
I'm new to the Active Directory world (I know how to use it, not set it up :) ). I just bought a server from Leaseweb running Windows Server 2012 R2 and plan to use it for Active Directory. It has its own IP address, and everything.

My question is though, I obviously can't bind computers to it's domain using a .local network, so how would I set up an active directory using a domain I own?

Say I own example.com and I create a subdomain in my DNS settings on my domain's hosting provider ad.example.com. Is it possible to use that subdomain on my Windows server as the active directory name?

Looking for some guidance on how to setup active directory correctly using a server that isn't on my local network. Please let me know what information you need to know.

Thank you in advance!

timothym96
    1. You should use an unused subdomain of your public domain. 2. You should not add that subdomain to your public DNS zone. – joeqwerty Apr 04 '14 at 16:05
  • [First of all, don't use made up TLDs like .local, .lan, .corp, or any of that other crap. Those TLDs are not reserved. ICANN is selling TLDs now, so your mycompany.corp that you're using today could actually belong to someone tomorrow. If you own mycompany.com, then the smart thing to do is use something like internal.mycompany.com or ad.mycompany.com for your internal AD name. If you use mycompany.com as an externally resolvable website, you should avoid using that as your internal AD name as well, since you'll end up with a split-brain DNS.](http://serverfault.com/q/402580/118258) – HopelessN00b Apr 04 '14 at 16:07
  • Actually there are reserved TLDs - RFC 6761 and 6762 reserve 5 in total, among them ".local" (but that for link-local use). – TomTom Apr 04 '14 at 16:12
  • Okay, so do you recommend I purchase another domain for use on the AD? Our current domain if entered does go to a website if that is what you mean, and would cause issues. Currently, company.com does go to an address. So you are saying making it ad.company.com would give me issues? EDIT: I read more into it, you mean don't use company.com as the domain name, use a subdomain. I gotcha now. – timothym96 Apr 04 '14 at 16:15
  • @timothym96 Using an unused subdomain of a publicly accessible, registered domain that you own is actually the recommendation from Microsoft. [Take a look at the question I asked on the topic a little while ago](http://serverfault.com/q/567775/118258), which contains numerous reasons and links to recommendations on why that's the case. – HopelessN00b Apr 04 '14 at 16:18
  • Nice, thanks for that! DirectAccess seems so much easier than VPN setup, I will play around with that too! THANK YOU again for all the help! – timothym96 Apr 04 '14 at 16:37

2 Answers


Setting up an Active Directory Domain is the same, whether the computer you're doing it on is local or remote. The difference will be in how you join to and connect to the remote Active Directory domain - this is usually done via VPN, as it's a bad practice (for security reasons) to expose your domain controllers to access from the internet.

As to how, precisely, you set up an Active Directory forest... that's too broad a topic for our Q&A format. Do it (find a guide online, if needed), and then feel free to come back to search for answers or ask about any specific problems or questions you come across.

HopelessN00b
  • Thank you very much for the link. I do plan on using a VPN for this then. That I can do some Googling about to figure out how to setup :) I appreciate your help! So it doesn't really matter what I make it, because technically the VPN will make me "local" according to the machine since I will be on the same network, so I will be able to bind it, etc etc. So, I can simply tell the server to use ad.example.com when setting it up? – timothym96 Apr 04 '14 at 16:12
  • @timothym96 Basically, yes. In a typical enterprise setup, what you'd end up doing is setting up a site-to-site VPN between the remote domain controller and the clients, so that the clients are able to connect to the domain controller at boot and logon... otherwise, you end up with trouble processing GPOs and all kinds of headaches around the fact that the clients can't contact the domain controller at boot/logon time. And the site-to-site VPN is usually done on the network gear... though you could use Windows RRAS servers (or Linux/BSD servers) to do it as well, if needed. – HopelessN00b Apr 04 '14 at 16:16
  • Thank you! I did some searching and found some helpful guides about how client would log in (looks very simple). Thank you very much for your help! – timothym96 Apr 04 '14 at 16:23

Running Active Directory over the public internet is a really bad idea. Normally you would use a local server. If you must use a remote server you should set up a VPN between your network and the server. This will keep the traffic secure and make the server appear to be local so you can join workstations to the domain.

Also, despite its prolific use, using .local for your domain isn't a good idea. Check Microsoft's documentation for current best practices. It's not bad enough that I would rename an existing domain, but I certainly wouldn't set up a new one with a .local domain.

Grant
  • Yes, I did learn .local is bad which is why I was curious about using our company's domain. So, I can simply tell the server to use ad.example.com when setting it up? – timothym96 Apr 04 '14 at 16:12
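
As an added worked example (not code from either answer, nor from Microsoft's documentation), the PowerShell sequence below puts the advice from both answers into practice on Windows Server 2012 R2: promote the remote server as the first DC of a forest named after an unused subdomain of a domain you own, keep the AD ports off the public interface so only the VPN tunnel can reach them, check from the outside that nothing answers and that the AD name is not published in public DNS, and finally join a workstation over the VPN. Every name and address in it is an assumption: example.com / ad.example.com, the DC's public IP 203.0.113.10, the tunnel subnet 10.0.0.0/24 with the DC reachable as 10.0.0.10, and an office subnet 192.168.1.0/24.

```powershell
# Added example, not from the original answers. Hypothetical values:
#   public domain you own:            example.com
#   AD forest/domain name:            ad.example.com  (unused subdomain, NOT published in public DNS)
#   DC public IP at the hosting provider: 203.0.113.10
#   site-to-site VPN tunnel subnet:   10.0.0.0/24, DC reachable as 10.0.0.10 through the tunnel
#   office client subnet:             192.168.1.0/24

# --- 1. On the remote server: promote it to the first DC of the new forest -------------
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Install-ADDSForest `
    -DomainName "ad.example.com" `
    -DomainNetbiosName "AD" `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") `
    -Force
# The server reboots. The ad.example.com zone now lives as an AD-integrated zone on the DC;
# the public example.com zone at your registrar/hosting provider is left untouched.

# --- 2. On the DC after the reboot: AD ports reachable only from the VPN/office subnets --
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block

$trusted = "10.0.0.0/24", "192.168.1.0/24"
New-NetFirewallRule -DisplayName "AD services from VPN only (TCP)" `
    -Direction Inbound -Protocol TCP `
    -LocalPort 53,88,135,139,389,445,464,636,3268,3269,49152-65535 `
    -RemoteAddress $trusted -Action Allow
New-NetFirewallRule -DisplayName "AD services from VPN only (UDP)" `
    -Direction Inbound -Protocol UDP `
    -LocalPort 53,88,123,389,464 `
    -RemoteAddress $trusted -Action Allow

# --- 3a. From any Internet host: the AD name must not resolve and the ports must not answer
if (Resolve-DnsName -Name "ad.example.com" -Server 8.8.8.8 -ErrorAction SilentlyContinue) {
    "WARNING: ad.example.com is published in public DNS; remove it from the example.com zone"
} else {
    "OK: ad.example.com is not publicly resolvable"
}
foreach ($port in 88, 389, 445, 636) {
    $open = Test-NetConnection -ComputerName 203.0.113.10 -Port $port -InformationLevel Quiet
    "Port $port reachable from the Internet: $open"   # you want False on every line
}

# --- 3b. From a client on the office LAN with the tunnel up: DC locator works through the VPN
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.ad.example.com" -Type SRV -Server 10.0.0.10
Test-NetConnection -ComputerName 10.0.0.10 -Port 389

# --- 4. Join a workstation: point its DNS at the DC (or hand that out via the office DHCP)
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 10.0.0.10
Add-Computer -DomainName "ad.example.com" -Credential (Get-Credential "AD\Administrator") -Restart
```

Step 3a is the check worth keeping in a runbook: if the public resolver returns a record for ad.example.com, or any of the four ports reports True against the public IP, the DC is exposed to the Internet and the subdomain has leaked into the public zone, which is exactly the situation the comments above warn against. The dynamic RPC range in the TCP rule is there because domain join, Group Policy processing and replication use RPC endpoints above 49151 on 2012 R2; it is still restricted to the tunnel and office subnets.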