AD Creation


Paul125

I am creating a new AD with dcpromo. When it asks the complete domain,
what should I choose? I have registered a domain, domain.com, for use
only on this server. Should I just put domain.com, or should I put
location.domain.com? Or servername.location.domain.com?
Thanks!
 
Paul125 said:
I am creating a new AD with dcpromo. When it asks the complete domain,
what should I choose? I have registered a domain, domain.com, for use
only on this server. Should I just put domain.com, or should I put
location.domain.com? Or servername.location.domain.com?
Thanks!

You certainly shouldn't specify the computer name as part of the domain
name, and from what you've said I would probably put "domain.com".

However, please don't take this the wrong way, but if you have to ask
questions like this then I'm not too sure you are in the best position for
setting up active directory at all. Mistakes here can cost you a lot of time
and effort later on, and a bit of planning can pay dividends. Please
consider reading a few of the whitepapers on the microsoft website before
going any further, taking a look at planning and deployment.

You'll save yourself a lot of problems in the long run.

--
 
Paul125 said:
I am creating a new AD with dcpromo. When it asks the complete domain,
what should I choose? I have registered a domain, domain.com, for use
only on this server. Should I just put domain.com, or should I put
location.domain.com? Or servername.location.domain.com?

Simplest is to use a child domain -- (for various esthetic reasons, I would
not put a LocationName.domain.com as my root domain.)

Common is to use Domain.Com -- you will typically need to shadow your
DNS; external Domain.Com zone with only external records, and internal
domain.com with external PLUS internal records.

This isn't really much trouble but some people recommend against it mostly
because beginners seem to trip over it so frequently.

The other major choices are domain.local or even a hybrid domain.org
or domain.net. These last two are technically Public (you actually register
them and put a placeholder on the Internet) but are effectively private like
domain.local.
 
location.domain.com? Or servername.location.domain.com?
You certainly shouldn't specify the computer name as part of the domain
name, and from what you've said I would probably put "domain.com".

Whooo, I missed that possibility -- do NOT put the ServerName in the domain
name.

AND do NOT use a "ONE-tag name" like domain without an extension.
(You will have a corresponding NetBIOS name, i.e., for domain.com one
usually uses DOMAIN as the NetBIOS or legacy support name.)
 
Herb,

I know that you will be giving me the same advice about "read the document"
but I have NEVER been so frustrated as I have been when I try to read the
doc on AD. The TOTAL lack of examples (at least in what I have read) leave
you guessing as to what to do. And then the example of a domain name like
"blah.microsoft.com". Yah, that makes sense to name my domain
"...microsoft.com". ?????????

Can you suggest a source of GOOD doc/explanation of AD?

TIA,

Larry Woods
 
I know that you will be giving me the same advice about "read the
document"

Why do you say that? I have a strong tendency to offer short, clear
explanations of various topics (sometimes with references) while others are
much better at providing links to documents (I don't have all those
bookmarked nor memorized.)
but I have NEVER been so frustrated as I have been when I try to read the
doc on AD.

Which doc on AD? AD is a big subject, with many -- both good and bad --
explanations for each area.
The TOTAL lack of examples (at least in what I have read) leave
you guessing as to what to do.

What do you wish to accomplish?
And then the example of a domain name like
"blah.microsoft.com". Yah, that makes sense to name my domain
"...microsoft.com". ?????????

I don't think that *I* use examples ending in Microsoft.com that often;
usually I use "Domain.Com" or (my) LearnQuick.Com or YourDomain.Com
Can you suggest a source of GOOD doc/explanation of AD?

Active Directory is -- first and foremost -- an ACCOUNTS Database.
Database means a place where you can store & look up (account) information.
It replaces the earlier NT SAM (security account manager) database.
It has User, Computer, & Group accounts as well as the new "Organizational
Units", which allow an administrator to more easily delegate and set options
for the users and computers.
And more -- it includes other objects for managing the domain itself and
the network.
It is also extensible (the schema or rules about what can and cannot be
stored in AD can be extended).

What type of other objects? Group Policy is the best example of a new type
of object that makes management easier for the Domain or for the individual
OUs. Group Policy allows the administrator to (from a central console):
Deploy software and updates to computers or users
Set Security settings and run Startup/Shutdown & Logon/Logoff
Set other System and Application options using Administrative Templates to
modify almost anything that can be controlled through the registry.

What other major differences does AD provide?
Multi-Mastered database & replication
In NT only the PDC can accept or make changes to the database.
In AD any DC (not BDC) can accept changes and replicate these to its
partners.
Site based replication control
In NT, all changes were replicated from the SINGLE master PDC to each BDC.
In AD, changes are replicated almost immediately to other DCs in that site
and... ...administrators control the frequency and schedule of the
(compressed) replication between automatically selected DCs (bridgehead
servers) in each site with another in the (usually adjacent) sites.
Changes can be made on any DC and they are efficiently replicated.

What do you want to do today?
 
Common is to use Domain.Com -- you will typically need to shadow your
DNS; external Domain.Com zone with only external records, and internal
domain.com with external PLUS internal records.

What do you mean with shadowing? Eg I register domain.com with a DNS
pointer to my server... And then?
 
microsoft.public.windows.server.active_directory you said:
What do you mean with shadowing? Eg I register domain.com with a DNS
pointer to my server... And then?

You make sure to have TWO SETS of DNS servers:

1) On the Internet with limited records -- just the publicly accessible
resources
2) Internally, isolated from the Internet -- with public and private
resources listed

This is termed "shadow DNS" (aka "split DNS") -- you must add all external
records twice, one each of the two DNS server (sets.)

Generally it is best to let your Registrar (or 2nd best ISP) handle the
public DNS (unless you have a 24/7 DNS support staff and high bandwidth
access to the backbone.)
 
Thanks for getting back to me, Herb. There is another message from me to
the NS about my problem. I want to use AD for user security in a
"straightforward" LAN application where I have 1 server running SQL Server
and 4 workstations that will be accessing the server (VB.NET). I want to
have a center repository of user information so that I don't have to update
the user access permissions on each desktop all of the time. This looked
like a perfect application of AD. Sooo, I created my Win 2000 server as a
DNS...actually not knowing much about what I was doing. Then I gened AD and
attempted to follow their instructions. During the gen they gave an example
of a URL format, using ".......microsoft.com" as the example. I realized
that I didn't want to do THAT, but I DID use xxx.com as part of the path.
Also somewhere in the gen I was asked for a name for AD so here is the final
name of my AD:

dsnserver.mydomain.xxx.com
I can open AD using MMC and everything "seems" to be there, but I can't get
to it. Probably my first problem is that I am having a heck of a time
trying to figure out what exactly I should be entering as a request. Here
is what I have tried (many variations of it, I might add):

ldap://DC=Administrator/DC=Users/CN=dnsserver/CN=mydomain/CN=xxx/CN=com

First, I have a feeling that the "com" idea was wrong to start with.
Another responder has suggested "local" instead, which makes sense. But, of
course, now my question is: Can I change the URL, or should I just rebuild
the server (This is a "can do" since I have not loaded anything else onto it
at the present time).

Any advice will be MUCH appreciated.

Larry
 
You make sure to have TWO SETS of DNS servers:

1) On the Internet with limited records -- just the publicly accessible
resources
2) Internally, isolated from the Internet -- with public and private
resources listed

This is termed "shadow DNS" (aka "split DNS") -- you must add all external
records twice, one each of the two DNS server (sets.)

Generally it is best to let your Registrar (or 2nd best ISP) handle the
public DNS (unless you have a 24/7 DNS support staff and high bandwidth
access to the backbone.)

This would be for a server colocated at an ISP. AD is needed for
Exchange 2003. There's just that one server, nothing else. So I guess
no point in shadowing?
 
dsnserver.mydomain.xxx.com
I can open AD using MMC and everything "seems" to be there, but I can't get
to it. Probably my first problem is that I am having a heck of a time
trying to figure out what exactly I should be entering as a request. Here
is what I have tried (many variations of it, I might add):

You must never have the server name as part of the Domain name -- things
will get very confusing (and apparently you have already encountered
problems.)

More appropriate was MyDomain.Com with the server being
ServerName.MyDomain.com

First, I have a feeling that the "com" idea was wrong to start with.
Another responder has suggested "local" instead, which makes sense.

No wrong or right, another choice... But YOU must OWN xxx.com (or
MyDomain.Com or WhatEver.Com).

If you don't own ANY Internet domain names then use the .local idea.

But, of course, now my question is: Can I change the URL, or should I just
rebuild the server (This is a "can do" since I have not loaded anything else
onto it at the present time).

Rebuild -- you are just starting (and experimenting) so do it now.
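A small checker, added here as an example and not code posted by anyone in this thread, that encodes the naming rules given above (no server name inside the domain name, no single-label "one-tag" name, own any public suffix you use or fall back to .local) and derives the default NetBIOS name and the domain partition's distinguished name, which is what a well-formed LDAP URL needs. Function and parameter names are my own; the DN and NetBIOS derivations are standard AD behaviour, not something the thread states.

```python
import re

# Added example (not code from any poster): encodes the naming advice from the thread.
# Function and parameter names are my own.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def check_ad_domain(domain, hostname, owned_public_names=()):
    """Check a proposed AD DNS domain name.
    Returns (ok, findings); findings are (level, message) with level
    "error" (do not build the domain like this) or "note" (plan for it).
    """
    findings = []
    labels = domain.lower().strip(".").split(".")
    tld = labels[-1]
    if any(not LABEL_RE.match(l) for l in labels):
        findings.append(("error", "malformed DNS label in %r" % domain))
    if len(labels) < 2:
        findings.append(("error", "single-label ('one-tag') name; use name.tld or name.local"))
    if hostname.lower() in labels:
        findings.append(("error", "server name %r is part of the domain name; "
                         "name the host %s.<domain> instead" % (hostname, hostname.lower())))
    owned = {n.lower().strip(".") for n in owned_public_names}
    if tld == "local":
        findings.append(("note", ".local is private; it never appears in public DNS"))
    elif ".".join(labels) not in owned:
        findings.append(("error", "public suffix .%s used but %r is not a name you own; "
                         "register it or use .local" % (tld, domain)))
    else:
        findings.append(("note", "public name: run split (shadow) DNS and keep the "
                         "internal zone off the Internet"))
    ok = not any(level == "error" for level, _ in findings)
    return ok, findings

def netbios_name(domain):
    """Default NetBIOS (legacy) name: leftmost label, upper-cased, at most 15 chars."""
    return domain.strip(".").split(".")[0].upper()[:15]

def default_naming_context(domain):
    """DN of the domain partition, e.g. mydomain.local -> DC=mydomain,DC=local."""
    return ",".join("DC=" + l for l in domain.lower().strip(".").split("."))

def ldap_url(dc_fqdn, domain, container_rdn="CN=Users"):
    """Well-formed LDAP URL for a container under the domain partition."""
    return "ldap://%s/%s,%s" % (dc_fqdn, container_rdn, default_naming_context(domain))

if __name__ == "__main__":
    for d in ("dnsserver.mydomain.xxx.com", "domain", "mydomain.local"):
        print(d, check_ad_domain(d, "dnsserver"))
    print(ldap_url("dc1.mydomain.local", "mydomain.local"))
```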
 
This would be for a server colocated at an ISP. AD is needed for
Exchange 2003. There's just that one server, nothing else. So I guess
no point in shadowing?

If you want to have those on the Internet send you email, you need a
public DNS. If you are using DNS for AD I would NEVER expose
that (set of records) on the Internet.

Shadow.

It costs little or nothing -- most people already pay a Registrar or ISP for
the DNS service, and if you don't move to Register.Com (or suitable
substitute.)
 
If you want to have those on the Internet send you email, you need a
public DNS. If you are using DNS for AD I would NEVER expose
that (set of records) on the Internet.

In the DNS manager, how do I see the difference between the public
records and the private AD records?
 
If you want to have those on the Internet send you email, you need a
In the DNS manager, how do I see the difference between the public
records and the private AD records?

You cannot (really) do this -- public and private are labels that we
administrators apply to various machines.

Of course, you can sort based on the data column (IP addresses will be in
order) and see all of the machines on particular nets together.

Presumably the private machines are from that range of networks (probably,
but not necessarily the locally administered ranges, 192.168.x.y/16,
10.x.y.z/8, or 172.16.0.0/12)

You really need to MANUALLY split these based on YOUR JUDGEMENT,
which should be pretty obvious to you (the human admin.)
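The shadow (split) DNS setup described earlier and the manual public/private split just discussed, as one added example that is not code from anyone in this thread: a constructed internal zone for domain.com is split into the external zone (public records only) and the internal zone (public PLUS private records), using the locally administered ranges named above and treating the AD locator records as internal-only. Record names, addresses and function names are my own assumptions.

```python
import ipaddress

# Constructed internal zone for domain.com (added example, not from the thread):
# (owner name, type, data). 203.0.113.0/24 is documentation space for the public host.
INTERNAL_ZONE = [
    ("@", "A", "203.0.113.10"),
    ("www", "A", "203.0.113.10"),
    ("mail", "A", "203.0.113.10"),
    ("@", "MX", "10 mail"),
    ("dc1", "A", "192.168.1.5"),             # domain controller on the LAN
    ("sql1", "A", "192.168.1.20"),
    ("intranet", "CNAME", "sql1"),
    ("_ldap._tcp", "SRV", "0 100 389 dc1"),  # AD locator records
    ("_kerberos._tcp", "SRV", "0 100 88 dc1"),
    ("gc._msdcs", "A", "192.168.1.5"),
]

# Locally administered ranges named in the thread (narrower than ipaddress' is_private).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private_ip(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def record_is_internal(name, rtype, data):
    """AD locator records and private addresses never leave the internal zone."""
    if rtype == "SRV" or name.startswith("_") or "_msdcs" in name.split("."):
        return True
    return rtype in ("A", "AAAA") and is_private_ip(data)

def split_zone(records):
    """Return (public_zone, internal_zone) for a shadow / split DNS setup.
    The internal zone keeps every record (external PLUS internal); the public one
    keeps only publishable records and drops CNAME/MX whose target would not
    resolve publicly (targets outside the zone, with a trailing dot, are assumed public)."""
    public = [r for r in records if not record_is_internal(*r)]
    public_names = {name for name, rtype, _ in public if rtype in ("A", "AAAA")}

    def target_ok(rtype, data):
        if rtype not in ("CNAME", "MX"):
            return True
        target = data.split()[-1]
        return target.endswith(".") or target in public_names
    public = [r for r in public if target_ok(r[1], r[2])]
    return public, list(records)

if __name__ == "__main__":
    for name, rtype, data in split_zone(INTERNAL_ZONE)[0]:
        print("%s IN %s %s" % (name, rtype, data))
```

Running it prints the four records that belong on the registrar's public servers; everything else stays only on the internal DNS that the domain controllers use.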
 
Thanks for the advice, Herb.

Let's see, now. Where did I leave that CD.......?

(Get back to you when I have created "MyDomain.local")

Larry
 