Monday, April 9, 2018

domain name system - Active Directory with public unix dns (no MS DNS)



I'm setting up a new Active Directory instance for my department at a university. I have some experience managing domains at previous jobs (NT4/2k/2003), but there are two unique things about our environment here: The network is 100% public IP address space (effectively no firewalls and all DNS is public DNS) and DNS is centrally managed (BIND on UNIX and they won't delegate me a subdomain nor allow Dynamic DNS updates to their servers.)




Since no private or split DNS is possible, the SRV records for my domain (ad.dept.univ.edu) will be accessible via public DNS. Although the DNS is public, I will firewall to only allow machines on-campus to connect to my domain controllers. I'll have two AD controllers running Windows Server 2008r2. This is basically an authentication only domain, we don't run Windows file servers, most client machines will never join the domain or directly authenticate against the domain controller. This domain will mostly just provide centralized AD-integrated authentication for appliances and applications.




  • What's the process for setting up an AD controller without enabling MS DNS?

  • Which DNS records (SRV or otherwise) should I add? Should they exist before making the server a domain controller or be added after?

  • Is there anything which won't run nicely in such an environment? I know adding/removing DCs will require manually editing DNS, but is that it?



If you think Samba4+OpenLDAP is up to the task, I'm definitely interested, but please ask & self answer a new wiki question instead of just replying here.


Answer




User56886 had most of it which got me started on the right track, but here's the full list of DNS Records (note the leading underscores) which worked for my domain (dept.univ.edu) and my active directory controller (ad.dept.univ.edu). TTL/Weights/Priority are up to you, I used 600, 0, 100 below.




_service._proto.name TTL class SRV priority weight port target

_gc._tcp.dept.univ.edu. 600 IN SRV 0 100 3268 ad.dept.univ.edu.
_gc._tcp.Default-First-Site-Name._sites.dept.univ.edu. 600 IN SRV 0 100 3268 ad.dept.univ.edu.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.dept.univ.edu. 600 IN SRV 0 100 88 ad.dept.univ.edu.
_kerberos._tcp.dc._msdcs.dept.univ.edu. 600 IN SRV 0 100 88 ad.dept.univ.edu.

_kerberos._tcp.dept.univ.edu. 600 IN SRV 0 100 88 ad.dept.univ.edu.
_kerberos._udp.dept.univ.edu. 600 IN SRV 0 100 88 ad.dept.univ.edu.
_kpasswd._tcp.dept.univ.edu. 600 IN SRV 0 100 464 ad.dept.univ.edu.
_kpasswd._udp.dept.univ.edu. 600 IN SRV 0 100 464 ad.dept.univ.edu.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.dept.univ.edu. 600 IN SRV 0 100 389 ad.dept.univ.edu.
_ldap._tcp.Default-First-Site-Name._sites.dc.dept.univ.edu. 600 IN SRV 0 100 389 ad.dept.univ.edu.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.dept.univ.edu. 600 IN SRV 0 100 3268 ad.dept.univ.edu.
_ldap._tcp.dc._msdcs.dept.univ.edu. 600 IN SRV 0 100 389 ad.dept.univ.edu.
_ldap._tcp.dept.univ.edu. 600 IN SRV 0 100 389 ad.dept.univ.edu.
_ldap._tcp.gc._msdcs.dept.univ.edu. 600 IN SRV 0 100 3268 ad.dept.univ.edu.

_ldap._tcp.pdc._msdcs.dept.univ.edu. 600 IN SRV 0 100 389 ad.dept.univ.edu.


In addition there's also two records (a SRV record and a CNAME) which rely on a generated SECID for your domain:




xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._msdcs.dept.univ.edu. 600 IN CNAME ad.dept.univ.edu.
_ldap._tcp.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._msdcs.dept.univ.edu. 600 IN SRV 0 100 389 ad.dept.univ.edu.



Also, you (obviously) need an A record for your domain controller.



Reference: page 154 of Oreilly's Active Directory 5th Edition (also available via Safari Books Online).
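Because the zone is hand-edited by someone else's BIND admins, the practical risk is a missing record or a wrong port that only shows up as an intermittent logon or GC lookup failure. The script below is an added example (not code from the question or the answer above): it generates the record set a single-domain forest DC needs, in the owner-name forms Microsoft documents for these records (these differ from the answer's list in a few places: the site-scoped LDAP record is `_ldap._tcp.<site>._sites.<domain>`, the GUID SRV record lives under `<DomainGUID>.domains._msdcs`, the CNAME uses the DC's DSA GUID rather than the domain GUID, and `_ldap._tcp.gc._msdcs` is on 3268), renders them as zone-file lines to hand to the DNS admins, and checks an exported zone fragment against the expected set. The domain, host, site and both GUIDs are constructed placeholders; on a real DC the two GUIDs come from the domain's and the NTDS Settings object's objectGUID after promotion.

```python
"""Generate the DNS records an AD domain controller needs in an externally
managed BIND zone, and check an exported zone fragment against them.

Added example, not code from the original question or answer.  All names and
GUIDs below are constructed placeholders.  Assumes a single-domain forest, so
the forest name equals the domain name."""
import re

# Zone-file lines: "owner [TTL] [IN] SRV pri weight port target" and
# "owner [TTL] [IN] CNAME target".  TTL and class are optional in BIND.
SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+\d+\s+\d+\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+)\s*$", re.IGNORECASE)
CNAME_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(?P<target>\S+)\s*$",
    re.IGNORECASE)


def _fqdn(name):
    """Normalise a name for comparison: lowercase, one trailing dot."""
    return name.rstrip(".").lower() + "."


def expected_records(domain, dc_host, dsa_guid, domain_guid,
                     site="Default-First-Site-Name"):
    """Return {(owner, rtype): (port, target)} for one DC.  port is None for
    the CNAME.  dsa_guid is the DC's NTDS Settings objectGUID; domain_guid is
    the domain's objectGUID (they are different values)."""
    d, host = _fqdn(domain), _fqdn(dc_host)
    srv_ports = {
        f"_ldap._tcp.{d}": 389,
        f"_ldap._tcp.{site}._sites.{d}": 389,
        f"_ldap._tcp.dc._msdcs.{d}": 389,
        f"_ldap._tcp.{site}._sites.dc._msdcs.{d}": 389,
        f"_ldap._tcp.pdc._msdcs.{d}": 389,
        f"_ldap._tcp.gc._msdcs.{d}": 3268,          # global catalog, not 389
        f"_ldap._tcp.{site}._sites.gc._msdcs.{d}": 3268,
        f"_ldap._tcp.{domain_guid}.domains._msdcs.{d}": 389,
        f"_gc._tcp.{d}": 3268,
        f"_gc._tcp.{site}._sites.{d}": 3268,
        f"_kerberos._tcp.{d}": 88,
        f"_kerberos._udp.{d}": 88,
        f"_kerberos._tcp.{site}._sites.{d}": 88,
        f"_kerberos._tcp.dc._msdcs.{d}": 88,
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{d}": 88,
        f"_kpasswd._tcp.{d}": 464,
        f"_kpasswd._udp.{d}": 464,
    }
    records = {(o.lower(), "SRV"): (p, host) for o, p in srv_ports.items()}
    records[(f"{dsa_guid}._msdcs.{d}".lower(), "CNAME")] = (None, host)
    return records


def zone_fragment(records, ttl=600, priority=0, weight=100):
    """Render the record set as BIND zone-file lines for the DNS admins."""
    out = []
    for (owner, rtype), (port, target) in sorted(records.items()):
        if rtype == "SRV":
            out.append(f"{owner} {ttl} IN SRV {priority} {weight} {port} {target}")
        else:
            out.append(f"{owner} {ttl} IN CNAME {target}")
    return "\n".join(out)


def check_zone(zone_text, records):
    """Parse zone lines and compare against the expected set.  Returns a
    sorted list of problem strings; an empty list means every required record
    is present with the right port and target.  Unrelated records (A, NS,
    comments) are ignored."""
    seen = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        m = SRV_RE.match(line)
        if m:
            seen[(_fqdn(m["owner"]), "SRV")] = (int(m["port"]), _fqdn(m["target"]))
            continue
        m = CNAME_RE.match(line)
        if m:
            seen[(_fqdn(m["owner"]), "CNAME")] = (None, _fqdn(m["target"]))
    problems = []
    for (owner, rtype), (port, target) in records.items():
        if (owner, rtype) not in seen:
            problems.append(f"missing {rtype} {owner}")
            continue
        got_port, got_target = seen[(owner, rtype)]
        if got_port != port:
            problems.append(f"wrong port on {owner}: {got_port} (want {port})")
        if got_target != target:
            problems.append(f"wrong target on {owner}: {got_target} (want {target})")
    return sorted(problems)


# Constructed placeholders; read the real GUIDs from the DC after promotion.
DOMAIN = "dept.univ.edu"
DC = "ad.dept.univ.edu"
DSA_GUID = "11111111-2222-3333-4444-555555555555"
DOMAIN_GUID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
EXPECTED = expected_records(DOMAIN, DC, DSA_GUID, DOMAIN_GUID)


def demo_problems():
    """Simulate a hand-entered zone with two typical mistakes: the kpasswd UDP
    record left out and the GC LDAP record put on 389 instead of 3268."""
    lines = zone_fragment(EXPECTED).splitlines()
    lines = [ln for ln in lines if not ln.startswith("_kpasswd._udp.")]
    lines = [ln.replace(" 3268 ", " 389 ") if ln.startswith("_ldap._tcp.gc._msdcs.")
             else ln for ln in lines]
    return check_zone("\n".join(lines), EXPECTED)


if __name__ == "__main__":
    print(zone_fragment(EXPECTED))
    print("\nproblems in the constructed sample zone:")
    for p in demo_problems():
        print("  " + p)
```

In practice you would feed `check_zone` the output of a zone transfer or a `dig` loop over the expected owner names rather than a local file, so that the check runs against what the campus resolvers actually serve; the comparison logic is the same. When a second DC is added, call `expected_records` for it with its own DSA GUID and merge the two sets (each SRV owner then has one record per DC).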

