The name of the local domain. The correct name is the Active Directory domain. Possible issues with dynamic DNS record registration in single-label forward lookup zones
Choosing a domain name is clumsy, but it shows life to do it often after running dcpromo, the domain name is generated by a vipadkovy rank. There is nothing to worry about, the domain works, the printers work, 1C works. But, unfortunately, there are a number of situations, if the generation of a vipadkovy rank of name, if you don’t see sideways, then you will definitely add trouble. In this small article, I will try to tell you about those, how not to name your domains and why. Information even if you see it, but in real life it shows that the pardons in the name are simply en masse. And the oskіlki procedure for renaming the domain is tse it-shne sado-maso, more often than not, everything is right.
1. The situation is first. Domain name - domainname.local
It goes without saying that the broadest version of the variant is the end of .local, or else there is no other top-level domain that is not vindicated by IANA. (A-la.msk or.test or.loc, etc.) One is to talk about those who, in 2000, when AD showed up at the conference in a demonstration of additional efforts to create such a domain.
That people priynyav tse yak call to diy. Another hypothesis, which does not include pershu, shills to the point that MSFT itself has written a clear recommendation in the literature, after which local and people are encouraged. Why is such an option bad?
Scenarios of a kilka, but I will tell and hurt. Perhaps you install in the middle of an Exchange Server organization that needs a certificate to encrypt client connections. You want a certificate from a commercial center, like people do. Naturally, the certificate must have all the names of the server for which the server will be available. If the original domain belongs to us and easily passed the validation, then the internal domain a la super-firma.moscow is not necessary and when trying to explain to the certification centers that you need to SAN FQDN - exchange.super-firma.moscow, remove the input:
It's not possible, we issue only certificates for real domain names.
At once, push the certificate into the SAN of the certificate, whether it be obscene words, allow the Comodo Certificate Authority, which sounds exactly like the choice of the owner of the certificates, that guarantee, that they will allow the whole thing.
2. The situation of a friend. Im'ya domain AD zbіgaєtsya іz zvnіshnіm іnternet іm'yam domain.
This is not a common option, but for the new problem, there is nothing to check with certificates. Natomist blame the problems of vyrіshennyam іmen. Exit the situation, if the names and internal DNS servers are not connected to each other, but to serve the unconnected zones with the same names. In such a situation, the internal server logically considers itself authoritative for the zone, and if you don’t know about the host, it authoritatively declares - NI! The shards can be used as external resources, naybanal web sites, especially type A records are added to the zone on the external DNS server. Now, if the internal client tries to allow the name of the original resource, it will ask you to spend it on the internal DNS server, (naturally, the same domain client) and the one in the authoritative for zone zone server.
To solve this problem, you will have to register the correct entries in two zones, and the price will inevitably lead to the confusion of that additional routine. If you don’t care, then try for such a scenario to allow internal correspondents to open a corporate website without the www prefix. Zahalom filthy option does not require yoga vikoristovuvat.
Especially welcome to these administrators, who named their internal domains after the names of other people's famous public domains. I think that such a hemorrhoids in such a time is not necessary for you to explain your concerns.
3. The third situation. A flat name for a domain that consists of one word.
As the first two options can be experienced, then for flat domain names, the hour has come to introduce administrative punishment. Single-label domain (single-label domain, SLD) - the same domain, which can only take one name warehouse. I don’t know, but it’s been officially recognized for a long time that SLD domains are not guilty of cheating when prompting IT infrastructures.
When this information is given, such a Canadian button accordion, that you only wonder, the stars of the SLD domain are taken. http://support.microsoft.com/kb/300684.
What do I threaten? The presence of support from the side of Microsoft products is such a configuration. From fresh. Try installing Exchange 2010 SP1 on a domain with flat names, keep an eye out for those that don't support this configuration.
What is the correct domain name?
The clue is simple. Robiti uzgodzheniya expanse of names. Tobto, mayuchi domain site in real world, Active Directory domain work and sub-domain type corp.site. For such a layout, all problems disappear. І not obov'yazkovo work delegation of the DNS sub-domain to the original DNS server. If you want to know more, you can achieve the permission of names on the offending side. (From the internal borders of internal names, from the Internet internal names)
For those who don't think twice, it's good to send: http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx I'll commend you for reading this work.
MCP/MCT Illya Rud
At the end of 2015, the Internet has taken off the mass expansion, the skin company, which I respect for myself, has long had its own website. You don't need to go far - find a skin care clinic and find your own web resources. For one thing, sysadmins have not learned how to create normal names for their domains.
The price for a domain of another equal (for example, bissquit.com) is three times more than 500 rubles per river. It’s not enough to write for the great citizens, like you and me, and the right copies for companies, more so. I added my domain back before I got the idea to "cut" this blog. Tse just zmanochno. Vіzmemo navіt vіddalene connection via rdp - I'll enter the name of my domain, replace the total IP-address.
