Thread: Running an Independent Active Directory

Running an Independent Active Directory
2006-08-17 17:49:15
Hi Jack,

This is most likely a DNS issue. The DC needs to register (at a minimum) SRV and A records for itself, and needs to publish a GUID so your machines can find a global catalog. Host files only tell machines to resolve somewhere, but Active Directory needs much more than this because AD uses DNS to advertise services.

Pardon the shameless plug, but you'd be better off (and save a lot of time) by joining CalNet AD, which is a free service.

Thanks,
John
Jack Burris wrote, On 8/17/2006 10:31 AM:
> For various reasons, for the time being, our lab has chosen to not join the campus AD. It certainly is in the future, but for now, we're working on setting up about fifty workstations in a lab environment where drop-in users can log in, get at their files on the network drive, and do printing which Pcounter does the accounting for.
>
> The problem I keep running into is when I try and join one of the workstations to the one and only DC, the workstation doesn't see the domain on the network (and because it's not really a registered domain, I have added the IP/host in the HOSTS file for the workstation).
>
> I HAVE set up the DC (a Windows 2003 Server) to run its own domain in its own domain. I HAVE also set it up as a DNS and pointed the workstation to it for DNS resolution.
>
> Still no luck.
>
> Is there something on the campus network keeping this connection from happening?
>
> By the way, this issue happens with or without the firewalls on both machines off.
>
> Thanks,
> Jack Burris
> SSCL
--
John E. Weber
Microsoft Certified Systems Engineer
Infrastructure Services - OneIST
Campus Active Directory Architect, CalNet Active Directory
University of California, Berkeley
johnweber@berkeley.edu
2195 Hearst Avenue, #300B-07
(510) 642-8426
http://calnetad.berkeley.edu
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to or unsubscribing from its mailing list and finding out about upcoming meetings, please visit the Micronet Web site: <http://micronet.berkeley.edu/>.

Running an Independent Active Directory
2006-08-17 18:30:08
John E. Weber wrote:
> Hi Jack,
>
> This is most likely a DNS issue. The DC needs to register (at a minimum) SRV and A records for itself, and needs to publish a GUID so your machines can find a global catalog. Host files only tell machines to resolve somewhere, but Active Directory needs much more than this because AD uses DNS to advertise services.
This is all true. Note that when you create a DC, it creates a file called \WINDOWS\SYSTEM32\CONFIG\NETLOGON.DNS containing all the DNS records that you'd need to add to a DNS server in order for all this to work correctly.

Right now I'm running both my own Active Directory and DNS server, and have been doing so for about 4 years. This has all worked great, partially because I've been using Windows Active Directory integrated DNS servers so all this happens automagically. However, I'm very close to giving up running DNS servers in favor of using the campus DNS servers, so I'm planning on making use of the NETLOGON.DNS files when I add DCs.

> Pardon the shameless plug, but you'd be better off (and save a lot of time) by joining CalNet AD, which is a free service.

Switching over to this will be my next step. Things are a little more difficult when it comes to having student PC labs with accounts using roaming profiles, but Mike Blasingame assures me that there are solutions for all this, and I believe him. There are two main reasons why this would be a good thing: 1) CalNet AD has a bunch of high end redundant equipment to run the AD, and presumably people around all the time in case of problems; 2) maintaining computer accounts for ~1000 students is a big pain so I'd rather use the campus directory.
Cordially,
--
Jon Forrest
forrest@ce.berkeley.edu
Computer Resources Manager
Civil and Environmental Engineering Dept.
305 Davis Hall
Univ. of Calif., Berkeley
Berkeley, CA 94720-1710
510-642-0904
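The point John and Jon make above (a DC is found through the SRV records it publishes, and NETLOGON.DNS lists exactly those records, while a HOSTS file can only supply A records) can be checked offline. What follows is an added example written for this page, not code from the thread, from Microsoft or from CalNet AD: it parses zone-file-style lines in the format NETLOGON.DNS uses, parses a HOSTS file the way Jack's workstation would see it, and reports which DC-locator names a client could not find. The domain lab.example.edu, the host dc1, the address 10.20.30.5 and both GUIDs are constructed for illustration; the list of required names is the minimum for a single-domain forest and leaves out the site-specific and _udp variants.

```python
"""Offline check of the DNS records an AD client needs to locate a DC.

Added example, not code from the thread: parses zone-file-style lines in the
format NETLOGON.DNS (under System32\\config) uses, plus a HOSTS file, and
reports which DC-locator names a client could not find.  The domain
lab.example.edu, host dc1, address 10.20.30.5 and both GUIDs are made up.
"""
import re
from typing import Dict, List, Tuple

Record = Tuple[str, str, Tuple[str, ...]]  # (owner, rtype, rdata fields)

# Constructed sample in NETLOGON.DNS format (hypothetical names and GUIDs).
NETLOGON_DNS = """\
lab.example.edu. 600 IN A 10.20.30.5
_ldap._tcp.lab.example.edu. 600 IN SRV 0 100 389 dc1.lab.example.edu.
_ldap._tcp.Default-First-Site-Name._sites.lab.example.edu. 600 IN SRV 0 100 389 dc1.lab.example.edu.
_ldap._tcp.pdc._msdcs.lab.example.edu. 600 IN SRV 0 100 389 dc1.lab.example.edu.
_ldap._tcp.gc._msdcs.lab.example.edu. 600 IN SRV 0 100 3268 dc1.lab.example.edu.
_ldap._tcp.dc._msdcs.lab.example.edu. 600 IN SRV 0 100 389 dc1.lab.example.edu.
_ldap._tcp.5b1d3f8a-2c4e-4f11-9a77-0e6d2c3b4a55.domains._msdcs.lab.example.edu. 600 IN SRV 0 100 389 dc1.lab.example.edu.
_kerberos._tcp.lab.example.edu. 600 IN SRV 0 100 88 dc1.lab.example.edu.
_kerberos._udp.lab.example.edu. 600 IN SRV 0 100 88 dc1.lab.example.edu.
_kpasswd._tcp.lab.example.edu. 600 IN SRV 0 100 464 dc1.lab.example.edu.
_gc._tcp.lab.example.edu. 600 IN SRV 0 100 3268 dc1.lab.example.edu.
gc._msdcs.lab.example.edu. 600 IN A 10.20.30.5
a9c0e7d2-11b3-4d6f-8e2a-77c5b1f0d9e4._msdcs.lab.example.edu. 600 IN CNAME dc1.lab.example.edu.
"""
# The DC's own host A record is NOT in NETLOGON.DNS; the host registers it itself.
DC_HOST_A = "dc1.lab.example.edu. 1200 IN A 10.20.30.5\n"

# Constructed HOSTS file of the kind Jack added on the workstation.
HOSTS_FILE = """\
# hosts file (constructed)
10.20.30.5  dc1.lab.example.edu  lab.example.edu
"""


def parse_zone_lines(text: str) -> List[Record]:
    """Parse '<owner> <ttl> IN <type> <rdata...>' lines; skips blanks and ; comments."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 5 or f[2].upper() != "IN":
            raise ValueError(f"unrecognised record line: {line!r}")
        records.append((f[0].lower().rstrip("."), f[3].upper(), tuple(f[4:])))
    return records


def records_from_hosts_file(text: str) -> List[Record]:
    """What a HOSTS file can contribute: A records only, never SRV."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        records.extend((n.lower().rstrip("."), "A", (ip,)) for n in names)
    return records


def required_locator_names(domain: str) -> Dict[str, str]:
    """Minimum SRV owners the DC locator queries when the domain is also the
    forest root (site-specific and _udp variants are left out)."""
    d = domain.lower().rstrip(".")
    return {
        f"_ldap._tcp.{d}": "any DC, LDAP",
        f"_ldap._tcp.dc._msdcs.{d}": "any DC, used by domain join",
        f"_ldap._tcp.pdc._msdcs.{d}": "PDC emulator",
        f"_kerberos._tcp.{d}": "KDC",
        f"_kpasswd._tcp.{d}": "Kerberos password change",
        f"_gc._tcp.{d}": "global catalog",
        f"_ldap._tcp.gc._msdcs.{d}": "global catalog, forest-wide",
    }


def check_locator_records(records: List[Record], domain: str) -> Dict[str, List[str]]:
    """Report locator SRV names that are absent and SRV targets with no A record."""
    srv_targets: Dict[str, set] = {}
    a_owners = set()
    guid_srv = False
    for owner, rtype, rdata in records:
        if rtype == "SRV" and len(rdata) == 4:
            srv_targets.setdefault(owner, set()).add(rdata[3].lower().rstrip("."))
            # _ldap._tcp.<DomainGuid>.domains._msdcs.<forest>: the GUID John mentions
            if re.match(r"_ldap\._tcp\.[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.domains\._msdcs\.", owner):
                guid_srv = True
        elif rtype in ("A", "AAAA"):
            a_owners.add(owner)
    missing = [f"{name} ({why})" for name, why in required_locator_names(domain).items()
               if name not in srv_targets]
    if not guid_srv:
        missing.append(f"_ldap._tcp.<DomainGuid>.domains._msdcs.{domain} (domain GUID)")
    unresolved = sorted({t for ts in srv_targets.values() for t in ts if t not in a_owners})
    return {"missing": missing, "unresolved_targets": unresolved}


if __name__ == "__main__":
    print("zone:", check_locator_records(parse_zone_lines(NETLOGON_DNS + DC_HOST_A), "lab.example.edu"))
    print("NETLOGON.DNS alone:", check_locator_records(parse_zone_lines(NETLOGON_DNS), "lab.example.edu"))
    print("hosts file only:", check_locator_records(records_from_hosts_file(HOSTS_FILE), "lab.example.edu"))
```

Run against the full zone the check is clean; against NETLOGON.DNS alone it flags dc1 as an SRV target with no A record, which is why a zone built only from that file still needs the DC's own host record; against the HOSTS file it reports all eight locator names missing, which is the failure Jack describes. On a live network the same names are what `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` or `nltest /dsgetdc:<domain>` on the workstation would have to return before the join can succeed.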

Running an Independent Active Directory
2006-08-17 19:09:56
Hi John,
Thank you for your wonderful vote of confidence! :~)
With a couple of exceptions, student user objects are made
available to all OU administrators in the CalNetAD forest as
a 'shared resource'. When students log on to computer
objects in an OU, the OU Administrator can use loopback
processing of Group Policy to apply user settings for these
student accounts that are not in their OU.
Loopback processing does not allow roaming profiles.
However, you can use folder redirection to obtain *most* of
the benefits of roaming profiles.
Does this change your vote?
Thanks,
-Mike Blasingame

Running an Independent Active Directory
2006-08-17 19:30:36
On Thu, 17 Aug 2006, Mike Blasingame wrote:
[...]
> Loopback processing does not allow roaming profiles. However, you can use folder redirection to obtain *most* of the benefits of roaming profiles.
[...]
If you have more than a couple of hundred distinct users on a given workstation you have to think about controlling local profile bloat. It mainly boils down to either restricting things like browser cache size and erasing on logout, or just erasing the profile completely. Logon/off scripts help a lot.

We map the Desktop and My Documents to the file server. We also create a drive letter mapping on logon that points to the individual's filespace for some applications that work better that way.
Graham
--
Graham Patterson, System Administration
Dept. of Economics, UC Berkeley (510)643-5397

Running an Independent Active Directory
2006-08-17 19:40:29
Here at the Law School, we've used campus AD for our
student lab since the campus AD started (2003?). For this
semester we're moving our students from using windows file
share based home directories to the campus WebFiles service.
We purchased the client software from Xythos to make the
drive map just like a regular windows drive mapping so to
the students it should be nearly seamless. This eliminates
our need to maintain a file server for student data and lets
our students take advantage of the free 50Mb that WebFiles
gives them (though we did pay IST to have their quotas
increased).
I expect that next year we will ditch roaming profiles
entirely and just use loopbacks because the profiles become
less and less useful to our students each year as more
applications move to the web. Right now it's really just IE
bookmarks and some Office preferences. Once that's done, we
won't need to take ownership of the student objects and all
we'll need to do is add the community student objects into
the right groups so they have permissions. It couldn't be
easier, and I look forward to spending about 10 minutes to
set up our 1000+ students every year.
In addition, moving to WebFiles means that we don't have to
deal with giving all of our students the campus VPN software
and helping them set it up to access files from home.
Ryan