
I want to install Active Directory on my server so that I can have centralized user authentication.

I don't know much about AD but I am reading stuff.

I am also reading about DNS servers.

Now in every subject they talk about domain name. Now I am confused what domain name they are talking about.

Is there any website domain name I have to type here or what?

If I type any name then it says it can't connect to that.

How can I find what domain name I have to type while doing the DNS or AD?

2 Answers

2

If you're asking these questions, you really need to do more research before you jump into installing AD.

Good Reading:

http://technet.microsoft.com/en-us/library/cc758535%28WS.10%29.aspx

http://technet.microsoft.com/en-us/library/cc770946%28WS.10%29.aspx

http://technet.microsoft.com/en-us/library/bb727030.aspx

DNS and AD go hand in hand. The domain name you choose should be globally unique, but not routable. Best practice is to make it a sub-domain of a domain that you already own, but not exposing it to the Internet. If you don't own a domain name and are just doing this for testing, you can use any non-standard TLD.

MDMarra
  • Actually I am reading stuff but this domain thing is confusing me. E.g. if I have domain name www.testad.com, then I type that domain where it asks, then do I have to change some DNS setting where I have registered the domain name? –  Dec 15 '09 at 02:48
  • Assuming that testad.com is your AD domain name then www.testad.com is a DNS entry in your AD DNS domain. The AD domain controllers with DNS installed will assume they are authoritative for the DNS domain testad.com. So yes, you may have to change DNS settings, but where depends on your other DNS setup. Machines that are going to be part of the AD will have to know to send DNS requests to the DNS servers (normally the DCs) that host the AD DNS domain. – Sim Dec 15 '09 at 02:59
  • If www.testad.com is routable on the internet, you should not make it your AD domain. Instead you should use something like internal.testad.com and do NOT have an external DNS entry for it. Your DNS entries for internal.testad.com should be on your internal DNS servers, which are *usually* also your domain controllers. – MDMarra Dec 15 '09 at 03:03
  • @Sim - setting up an AD like that is asking for trouble. It is much, much easier to recommend making it a non-routable sub domain – MDMarra Dec 15 '09 at 03:06
  • If we want a non-routable domain then even mirror51.microsoft.com will be non-routable, can't it? Means that I can use any domain?? So basically by domain means I am giving my server with IP 10.0.11.1 the name internal.testad.com. How will the computer know that 10.0.11.1 is internal.testad.com? –  Dec 15 '09 at 03:24
  • @MarkM - I wasn't suggesting that specifically though it may have come across that way. I agree the non-routable domain is a much better approach. – Sim Dec 15 '09 at 04:23
  • @Mirror, since you don't own Microsoft.com, there is a chance that it will become routable. Since you have no control over that domain, you don't want to do it like that. – MDMarra Dec 15 '09 at 04:29
  • @Mirror - Your computers will know that, because you will make it a DNS server when you promote it to a domain controller. Then, you will configure your internal computers to use that as a DNS server, either through DHCP options, or static assignment. – MDMarra Dec 15 '09 at 04:30
  • @Mirror51 - The AD Domain Controllers will resolve queries for the AD DNS domain e.g. testad.com. The computers who are members of the AD will need to use the Domain Controllers as their DNS servers for them to understand that 10.0.11.1 is internal.testad.com. The DCs can also be configured to send queries for other DNS domains e.g. mirror51.microsoft.com to your "normal" DNS servers. – Sim Dec 15 '09 at 04:37
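The naming advice in this answer and its comments (RFC-style label syntax, no single-label names, a non-routable sub-domain of a domain you own, never a public domain that belongs to someone else) can be turned into a pre-flight check. The function below is an added example, not code from the answer or from Microsoft; the candidate names, the "owned" domain brokenhaze-style placeholder and the list of public TLDs it warns about are constructed for illustration.

```powershell
# Added example: sanity-check a candidate AD DNS domain name before you promote a DC.
# Assumptions: the admin supplies the public domain they own (if any); the public-TLD
# list is a constructed, non-exhaustive sample used only to raise a warning.

function Test-AdDomainNameCandidate {
    param(
        [Parameter(Mandatory)] [string] $Candidate,
        [string] $OwnedDomain          # e.g. 'testad.com'; empty if you own no domain
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $name     = $Candidate.TrimEnd('.').ToLowerInvariant()
    $labels   = $name -split '\.'

    # Label syntax: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
    foreach ($label in $labels) {
        if ($label -notmatch '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$') {
            $problems.Add("label '$label' is not valid hostname syntax")
        }
    }
    if ($name.Length -gt 253) { $problems.Add('name is longer than 253 characters') }

    # Single-label names (e.g. "testad") cause DNS and client-lookup trouble in AD.
    if ($labels.Count -lt 2) { $problems.Add('single-label name; use at least two labels') }

    if ($OwnedDomain) {
        $owned = $OwnedDomain.TrimEnd('.').ToLowerInvariant()
        if ($name -eq $owned) {
            # Using the public domain itself for AD means internal and Internet views collide.
            $problems.Add("'$name' is your public domain itself; prefer a sub-domain such as ad.$owned")
        } elseif (-not $name.EndsWith(".$owned")) {
            $problems.Add("'$name' is not under $owned; if it is registrable by someone else it may become routable")
        }
    } else {
        # Constructed sample of public TLDs: a name here that you do not own may be routable.
        $publicTlds = 'com', 'net', 'org', 'edu', 'gov', 'info', 'biz'
        if ($publicTlds -contains $labels[-1]) {
            $problems.Add("'$name' uses public TLD .$($labels[-1]) and no owned domain was given; it may belong to someone else")
        }
    }

    [pscustomobject]@{
        Name         = $name
        IsAcceptable = ($problems.Count -eq 0)
        Problems     = ($problems -join '; ')
    }
}

# Constructed candidates drawn from the discussion above.
$owned = 'testad.com'
'internal.testad.com', 'testad.com', 'mirror51.microsoft.com', 'testad', 'bad_name.testad.com' |
    ForEach-Object { Test-AdDomainNameCandidate -Candidate $_ -OwnedDomain $owned } |
    Format-Table -AutoSize -Wrap
```

Run it with the domain you actually own in `$owned`; only `internal.testad.com` comes back acceptable in the constructed set, which is exactly the sub-domain MDMarra recommends. If you own no domain, pass no `-OwnedDomain` and the function instead warns when the candidate ends in a public TLD.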
2

There are really two ways to go about deciding what you want to name your domain. You just need to remember that for all intents and purposes you can't change your domain name without starting from scratch. Yes there are ways to rename a domain, but they are dangerous, and can be a little tricky to do right.

Theoretically you can name your domain whatever you like as long as it conforms to (and someone correct me if I'm remembering wrong) RFC 1035. However, there are etiquette considerations such as not using a valid domain you don't own (essentially .com, .net, ccTLD based domains, etc) internally. For example using microsoft.com for your internal domain would be bad form as well as making it all but impossible to get to anything hosted by Microsoft. The two most common standards are to use either:

a) a subdomain of a domain you own - as an example I would use ad.brokenhaze.com or internal.brokenhaze.com (or anything similar) because I'm the owner of brokenhaze.com

b) $something.local, to use your "testad.com" example if you changed it to "testad.local" you would be perfectly fine. The .local suffix is generally accepted as an internal suffix as well as used by most of the zero-conf protocols.

To answer your comment on MarkM's answer. During AD installation, if it is a new domain it will force you to install DNS, as well as set up all of the records required by AD to work properly. Then you would point your client machines' DNS server to - using your example - 10.0.11.1 (in other words the IP of the DC that is hosting DNS). AD is HIGHLY dependent on DNS so your clients really need to be pointed to an internal server that is hosting the correct DNS records (in smaller installations these are normally the DC(s)).

Also besides reading up on AD, you should really also read up on LDAP - as that is the backbone of AD and all major, modern Central Authentication systems.

Zypher
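The answer's last technical point, that clients must use the DC-hosted DNS and that AD registers the records clients depend on, is something you can verify from a workstation before blaming AD itself. The script below is an added example (not from the answer or from Microsoft); it assumes the domain name and DC address used in the question (`internal.testad.com`, `10.0.11.1`) and the `DnsClient` cmdlets that ship with Windows 8 / Server 2012 and later. On the Server 2008-era systems the question dates from, `nslookup -type=SRV _ldap._tcp.dc._msdcs.internal.testad.com 10.0.11.1` gives the same answer by hand.

```powershell
# Added example: from a domain member (or a machine about to be joined), check that
# (1) its DNS resolver points at the DC and (2) the DC-locator SRV record that AD
# registers resolves through that server. Domain and DC address are assumed values.

function Test-AdDnsReadiness {
    param(
        [Parameter(Mandatory)] [string] $AdDomain,          # e.g. 'internal.testad.com'
        [Parameter(Mandatory)] [string] $ExpectedDnsServer  # e.g. '10.0.11.1'
    )
    $details = New-Object System.Collections.Generic.List[string]

    # 1. Which IPv4 DNS servers is this client actually configured to use?
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object { $_.ServerAddresses }
    $dnsOk = $servers -contains $ExpectedDnsServer
    if (-not $dnsOk) {
        $details.Add("client DNS servers [$($servers -join ', ')] do not include $ExpectedDnsServer; set it via DHCP option 6 or statically")
    }

    # 2. The DC locator record every domain member relies on. If this does not
    #    resolve, joins and logons fail regardless of what the DC itself thinks.
    $srvName = "_ldap._tcp.dc._msdcs.$AdDomain"
    $srvOk   = $false
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $ExpectedDnsServer -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
        if ($srv) {
            $srvOk = $true
            foreach ($r in $srv) { $details.Add("DC advertised: $($r.NameTarget):$($r.Port) (priority $($r.Priority))") }
        } else {
            $details.Add("no SRV records returned for $srvName")
        }
    } catch {
        $details.Add("SRV lookup for $srvName via $ExpectedDnsServer failed: $($_.Exception.Message)")
    }

    [pscustomobject]@{
        Domain       = $AdDomain
        DnsServerOk  = $dnsOk
        SrvRecordsOk = $srvOk
        Details      = ($details -join "`n")
    }
}

Test-AdDnsReadiness -AdDomain 'internal.testad.com' -ExpectedDnsServer '10.0.11.1' | Format-List
```

Both checks should pass on a correctly configured client. `DnsServerOk` false with `SrvRecordsOk` true means the DC's zone is fine but the client is still asking the wrong resolver (typically the ISP's, which cannot know about `internal.testad.com`); both false usually means the client cannot reach the DC's DNS service at all.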