Naming an Active Directory domain correctly. Understanding a domain controller. Configuring a Windows client computer to perform queries and dynamic updates on DNS zones with single-label names

Good afternoon, dear readers and subscribers. I haven't written anything about Windows domains for a long time; today I will correct that, and we will look at a fundamental topic: how to correctly name an Active Directory domain. This determines whether your services will function correctly later on, and it reduces the number of problems that can arise when the domain services name is chosen incorrectly.

Errors in choosing an Active Directory name

If you have been reading my blog for a long time, or have only just joined, let me remind you of the introductory article Introduction to Active Directory, where I tried to explain what AD is, how it works and, most importantly, what components it consists of. If you read it carefully, you know that Active Directory cannot work without DNS servers.

  • I'm sure most of you know that DNS names on the Internet are built according to a certain principle: a name consists only of letters, digits, dots and hyphens (I'm not talking about the different types of DNS records). There is a standard, RFC 1123, on naming hosts, which states in black and white that the following special characters must not appear in names: the at sign @, tilde ~, number sign #, the slashes / and \, and the underscore. If you unknowingly chose a domain name containing an underscore, then, for example, you will have big problems with the MS Exchange mail server. If there were no standards, there would be chaos.
  • People choose external addresses, or rather second-level names, as local Active Directory names. A simple example: let's say I have an enterprise Pyatilistnik.inc, and the administrator decided to install an Active Directory controller and create a domain structure, but took pyatilistnik as its local name. Imagine the chaos that begins when people need to reach the company site from the local network: there is a conflict with the AD name, and to solve the problem you have to maintain both the external DNS zone and the internal one, which is inconvenient and leads to errors. Below I will tell you how to correctly name an Active Directory domain.
  • Zone names not included in ICANN's official global registry. Examples would be zones like .local or, for example, .nn, although I am sure the standard will reach them too, since it is profitable for this organization to make money out of thin air by selling names; what you won't find in domain names nowadays, but that is not what we are talking about today. It is incorrect to use these names in Active Directory, since they cannot be used outside your office, and you cannot obtain an SSL certificate for such a domain.

Although, if you are doing this in a test environment, then you can.

  • Disjoint namespace. There are situations when the DNS name of a domain controller or computer does not match its NetBIOS name: for example, if my controller had the NetBIOS name dc6 and the domain dc.site. Such designs are workable and can be used during a merger of enterprises, but with a disjoint namespace there are also pitfalls, again with MS Exchange. Below is an example of a match between both the NetBIOS and DNS names.

How to correctly name an active directory domain

We now understand how to do it wrong; now let's do everything properly. I'll repeat right away: if you have a test environment, you can call your AD whatever you want, even microsoft.com. But seriously, let's return to our company Pyatilistnik.inc. For the Active Directory domain zone I would choose a third-level zone, ad.site. The company's website would then be placed on site, and thanks to this there would be no problems with the MS Exchange server. If you have several branches, I advise you to use one forest; an example is Nizhny Novgorod and Moscow: for Moscow I would choose ad..ad.site. I hope you now understand how to name an Active Directory domain better and more correctly.

Yesterday we received a letter at our studio from our regular reader Andrey, with the following question:

I read your blog with pleasure and have learned a lot of useful things for myself. I wanted to know your opinion about the name of the Active Directory domain: many write that it should be called *organization*.local, and some write that it should be called the same as the domain.

Let's take a quick look at which name is best to use when naming a domain within an organization.

As practice shows, choosing a domain name can baffle even an experienced system administrator. When you launch the dcpromo utility for the first time, the domain name will be generated automatically and randomly; if at this stage the domain name is not brought into compliance with the necessary rules, it will be much harder to change the domain name later. Let's look at the possible options in order of popularity.

1. Domain named example.local

The leader of our hit parade is the domain name ending in .local. There are other variations on this theme, for example .test, .firma, .factory, .nn, .loc, and so on. Nobody even remembers where such love came from; in all of its books Microsoft always uses its own naming example, contoso.com, where the domain naming format is clearly visible. However, for almost 10 years the .local domain occupied the leading position. The situation began to improve with the arrival of services that use SSL certificates, where the use of made-up domains becomes impossible. Say your company uses an Exchange server internally, which requires an SSL certificate to encrypt client connections. In this scenario you need a certificate from an external certification authority, in which you must list all the names of the servers used for external connections. It would seem there is nothing wrong with that: we write down all the server names and apply for the certificate, but there is one catch. With such a domain name you will not be able to pass validation, since the made-up domain does not exist, and if you try to explain to an external certification authority that you need to put the FQDN of a non-existent domain in the SAN, you will receive a polite refusal:

It's not possible; we only issue certificates for real domain names.

But there is one more problem. Using a domain name that is not yours can lead to disastrous consequences. Imagine the situation if the .local zone were to acquire public status, like the .com or .ru zones. I don't think it's worth continuing any further :)

2. The domain name is the same as the external domain name

Second place in our hit parade. Although this scenario is less popular, it still has a right to exist. Apart from the fact that you will experience some inconvenience when maintaining the network, nothing else threatens you. The main problem in this scenario is that you will have to maintain two DNS servers: internal and external. Under this arrangement, computers inside the network will use the internal DNS server to resolve names, and computers outside the company perimeter will use the external one. Let's assume your domain has the proud name example.com, and in the DMZ you host the company website, also named example.com. In this scenario, computers inside the organization will not be able to access it, because for them example.com is the domain name, and when they enter this address in the browser they will end up at a domain controller. As I noted above, apart from inconvenience this will lead to nothing. You can always use crutches that redirect you to the external site, but you will agree that this is unnecessary double work; alternatively, use the site name starting with www both inside the network and outside.

3. One-word domain name

Perhaps the most incorrect option of all. A single-label domain is a domain whose name contains only one component. Apparently they began to be used in the days of NT, when Microsoft adopted the successful experience of Novell. It so happened that I was initially an administrator of FreeBSD and of a large fleet of NetWare servers starting with version 4.11, and in those ancient times NetWare used the Bindery, which is precisely a single-level naming scheme, later adopted by Microsoft.

Best practices

It's time to sum up. What domain name should you use? Only a third-level domain in a domain you own. You should not use other people's prettier domain names :-). You can see an example of such a domain below.

In rare cases, a domain services administrator may face the task of renaming the current domain. The reasons may vary, but such a situation is quite possible. Although this task cannot be called trivial, you occasionally have to deal with it, and it is extremely important to do everything correctly, since otherwise the outcome can be critically dangerous, up to a completely non-functional corporate infrastructure. So, later in this article you will learn about the prerequisites for this operation, some of its restrictions, and how you can rename your domain. Before we begin, a strong request: do not perform these steps in your production environment until you have successfully renamed a test domain in your lab environment. Let's begin.

Prerequisites

Before you start renaming your domain, be sure to consider the following information:

  • Active Directory forest functional level. You can perform domain rename tasks only if all domain controllers in the forest run at least Windows Server 2003 (there are no restrictions on edition). Moreover, the forest functional level must be raised to at least Windows Server 2003. That is, if your forest is at the Windows 2000 functional level, the operation will simply be impossible;
  • Domain location. An Active Directory forest may contain domains at different levels: there can be a single domain, or the forest can include child domains. If you change the position of the domain within the forest, you will have to create a trust relationship;
  • DNS zone. Before performing the domain rename operation, you need to create the new DNS zone;
  • Administrative credentials. To perform a domain rename operation, you must be logged on with an account that is a member of the Enterprise Admins group;
  • Distributed File System (DFS) servers. If you have deployed DFS or configured roaming profiles in your corporate environment, note that the DFS root servers must be running at least Windows 2000 Server SP3;
  • Incompatibility with Microsoft Exchange servers. The worst part: if Microsoft Exchange Server 2003 Service Pack 1 is deployed in your Active Directory forest, the domain rename will go through without problems, but the user account under which the rename is performed must be a member of the Full Exchange Administrator group. More modern mail servers (including Exchange Server 2016) are not compatible with domain rename operations.

Also note that while you are renaming the domain, you must freeze all upcoming Active Directory forest configuration activities. In other words, you must ensure that your forest configuration does not change until the domain rename operation is fully completed (you will see how this is done below). These operations include: creating or deleting domains within your Active Directory forest, creating or deleting application directory partitions, adding or removing domain controllers in the forest, creating or deleting directly established trusts, and adding or removing attributes that are replicated to the global catalog.

Just in case, I would also advise making a full system state backup on each domain controller in the Active Directory forest. For a task like this, such a precaution will definitely not be superfluous.

If your infrastructure meets the requirements above and all required backups are in place, you can begin the domain renaming process.

Active Directory Domain Rename Process

First, to check the original name of your domain, you can open the System Properties window. As you can see in the corresponding illustration, my domain is called “Biopharmaceutic.local”:

Fig. 1. Checking the original Active Directory domain name

Now you should create a new DNS zone, “biopharm.local”, so that after the domain is successfully renamed your member servers and clients can join the new domain name without problems. To do this, open DNS Manager, go to Forward Lookup Zones and choose to create a new zone. The zone is created in the usual way: on the first page of the New Zone Wizard, read the introductory information and move on to the second page. On the zone type page, select Primary Zone and make sure the option to store the zone in Active Directory is enabled. On the zone replication scope page, leave the default option selected: “To all DNS servers running on domain controllers in this domain: Biopharmaceutic.local”. On the zone name page, specify the new domain name (biopharm.local), and on the dynamic update page leave the default option “Allow only secure dynamic updates (recommended for Active Directory)”. You can see several stages of creating the new zone below:

Fig. 2. Creating a new DNS zone

The next step in renaming the domain is to generate a description of the current state of the forest. This is the first domain rename step in which the Rendom command-line utility is used. The utility generates a text description of your current forest structure as an XML file named Domainlist.xml. This file lists all domain directory partitions and all application directory partitions in your Active Directory forest. Each domain or application directory partition entry is delimited by its own pair of XML tags, and each entry contains the globally unique identifier (GUID) of the partition's root object, the DNS name of the domain or application directory partition, and, for a domain, its NetBIOS name.

To create this file, open a command prompt under the appropriate account and run “rendom /list”. The generated file is saved in the root of your user profile directory. Next, open this file in any text editor.

Inside this file you need to change the domain name within the tags that hold the DNS name, and the NetBIOS name within the tags that hold the NetBIOS name. Be sure not to change the GUID inside its tags.

In the following illustration you will see the execution of the above command, the location of the Domainlist.xml file and the changes to the first section of this file. In my case the domain name in this file is changed 4 times:

Fig. 3. Generating and modifying the Domainlist.xml file

To make sure you have made the required changes to the file, you can run “rendom /showforest”. As you can see in the following illustration, all my entries have changed to “Biopharm”:

Fig. 4. Viewing the pending changes

When the next command (rendom /upload) is executed, the Rendom utility translates the new forest structure specified in the edited file into a sequence of directory update instructions that will run locally and remotely on each domain controller in the forest. In general terms, at this point the changes are written to the configuration directory partition on the domain naming master in order to rename the Active Directory domain. In addition, a Dclist.xml file is created, which is used to track the progress and status of each domain controller in the forest during the domain rename operation. By the way, at this point the Rendom utility freezes your Active Directory forest against any changes to its configuration. The execution of this command is shown below:

Fig. 5. Executing the rendom /upload command

The next command checks the readiness of the domain controllers before the domain rename operation. During this step the preparatory check is run against every domain controller in the forest, to ensure that the Active Directory database on each of them is in the correct state and ready to accept the changes that will rename your domain. Therefore, run “rendom /prepare”, as shown in the following illustration:

Fig. 6. Preparing the domain for renaming

The most crucial moment: running “rendom /execute”. When this command runs, the instructions to rename the domain are executed. Essentially, at this very moment each domain controller in the forest is contacted individually and made to execute the domain rename instructions. On completion of this operation, each domain controller reboots. See the following illustration for the domain renaming process:

Fig. 7. The domain renaming process

But that is not all. Even though your domain has essentially already been renamed, you still have to fix the GPOs and their links after the domain rename operation completes. Use the command-line utility Gpfixup.exe to repair Group Policy Objects and GPO links in each renamed domain. Do not neglect this step: without it, after the domain rename completes, group policies in the renamed forest simply will not function correctly. Note that this command must be run once for each renamed domain. Hence, run gpfixup once with the parameters /olddns:Biopharmaceutic.local (the old name of the renamed domain) and /newdns:Biopharm.local (the new name of the renamed domain), and then gpfixup again with the parameters /oldnb:Biopharmaceutical and /newnb:Biopharm (the old and new NetBIOS names of your domain, respectively). This procedure is shown below:

Fig. 8. Fixing Group Policy Objects

Only two commands remain: “rendom /clean”, which removes all references to the old domain names within your Active Directory, and “rendom /end”, which essentially unfreezes the Active Directory forest for changes to its configuration. You can see the execution of these commands in the following illustration:

Fig. 9. Completing the Active Directory domain rename

For the changes to apply to member servers and end clients, you will have to reboot their computers twice. The domain controllers, however, you will have to rename manually. As you can see in the following illustration, my domain controller's name remains the same.
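Before the rendom /upload step of the procedure above, the edited Domainlist.xml can be compared with the original that rendom /list produced, so that a retyped GUID or a forgotten application partition is caught before anything reaches the forest. This is an added example, not part of the article or of Rendom; it assumes Rendom's documented Domainlist.xml layout (Forest, Domain, Guid, DNSname, NetBiosName and DcName tags), and the sample files and their GUIDs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the file `rendom /list` writes for a single-domain
# forest; the GUIDs are placeholders, not real partition identifiers.
ORIGINAL_XML = """<?xml version="1.0"?>
<Forest>
<Domain>
<!-- PartitionType:Application -->
<Guid>00000000-0000-0000-0000-000000000001</Guid>
<DNSname>DomainDnsZones.Biopharmaceutic.local</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<!-- PartitionType:Application -->
<Guid>00000000-0000-0000-0000-000000000002</Guid>
<DNSname>ForestDnsZones.Biopharmaceutic.local</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<!-- ForestRoot -->
<Guid>00000000-0000-0000-0000-000000000003</Guid>
<DNSname>Biopharmaceutic.local</DNSname>
<NetBiosName>BIOPHARMACEUTIC</NetBiosName>
<DcName></DcName>
</Domain>
</Forest>
"""

# The edit the article describes: the DNS name changes in three partitions and
# the NetBIOS name once, four changes in total, with every GUID left untouched.
GOOD_EDIT = ORIGINAL_XML.replace("Biopharmaceutic.local", "Biopharm.local").replace("BIOPHARMACEUTIC", "BIOPHARM")

# A broken edit: the root domain was renamed, but its GUID was retyped and the
# two application partitions were forgotten.
BAD_EDIT = ORIGINAL_XML.replace("<DNSname>Biopharmaceutic.local", "<DNSname>Biopharm.local").replace("000000000003", "000000000004")


def parse_domainlist(xml_text):
    """Map each partition GUID to its (DNSname, NetBiosName) pair."""
    entries = {}
    for dom in ET.fromstring(xml_text).findall("Domain"):
        def text(tag):
            return (dom.findtext(tag) or "").strip()
        entries[text("Guid")] = (text("DNSname"), text("NetBiosName"))
    return entries


def preflight(original_xml, edited_xml, old_dns, new_dns):
    """Return (problems, change_count). An empty problems list means the edited
    file is consistent with the original and with the intended rename."""
    problems, changes = [], 0
    original, edited = parse_domainlist(original_xml), parse_domainlist(edited_xml)
    if set(original) != set(edited):
        problems.append("partition GUIDs were added, removed or modified; restore them from the rendom /list output")
    for guid, (old_name, old_nb) in original.items():
        if guid not in edited:
            continue
        new_name, new_nb = edited[guid]
        # Every partition whose name ends in the old domain name must follow it to the new one.
        expected = old_name[:-len(old_dns)] + new_dns if old_name.lower().endswith(old_dns.lower()) else old_name
        if new_name.lower() != expected.lower():
            problems.append(f"{old_name}: expected '{expected}', file has '{new_name}'")
        changes += new_name.lower() != old_name.lower()
        if not old_nb:  # application partitions carry no NetBIOS name
            continue
        changes += new_nb.upper() != old_nb.upper()
        if not new_nb:
            problems.append(f"{new_name}: NetBIOS name was removed")
        elif len(new_nb) > 15:
            problems.append(f"{new_name}: NetBIOS name '{new_nb}' is longer than 15 characters")
        elif new_nb.upper() != new_name.split(".")[0].upper()[:15]:
            problems.append(f"warning: {new_name}: NetBIOS '{new_nb}' differs from the leftmost DNS label (disjoint namespace)")
    return problems, changes


if __name__ == "__main__":
    for label, edited in (("good edit", GOOD_EDIT), ("bad edit", BAD_EDIT)):
        problems, changes = preflight(ORIGINAL_XML, edited, "Biopharmaceutic.local", "Biopharm.local")
        print(f"{label}: {changes} change(s), {'ready for rendom /upload' if not problems else 'DO NOT upload'}")
        for p in problems:
            print("  -", p)
```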

What is a domain controller

A domain controller provides centralized management of network devices, that is, of domains. The controller stores all the information about the accounts and settings of network users: security settings, local policies and much more. It is a kind of server that completely controls a specific network or group of networks. A domain controller is essentially a set of special software that runs the various Active Directory services. Controllers run certain operating systems, such as Windows Server 2003. The Active Directory Installation Wizard allows you to create domain controllers.

In the Windows NT operating system the main server is the primary domain controller (PDC). The other servers in use act as backup domain controllers (BDC). The PDC handles tasks such as user membership in groups, creating and changing passwords, adding users and many others, after which the data is replicated to the BDCs.

Samba 4 can be used as a domain controller if a Unix operating system is installed. This software also supports other operating systems such as Windows 2003, 2008, 2003 R2 and 2008 R2. Each of the operating systems can be extended if necessary, depending on specific requirements and parameters.

Using Domain Controllers

Domain controllers are used by many organizations whose computers are connected to each other and to the network. Controllers store directory data and control how users log in and out of the system, as well as managing the interactions between them.

Organizations using domain controllers need to decide how many will be used, and plan for data backup, physical security, server upgrades and other necessary tasks.

If a company or organization is small and uses only one domain network, two controllers are enough to provide high stability, fault tolerance and a high level of network availability. In networks that are divided into a number of sites, one controller is installed at each of them, which makes it possible to achieve the necessary performance and reliability. With a controller at each site, user logon becomes much easier and faster.

Network traffic can be optimized by scheduling replication updates for times when the load on the network is minimal. Setting up replication will significantly simplify your work and make it more productive.

Maximum performance from a controller can be achieved if it also hosts the global catalog, which allows you to query any object across the whole forest. It is important to remember that enabling the global catalog entails a significant increase in replication traffic.

It is best not to enable the host domain controller if more than one domain controller is used. When using a domain controller, it is very important to take care of security, because it becomes an attractive target for attackers who want to get hold of the data it stores.

Features of installing additional domain controllers

To achieve higher reliability of the necessary network services, additional domain controllers must be installed. As a result you achieve significantly higher stability, reliability and security of operation. Network performance also becomes significantly higher, which is a very important parameter for organizations that use a domain controller.

For a domain controller to work correctly, some preparatory work is necessary. The first thing to do is check the TCP/IP settings; they must be set correctly for the server. The most important thing is to check the DNS name mappings.

For the domain controller to operate securely, you must use the NTFS file system, which provides higher security than the FAT32 file system. To install on the server, you need to create one NTFS partition on which the system volume will be located. The server also needs access to a DNS server. The DNS service is installed on this server or on an additional one, and it must support the resource records Active Directory requires.

To configure a domain controller properly, you can use the configuration wizard, which allows you to add specific roles. To do this, go to the administration section through the Control Panel and specify domain controller as the server role.

Today a domain controller is indispensable for the networks and sites used by organizations, institutions and companies in all areas of activity. It ensures high productivity and security, which is especially important for computer networks. The role of the domain controller is very important because it allows you to manage domain areas built on computer networks. Each operating system has its own nuances in the operation of domain controllers, but the principle and purpose are the same everywhere, so understanding the settings is not as difficult as it might seem at first. However, it is very important that domain controllers are configured by experts, to ensure high performance and security in operation.

Spring has come, and with it a heightened desire to write a fundamental piece answering a question that seems obvious yet is critically important at design time: what name to give the Active Directory domain so that it won't be excruciatingly painful later?

In this article I will try to take you from the worst Active Directory domain name options to what I believe is the best one, pointing out the pitfalls along the way.

A domain with a single-label name is not suitable for use in a production environment, and the only correct course is to get rid of it as soon as possible.

Invalid characters in the domain name

For example, an underscore. Although previous versions of Windows Server allowed this character when choosing a DNS domain name, it does not comply with the RFC 1123 standard for DNS. Newer versions of Windows Server no longer allow you to name domains contrary to the standard. If you have inherited a domain whose name contains an underscore, big trouble awaits: for example, you cannot install Exchange 2007 or later. There is only one solution: get rid of the invalid characters in the domain name, either by migrating to another domain (preferable) or by renaming the domain (unsafe).

Disjoint namespace

One of the special cases of a disjoint namespace is when the NetBIOS name of the domain differs from the leftmost label of its DNS name:

Netbios Name = TEST
DNS Name = lab.site

From a functionality point of view this configuration is fully supported, but I still recommend avoiding it so as not to create confusion and ambiguity.

.local or ICANN

In many tutorials you can see domain names like company.local. Indeed, there is no crime in using such names for training and testing purposes. It's worse when real domains are named the same way:

  • The name contradicts the ideology of the global DNS: it does not guarantee the absence of collisions with other similar domains (this matters when it comes time to establish trust relationships)
  • The name cannot be used for access from the global network (this matters when it's time to publish resources)
  • A public SSL certificate cannot be obtained for a domain whose ownership cannot be verified. This limitation is especially relevant with the growth of cloud services, as the boundary between on-premises and cloud services blurs. Just one example: for Single Sign-On with Office 365 services to work, AD Federation Services with a public certificate is required

Therefore, I recommend that when naming a domain you always use an officially registered name in the ICANN (Internet Corporation for Assigned Names and Numbers) hierarchy, which is guaranteed to eliminate the disadvantages described above. For example:

website
argon.com.ru
irom.info

Select or merge

Let's imagine that we are designing a domain structure for the Argon company, which has a website at the address site and also uses email addresses in the same domain. Should the same name be used for Active Directory? It is better not to, for the following reasons:

  • If, inside such an organization's network, we enter http://site/ in the browser, we will not reach the company website but the first domain controller we come across.
  • Administering public and internal DNS records becomes difficult: every public DNS record in the site zone that is used from the internal network must be duplicated in the internal DNS zone, and the synchronization of these records has to be ensured somehow.

For example, there is a website www.site on the Internet. For users on the internal network to reach it, a matching record must be created in the internal DNS zone.

  • There is a risk of collisions between internal and external resource names.

For example, the server ftp.site is widely used on the internal network. Suddenly there is a need to offer Internet users a file service at the same address, ftp.site. What happens? Internal users cannot connect to the external service by that name...

Thus, it is better for an Active Directory domain to have a dedicated namespace, distinct from the namespace used on the Internet (company website and the like). Here too there is a choice:

  • Use a completely different name for AD (site for the website, argon.com.ru for AD)
  • Use a child name for AD (site for the website, lab.site for AD)

Both options satisfy the DNS ideology and are free from the disadvantages listed above, but the second option, a child domain, may be more convenient from the following points of view:

  • maintaining registered domain names (registration and DNS hosting are paid for only one domain)
  • availability of attractive names (no need to register another one)
  • obtaining public SSL certificates (a single wildcard certificate can serve both the company website and published internal network resources)

So, I suggest choosing a dedicated domain for AD, but a domain that is a child of the organization’s website.

lab.site
corp.microsoft.com

Split-brain

Split-brain DNS means using one domain name to publish resources both on the internal network and on the Internet. In this case, DNS servers on the internal network resolve names like portal.lab.site to internal IP addresses, while public DNS servers on the Internet resolve them to external ones. Example:

DNS name           On the internal network   On the Internet
portal.lab.site    10.18.0.20                77.37.182.47
smtp.lab.site      10.18.0.40                78.107.236.18

Split-brain gives you such useful things as uniform addresses for accessing resources both from the internal network and from the Internet. The user only needs to know one address, portal.lab.site, through which he can get to his documents, regardless of whether he is in the company office or in a hotel.

From an infrastructure perspective, it is convenient to have the same CRL or OCSP address in SSL certificates issued by internal CAs.

Without split-brain, it may be necessary to create so-called pinpoint zones on the internal DNS servers. Such “spot” zones contain only those records whose “public” values must be replaced with “private” ones specific to the internal network (the situation is similar to the one described under the heading “Select or merge”).

Example of a pinpoint zone:

DNS name                         On the internal network   On the Internet
_sipinternaltls._tcp.lab.site    sip.lab.site              lync.argon.com.ru

Specific or generic

In the literature you can find advice to name domains (especially the root) with a generic word, like Bank, Company or Corp. There are reasons for this: nowadays companies regularly go through mergers, acquisitions and rebranding, and, as you know, changing a domain name is very difficult.

On the other hand, with the same mergers and acquisitions, migration of users from one domain to another is very likely. In practice I came across a situation where I needed to migrate users from a dozen domains all named Bank. As you know, establishing trust relationships between domains with the same names (DNS or NetBIOS) is not possible. You will have to either rename these domains or migrate the data in two stages, through a third domain.

I am inclined to believe that it is better to name a domain specifically and put up with the old name after the company is renamed, than to name it generically and end up with serious technical problems when it comes to migration or establishing trust relationships.

The final touches on the path to perfection

  • globally registered
  • dedicated (child of the company website domain)
  • specific
  • use split-brain

lab.site
corp.microsoft.com
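A check of a candidate name against the rules collected across this page (RFC 1123 characters, single-label names, non-ICANN suffixes, a NetBIOS name that disagrees with the leftmost label, and the relation to the company's public website domain), as an added example that is not part of the original articles. The function names, severity levels and candidate names are constructed; the list of non-ICANN suffixes is the one the page itself cites.

```python
import re

# Top-level labels this page cites as examples of names outside the ICANN registry.
NON_ICANN_SUFFIXES = {"local", "loc", "nn", "test", "firma", "factory"}

# RFC 1123 host label: letters, digits and hyphens, starting and ending with a
# letter or digit, 1..63 characters. Underscore, @, ~, #, / and \ are excluded.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
ALLOWED_CHAR = re.compile(r"[a-z0-9-]")


def check_ad_name(dns_name, netbios_name=None, website_domain=None):
    """Return a list of (severity, message) findings for a proposed AD DNS name.

    "error": do not use; "warning": supported but inconvenient; "info": design note.
    An empty list means nothing to report.
    """
    findings = []
    name = dns_name.strip().lower().rstrip(".")
    labels = name.split(".")

    if len(labels) < 2:
        findings.append(("error", "single-label name: not for production, migrate away as soon as possible"))

    for label in labels:
        if not label:
            findings.append(("error", "empty label (consecutive dots or a leading dot)"))
        elif not LABEL_RE.match(label):
            bad = "".join(sorted({c for c in label if not ALLOWED_CHAR.match(c)}))
            if bad:
                findings.append(("error", f"label '{label}' contains characters RFC 1123 forbids: {bad}"))
            else:
                findings.append(("error", f"label '{label}' must start and end with a letter or digit, max 63 chars"))

    if len(labels) >= 2 and labels[-1] in NON_ICANN_SUFFIXES:
        findings.append(("error", f"suffix '.{labels[-1]}' is not ICANN-registered: no public certificate, "
                                  "possible collisions when establishing trusts"))

    if netbios_name is not None:
        nb = netbios_name.upper()
        # The default NetBIOS name is the leftmost DNS label, uppercased, at most 15 characters.
        default_nb = labels[0].upper()[:15]
        if len(nb) > 15:
            findings.append(("error", f"NetBIOS name '{nb}' exceeds 15 characters"))
        elif nb != default_nb:
            findings.append(("warning", f"disjoint namespace: NetBIOS '{nb}' differs from leftmost label '{default_nb}'"))

    if website_domain:
        site = website_domain.strip().lower().rstrip(".")
        if name == site:
            findings.append(("warning", f"same name as the public website: http://{site}/ resolves to a domain "
                                        "controller internally and every public record must be duplicated"))
        elif name.endswith("." + site):
            findings.append(("info", f"child of '{site}': one registration and one wildcard certificate cover both"))
        else:
            findings.append(("info", f"dedicated name unrelated to '{site}': supported, but a second registered name to pay for"))

    return findings


def is_usable(dns_name, netbios_name=None, website_domain=None):
    """True when no finding has severity "error"."""
    return all(sev != "error" for sev, _ in check_ad_name(dns_name, netbios_name, website_domain))


if __name__ == "__main__":
    # Constructed candidates built from the page's own sample names.
    for candidate in (("pyatilistnik", None, None),
                      ("my_company.local", None, None),
                      ("lab.example.com", "TEST", "example.com"),
                      ("example.com", "EXAMPLE", "example.com"),
                      ("ad.example.com", "AD", "example.com")):
        print(candidate[0], "->", "usable" if is_usable(*candidate) else "DO NOT USE")
        for severity, message in check_ad_name(*candidate):
            print(f"  [{severity}] {message}")
```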

That said, it would be nicer to use shorter user@site addresses for email and for SIP addresses in Lync. Nothing stops us from doing this, but there will be inconveniences.

The user's email address = user@site, logon name = lab\user, user principal name = user@lab.site. It's easy to get confused here, not only for the user but also for programs like Outlook and Lync.

After minor account modifications, users will have a user principal name equal to their email address. There will be less confusion, and programs such as Lync and Outlook will stop asking for the user's logon name; it will be enough for them to know the e-mail or SIP address.

Articles on other resources:

  • Active Directory Domain Naming Considerations: a dry guide from Microsoft
  • Naming conventions in Active Directory for computers, domains, sites, and OUs: see the subsection Forests that are connected to the Internet
  • Why you shouldn't use .local in your Active Directory domain name: a similar article from a foreign colleague