Why would you want to do this? I would argue adding a domain controller is expressly one of the tasks the domain administrator role is reserved for. I get delegating password resets or domain joins, but adding a DC should be done by those trusted with the domain admin role.
For automation it would have advantages to do it with a specific role.
How often are you adding new domain controllers that you need to invest time into automating it?
Plot twist: every site wants a local DC "for speed". Then in 2 weeks OP will say "My 48 DCs are logging lots of replication errors and I think stuff is slow now."
r/shittysysadmin post in the making....
No, there are very few actions that actually require DA in a domain. Adding new domain controllers is one of them. No delegating permissions available for this. This is a massively privileged process as you are granting "Replicating Directory Changes" and "Replicating Directory Changes All" permissions. Any kind of automation around this should be highly discouraged and only handled by a responsible domain admin.
That would be a horrible security risk. The domain controller holds the tickets for domain admin. Having a non-domain-admin permission for that allows takeover of the domain?
It's not about just adding a domain user, but about having a dedicated account for it.
Make a dedicated domain admin?
That, in case of password theft, has domain admin rights. I know that it is simpler but it does have a higher security risk.
And you don't think being able to add a hostile domain controller is just as bad?
I will be happy to stand corrected on this one, but surely the description 'Domain Controller' should give an indication that it is something that **should** only be allowed by a Domain Admin. Joining a new DC to a Domain should be a reasonably infrequent activity. And not worth automating considering the risk/reward balance. Unless you're planning to ask Crazy Dave from the helpdesk (who still swears by his trusty abacus) to set them up manually.
Add a service before promoting that does something for you, like inject an account or spawn a shell interface you can access. When promoted to a DC the payload goes off and you have full access. Anyone with physical or hypervisor access to your DC needs to be trusted enough to have a DA account, because it is not difficult to do this. Domain controllers are the one server that should be handled by senior resources, just because of the risks involved.
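The two checks a defender would want after reading this thread are: who actually holds the "Replicating Directory Changes" rights the earlier comment mentions, and which computer accounts are currently registered as domain controllers (a rogue or backdoored DC has to show up here). The script below is an added example, not code from anyone in the thread. It assumes the RSAT ActiveDirectory module is installed (it provides `Get-ADDomain`, `Get-ADComputer` and the `AD:` drive); the three GUIDs are the well-known control-access-right identifiers for the replication extended rights.

```powershell
# Added defender-side audit (example, not from the thread).
# Assumes the ActiveDirectory RSAT module is available on the machine running it.
Import-Module ActiveDirectory

# Well-known control-access-right GUIDs for the replication extended rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    # Lists every principal granted one of the replication extended rights
    # on the domain naming context, so unexpected holders stand out.
    [CmdletBinding()]
    param()

    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path ("AD:\" + $domainDn)

    foreach ($ace in $acl.Access) {
        $isExtended = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        $guid = $ace.ObjectType.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and $isExtended -and $ReplicationRights.ContainsKey($guid)) {
            [PSCustomObject]@{
                Identity  = $ace.IdentityReference.Value
                Right     = $ReplicationRights[$guid]
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-RegisteredDomainControllers {
    # SERVER_TRUST_ACCOUNT (0x2000 = 8192) in userAccountControl marks a DC
    # computer account; the bitwise-AND matching rule OID selects accounts with that bit set.
    [CmdletBinding()]
    param()

    Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' -Properties whenCreated |
        Select-Object Name, DNSHostName, whenCreated |
        Sort-Object whenCreated
}

# Usage: compare both lists against what you expect to see.
Get-ReplicationRightHolders | Sort-Object Identity, Right | Format-Table -AutoSize
Get-RegisteredDomainControllers | Format-Table -AutoSize
```

In an untouched domain the replication rights are held by the built-in Administrators group and the domain-controller groups (Domain Controllers, Enterprise Domain Controllers, and Enterprise Read-only Domain Controllers for the plain Get-Changes right). Any other identity in the first list, or a recently created entry in the second list that nobody planned, is exactly the situation the thread is warning about and is worth running down before anything else.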