Solved

Install AD

Posted on 2006-11-01
Last Modified: 2010-04-10
I've worked with AD in an environment where it has already been installed, but if there is a small domain (4 servers) and 12 workstations that are NOT using AD, how can I install AD? Do I just use dcpromo and use the ISP DNS (if they don't already have an internal one) and that's it?
Question by:tolinrome

24 Comments
LVL 5

Expert Comment

by:Austin Texas
ID: 17854065
No, you cannot use the ISP DNS.  You should allow the DNS to be installed during the AD configuration process.

What are the 4 servers running?  All Win2k3 Server?
What about the workstations?  All XP Pro?
LVL 7

Author Comment

by:tolinrome
ID: 17854142
What would I specify as the full DNS name for the domain during the AD installation, just the domain name itself? For example, if the domain is called "ourcompany", would I specify it exactly as "ourcompany.com"?

No, 2 Win2k3 and 2 W2K servers, and all XP Pro clients.
LVL 5

Expert Comment

by:Austin Texas
ID: 17854190
I'm assuming you are using a private IP class for your internal network, and if so you want to create an internal domain name like mycompany.local.
LVL 7

Author Comment

by:tolinrome
ID: 17854279
Yes, all private IPs behind the firewall. What does the .local mean? Will it cause any problems? Is there a link on this you know of?
LVL 5

Expert Comment

by:Austin Texas
ID: 17854528
The .local TLD is a non-registered extension which has become a kind of de facto standard for internal domains.
http://support.microsoft.com/kb/296250/
http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/ff48115a-d020-4335-a7b2-f0ca3c6df2f3.mspx?mfr=true
LVL 25

Expert Comment

by:mikeleebrla
ID: 17854884
Since your Windows DNS domain name is only used for internal reasons, you can name it whatever you want, really.  If you already have a publicly registered domain name you can even use that if you would like.  Just make sure to keep your external and internal DNS servers separate, as they are two completely different things.  Internal clients point to your internal server, external clients point to your external server, that's it.
LVL 5

Expert Comment

by:Austin Texas
ID: 17854969
While technically you ~could~ use the same name as your registered domain, I *STRONGLY* advise against it.  There are substantial pitfalls and few if any advantages.
LVL 25

Expert Comment

by:mikeleebrla
ID: 17855030
No disadvantages IF set up properly.  Proper setup/engineering is the key to any IT solution.
LVL 7

Author Comment

by:tolinrome
ID: 17855058
What if, for example, I would like to publish one of the servers to the internet as a web server? Then the .local wouldn't suffice, true?
LVL 25

Expert Comment

by:mikeleebrla
ID: 17855097
Again, with proper DNS setup either way will work.  If you DO choose to do the .local top-level domain and choose to publish the web server to the public, it would work (if properly set up).

External machines would point to a public DNS server that would resolve www.yourdomain.com to the public IP that is mapped to the server.

Internal machines would point to your private internal DNS server, which would have to have its own DNS zone for www.yourdomain.com that would point to the private IP of the server...

And just for TexorcisT, this is one ADVANTAGE of having the public and internal domain names the same.... because in the above scenario the network would have to have .yourpublicdomain.com AND .internaldomain.local zones on the internal DNS server.  If you use the public domain as the internal domain, you only have to have one DNS zone on the internal DNS server (publicdomain.com).    And no, you can't have the internal DNS server forward requests for www.publicdomain.com to a public DNS server, since it will return a public address, not a private address, and firewalls will NOT let these requests go "out and back in" to get to the internally hosted server, so to speak, for obvious reasons:

1. If the server is on the internal network, why go out to the internet, then back in to reach it?
2. It is much faster to access the internal server over the LAN, rather than going over the LAN, out to the WAN, out to the internet cloud, back in the WAN, back in the LAN.... doesn't make much sense, does it?
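The split-horizon zone described in the comment above, as an added example that is not part of the thread and not any poster's own configuration. It uses the DnsServer PowerShell module (Windows Server 2012 or later, an assumption; the thread predates these cmdlets, where the same thing was done in the DNS MMC or with dnscmd). The zone name, server name and every address below are placeholders, and the outside resolver is only there so the two views can be compared.

```powershell
# Added example (not from the thread): internal DNS server authoritative for the
# public zone name, answering www with the LAN address and mail with the public one.
# Assumptions: DnsServer module available, run elevated on/against a DC-hosted DNS.
$PublicZone     = 'mycompany.com'          # the registered name, also used inside
$InternalDns    = 'dc1.mycompany.local'    # assumed internal DNS server (a DC)
$PublicResolver = '198.51.100.53'          # assumed outside resolver, for comparison only
$WebPrivateIP   = '192.168.10.20'          # LAN address of the internally hosted web server
$MailPublicIP   = '203.0.113.25'           # public address of the outsourced mail server

# Once this server is authoritative for mycompany.com it will NEVER forward a query in
# that zone to the ISP, so every publicly hosted name must have a record here too.
if (-not (Get-DnsServerZone -Name $PublicZone -ComputerName $InternalDns -ErrorAction SilentlyContinue)) {
    # AD-integrated with secure updates only: only authenticated domain members can
    # register or overwrite records, which is the setting a practitioner should insist on.
    Add-DnsServerPrimaryZone -Name $PublicZone -ReplicationScope Forest -DynamicUpdate Secure -ComputerName $InternalDns
}

# Inside view: www is reached over the LAN, not hairpinned through the firewall.
Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name 'www'  -IPv4Address $WebPrivateIP -ComputerName $InternalDns
# Outsourced service: same answer the public zone gives.
Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name 'mail' -IPv4Address $MailPublicIP -ComputerName $InternalDns

# Check both views of the same name: they should differ for www and match for mail.
function Compare-DnsViews {
    param([string]$Name, [string]$InsideServer, [string]$OutsideServer)
    $in  = (Resolve-DnsName -Name $Name -Type A -Server $InsideServer  -DnsOnly -ErrorAction SilentlyContinue).IPAddress
    $out = (Resolve-DnsName -Name $Name -Type A -Server $OutsideServer -DnsOnly -ErrorAction SilentlyContinue).IPAddress
    [pscustomobject]@{
        Name       = $Name
        Inside     = ($in  -join ',')
        Outside    = ($out -join ',')
        SplitBrain = (($in -join ',') -ne ($out -join ','))
    }
}
"www.$PublicZone", "mail.$PublicZone" |
    ForEach-Object { Compare-DnsViews -Name $_ -InsideServer $InternalDns -OutsideServer $PublicResolver } |
    Format-Table -AutoSize
```

If the forest itself were named mycompany.com (the one-zone variant argued for above), skip the zone creation because promotion already created it; note that in that case the DCs register the zone apex (mycompany.com) with their own addresses, which is the record clash the other side of this argument is referring to.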
 
LVL 4

Accepted Solution

by:Smacky311 (earned 50 total points)
ID: 17855099
Documentation is also key to proper setup/engineering, and the documentation will be confusing and ambiguous when one combines one's namespaces. You'll need to use your own DNS server for local name resolution, and then you can forward unresolved queries to the ISP DNS server.
LVL 25

Expert Comment

by:mikeleebrla
ID: 17855111
>>You'll need to use your own DNS server for local name resolution and then you can forward unresolved queries to the ISP DNS server
Or just have ALL the correct DNS records on your local DNS server.

Usually there are only a handful of DNS queries that should be external (basically anything you outsource), so it's no big deal.
LVL 7

Author Comment

by:tolinrome
ID: 17855132
This is all good information, but I would like to do exactly what smacky311 commented on.

I will install AD on a DC and ALL workstations/servers on the LAN will point to the internal private DNS servers; I will also set up DNS forwarding on the internal DNS to the ISP DNS.

The point that stumbles me is when I create the AD and it asks me for the "full DNS name": what do I put? They already have a publicly registered domain name, e.g. "mycompany.com" - maybe I can enter "mycompanyAD.com" for the DNS name, does that make sense?

Another thing: after AD is installed with the new domain name "mycompanyAD.com", how do the other servers that are already installed take on that name?
LVL 25

Expert Comment

by:mikeleebrla
ID: 17855184
>>...me for the "full dns name" what do I put?
again, since this is ONLY used by your internal clients you can really put whatever you want.  remember, the ONLY machines in the world that will ever be pointed to this DNS server are your own clients.  Some people like to use their publically registered domain name (like me obviously) and some people like to use some random name like domainAD.com or domain.local (this just confuses things to me though) For example, your users will have to remember TWO domains for certain things (such as internal servers that are also available externally (like email).  If they are at home, they will have to access it via mail.publicdomain.com, but if they are in the office they will have to access it via publicdomainAD.com.  Why not just have them use both as publicdomain.com,,, it is just cleaner.

>>This is all good information but I would like to do exactly what smacky311 commented on.
if i understood him correctly he is talking about if you use your internal and external domain with the same name, he says you have to "...you can forward unresolved queries to the ISP DNS server.", which is not true.

for example:
if an internal client tries to get to www.domain.com and that server is internal, then your DNS server will just point to the internal IP address of your www server.
if an internal client tries to get to email.domain.com and that server is extneral, then your DNS server will just point to the public IP address of your email server.
see, there is no need to forward anything to your ISP's DNS server if you have a DNS record on your internal DNS server.

0
 
LVL 5

Expert Comment

by:Austin Texas
ID: 17855217
Just for Mike -

Don't beat around the bush.  If you want to recommend a single domain name method then do it.  You won't, because it's a bad idea.  We're trying to help the guy, not tell him every possible way to misconfigure it.

The one domain method was the originally documented method published by MS in the 90's and then reversed due to the number of people having problems with it.  MS now recommends using .local for good reason.  Even if using registered domains, MS recommends using a subdomain or another domain name altogether.

A properly configured DMZ will allow you to use the external DNS for real world DNS resolution and easily route to it as well.  I don't know who is configuring your routers, but your traffic to a DMZ IP address should never need to go "out to the WAN, out to the internet cloud, back in the WAN, back in the LAN".  What doesn't make much sense about that is how messed up your routing tables would have to be to do that.

And even if you couldn't get your routers to route correctly, why would having to manage one internal zone be easier than two?  With two you can easily differentiate between the manually scribed zone and the AD scribed zone.  With only one you have to deal with the AD attempting to overwrite your custom A records.

Let's try to give some good advice here and not spar over what is technically possible albeit hardly recommended.

Thanks - Tex
LVL 5

Assisted Solution

by:Austin Texas (earned 100 total points)
ID: 17855282
tolinrome -

The most common method for handling this situation is to name the internal AD mydomain.local and use mydomain.com for your external addresses.  The reason why it is most common is because it's fairly easy and generally considered not confusing.

If you want, you can certainly use mydomainAD.com, but that is not recommended because .com is a registerable public TLD.  If you go that route, it is advised for you to register mydomainAD.com.

A better second choice would be to use a subdomain like AD.mydomain.com.

Do it like Smacky311 and I are recommending and it should go very smoothly.  Save the publicly registered domain for external use, and when you are asked the domain name during AD setup, just use the publicly registered domain name with a .local extension instead of .com and you are off to the races.

For best results, I highly recommend not breaking convention on your first AD deployment.

Good Luck!

Thanks - Tex
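The setup recommended above (forest named mydomain.local, DNS installed by the promotion itself, ISP resolvers used only as forwarders), as an added example that is not from the thread or any poster. dcpromo is the Windows 2000/2003 wizard; this uses its Windows Server 2012 and later replacement, the ADDSDeployment and DnsServer modules, which is an assumption about the reader's OS. The forest name, NetBIOS name and ISP resolver addresses are placeholders. One caveat the thread predates: .local was later reserved for multicast DNS (RFC 6762), and Microsoft's current naming guidance prefers a subdomain of a registered name such as ad.mycompany.com; the commands are identical either way.

```powershell
# Added example (not from the thread): first DC of a new mycompany.local forest using the
# PowerShell replacement for dcpromo. Assumptions: Windows Server 2012 or later, run
# elevated on a server that already has a static IP. All names/addresses are placeholders.
$ForestName    = 'mycompany.local'
$NetbiosName   = 'MYCOMPANY'
$IspForwarders = @('198.51.100.1', '198.51.100.2')   # assumed ISP resolvers

# Step 1: roles. AD-Domain-Services brings the ADDSDeployment module, DNS the DnsServer module.
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# Step 2: promotion. -InstallDns is the "let DNS be installed during the AD configuration"
# advice from the thread: it creates mycompany.local as an AD-integrated zone and registers
# this DC's SRV records in it. No delegation, since nothing above .local exists to delegate from.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Install-ADDSForest -DomainName $ForestName -DomainNetbiosName $NetbiosName `
    -InstallDns -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword $dsrm -Force
# The server reboots here; log back in and continue with step 3.

# Step 3: the ISP resolvers are configured only as forwarders on the DC. Clients will be
# given the DC's address, never the ISP's, or their SRV lookups for the domain fail.
Set-DnsServerForwarder -IPAddress $IspForwarders -UseRootHint $false

# Step 4: hardening and checks. Secure-only dynamic updates mean only authenticated domain
# members can register or overwrite records in the AD zone.
Set-DnsServerPrimaryZone -Name $ForestName -DynamicUpdate Secure
Get-DnsServerZone -Name $ForestName | Format-List ZoneName, IsDsIntegrated, DynamicUpdate
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint
# The locator record every domain member will ask for; it must resolve to this DC.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ForestName" -Type SRV -Server 127.0.0.1
```

The second DC mentioned later in the thread is added with Install-ADDSDomainController -DomainName mycompany.local -InstallDns, after pointing its own DNS client at the first DC; forwarders are per server and have to be set on it too.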
 
LVL 5

Expert Comment

by:cjtraman
ID: 17856376
You cannot use ISP DNS as they do not support dynamic registration of SRV & host records in DNS. Whenever you install AD, the dcpromo process adds SRV records for locating objects in AD. I assume you have all the servers and desktops in the same physical network. I suggest you go for a single domain model with 2 domain controllers and in-house DNS servers supporting DDNS. You have not mentioned the roles the 4 servers perform currently or their hardware configurations. Hope they have sufficient hardware resources to host Windows 2003 Active Directory.
LVL 7

Author Comment

by:tolinrome
ID: 17858603
Thanks everyone so much, I'm learning from you guys!!!! Yes, all hardware can support 2003 AD.

TexorcistT, I think I will def follow your advice as it makes more sense to me personally.

1. After AD is installed do I need to create DNS zones? I will have 2 internal DNS servers (DCs).

2. Will the other 2 production servers (file/print/DHCP/WINS) take on the .local name for their computer name automatically after AD is installed on the DCs?
LVL 25

Assisted Solution

by:mikeleebrla (earned 100 total points)
ID: 17859001
Yes, I do recommend that he uses the same internal and external domain name, I never said otherwise.  I also said that either will work IF properly configured (and they both will). Please don't try to turn this thread into a pissing match (too late though) by saying that I'm trying to hurt this guy by intentionally telling him how to MISCONFIGURE his DNS; that is absurd and you know it.  I guess you know everything though with all of your 4,450 points on EE and I don't know anything with my mere 1,039,206.  I guess I got over a million points from telling people how to misconfigure their network, that's it.

>>If you go that route, it is advised for you to register mydomainAD.com.
If he registered mydomainad.com, then he would have the same internal domain name as a publicly registered one... which you say is incorrect.

>>A better second choice would be to use a subdomain like AD.mydomain.com.
Sorry, wrong again, for the same reason as above.  In that setup mydomain.com would be used publicly AND used internally... which you say is incorrect.
Setting up ad.mydomain.com 'might' work, but just confuses the issue unnecessarily, which seems to be your goal.
LVL 5

Expert Comment

by:Austin Texas
ID: 17859408
tolinrome -

The AD setup will set up the DNS zone for you.

You will then need to add all the machines, including servers, to the domain.  That will take care of naming for those.

I recommend that you set up DHCP services from a domain controller as well.

Thanks - Tex
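What the two answers above amount to on the existing servers and workstations (point them at the DCs, join them, then prove the SRV records cjtraman mentions are actually served), as an added example that is not part of the thread. Same OS assumption as before: Windows Server 2012 / Windows 8 or later cmdlets rather than the XP/2003-era netdom and ipconfig. The domain name and DC addresses are placeholders.

```powershell
# Added example (not from the thread): DNS client settings, domain join and locator-record
# check for existing machines. Assumptions: modern PowerShell cmdlets, placeholder addresses.
$Domain = 'mycompany.local'
$DcDns  = @('192.168.10.2', '192.168.10.3')   # the two DCs, both running DNS

# Step 1 (each existing machine): DNS points at the DCs and nothing else. An ISP resolver in
# this list would receive some of the SRV queries and answer NXDOMAIN, so logons and Group
# Policy would fail intermittently; that is the practical reason behind "no ISP DNS" above.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses $DcDns
}

# Step 2 (each existing machine): join. The hostname is kept; the FQDN becomes
# <host>.mycompany.local and the machine registers its own A record via secure dynamic update.
Add-Computer -DomainName $Domain -Credential (Get-Credential "$Domain\Administrator") -Restart

# Step 3 (any member, after the reboot): every DC must serve the records dcpromo registered.
function Test-AdLocatorRecords {
    param([string]$Domain, [string[]]$Servers)
    $records = @(
        "_ldap._tcp.dc._msdcs.$Domain",   # DC locator used by the Netlogon client
        "_kerberos._tcp.$Domain",          # KDC
        "_ldap._tcp.$Domain"
    )
    foreach ($srv in $Servers) {
        foreach ($name in $records) {
            $r = Resolve-DnsName -Name $name -Type SRV -Server $srv -DnsOnly -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Server  = $srv
                Record  = $name
                Found   = [bool]$r
                Targets = ($r.NameTarget -join ',')
            }
        }
    }
}
Test-AdLocatorRecords -Domain $Domain -Servers $DcDns | Format-Table -AutoSize

# If DHCP runs on a DC as suggested above, hand the workstations the same resolvers via
# DHCP option 6 (DhcpServer module) instead of touching each one:
#   Set-DhcpServerv4OptionValue -DnsServer $DcDns -DnsDomain $Domain
```

A row with Found = False for one DC and True for the other is the classic symptom of a DC that was promoted while its own DNS client still pointed at the ISP; dcdiag /test:DNS on that DC gives the detailed reason.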
 
LVL 5

Expert Comment

by:Austin Texas
ID: 17859464
background -

I have once tried the externally registered domain for both internal and external and, maybe I did it wrong, but I had lots of problems.

I'm currently managing around 50-100 separate small-medium biz networks all configured with .local internal zones with ease.

Thanks - Tex
LVL 7

Author Comment

by:tolinrome
ID: 17862658
Thanks guys. I realize now there are different ways and I just wanted to do what would be more practical and safe. Thanks so much for the help!
LVL 5

Expert Comment

by:Austin Texas
ID: 17862889
Wow!  Smacky got the accepted answer on that???  I gotta stop working so hard.