3

I am setting up a lab/mock-up network and I'm wondering if it is considered bad practice to add all my servers to my Windows Domain. Of course the DC must be part of the domain, and any server that users log in to, such as VPN, must also be part of the domain.

What about servers that don't necessarily need to be connected to the domain? Like a DHCP server, external web server, or DNS server? Should these be part of the domain, or only connected to the internal network?

ThePopcorn
  • In regards to the web server it depends on what's being served. If it's just straight files internally, being on a domain is fine. If you have secure content, leave it off the domain but dual homed. – Techie Joe Nov 15 '13 at 00:36

2 Answers

6

Only if you like centralized management and single sign on and group policies and security features such as Kerberos.

If you don't like those things then don't use an AD domain.

You might have a case for not putting 'DMZ' servers like public facing web servers on the domain, either because of lack of network connectivity or because of security concerns.

Ryan Ries
-2

Active Directory requires an "Active Directory Integrated" DNS server. This implies that the DNS server must be part of the domain; also, your domain members should look ONLY to the AD DNS servers for name resolution. A domain member configured with a DNS server outside of the AD domain will occasionally fail to resolve names within the domain, even if the AD DNS server is listed as primary.

DHCP doesn't need to be in the domain, however doing so gives you the ability to dynamically update your AD DNS as machines lease & release IP addresses.

The web server doesn't need to be in the domain unless it serves as a gateway to domain resources such as Outlook Web Access, Exchange Client Access services, or Remote Desktop.

Jonathan J
  • "Active Directory requires an "Active Directory Integrated" DNS server" - that isn't accurate. – TheCleaner Nov 15 '13 at 21:46
  • There's some correct info and some incorrect info. In most installs DHCP doesn't update a client's record in DNS - the client does it itself. That's what "Secure Dynamic Updates" are. Using DHCP to proxy DNS updates is actually bad practice in most cases. Also, even though it's typically a good idea to use ADI zones for Active Directory, there's nothing stopping you from using BIND, or even something like an Infoblox appliance assuming dynamic record registration is correctly configured. Don't get me wrong - it's not what I'd want to do - but saying "requires" is misleading. – MDMarra Nov 15 '13 at 22:52