
Group:  English: Windows Server » microsoft.public.windows.server.dns
Thread: ISP scenario for AD and DNS


ISP scenario for AD and DNS
"Mike Sharp" <rdcpro[ at ]hotmail.com> 6/29/2007 8:32:24 PM
I need help configuring DNS and AD...sorry for the length of this post, but
I want to get as much info in here up front, so I don't waste your time
trying to figure out what I want to do. ;^)

Here's my configuration:

Two servers, located in a datacenter.

* Server 1 (Win2k3): Database Server, also functioning as a domain
controller for now. I know this isn't optimum, but at the moment there
isn't a lot of traffic. I'll set up a separate DC later when the traffic
warrants.

* Server 2 (Win2k2 Web Ed): Web Front End (WFE) for my web application
(Windows SharePoint Services).

The servers are each connected to the internet via a NIC with static IP.

There is also a cross-connect between the two servers, over a local subnet
(10.0.0.1 and 10.0.0.2 are their IP addresses). The cross-connect is there
because otherwise any traffic between the two would be metered for
bandwidth.

Here's what I want to do:

My intent is to host WSS sites (think extranet/portal) for customers, who
obviously won't be on my internal network, which only has the two servers.
However, the web front end needs to authenticate with an AD domain because
of licensing issues, and because as this grows, I'll have several WFE
servers per database server. For the time being I have only the two
servers, and the DB server will be doubling as a DC.

Ultimately, some customers will have a WSS site with a FQDN like:
wss.mysite.com where mysite.com is their separately hosted web site, and
wss.mysite.com is their WSS site hosted with me.

Other customers will have a subdomain of my own domain. If my domain is
coolwsshosting.com, they might have joeswidgets.coolwsshosting.com

But if someone goes to coolwsshosting.com, I want them to see my home page.

I have public DNS service with godaddy, the domain registrar. They support
A, CNAME, SRV, MX and TXT records, but obviously (I think) don't have
dynamic dns enabled, and they're obviously not a windows shop.

Here's my problem:

Most of the books I've read are concerned more with this scenario where
there is an internal corporate network, and don't explicitly cover my needs,
which is more of an ISP scenario.

All the customers will need AD accounts either in my domain (organized by
OU, I suppose), or in child domains of my domain.

I believe, from what I've read, that I should use an empty root domain
(coolwsshosting.com). But if I do that, how will people who browse to
coolwsshosting.com find my site, which is on the WFE, not the DC? Isn't
there supposed to be a host record for the domain, and if so, how does that
work?

But the main questions are:
1. How do I set up DNS with GoDaddy so that my local domain controller can
function as I need it?
2. How do I set up my DC AD and DNS?
3. How do I set up the DNS entries on the NICs so everybody is happy, and
talking over the right network cards?

Godaddy allows SRV records with the following fields:

* Name: The host name or domain the SRV is linked to. For example, "server1."
  If you want to link the record to your domain, enter the [ at ] symbol.
* Service: The service name of this SRV record. For example, "_ldap," "_ftp,"
  "_smtp."
* Protocol: The protocol used for the service. For example, "_tcp" or "_udp."
* Priority: The priority for the SRV record. For multiple records that have the
  same Name and Service, clients use the priority number to determine which
  Target to contact first.
* Weight: The weight of the SRV record. For multiple records that have the same
  Name, Service, and Priority, clients use the weight number to determine which
  Target to contact first.
* Port: The port of the service. For example, "80" or "21."
* Target: The host name of the server that provides the service described by
  this record. For example, "ftp.coolexample.com." Please note that this host
  name must be an "A" or "AAAA" type in the DNS zone for the domain that
  provides the service.


Thanks in advance!
Regards,
Mike

ps. If you do consulting in this subject, and are in the Seattle area,
contact me by email. Rdcpro is the user name and hotmail.com is the host.



Re: ISP scenario for AD and DNS
"Kevin D. Goodknecht Sr. [MVP]" <admin[ at ]nospam.WFTX.US> 6/30/2007 12:30:28 AM
Read inline please.

In news:%23qY8ayouHHA.3640[ at ]TK2MSFTNGP05.phx.gbl,
Mike Sharp <rdcpro[ at ]hotmail.com> typed:
<snip>

> Most of the books I've read are concerned more with this scenario
> where there is an internal corporate network, and don't explicitly
> cover my needs, which is more of an ISP scenario.
>

*************
> All the customers will need AD accounts either in my domain
> (organized by OU, I suppose), or in child domains of my domain.

Why do you say this?
Local accounts will do just as well unless you are providing a service to
them that requires Active Directory, like Exchange. I haven't seen anything
in this post about having an Exchange server, and SQL and WSS don't need a
domain.

************
> I believe, from what I've read, that I should use an empty root domain
> (coolwsshosting.com). But if I do that, how will people who browse to
> coolwsshosting.com find my site, which is on the WFE, not the DC?

Your internal domain can be any DNS-compatible domain name; it does not have
to be in a public TLD. It could be coolwsshosting.mike if you want; the name
won't be used by internet users anyway.

************
> Isn't there supposed to be a host record for the domain, and if so,
> how does that work?

From the internet, it doesn't matter: internet users won't see the internal
name. Internally, the AD domain name must resolve to all Domain Controller IP
addresses that have file sharing enabled.

************
> But the main questions are:
> 1. How do I set up DNS with GoDaddy so that my local domain
> controller can function as I need it?

When you set up DNS at GoDaddy you don't need to consider your Domain
Controller as a part of it. Your DC will not need to see the public DNS
servers at GoDaddy. You have to think of the public domain and your internal
AD domain as two totally separate entities with the same name.
Public users won't get to see the internal DNS server at all, and
shouldn't. The internal DNS is for internal machines and users locating and
authenticating with the Domain Controller.
The GoDaddy servers need records with public (routable) IPs for locating web
sites, ftp sites, mail servers and other internet-related services only.
Users on the internet will not and should not be authenticating with Active
Directory; granting access to the AD services is all done internally.

**************
> 2. How do I set up my DC AD and DNS?

The DC should be running its own DNS with AD-integrated zones that allow
only secure updates; the DC will use its own address for DNS, and the web
server will also use the DC for DNS for its own internal resolution.
Unless this web server is hosting an Exchange Server (don't recall if the
Web Edition can even run Exchange anyway) it shouldn't be a member of the
domain. Any authentication done in WSS is done with local accounts.

****************
> 3. How do I set up the DNS entries on the NICs so everybody is happy,
> and talking over the right network cards?

All internal name resolution must be done to internal IP addresses, so the
internal servers (machines) will point only to internal DNS servers, which
need to have zones for each domain, but their records have internal IP
addresses. It doesn't matter how small your network is; even if it has only
one or two machines, internal name resolution needs to be to local IP
addresses so the internal machines can communicate unrestricted without
going through a firewall.


****************
> GoDaddy allows SRV records with the following fields:

Unless you are providing a service to internet users that uses SRV records,
as some instant messaging services do, you don't need to create any
public SRV records. Other applications like web browsers do not query for or
see SRV records. You certainly don't want to create any SRV records for your
DC on the internet DNS; you would basically have to open your firewall wide
open, and hackers would have a field day.

The only records that you will be concerned with are A, CNAME, MX and TXT RR
types. You may possibly some day need AAAA (IPv6) RR types. At this point in
time, I'd say most routers on the internet don't support IPv6 anyway.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
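The split Kevin describes above has two halves that can be checked mechanically: the registrar-hosted zone should carry only routable addresses and ordinary A/CNAME/MX/TXT records, never the DC's locator (SRV) records, while the zone on the DC should map every host, and the AD domain name itself, to the cross-connect addresses so that domain traffic never leaves the private subnet. The Python audit below is an added example, not code from this thread or from any Microsoft or GoDaddy tool. The zone snippets, the host names dc1 and wfe1, and the 203.0.113.0/24 addresses standing in for the servers' public static IPs are all constructed; the parser accepts only the simple one-record-per-line zone form shown.

```python
"""Split-brain DNS hygiene audit for an AD domain whose name is also a public zone.

Added example: checks a registrar-hosted (public) zone and a DC-hosted (internal)
zone against the rules in Kevin's reply. All zone data below is constructed."""

import ipaddress

# Owner-name prefixes of the SRV records a DC registers so that clients can locate
# LDAP, Kerberos and Global Catalog services. None of these belong in public DNS.
AD_SRV_PREFIXES = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
                   "_kpasswd._tcp", "_kpasswd._udp", "_gc._tcp")

# Address space public resolvers can never reach: RFC 1918, loopback, link-local,
# and their IPv6 equivalents. Anything else is treated as routable.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
                 "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_routable(addr):
    """True if addr lies outside every non-routable range listed above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)


def parse_zone(text):
    """Parse a minimal BIND-style zone snippet into (owner, type, rdata) tuples.

    Accepts 'owner [ttl] [IN] type rdata...' lines; ';' starts a comment and
    '$' directives ($ORIGIN, $TTL) are skipped. Owners are lower-cased."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        owner, *rest = line.split()
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        if not rest:
            raise ValueError(f"malformed record: {raw!r}")
        records.append((owner.lower(), rest[0].upper(), " ".join(rest[1:])))
    return records


def audit_public_zone(text):
    """Findings for the registrar zone: AD locator SRV records and non-routable addresses."""
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "SRV" and (owner.startswith(AD_SRV_PREFIXES) or "_msdcs" in owner):
            findings.append(f"AD locator record published: {owner}")
        elif rtype in ("A", "AAAA") and not is_routable(rdata):
            findings.append(f"non-routable address in public zone: {owner} -> {rdata}")
    return findings


def audit_internal_zone(text, dc_addrs):
    """Findings for the DC zone: every A/AAAA must be internal, and the zone apex ('@')
    must resolve to every DC address so the AD domain name itself locates the DCs."""
    findings = []
    apex = set()
    for owner, rtype, rdata in parse_zone(text):
        if rtype not in ("A", "AAAA"):
            continue
        if is_routable(rdata):
            findings.append(f"internal name resolves to a public address: {owner} -> {rdata}")
        if owner == "@":
            apex.add(rdata)
    for missing in sorted(set(dc_addrs) - apex):
        findings.append(f"AD domain apex does not resolve to DC {missing}")
    return findings


# Constructed registrar zone for coolwsshosting.com (203.0.113.0/24 stands in for the
# servers' real static IPs). The last two records are the mistakes the audit should catch.
PUBLIC_ZONE = """
@            IN A   203.0.113.10   ; home page is served by the WFE, not the DC
www          IN A   203.0.113.10
joeswidgets  IN A   203.0.113.10   ; customer subdomain on the same front end
mail         IN A   203.0.113.20
@            IN MX  10 mail
dc1          IN A   10.0.0.1       ; MISTAKE: cross-connect address leaked
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1   ; MISTAKE: DC locator record
"""

# Constructed internal zone on the DC for the same name, seen only by the two servers.
INTERNAL_ZONE = """
@     IN A   10.0.0.1     ; AD domain name -> DC over the cross-connect
dc1   IN A   10.0.0.1
wfe1  IN A   10.0.0.2     ; web front end reaches SQL and AD on the private subnet
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1   ; fine here: AD-integrated, internal only
"""

# The same internal zone with the WFE registered by its public address and no apex record.
BAD_INTERNAL_ZONE = """
dc1   IN A   10.0.0.1
wfe1  IN A   203.0.113.10
"""

if __name__ == "__main__":
    for name, findings in (("public", audit_public_zone(PUBLIC_ZONE)),
                           ("internal", audit_internal_zone(INTERNAL_ZONE, ["10.0.0.1"])),
                           ("bad internal", audit_internal_zone(BAD_INTERNAL_ZONE, ["10.0.0.1"]))):
        print(f"{name}: {findings or 'clean'}")
```

Feed each function a zone-file export of the matching zone (on Windows Server 2003 the DC zone can be written out with dnscmd /ZoneExport). Any finding from the public audit is a record to delete before the firewall question even comes up; a finding from the internal audit means one of the two servers will reach the other over the metered public path instead of the cross-connect, or will fail to find the DC at all.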


Re: ISP scenario for AD and DNS
"Mike Sharp" <rdcpro[ at ]hotmail.com> 6/30/2007 8:01:08 PM
Hi Kevin,

Thanks for your response...I'll have to digest all this a bit (I'm a
programmer more than a network engineer), but to answer your first question,
WSS needs a domain account to connect with a non-local SQL Server. With WSS
on the W2k3 web edition, licensing requires a non-local SQL Server, so it
has to be a member of a domain. Besides, while using W2k3 Standard edition
as the web front end and a local SQL server would be easy to set up, it
won't scale as well. The other architecture allows me to scale to around
4-5 WFE per SQL Server.

While Exchange is a future plan, I'm not thinking about it too much as yet.

Thanks,
Mike


Re: ISP scenario for AD and DNS
"Kevin D. Goodknecht Sr. [MVP]" <admin[ at ]nospam.WFTX.US> 7/1/2007 4:21:28 AM
Read inline please.

In news:O$m3mF1uHHA.3356[ at ]TK2MSFTNGP03.phx.gbl,
Mike Sharp <rdcpro[ at ]hotmail.com> typed:
> Hi Kevin,
>
> Thanks for your response...I'll have to digest all this a bit (I'm a
> programmer more than a network engineer), but to answer your first
> question, WSS needs a domain account to connect with a non-local SQL
> Server. With WSS on the W2k3 web edition, licensing requires a
> non-local SQL Server, so it has to be a member of a domain. Besides,
> while using W2k3 Standard edition as the web front end and a local
> SQL server would be easy to set up, it won't scale as well. The
> other architecture allows me to scale to around 4-5 WFE per SQL
> Server.

SQL doesn't require you to use domain accounts, it can use its own accounts
or Windows local machine accounts.

The issue with a web server being a member of a domain is that when web
users have access to a domain account it gives them a higher level of
privileges, because a domain account can be used to access any member of the
domain. Local accounts work only on the local machine, and SQL accounts
work only within a specific application.

>
> While Exchange is a future plan, I'm not thinking about it too much
> about it as yet.

Exchange does require Active Directory, but if you're thinking of Exchange
2007, it is a giant leap forward in technology with about ten years
backwards in ease of management. Just about all management on Exchange 2007
uses the new command shell with very long command lines.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps


