I have a virtualization host (Proxmox VE) at home which runs, amongst other things, a virtual Windows Active Directory infrastructure. It has its own isolated virtual network, with an OpenBSD VM acting as a router that does the network address translation.


I asked myself whether it is possible to connect to the virtual domain controller with Active Directory Users and Computers (ADUC). In addition, the client does not belong to the same domain as the test system.

First, I added port forwarding on my OpenBSD router by adding the following line to /etc/pf.conf:

pass in proto tcp from any to (egress) port { 88, 137, 139, 389, 445 } rdr-to 10.0.0.10

The Kerberos port 88 is not strictly necessary, but nice to have. Now activate the rule with: pfctl -f /etc/pf.conf
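As an added example (not part of the original post), a small POSIX shell script that audits the rdr-to rules in a pf.conf against exactly the five ports above, refuses to load the file if it forwards anything else, and parses it with pfctl -n before loading for real. The allowlist, the constructed sample rules and the use of pfctl's -P flag for numeric port output are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: audit which ports a pf.conf
# forwards with rdr-to, refuse to load it if any port outside ALLOWED is
# forwarded, and parse it with pfctl -n before loading. ALLOWED is assumed.

ALLOWED="88 137 139 389 445"   # the ports the post forwards to the DC

# Print each port forwarded by a rdr-to rule read on stdin, one per line,
# sorted and de-duplicated. Accepts "port 445", "port = 445" (pfctl -sr form)
# and "port { 88, 389 }". A rdr-to rule with no port clause forwards every
# port, which is reported as "all".
rdr_ports() {
    awk '{
        s = $0
        sub(/#.*/, "", s)                   # ignore comments
        if (s !~ /rdr-to/) next
        sub(/[ \t]*rdr-to.*/, "", s)        # keep the match part only
        if (s !~ /[ \t]port[ \t]/) { print "all"; next }
        sub(/.*[ \t]port[ \t]*/, "", s)     # keep the port specification
        gsub(/[{},=]/, " ", s)              # "{ 88, 389 }" -> " 88  389 "
        n = split(s, p, /[ \t]+/)
        for (i = 1; i <= n; i++) if (p[i] ~ /^[0-9]+$/) print p[i]
    }' | sort -n | uniq
}

# Print forwarded ports (from stdin) that are not in ALLOWED; return 1 if any.
unexpected_ports() {
    found=0
    for p in $(rdr_ports); do
        case " $ALLOWED " in
            *" $p "*) ;;
            *) echo "$p"; found=1 ;;
        esac
    done
    return $found
}

# Audit, parse-only check (pfctl -n), load, then list the loaded rdr-to rules
# with numeric ports (-P, assumed) so the audit can be repeated on the live set.
reload_pf() {
    conf="${1:-/etc/pf.conf}"
    unexpected_ports < "$conf" && pfctl -nf "$conf" && pfctl -f "$conf" \
        && pfctl -P -sr | grep rdr-to
}

# Constructed sample: the post's rule plus a stray RDP forward added later.
SAMPLE_CONF='pass in proto tcp from any to (egress) port { 88, 137, 139, 389, 445 } rdr-to 10.0.0.10
pass in proto tcp from any to (egress) port 3389 rdr-to 10.0.0.10'

echo "$SAMPLE_CONF" | unexpected_ports || echo "unexpected forward(s) listed above"
```

On the router, source the script and run reload_pf /etc/pf.conf in place of a bare pfctl -f.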

On your client computer, start a shell as Administrator and run:

runas /u:ACME\Administrator /netonly "mmc %windir%\system32\dsa.msc /server=192.168.2.10"

It works quite well, but there is a problem looking up the old NetBIOS name of the domain (I don’t care).