Last Updated: 31 Oct 2005
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*** PLEASE NOTE: Link(s), If Provided, May Be Wrapped ***
The domain structure available under Windows 2000 is
much better -- and more complex -- than what was
available under NT4. Here are some guidelines for
installing and configuring Active Directory in a small
Office or Home network. These same guidelines also
apply to a Windows 2003 domain (except that 2003 has
better tools) and a bit more functionality.
===================
TABLE OF CONTENTS
===================
1. SAMPLE NETWORK DIAGRAMS
2. BENEFITS OF A DOMAIN
3. CHOOSING A DOMAIN NAME
4. IP ADDRESSING CONSIDERATIONS
5. NAME RESOLUTION VIA DNS
6. SETTING UP DHCP
7. SERVER OR ROUTER?
8. ACTIVE DIRECTORY IN WINDOWS SERVER 2003
9. TROUBLESHOOTING
=========================
SAMPLE NETWORK DIAGRAMS
=========================
Here are some sample network diagrams for connecting an
Active Directory LAN to the Internet. The importance of
pointing to the correct DNS server will be addressed later
in this document:
• http://KB.UltraTech-llc.com/Diagrams/?File=NetBasics-AD.PDF
• http://KB.UltraTech-llc.com/Diagrams/?File=NetBasics-AD.JPG
• http://KB.UltraTech-llc.com/Diagrams/?File=SafeNetwork.PDF
• http://KB.UltraTech-llc.com/Diagrams/?File=AD-DNS-Split.JPG
• http://KB.UltraTech-llc.com/Diagrams/?File=AD-DNS-NAT.JPG
• http://KB.UltraTech-llc.com/Diagrams/?File=Office-VPN.JPG
• http://KB.UltraTech-llc.com/Diagrams/?File=VPN-Star.JPG
======================
BENEFITS OF A DOMAIN
======================
Active Directory provides a rich management environment
for computers and users, that far surpasses what NT4 has
to offer, or what can be obtained with a workgroup. For
many home environments, AD might be considered overkill,
but it can provide a excellent learning environment for
dealing with Enterprise Domain issues.
From my perspective, it is useful to deploy a domain if
centralized control of your systems is important to you,
or you want better management of network resources.
As a benefit of centralized administration, the ability
to secure the environment also increases as you can
control where all user account information is, and the
entry/access points to all systems. In a workgroup,
access to each system must be controlled on each system
making it possible for one weak system to undermine
good security practices on other systems.
A domain is ultimately much easier to manage than a
workgroup, especially once you get above 5 or 6 client
systems. In most cases, you'll want to make a second
domain controller as a backup for all your domain
settings.
========================
CHOOSING A DOMAIN NAME
========================
When creating your first Active Directory controller,
you will be asked to generate a name. Actually, you
will be asked to provide two names:
• DNS NAME ............... something.tld
• NetBIOS NAME ........... shortname
DNS NAME
The DNS name can be any name that would be valid on
the Internet, and even names that would not be valid
outside of your environment. For example, the DNS name
MICROSOFT.MYLAN is one that would not be useful/valid
on the Internet itself, but would be fine for your own
network.
Although you can choose to use an existing FQDN (fully
qualified domain name) as your Active Directory domain
name, I would recommend that you either create a sub-
domain of your existing Internet DNS name, or create
your own TLD (top-level domain) to use internally.
This will give you more flexibility and prevent you
from having to put your AD zone out on the Internet.
Subdomain Examples:
CORP.MICROSOFT.COM
INTERNAL.INTEL.COM
AD.MYCOMPANY.COM
Unique TLD Examples:
MICROSOFT.LOCAL
INTEL.INTERNAL
MYCOMPANY.ADZONE
Be sure to choose your name wisely, as it is very hard
to change without undoing Active Directory (pre-Win2003).
Additionally, I advocate never mixing the Internal and
External domain namespaces, regardless of whether or not
you decide to create an empty root domain.
There are too many business and marketing decisions that
can affect your external domain name (merger, spin-off,
lawsuit, etc), resulting in major reengineering efforts
if that same name is used internally.
If you find the .LOCAL name unappealing, then consider
registering one or two additional domains that will ONLY
be used internally.
