CodeBetter.Com

Peter's Gekko

public Blog MyNotepad : Imho { }

Setting up a simple internet server (pt2) : it's all about AD

I'm in the middle of setting up a web server for my site. In a previous post I blogged about getting the machine up and running. In this post I will take a closer look at Active Directory, which proved even more central than I had expected. Again, this is nothing deep. IT pro guys are probably laughing their heads off reading this. But hey, you guys: you're speaking a different language than us developers. Again, these are just some things I wish I had known in advance and that were hidden too deep in the docs.

Adding features to a Windows 2003 box is a matter of enabling roles. My hard-earned advice is to always start with the Domain Controller role. This will install and set up Active Directory. The setup will ask for the name of the domain the server is going to control. This is a point of "think first, start the setup later". Why?

  • A domain controller can only control one domain (name). Period. My server is going to host my old GekkoSoftware.nl domain but also PetersGekko.net as well as PetersGekko.com. I had to choose one of these names as the domain name. Internet requests for the other domain names can be handled by this server as well, more on that in a later post, but there is no way to administer that in AD on a single server.
  • Adding the AD role will also configure the DNS role. If you have already set up that one, things might get messed up.

In case things do get messed up there is a very nice MS support article which really helped me. Its title says it is aimed at Windows 2000, but it helped me very well in straightening out my 2003 box.
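A quick way to check the two points above on a finished box, as an added example that is not part of the original post: the script resolves the SRV record that domain members use to find a domain controller (proof that the DNS role is carrying the AD zone) and then asks a public resolver whether the AD domain name is also a registered internet zone, which is the one-domain-name limitation showing up in practice. It assumes a domain-joined host running Windows 8 / Server 2012 or later (for Resolve-DnsName), reads the domain name from the USERDNSDOMAIN environment variable, and uses 8.8.8.8 only as a stand-in for any public resolver.

```powershell
# Added example, not code from the original post. Checks that the DC's DNS
# role is serving the AD zone and whether the AD domain name also exists as
# a public internet zone (split-brain DNS). Assumes Windows 8 / Server 2012
# or later (Resolve-DnsName) on a domain-joined host. The public resolver
# address is a placeholder; any public resolver will do.

function Test-DcDnsSetup {
    param(
        [string]$DomainName     = $env:USERDNSDOMAIN,   # set on every domain-joined host
        [string]$PublicResolver = '8.8.8.8'
    )
    if (-not $DomainName) { throw 'Not domain-joined: pass -DomainName explicitly.' }

    # Domain members locate a DC through this SRV record. If the DNS role was
    # overwritten or never configured by the DC promotion, it will be missing.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"
    $dcHosts = @()
    try {
        $dcHosts = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'SRV' } |
                     ForEach-Object { "$($_.NameTarget):$($_.Port)" })
    } catch { }

    # Ask a public resolver for the same name. A positive answer means the AD
    # domain shares its name with a registered internet zone, so internal and
    # external clients will get different answers for the same name.
    $publicZone = $false
    try {
        $null = Resolve-DnsName -Name $DomainName -Type NS -Server $PublicResolver -ErrorAction Stop
        $publicZone = $true
    } catch { }

    $adDnsOk = $dcHosts.Count -gt 0
    $advice  = if (-not $adDnsOk) { 'AD SRV records missing: check the DNS role and zone on the DC' }
               elseif ($publicZone) { 'AD domain name collides with a public zone: expect split-brain DNS' }
               else { 'OK' }

    [pscustomobject]@{
        Domain            = $DomainName
        DcSrvRecord       = $srvName
        DomainControllers = ($dcHosts -join ', ')
        AdDnsOk           = $adDnsOk
        NameIsPublicZone  = $publicZone
        Advice            = $advice
    }
}

Test-DcDnsSetup | Format-List
```

Run it on the DC itself after promotion; an empty DomainControllers field means the DNS zone the promotion should have created is not being served, which is exactly the "messed up" state the support article fixes.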

Active Directory is everywhere and I am really beginning to like it; in one place I have an overview of all computers, users, shares and the kitchen sink. There are several ways for machines to join. They can join themselves from the System part of their Control Panel. Having done that, I can then manage the client PC straight from a server management console. But you can also add a machine from the server. In my network I have a Maxtor network storage drive. So far I had to manage and monitor it in a browser. Having added a computer named Maxtor in AD, I now have a view on what's going on over there straight from the AD console.

It even shows things its web-based management interface keeps hidden, like the folder paths of the shares. Pleasant surprise.

Active Directory controls everything. As a mail server I installed Exchange. It took me some time to find the place to add and manage mailboxes and email addresses. It is right in the heart of AD user management, a right click away.

By default the property pages of an AD user already have three rows of tabs. Exchange adds yet another row.

So setting up the server all boils down to Active Directory management. In the next and (intended) last post I'll describe the pitfalls I encountered setting up incoming traffic. After all, that's what a web server really is about.



Comments

Mark said:

Couple of suggestions and observations:
1. You (normally) really *DON'T* want your AD domain to be the same as an internet registered domain name. Trust me, for all but the largest enterprises, it's not a good idea. I believe the current recommendation is to name your AD domain company.local (I prefer company.lan myself, but I think the .local syntax is more standard). You can still serve DNS and SMTP for your internet domain from the same box. This was a big pain point when Win2000 first arrived and everyone was struggling to understand the role DNS and AD played. Having worked in the SMB market for a few years during that time as a network consultant, believe me that it's easier to just go with .local unless you know otherwise.

2. I hope you've got a good (layer 7) firewall in place. Having your AD controller internet accessible and serving mail, DNS, and web requests is normally not a good idea from a security standpoint. I do, however, understand the allure of having a single machine to manage (and pay for!), but you should (a) be very careful about what services/ports to allow on the external network, (b) invest in a decent layer 7 firewall (don't just use a router for this. A router can only allow/deny requests based on IP and port information. You're going to need more.), and (c) backup religiously (and know how to restore a DC/Exchange machine, it's not as simple as a regular PC or server) because odds are good that it'll eventually get compromised.

3. I'm not sure how that Maxtor drive allows you to manage it with MMC/Computer Management (perhaps it's using Windows Storage Server?), but it's not related to the computer account you created. Since the Maxtor never joined the domain using that computer account, it never got the domain SID (security identifier) nor generated its own. AFAIK, except for scripting it, there really is no way to join a PC to a domain strictly from the server - the client must be involved.

You're just using plain ol' NetBIOS to manage the Maxtor. The Computer Management console really has little to do with AD - you can do the same thing to a non domain PC (or a PC in another domain even) assuming you can make NetBIOS calls to it and have an account on it. The whole right click and manage from AD Users and Computers is really just a shortcut. Right clicking the top node in the Computer Management console allows you to select (or type) any other computer to manage.

Not that it's a bad idea to have the Maxtor in AD Users and Computers - we used to do the same thing with Win9x machines (that technically couldn't join a domain because they didn't support SIDs) just so we knew the names of the machines out there.
# February 23, 2006 7:26 AM
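A concrete way to act on point 2 of the comment above, as an added example that is neither the commenter's nor the post author's code: inventory the TCP ports this box listens on, name the domain-controller services among them, and flag those bound to every interface, so the firewall rules can be written against a real list rather than guesswork. It assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection); the port-to-role table uses the standard AD service port assignments, and treating 25, 80 and 443 as the intended public services is an assumption for a web-and-mail box.

```powershell
# Added example, not code from the original post or the comment. Lists the
# TCP ports this host listens on, names the domain-controller services among
# them, and flags those bound to all interfaces (reachable from outside unless
# a firewall in front of the box blocks them). Assumes Windows 8 / Server 2012
# or later for Get-NetTCPConnection. Which ports are meant to be public is an
# assumption for a web-and-mail server.

$DcServicePorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over TLS'
    3389 = 'Remote Desktop'
}
$IntendedPublicPorts = @(25, 80, 443)   # SMTP, HTTP, HTTPS: what this box is for (assumption)

function Get-ExposureReport {
    Get-NetTCPConnection -State Listen |
        Group-Object -Property LocalPort |
        ForEach-Object {
            $port      = [int]$_.Name
            $addresses = @($_.Group | Select-Object -ExpandProperty LocalAddress)
            # 0.0.0.0 / :: means "every interface", including the internet-facing one.
            $wideOpen  = ($addresses -contains '0.0.0.0') -or ($addresses -contains '::')
            $role      = if ($DcServicePorts.ContainsKey($port)) { $DcServicePorts[$port] } else { 'other' }
            $owner     = (Get-Process -Id $_.Group[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName

            $verdict = if ($IntendedPublicPorts -contains $port) { 'intended public service' }
                       elseif ($wideOpen -and $role -ne 'other') { 'BLOCK at the firewall: DC service on all interfaces' }
                       elseif ($wideOpen)                        { 'review: unidentified service on all interfaces' }
                       else                                      { 'bound to a specific address only' }

            [pscustomobject]@{
                Port      = $port
                Addresses = ($addresses -join ', ')
                Process   = $owner
                Role      = $role
                Verdict   = $verdict
            }
        } |
        Sort-Object Port
}

Get-ExposureReport | Format-Table -AutoSize
```

The report is the input to the firewall work, not a substitute for it: every row marked BLOCK is a service that only domain members should reach, so the external rule set should admit only the intended public ports and drop the rest, and the same list is what the backup and restore plan the comment mentions has to cover.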

pvanooijen said:

Thank you very much for the good advice. That's IT pro language I do understand :)

I'll dive deeper into the firewall stuff in a coming post. And link back to these remarks there.

Concerning the Maxtor: I just don't know what's in there. The thing just works :)
# February 24, 2006 4:08 AM

Mischa Kroon said:

Mind you, the .local will give problems with OS X machines in the same network, but there are workarounds for it :P

Also, AD / webserver on the same box sounds like a security risk.
# March 3, 2006 6:09 PM

Peter's Gekko said:

In two previous posts I described my first steps in setting up my own internet server.

Part 1 described...
# June 6, 2006 7:47 AM

Peter's Gekko said:

When an asp.net application is started it processes the web.config file. Doing so it is combined with...
# June 21, 2006 3:48 PM
