With this Active Directory tutorial, find out how to get your servers up and running, and at the same time ensure your network systems retain proper Internet access.
This Active Directory tutorial is aimed at users looking to install and work with Active Directory on a small or home network. If you are planning a major Active Directory deployment, much of what is outlined here will hold true; however, for the nitty-gritty details, we recommend checking our numerous Windows Server 2008 and 2008 R2 Active Directory articles and other recent articles about Active Directory capabilities and limitations. News about Active Directory can also be found on ServerWatch.
Setting up Active Directory is not difficult. However, many people experience problems with their installation shortly after completing it because they neglect to properly plan their implementation of DNS. I receive e-mail on almost a weekly basis from users who have gone ahead and run dcpromo, and then wonder why client systems can't properly connect to the Internet. The purpose of this article is to act as a quick primer toward ensuring that Active Directory works, while at the same time allowing your network systems proper Internet access.
Before I begin, it's worth mentioning that this article is aimed at users who are looking to install and work with Active Directory on a small or home network. It is not aimed at users upgrading from NT 4 or those planning a major Active Directory deployment including Exchange 2000, although the central concepts outlined still hold true. However, if you are looking for a quick and easy guide to setting up an AD test network, then this article should help to ensure that you get started on the right foot. I assume that the server we are configuring will be the first domain controller in your new Active Directory domain, and that your internal systems can already access the Internet via some method, such as Internet Connection Sharing, NAT, or perhaps some type of connection-sharing hardware router.
The first and most important step in installing Windows 2000 Active Directory is properly planning your DNS implementation. AD cannot exist without DNS: clients and other domain controllers locate a domain controller by querying the SRV records it registers in DNS, so if those lookups fail, logons, domain joins and replication fail with them. This is well worth paying attention to. Unfortunately, in their quest for simplicity, Microsoft decided that DNS would be installed automatically as part of the Active Directory installation process if you didn't explicitly configure it in advance. As such, my suggestion is that you always configure DNS manually prior to even considering Active Directory. If you don't, you will probably end up with a DNS implementation that doesn't meet your needs.
At this point, I am going to assume that you have Windows 2000 Server installed. The first step towards a proper AD implementation will involve installing and configuring DNS. If you haven't done so already, add the DNS service to your server from the Windows Components option in Add/Remove Programs in Control Panel, as
After adding DNS, the next step is configuring a new DNS zone. The name of the zone is important, and I generally suggest using a "private" name for Active Directory, such as company.local, instead of a public name that your company may have already registered, such as company.com. This will help to ensure that both your internal and external hostnames resolve correctly once all is said and done. One caveat worth knowing today: the .local suffix was later reserved for multicast DNS (RFC 6762), so Macs, Linux hosts and other mDNS-aware clients may try to resolve such names on the local link rather than asking your DNS server. A dedicated subdomain of a domain you actually own, such as ad.company.com, avoids that clash while still keeping internal names out of public DNS. In this case, create a new zone called company.local using the DNS administrative tool. This is accomplished by right clicking on Forward Lookup Zones and choosing New Zone.
The wizard that walks you through the process is fairly straightforward, but be sure to choose to create a standard primary lookup zone, as shown below.
Once the zone has been created, the next step is to ensure that your server is pointing at itself for DNS name resolution. Go into the server's TCP/IP properties and add the IP address of this server as the DNS server address. Do not list your ISP's DNS server as an alternate here: a resolver that fails over to it will never find your domain's SRV records, and the symptom is intermittent "domain controller could not be contacted" errors that are very hard to diagnose. This step is critical, so be sure not to skip it.
Once this step has been completed, you are ready to begin the Active Directory installation process by running dcpromo from the Run command, as shown below.
The Active Directory installation wizard is another simple tool. Our goal is to create a new Active Directory domain, in a new tree, in a new forest; this is ultimately covered in the first 3 input screens of the dcpromo process. The first input screen is shown below.
When prompted for your Active Directory domain name, choose exactly the same name as the DNS zone that you set up earlier, for example company.local.
There is nothing wrong with using a private DNS zone name internally on your network. In fact, many companies prefer it, because it allows them to separate internal and external naming. Most small companies use the services of a hosting provider to handle their email, web, and DNS services. If you chose to use your public DNS name internally, your internal DNS server would become authoritative for that name and would never consult the public zone, so you would need to manually create and maintain records for all of your public hosts (www, mail, and so on) on your internal servers, or internal clients would not be able to reach your public servers properly. Using a private name internally makes life a great deal easier; the internal DNS server will resolve names for internal servers, while external DNS (like that hosted by your ISP) will still properly resolve the names of external resources.
The main reason for setting up DNS in advance is to avoid a very common problem. Many people complain that their DNS server will not resolve names for Internet hosts, that the Root Hints tab is empty, and that the Forwarders tab is greyed out so they cannot configure forwarders. All three symptoms have the same cause: your DNS server was configured as a Root Server during the Active Directory installation process. In other words, your DNS server thinks that it is the top of the DNS hierarchy, and as such, there is no higher level to which queries should be forwarded. You can confirm this in the DNS administrative tool by looking under Forward Lookup Zones for a zone named simply "." (a single dot); deleting that zone and restarting the DNS service re-enables root hints and forwarders. If your DNS implementation is lacking a Root Hints file or the ability to set up Forwarders, see this Microsoft KB article:
Once Active Directory is installed, you should be able to access the Internet from this server, since it will resolve DNS queries for external names by recursion, starting with the Root Servers. However, for faster name resolution, you should consider setting up DNS forwarding. To do this, access the properties of your DNS server in the DNS tool, and add the IP addresses of your ISP's DNS servers on the Forwarders tab. This ensures that DNS queries for external resources will first be forwarded to your ISP, where information on many external servers is likely already cached. In general, this will result in better name resolution performance. Leave "use root hints if no forwarders are available" enabled so that an ISP outage does not take your internal resolution down with it.
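The DNS-first build order described above, from adding the DNS service through promoting the first domain controller and setting forwarders, as an added example on a current Windows Server using PowerShell. This is not from the original article and does not apply to a Windows 2000 box; the server address 192.168.1.10, the adapter name "Ethernet", the NetBIOS name COMPANY and the ISP resolvers 203.0.113.53 and 203.0.113.54 are assumptions.

```powershell
# Added example, not from the original article. Run elevated on the server that will
# become the first domain controller. All addresses and names below are assumed values.
$DomainName    = 'company.local'
$NetbiosName   = 'COMPANY'
$ServerIp      = '192.168.1.10'
$Adapter       = 'Ethernet'
$IspForwarders = @('203.0.113.53', '203.0.113.54')

# 1. Install the DNS Server role BEFORE AD DS, so the zone is designed by you and not
#    by the promotion wizard.
Install-WindowsFeature -Name DNS -IncludeManagementTools | Out-Null

# 2. Create a standard primary zone whose name is exactly the planned domain name.
#    A file-backed zone cannot enforce secure-only dynamic updates, so accept
#    NonsecureAndSecure for now and tighten it after promotion (see step 7).
if (-not (Get-DnsServerZone -Name $DomainName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $DomainName -ZoneFile "$DomainName.dns" `
        -DynamicUpdate NonsecureAndSecure
}

# 3. Point the server at itself for resolution. No ISP address in this list.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses @($ServerIp, '127.0.0.1')

# 4. The failure mode the article describes: a zone literally named "." turns this
#    server into a root server, which disables root hints and forwarders. Remove it
#    if some earlier wizard run created one.
if (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue) {
    Remove-DnsServerZone -Name '.' -Force
}

# 5. Forward external queries to the ISP, but keep root hints as the fallback so an
#    ISP resolver outage does not break internal name resolution.
#    Set-DnsServerForwarder replaces the whole list; Add-DnsServerForwarder appends.
Set-DnsServerForwarder -IPAddress $IspForwarders -UseRootHint $true

# 6. Only now promote: new forest, new tree, new domain, same name as the zone.
#    -InstallDns stays $true so the wizard registers the SRV records and the _msdcs
#    zone; it does not re-create the zone built in step 2. No delegation is created
#    because company.local has no parent zone to delegate from.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -InstallDns:$true -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# 7. After the reboot that Install-ADDSForest triggers, run these two lines once to
#    move the zone into AD and allow only Kerberos-authenticated dynamic updates, so an
#    unauthenticated host on the LAN cannot overwrite the DC's own records:
#    ConvertTo-DnsServerPrimaryZone -Name 'company.local' -ReplicationScope Domain -Force
#    Set-DnsServerPrimaryZone -Name 'company.local' -DynamicUpdate Secure
```

Step 7 is the security-relevant follow-up: as long as the zone is a file-backed primary with non-secure updates permitted, any machine that can reach UDP/53 can register or replace A and SRV records, including those pointing clients at the domain controller. Converting to an Active Directory integrated zone is the only way to restrict dynamic updates to authenticated computer accounts.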
After Active Directory is installed, all of your internal clients should also be pointing at your new domain controller for DNS name resolution. Once they are pointing at the new domain controller for DNS purposes, add the Windows NT/2000/XP clients to your new domain.
If you want to add additional domain controllers to your network, ensure that they are pointing to your new DNS server for name resolution prior to running dcpromo.
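The checks implied by the last two paragraphs, that a client or prospective second domain controller really is using the new DNS server and that the domain's locator records and external names resolve through it, as an added example that is not part of the original article. It is written for a current Windows client or server with PowerShell; the domain name company.local, the domain controller address 192.168.1.10 and the external test name www.example.com are assumptions.

```powershell
# Added example, not from the original article. Run on a machine you are about to join
# to the domain or promote as an additional DC. Assumed values below.
$DomainName = 'company.local'
$DcIp       = '192.168.1.10'
$Problems   = @()

# 1. Every IPv4 interface with DNS servers configured must list the new DC first,
#    not the ISP or the router. A wrong first entry is the usual cause of failed joins.
$Wrong = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -and $_.ServerAddresses[0] -ne $DcIp }
foreach ($w in $Wrong) {
    $Problems += "Interface '$($w.InterfaceAlias)' resolves via $($w.ServerAddresses -join ', ') instead of $DcIp"
}

# 2. The SRV records that domain join, logon and replication depend on must be
#    answered by the DC itself. Query it directly so a stale local cache cannot mask a fault.
$Locators = @("_ldap._tcp.dc._msdcs.$DomainName", "_kerberos._tcp.dc._msdcs.$DomainName")
foreach ($Srv in $Locators) {
    try {
        $Answer = Resolve-DnsName -Name $Srv -Type SRV -Server $DcIp -DnsOnly -ErrorAction Stop
        if (-not ($Answer | Where-Object { $_.Type -eq 'SRV' })) {
            $Problems += "No SRV answer for $Srv from $DcIp"
        }
    } catch {
        $Problems += "Lookup of $Srv against $DcIp failed: $($_.Exception.Message)"
    }
}

# 3. An Internet name must still resolve through the DC. If this fails while step 2
#    succeeds, the DC is acting as a root server (look for a '.' zone) or has no
#    working forwarders or root hints.
try {
    $null = Resolve-DnsName -Name 'www.example.com' -Type A -Server $DcIp -DnsOnly -ErrorAction Stop
} catch {
    $Problems += "External lookup through $DcIp failed; check for a '.' zone and the forwarder list"
}

if ($Problems) {
    $Problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "DNS prerequisites for $DomainName look good; safe to join or promote."
}
```

The script only reads configuration and issues queries, so it is safe to run repeatedly; the -Server and -DnsOnly switches matter because Resolve-DnsName otherwise falls back to the local cache and NetBIOS, which can hide exactly the misconfiguration you are looking for.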
If you wish, you can also make any new domain controller a DNS server by installing the DNS service on that box, and then configuring it as a secondary name server. Alternatively, you can also install DNS and then configure your company.local domain as an Active Directory integrated zone, where DNS information is actually stored as part of the Active Directory database and replicated to every domain controller along with it. Active Directory integrated zones are also the only kind that can be set to accept secure dynamic updates only, so that an unauthenticated host cannot register or overwrite records in your domain's zone.
Original date of publication, 04/02/2003