So as the title says, I need to promote a standalone Win2008R2 server to a Domain Controller, and I don't need a DNS Server (I think), as there will be no clients connected to the domain; it will only be used for Remote Desktop Services. Yes, I know, it's considered bad practice to install other roles on the DC, but in this case, it's necessary.

Do I need to install the DNS Server, and if I do, how to make it as transparent as possible?

EDIT: It seems that I need to install the DNS Server, so how can I configure it not to mess up my entire domain?

For example:

The server I need to promote is rdc.mydomain.com, and it has an A entry for its IP in the current DNS, while other servers under mydomain.com are running Linux and don't need to know anything about this Windows box. The domain uses a third-party DNS, and all edits and updates need to be done via a separate web page; our servers don't have write/update access.

onik
  • I just want to point out that 'bad practice' doesn't really cover it. It's just downright wrong to use a DC as a TS / RDS server. You're almost certainly going to hit problems. – Dan Mar 28 '12 at 10:05
  • My other solution would be to install the DC behind a NAT with no internet access, would this be a better idea or would the fact that there's no direct internet access cripple the DC? – onik Mar 28 '12 at 10:13
  • 1
    You DO need DNS present for AD to function correctly (though it doesn't need to be on the AD server), and any plan that calls for combining the DC and terminal server roles (or terminal server and just about any other role, for that matter) needs to be re-thought again from scratch. You might as well deploy your servers with a rootkit already installed as part of the install image, and cut out the middle man. – Rob Moir Mar 28 '12 at 10:23
  • 3
    Why do you need a DC for RDS? It's not a requirement that an RDS server be a domain member. Why not just install the RDS role and be done with it? – joeqwerty Mar 28 '12 at 10:43
  • +1 for joeqwerty's response. – Robin Gill Mar 28 '12 at 11:16
  • @joeqwerty To enable RemoteApp filtering by user. This feature requires the users to be domain users; local users can't be used. I previously used TSFactory's RemoteApp Filter for this, but it doesn't support R2, only 2008. – onik Mar 28 '12 at 11:21
  • Don't you need domain admin rights to RDP to a DC anyway? – faker Mar 28 '12 at 13:57

4 Answers

Simple answer: YES, you need to install DNS Server. Otherwise you will not be able to install AD, and the installation will simply fail.

Cold T
  • Not quite. You don't *need* to install the DNS role while installing AD (this is what your answer suggests). DNS does need to be available on the network in order for AD to function correctly. – Rob Moir Mar 28 '12 at 10:25
  • Rob, you're right, my explanation is slightly out. Indeed you can install the DNS role after AD, but to dcpromo it, you need DNS in place. – Cold T Mar 28 '12 at 10:39
  • To clarify: you need a DNS infrastructure in place. You don't need to install the DNS server on the server you are promoting. So long as you have a functional DNS infrastructure already, it is quite possible to promote a server to a domain controller without installing a local DNS server. That being said, it's generally easier and better to just install the DNS service when you promote it. – Rex Mar 29 '12 at 03:11

Active Directory depends on DNS; this is not negotiable at all. When you promote the server to be a DC, the wizard will ask if you want to install the DNS Server role on it as well; this is the easiest way to do it.

ThatGraemeGuy

Why not create a subdomain within that domain purely for AD (ad.mydomain.com)? Or create your own internal-only domain for the Windows box (e.g. org.my).

There's no need to mess with the existing domain just for AD.


I managed to solve this by creating a VM in a local-only network and assigning that machine to be a DC for a local domain, mydomain.local. This way the RD server can connect to it, but it's separate from the rest of the network and won't affect any other services/servers.

onik
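An added verification script, not part of the question or any answer, for the isolated-DC approach the asker settled on: it confirms the AD locator (SRV) records resolve from the new DC's own DNS, and that the DC's DNS server does not host a zone for the public mydomain.com, which would shadow the third-party DNS for any host pointed at it. It assumes Windows Server 2008 R2 with the DNS Server role installed, an elevated PowerShell session on the DC, and the domain names used in the thread (adjust the three variables).

```powershell
# Added example (not from the thread): post-promotion DNS sanity checks on the new DC.
# Assumptions: run as administrator on the DC; nslookup.exe and the MicrosoftDNS WMI
# provider are present (both ship with Windows Server 2008 R2 + DNS Server role).
$AdDomain     = 'mydomain.local'   # the separate, AD-only domain from the accepted approach
$PublicDomain = 'mydomain.com'     # the third-party-hosted zone that must stay untouched
$DnsServer    = '127.0.0.1'        # the DC's own DNS service

# 1. Locator records that domain join, logon and Kerberos depend on. If these are
#    missing, domain members (here, the RD server) cannot find the DC at all.
$SrvRecords = @(
    "_ldap._tcp.dc._msdcs.$AdDomain",
    "_kerberos._tcp.dc._msdcs.$AdDomain",
    "_ldap._tcp.$AdDomain",
    "_kerberos._tcp.$AdDomain",
    "_kpasswd._tcp.$AdDomain"
)
foreach ($name in $SrvRecords) {
    # nslookup prints one 'svr hostname = ...' line per SRV answer
    $out = & nslookup.exe -type=SRV $name $DnsServer 2>&1
    if ($out -match 'svr hostname') {
        Write-Host "OK       SRV $name"
    } else {
        Write-Warning "MISSING  SRV $name (AD clients cannot locate the DC)"
    }
}

# 2. The DC's DNS server should be authoritative only for AD zones, never for the
#    public domain. A local primary zone named mydomain.com would override the real
#    records for every host that uses this DC as its resolver.
$zones = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
         Where-Object { $_.ZoneType -eq 1 }          # ZoneType 1 = primary
foreach ($z in $zones) {
    if ($z.Name -ieq $PublicDomain -or $z.Name -ilike "*.$PublicDomain") {
        Write-Warning "Zone '$($z.Name)' is hosted locally; remove it so $PublicDomain stays with the external DNS"
    } else {
        Write-Host "OK       local primary zone $($z.Name)"
    }
}

# 3. Forwarders: on a local-only network (the NAT idea from the comments) external
#    names will not resolve regardless; if the DC does have a route out, it should
#    forward to the existing resolver rather than answer for the public domain itself.
$srv = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server
$fwd = if ($srv.Forwarders) { $srv.Forwarders -join ', ' } else { '(none configured)' }
Write-Host "Forwarders: $fwd"
```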