Do I need "ad" as a part of the name

activedirectory
v7

(Thorsten) #1

NethServer Version: 7.5
Module: Users and Groups

Hi:

Due to multiple errors I receive at the moment, I decided to do another clean installation.
My first step was to Install an AD which is required for Users and Groups. My Server FQDN is name.mydomain.tld. I left out the suggested “ad.” before mydomain.tld. The set up ended with an error, however AD is accessible from ldap admin. Do I need the “ad.” at all?

Thank you and best regards
Thorsten


(Rob Bosch) #2

The "ad" part is not mandatory. But if you use a FQDN that also is available somewhere on the internet, you may run into unwanted situations. Therefore it is recommended to use a unique FQDN for the active directory domain.

Think of a situation where you have a registered domain.tld as domain name. If you have, for instance, a mailserver running on a remote server with the name mail.domain.tld and the A record for that server is at your domain registrar, you might get weird resolving problems when you use domain.tld as your AD domain on your local LAN.

More info:
https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and/



(Thorsten) #3

Dear Rob,

Thanks, that helps to understand. I found some articles on best practice on how to assign domain names. But as a non-native English person it is a little difficult to interpret correctly.

My setup should be as follows:
Server1 - proxmox VE (physical machine)
Server2 - FreeNAS for ISCSI devices (physical machine)
Server3 - Nethserver running on Server 1 w/wo HDD using Server 2
Server4 - some other server running on Server 1 w/wo HDD using Server 2
Infrastructure1 - e.g. physical Router
Infrastructure2 - e.g. physical Switch
Infrastructure3 - e.g. physical AP1
Infrastructure4 - e.g. physical AP2

Setup requires to have Infrastructure 1-4 in place. Server1 and 2 must be installed first. Afterwards any other Server can be put online. Server 3 (Nethserver) will run the AD.
Consequently, when owning mydomain.tld, the AD domain will be ad.mydomain.tld.
So before even starting the AD, the following names shall be defined for each (physical / virtual) device in this order:
Infrastructure1 - myrouter01.ad.mydomain.tld
Infrastructure2 - myswitch01.ad.mydomain.tld
Infrastructure3 - myap01.ad.mydomain.tld
Infrastructure3 - myap02.ad.mydomain.tld
Server1 - myserver1.ad.mydomain.tld
Server2 - myserver2.ad.mydomain.tld
Server3 - myserver3.ad.mydomain.tld
-> Firing up AD as ad.mydomain.tld
Server4 - …

Is this correct or is this nonsense?

THX
Thorsten


(Rob Bosch) #4

Why is it necessary to add the ProxMox (physical) server as client in AD? Same for Server 2.
Since Server3 will be hosting AD (Samba4 container), NethServer will automagically join AD when creating Active Directory.
Also your infrastructure. There is no (technical) reason why your router, switch and AP’s should be added as AD clients.

It will make a lot more sense that other clients (laptops, pc’s etc) join AD as clients. And of course all users that will use your infrastructure.
You could argue that the NAS should join AD to be able to use the user accounts of AD. Most NASes (like Synology etc.) support AD and are able to validate against AD for credentials.


(Thorsten) #5

Dear Rob,

at least for Proxmox I do have an answer :slight_smile:
ProxMox can take advantage of AD to set user permissions.
By the way, could you by chance tell me the difference between Realm and Domain?


(Rob Bosch) #6

Have a look at your NS webinterface and navigate to Status / Domain Accounts and you will have the answer to that.


(Thorsten) #7

So following the docs provided, suggestion is e.g.
Supposing a name rule PS = physical Server; VS = Virtual Server; IS = Infrastructure

PS01.mydomain.tld -> ProxMox
PS02.mydomain.tld -> Freenas
VS01.mydomain.tld -> Nethserver
IS01.mydomain.tld -> Router
IS02.mydomain.tld -> Switch …

while Nethserver fires up ad.mydomain.tld

Is this what you mean?
THX
Thorsten


(Rob Bosch) #8

IF you want them part of your (Samba4) Active Directory domain, you should name them as servername.ad.domain.tld if your AD REALM is ad.domain.tld.
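A small checker for the two rules discussed in this thread (pick a realm that does not collide with your public zone, and name AD members under that realm). This is an added example, not NethServer or Samba code; the zone, realm and host names are constructed, and the NetBIOS derivation mirrors Samba's default of taking the first realm label.

```python
"""Sanity-check a proposed AD naming plan (added example, not NethServer code)."""
import re
from typing import Dict, List, Set

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; max 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def labels(name: str) -> List[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def is_under(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def netbios_name(realm: str) -> str:
    """Short (NetBIOS) domain name Samba derives by default: first label, upper-case, max 15 chars."""
    return labels(realm)[0].upper()[:15]


def check_plan(registered_zone: str, ad_realm: str,
               public_names: Set[str], hosts_to_join: Dict[str, str]) -> List[str]:
    """Return findings for a plan; an empty list means the plan is consistent with the thread's advice."""
    findings: List[str] = []
    realm = labels(ad_realm)
    if len(realm) < 2:
        findings.append(f"realm '{ad_realm}' is a single label; use something like ad.{registered_zone}")
    for lbl in realm:
        if not LABEL_RE.match(lbl):
            findings.append(f"realm label '{lbl}' is not a valid DNS label")
    if realm == labels(registered_zone):
        findings.append(f"realm equals the public zone '{registered_zone}': AD DNS becomes authoritative "
                        "for it on the LAN, so every public record must be duplicated internally")
    elif not is_under(ad_realm, registered_zone):
        findings.append(f"realm '{ad_realm}' is not under '{registered_zone}'; pick a subdomain you control")
    if len(realm[0]) > 15:
        findings.append(f"first realm label exceeds 15 chars; NetBIOS name truncates to '{netbios_name(ad_realm)}'")
    # Rob's mail.domain.tld case: a public record inside the realm resolves against AD DNS internally.
    for name in sorted(public_names):
        if is_under(name, ad_realm):
            findings.append(f"public record '{name}' lies inside the realm and will resolve against AD DNS on the LAN")
    # Hosts that should become AD members need a hostname under the realm (servername.ad.domain.tld).
    for host, fqdn in sorted(hosts_to_join.items()):
        if not is_under(fqdn, ad_realm) or labels(fqdn) == realm:
            findings.append(f"{host}: '{fqdn}' is not a hostname under realm '{ad_realm}'")
    return findings
```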


(Thorsten) #9

Thanks, that helps