I'm setting up a new Active Directory instance for my department at a university. I have some experience managing domains at previous jobs (NT4/2k/2003), but there are two unique things about our environment here: The network is 100% public IP address space (effectively no firewalls and all DNS is public DNS) and DNS is centrally managed (BIND on UNIX and they won't delegate me a subdomain nor allow Dynamic DNS updates to their servers.)
Since no private or split DNS is possible, the SRV records for my domain (ad.dept.univ.edu) will be accessible via public DNS. Although the DNS is public, I will firewall to only allow machines on-campus to connect to my domain controllers. I'll have two AD controllers running Windows Server 2008r2. This is basically an authentication only domain, we don't run Windows file servers, most client machines will never join the domain or directly authenticate against the domain controller. This domain will mostly just provide centralized AD-integrated authentication for appliances and applications.
- What's the process for setting up an AD controller without enabling MS DNS?
- Which DNS records (SRV or otherwise) should I add? Should they exist before making the server a domain controller or be added after?
- Is there anything which won't run nicely in such an environment? I know adding/removing DCs will require manually editing DNS, but is that it?
If you think Samba4+OpenLDAP is up to the task, I'm definitely interested, but please ask & self answer a new wiki question instead of just replying here.
Sounds a lot like my environment, only I get to have DNS delegation.
It is possible though very tricky to set up an AD DNS environment that doesn't require dynamic DNS. You'll have to hand-populate all the SRV records, as well as the needed NS and A records for the domain. PTR records aren't as important. Since you aren't going to be adding or removing machines from the domain much, this may even be supportable in the long-run.
Don't sweat the public IP address space. That's what firewalls are for. Just because the evil meanies can look at you doesn't mean they can touch you.
I've done this and managed it via webmin on my DNS server. Adding DNS records via webmin is very very easy. Much better than doing it manually through config files.
Service Records needed:
| Name | TTL | Priority | Weight | Port | Server |
|---|---|---|---|---|---|
| _gc._tcp.domain. | 600 | 0 | 100 | 3268 | server-name.domain. |
| _kerberos._tcp.dc._msdcs.domain. | 600 | 0 | 100 | 88 | server-name.domain. |
| _kerberos._tcp.domain. | 600 | 0 | 100 | 88 | server-name.domain. |
| _kerberos._udp.domain. | 600 | 0 | 100 | 88 | server-name.domain. |
| _kpasswd._tcp.domain. | 600 | 0 | 100 | 464 | server-name.domain. |
| _kpasswd._udp.domain. | 600 | 0 | 100 | 464 | server-name.domain. |
| _ldap._tcp.dc._msdcs.domain. | 600 | 0 | 100 | 389 | server-name.domain. |
| _ldap._tcp.gc._msdcs.domain. | 600 | 0 | 100 | 3268 | server-name.domain. |
| _ldap._tcp.pdc._msdcs.domain. | 600 | 0 | 100 | 389 | server-name.domain. |
| _ldap._tcp.domain. | 600 | 0 | 100 | 389 | server-name.domain. |
| _ldap._tcp.domain. | 600 | 0 | 100 | 3268 | server-name.domain. |
| _msdcs._tcp.domain. | 600 | 0 | 100 | 389 | server-name.domain. |
In addition to your service records, you need the appropriate A record(s):
gc._msdcs.domain. 600 IP-ADDRESS
Also DO NOT FORGET TO REGISTER YOUR DNS on your AD Server via cmd line: `ipconfig /registerdns`
If it still doesn't work, then the Event Viewer on your AD server will have clear messages indicating what DNS records it's trying to hit.
User56886 had most of it which got me started on the right track, but here's the full list of DNS Records (note the leading underscores) which worked for my domain (dept.univ.edu) and my active directory controller (ad.dept.univ.edu). TTL/Weights/Priority are up to you, I used 600, 0, 100 below.
In addition there are also two records (a SRV record and a CNAME) which rely on a generated SECID for your domain:
Also, you (obviously) need an A record for your domain controller.
Reference: page 154 of Oreilly's Active Directory 5th Edition (also available via Safari Books Online).
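Since every DC addition or removal in this setup means hand-editing the central BIND zone, it helps to generate the record set mechanically and to check a zone fragment for gaps before blaming the domain controller. The script below is an added example, not code from either answer above: it emits BIND-style lines for the SRV/A/CNAME records listed in the two answers for the domain name from the question (ad.dept.univ.edu), and it parses a zone fragment back to report which standard locator records point at none of the expected DCs. The DC hostnames, addresses and the domain/DSA GUID values are constructed placeholders; the exact GUIDs come from the real domain, as the answer above notes.

```python
"""Static DNS records for an AD domain that cannot use dynamic DNS updates.

Added example (not from the thread). Builds the zone fragment a DC would
normally register itself, so it can be handed to the central BIND admins,
and checks an existing fragment for missing locator records.
Assumed: domain ad.dept.univ.edu (from the question); DC names, IPs and
GUIDs below are constructed placeholders.
"""
import re
from collections import namedtuple

DC = namedtuple("DC", "host ip dsa_guid")

# Owner names relative to the domain, with the port each service listens on:
# 389 LDAP, 3268 global catalog, 88 Kerberos, 464 password change.
STANDARD_SRV = [
    ("_ldap._tcp", 389),
    ("_ldap._tcp.dc._msdcs", 389),
    ("_ldap._tcp.pdc._msdcs", 389),   # only the PDC emulator owns this one
    ("_ldap._tcp.gc._msdcs", 3268),
    ("_gc._tcp", 3268),
    ("_kerberos._tcp", 88),
    ("_kerberos._udp", 88),
    ("_kerberos._tcp.dc._msdcs", 88),
    ("_kpasswd._tcp", 464),
    ("_kpasswd._udp", 464),
]


def ad_zone_fragment(domain, dcs, domain_guid, pdc=None, ttl=600, priority=0, weight=100):
    """Return zone-file lines (absolute owner names) for the given DCs."""
    pdc = pdc or dcs[0]
    lines = []
    for owner, port in STANDARD_SRV:
        targets = [pdc] if owner == "_ldap._tcp.pdc._msdcs" else dcs
        for dc in targets:
            lines.append(f"{owner}.{domain}. {ttl} IN SRV {priority} {weight} {port} {dc.host}.")
    for dc in dcs:
        # Domain-GUID locator record and the per-DC DSA-GUID CNAME used by replication partners.
        lines.append(f"_ldap._tcp.{domain_guid}.domains._msdcs.{domain}. "
                     f"{ttl} IN SRV {priority} {weight} 389 {dc.host}.")
        lines.append(f"{dc.dsa_guid}._msdcs.{domain}. {ttl} IN CNAME {dc.host}.")
    for dc in dcs:
        # A records: the DC itself, the domain apex (a DC registers this too), and gc._msdcs.
        lines.append(f"{dc.host}. {ttl} IN A {dc.ip}")
        lines.append(f"{domain}. {ttl} IN A {dc.ip}")
        lines.append(f"gc._msdcs.{domain}. {ttl} IN A {dc.ip}")
    return lines


# owner [ttl] [IN] SRV priority weight port target  (comments after ';' are stripped first)
SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", re.I)


def srv_table(zone_text):
    """Parse SRV lines into {owner: {(port, target), ...}}; other record types are ignored."""
    table = {}
    for raw in zone_text.splitlines():
        line = raw.split(";")[0].strip()
        m = SRV_RE.match(line)
        if m:
            owner = m.group(1).rstrip(".").lower()
            target = m.group(5).rstrip(".").lower()
            table.setdefault(owner, set()).add((int(m.group(4)), target))
    return table


def missing_srv(zone_text, domain, dcs):
    """List the STANDARD_SRV entries with no record on the right port pointing at a known DC."""
    table = srv_table(zone_text)
    hosts = {dc.host.lower() for dc in dcs}
    missing = []
    for owner, port in STANDARD_SRV:
        fqdn = f"{owner}.{domain}".lower()
        if not any(p == port and t in hosts for p, t in table.get(fqdn, ())):
            missing.append(f"{fqdn} port {port}")
    return missing


if __name__ == "__main__":
    # Constructed sample values; real GUIDs come from the domain itself.
    dcs = [DC("dc1.ad.dept.univ.edu", "192.0.2.10", "00000000-0000-0000-0000-0000000000a1"),
           DC("dc2.ad.dept.univ.edu", "192.0.2.11", "00000000-0000-0000-0000-0000000000a2")]
    zone = ad_zone_fragment("ad.dept.univ.edu", dcs, "00000000-0000-0000-0000-00000000d0d0")
    print("\n".join(zone))
    print("missing:", missing_srv("\n".join(zone), "ad.dept.univ.edu", dcs))
```

Run it once to produce the fragment for the BIND admins; later, paste their zone back into `missing_srv` after any DC change to see which locator records still point at a decommissioned host or were never added, which is the usual cause of the Event Viewer DNS errors mentioned above.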
I would install DNS servers on the machines that you are going to use as domain controllers and let the domain controllers auto-populate the SRV records so that you have a copy that you can give the BIND admins. After that, it sounds as if the zone data may be fairly static and you should be able to tear down the Windows DNS servers.
The way you word your question makes it sound as if there may be other Active Directory based forests on campus. How are they solving their DNS issues? Any chance of joining an existing domain / forest?
This is possible, although the fact that your entire infrastructure is exposed to the public internets is more than a little bit frightening.
If I were in this situation, I would replicate my ADI required zones to locally managed (i.e., mine) BIND boxes, and then configure views to only allow the slaved ADI zones access from your "known" IP space. Failing the business' willingness to put up the very moderate investment for a couple of additional BIND servers, I would document the hell out of my attempts to convince management just how bad exposing your AD infrastructure to the internet is, and prepare my resume. Because this is going to go down in a large, fiery blast...