Setting up Windows Server / Active Directory / DNS for small business

Thread starter: Peter

Peter

Hi all,

I am a part-time system administrator for a small business that currently
has a Windows NT domain with approximately 10 workstations. I recently
purchased a new server computer that has windows 2003 server pre-installed.
I haven't even taken it out of the box yet because I am currently "studying"
Windows Server 2003, Active directory, and DNS, as this is the first time
I've had a chance to work with them. I'm thinking it would be much better
to design and implement the "new" network correctly using best practices
rather than just guessing what the appropriate solution would be. I've done
some searching but haven't found anything particularly useful describing
best practices for a small business in our situation, which I can't believe
is that unique.

I will describe the current setup and am looking for some input on what the
new setup should look like. Since it is a small business with very few
users, I'm not planning on "migrating" the NT 4.0 domain server to windows
2003, I'm planning on basically configuring the win2003 server as a new
domain and then having all the workstations join the new domain. Any files
(such as users' saved documents on the old NT server) will either be burned
to CDs or temporarily moved to one of the workstations, and then eventually
moved to the new server once it is online. I'll just create the 10 or so
user accounts on the new server.

Current setup:
- 1 Windows NT 4.0 Server (PDC) used primarily as a File/Print server
- The current NT domain name is SUNRAY
- 10 workstations running Windows XP Professional
- Internet connection via DSL using a static IP address
- The DSL router has a built in firewall and also acts as a DHCP server and
DNS server
- All workstations in the network are configured to request an IP address
via DHCP, an internal IP address range is used
- The NT Server has a hard coded internal IP address
- Outsourced email and web hosting, the public domain for the web site and
email is SUNRAYVT.COM

Possible new setup:
- 1 Windows 2003 Server used primarily as a File/Print server
- It will also be the new DHCP server, and DNS server
- Since it is a small network, we'll use 1 active directory
domain/site/tree/forest.
- 10 workstations running Windows XP Professional
- Internet connection via DSL using a static IP address
- Continue to use outsourced email and web hosting
- 1 employee will need to work remotely, so terminal services and/or VPN
will need to be supported

It's possible that sometime in the future we may decide to host our own
website and email, ideally it shouldn't require a network redesign to
accommodate that.

My biggest questions are about the domain structure and what the domain
should be called.

Should the new domain name be called SUNRAYVT.COM or SUNRAY.SUNRAYVT.COM?
Or should we register a completely new public domain name? Even though we
own the sunrayvt.com public domain, it is being used by the ISP that we
chose to host the website and email, so I'm not sure if it can also be used
by us for our windows domain.

If we did use sunrayvt.com, I'm assuming the workstations would be named
something like workstation1.sunrayvt.com, workstation2.sunrayvt.com, etc.
From a workstation on our network, how would we be able to get to
www.sunrayvt.com, since it's not actually a computer in our network? Is
there some sort of DNS setup that I would need to do to tell traffic for
www.sunrayvt.com to go to a certain external IP address?

Any input you can provide regarding my questions or other setup tips for
small businesses would be appreciated. Please also let me know if you know
of any resources for setting up windows 2003 in a small business
environment.

Thanks!

-Peter
 
Peter said:
[snip]

Since you are going to have at least one VPN user, I highly recommend using
the third level name sunray.sunrayvt.com; this will become apparent once it
is set up. You should also create a delegation named 'sunray' in the public
'sunrayvt.com' zone, this delegation should point to the internal IP of the
sunray.sunrayvt.com DNS server. This way when the VPN is connected DNS
resolution for the VPN client will be seamless. Without this delegation the
VPN client will have problems resolving internal names because the VPN
client will have a view of both internal and external namespaces.

Integrating Your Active Directory Namespace Into an Existing DNS
Infrastructure Without Name Overlap:
http://www.microsoft.com/windows200...scenarios/dns_int_adns_to_dns_inf_wo_olap.asp
Verification of SJC-SP-DNS-01.supplier01-int.com:
http://www.microsoft.com/windows200...enarios/scenarios/dns_vfy_sjcspdns01_01ic.asp
 
I will describe the current setup and am looking for some input on what the
new setup should look like. Since it is a small business with very few
users, I'm not planning on "migrating" the NT 4.0 domain server to windows
2003, I'm planning on basically configuring the win2003 server as a new
domain and then having all the workstations join the new domain.
That IS a migration. The other option is to *upgrade* the current
domain to 2003.
Any files
(such as users' saved documents on the old NT server) will either be burned
to CDs or temporarily moved to one of the workstations, and then eventually
moved to the new server once it is online. I'll just create the 10 or so
user accounts on the new server.
Sounds good.

Current setup:
[snip]
- The DSL router has a built in firewall and also acts as a DHCP server and
DNS server
It would be best to stop it doing this. Use the Win2003 services
instead.
Possible new setup:
- 1 Windows 2003 Server used primarily as a File/Print server
- It will also be the new DHCP server, and DNS server
Ah, good.

It's possible that sometime in the future we may decide to host our own
website and email, ideally it shouldn't require a network redesign to
accommodate that.
The router may be able to support a DMZ setup, where the Web server is
effectively on a separate network to the LAN. I'd investigate that. If
not, I'd look for a device that *will* allow it. You *could* punch a
hole in the firewall and have the web server on the LAN, but that
opens up a bag of worms. If you can't keep the web server separate
from the LAN, you could get it hosted elsewhere and still maintain it
and have complete control. Check your local (and remote!) service
providers.

For the email, you will either have to punch a hole in the firewall or
host the mail server on a DMZ. Are you sure that you want the hassle?
You will have to configure the mail server to filter viruses and SPAM
and generally keep it up to date with SPAM and virus defs. It is
potentially a lot of work.
My biggest questions are about the domain structure and what the domain
should be called.

Should the new domain name be called SUNRAYVT.COM or SUNRAY.SUNRAYVT.COM?
Or should we register a completely new public domain name? Even though we
own the sunrayvt.com public domain, it is being used by the ISP that we
chose to host the website and email, so I'm not sure if it can also be used
by us for our windows domain.

If we did use sunrayvt.com, I'm assuming the workstations would be named
something like workstation1.sunrayvt.com, workstation2.sunrayvt.com, etc.
From a workstation on our network, how would we be able to get to
www.sunrayvt.com, since it's not actually a computer in our network? Is
there some sort of DNS setup that I would need to do to tell traffic for
www.sunrayvt.com to go to a certain external IP address?
There are many schools of thought on this one, and many of the debates
flare into almost religious wars. Simple answer is to choose what
seems to you the best way to go. I've run systems where the LAN Domain
name was the same as a registered Domain Name, where the LAN Domain
Name was a sub-Domain of a registered Domain Name and where the LAN
Domain Name was a bogus Domain Name eg "cliffs.lan".

I've not found too many operational issues with any of them. You will
have an internal DNS and you will have an external Internet DNS to
interact with. If the LAN Domain Name is the same as your Internet
Domain Name, then you in essence need to set things up as follows:

1) All clients including the DNS servers have to be configured via
DHCP or manually to reference the DNS internal servers *only*

2) The internal DNS servers NICs need to be configured to reference
themselves as DNS.

3) The gateway for *all* machines is the ADSL router.

4) The DNS service on the DNS servers needs to be configured to
forward all requests it doesn't know about to an external DNS, eg your
ISPs. These are the only machines that talk to an external DNS.

So far this applies to all AD setups. If your LAN Domain Name is the
same as your Internet Domain Name then you have to do the following:

5) Manually add any external machines that use your common Domain Name
to DNS. eg if www.company.com exists outside the LAN and you need to
access it from inside the LAN, add www.company.com manually to the DNS
with its correct IP address. Since the IP address is external, packets
to the server will go out the gateway/ADSL router to the right place.
Any input you can provide regarding my questions or other setup tips for
small businesses would be appreciated. Please also let me know if you know
of any resources for setting up windows 2003 in a small business
environment.
www.microsoft.com !! <grin> Seriously that is a good place to start.
There are also courses and books and other websites.

Cheers,

Cliff

{MVP Directory Services}
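Cliff's steps 1 to 5 written out as one script, an added example that is not from the thread: it is typed at a command prompt on the Windows 2003 DC after dcpromo has created the AD-integrated sunrayvt.com zone and the DHCP role is installed and authorized. The addresses (DC 192.168.1.10, router 192.168.1.1, ISP resolver 198.51.100.1, public web host 203.0.113.10) and the connection name are constructed assumptions.

```batch
@echo off
REM Added example for Cliff's steps 1-5 (same-name design: LAN domain = public
REM domain). All addresses below are constructed assumptions:
REM   DC/DNS/DHCP 192.168.1.10   router 192.168.1.1
REM   ISP resolver 198.51.100.1  public www host 203.0.113.10
set DC=192.168.1.10

REM Step 2: the DC's own NIC points at itself for DNS, nothing else.
netsh interface ip set dns name="Local Area Connection" source=static addr=%DC%

REM Steps 1 and 3: DHCP hands every client the DC as its *only* DNS server
REM (option 006) and the DSL router as gateway (option 003). The router's
REM own DHCP/DNS service is switched off, as Cliff advises.
netsh dhcp server %DC% scope 192.168.1.0 set optionvalue 006 IPADDRESS %DC%
netsh dhcp server %DC% scope 192.168.1.0 set optionvalue 003 IPADDRESS 192.168.1.1

REM Step 4: forward anything the DC is not authoritative for to the ISP.
REM /Slave disables the fall-back to root hints, so the DC is the only
REM machine on the LAN that ever talks to outside DNS.
dnscmd %DC% /ResetForwarders 198.51.100.1 /Slave

REM Step 5: the DC is authoritative for sunrayvt.com, so LAN clients would
REM get "name does not exist" for www unless the public host is added by
REM hand. Repeat for every public host (mail, ftp, ...): this is the ongoing
REM split-horizon upkeep Jeff warns about. Note that the bare name
REM sunrayvt.com resolves to the DC itself (it registers an A record at
REM the zone root), not to the hosted web site.
dnscmd %DC% /RecordAdd sunrayvt.com www A 203.0.113.10

REM Checks: www must answer from the DC with the public address, and the
REM AD locator SRV record must be present in the internal zone.
nslookup www.sunrayvt.com %DC%
nslookup -type=SRV _ldap._tcp.dc._msdcs.sunrayvt.com %DC%
```

If the first nslookup returns the DC's own address or a "non-existent domain" error, the manual record (step 5) is missing or the client is still using the router's DNS.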
 
[snip]

Should the new domain name be called SUNRAYVT.COM or SUNRAY.SUNRAYVT.COM?
Neither.

Or should we register a completely new public domain name? Even though we
own the sunrayvt.com public domain, it is being used by the ISP that we
chose to host the website and email, so I'm not sure if it can also be used
by us for our windows domain.

Pick a new domain name for internal use only. SUNRAYVT.LAN or
SUNRAYVT.LOCAL for example. Saves a lot of headaches with a split
horizon DNS later.
If we did use sunrayvt.com, I'm assuming the workstations would be named
something like workstation1.sunrayvt.com, workstation2.sunrayvt.com, etc.

Name systems whatever you wish. If Workstation1, Workstation2, etc.
work for you then fine. It can be tough to figure out when your
network grows, rather than Sales1, Receptionist1, etc.
From a workstation on our network, how would we be able to get to
www.sunrayvt.com, since it's not actually a computer in our network?

That's one reason you won't use your public domain name for your
internal domain name.
Is
there some sort of DNS setup that I would need to do to tell traffic for
www.sunrayvt.com to go to a certain external IP address?

Yes, but again, don't do this.
Any input you can provide regarding my questions or other setup tips for
small businesses would be appreciated. Please also let me know if you know
of any resources for setting up windows 2003 in a small business
environment.

The big resources are all at Microsoft.com. You may want to use SBS
2003 to handle this setup.

Jeff
 