On the Internet, on the "active directory domain best practices" request, on the skin site, there are written recommendations on how to name AD domains and an explanation is given why it is necessary to do so. Let's take a look at the report about some recommendations to go:
- For the AD domain name, tag the subdomain of your officially registered organization domain.
You all understood correctly, only one joy. Tse everything! You can mirror a lot about the details and tribnі nuances, but 80-90% of the mirroring is made up to one single reason, voiced higher. All problems come from what a person knows, what is so necessary to work, but not to understand why it is impossible or not recommended to work in a different way. From this moment, report.
1. Why can't you win internal names like .local, .corp, .lan?
It's possible, it's possible. More yak you can. More of them themselves wink. I have a few known people who have 2000+ people in their organizations and win a domain.local. All problems will clear up, so that you can become a necessary reference AD domain. This can also be the case with vicarious hybrid gloomy larynxes (exchange buttstock + Office365). "Why not just rename the domain, even if it's still possible with the original version of AD?" - Ask you. So, in principle, you can, but you happen to be stuck with the folds of migration of domain-dependent services. Among them is the same Exchange and іn, but here і one Exchange is more and more sufficient.
2. "Ok, my real name is my-company.com, also called an AD domain" - also not an option. Blame the problem on other resources hosted at my-company.com, such as the company's website. That and before that, your DNS servers will not be authoritative for this domain, if you want to be like that. Tse also cause problems.
There are also other domain name mappings, including the creation of a similar real domain name in another TLD. And yet, there is no great sensation, so there is no work, even if some of the problems are all left alone, and there are simply no obvious advantages in the corp.my-company.com domain (it's taken as an example).
For lovers of work, everything in its own way, recently, there will be more problems with certificates, so there is no sense of winning internal names at once.
The choice of the name of the domain technically rests in a row, in which you write down the name of the creation of the AD domain and no more. However, in the end, if you cause the wrong choice of name, in the future you will have a lot of problems and that at the planning stage it is important to do everything right. Zayviy times it’s bad to read the stats of the buvalih admins
In a few cases before the administrator of the domain services, you may need to assign a task to rename a streaming domain. The reasons can be different, but such a situation is entirely possible. Irrespective of those that the task cannot be called trivial, but it’s sometimes necessary to stick with it, it’s important to do everything right, so that in a different situation the result may be critically unsafe, right up to a completely non-working corporate infrastructure. Also, in this article, you will know about the front lines for the next operation, the deduction, and also about those, how you can change your domain. First of all, let's not forget about it: don't change your domain in the laboratory environment, don't change your test domain away from the laboratory environment. Let's do it.
Front widows
Before that, start renaming your domain name on the next page:
- Functional rating for the Active Directory. It is only possible to change the task from renaming domains in that case, as all domains in the forest are equipped with at least the Windows Server 2003 operating system (the editors have no such exchanges). Moreover, the functional level is to be blamed for the upgrade to the level of Windows Server 2003. If you have the functional level of Windows Server 2000, then the offensive operation will become impossible;
- Domain placement. Lіsі Active Directory may have different domain names. Tobto, you can either use an okremy domain, or you can include child domains. If you change the domain controller's status in the middle of the forest, you will have to create a trusted blue;
- DNS zone. Even before the renaming operation, the domain needs to create a new DNS zone;
- Administrative data. For vikonanny operation renaming the domain you are guilty of vikonati entered to the system under the administrative oblіkovym record, which is a member of the group of enterprise administrators (Enterprise Admins);
- Distributed File System (DFS) servers. Yakshcho, at your corporate cortical Social Service, the operation of the DFS School of Lalashtovani Profіlі, Shcho to shift, then I am the respect for those Korenevi dfs-Service of the Mini, PID Keruvanni systems of the Windows Servers 3 abolia ;
- Inconsistency with Microsoft Exchange Servers. The most important moment is that if your Active Directory mailbox fires up the Microsoft Exchange Server 2003 Service Pack 1 mail server, then the domain rename will be deleted without any problems, but the coristuvach record will be renamed, if the process of renaming the domain is a member of the group Full Exchange Administrator. All of the most recent mail servers (including those from Exchange Server 2016) are insane with domain rename operations.
Also, pay respect to those who, for an hour, rename the domain and are guilty of freezing all possible operations with the configuration of the Active Directory file. In other words, it is your fault that the configuration of your file is not changed by the dot, the operation to rename the domain will not be completed again (I will report the information about the change of the domain below). До таких операцій можна віднести: створення або видалення доменів всередині вашого лісу Active Directory, створення або видалення розділів каталогу додатків, додавання або видалення контролерів домену в лісі, створення або видалення встановленої безпосередньої довіри, а також додавання або видалення атрибутів, які будуть репліковані в глобальний catalog.