SPLIT-HORIZON DNS
In the event that you choose to use the same domain name
on your internal network as your external, you would be
well advised to configure a separate set of servers to
handle internal vs external resolution. This will
prevent your AD zones from being exposed to the outside
world.
You are still advised to avoid this scenario if at all
possible, but for many small companies, a single domain
will be used internally and externally, necessitating
this solution. Just bear in mind that it will require
separate DNS servers to handle the external zone of the
same name as your internal AD-integrated zone, and that
updates between zones will not be automatic.
This falls in the realm of "Needless Complexity" for
most smaller environments.
Here's a excerpt by Ben Scott in a conversation on an
NT Mailing List:
===========
My objection is simple: It is one more thing to go
wrong. If I can eliminate a place for something to
go wrong, I will. And when you are claiming authority
for a DNS zone you are not authoritative for (which is
what split DNS is all about), there is the potential
for things to get out of sync. Sure, if you do it
right, nothing will, but *WHY* even open up the
possibility, if it does you get you any advantage?
At the same time, I think using a separate DNS domain
name has several advantages:
- It clearly identifies internal vs external resources
in their name.
- You don't have to worry about keeping two different
DNS zones in sync.
- Should you decide you want to expose your private DNS
to the public for any reason, you can still do so.
- Roaming systems which are sometimes outside the
private network will never get confused over which
DNS zone is currently visible.
In short, it keeps separate things separate.
===========
There are certainly occasions where Split-Horizon DNS
is suitable or desirable, but it has drawbacks that you
would do well to consider before deploying.
• http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssbc_logi_kqxm.asp
• http://www.microsoft.com/downloads/details.aspx?familyid=15d276a5-4bf6-4add-9f67-56b38ccb576b&displaylang=en
NETBIOS NAME
The NetBIOS name is for backwards compatibility with
older Windows clients (NT4, Win9x) or applications
which rely on NetBIOS such as Lotus Notes and certain
windows services like Network Neighborhood.
It is limited to 15 characters maximum and should start
with an alpha character (A-Z), rather than a number.
You are well advised to leave the following characters
out of any NetBIOS names you create, as they may affect
interoperability with other systems:
" " (space)
"." period
"," comma
"-" dash
"_" underscore
In general, it is best to stick to the alphanumberic
characters (A-Z, 0-9) unless you want to experience
more troubleshooting fun than any of your colleagues.
==============================
IP ADDRESSING CONSIDERATIONS
==============================
Be sure to choose your IP addressing scheme with care.
Even though it is easy to accept whatever default your
hardware vendor suggests, you should consider selecting
a different range within the acceptable private address
blocks. The reason for this is that should you ever
desire to setup a VPN, you would have problems connecting
to anyone who was using the same addressing scheme for
their local LAN. Simply put, it becomes a routing issue
when a remote network is using the same addressing scheme
as a local network, and you attempt to connect the two
via VPN.
For example, if both you and your neighbor have chosen
to use 192.168.0.0/24 as your local LAN, when you attempt
to setup a tunnel between each other's networks, how will
your routers and firewalls be able to establish where the
traffic has originated from? Most modern firewalls would
raise alarms of spoofing upon getting such packets.
Consider using addresses in the 172.16.x.x - 172.32.x.x
since these are most frequently overlooked by others.
=========================
NAME RESOLUTION VIA DNS
=========================
DNS is king in an Active Directory domain. In order to
avoid connectivity and authentication problems, you
should ensure that DNS is properly configured in your
domain.
When you setup your DNS server, be sure to setup a
reverse lookup zone using the IP address of your LAN.
The Win2K DNS wizard makes it very easy. And make sure
that your DNS servers have pointer (PTR) entries setup.
This can be validated by performing an NSLOOKUP of
the IP addresses of machines on your network.
With AD, there is no longer the concept of Primary and
Backup domain controllers -- with the exception of 5
roles, all DCs are peers. Even on a small network, you
should consider the wisdom of having two DCs for
redundancies sake.
Your first domain controller should point to itself as
the DNS server. Subsequent DCs should point to the 1st
DC as DNS #1, and to themselves as DNS #2, just in case
DNS #1 becomes unavailable.
See Q291382 for more details.
You can setup your DNS server to use forwarders (that
is, point to other servers for addresses that it does
not maintain locally) or have it lookup the entries
by checking with the root servers directly. Either
method is fine, but the Forwarders method can be faster.
