Local domain name. Renaming an Active Directory Domain Controller

It's 2015, the Internet is everywhere, and every self-respecting company has long had its own website. You don't have to look far: even every city hospital has its own web resources. And yet sysadmins still have not learned how to give their domains proper names.

A second-level domain (for example, bissquit.com) costs just over 500 rubles a year. That is very little even for ordinary people like you and me, and for a company it is mere pennies. I bought my domain long before I had the idea of starting this little blog. It is simply convenient. Take even a remote connection over RDP: I type my domain name instead of a dull IP address.

On the Internet, almost every site that comes up for the query "active directory domain best practices" contains comprehensive recommendations on naming AD domains and explains why they matter. Let's take a closer look at what the recommendations actually are:

  • Use a subdomain of your organization's officially registered domain to name your AD domain.

That's right, just one piece of advice. That's all! You can talk at length about details and small nuances, but 80-90% of the reasoning comes down to the single piece of advice above. All the problems stem from the fact that a person knows this should be done but does not understand why doing it differently is impossible or strongly discouraged. So, the details.

1. Why can't you use internal names that cannot be resolved externally, such as .local, .corp or .lan?

You can. As much as you like. Most people do exactly that. I have friends with 2000+ people in their organizations who use a .local domain. The difficulties start the moment you suddenly need a real AD domain name. This can happen with hybrid cloud deployments (the prime example is Exchange + Office 365). "Why not just rename the domain, since a certain version of AD allows it?" you ask. Yes, in principle you can, but you have to face the difficulties of migrating domain-dependent services. Exchange is again among them, along with others, but Exchange alone is more than enough.

2. "OK, we buy a real external name, my-company.com, and name the AD domain the same." Also not an option. You will have problems resolving other resources located at my-company.com, for example the company's website. Besides, your DNS servers will not be authoritative for that domain, although they will consider themselves to be. This causes problems too.

There are other considerations for domain naming, including creating a domain that looks like the real one but in a different TLD. But I see little sense in doing this, because some of the problems still remain, and there are simply no obvious advantages compared with using the corp.my-company.com domain (the name is taken as an example).

For those who like to do everything their own way, certificate problems have recently been added on top, so there is no longer any point in using internal names at all.

Technically, choosing a domain name comes down to nothing more than the one line where you type the name when creating the AD domain. However, the consequences of the wrong choice will cause you many problems in the future, which is why it is so important to do everything properly at the planning stage. Once again, it is a good idea to read articles by experienced admins.

Good afternoon, dear readers and subscribers. I haven't written about Windows domains for a long time; today I will fix that, and we will look at a fundamental topic: how to name an Active Directory domain correctly. The name determines whether your services function correctly later, and a good choice reduces the number of problems a badly named domain service can cause.

Active Directory Name Selection Errors

If you have been reading my blog for a long time, or have only just joined, let me remind you of the introductory article, Introduction to Active Directory, where I tried to explain what AD is, how it works and, most importantly, what components it consists of. If you read it carefully, you know that Active Directory cannot function without DNS servers.

  • I'm sure most of you know that DNS names on the Internet are built on a certain principle: they consist only of digits, letters, dots and hyphens (I am not talking about the different DNS record types here). There is a standard, RFC 1123, on domain naming, where it is written in black and white that the following special characters must not appear in names: the at sign @, the tilde ~, the number sign #, the slashes / and \, and the underscore. If you have chosen a domain name that contains an underscore, you will, for example, have big problems with an MS Exchange mail server. If there were no standards, there would be chaos.
  • People choose external addresses, or rather second-level names, as local names for Active Directory. A simple example: say I have a company, Pyatilistnik.inc, and the administrator decides to install an Active Directory controller and create a domain structure, but takes pyatilistnik as its local name. Imagine the chaos when people need to reach the company's site from the local network: there will be a conflict with the AD name, and to solve it you will have to maintain both the external DNS zone and the internal one, which is inconvenient and will lead to errors. Below I will explain how to name an Active Directory domain correctly.
  • Zone names that are not in ICANN's official global registry. Examples are .local or, say, .nn zones, although I am sure the standard will eventually reach them too, since selling names out of thin air is profitable for that organization; which domains you cannot find now is not today's topic. It is not correct to use these names in Active Directory, since they cannot be used outside your office and you cannot obtain an SSL certificate for such a domain.

Although if you are doing this in a test environment, then you can.

  • Disjoint namespace: there are situations where the DNS name of a domain controller or computer does not match its NetBIOS name, for example if my controller had the NetBIOS name dc6 and a domain dc site. Such constructions work and can arise when enterprises merge, but with a disjoint namespace you can step on a rake with the same MS Exchange. Below is an example where the NetBIOS and DNS names match.

How to name an active directory domain correctly

We have seen how not to do it; now let's do everything properly. I will say right away that in a test environment you can call AD whatever you like, even microsoft.com. But seriously, let's get back to our company Pyatilistnik.inc. For the Active Directory domain zone I would choose a third-level zone, ad.site. The company's website would be hung on a logical site. Thanks to this there would be no problems with the MS Exchange server. If you have several branches, for example Nizhny Novgorod and Moscow, then I advise using one forest; for Moscow I choose ad..ad.site. I hope you now understand how to name the Active Directory domain better and more correctly.
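As an added example (not code from either blog post), the naming rules above and the disjoint-namespace case from the list can be turned into a pre-flight check. The first function scores a proposed AD domain name against the rules discussed (RFC 1123 characters, underscore, unregistered TLDs, reuse of the public name, subdomain of the registered domain); the second reads the local machine's AD domain and primary DNS suffix and reports whether they differ. The candidate names are constructed for the Pyatilistnik.inc example; nothing here changes anything in AD.

```powershell
# Added example (not code from the original posts): a pre-flight check for a
# proposed AD domain name against the naming rules discussed above, plus a
# check for the disjoint-namespace situation on the machine it runs on.
# Nothing here touches AD; the candidate names below are constructed.

function Test-AdDomainNameCandidate {
    param(
        [Parameter(Mandatory)] [string] $Candidate,     # proposed AD DNS name
        [Parameter(Mandatory)] [string] $PublicDomain   # registered public domain
    )
    $problems  = @()
    $candidate = $Candidate.ToLowerInvariant()
    $public    = $PublicDomain.ToLowerInvariant()
    $labels    = $candidate.Split('.')

    # RFC 1123 label rules: letters, digits and hyphens, no hyphen at either end,
    # at most 63 characters. @ ~ # / \ and the underscore all fail this test.
    foreach ($label in $labels) {
        if ($label -notmatch '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$') {
            $problems += "label '$label' violates RFC 1123 (only letters, digits and hyphens)"
        }
    }
    if ($candidate.Contains('_')) {
        $problems += 'underscore in the name: expect trouble with MS Exchange'
    }

    # A single label (a bare "pyatilistnik") is not usable as an AD domain name.
    if ($labels.Count -lt 2) {
        $problems += 'single-label names are not supported as AD domain names'
    }

    # TLDs outside the ICANN registry cannot be resolved outside the office and
    # no public CA will issue a certificate for them.
    $internalTlds = 'local', 'corp', 'lan', 'internal', 'localdomain'
    if ($labels[-1] -in $internalTlds) {
        $problems += "'.$($labels[-1])' is not a registered TLD: unresolvable externally, no public SSL certificate"
    }

    # Reusing the public name makes internal DNS pretend to be authoritative for
    # the zone that hosts the company website.
    if ($candidate -eq $public) {
        $problems += "'$candidate' is the public domain itself: internal DNS would hide www.$public"
    }
    elseif (-not $candidate.EndsWith(".$public")) {
        $problems += "'$candidate' is not a subdomain of '$public'; the recommendation is ad.$public or corp.$public"
    }

    [pscustomobject]@{
        Candidate   = $Candidate
        Recommended = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

function Test-DisjointNamespace {
    # Disjoint namespace: the computer's primary DNS suffix differs from the DNS
    # name of the AD domain it belongs to. Both values are read locally.
    $adDomain  = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    $dnsSuffix = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Domain
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        AdDomain         = $adDomain
        PrimaryDnsSuffix = $dnsSuffix
        Disjoint         = ($adDomain -ne $dnsSuffix)
    }
}

# Constructed candidates for the Pyatilistnik.inc example used in the text.
'pyatilistnik.inc', 'pyatilistnik.local', 'my_company.inc', 'ad.pyatilistnik.inc' |
    ForEach-Object { Test-AdDomainNameCandidate -Candidate $_ -PublicDomain 'pyatilistnik.inc' } |
    Format-List

Test-DisjointNamespace
```

Of the four constructed candidates only ad.pyatilistnik.inc comes back with Recommended set to true; the other three each collect the specific objection the text raises against them. Test-DisjointNamespace reports Disjoint = True exactly when the primary DNS suffix in the TCP/IP parameters differs from the domain the computer is joined to, which is the situation the last bullet warns about.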

In rare cases the domain services administrator faces the task of renaming the current domain. The reasons vary, but the situation is quite possible. Although this task cannot be called trivial, you occasionally have to deal with it, and it is extremely important to do everything correctly: otherwise the outcome can be critically dangerous, up to a completely inoperable corporate infrastructure. So, later in this article you will learn the prerequisites for this operation, some of its restrictions, and how to rename your domain. Before we begin: please do not perform these steps in production until you have successfully renamed a test domain in a lab environment. Let's start.

Prerequisites

Before you start renaming your domain, be sure to consider the following information:

  • Active Directory forest functional level. You can perform domain rename tasks only if every domain in the forest runs at least Windows Server 2003 (there are no edition restrictions). Moreover, the forest functional level must be raised to at least Windows Server 2003. In other words, if your forest is at the Windows 2000 functional level, the following operation is simply impossible;
  • Domain location. There can be different levels of domains in an Active Directory forest: either a single domain, or a forest that includes child domains. If you change the location of the domain controller within the forest, you will have to create a trust relationship;
  • DNS zone. Before performing the domain rename operation, you need to create a new DNS zone;
  • Administrative credentials. To perform the domain rename operation, you must be logged on with an administrative account that is a member of the Enterprise Admins group;
  • Distributed File System (DFS) servers. If DFS is deployed or roaming profiles are configured in your corporate environment, note that the DFS root servers must run at least Windows Server 2000 with Service Pack 3 or later;
  • Incompatibility with Microsoft Exchange servers. The most frustrating point: if Microsoft Exchange Server 2003 Service Pack 1 is deployed in your Active Directory forest, the domain rename will go through without problems, but the user account that performs the rename must be a member of the Full Exchange Administrator group. All newer mail servers (up to and including Exchange Server 2016) are incompatible with the domain rename operation.

Also note that you must freeze all upcoming Active Directory forest configuration changes while the domain is being renamed. In other words, make sure that your forest configuration does not change until the domain rename operation is complete (see below for how this step is done). Such changes include: creating or removing domains in your Active Directory forest, creating or removing application directory partitions, adding or removing domain controllers in the forest, creating or removing a directly established trust, and adding or removing attributes that are replicated to the global catalog.

Just in case, I would also suggest making a full system state backup on every domain controller in your Active Directory forest. When performing this task, that precaution will definitely not be superfluous.
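The prerequisites above can be checked before anything is touched. The following script is an added example, not part of the original article: it reads the forest with the ActiveDirectory RSAT module and reports on the functional level, the operating systems of the domain controllers, the current account's Enterprise Admins membership, the presence of an Exchange organization, and the domain layout. The distinguished name used to detect Exchange (CN=Microsoft Exchange,CN=Services under the configuration partition) is the standard container location and is an assumption to confirm in your own forest. The script changes nothing.

```powershell
# Added example, not from the original article: a read-only pre-flight check
# for the domain rename prerequisites. Needs the ActiveDirectory RSAT module
# and read access to the forest. The Exchange container DN is an assumption
# (standard location in the configuration partition).
Import-Module ActiveDirectory

function Test-DomainRenamePrerequisites {
    $forest   = Get-ADForest
    $rootDse  = Get-ADRootDSE
    $findings = New-Object System.Collections.Generic.List[object]

    # Forest functional level: anything below Windows Server 2003 blocks the rename.
    $findings.Add([pscustomobject]@{
        Check  = 'Forest functional level is at least Windows Server 2003'
        Ok     = ($forest.ForestMode -ne 'Windows2000Forest')
        Detail = [string]$forest.ForestMode })

    # Every DC in every domain of the forest must run Windows Server 2003 or later.
    $oldDcs = @($forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
               Where-Object { $_.OperatingSystem -like '*2000*' })
    $findings.Add([pscustomobject]@{
        Check  = 'No Windows 2000 domain controllers'
        Ok     = ($oldDcs.Count -eq 0)
        Detail = (($oldDcs | ForEach-Object HostName) -join ', ') })

    # The account running rendom must be in Enterprise Admins (RID 519 in the forest root).
    $eaSid     = '{0}-519' -f (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
    $tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object Value
    $findings.Add([pscustomobject]@{
        Check  = 'Current account is a member of Enterprise Admins'
        Ok     = ($tokenSids -contains $eaSid)
        Detail = $eaSid })

    # Exchange: an Exchange organization in the configuration partition means stop
    # (only Exchange 2003 SP1 tolerates a domain rename).
    $exchangeDn = 'CN=Microsoft Exchange,CN=Services,{0}' -f $rootDse.configurationNamingContext
    $exchange   = Get-ADObject -Identity $exchangeDn -ErrorAction SilentlyContinue
    $findings.Add([pscustomobject]@{
        Check  = 'No Microsoft Exchange organization in the forest'
        Ok     = ($null -eq $exchange)
        Detail = $(if ($exchange) { $exchangeDn } else { 'not found' }) })

    # Child domains: a rename that moves a domain within the tree needs trust work.
    $findings.Add([pscustomobject]@{
        Check  = 'Domains in the forest (review the tree layout)'
        Ok     = $true
        Detail = ($forest.Domains -join ', ') })

    # Steps rendom cannot verify for you: backups and the configuration freeze.
    $findings.Add([pscustomobject]@{
        Check  = 'System state backup on every DC; forest changes frozen'
        Ok     = $false
        Detail = 'confirm manually before rendom /upload' })

    return $findings
}

Test-DomainRenamePrerequisites | Format-Table -AutoSize
```

The last row is deliberately reported as not OK: the backup and the configuration freeze are organizational steps, and the table is meant to be read as a checklist that is not complete until someone confirms them by hand.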

If your infrastructure meets the requirements above and all the required backups have been made, you can proceed to renaming the domain.

Active Directory Domain Rename Process

First, to check the original name of your domain, you can open the System Properties window. As you can see in the accompanying illustration, my domain is called "Biopharmaceutic.local":

Figure: 1. Checking the original Active Directory domain name

You should now create a new DNS zone, "biopharm.local", so that after a successful domain rename your member servers and clients can join the new domain name without trouble. To do this, open DNS Manager and, in Forward Lookup Zones, choose to create a new zone. The zone is created as usual: on the first page of the New Zone Wizard read the introductory information and go to the second page. On the zone type page, select Primary Zone and make sure the option to store the zone in Active Directory is enabled. On the zone replication scope page, leave the default option, "To all DNS servers running on domain controllers in this domain: Biopharmaceutic.local". On the zone name page, specify the new domain name (biopharm.local), and on the dynamic update page also leave the default option, "Allow only secure dynamic updates (recommended for Active Directory)". Several stages of creating the new zone are shown below:

Figure: 2. Create a new DNS zone

The next step in the domain rename is to generate a description of the current state of the forest. This is the first domain rename operation that uses the command line utility Rendom. The utility writes a textual description of your current forest structure to an XML file named Domainlist.xml. The file lists all domain directory partitions and all application directory partitions in your Active Directory forest. Each domain and application directory partition entry is delimited by its own pair of XML tags. Moreover, each entry contains the globally unique identifier (GUID) of the root partition object, the DNS name of the domain or application directory, and the NetBIOS name of the domain.

To create this file, open a command prompt under the appropriate account and run "rendom /list". The generated file is saved in the root directory of your user account. Next, open the file in any text editor.

In this file you need to change the domain name inside each section delimited by its tags, and the NetBIOS name inside its own tags. Be sure to note that you must not change the GUID inside the corresponding tags.

The following illustration shows the above command being executed, the location of the Domainlist.xml file, and the changes to the first section of the file. In my case the domain name in this configuration is changed 4 times:

Figure: 3. Generation and modification of the Domainlist.xml file

To make sure you have made the required changes to the file, run "rendom /showforest". As you can see in the following illustration, all my entries have changed to "Biopharm":

Figure: 4. View potential changes

When you run the next command (rendom /upload), the Rendom utility translates the new forest structure from the edited file into a sequence of directory update instructions that will run locally and remotely on every domain controller in the forest. In general terms, at this point the changes are written to the configuration directory partition on the domain naming master to rename the Active Directory domain. In addition, a Dclist.xml file is created and used to track the progress and status of each domain controller in the forest during the domain rename operation. By the way, at this point the Rendom utility freezes your Active Directory forest against any changes to its configuration. The execution of this command is shown below:

Figure: 5. Executing the rendom / upload command

The next command checks the readiness of the domain controllers before the domain rename. During this step the preparatory check command must run against every domain controller in the forest. This ensures that the Active Directory database on every domain controller in the forest is in the correct state and ready for the changes that will rename your domain. So run "rendom /prepare", as shown in the following illustration:

Figure: 6. Preparing the domain for renaming

The most crucial moment: running "rendom /execute". When you run this command, the domain rename instructions are carried out in the domain. Essentially, at this very moment each domain controller in the forest is contacted individually and forced to follow the instructions to rename the domain. On completion of this operation, each domain controller reboots. Refer to the following illustration for the domain rename process:

Figure: 7. Domain Rename Process

But that's not all. Even though your domain has essentially already been renamed, you still have to fix GPOs and their links after the domain rename operation is complete. Use the command line utility Gpfixup.exe to repair GPOs and GPO links in each renamed domain. This procedure cannot be skipped: without it, Group Policies simply will not function correctly after a domain is renamed within the forest. Note that this command must be run once in every renamed domain. So run gpfixup once with the parameters /olddns:Biopharmaceutic.local (the old name of the renamed domain) and /newdns:Biopharm.local (the new domain name), and then gpfixup with the parameters /oldnb:Biopharmaceutic and /newnb:Biopharm (the old and new NetBIOS names of your domain, respectively). The procedure is shown below:

Figure: 8. Repairing Group Policy Objects

Only two commands remain: "rendom /clean", which removes all references to the old domain names from your Active Directory, and "rendom /end", which in fact unfreezes the Active Directory forest so that its configuration can be changed again. The execution of these commands is shown in the following illustration:

Figure: 9. Completion of renaming the Active Directory domain

Member servers and client computers must be rebooted twice for the changes to apply. Domain controllers, however, have to be renamed manually. As you can see in the following illustration, my domain controller's name remained the same.
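The whole walkthrough, from the new DNS zone to rendom /end, can be driven from one script. The one below is an added example and is not part of the original article. It is split into three phases because every domain controller reboots after rendom /execute, and it is meant to run from a member server rather than from a DC. The domain names are the article's (Biopharmaceutic.local to biopharm.local); the DNS server name, the working directory and the Domainlist.xml element names DNSname and NetBiosName are assumptions (the element names follow Microsoft's documented rendom format; compare them with the file rendom /list actually produces before trusting the automated edit). GUIDs are never modified, and the edited file is reviewed with rendom /showforest before anything is written to the directory.

```powershell
# Added example, not from the original article: the domain rename walkthrough
# as a script in three phases (every DC reboots after rendom /execute).
# Names are the article's; DNS server, working directory and the Domainlist.xml
# element names are assumptions to verify against your own environment.
$ErrorActionPreference = 'Stop'
$OldDns    = 'Biopharmaceutic.local'; $NewDns = 'biopharm.local'
$OldNb     = 'Biopharmaceutic';       $NewNb  = 'Biopharm'
$DnsServer = 'dc01.Biopharmaceutic.local'   # assumed: a DC running the DNS Server role
$Work      = 'C:\DomainRename'              # assumed: rendom writes its files to the current directory

function Invoke-Native {
    # rendom and gpfixup are native executables: check their exit codes explicitly.
    param([string]$Exe, [string[]]$Arguments)
    Write-Host "== $Exe $($Arguments -join ' ')"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Start-RenamePhase1 {
    # Figures 2-4: new AD-integrated zone with secure dynamic updates only,
    # forest description, edited Domainlist.xml, review with /showforest.
    New-Item -ItemType Directory -Path $Work -Force | Out-Null
    Set-Location $Work
    Add-DnsServerPrimaryZone -ComputerName $DnsServer -Name $NewDns -ReplicationScope Domain -DynamicUpdate Secure

    Invoke-Native rendom @('/list')
    Copy-Item 'Domainlist.xml' 'Domainlist.xml.orig'
    [xml]$list = Get-Content 'Domainlist.xml'
    foreach ($entry in $list.Forest.Domain) {
        # Every partition whose DNS name ends with the old domain name gets the
        # new suffix (the domain itself, DomainDnsZones, ForestDnsZones, ...).
        # NetBIOS names change only where one is set; GUIDs are left untouched.
        if ($entry.DNSname -imatch ('(^|\.)' + [regex]::Escape($OldDns) + '$')) {
            $entry.DNSname = $entry.DNSname -ireplace ([regex]::Escape($OldDns) + '$'), $NewDns
        }
        if ($entry.NetBiosName -ieq $OldNb) { $entry.NetBiosName = $NewNb }
    }
    $list.Save((Join-Path $Work 'Domainlist.xml'))
    Invoke-Native rendom @('/showforest')   # review before anything is written to AD
}

function Start-RenamePhase2 {
    # Figures 5-7: /upload freezes the forest, /prepare checks every DC,
    # /execute renames and reboots every DC.
    Set-Location $Work
    if ((Read-Host "Rename $OldDns to $NewDns on every DC? Type YES to continue") -cne 'YES') { return }
    foreach ($step in '/upload', '/prepare', '/execute') {
        Invoke-Native rendom @($step)      # on failure, Dclist.xml shows which DC is stuck
    }
    Write-Host 'Wait until every domain controller is back online before running phase 3.'
}

function Start-RenamePhase3 {
    # Figures 8-9: repair GPOs and their links in the renamed domain, then
    # remove old references and unfreeze the forest.
    Set-Location $Work
    Invoke-Native gpfixup @("/olddns:$OldDns", "/newdns:$NewDns")
    Invoke-Native gpfixup @("/oldnb:$OldNb", "/newnb:$NewNb")
    Invoke-Native rendom  @('/clean')
    Invoke-Native rendom  @('/end')
    Write-Host 'Reboot member servers and clients twice; rename the domain controllers by hand.'
}

# Run one phase at a time, checking the output of each before the next:
# Start-RenamePhase1; Start-RenamePhase2; Start-RenamePhase3
```

The phases are separate functions on purpose: phase 1 is safe to repeat, phase 2 is the point of no return and asks for an explicit YES, and phase 3 must not start until all domain controllers have rebooted, which is something the script cannot reliably wait for on its own.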

What is a domain controller

A domain controller provides centralized management of network devices, that is, of domains. The controller stores all information about the accounts and settings of network users: security settings, local policy and much more. It is a kind of server that completely controls a specific network or network group. A domain controller is a set of special software that runs the various Active Directory services. The controllers run specific operating systems, such as Windows Server 2003. The Active Directory Installation Wizard lets you create domain controllers.

The Windows NT operating system uses the primary domain controller (PDC) as the main server; the other servers are used as backup domain controllers (BDC). The PDC handles tasks such as user group membership, creating and changing passwords, adding users and many others. The data is then transferred to the BDCs.

Samba 4 software can be used as a domain controller on Unix operating systems. It also supports other operating systems, such as Windows 2003, 2008, 2003 R2 and 2008 R2. Each of the operating systems can be extended, if necessary, depending on specific requirements and parameters.

Using domain controllers

Domain controllers are used by many organizations whose computers are connected to each other and to the network. The controllers store directory data, control users' logon to and logoff from the system, and manage the interaction between them.

Organizations using a domain controller need to decide how many to deploy and plan for data backup, physical security, server upgrades and other necessary tasks.

If the company or organization is small and uses only one domain network, two controllers are enough to provide high stability, fault tolerance and a high level of network availability. In networks divided into several sites, one controller is installed at each site, which achieves the necessary performance and reliability. Using controllers at each site significantly simplifies and speeds up user logon.

To do this, network traffic can be optimized by scheduling replication updates for times when the network load is minimal. Setting up replication will greatly simplify your work and make it more productive.

You can achieve maximum performance of the controller if the domain controller is a global catalog, which lets you query any object by a specific attribute. However, remember that enabling the global catalog entails a significant increase in replication traffic.

It is best not to enable this on the master domain controller if more than one domain controller is used. When using a domain controller it is very important to take care of security, because it becomes an attractive target for attackers who want to get hold of the data stored on it.

Considerations for installing additional domain controllers

To achieve higher reliability of the necessary network services, additional domain controllers must be installed. This gives significantly higher stability, reliability and operational safety. Network performance also becomes much higher, which is a very important parameter for organizations that use a domain controller.

Some preparatory work is required for the domain controller to function properly. The first thing to do is check the server's TCP/IP parameters; they must be set correctly. The most important thing is to check DNS names for conflicts.

For the secure operation of a domain controller, you must use the NTFS file system, which provides higher security than FAT32. For installation on the server, create one NTFS partition on which the system volume will reside. The server also needs access to a DNS server. DNS is installed on this or an additional server, and it must support the required resource records.

To configure the domain controller properly, you can use the Configuration Wizard, which lets you add specific roles. To do this, go to the administration section via the Control Panel. Specify domain controller as the server role.
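The preparatory checks described above (TCP/IP settings, DNS names, NTFS) can be scripted before the role is added. The following is an added example, not part of the original text: it verifies a static IPv4 address, that the domain's DC locator SRV records resolve from the server, that the server's own host name does not already resolve to a different address, and that the system volume is NTFS, then hands over to Test-ADDSDomainControllerInstallation, the ADDSDeployment module's prerequisite check, instead of the wizard. It assumes Windows Server 2012 or later; the domain name is constructed.

```powershell
# Added example, not from the original text: preparatory checks for an
# additional domain controller (TCP/IP, DNS names, NTFS), followed by the
# ADDSDeployment module's own prerequisite test in place of the wizard.
# Assumes Windows Server 2012 or later; the domain name is constructed.
$Domain = 'corp.my-company.com'   # constructed: DNS name of the existing domain

function Test-AdditionalDcPrerequisites {
    param([Parameter(Mandatory)] [string] $DomainName)
    $results = New-Object System.Collections.Generic.List[object]

    # TCP/IP: a DC needs a static address; the adapter with the default gateway is the one that matters.
    $cfg  = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1
    $dhcp = (Get-NetIPInterface -InterfaceIndex $cfg.InterfaceIndex -AddressFamily IPv4).Dhcp
    $results.Add([pscustomobject]@{
        Check = 'Static IPv4 address'; Ok = ($dhcp -eq 'Disabled')
        Detail = (($cfg.IPv4Address.IPAddress) -join ', ') })

    # DNS: the DC locator SRV records for the domain must resolve from this server.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'SRV'
    $results.Add([pscustomobject]@{
        Check = "SRV records for $DomainName resolve"; Ok = ($null -ne $srv)
        Detail = (($srv.NameTarget) -join ', ') })

    # DNS names: the new server's name must not already point at a different host.
    $own      = Get-NetIPAddress -AddressFamily IPv4 -InterfaceIndex $cfg.InterfaceIndex | ForEach-Object IPAddress
    $existing = Resolve-DnsName -Name "$env:COMPUTERNAME.$DomainName" -Type A -ErrorAction SilentlyContinue |
                Where-Object Type -eq 'A' | ForEach-Object IPAddress
    $conflict = @($existing | Where-Object { $_ -notin $own }).Count -gt 0
    $results.Add([pscustomobject]@{
        Check = 'No conflicting DNS record for this host name'; Ok = (-not $conflict)
        Detail = ($existing -join ', ') })

    # NTFS: SYSVOL and the AD database require NTFS; FAT32 is not acceptable.
    $vol = Get-Volume -DriveLetter $env:SystemDrive.TrimEnd(':')
    $results.Add([pscustomobject]@{
        Check = 'System volume is NTFS'; Ok = ($vol.FileSystem -eq 'NTFS'); Detail = $vol.FileSystem })

    return $results
}

Test-AdditionalDcPrerequisites -DomainName $Domain | Format-Table -AutoSize

# Microsoft's own prerequisite checks for the role, without making any change:
Import-Module ADDSDeployment
Test-ADDSDomainControllerInstallation -DomainName $Domain -InstallDns `
    -Credential (Get-Credential -Message "Domain Admins account for $Domain") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
```

Only when every row reports Ok = True and the ADDSDeployment test passes is it worth proceeding to the actual promotion; a failed SRV lookup in particular means the server is pointed at a DNS server that does not host the domain's zone, which the text singles out as the most important thing to get right.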

Today the domain controller is indispensable for the networks and sites of organizations, institutions and companies in every area of human activity. Thanks to it, high productivity and security are ensured, which is of particular importance in computer networks. The role of a domain controller is very important, because it lets you manage domains built on computer networks. Each operating system has its own nuances in how domain controllers operate, but the principle and purpose are the same everywhere, so working out the settings is not as difficult as it may seem at first. Still, it is very important that domain controllers are configured by experts so that high performance and security are achieved in operation.