Kartik Bhiwapurkar

Reputation: 5159

  • There is currently no officially released Docker image for Windows Server Active Directory that can be deployed in a container; however, you can configure a Windows container to run with a group managed service account, which can in turn provide Active Directory authentication to a group of computers or applications running in other containers.

  • For this purpose, you would need a Windows Active Directory domain with at least one functional domain controller running Windows Server 2012 R2 or later, and a system with internet access and domain administrator credentials to download the CredentialSpec PowerShell module.

  • Retrieve the ‘KdsRootKey’ from the domain controller and make it effective. Create a group managed service account with the name of the container that can be shared across multiple different machines and whose access is limited, through an access control list, to a security group that includes the container host; further, register an SPN for that gMSA.

  • Once the gMSA is created, prepare a domain-joined container host and set up Docker for Windows Server on it. Then, create the credential specification file and install it on the container host. In this way, it becomes ready to authenticate with various applications using Active Directory authentication.

Please find the links below for more information:

https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts

https://kubernetes.io/docs/tasks/configure-pod-container/configure-gmsa/

Upvotes: 3
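The gMSA workflow described in the answer above, written out as an added PowerShell example (not code from the answer or from Microsoft's docs). The domain `contoso.local`, the gMSA `WebApp01`, the group `WebApp01Hosts` and the host `CTRHOST01` are hypothetical placeholders; steps 1 to 3 run on a domain-joined admin machine with the AD module, steps 4 and 5 on the container host.

```powershell
# Added example: gMSA for a Windows container. All names are hypothetical placeholders.
Import-Module ActiveDirectory

# 1. KDS root key. In production use -EffectiveImmediately and wait ~10 hours
#    for replication; the backdated EffectiveTime is a lab-only shortcut.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Security group that is the ONLY principal allowed to retrieve the managed
#    password: least privilege, one group per workload, not "Domain Computers".
New-ADGroup -Name 'WebApp01Hosts' -GroupScope DomainLocal -GroupCategory Security
Add-ADGroupMember -Identity 'WebApp01Hosts' -Members (Get-ADComputer 'CTRHOST01')

# 3. The gMSA itself, with the SPNs the containerised service will present.
New-ADServiceAccount -Name 'WebApp01' `
    -DNSHostName 'webapp01.contoso.local' `
    -ServicePrincipalNames 'HTTP/webapp01.contoso.local', 'HTTP/webapp01' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebApp01Hosts'

# 4. On the container host (reboot first so its group membership is in its
#    token): check that it can actually pull the password, then build the
#    credential spec that Docker / Kubernetes will hand to the container.
Install-WindowsFeature RSAT-AD-PowerShell
if (-not (Test-ADServiceAccount -Identity 'WebApp01')) {
    throw 'Host cannot retrieve the gMSA password; check group membership and replication.'
}
Install-Module CredentialSpec -Force
New-CredentialSpec -AccountName 'WebApp01'   # writes WebApp01.json into the CredentialSpecs dir
Get-CredentialSpec                            # lists the spec files Docker can see

# 5. Run a container under the gMSA. The container hostname must match the gMSA
#    name so Kerberos tickets are issued for the right identity; nltest verifies
#    the secure channel to the domain from inside the container.
docker run --security-opt 'credentialspec=file://WebApp01.json' `
    --hostname WebApp01 -d mcr.microsoft.com/windows/servercore:ltsc2022 `
    powershell -Command 'nltest /sc_verify:contoso.local; Start-Sleep -Seconds 3600'
```

Remove the gMSA from `WebApp01Hosts` (or delete it) when the test environment is torn down, since any member of that group can fetch the account's password.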

jssmith6

Reputation: 31

I turned a TurnKey Linux LXC container into a Docker container and used that for AD. It's Samba AD, but you can use the stock Windows AD tools to manage it. It might not be what you are looking for, but it works great and provides Windows AD in a container. It does everything I need it to do and I don't need to go through the Windows hassle to get it working. I just searched for Active Directory on the TurnKey Linux site, downloaded the Live ISO and converted it to a Docker container. I could have just kept it as an LXC container, but I wanted to run it in Minikube and I am using Docker and Podman for that. I am about to download their SMB file server LXC container and do the same thing.

It sounds weird for something as simple as Active Directory to not be able to run in a container. It's probably a perfect target for a micro-services kind of thing. I am not a Windows guy but I understand X.500 and LDAP and it could be in a container.

Upvotes: 3

shashishailaj

Reputation: 446

The way Windows Active Directory is designed, it currently does not support running inside a Windows container. You may have to keep the Active Directory server outside the container and set up DNS accordingly. Please check the article https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts . Windows containers cannot be domain joined, but for testing applications you can create a group managed service account (gMSA). If you were hoping to run the Active Directory service in a Windows container, it's not possible; however, if you are looking for testing with service accounts, you can use a gMSA.

Upvotes: 6
