re: single label dns name for active directory
Thursday, March 13, 2008 at 8:53 pm Posted by tsforrest
(1 messages posted)
Well first, you need to remember that your Windows domain is not something that you
want to share publicly. Second, you do not own dyndns.org, so you cannot use it
as your domain without causing any computers in your domain to lose connectivity
to dyndns.org (not really lose connectivity, but name resolution, but will have a
similar effect and is stated for simplicity here).
I'll try to keep this AS BASIC AS POSSIBLE, trying only to give enough info to get
a Windows domain working, while simplifying and skipping a lot of stuff. DO NOT DO
THIS FOR VITAL COMPUTERS without a thorough understanding of Active Directory, Windows
Server, etc.
Finally, your Windows domain is something that is intended to be used to control
access and other security for a group of computers and other resources belonging
to a group or entity of some kind, and to allow different computers and devices
in this group to find each other. This means that you do not need to use a publicly
valid domain name (and SHOULDN'T) just for your internal computers to find and access
each other. It will not affect how computers on the Internet find and communicate
with your computers in your domain in this scenario. Sure, if you own "mydomain.com",
you could set up an Active Directory domain controller in a domain named "mydomain.com",
then set your domain's public DNS hosts records to the public IP address of your
Active Directory domain controller with the DNS service running (these days, this
is usually done through the company you use to purchase the domain). Then, computers
on the Internet could find the computers in your domain by name or alias (computer1.mydomain.com,
or even www.mydomain.com).
NOTE - DNS stands for Domain Name System, and it is used for computers to find each
other by name on the Internet, or to find each other if they are in the same Active
Directory domain. The first machine you use to install Active Directory will become
a Domain Controller for that domain, and must have DNS installed. Windows will use
DNS for computers and other resources in the same domain to find each other by name,
to find Domain Controllers, and other stuff.
Usually, but not always the case for some companies, an Active Directory domain is
not something you would find on the Internet. Especially for a home or test domain,
you want to select something completely different, like "domain.local", "MyFamilyDomain.home",
or "home.loc" ("loc" short for local) or anything like that. If you MUST use ".com"
make sure you select a domain you'll never need to access over the Internet, like
"ThisNameIsSoLongNoOneWouldUseIt.com". I will use "home.loc" for my examples, and
you could use this for your domain as well. After you specify your DNS domain name
of "home.loc", you will then be prompted for the NetBIOS domain name, which has no
period. If you used "home.loc" for your DNS domain name, then use something like
"HOME" for your NetBIOS domain name. When you add a computer to your domain (say
"computer1"), its fully-qualified domain name, or FQDN, would become "computer1.home.loc".
Its NetBIOS name would simply be "COMPUTER1". Your user names would be "user1@home.loc"
(DNS) or "HOME\user1" (NetBIOS). The machine you use to install Active Directory
(AD from now on) will be your first Domain Controller and DNS server (DNS servers
help computers find each other by name instead of IP address). Then, you add the
IP address of your domain controller as the first DNS server in the IP Address configuration
on any computer you want to add to the domain. Once done, each computer will then
be able to ask your DNS server (also your AD domain controller) where to logon, where
to find other computers and resources, etc. Then, after adding the DNS server stuff
to another computer (say "computer2"), it can be added to your domain and will get
a fully-qualified DNS name of "computer2.home.loc" in the "home.loc" domain and a
NetBIOS name of "COMPUTER2" in the "HOME" domain. Once added to the domain, you
can open a command prompt on computer2 (Start->Run, type "cmd", press ENTER) and
you could "ping" computer1 by typing "ping computer1" (it will add "home.loc" to
the end of the name by default since that is its domain), or by using the FQDN with
"ping computer1.home.loc". You can share printers, create file shares, select which
AD users have what type of access to which resources, and then you have a simple
home domain where you can create users that could logon to any computer in the domain
and do all sorts of other neat stuff.
This info should be enough to get you started, or at least enough to get you past
your current "hump" in the road. There is a lot of other AD stuff that can be set
up like WINS servers, certificate authorities, and a bunch of other stuff. A lot
of applications such as Microsoft Exchange (the intended mail server for Microsoft
Outlook) and lots of other Microsoft and non-Microsoft applications, services, devices,
etc. need a Windows domain to function, or fully function.
*****I am tired, and have a lot more work to do, so I don't have time to proof this
post (my apologies to everyone). I kept things simple, so please don't go
crazy with corrections. ******
You may think I'm lazy for that, but hey, I posted a marathon post in an attempt
to help. If you disagree with something, post to help this guy, and others, get
a Windows domain up to play with as quickly and easily as possible without knowing
the technical details. If you post, post to help, not to show how smart or quick-witted
you think you may be. I am not that smart, but I work with this stuff a lot, and
it is good practice and feels good to know I tried to help someone. As long as this
is for home or test use, this can only lead to further understanding of Active Directory.
DO NOT use this post to try to set up a domain for a business or anything critical,
since setting up domains for anything other than play or testing needs to be done
ONLY AFTER CAREFUL PLANNING, RESEARCH, TRAINING (books, at least), AND TESTING.
GOOD LUCK! If you know AD and have something to contribute, POST HERE. Have a better
way to explain this while keeping it simple, POST HERE. Share what you know, and
learn what others share. Have fun.
ONE LAST TIP - Download Microsoft Virtual Server 2005-SP1 or VMware Virtual Server.
They are both free and will let you set up "virtual" computers or servers that are
"fully functional", except maybe 3D games and such. This is a great way to install
Windows Server, set up AD, and even get multiple servers working in a domain without
junking up the machine you use to surf the Internet, play games, and other usual
home stuff. This will take some extra RAM if you don't have much (1GB for one virtual
machine, 2GB for up to three VM's with 512MB each if you are lucky, and use 3GB to
run 2-3 VM's and still have plenty of RAM left for your "real" computer to run smoothly).
This will give you the ability to turn off the virtual machines, and have your computer
be basically just as it was before. Once you go VM, you will wonder why you had not
done that before. It is some really cool stuff, even the stuff you get for free
is some kick-a** stuff for testing, or even for big business if you really know what
you are doing.
On Friday, February 29, 2008 at 9:12 pm, nielson wrote:
>hi,
>i want to set up active directory. i am confident with the software but while i am
>installing it wants a full dns name as the domain name, which i would enter my (my
>domain name).dyndns.org but i have heard that this can be a security risk. is this
>true or is this an old wives tale?
>
>
>when i try to put in a single name for example i just put in 'domain' or 'nielson'
>instead of putting my dyndns.org domain name in windows server pops up with a message
>saying that this requires extra configuration. what are they talking about?
[Reply or follow-up to this message]
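The name-resolution effect described in the reply above, as an added example that is not part of the original post: a small model of a domain controller's DNS service that answers authoritatively for the AD zone and forwards everything else. The class, the function names and all host names and addresses are constructed for illustration.

```python
# Constructed model of a client that uses the AD domain controller as its
# first DNS server. All names and addresses below are sample values.

PUBLIC_DNS = {  # what the Internet would answer (constructed sample data)
    "www.dyndns.org": "203.0.113.10",
    "members.dyndns.org": "203.0.113.11",
    "www.example.com": "203.0.113.20",
}


class DomainControllerDNS:
    """DNS server that is authoritative for the AD zone and forwards the rest."""

    def __init__(self, ad_zone, hosts):
        self.zone = ad_zone.lower().rstrip(".")
        # Records registered by domain members, stored as FQDNs.
        self.records = {f"{h.lower()}.{self.zone}": ip for h, ip in hosts.items()}

    def is_authoritative(self, fqdn):
        return fqdn == self.zone or fqdn.endswith("." + self.zone)

    def resolve(self, name):
        fqdn = name.lower().rstrip(".")
        if "." not in fqdn:
            # Short name ("ping computer1"): the domain suffix is appended.
            fqdn = f"{fqdn}.{self.zone}"
        if self.is_authoritative(fqdn):
            # Authoritative answer: a miss is final, nothing is forwarded.
            return self.records.get(fqdn)
        return PUBLIC_DNS.get(fqdn)  # forwarded to the Internet


def check_domain_name(dns_name):
    """Return the problems the post describes for a proposed AD DNS name."""
    name = dns_name.lower().rstrip(".")
    problems = []
    if "." not in name:
        problems.append("single-label name")
    if any(n == name or n.endswith("." + name) for n in PUBLIC_DNS):
        problems.append("shadows public names")
    return problems
```

With the zone set to "dyndns.org", a lookup of www.dyndns.org returns nothing because the internal server believes it owns that name; with "home.loc" the same lookup is forwarded and succeeds.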