• http://support.microsoft.com/?KBID=291382
• http://support.microsoft.com/?KBID=323380
• http://support.microsoft.com/?KBID=825036
=================
SETTING UP DHCP
=================
When considering the use of DHCP, my rule is static IPs
for servers and network devices, and dynamic addresses
for everything else (with things like IP-based printers
using reserved DHCP addresses).
There are some who favor reserved using DHCP addresses
for servers, but I don't like the potential issues that
can ensue if the DHCP infrastructure is down for any
length of time.
• Static IP .............. Network Devices, Servers
• Standard DHCP .......... Regular Client systems
• Reserved DHCP .......... Printers, special Client systems
Remember that if you're using a broadband router to
allow access to one of your internal systems from the
outside, that system will need a static address, or
DHCP will need to be controlled by a device other than
the broadband router.
DHCP scopes in Windows are notoriously difficult to
expand after deployment, so you should endeavor to
chose an adequate size for your network up front, and
exclude a few addresses for networking devices, servers
or miscellaneous devices. I usually reserve .1 to .9
and .250 to .254 in a class C range for networking
devices such as routers, firewalls and switches.
Here's a example of how you might breakdown a class C
range of addresses for a small network. The options
you choose will depend on your ratio of servers to users,
and the need for Remote Access or network printers.
.1 - .9 Networking Devices
.10 - .149 Desktops using Standard DHCP Addresses
.150 - .169 Desktops using Reserved DHCP Addresses
.170 - .199 Remote Access Pool
.200 - .229 Servers & Network Storage
.230 - .249 Network Printers
.250 - .254 More Networking Devices
For most small networks, the following scope options
will be more than adequate:
003 Router
004 Time Server
006 DNS Servers
015 DNS Domain Name
If you have NT4 or Win9x systems, or you have a need to
run NetBIOS applications, you might also want to add
the following options:
044 WINS/NBNS Servers
045 NetBIOS over TCP/IP
046 WINS/NBT Node Type
Always use Type 8 for DHCP option 046 (Node Type).
Another good thing to do is to configure the DHCP server
to ping an address before handing out a DHCP address.
This is called "Conflict Detection" and is very useful in
the event that someone makes the mistake of giving
themselves a static address, which the DHCP server
believes is available for clients.
Remember to authorize your DHCP server in Windows 2000
(or 2003) and be sure that the scope you create is on
the same subnet as your DHCP server itself.
===================
ROUTER or SERVER?
===================
When setting up Active Directory on your home network
(or any other small network that contains a broadband
router), you should avoid the temptation to have the
router handle DNS and DHCP. Your Windows 2000 server
can provide more flexibility for both DNS and DHCP
than any broadband router, and DNS is very important
to Active Directory.
Ultimately, you'll experience far less trouble with
your domain in general, and your client systems in
particular, if you follow these simple guidelines:
• Disable DHCP on your Router
• Setup DNS and DCHP on your server
• Setup a reverse domain for your LAN
• Create the DHCP scope and authorize the DHCP server
• Ensure that a valid PTR record exists for the server
• Point the server to its own DNS (primary & secondary)
• Setup the DNS to use forwarders for external resolution
• Add a second domain controller for redundancy
• Point the primary DNS entry on this server to the 1st DC
• Point the secondary DNS entry on this server to itself
• Set DHCP to point all clients to your DNS server(s)
• Enable Dynamic DNS registration on the clients
• Create a SystemState backup of your domain controller
=========================================
ACTIVE DIRECTORY IN WINDOWS SERVER 2003
=========================================
Where AD under Windows 2000 had only Mixed and Native
modes, Windows Server 2003 brings a total of FOUR modes
(now called Domain Functional Levels) to the table.
1. Windows 2000 mixed (default)
2. Windows 2000 native
3. Windows Server 2003 interim
4. Windows Server 2003
Among other things, the various levels allow for domain
controller interoperability with older versions of Windows.
Mode #4 is the one with the most features, but all of your
domain controllers must be running Windows 2003 Server.