About all sorts of things, I’ll please you again by creating a new backup copy of the system on the skin controller domain in the Active Directory. At the time of vikonannya tsgogo zavdannya, tsya oberezhnіst definitely will not be a zayvo.
In that case, as your infrastructure has changed to a more important proxy and all necessary backup copies have been made, you can reverse the process of renaming the domain.
The process of renaming an Active Directory domain
For the cob, in order to change the name of your domain on the cob, you can check the authority of the system. As you can see from this illustration, my domain name is "Biopharmaceutic.local":
Rice. 1. Verification of the mail name of the Active Directory domain
Now we need to create a new DNS zone “biopharm.local” so that after a successful rename of the domain, your private servers and clients can easily access the new domain name. For whom you wish DNS Manager» ( DNS Manager) and changing into “ Direct view zones» ( Forward Lookup Zone) select the option to create a new zone. In fact, the zone is created like a dream: on the first side, the master created a new zone, read the introductory information and go to the other side. On the side of the zone type, select the main zone ( Primary Zone) and pay attention to those who have activated the zone saving option in Active Directory. On the side of the replication area, the following option is left out, selected for locking - " For all DNS servers that work on domain controllers in this domain: Biopharmaceutic.local» ( On all DNS servers, they are monitored by home controllers in any booth: Biopharmaceutic.local). On the side of the zone name, enter the new domain name (biopharm.local), and on the side of the dynamic update, also leave the option " Allow more secure dynamic updates (recommendations for Active Directory)» ( Allow only secure dynamic updates (recommended for Active Directory)), yak was taken for zamovchuvannyam. Dekіlka etapіv sstanovlenija novі ї zone you can see below:
Rice. 2. Creation of a new DNS zone
The next step is to rename the domain to create a description of the flow become a fox. In fact, this is the first operation to rename the domain, in which there is a command line utility Rendom. For the help of this utility, a text description of your streaming structure will be generated in the form of an XML file with the Domainlist.xml names. This file should include a list of all distributions in the domain directory, as well as distributions in the program directory, which are found in your Active Directory. Skin record for skin distribution to the domain directory and XML tagging program
To create such a file, use the following command line and in the new viconate the command “ random /list". The generated file will be saved in the root directory of the koristuvach's oblique record. They gave you the need to open the file for the help of a text editor.
In the middle of the file, you need to change the name of the domain in the middle of the section, as it is surrounded by tags
On the next illustration, you can see the process of seeing the next command, rewriting the Domainlist.xml file and changing it for the first section of the file. In my case, my domain name in this configuration will be changed 4 times:
Rice. 3. Generating and changing the Domainlist.xml file
In order to reconcile that you have made the necessary changes to the original file, you can type the command " random/showforest". Like you are on the next illustration, all my entries have changed to Bopharm:
Rice. 4. Review of potential changes
When vikonannі offensive team ( random /upload) the Rendom utility translates the new structure of the file, specified in the edited file, into a sequence of instructions for updating the directory, so that it can be run locally and remotely on the skin controller domain in the file. To put it simply, at what stage in the distribution of the domain naming master configuration directory will changes be made to rename the Active Directory domain. First of all, a Dclist.xml file will be created, which will be used to check progress and become a skin controller for the domain in the forest for the operation of renaming the domain. Otherwise, at this point, the Rendom utility will freeze your Active Directory after changes have been made to the current configuration. The process of typing the command can be seen below:
Rice. 5. Wicking the rendom/upload command
The next command is checked to check the readiness of domain controllers before renaming the domain. At the end of the hour of the end of the next stage, you are to blame, run the command to prepare the reverification skin controller domain in lisi. It is necessary to ensure that the Active Directory database on the skin controller domain in the forest is in the correct state and is ready to be changed so that your domain can be changed. Otzhe, hit the command random /prepare”, as broken down on the next illustration:
Rice. 6. Preparing the domain before renaming
The most important moment. Vikonannya command " random /execute". Under the hour of vikonannya tsієї commands on the domain vikonuyutsya instructions how to rename the domain. As a matter of fact, at this moment you are sent to the domain skin controller in the text individually, which changes the domain skin controller to follow the instructions for renaming the domain. After the end of the operation, the skin controller of the domain will be revanquished. The process of renaming the domain to marvel at the next illustration:
Rice. 7. Domain rename process
But still not all. Irrespective of what your domain is, in fact, even renames, you can still set up a group policy object to be corrected after the domain rename operation is completed. To update group policy objects, as well as send GPO to a skin renamed domain, use the command line utility gpfixup.exe. You can't mess with the procedure through those that, without її twisting, after the completion of the operation of renaming the domain in the new list, the group policy simply does not function correctly. Please note that this command can only be run once on a skin-renamed domain. Father, hit the command once gpfixup with parameters /olddns:Biopharmaceutic.local(old name of the domain you renamed) that /newdns:Biopharm.local(new the name of the renamed domain), and then the command gpfixup with parameters /oldnb:Biopharmaceuticі /newnb:Biopharm(depending on the old and new NETBIOS name of your domain). The procedure can be seen below:
Rice. 8. Correction of group policy objects
Vikonati lost two more teams: command random/clean”, which allows you to see all messages sent to the old domain names in the middle of your Active Directory, as well as the command “ random/end”, which, in fact, unfreezes the Active Directory after making changes to the same configuration. The process of following these commands can be seen in the following illustration:
Rice. 9. Complete renaming of the Active Directory domain
In order to change zastosovuvalis on a number of servers and terminal clients, you happen to re-vantagize their computers. However, you will need to change the domain controller manually. As you can see from the attacking illustration, the name of my domain controller has become old.
