Active Directory: The need for AD controllers

In this series, Active Directory expert Laura E. Hunter helps readers with problems such as creating a new AD domain and distinguishing between Windows Server 2000 and 2003.


The following is a collection of expert responses to reader questions by Laura Hunter.

We are going to rebuild our Windows 2003 Active Directory Servers. Our AD servers are currently being used as SMS and antivirus servers also. I have talked to others and have been advised that the AD should have AD controllers only. I cannot find anything on the Microsoft Web site to support this comment. Your input is appreciated. Thanks in advance.

Laura Hunter: While it's not a hard-and-fast rule, most AD administrators will tell you that a domain controller should not run other applications. Since your domain controllers are the "keys" to your network "kingdom", you should do your best to isolate them from attack. By adding additional applications to run on a DC, you are increasing the number of ways that a malicious user can attack that DC. Depending on the size of your network, having dedicated domain controllers may also improve performance in terms of user authentication, logon times, etc.
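The answer above argues for keeping domain controllers free of other workloads; the script below is an added example (not part of the column) that reports what a DC is running besides AD DS and DNS, so that co-located roles such as SMS or antivirus can be found and moved to member servers. It assumes Windows Server 2012 or later (ServerManager module, Get-CimInstance, Get-NetTCPConnection), local administrator rights on the DC, and an allow-list of expected roles that is only a placeholder for the organisation's own baseline.

```powershell
# Added example, not from the column: inventory of what a domain controller carries beyond
# AD DS and DNS. Assumes Windows Server 2012+ and local admin rights on the DC under review.
Import-Module ServerManager

function Get-DcSurfaceReport {
    # Roles a DC is expected to carry; anything else installed is reported.
    # This allow-list is an assumption for the example, not a Microsoft baseline.
    param([string[]] $ExpectedRoles = @('AD-Domain-Services', 'DNS'))

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC; lower values are not DCs.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.DomainRole -lt 4) {
        Write-Warning "$($cs.Name) is not a domain controller (DomainRole=$($cs.DomainRole))"
    }

    # 1. Installed server roles outside the expected set
    $extraRoles = Get-WindowsFeature |
        Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -notin $ExpectedRoles } |
        Select-Object Name, DisplayName

    # 2. Services whose binary lives outside the Windows directory: usually third-party agents.
    #    Some Microsoft components under Program Files will appear too, so review each hit.
    $thirdPartyServices = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and (($_.PathName -replace '"', '') -notlike "$env:SystemRoot*") } |
        Select-Object Name, State, StartMode, PathName

    # 3. Listening TCP ports mapped to their owning process, to spot listeners a DC does not need
    $listeners = Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $_.LocalPort
                Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
                Pid     = $_.OwningProcess
            }
        }

    [pscustomobject]@{
        Computer           = $cs.Name
        IsDomainController = ($cs.DomainRole -ge 4)
        ExtraRoles         = @($extraRoles)
        ThirdPartyServices = @($thirdPartyServices)
        Listeners          = @($listeners)
    }
}

$report = Get-DcSurfaceReport
"Extra roles on $($report.Computer):";     $report.ExtraRoles         | Format-Table -AutoSize
"Services outside the Windows directory:"; $report.ThirdPartyServices | Format-Table -AutoSize
"Listening TCP ports:";                    $report.Listeners          | Format-Table -AutoSize
```

Every role, service or listener the report shows is a candidate for relocation; each one is code that runs with access to the directory database and, through the service account, often with privileges a member server would never hold.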

Could you briefly outline for me what the major differences are between Windows Server 2003 and Windows Server 2000?

LH: Windows Server 2003 has made a number of improvements over Windows 2000, particularly in the area of security and Active Directory internals. For a detailed look at the new features available in 2003, check out the links on this page from Microsoft's Web site. This is a portal page that will take you to different pages detailing the new features in File & Print Services, security, Active Directory and more.

I need a step-by-step lesson on creating a trust between two AD domains. Let's say I have two domains:

1. web.agni.com (FQDN) Windows 2003 Server
2. web1.jis.com (FQDN) Windows 2000 Server

When I used the dcpromo command in both the servers it created separate domains as well as a separate DNS for each. Right now I want to create a trust relationship between these two domains. Can you help?

LH: To create a trust between a Windows Server 2000 and a Windows Server 2003 domain, you'll need to configure an external trust, as described here.
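The link the answer points to is no longer on the page, so the following is an added example (not the column's own steps) of creating and checking the external trust with netdom.exe, using the two domain names from the question. It assumes netdom is available (Windows Server support tools or RSAT), that it is run as a Domain Admin in web.agni.com, and that Domain Admin credentials for web1.jis.com are supplied at the prompts.

```powershell
# Added example, not from the column: two-way external trust between the two domains
# named in the question, created with netdom.exe from the Windows Server 2003 side.
$trusting = 'web.agni.com'     # Windows Server 2003 domain (the side this is run from)
$trusted  = 'web1.jis.com'     # Windows 2000 domain (remote side)
$userD    = "$trusted\Administrator"   # account with rights in the trusted domain (placeholder)
$userO    = "$trusting\Administrator"  # account with rights in the trusting domain (placeholder)

# Create the trust. /passwordD:* and /passwordO:* prompt for the passwords instead of
# putting them on the command line, where they would end up in shell history and logs.
netdom trust $trusting /d:$trusted /add /twoway /userD:$userD /passwordD:* /userO:$userO /passwordO:*

# Verify that the secure channel for the trust is healthy
netdom trust $trusting /d:$trusted /verify

# Show the SID-filtering (quarantine) setting; with no value given, netdom prints the current
# state. Leaving it enabled keeps SIDs from the other domain's SIDHistory from being honoured.
netdom trust $trusting /d:$trusted /quarantine

# List the trusts the local domain now knows about
nltest /domain_trusts
```

Because the Windows 2000 domain is a separate forest, only an external (non-transitive) trust is possible here; the quarantine check matters because an external trust is a path into your forest for anyone who controls the other domain.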

We are currently using a Windows 2000 server. The Active Directory name is the same name as our Web site that is being hosted elsewhere. This is a problem because in the office when we try to go to our Web site it goes to our server instead and we can't get to our site from there. Can I change the AD name without messing things up? If so how?

LH: There isn't a very good way to rename a Windows 2000 domain. However, you should be able to have a website like www.company.com that is accessible even if it's not being hosted externally from your internal AD network. You should verify how the DNS records for your internal AD domain and the web server are configured, particularly any CNAME records that are referencing the www hostname.
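The answer says to compare the internal AD zone's records with where the public site actually lives; the script below is an added example (not from the column) that does that comparison. It assumes the DnsClient and DnsServer PowerShell modules (Windows Server 2012 or later, or RSAT), read access to the zone, and uses placeholder zone, host and server names. The remediation at the end is a common fix shown with -WhatIf, not a step the column prescribes.

```powershell
# Added example, not from the column: find out why www.<AD domain> resolves to the DC inside
# the office, and show the zone records that decide it. Names below are placeholders.
$zone        = 'company.example'        # AD domain name that is also the public web domain
$webHost     = 'www'                    # hostname that should reach the externally hosted site
$internalDns = 'dc01.company.example'   # DC/DNS server that office clients use
$publicDns   = '8.8.8.8'                # any public resolver, used only for comparison
$fqdn        = "$webHost.$zone"

function Get-ARecordIPs([string] $Name, [string] $Server) {
    # Query one server directly, bypassing the local cache and hosts file
    $answers = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction SilentlyContinue
    @($answers | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
}

$internalIPs = Get-ARecordIPs $fqdn $internalDns
$publicIPs   = Get-ARecordIPs $fqdn $publicDns
"Internal answer for $fqdn : $($internalIPs -join ', ')"
"Public answer for $fqdn   : $($publicIPs -join ', ')"

# Records in the internal zone that can steer www: an A or CNAME for 'www' itself, and the
# zone-apex ('@') A records that every DC registers for the domain name. A 'www' CNAME that
# aliases the apex sends browsers to a domain controller instead of the web site.
$zoneRecords = Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $internalDns |
    Where-Object { $_.HostName -in @($webHost, '@') -and $_.RecordType -in @('A', 'CNAME') }
$zoneRecords | Select-Object HostName, RecordType, @{ n = 'Data'; e = {
        if ($_.RecordType -eq 'A') { $_.RecordData.IPv4Address.IPAddressToString }
        else { $_.RecordData.HostNameAlias } } } | Format-Table -AutoSize

$sameAnswer = (($internalIPs | Sort-Object) -join ',') -eq (($publicIPs | Sort-Object) -join ',')
if ($publicIPs.Count -gt 0 -and -not $sameAnswer) {
    "Mismatch: office clients are not being sent to the public web host."
    # Common remedy (an assumption for this example): publish an explicit A record for www in
    # the internal zone pointing at the external web server, after removing any CNAME for www
    # that aliases the zone apex. -WhatIf only reports; drop it to apply the change.
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $webHost -IPv4Address $publicIPs[0] `
        -ComputerName $internalDns -WhatIf
}
```

The apex records are the usual culprit: they exist so that clients can find a DC by domain name, so the fix is to give www its own record rather than to touch the apex.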

I have a simple NT domain in one location with 60 user accounts configured as shown.

1 PDC (NT 4.0 SP6a)
1 BDC (NT 4.0 SP6a)
1 Windows 2000 member server

Here is my question: If I upgrade my PDC to a Windows 2003 server should I create it as a new domain in a new forest? My current domain name is welkernet.com and I am not sure if the new 2003 DC should have the same domain name or a different one.

LH: You can perform an in-place upgrade from NT4 to Windows Server 2003 without needing to create a brand new forest and domain. I would recommend installing a new NT4 server and temporarily configuring it as your PDC so that you are performing the upgrade on a "clean" machine. See the upgrade center here for white papers and details on the NT4-2003 upgrade process.

Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valuable Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at laurahcomputing@gmail.com.

This was first published in March 2006
