Solved

Active Directory: WinSvr 2012 Forest / Domains

Posted on 2013-11-06
7
354 Views
Last Modified: 2014-02-10
I am setting up a new network of sorts.  I got 2 new servers with 3 existing servers and 3 PC's and 2 Laptops.  Lastly, Firewall running WinSvr 2008 R2 with MS TMG 2010 Firewall.

I want to know the best way to setup the DNS, Domain Naming, Forest and assuring 2 way trusts.

The forest and domain controllers are my issue in simply planning.

Servers Names and Roles (Roles are not in place YET this planning )are below to give you an idea:

CTCSVR000 (Possible Domain Controller Internal Use) - Running WinSvr 2012
CTCSVR001 (Web Server IIS 8.0Internal and External use) - Running WinSvr 2012
CTCSVR002 (File Server and Web IIS 8.0 use Internal)

CTCSVR003 (Exchange Server 2013)
CTCSVR004 (Share team Server 2013)
Future Server:  CTCSVR005 (Lync Server 2013)

Thinking maybe doing Domain Controller on Server CTCSVR000 as Domain Controller and Hyper-V Exchange 2013???

So the Servers CTCSVR003 and CTCSVR004 are going to be access by clients. They will be using email thru Exchange 2013 and using Share Team 2013.

Also the Web Servers will be used by Clients from the outside.

I know your suppose to use real world domain names - NO domainname.local or .pdc but
domainname.com which debating on using my real company domain as the domain name???  I host my email on Google Business Apps and run my web site in house so I would just do sub-domains correct....   CTCSVR000.mydomain.com etc etc for each server???

should I make more than one forest from the mostly internal servers from the semi external servers.  there is a little over lap...

with 2 way trusts and what if I want 2 Domain controllers one for internal use and the other for external use...

Here is my thoughts:  
All one forest
2 domain controllers

Servers: CTCSVR000, CTCSVR001, CTCSVR002 and the firewall under same domain Controller.

Servers: CTCSVR003 and CTCSVR004 under there own domain controller

I might need more users names by having more active directory's so if a client name is Clint and there is already a Clint there can be two... I know I can do naming conventions like First.Lastname etc but I might need more...

In house, there are only 8 of us so internal users are about 8 and that is with future growth in mind.

If I have one forest and join all the servers to the same forest and I can have 2 domain controllers that supports the servers I join it too and they have 2 way trusts so they can access each other.

Or is JUST ONE DOMAIN CONTROLLER the best... I am guess 2 domain controllers anyway if I keep them under just one domain name controller.  For a back up if I have to move active directory or / and if I have to take the domain controller down the other domain controller in the same forest and domain will be up to take request???

Thanks, Clint
0
Comment
Question by:Clint Jones
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39627657
Definitely one domain controller is not the way to go...good thinking with 2.   If you only have one and that goes down hard you are going to have issues.   With such a small environment have you looked at Office 365 also?   The samaccountnames/usernames should be unique in the domain.   First.Last is common.  You could also use middle initial for cases where two are the same.

Thanks

Mike
0
 
LVL 6

Expert Comment

by:iradatsiddiqui
ID: 39627853
ONE DC and one more Additional domain controller (ADC) would be ideal in your scenario as you cannot trust only on one domain controller in case of failure. Try to keep Exchange on separate box not on Hyper V.
0
 

Author Comment

by:Clint Jones
ID: 39628066
Office 365 I already have office 2013 and Server 2012 R2 on all servers but we are just at the name of the server part - nothings a been promoted to a DC Yet and and no one has become a member server obliviously...

Yes I am will make exchange and share team on their own box and 2 servers as domain controllers of the same forest and domain...

So having a completely different domain you think is not the way to go from the external and internal users...

The external users will be web based and exchange thru the SSL web for direction to the exchange server..  and Share team and the web server is complete web based so there is no real danger of external clients being on the same servers as the company which is me and 8 others...

We gave cloud devices for file downloads for clients like 4 TB WD Cloud.. and Share Team of course can do file management,,,

So 2 domain controllers in same domain so we have a active - active directory if one of the goes down and 2nd is promoted to main DC...

and member's servers are just subdomains of the domain


Server:

Svr001.mydomain.com
etc
etc
etc
0
Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

 

Author Comment

by:Clint Jones
ID: 39628068
Quickie:  Does NTDS run on all of them or just the domain controllers... I think I know the answer but refreshing my memory?
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39629201
Avoid having a multi-domain forest - instead, start your design with a single domain forest and unless you can come up with a compelling reason to create additional domains, leave it as such. In pre-Windows Server 2008-based AD, creating multiple domains would typically be necessary to accomodate different password policies - but, with the introduction of Fine Grained Password Policy in Windows 2008/2012 DFL, this is no longer the case.

In general it is recommended that at least two DCs in a domain for high availablity and fault tolerance, but how many DCs at each site will depend on your requirement. Normally one DC at each site can serve thousands of users with regard to authentication. To me it's OK with 2 DCs in your scenario.

Determining the Number of Forests for Your Network
http://technet.microsoft.com/en-us/library/cc960533.aspx

Determining the Number of Domains Required
http://technet.microsoft.com/en-us/library/cc732201(WS.10).aspx

How many domain controllers are recommended
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/991d4f68-5178-4c9a-8b7d-8f2b5f53867e

Make all the DCs global catalogs and dns server.

Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

To choosing the internal domain name see this article.
What's in an Active Directory DNS Name? Choosing the Same As Your Public Domain Name, a ".net" Version of Your Public Name, or ".local:http://msmvps.com/blogs/acefekay/archive/2009/09/07/what-s-in-an-active-directory-dns-name-choosing-a-domain-name.aspx

Ensure that web server/exchage role is not placed on DC it should be on domain member server.
0
 

Author Comment

by:Clint Jones
ID: 39657147
Thanks you to all but thank you to - Sandeshdubey.  Very informative help with new information to me.  I am researching it all over now.  So thank you for your help.
0
 

Author Closing Comment

by:Clint Jones
ID: 39847999
Thank You
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question