# Guidance on 2008R2 Server in Home Environment



## cjconrad (Sep 2, 2008)

Hi All,

I am very experienced in many things technical, but am not very savvy on DC and AD. I have had a Windows 2003 Server in my home for many years and I had stumbled through its installation originally, including it being a DC and an AD. I even had the home PCs logging into the domain (each of my 5 children had their own LAN PC, as well as a couple others). However, over time I realized that logging into the domain complicated things at the desktops, and the individual PCs could just as easily be set up on a workgroup, and connect to the server's shared drives, use the mail server, etc -- no apparent loss of function. So, none of them log in that way any longer (they are back to being in a workgroup, though the server still is a DC and has AD).

Now I am setting up a new server (to replace the old) with Windows 2008R2. I only have one child left at home, so the number of "desktop clients" has shrunk dramatically. Thus far, the new server has all of the shared user and media files, as well as the media servers (Plex, PlayOn/PlayLater), while the old server is still running the IIS, mail server, etc. I have NOT set the new server to be a DC nor does it have AD on it, and there is no relationship between the old and new servers. I want to complete the unhooking of the old server, which means that I have to move the IIS and mail services over. Before I do that, I need to know if I *should* set up the new server as DC/AD.

Other info that may or may not be relevant:

- On the old server, all the user IDs were in the "Domain Users" group in AD, and one was additionally in the "Domain Admins" and "Remote Desktop Users" groups.
- I sometimes enable Remote Desktop, but only using the single admin session (i.e., I don't have the Terminal Services role).
- There are four internet domains that all route to my home IP address. Currently, all of the applicable ports are then forwarded to my old server (which will be changed to my new server when ready, of course).

===================

Questions:

1. What are the advantages of doing so (setting up DC/AD), versus just setting up IIS (web, FTP) and the mail server (MDaemon) without it?
2. If I do it now, will I have lost (or have to re-do) anything done thus far (users' shares/data, applications, etc)?
3. When setting up my old server years ago, I couldn't figure out what name to give, and ended up with the following (assume that my internet domain name is "MyHome.net"):
   - the AD domain name is "MyHome.net" (that was what I had entered in the wizard, though the later "New Domain Name" screen had "Conrad.MyHome.net" in it)
   - the NETBIOS Domain name is "MYHOME"
   - in the Configuration Panel in the wizard, the "Full Domain Name" was "MyHome.net"
   Is that what one should do, or is there otherwise any advantage to one name (or convention) over another?
4. If I should be using the same names as used in the old server, is there some process I must follow to "decommission" the old one first?
5. I see that I had DNS set up on the old server, but in thinking about it, I can't see that it would have been used, as I would expect the router/ISP should be doing all of this for the LAN. Is there any value to having this set up on the new one? If so, should it point to the router or directly to the ISP?

I don't know why I'm a bit reluctant to set up DC/AD, but I'd like some expert guidance before I take that step! Many, many thanks in advance for any advice.

Craig


----------



## zx10guy (Mar 30, 2008)

1. Setting up a DC/AD server provides the ability to centrally manage user permissions as one of the features, as well as creating group policies for users and devices in the domain. If your environment is small, it's better not to deal with the complexities of setting up a DC and just manage the environment with local user accounts/permissions. Not having a DC will not affect your running IIS or a mail server.

2. The security/share permissions will be affected but you won't lose any data.

3. MyHome.net is the name of your Windows domain. When you see a name such as Conrad added to the domain name such as Conrad.MyHome.net, this means Conrad is a device registered on the domain. So you have a box on your network that is named Conrad that is part of the MyHome.net domain.

4. I think you might have conflict issues with the naming of the servers having the same name.

5. DNS is essential for the DC and Active Directory. When you set up a DC, it is mandatory that a DNS server be running on the network somewhere, either on the DC or on a separate server that the DC can point to. In the old days a Windows domain ran fine with WINS and didn't need DNS. That's not the case now. I did try to just have WINS running, which allowed me to log in to the domain via a workstation, but I couldn't get group policies to work correctly. It forced me to point my workstation's DNS to the DNS server on the DC and not directly use my ISP's DNS server. If you want to run a DC, then you'll have to point your workstations to the local DNS server you have running on your network. To get Internet name resolution working, you'll have to configure the local DNS to use the ISP (or your router, if it acts as a DNS relay) as forwarders.


----------



## cjconrad (Sep 2, 2008)

Zx10guy: I am very grateful for your response. Regarding #3, is there any naming convention for the Windows Domain? Specifically, should it have any semblance to the name used for the internet domain?

I'm still a bit confused about DNS. If I have DC/AD, would the server's DNS then somehow be forwarding resolution requests from the LAN to the ISP? Would workstations (those that do NOT login to the domain) use this DNS or should they just point to the router (which itself forwards to the ISP)?

Thanks SO much!


----------



## zx10guy (Mar 30, 2008)

Because of the way AD works now, you have to follow how things are named with DNS and how things are named on the Internet. So yes, you'll have to follow the naming convention of an Internet domain.

If the workstation is part of your Windows domain, then yes, you have to point that workstation to the local DNS server. If the workstation is not part of your Windows domain, then it is optional as to whether you set the DNS server for that workstation to the local DNS server, your router, or the ISP's DNS server. I have this mixed environment right now in my home network.


----------
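An added check script (not from any poster in this thread) that verifies the DNS layout zx10guy describes in the two replies above: the DC's DNS server has forwarders for Internet names, domain-joined workstations point at the DC for DNS, and the AD zone actually answers. It assumes the DnsServer and DnsClient PowerShell modules (Windows Server 2012+ or RSAT; on 2008R2 the equivalents are dnscmd and nslookup), and every address and name below is a constructed placeholder, with the internal AD name deliberately different from the public MyHome.net, as suggested later in the thread.

```powershell
# Added example, not from the thread. All values below are constructed placeholders.
$DcDns        = '192.168.1.10'     # the DC that also runs the DNS server
$AdDomain     = 'homelan.net'      # internal AD DNS name, distinct from the public domain
$PublicName   = 'www.myhome.net'   # a public name that must resolve through the forwarders
$IspForwarder = '192.0.2.53'       # ISP (or router) resolver to use as forwarder

# 1. On the DC: forwarders must be set, or domain members pointed at the DC
#    will not be able to resolve Internet names at all.
$fwd = Get-DnsServerForwarder -ComputerName $DcDns
if (-not $fwd.IPAddress) {
    Write-Warning "No forwarders on $DcDns; adding $IspForwarder"
    Add-DnsServerForwarder -ComputerName $DcDns -IPAddress $IspForwarder
}

# 2. On a domain-joined workstation: its resolver must be the DC, not the router,
#    otherwise domain logon and Group Policy fail as described in the thread.
$clientDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object { $_.ServerAddresses }).ServerAddresses
if ($clientDns -notcontains $DcDns) {
    Write-Warning "This workstation uses $($clientDns -join ', ') for DNS, not the DC $DcDns"
}

# 3. Prove the AD zone is served: the DC locator SRV record must answer from the DC.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV `
                       -Server $DcDns -ErrorAction SilentlyContinue
if ($srv) { "DC locator record OK: $($srv.NameTarget -join ', ')" }
else      { Write-Warning "No _ldap._tcp.dc._msdcs SRV record for $AdDomain on $DcDns" }

# 4. Prove forwarding works: a public name queried *via the DC* must get an answer.
$pub = Resolve-DnsName -Name $PublicName -Type A -Server $DcDns -ErrorAction SilentlyContinue
if ($pub) { "Forwarding OK: $PublicName -> $($pub.IPAddress -join ', ')" }
else      { Write-Warning "$PublicName did not resolve through $DcDns; check forwarders" }
```

Steps 1 and 3 must run with administrative rights on (or against) the DC; step 2 is meant to be run on each workstation that joins the domain.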



## cjconrad (Sep 2, 2008)

Zx10guy: My continuing thanks, and a few more questions!

1. Is there some security advantage (e.g. more difficult to hack) to using DC/AD?
2. If my home network is pointed to by two internet domain names (e.g. MyHome.net and HerHome.net), what name would be given to the AD?
3. If the AD name is determined completely by the internet domain name, then if one were to later build a replacement for the server, I assume there must be some complicated way to facilitate the transition as services are migrated from old to new over time?
4. Is there some way here on techguy.org to recognize/reward helpful responses?

I'm sorry for asking so many questions, but I appreciate the opportunity to learn from you!


----------



## zx10guy (Mar 30, 2008)

1. Not sure what you have in your mind as hacking.

2. I would think you would want a different domain name than the ones you've used for the public/Internet side. Something like HomeLAN.net or something like that.

3. Doing what I'm talking about above would make this issue nonexistent.

4. I don't think there is an official way to do this. Usually for many of us here, a thank you is sufficient.


----------



## cjconrad (Sep 2, 2008)

1. By "hacking", I was asking if an AD/DC makes the server more secure (e.g. lowering the possibility of someone coming from the internet side and illicitly logging in).

2. I am a bit confused by this. When I asked something similar earlier, you wrote "Because of the way AD works now, you have to follow how things are named with DNS and how things are named on the Internet. So yes, you'll have to follow the naming convention of an Internet domain." Can you clarify?

3. Noted.

4. Then, THANK YOU, THANK YOU!


----------



## zx10guy (Mar 30, 2008)

1. No.

2. Can you explain more about what your question is getting at?


----------



## cjconrad (Sep 2, 2008)

I've never liked it when people ask a question, get some response(s), and never tell everyone how it all turned out. So, I am back just to: (a) thank zx10guy for the help; and (b) tell the outcome.

It has taken some time to finish setup of my server (life seems to get in the way of these things sometimes!), but I finally gutted my old server today and tossed out its remains. My new server is running everything the old one did (and much more), and doing it quite splendidly. I did NOT set it up as a Domain Controller. The only things that seem to be negative about that decision are: (1) most server/IIS questions I research on the internet provide answers that *assume* you have DC/AD in your setup; (2) there are a couple of features ("virtual users", I think was one -- where you use that ID in IIS for some permissions and the system auto-maintains the password) that you must have AD for; (3) all users (which I had to define to allow them to have file permissions to link to the shared folders) appear on the login screen (maybe this is how Windows 2008 works, not a DC/AD thing, but it wasn't that way for me in Windows 2003).

In any case, it seems to be working fine now, and I do appreciate the help.

Craig


----------

