Setting up Active Directory is not difficult. However, many people experience problems with their installation shortly after completing it because they neglect to properly plan their implementation of DNS. I receive e-mail on almost a weekly basis from users who have gone ahead and run dcpromo, and then wonder why client systems can't properly connect to the Internet. The purpose of this article is to act as a quick primer toward ensuring that Active Directory works, while at the same time allowing your network systems proper Internet access.
Before I begin, it's worth mentioning that this article is aimed at users who are looking to install and work with Active Directory on a small or home network. It is not aimed at users upgrading from NT 4 or those planning a major Active Directory deployment including Exchange 2000, although the central concepts outlined still hold true. However, if you are looking for a quick and easy guide to setting up an AD test network, then this article should help to ensure that you get started on the right foot. I assume that the server we are configuring will be the first domain controller in your new Active Directory domain, and that your internal systems can already access the Internet via some method, such as Internet Connection Sharing, NAT, or perhaps some type of connection-sharing hardware router.
The first and most important step in installing Windows 2000 Active Directory is properly planning your DNS implementation. AD cannot exist without DNS, so this is well worth paying attention to. Unfortunately, in their quest for simplicity, Microsoft decided that DNS would be installed automatically as part of the Active Directory installation process if you didn't explicitly configure it in advance. As such, my suggestion is that you always configure DNS manually prior to even considering Active Directory. If you don't, you will probably end up with a DNS implementation that doesn't meet your needs.
At this point, I am going to assume that you have Windows 2000 Server installed. The first step towards a proper AD implementation will involve installing and configuring DNS. If you haven't done so already, add the DNS service to your server from the Windows Components option in Add/Remove Programs in Control Panel, as shown below.
Active Directory Networking Services
After adding DNS, the next step is configuring a new DNS zone. The name of the zone is important, and I generally suggest using a "private" name for Active Directory, such as company.local instead of a public name that your company may have already registered, such as company.com. This will help to ensure that both your internal and external hostnames resolve correctly once all is said and done. In this case, create a new zone called company.local using the DNS administrative tool. This is accomplished by right clicking on Forward Lookup Zones and choosing New Zone.
Creating a New Zone
The wizard that walks you through the process is fairly straightforward, but be sure to choose to create a standard primary lookup zone, as shown below.
Once the zone has been created, the next step is to ensure that your server is pointing at itself for DNS name resolution. Go into the server's TCP/IP properties and add the IP address of this server as the DNS server address. This step is critical, so be sure not to skip it.
Once this step has been completed, you are ready to begin the Active Directory installation process by running dcpromo from the Run command, as shown below.
The Active Directory installation wizard is another simple tool. Our goal is to create a new Active Directory domain, in a new tree, in a new forest - this is ultimately covered in the first 3 input screens of the dcpromo process. The first input screen is shown below.
When prompted for your Active Directory domain name, choose exactly the same name as the DNS zone that you set up earlier — for example, company.local.
There is nothing wrong with using a private DNS zone name internally on your network. In fact, many companies prefer it, because it allows them to separate internal and external naming. Most small companies use the services of a hosting provider to handle their email, web, and DNS services. If you did choose to use your public DNS name internally, you would then need to manually create additional DNS records for all of your external clients on your internal servers, or internal clients would not be able to reach your public servers properly. Using a private name internally makes life a great deal easier; the internal DNS server will resolve names for internal servers, while external DNS (like that hosted by your ISP) will still properly resolve the names of external resources.
The main reason for setting up DNS in advance is to avoid a very common problem. Many people complain that their DNS server will not resolve names for Internet hosts on account of the Root Hints file not being present, as well as the fact that they cannot configure Forwarders. What this means is that your DNS server has been configured as a Root Server during the Active Directory installation process. In other words, your DNS server thinks that it is the top of the DNS hierarchy, and as such, there is no higher level to which queries should be forwarded. If your DNS implementation is lacking a Root Hints file or the ability to set up Forwarders, see this Microsoft KB article:
Once Active Directory is installed, you should be able to access the Internet from this server, since it will forward DNS queries to other external DNS servers as necessary, starting with the Root Servers. However, for faster name resolution, you should consider setting up DNS forwarding. To do this, access the properties of you DNS server in the DNS tool, and add the IP addresses of your ISPs DNS servers to the Forwarder tab. This ensures that DNS queries for external resources will first be forwarded to your ISP, where information on many external servers is likely already cached. In general, this will result in better name resolution performance.
After Active Directory is installed, all of your internal clients should also be pointing at your new domain controller for DNS name resolution. Once they are pointing at the new domain controller for DNS purposes, add the Windows NT/2000/XP clients to your new domain.
If you want to add additional domain controllers to your network, ensure that they are pointing to your new DNS server for name resolution prior to running dcpromo.
If you wish, you can also make any new domain controller a DNS server by installing the DNS service on that box, and then configuring it as a secondary name server. Alternatively, you can also install DNS and then configure your company.local domain as an Active Directory integrated zone, where DNS information is actually stored as part of the Active Directory database.
No comments:
Post a Comment