As already announced here, you can also find the detailed configuration of my Exchange 2016 organization here. The aim is to set up the following environment:
I'm using one of my test domains (frankysweb.org), which is hosted by Strato. I am starting from scratch, only the following things are already prepared:
- 2 x Windows Server 2012 R2 as VM with all Windows updates
- 1 x Fritzbox with configured Internet access and dynamic IP from provider
- 1 x Sophos UTM as VM (WAN port of the UTM to LAN port of the Fritzbox, LAN port of the UTM in the same network as the two Windows servers)
- hosted domain at Strato (frankysweb.com)
The two Windows servers are already configured with static IPs and have been provided with Windows updates, here are the names and IPs:
- DC: 172.16.100.12/24
- Exchange: 172.16.100.13/24
The Sophos UTM (basic configuration) listens on the following IPs:
- WAN: 192.168.10.105/24
- LAN: 172.16.100.254/24
The Fritzbox is configured with the following IPs:
- WAN: dynamic from the provider
- LAN: 192.168.10.1
The first part of this article series is about setting up the Active Directory and the configuration.
Installing Active Directory
The server with the descriptive name DC becomes the domain controller for the Active Directory frankysweb.org. The AD is therefore called the same as the domain at Strato. Of course, any other name will also work, but this configuration is nice and simple in small environments.
Here once again the IP settings of the DC server:
Static IP as already mentioned at the beginning, DNS points to the UTM.
To create a new Active Directory, the server role must first be installed, i.e. start the Server Manager and install the role with the suggested components.
Once the role has been installed, the server can be promoted to a domain controller.
A new overall structure with the name frankysweb.org is created in the first dialog.
In the following dialog, only the password for the recovery mode (Directory Services Restore Mode) must be assigned; the other settings are left as they are.
The warning in the next dialog is normal: it means that the authoritative DNS server (in this case Strato) cannot set up a delegation for the server DC. We do not want that anyway, because we use split-brain DNS; more on that later.
The NetBIOS name in the next dialog can also be left as it is. In my case it is "FRANKYSWEB".
The paths can also be kept as they are; I would not change them either, because I can immediately think of a few programs that have problems with other paths.
A summary of the settings is now displayed.
Once the prerequisite check has been completed, you can install. The warnings are also normal in this case, as already mentioned above.
The server is restarted automatically after the installation, after the restart the configuration can be carried out.
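The same promotion as an added PowerShell example (not from the original post): it installs the AD DS role, runs the prerequisite check and creates the forest frankysweb.org with the values used above (NetBIOS name FRANKYSWEB, default paths, no DNS delegation at the public Strato DNS). The forest and domain functional level Win2012R2 is my assumption, matching the Windows Server 2012 R2 VMs.

```powershell
# Added example: promote the server DC to the first domain controller of the new
# forest frankysweb.org with the ADDSDeployment module instead of the Server Manager dialogs.

# 1. Install the AD DS role including the management tools (RSAT, ActiveDirectory module)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Recovery mode (DSRM) password, read interactively so it never ends up in a
#    script file or in the shell history
$dsrmPassword = Read-Host -Prompt 'DSRM (recovery mode) password' -AsSecureString

# 3. Prerequisite check, same as the check in the wizard. The delegation warning
#    is expected here as well (Strato does not get a delegation for DC).
Test-ADDSForestInstallation -DomainName 'frankysweb.org' `
    -SafeModeAdministratorPassword $dsrmPassword

# 4. Create the forest. -CreateDnsDelegation:$false suppresses the delegation attempt,
#    because the public zone stays at Strato (split-brain DNS). Functional level
#    Win2012R2 is an assumption matching the 2012 R2 VMs.
Install-ADDSForest `
    -DomainName 'frankysweb.org' `
    -DomainNetbiosName 'FRANKYSWEB' `
    -ForestMode 'Win2012R2' `
    -DomainMode 'Win2012R2' `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force

# 5. The server reboots automatically. After the reboot, verify the promotion:
Get-ADDomainController -Identity 'DC' | Select-Object HostName, Site, IsGlobalCatalog
Get-Service -Name NTDS, DNS, Netlogon | Select-Object Name, Status
```

Run it in an elevated PowerShell session on the server DC. Keeping the DSRM password out of the script matters because that password alone allows an offline logon to the directory database.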
DNS configuration
Configuring the DNS server is not difficult and can be done quickly; there are just a few things to consider. There are now two DNS servers for the frankysweb.org domain: a public DNS server at Strato and the internal DNS server that we have just installed with the AD role. If an internal client, for example a PC, now tries to call www.frankysweb.org, the DC answers that the name does not exist.
The internal DNS (DC) does not know a host with the name www, so it must be created accordingly. For www.frankysweb.org to be reachable internally, a host (A) record with the name www must be created. The public IP of the web server at Strato is entered as the IP address:
Now the DNS console looks something like this:
Name resolution from external hosts also works:
As there are to be other public hosts that are to be accessible internally (blog.frankysweb.org or store.frankysweb.org), these hosts must also be entered on the internal DNS server. Of course, we don't have to make our DC known on the public Strato DNS, as it's nobody's business who the domain controller is :-)
Next, the reverse lookup zone must be created so that the reverse resolution also works later:
- Zone type: Primary zone
- Zone replication scope can be left as it is
- IPv4 reverse lookup zone
- Network ID is the corresponding subnet, in my case 172.16.100
- And we only allow secure updates
Done already. Now the PTR records can be created: double-click the DC in the forward lookup zone and tick the box "Update associated pointer (PTR) record".
This is not necessary for the host www, because we do not have or need a reverse lookup zone for it.
A host entry for the UTM can now also be created directly:
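The DNS steps of this section as an added PowerShell example (not from the original post), using the DnsServer module on the DC: the public hosts that must also resolve internally, the reverse lookup zone with secure updates only, the PTR for the DC, the host entry for the UTM, and a check that the split-brain answers are what we expect. The public IPs of the Strato hosts are not given in the article; the 203.0.113.x addresses are documentation-range placeholders.

```powershell
# Added example: split-brain DNS records on the internal DNS server (the DC).
$zone      = 'frankysweb.org'
$dnsServer = '172.16.100.12'

# PLACEHOLDERS: public IPs of the Strato-hosted web hosts; take the real values
# from the public zone at Strato.
$publicHosts = @{
    'www'   = '203.0.113.10'
    'blog'  = '203.0.113.10'
    'store' = '203.0.113.10'
}

# 1. Public hosts that must also resolve internally. No PTR for these: the reverse
#    zone for the Strato address space is not ours and is not needed here.
foreach ($entry in $publicHosts.GetEnumerator()) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $entry.Key `
        -IPv4Address $entry.Value -ComputerName $dnsServer
}

# 2. Reverse lookup zone for 172.16.100.0/24: AD-integrated primary zone, replicated
#    to the DCs of the domain, dynamic updates only from authenticated computers.
Add-DnsServerPrimaryZone -NetworkId '172.16.100.0/24' -ReplicationScope 'Domain' `
    -DynamicUpdate 'Secure' -ComputerName $dnsServer

# 3. PTR for the DC. Its A record already exists (the DC registered itself), so only
#    the pointer record is added; '12' is the host part of 172.16.100.12.
Add-DnsServerResourceRecordPtr -ZoneName '100.16.172.in-addr.arpa' -Name '12' `
    -PtrDomainName "dc.$zone" -ComputerName $dnsServer

# 4. Host entry for the UTM with its PTR created in the same step
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'utm' -IPv4Address '172.16.100.254' `
    -CreatePtr -ComputerName $dnsServer

# 5. Verify. The internal answer for www must be the public IP and reverse
#    resolution for the UTM must work.
Resolve-DnsName -Name "www.$zone" -Server $dnsServer -Type A
Resolve-DnsName -Name '172.16.100.254' -Server $dnsServer -Type PTR

# 6. Drift check (assumption: the UTM at 172.16.100.254 resolves public names via the
#    Internet). Every public host we mirror internally must match the public answer;
#    with split-brain DNS nothing updates these copies automatically.
foreach ($name in $publicHosts.Keys) {
    $internal = (Resolve-DnsName -Name "$name.$zone" -Server $dnsServer -Type A).IPAddress
    $public   = (Resolve-DnsName -Name "$name.$zone" -Server '172.16.100.254' -Type A).IPAddress
    if ($internal -ne $public) {
        Write-Warning "$name.$zone differs: internal $internal, public $public"
    }
}
```

Step 6 is the check worth keeping: the drawback of the manual split-brain approach is that an IP change at Strato silently breaks internal access until someone updates the copy, so a periodic comparison of internal against public answers catches that early.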
Done. Continue with the Active Directory.
Active Directory configuration
In the "Active Directory Sites and Services" console we now create a new subnet.
The subnet is specified as the prefix and assigned to the site (Default-First-Site-Name):
That was all. Now you can think about a nice OU structure, here everyone has to consider for themselves how they can best manage users, groups and computers. I have created 4 organizational units for my test environment:
Users, groups, servers and PCs. I have created a few users in the Users OU, here is an example:
Looks suspiciously like a nice e-mail address, doesn't it? :-) I have also created a group and added my user:
That was all.
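The subnet, the four OUs, the test user and the group as an added PowerShell example (not from the original post), using the ActiveDirectory module. The article does not show the real user and group names, so "testuser" and "TestGroup" are constructed placeholders.

```powershell
# Added example: Sites and Services subnet, OU structure, test user and group.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName      # DC=frankysweb,DC=org

# 1. Subnet 172.16.100.0/24, assigned to the default site
New-ADReplicationSubnet -Name '172.16.100.0/24' -Site 'Default-First-Site-Name'

# 2. The four organizational units directly below the domain root. Protection from
#    accidental deletion is on, which is the default in the GUI as well.
foreach ($ou in 'Users', 'Groups', 'Servers', 'PCs') {
    New-ADOrganizationalUnit -Name $ou -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 3. Test user (placeholder name). The UPN suffix equals the mail domain, which is why
#    the logon name already looks like an e-mail address; Exchange can reuse it later.
$password = Read-Host -Prompt 'Initial password for testuser' -AsSecureString
New-ADUser -Name 'Test User' -GivenName 'Test' -Surname 'User' `
    -SamAccountName 'testuser' -UserPrincipalName 'testuser@frankysweb.org' `
    -Path "OU=Users,$domainDn" -AccountPassword $password `
    -ChangePasswordAtLogon $true -Enabled $true

# 4. Security group (placeholder name) in the Groups OU, with the user as member
New-ADGroup -Name 'TestGroup' -GroupScope Global -GroupCategory Security -Path "OU=Groups,$domainDn"
Add-ADGroupMember -Identity 'TestGroup' -Members 'testuser'

# 5. Verify subnet assignment, user state and membership
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADUser -Identity 'testuser' -Properties MemberOf |
    Select-Object UserPrincipalName, Enabled, MemberOf
```

The subnet-to-site mapping is easy to forget in a lab, but without it clients and later the Exchange server cannot determine their site, which shows up as slow logons and odd DC selection rather than as a clear error.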
Summary
At this point we have an Active Directory that is suitable for the installation of an Exchange Server organization. A test user and a group have also already been created. What is important is the topic of split-brain DNS: external servers must also be created on the internal DNS so that they can be reached or resolved from the internal network (see the www example). In small environments, I think it is perfectly fine to proceed in this way, as there are usually only a few changes and only a handful of corresponding entries. For larger environments, there are other concepts (yet another topic for corresponding posts) :-) If anything is unclear, please post in the comments.