There are also THREE Forest Functional Levels:
1. Windows 2000 (default)
2. Windows Server 2003 interim
3. Windows Server 2003
• http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_levels.asp
By default, Windows 2003 AD enables the following polices
which will prevent Win9x systems from connecting to a 2003
Domain Controller:
* Microsoft Network Server: Digitally sign communications (always)
* Domain Member: Digitally encrypt or sign secure channel data (always)
Either alter these policies (not recommended) or install
DSClient on the Win9x systems that need to connect to AD.
• http://support.microsoft.com/?KBID=811497
=================
TROUBLESHOOTING
=================
Incorrectly configured DNS is likely to constitute the
bulk of issues that Active Directory environments face.
Ensure that any clients are pointing to the correct DNS
servers (which should be the AD boxes, and not your ISP
DNS server).
Also, be advised that incorrect or missing PTR entries
for your domain controllers will result in clients not
being able to find your DCs for the purposes of joining
the domain or logging on to the network.
A number of tools in the Resource Kit and Support Tools
will provide diagnostics for AD and DNS. You'll want
to install at least the Support Tools from the OS CD.
And don't forget to install Terminal Services (in Admin
mode) for easy remote administration.
• http://support.microsoft.com/?KBID=237675
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DOMAIN NAME
• http://support.microsoft.com/?KBID=237675
• http://support.microsoft.com/?KBID=260362
• http://support.microsoft.com/?KBID=254680
• http://support.microsoft.com/?KBID=296250
• http://www.faqs.org/rfcs/rfc1591.html
SETTING UP DNS IN 2000/2003
• http://www.microsoft.com/downloads/details.aspx?familyid=15d276a5-4bf6-4add-9f67-56b38ccb576b&displaylang=en
• http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_pro_EnableCondForwarders.asp
• http://www.microsoft.com/resources/documentation/windowsserv/2003/all/deployguide/en-us/dnsbd_dns_pxsr.asp
• http://www.microsoft.com/windows2000/technologies/communications/dns/
• http://www.microsoft.com/windows2000/techinfo/reskit/en-us/cnet/cncf_imp_zzui.asp
• http://www.adiscon.com/Common/en/Articles/Configure-Windows-DNS-for-Internet-Access.asp
• http://www.winnetmag.com/Article/ArticleID/13507/13507.html
• http://www.arstechnica.com/reviews/004/software/windows/exchange-1-1.html
• http://support.microsoft.com/?KBID=323380
• http://support.microsoft.com/?KBID=825036
DNS TROUBLESHOOTING IN 2000/2003
• http://support.microsoft.com/?KBID=291382
• http://support.microsoft.com/?KBID=275278
• http://support.microsoft.com/default.aspx?scid=/support/win2000/dns.asp&FR=1
FSMO ROLES
• http://www.microsoft.com/windows2000/en/server/help/sag_ADgcInfFSMO.htm
• http://support.microsoft.com/?KBID=255690
• http://support.microsoft.com/?KBID=324801
• http://support.microsoft.com/?KBID=255504
SIZING AND MAINTENANCE
• http://support.microsoft.com/?KBID=222019
• http://support.microsoft.com/?KBID=229602
• http://www.microsoft.com/windows2000/downloads/tools/sizer/
• http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/adsizer-o.asp
• http://labmice.techtarget.com/ActiveDirectory/AD_replication.htm
• http://www.ad.gatech.edu/adproj_design042502.html#gt
MIGRATIONS & TRANSFERING USERS (via LDIFDE)
• http://www.microsoft.com/downloads/details.aspx?FamilyID=6f86937b-533a-466d-a8e8-aff85ad3d212&DisplayLang=en
• http://support.microsoft.com/?KBID=326480
• http://support.microsoft.com/?KBID=283791
• http://www.microsoft.com/windows2000/techinfo/administration/redir-ldifde.asp
• http://www.microsoft.com/windows2000/downloads/tools/admt/
• http://builder.com.com/article.jhtml?id=r00220020605low01.htm
• http://www.jsiinc.com/SUBJ/tip4700/rh4795.htm
AD CLIENT EXTENSIONS
• http://www.microsoft.com/windows2000/downloads/tools/adclient/
• http://support.microsoft.com/?KBID=811497
DISASTER RECOVERY FOR AD
• http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/adrecov.mspx
• http://www.microsoft.com/technet/community/events/windows2003srv/tnt1-94.mspx
• http://www.microsoft.com/technet/community/events/windows2000srv/tnt1-76.mspx
• http://support.microsoft.com/servicedesks/webcasts/wc031902/wcblurb031902.asp
• http://www.jsifaq.com/SUBE/tip2300/rh2384.htm
• http://www.4mcts.com/downloads/addisaster.pdf
WHITEPAPERS & TECH DOCUMENTS
• http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/
• http://www.arstechnica.com/reviews/004/software/windows/exchange-1-1.html
• http://www.dslwebserver.com/
• http://www.computerperformance.co.uk/dns_dhcp_wins.htm
• http://www.netpro.com/ebook/
• http://www.nalanda.nitc.ac.in/resources/cse/ebooks/Win2k_srvr/Chapter02.pdf
• http://labmice.techtarget.com/ActiveDirectory/
• http://www.serverwatch.com/tutorials/article.php/1474461
• http://www.swynk.com/friends/dinicolo/adquick.asp
• http://msdn.microsoft.com/library/en-us/dnduwon/html/d5activedir.asp
• http://support.microsoft.com/?KBID=237675
• http://support.microsoft.com/?KBID=260362
• http://support.microsoft.com/?KBID=232070
• http://www.microsoft.com/windows2000/technologies/directory/ad/
• http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/manadsteps.asp
• http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_levels.asp
• http://www.faqs.org/rfcs/rfc1925.html
• http://www.ad.gatech.edu/adproj_design042502.html#gt
PERSONAL NOTES
• Sep 2005: ADMT v3 has just been released. Many of the
requested improvements have been provided. For very
large migrations, there are still better 3rd party tools
available, but for small or straight-forward migrations,
ADMT is very effective.
• A correctly configured DNS infrastructure is essential
to the proper operation of Active Directory. Check the
eventlogs regularly for information regarding the
health of your DNS servers.
• Be sure that your Domain Controllers and domain clients
are pointing to your internal DNS server, and *not* your
ISP DNS. Otherwise, your logon times will be slow...
• You should avoid using the default IP range that is
provided by the maker of your router/gateway/firewall
for at least two reasons:
(1) People should not be able to figure out your IP
addressing scheme, simply by knowing what device
you own.
(2) If you ever want to setup a Site-to-Site VPN
with a friend or colleague, you'll find it a
bit more challenging if you both have the same
IP Address ranges. Be creative and with your
use of the RFC 1918 addressing space.
• Any domain which is running Windows 2003 as a domain
controller is a Windows 2003 Active Directory domain,
and has the option of running in one of the following
FOUR Domain Functionality Levels:
Windows 2000 mixed (default)
Windows 2000 native
Windows Server 2003 interim
Windows Server 2003
• The info on Domain & Forest functional levels can also
be found in the Windows 2003 HELP system
• Although NT4 and Win9x machines are supported in 2000
domains via the AD Client, by default, 2003 does not
allow Win9x machines or NT4 pre-SP4 systems to connect
to a 2003 Active Directory domain. See Q811497
• Mastering Windows Server 2003 by Mark Minasi is a great
book for anyone who is new to Active Directory and
Windows 2000/2003
RELATED SCRIPTS (ALSO IN THIS ARCHIVE)
• http://KB.UltraTech-llc.com/Scripts/?File=Debug.BAT
• http://KB.UltraTech-llc.com/Scripts/?File=IPDebug.BAT
• http://KB.UltraTech-llc.com/Scripts/?File=BackupSS.BAT
• http://KB.UltraTech-llc.com/Scripts/?File=BackupSched.BAT
RELATED TOPICS (ALSO IN THIS ARCHIVE)
• http://KB.UltraTech-llc.com/?File=NetBasics.TXT
• http://KB.UltraTech-llc.com/?File=ADUpgrade.TXT
• http://KB.UltraTech-llc.com/?File=Browser.TXT
• http://KB.UltraTech-llc.com/?File=NameRes.TXT
• http://KB.UltraTech-llc.com/?File=Naming.TXT
• http://KB.UltraTech-llc.com/?File=UserMgr.TXT
• http://KB.UltraTech-llc.com/?File=UserAcct.TXT
• http://KB.UltraTech-llc.com/?File=CopyProfile.TXT
• http://KB.UltraTech-llc.com/?File=ServerSpecs.TXT
• http://KB.UltraTech-llc.com/?File=OSBasics.TXT