Active Directory Planning

Tags:
Active Directory
I am new to setting up Active Directory, so I apologize if this question seems basic. I have 2 domains I would like to be contained within this Active Directory. One (domain1 for our example) will be made accessible to the internet. In addition to these 2 domains there are currently multiple internet domains being hosted on the DNS server for websites we host on Win2k. There is a second server that I would like to set up to share the load of the first and take over anything from the first in the event of server failure (the server is set up, but not in service yet). To that end, both servers are running Windows 2000, SQL Server 2000, IIS 5.0, MS DNS, ISA and Exchange 2000. This is for an office shared by two companies. Most of the hardware is owned by the company represented by domain2. So my questions are:

1. Can I set up the AD using the structure domain2.com, domain1.domain2.com etc... and still make domain1 accessible to the internet for VPN sessions? Or should I direct the VPN to domain2 and from there (say an intranet website) direct the user to domain1?

2. Will AD share the DNS service with the other domains we host nicely, or should I anticipate some interesting times ahead? If anyone has any past experience with this, their thoughts and comments would be very much appreciated.

3. I promoted the DNS server to an AD domain controller and created a forest populated by one domain, domain2, so far. For reasons I haven't yet found (log files on the DNS server revealed nothing), the SRV records that were created by the promotion did not last past 2 days. Is there any tool or command I can use to rebuild them, or any article I can read to understand how they work so I can manually recreate them in the DNS server? Or might it be a better use of my time to just re-dcpromo again, remove the AD and redo the promotion?

Thank you in advance,
Jeff
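Question 3 asks how the SRV records created by dcpromo work and how to rebuild them. On a Windows 2000 domain controller the Net Logon service writes the complete list of records it tries to register to %SystemRoot%\System32\config\netlogon.dns, and it re-registers them whenever it starts (restart the Net Logon service, or run nltest /dsregdns from the Windows 2000 Support Tools), so hand-typing them is rarely necessary. If the records disappear again after re-registration, check whether the zone allows dynamic updates from the DC and whether aging/scavenging on the zone is removing records that are not being refreshed. The script below is an added example, not code from the poster or from either answer: it parses netlogon.dns-style records and a zone file in the same notation, reports which expected records the zone is missing, and prints the nslookup queries that confirm each gap from a client. The DC name dc1, the address 192.168.1.10 and both input listings are constructed for the example.

```python
"""Compare the DNS records a Windows 2000 domain controller expects to have
registered (its netlogon.dns listing) with what the zone actually contains.
Added example; every input below is constructed, not taken from the post."""

import re

# Record types Net Logon registers for a DC; SOA/NS lines in a zone file are ignored.
TRACKED_TYPES = {"A", "SRV", "CNAME"}

# One resource record per line, zone-file style:  name [ttl] [IN] type rdata
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$"
)

# Constructed stand-in for %SystemRoot%\System32\config\netlogon.dns on a DC
# named dc1 in domain2.com (hostname and address are made up).  These are the
# records dcpromo/Net Logon registers so that clients can locate the DC.
NETLOGON_DNS = """\
domain2.com. 600 IN A 192.168.1.10
_ldap._tcp.domain2.com. 600 IN SRV 0 100 389 dc1.domain2.com.
_ldap._tcp.dc._msdcs.domain2.com. 600 IN SRV 0 100 389 dc1.domain2.com.
_ldap._tcp.pdc._msdcs.domain2.com. 600 IN SRV 0 100 389 dc1.domain2.com.
_ldap._tcp.gc._msdcs.domain2.com. 600 IN SRV 0 100 3268 dc1.domain2.com.
_gc._tcp.domain2.com. 600 IN SRV 0 100 3268 dc1.domain2.com.
_kerberos._tcp.domain2.com. 600 IN SRV 0 100 88 dc1.domain2.com.
_kerberos._udp.domain2.com. 600 IN SRV 0 100 88 dc1.domain2.com.
_kerberos._tcp.dc._msdcs.domain2.com. 600 IN SRV 0 100 88 dc1.domain2.com.
_kpasswd._tcp.domain2.com. 600 IN SRV 0 100 464 dc1.domain2.com.
_kpasswd._udp.domain2.com. 600 IN SRV 0 100 464 dc1.domain2.com.
gc._msdcs.domain2.com. 600 IN A 192.168.1.10
"""

# Constructed zone file for domain2.com after most SRV records have vanished,
# in the relative-name/$ORIGIN style Windows DNS writes to
# %SystemRoot%\System32\dns\<zone>.dns for a standard primary zone.
ZONE_DNS = """\
$ORIGIN domain2.com.
@ 3600 IN SOA dc1.domain2.com. hostmaster.domain2.com. (
        12 ; serial
        900 600 86400 3600 )
@ 3600 IN NS dc1.domain2.com.
@ 600 A 192.168.1.10
dc1 600 A 192.168.1.10
_ldap._tcp 600 SRV 0 100 389 dc1.domain2.com.
_kerberos._tcp 600 SRV 0 100 88 dc1.domain2.com.
gc._msdcs 600 A 192.168.1.10
"""


def parse_records(text, origin=None):
    """Return the set of (owner name, type, rdata) for tracked records in text.

    Names are qualified against the current $ORIGIN and lowercased, and TTLs
    are dropped, so a netlogon.dns listing and a zone file describing the same
    records compare equal.  Lines that are not single-line resource records
    (SOA continuation lines, comments, blanks) are skipped.
    """
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' begins a zone-file comment
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            origin = origin if origin.endswith(".") else origin + "."
            continue
        if line.startswith("$"):                 # $TTL and other directives
            continue
        m = RECORD_RE.match(line)
        if not m or m.group("type") not in TRACKED_TYPES:
            continue
        name = m.group("name").lower()
        if name == "@" or not name.endswith("."):
            if origin is None:
                raise ValueError(f"relative name {name!r} but no $ORIGIN known")
            name = origin if name == "@" else f"{name}.{origin}"
        rdata = " ".join(m.group("rdata").lower().split())
        records.add((name, m.group("type"), rdata))
    return records


def missing_records(expected, actual):
    """Records the DC expects that the zone does not serve, sorted by name."""
    return sorted(expected - actual)


def nslookup_commands(missing, dns_server):
    """Query to run from a client to confirm each gap; an SRV lookup that
    returns nothing is exactly the symptom of a DC that clients cannot find."""
    return [f"nslookup -type={rtype} {name} {dns_server}" for name, rtype, _ in missing]


def check_zone(expected_text=NETLOGON_DNS, zone_text=ZONE_DNS):
    return missing_records(parse_records(expected_text), parse_records(zone_text))


if __name__ == "__main__":
    gaps = check_zone()
    print(f"{len(gaps)} expected record(s) missing from the zone:")
    for name, rtype, rdata in gaps:
        print(f"  {name} {rtype} {rdata}")
    print("Confirm from a client with:")
    for cmd in nslookup_commands(gaps, "192.168.1.10"):
        print("  " + cmd)
```

On the constructed inputs the zone still has the A records and the plain _ldap._tcp and _kerberos._tcp entries, but the _msdcs, _gc, _kpasswd and UDP Kerberos records are gone, which is enough to break domain joins and Kerberos password changes even though nslookup of the zone apex looks healthy. For an AD-integrated zone there is no .dns file to read; feed the script the output of an nslookup or dnscmd record listing rewritten into the same one-record-per-line form.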

Answer Wiki


1. Can I set up the AD using the structure
domain2.com
domain1.domain2.com
etc…
and still make domain1 accessible to the internet for VPN sessions? Or should I direct the VPN to domain2 and from there (say an intranet website) direct the user to domain1?

Our AD is similar to the AD you want to set up. Hope this can help you. Our AD consists of two internal domains, none of them accessible from the internet, as you would like one of your domains to be. I'm in charge of administering domain2, which is domain2.domain1.com.

As you may see, the structure you suggest is possible within AD; however, the first domain in the forest takes precedence, that is, it will be the master administrator. You cannot have domain2 as part of domain1.

As to the VPN, I see no problem accessing any domain through a VPN and from there jumping to the other domains, as long as the domain users of domain2 have access to services in domain1. Contact your ISP for this.

2. Will AD share the DNS service with the other domains we host nicely, or should I anticipate some interesting times ahead? If anyone has any past experience with this, their thoughts and comments would be very much appreciated.

That's the way our network is set up. Domain2 uses the domain1 DNS server without any problem. Just configure the domain1 server's network properties to point to the domain1 DNS server. We have no problems at all with this setup. I want to make clear that our domain1 and domain2 reside on different domain servers and that domain users validate in their respective domain server to access services in the LAN/WAN.

Another thing: do not use a domain server for anything other than validating domain user accounts and acting as a DNS server. If you have other applications like SQL Server or Exchange, install them on their own servers. Never install Exchange and SQL on the same server or, worse, on a server acting as a domain server.

Discuss This Question: 1 Reply

  • Astronomer
    Jeff: Before you do anything, you should plan out your domain migration. Here is a Microsoft link for this: http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookintr.mspx I strongly recommend you read all of this before proceeding any farther. As indicated in their literature, you should start the forest with a system in the root domain, not a subdomain.

    The other response is correct about mixing domain controllers with other jobs. In our environment we have a parent and two child domains. Originally the domain controllers were doing all sorts of functions. We now have two domain controllers dedicated to functions like integrated DNS, RADIUS, WINS and other functions tightly integrated with domain functions. Now our root domain is much more stable. Microsoft is very clear about not running Exchange on a domain controller. Also, it isn't advisable to run SQL on a system exposed to the internet.

    As far as VPN access and public visibility, there should be no problem running VPNs to any device in your net. This is mainly a function of firewall rules. First decide exactly what you want to do with VPNs and it should become clear how they need to be configured. Remember these are extensions of your internal network. I would caution you about having a domain controller visible on the internet. This is a juicy target. We have all of our domain controllers behind the inner firewall. The outside world sees two Linux DNS servers to resolve our public presence services and our domain controllers forward their external DNS requests through them.

    You can use the same domain naming structure for your internal domain as you use for the external world, or they can be completely different. If they are different but close, you may run into some confusion now and then. We were told there were no issues with using a slightly different name space. This turned out to be untrue.

    Sorry about the extended answer, but you seem to be rolling many complex issues into a single request. Since you are hosting public servers, your first concern should be security. You need to protect your internal domains while providing external connectivity and services. In our environment, the VPN server and web server ask the domain controllers for user authentication through the inner firewall. This is the closest we come to allowing domain controllers on the outside. rt
