

Why the use of Default-First-Site-Name

Question

Thursday, September 27, 2012 12:09 AM

In Windows Server 2008 R2 and Windows Server 2012, when I set up a new AD DS server for a new forest, why is there always a "Default-First-Site-Name" listed in the "DNS Manager > msdcs.newforest.com > dc > sites" folder? I've also seen it in Active Directory Sites and Services.

How come when AD DS / DNS is first set up on the first server of a forest, the setup process doesn't automatically use the name entered for the new forest as the name of the first site??

Example:

New forest: corp.contoso.com

New First Site Name: corp.contoso.com

One last question: Is it okay to rename "Default-First-Site-Name" to the name entered for the new forest?  Would this result in a name-collision or something??

Thanks!

All replies (4)

Thursday, September 27, 2012 6:33 PM ✅ Answered | 1 vote

I wouldn't be separating departments by subnets, rather by building. However, some folks will design and implement something like that.

And no, if all the "department" subnets were in the same building, I would not create Sites for each, because remember, Sites are used to localize logon (authentication and authorization) traffic, and to control DC replication traffic. Therefore, you need a DC for each AD Site. So if you were to create a Site for each department subnet, then you need that many DCs for each Site. It doesn't make sense, and frankly it's overkill.

For reverse zones, I would create a single reverse zone encompassing all subnets in that block. For example, I would create a 10. reverse zone. As all machines register, for each octet to the right of 10. it will create a subfolder. In your example, you would see:

10.0.0.0
    1
        1
            10.1.1.36    PTR   machine.domain.com    (this is an example workstation)
        2
        etc

If you only have 50 machines and one building, then one subnet and one Site will do the trick. But in this case, you will never see a Site's features come into play, because there's only one Site.

.

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Thursday, September 27, 2012 12:11 AM

Correction: New First Site Name: corp-contoso-com (periods not allowed)


Thursday, September 27, 2012 5:55 AM | 3 votes

The Default-First-Site-Name is the first AD Site that gets created by that name, for the brand new DC in a brand new domain in a brand new forest to be put into. Yes, you can rename it.

Sites are usually not named based on the domain name, rather the company's location, hence the word "Site." We can have one domain span numerous locations (sites) around the world. That's why it's named "Default-First-Site-Name," because it's left for you to rename it appropriately.

Don't forget, when you configure your site in Active Directory Sites and Services console (not the DNS console), to create subnet objects for each subnet in your location that will be associated with the site. If you have multiple sites, you will be using the Default-Ip-Site-Link. Chop the replication down to 15 min from the default 180 minutes.

And the data you are looking at in DNS is part of the SRV records that are registered automatically by the Netlogon service, which gathers all pertinent information from the DC it's on, and registers it into DNS. Each DC registration provides all the data in DNS for all DCs in the infrastructure. The Sites subfolder has info on what DCs are in that site for a client to choose a DC in their own site to send logon information to.

.

And in case you were wondering what a Site really does:

AD Sites basically control two things: Replication and Logon/Authentication from clients. This in conjunction with all DCs in a single AD domain should be GCs, will help clients use the local GC to logon and not traverse the WAN looking for a GC. The DNS settings on the remote site's client machines and the DC should point to the local DC as the first entry, the home office as the second entry. Plus creating sites will make the KCC create partnerships with only DCs in its own site. And the KCC in conjunction with the ISTG (Intersite Topology Generator) determines DC partnerships between the bridgeheads in each site.

.

Managing sites in Active Directory involves adding new subnet, site, and site link objects when the network grows, as well as configuring a schedule and cost for site links. You can modify the site link schedule, cost, or both, to optimize intersite replication. When conditions no longer require replication to a site, you can remove the site and associated objects from Active Directory. Jan 6, 2003 ... Lots of good info on the KCC, Bridgeheads, TCP/IP settings, ISTG, etc. Most of it applies to Windows 2008 & 2008 R2, too.
 http://technet.microsoft.com/en-us/library/bb727051.aspx
 
Video How-To: Create Active Directory Site To Control The Replication Traffic
http://www.youtube.com/watch?v=02BIfL_gqvE&feature=related

Ace Fekay
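The steps described in the reply above (rename the default site, create subnet objects, shorten the site link interval, check the site-specific SRV records), as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module on Windows Server 2012 or later, run on the domain controller; the site name `HQ` is hypothetical, while the forest name and subnets are the ones given elsewhere in this thread.

```powershell
# Added example, not from the original thread.
Import-Module ActiveDirectory

$forest   = 'corp.contoso.com'   # forest name used in the question
$siteName = 'HQ'                 # hypothetical name based on location, not on the domain
$subnets  = '10.1.1.0/24', '10.1.2.0/24', '10.1.3.0/24', '10.1.4.0/24'  # from the thread

# Rename the default site only if it still carries its default name.
$default = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($default) {
    Rename-ADObject -Identity $default.DistinguishedName -NewName $siteName
}

# One subnet object per subnet, all associated with the single site,
# so clients in every subnet are mapped to a DC in that site.
foreach ($cidr in $subnets) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $siteName
    }
}

# The default IP site link object is named DEFAULTIPSITELINK in the directory.
# The interval only has an effect once a second site exists.
$link = Get-ADReplicationSiteLink -Filter "Name -eq 'DEFAULTIPSITELINK'"
if ($link) {
    Set-ADReplicationSiteLink -Identity $link -ReplicationFrequencyInMinutes 15
}

# Ask Netlogon to refresh the DC's DNS registrations, then look up the
# site-specific SRV record that clients use to find a DC in their own site.
nltest /dsregdns
Resolve-DnsName -Type SRV -Name "_ldap._tcp.${siteName}._sites.dc._msdcs.${forest}"
```

If the SRV lookup still shows only the old site name, Netlogon has not yet re-registered under the new one; repeat the lookup after the registration has completed.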


Thursday, September 27, 2012 6:06 PM

Sites are usually not named based on the domain name, rather the company's location, hence the word "Site." We can have one domain span numerous locations (sites) around the world. That's why it's named "Default-First-Site-Name," because it's left for you to rename it appropriately.

Hi Ace,

Thanks so much for the fast reply!  You should write for MS's tech library ;)

You answered this question, but now I have another question arising from the paragraph I quoted:

When studying DNS naming conventions and best practices, I read somewhere along the line that domains should not be named after the departments of a company, because department names change and so on.  So it is not advised to create a domain named billing.contoso.com for example.  On top of this, when studying network design, I read somewhere that it is highly advised to create subnets for each major department or group of users.  Let's say I created the following subnets (Created on a hardware firewall, separate from Windows Server):

10.1.1.0/24 designated for all low-level/minimum access employees

10.1.2.0/24 designated for VoIP server and IP Phones

10.1.3.0/24 designated for all Windows Servers (VMs included)

10.1.4.0/24 designated for all WiFi devices (printers, admin phones, etc...)

Maximum foreseeable connected devices < 50.  So a small office environment with no branch locations or hosted public web servers.

Okay, here's the question:

*Should I create a Site in AD Sites and Services for each subnet?

*Should I create Forward/Reverse Lookup Zones for each subnet?

*If yes to both, which one should I create first, or does it matter?

Thanks!!!