
Thread: Basic Domain Setup

  1. #1
    Join Date
    Nov 2001
    Location
    NY
    Posts
    1,509

    Basic Domain Setup

    Here I hope to answer a few questions that seem to be popping up more recently about the differences between domains and workgroups, and how to properly set up a Windows-based domain.

    First off I will be treating every networking device as a separate entity, even though they are more often than not available as combined products. For example this Linksys WRT54G Wireless router is actually more like four devices in one. It combines the functionality of a basic firewall, router, switch, and wireless access point all into one device. There is nothing wrong with this, it makes network setup easier and cheaper for most small networks. It is just a bit easier to explain how everything is working together if we look at each piece all alone.

    The most basic level of network is called a WORKGROUP, a loose connection of computers and devices that has no central management point. This is what you can create when you have all computers running a desktop operating system, but still want to be able to share files and other resources between multiple users and computers. A simple workgroup would look like this:



    Each PC connects to the switch. All traffic in the network flows through the switch, and the switch will know which port(s) to send information out of. So if you wanted to send a file across the network only it would just send it to the port on which the destination computer is attached. If it is something destined for the internet it will be sent out the port to which the router is attached. So this means that it is totally possible to have a Gigabit LAN setup without needing a Gigabit router, which is a waste as most residential ISPs will provide less than 10Mbps anyway. Each PC is responsible for keeping track of its own security database. This means that if you want multiple people to be able to use each PC you will need to create the same accounts on all of the PCs. Also you would need to do this if you want to share files between computers as the person would need a local account on the remote PC in order to access the files.

    A domain on the other hand has a centralized security control center, the domain controller. This is a server that will hold all of the information about how the domain works. Who has access, who has permission to do what, and what computers are allowed to be a part of the domain. So a domain setup would look more like this:



    Notice how this is basically an identical physical setup, with the addition of a server. This is a key point, as in terms of actual hardware one additional computer is really the biggest difference between a small workgroup and a small domain. So what makes this one extra PC so special? It is running a server operating system, Windows 2000 Server or Windows Server 2003. This is what will allow the creation of a domain, and it will hold all of the information about your domain computers and users. Optionally it can also be used to serve files that you want to be accessible by all users, or at least by users at more than one location within the domain. In a domain this is a much easier task as the credentials are all stored on the server, you create a single domain account and it will take care of the rest.
    Erik

  2. #2
    Join Date
    Nov 2001
    Location
    NY
    Posts
    1,509
    Now on to how to actually create the domain, join computers to it, and create user accounts. As mentioned the key point to a domain is a domain controller running Active Directory (for a modern Windows domain anyway). There are ways to create a domain using Linux or Unix, but that is even more complex than this and beyond what most average small scale users would want to do. So we will need to pick out a server that can run Windows Server 2003. There are actually a few different versions of this, which can be looked into on the Microsoft website. I would tend to recommend Small Business Server 2003 for most users that have a need for a domain and are not just learning and doing this for the experience of it. It comes bundled with Exchange Server too so it is pretty good for setting up mail and other small business needs. If you are just interested in doing this as a learning experience then MS actually offers a free 120 day trial for download.

    Now that we have the software we need to decide what kind of PC we will be installing it on. Now a true server is a huge thing that is extremely expensive, and I doubt most people would want/need this thing around. Servers are actually built of multiple computers and kept in racks that are 6' or so tall. The racks alone can be in the thousands of dollars. So we will look to an alternative solution, luckily there are plenty of good ones. It might surprise some people but a server doesn't actually need to be all that powerful of a computer. It does however need a lot of RAM and good hard drive speeds. This is why almost every true server you will see will have RAID arrays of SCSI hard drives and plenty of RAM. Unfortunately SCSI and RAID are also very expensive, and complex to set up, and probably also unnecessary for most smaller networks. A good solution is basically any fairly modern PC with SATA drives. These would perform more than adequately for a small domain. If you want a true experience then look for used older servers with SCSI and RAID all included. I run a domain of about 10 computers off of an old 500MHz Pentium 3 server with SCSI and RAID, which actually has slower read times than my SATA drives without RAID. Bottom line is that for a smaller network the server doesn't need to be a stellar performer, just make sure it has plenty of RAM and hard drive space.

    The next step would be to install the server OS onto the server. I will assume here that most of us have done an install of Windows at some point, and luckily the server editions are not all that different. There are a few more steps, and a few different options, but it is all basically self-explanatory and should be easy enough to follow. Notice however that you won't be able to create an actual domain at this point, that is done once the server is up and running.

    Once Windows server is installed you will need to take a few different steps than a typical Windows install. You will want to make sure to use a static IP address, as a server that changes its IP is pretty worthless. Right click on My Network Places and choose properties, and from the list of available connections choose your LAN connection. Again right click and choose properties, and then TCP/IP, and click the properties button. Here is where you will need to enter the IP information that is specific to your network. The default gateway should be the IP of your router, and the DNS server the IP of the server you are setting up.

    Now you can do Windows Update, and will probably need to reboot at least once. Now you can start configuring your server to act as a server.
    Erik

  3. #3
    Join Date
    Nov 2001
    Location
    NY
    Posts
    1,509
    The first step in properly setting up the domain and using the server is to turn DHCP off at your router. You will want to use the DHCP server feature on the new server as it is more robust and offers more features. More importantly it will allow you to set custom settings that make everything work together seamlessly.

    After a reboot you should be greeted by a nice screen giving you various options to set up your server. The first thing you will want to do is run the Active Directory setup wizard (dcpromo). This will create the role of Domain Controller on the server. It will also prompt you to do an install of DNS server, do this as it is a necessary step for a working domain. The instructions are pretty clear and simple for a small and simple domain. Basically you just choose a name to call your domain and enter that. As long as it won't be publicly accessible, i.e. a webserver, it doesn't really matter what you use. Other than that you can pretty much just read over everything, and if you don't really understand what is being asked use the default.

    At this point you should have AD and DNS up and running. Now we need to install DHCP server so that other PCs will be able to get IPs and join to the domain. Again just run the wizard and it will walk you through the steps of setting up a basic DHCP server. A few things to keep in mind though. It is always good to have some IPs set aside for static use, so don't put your whole IP address range in as the scope. Also create a scope slightly larger than what you think you will need as you will always add computers later on easily this way. Give the address of your router as the router option (actually becomes the default gateway). Then go to the DHCP server from the Administrative Tools menu, and on the Actions menu choose to activate the server. You are now at a place where you can start bringing up the client PCs and join them to the domain.
    Erik
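
The scope advice in the post above (keep some addresses for static use, make the scope slightly larger than needed, hand out the router as the gateway), worked through as an added example that is not part of the original post. The function names, the 192.168.1.0/24 subnet and the router/server addresses are constructed for illustration, and handing clients the domain controller as their DNS server (option 6) is an assumption based on the server setup described earlier in the thread.

```python
import ipaddress

# Constructed sample LAN: addresses that must stay static (not part of the thread).
SAMPLE_STATICS = {"router": "192.168.1.1", "server": "192.168.1.10"}

def audit_scope(network, scope_start, scope_end, static_hosts):
    """Return a list of problems with a proposed DHCP scope (empty list = OK)."""
    net = ipaddress.ip_network(network)
    start = ipaddress.ip_address(scope_start)
    end = ipaddress.ip_address(scope_end)
    usable = list(net.hosts())
    if start not in net or end not in net or start > end:
        return [f"scope is not a valid range inside {net}"]
    problems = []
    if start == usable[0] and end == usable[-1]:
        problems.append("scope covers the whole range; nothing left for static use")
    for name, addr in static_hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{name} {ip} is outside {net}")
        elif start <= ip <= end:
            problems.append(f"{name} {ip} is inside the scope; exclude it or move the scope")
    return problems

def plan_scope(network, static_hosts, clients, headroom_pct=25, static_reserve=20):
    """Pick a scope at the top of the subnet, slightly larger than `clients`,
    leaving at least `static_reserve` low addresses free for static devices."""
    net = ipaddress.ip_network(network)
    usable = list(net.hosts())
    statics = {ipaddress.ip_address(a) for a in static_hosts.values()}
    want = clients + -(-clients * headroom_pct // 100)  # headroom rounded up
    first = len(usable) - want
    while first >= static_reserve:
        # Static devices that happen to sit in the scope must be excluded,
        # so grow the scope downwards until enough leases remain.
        excluded = sorted(ip for ip in statics if ip >= usable[first])
        if len(usable) - first - len(excluded) >= want:
            return {
                "start": str(usable[first]),
                "end": str(usable[-1]),
                "exclusions": [str(ip) for ip in excluded],
                "leases": want,
                # DHCP option 3 = router (default gateway), option 6 = DNS server
                "options": {3: static_hosts["router"], 6: static_hosts["server"]},
            }
        first -= 1
    raise ValueError("subnet too small for this many clients plus the static reserve")

if __name__ == "__main__":
    plan = plan_scope("192.168.1.0/24", SAMPLE_STATICS, clients=10)
    print(plan)
    print(audit_scope("192.168.1.0/24", plan["start"], plan["end"], SAMPLE_STATICS))
    # The mistake the post warns about: the whole range entered as the scope.
    print(audit_scope("192.168.1.0/24", "192.168.1.1", "192.168.1.254", SAMPLE_STATICS))
```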

  4. #4
    Join Date
    Nov 2001
    Location
    NY
    Posts
    1,509

    Joining a PC to a Domain

    Joining PCs to a domain is a simple process really. You will need to have an account with the ability to join computers to the domain (if you have been following use the default administrator account at this point). You can either do this as you install Windows on the PC, it will ask if you want to join a Workgroup or Domain, or after it has been running already. To change membership to the newly created domain just right click on My Computer and choose properties. Then from there the Computer Name tab, and click the change button. From there just select the Domain radio button, enter the domain name and click OK. You will be prompted for the account name and password, enter them. You should soon see a Welcome to the domain pop up. You will now need to reboot the PC. When it comes back up you will be greeted with a Domain login box, and need to hit Ctrl-Alt-Del.
    Erik

  5. #5
    Join Date
    Mar 2006
    Location
    Somerset
    Posts
    612
    Excellent thread Erik,
    I have been considering doing this with my "spare" pc.. but the thought of having to spend out on server software just for a learning experience put me off a bit ..

    Didn't know that MS gives that 120 day freebie!!..might just give this a go and see what happens.. at the very least I might just find out how thick I really am!!..
    Vox clamantis in deserto..

    Member of ASAP (Alliance of Security Analysis Professionals)

  6. #6
    Join Date
    Oct 2001
    Location
    Derby, England
    Posts
    2,282
    If I plugged all PCs straight into a router instead of a switch do I follow these instructions in the same way?

  7. #7
    Join Date
    Aug 2003
    Location
    Northern California
    Posts
    13,383
    If I plugged all PCs straight into a router instead of a switch do I follow these instructions in the same way?
    In a peer to peer situation (no domain server), yes.

    Home routers combine several functions as Erik already pointed out in his initial post. They combine the router function with a switch.
    The router can assign client addresses, making it easier to add PCs to the LAN.

    If you are connecting a switch without a router, the LAN addresses will have to be manually assigned to each client PC, since no device on the LAN is performing that function.

  8. #8
    Join Date
    Oct 2001
    Location
    Derby, England
    Posts
    2,282
    So that means I can plug all direct into a router and have a domain server on my LAN network ?

  9. #9
    Join Date
    Aug 2003
    Location
    Northern California
    Posts
    13,383
    You can have a router with DHCP turned off and a domain server providing the DHCP services.

  10. #10
    Join Date
    Jul 2004
    Location
    Fulda, Germany
    Posts
    996
    Does any one actually have the need to have a domain for their home network? I would argue that a workgroup is more than sufficient in most home environments.

    Great thread, Erik. I would agree with just about everything you said, except the part where you said that RAID is complex to set up. Our new IBM Blades come with a tool that makes setting up the RAID a piece of cake. You just choose the drives, tell which RAID level you want, and whalaahhh - your RAID is configured. Makes it easy - even for me...:>)

  11. #11
    Join Date
    Jan 2004
    Location
    Here
    Posts
    10,355
    Good job Erik. Glad to see it's been made a sticky.
    8 Pro 64bit
    AMD FX 8350
    Asus Sabertooth 990FX R2.0
    24GB GSkill/Corsair 1866MHz
    2x XFX 6870 1GB
    SSD - OCZ V4 128GB/Kingston 120GB
    HDD - 3TB/2x 750GB/500GB/250GB
    Corsair TX850M
    Cooler Master HAF 932 Red
    CM Hyper 212 EVO w/2x SickleFlow 120mm Red
    12x BD-ROM
    Logitech X540 5.1 Surround
    2X Acer 23" LED - Eyefinity: 3840x1080
    Microsoft Sidewinder x4 KB

    "The significant problems we face cannot be solved at the same level of thinking we were at when we created them."
    - Albert Einstein

  12. #12
    Join Date
    Nov 2000
    Location
    The Mountain State
    Posts
    23,359
    I made it sticky within a few minutes of being posted...no sense letting something this good get buried before it becomes sticky.
    AV, Anti-Trojan List;Browser and Email client List;Popup Killer List;Portable Apps
    “When men yield up the privilege of thinking, the last shadow of liberty quits the horizon.” - Thomas Paine
    "Remember: Amateurs built the ark; professionals built the Titanic."

  13. #13
    Join Date
    Nov 2001
    Location
    NY
    Posts
    1,509

    Adding User Accounts

    Is a domain needed for a home network? No, not at all. It is just nice to have, and in my case as I work in the field it is nice to be able to play around with things. If I need to test something at work and it messes up a production machine it could mean millions lost, at home it means some time to format and reinstall.

    RAID isn't impossible to set up. It is just more difficult than doing the single drive scenario. It is also just one more thing to troubleshoot if things aren't working right. It is very handy, especially RAID 5 with a designated hot spare.

    Now to pick up where I left off...

    The next logical step would be to add user accounts to the domain. On the domain controller you need to go to Active Directory Users and Computers. If you click on the Users in the left pane it will list all of the existing accounts in the right pane. In the action menu you can choose to Add a new user. The wizard is pretty straightforward: real name, user name, password.

    That leaves like a shell of a user account. It grants access to the domain, but doesn't do much else. The next step would be to set up roaming profiles (or better yet folder redirection), and home drives. If you double click on the user you just created it will bring up a window with all of the information for that user. On the profile tab you can set a UNC path to the location of the profile on a server and a home drive that should be mapped when the user logs in. Create a shared folder on the server called profiles. So let's say you name your server dcserver and have a shared folder that gives all users read/write access called profiles. The UNC path to the user profile would be like \\dcserver\profiles\username. If you make it username$ then it will be an invisible folder when viewed over the network. You will need to know the exact path in order to map to it. You can then copy a user profile into this folder once it is set up as you want, and from now on the user will use this instead of a local profile.
    Erik

  14. #14
    Join Date
    Apr 2005
    Location
    Kaunas, Lithuania
    Posts
    129
    Basically you just choose a name to call your domain and enter that. As long as it won't be publicly accessible, i.e. a webserver, it doesn't really matter what you use.
    If my network is behind a NAT and I want to make some services accessible from the internet (for example, ftp or web server), and I own a domain, will everything work if the "domain" I choose for my network is not the same as the domain I own?

    Will computers that are not members of the domain be able to access services (mostly, file sharing) on those computers that are members of the domain?


    I want to try to create a domain mainly because I want to be able to connect to any computer without having to reenter user name and password and I want to try to use RADIUS server for Wi-Fi...

  15. #15
    Join Date
    Nov 2003
    Posts
    399
    If my network is behind a NAT and I want to make some services accessible from the internet (for example, ftp or web server), and I own a domain, will everything work if the "domain" I choose for my network is not the same as the domain I own?

    Yes, your registered "domain name" is public and is for DNS name services; your "Windows domain" is a separate entity altogether (but can be named the same if you like). A Windows domain is used to define a group of computers under one administrative authority; a DNS domain name is just a name you use to map to an IP address, as opposed to users using IP addresses to connect to your services.


    Will computers that are not members of the domain be able to access services (mostly, file sharing) on those computers that are members of the domain?
    Yes, but they would need to authenticate first.


    I want to try to create a domain mainly because I want to be able to connect to any computer without having to reenter user name and password and I want to try to use RADIUS server for Wi-Fi...
    That would be a reason for creating a Microsoft domain. There are alternatives though.
    Last edited by juniper; 10-25-2006 at 10:55 AM.
    Everything I write is just my opinion so don't hold me liable.

  16. #16

    Great work! Erik

    Great work, friends, but...
    I am concerned about the licensing though.
    How much is it going to cost (server and station) if I have, suppose, 7 computers in my domain? Also, which one do you think is better, per server or per seat, for a company with 7 computers doing an 8-4 shift? Also I need 2 VPN connections. Also, what are the other expenses you can think of that I need to keep in mind during setup? Thanks!
    Last edited by ant_inmypant; 11-16-2006 at 12:13 PM. Reason: improve

  17. #17
    Join Date
    Nov 2001
    Location
    NY
    Posts
    1,509
    Licensing is actually pretty simple. You need one per user or one per device, depending on which method you decide to use. Basically if you have a single user with multiple machines then per user might be better for you. If you have multiple users sharing a machine then per machine is better.

    Cost? You will need to talk with your suppliers and see. You will need the base server OS, the CALs, and a XP Pro license for each workstation. Then add in any network devices you need. What do you mean by 2 VPN connections? For two users or to two remote sites?
    Erik

  18. #18
    Quote Originally Posted by Erik View Post
    Cost? You will need to talk with your suppliers and see. You will need the base server OS, the CALs, and a XP Pro license for each workstation. Then add in any network devices you need. What do you mean by 2 VPN connections? For two users or to two remote sites?
    Thanks Erik! Well I mean if I need to connect 2 computers using VPN to my company's server. Precisely, one for myself for remote handling and troubleshooting and a second for my boss to work with his files from home. I am not sure, I think 2 connections are free with any server????? Do you have any better idea for the same? Thanks again:-)

  19. #19
    Join Date
    Nov 2001
    Location
    NY
    Posts
    1,509
    You might want to start a new thread as this is kind of getting off topic.

    Anyway I prefer hardware VPN through a firewall. As far as server licensing goes, basically any computer/user connecting counts against your licenses. So there is no free lunch, so to speak. You either have the right number of licenses for all the connections (local and remote) or you don't.
    Erik

  20. #20
    I have a few computers, that when I go to setup shared folders and assign users access, they do not detect the domain. I have put them on the domain, but they still don't detect. Any ideas?

  21. #21
    Join Date
    Jul 2002
    Location
    Minn
    Posts
    17,373
    Quote Originally Posted by Raphael View Post
    I have a few computers, that when I go to setup shared folders and assign users access, they do not detect the domain. I have put them on the domain, but they still don't detect. Any ideas?
    Welcome to PCGuide....

    Please start a new thread and provide as many details as possible about your network and computers... You will not get help with only vague questions...
    Budfred ..... Caveat Emptor....

    Helpful links SpywareBlaster... HijackThis... ATF Cleaner...

    Post a complaint about malware here!!
    So how did I get infected in the first place??

    MS MVP 2006 and ASAP member since 2004...

    If you PM me for help, expect an irritated response... Post in the forum...

  22. #22
    Quote Originally Posted by Erik View Post
    The next logical step would be to add user accounts to the domain. On the domain controller you need to go to Active Directory Users and Computers. If you click on the Users in the left pane it will list all of the existing accounts in the right pane. In the action menu you can choose to Add a new user. The wizard is pretty straightforward: real name, user name, password.

    That leaves like a shell of a user account. It grants access to the domain, but doesn't do much else. The next step would be to set up roaming profiles (or better yet folder redirection), and home drives. If you double click on the user you just created it will bring up a window with all of the information for that user. On the profile tab you can set a UNC path to the location of the profile on a server and a home drive that should be mapped when the user logs in. Create a shared folder on the server called profiles. So let's say you name your server dcserver and have a shared folder that gives all users read/write access called profiles. The UNC path to the user profile would be like \\dcserver\profiles\username. If you make it username$ then it will be an invisible folder when viewed over the network. You will need to know the exact path in order to map to it. You can then copy a user profile into this folder once it is set up as you want, and from now on the user will use this instead of a local profile.
    My boss recently created a domain for our office and assigned a username and pword to everybody, with "very limited" privileges. Needless to say that he alone has the administrator pword. My problem is that I have some programs and apps already running on the administrator account prior to the domain creation and need to access them. Is there any way I can do this w/out having access to the pword? Can I log in as an administrator w/out the administrator pword?

  23. #23
    Join Date
    Nov 2000
    Location
    The Mountain State
    Posts
    23,359
    Twice...maybe you will get tongue lashing....after all.
    AV, Anti-Trojan List;Browser and Email client List;Popup Killer List;Portable Apps
    “When men yield up the privilege of thinking, the last shadow of liberty quits the horizon.” - Thomas Paine
    "Remember: Amateurs built the ark; professionals built the Titanic."

  24. #24
    Quote Originally Posted by mjc View Post
    Twice...maybe you will get tongue lashing....after all.
    Sorry....no more of that silly hacking business. But seriously, sometimes it helps to know these things though - u never know when u'd need it. It's how one decides to use the knowledge that's a different kettle of fish altogether. Thanks 4 d advice.

  25. #25
    Yea, great thread, I know that it was quite long ago, but it is still up to date!!!