What is a domain controller
The domain controller ensures centralized management of fenced-in buildings, that is, domains. The controller collects all the information from the oblique records and the parameters of the data sheet. These are the parameters of security, local politics and many others. Tse, in its own way, is a server, which is more controllable than merezhu chi merezhu group. A domain controller is a kind of typing of special software that enables the launch of other Active Directory services. Domain controllers work under certain operating systems, such as Windows Server 2003. The Active Drive installation wizard allows you to create domain controllers.
In the Windows NT operating system, the main domain controller is chosen as the main server. Other servers are vikorated as backup controllers. The main controllers of the PDC can change the order related to membership in groups, change passwords, add passwords and many others. After that data is transmitted to the additional BDC controllers.
As a domain controller, the Samba 4 software can be installed, as if the Unix operating system is installed. This software also supports other operating systems, such as windows 2003, 2008, 2003 R2 and 2008 R2. The skin of the operating systems can be expanded in the field depending on specific factors and parameters.
Domain controller logging
Domain controllers are victorious with rich organizations, in some distribution of computers, connected to each other. The controllers save catalog data and control the entry and exit of the system, as well as managing the interaction between them.
Organizations, like the domain controller, need to win, check the links, plan the archiving of data, physical security, update the server and other necessary tasks.
If the company or the organization is small and in this country there is only one domain line, it is enough to win two controllers, as a building to ensure high stability, water quality and high level of availability of the measure. At the borders, which are divided into a single number of sites, one controller is installed on the skin of them, which allows access to the necessary practicality and superiority. Zavdyaki vykoristannyu kontrollerіv on the skin site, you can significantly increase the input of coristuvačіv to the system and robiti yogo shvidshim.
Merezhevy traffic can be optimized to increase it, it is necessary to set the replication update time, if the traffic on the merezh will be minimal. The establishment of replication allows you to significantly forgive the robot and make it productive.
It is possible to achieve maximum productivity in the controller's robot in that way, as the domain will be a global catalog, which will allow you to query whether objects are for a specific vag. It is important to remember that the inclusion of the global catalog causes a significant increase in replication traffic.
It is better not to turn on the domain controller of the master, as more than one domain controller is won. When a domain controller wins, it’s important to take care of security, so that the wine becomes quite accessible to evil-doers, as if it’s possible to get the money necessary for deception.
Features of installing additional controllers in a domain
In order to reach a higher level of reliability in the work of the necessary merging services, it is necessary to install additional domain controllers. As a result, you can achieve significantly more high stability, reliability and safety in robots. In such a time, the company code will become a significant thing, which is an even more important parameter for organizations, like winning a domain controller.
In order for the domain controller to work correctly, it is necessary to do the preparation work. The first thing you need to do is to check the TCP/IP settings, the stench may be set correctly for the server. It's more important to check DNS names for setting.
For secure operation of the domain controller, it is necessary to fix the NTFS file system, which provides more high security in parity with FAT 32 file systems. Also, access to the DNS server from the server is required. The DNS service is installed on any additional server that can support resource records.
In order to set up the domain controller correctly, you can turn on the master master, for the help of which you can add singing roles. For whom it will be necessary to go to the administrative division through the administration panel. As a server role, it is necessary to assign a domain controller.
The domain controller for today is indispensable for the businesses and sites, which correspond to different organizations, established by the company in all areas of activity. Zavdyaki youmu is safe at a high level of productivity in robots and that safety, as in computer systems can be especially important. The role of the controller of the domain is very important, the shards allow you to control the areas of the domain that are located on the computer networks. The skin operating system has a few nuances that are related to the robot controllers of the domain, but the principle and its recognition are the same, so it’s not so easy to figure out how to fix it, as it’s on the cob. Tim is not less, it’s important, so that fakhivts were engaged in fixing the controllers of the domain, in order to achieve high productivity and security for an hour of work.
