Windows Server 2008 R2 Thread, Brand new Active Directory - From scratch in Technical
  1. #1

    Brand new Active Directory - From scratch

    We are going to be installing a brand new Active Directory environment. This will be based on Windows Server 2012 R2 domain controllers (all virtualized under ESXi/vSphere), and hopefully all clients will be Windows 7+. We will still have all of the data from staff/student home drives, along with things in shared areas, but these will need to be copied and sorted out on a new file server.

    What I'm interested in is how others currently have their AD set up - and, if they were able to recreate it from scratch, what they might do differently. This includes everything from how domain controllers are configured, through to OU structure, groups, NTFS permissions, Group Policy, etc.

  2. #2 SYNACK

    Domain.internal not .local and not someotherschool.school.nz <- having to deal with the last one again thanks to a support company.

    School OU
    -users
    --students
    --staff
    -computers

    Etc.

    Actual install is easy, just add the role and follow the wizard.
    Last edited by SYNACK; 5th February 2014 at 12:07 PM.

  3. #3 nephilim

    @SYNACK hit the nail on the head there. It is as simple as going through the wizard. Just never add an external domain ending (.com or .co.uk etc)

  4. #4 localzuk

    The recommended domain naming convention is to use a subdomain of a real 'routable' domain. Eg. If you have "myschool.county.sch.uk" you would go for something like "int.myschool.county.sch.uk".

    The reason being is that DNS management should be easier, as you can have a single DNS server at the top level 'myschool.county.sch.uk' which controls all DNS for your site, internal and external.

    Using the *same* domain internal and external is not advised, as you can end up with 1 name being needed for 2 different things, meaning you suddenly have a DNS issue.
    Last edited by localzuk; 5th February 2014 at 12:20 PM.

  5. #5 seawolf

    Quote Originally Posted by nephilim:
    @SYNACK hit the nail on the head there. It is as simple as going through the wizard. Just never add an external domain ending (.com or .co.uk etc)
    I agree with never using a .local domain, that was a cruel joke MS consultants played on the world. Also, the basic structure SYNACK stated is a good start.

    However, I disagree with the advice about not using a valid domain name - what is the reason for that? It's actually considered best practice, and I have never encountered a single problem with it. You do need to either register a domain name that will never be used publicly for the internal domain or use a subdomain of a public domain and use split DNS (views) to properly segregate public from private. I could only see a problem if something were misconfigured quite badly.

  6. #6 nephilim

    The problem I have encountered is when I inherited a badly configured one and had to redo it from scratch. Was not happy to say the least

  7. #7 SYNACK

    Quote Originally Posted by localzuk:
    The recommended domain naming convention is to use a subdomain of a real 'routable' domain. Eg. If you have "myschool.county.sch.uk" you would go for something like "int.myschool.county.sch.uk".
    Which is perfectly fine as long as no one decides to put a * record on the domain and suddenly all your clients spend a quality 25 seconds crying when outside the network and trying to connect to the domain or use NLA, which gets very concerned. It also relies on your school keeping the domain forever, which is also not a given.

    Edit, of course given the new domain rules some tool will register .internal shortly anyway and break that too.
    Last edited by SYNACK; 5th February 2014 at 12:23 PM.

  8. #8 localzuk

    Anyone who puts a *. record on a DNS server for a production domain needs shooting. That isn't a network design problem, that's an ID10T problem.

    I'm just going by the advice Microsoft give for domain naming.

  9. #9 SYNACK

    Quote Originally Posted by localzuk:
    Anyone who puts a *. record on a DNS server for a production domain needs shooting. That isn't a network design problem, that's a ID10T problem.

    I'm just going by the advice Microsoft give for domain naming.
    Agreed, just pointing out the possible holes that I have had to fix up.
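    Added example, not code from the thread or any poster: a PowerShell pre-flight check for a candidate forest name that covers localzuk's subdomain advice (#4) and SYNACK's wildcard worry (#7). It assumes Windows 8/2012 or later (Resolve-DnsName) and the candidate name int.myschool.county.sch.uk is a hypothetical one; run it with -Server pointing at an external resolver to see what off-site clients would see.

```powershell
# Added example (not from the thread). Checks a proposed AD DNS name before
# the forest wizard is run. The forest name below is hypothetical.
function Test-ForestNameCandidate {
    param(
        [Parameter(Mandatory)] [string]$ForestName,  # e.g. int.myschool.county.sch.uk
        [string]$Server                              # optional external resolver (public view)
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $labels   = $ForestName.ToLower().TrimEnd('.').Split('.')

    # Pseudo-TLDs: .local collides with mDNS/Bonjour, and any unregistered suffix
    # can be delegated by ICANN later (the .internal worry in post #7).
    if ($labels.Count -lt 2)     { $findings.Add('single-label name: AD and DNS will not cope well') }
    if ($labels[-1] -eq 'local') { $findings.Add('.local collides with mDNS/Bonjour on OS X and Linux') }

    $resolve = @{ Name = $ForestName; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $resolve.Server = $Server }

    # The AD name itself should not already answer publicly, otherwise one name
    # serves two purposes (post #4) and split DNS stops being optional.
    try {
        $pub = Resolve-DnsName @resolve
        $findings.Add("$ForestName already resolves publicly to $($pub.IPAddress -join ', ')")
    } catch { }   # NXDOMAIN is the desired outcome here

    # Wildcard probe (post #7): a random label under the public parent must not
    # resolve. If it does, a '*' record exists and off-site clients will be sent there.
    $parent = ($labels | Select-Object -Skip 1) -join '.'
    $probe  = 'ad-probe-' + [guid]::NewGuid().ToString('N').Substring(0, 12) + '.' + $parent
    $resolve.Name = $probe
    try {
        $wild = Resolve-DnsName @resolve
        $findings.Add("wildcard on $parent : $probe resolved to $($wild.IPAddress -join ', ')")
    } catch { }

    [pscustomobject]@{
        ForestName = $ForestName
        Parent     = $parent
        Ok         = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

Test-ForestNameCandidate -ForestName 'int.myschool.county.sch.uk'
```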

  10. #10

    Using a sub-domain of a publicly registered domain name does seem to be the recommended option these days. Local domains based on "fake" TLDs aren't guaranteed to be unique (though in theory they shouldn't need to be). Another more serious problem is that major CAs these days will only sign certificates based on real domains that you own. Again, maybe not the end of the world since you can push your own root certificate out to domain managed clients.

    Any thoughts on the number of domain controllers and FSMO role setup? I'm currently planning on having three DCs - the first will take on the forest roles (Schema Master, Domain Naming Master), the second will have the domain roles (PDC Emulator, RID Master), and the third will house the unused Infrastructure Master role but be available to transfer/seize other roles if there is a problem with one of the other DCs. All three would run DNS + Global Catalog.

    Currently playing around with DHCP too. We do currently have two DHCP servers, but I have no idea if they are properly load balanced or anything. 2012 & R2 support proper load-balanced DHCP servers and will even let you sync reservations and exclusion ranges with one click too, so probably going to go with DHCP running on the first two DCs if there's no downside to that.
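    Added example, not code from the thread or any poster: a post-build report that checks the FSMO split, global catalog and DNS status described in the post above, and whether every DHCP scope sits in a 2012 R2 failover relationship. It assumes a single-domain forest, the RSAT ActiveDirectory and DhcpServer modules, and that the machine it runs on hosts DHCP (the default for the -DhcpServer parameter is an assumption).

```powershell
# Added example (not from the thread). Run on a 2012 R2 DC after the build.
function Get-AdBuildReport {
    param([string]$DhcpServer = $env:COMPUTERNAME)   # hypothetical: a DC that also hosts DHCP
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # The split from the post above: forest roles, domain roles, infrastructure on its own
    $fsmo = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $dcs = foreach ($dc in Get-ADDomainController -Filter *) {
        $dns = Get-Service -ComputerName $dc.HostName -Name DNS -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name  = $dc.HostName
            IsGC  = $dc.IsGlobalCatalog
            DnsUp = [bool]($dns -and $dns.Status -eq 'Running')
            Roles = @($fsmo.Keys | Where-Object { $fsmo[$_] -ieq $dc.HostName })
        }
    }
    $warnings = New-Object System.Collections.Generic.List[string]
    foreach ($d in $dcs) {
        if (-not $d.IsGC)  { $warnings.Add("$($d.Name) is not a global catalog") }
        if (-not $d.DnsUp) { $warnings.Add("$($d.Name) is not running the DNS Server service") }
    }
    # An infrastructure master that is a GC is only harmless when every DC is a GC
    $im = $dcs | Where-Object { $_.Roles -contains 'InfrastructureMaster' }
    if ($im.IsGC -and @($dcs | Where-Object { -not $_.IsGC }).Count -gt 0) {
        $warnings.Add('infrastructure master is a GC but not all DCs are: cross-domain references will not update')
    }
    # DHCP failover (2012+): every scope should be in a relationship with a partner server
    $failover = @(Get-DhcpServerv4Failover -ComputerName $DhcpServer -ErrorAction SilentlyContinue)
    $covered  = @($failover | ForEach-Object { $_.ScopeId } | ForEach-Object { "$_" })
    foreach ($s in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
        if ($covered -notcontains "$($s.ScopeId)") {
            $warnings.Add("DHCP scope $($s.ScopeId) on $DhcpServer has no failover partner")
        }
    }
    [pscustomobject]@{
        Fsmo              = $fsmo
        DomainControllers = $dcs
        DhcpFailover      = $failover | Select-Object Name, PartnerServer, Mode, LoadBalancePercent
        Warnings          = $warnings.ToArray()
    }
}

Get-AdBuildReport | Format-List
```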

  11. #11 localzuk

    Only need 2 really, for redundancy. In schools there simply isn't the need for such separation of individual roles. With 650 devices at my last school, a dual Xeon server, 4 years old 2 years ago, had a CPU usage of about 3% at peak.

  12. #12

    Quote Originally Posted by localzuk:
    The recommended domain naming convention is to use a subdomain of a real 'routable' domain. Eg. If you have "myschool.county.sch.uk" you would go for something like "int.myschool.county.sch.uk".

    The reason being is that DNS management should be easier, as you can have a single DNS server at the top level 'myschool.county.sch.uk' which controls all DNS for your site, internal and external.

    Using the *same* domain internal and external is not advised, as you can end up with 1 name being needed for 2 different things, meaning you suddenly have a DNS issue.
    I agree with this and I have yet to see anything else that says this isn't best practice. This setup is also more friendly when throwing OS X into the mix.

  13. #13

    Quote Originally Posted by karlr:
    Any thoughts on the number of domain controllers and FSMO role setup? I'm currently planning on having three DCs - the first will take on the forest roles (Schema Master, Domain Naming Master), the second will have the domain roles (PDC Emulator, RID Master), and the third will house the unused Infrastructure Master role but be available to transfer/seize other roles if there is a problem with one of the other DCs. All three would run DNS + Global Catalog.
    I remember reading somewhere that you need a minimum of 3 DCs to provide redundancy for the FSMO roles.

  14. #14

    Quote Originally Posted by localzuk:
    The recommended domain naming convention is to use a subdomain of a real 'routable' domain. Eg. If you have "myschool.county.sch.uk" you would go for something like "int.myschool.county.sch.uk".
    Got a reference for that? I remember reading it years back, but changed after my first network to .internal for what I remember to be good reasons....

  15. #15 localzuk
