Scope of this document
The purpose and scope of this document is limited to a network environment where Active Directory is integral to the network, but ADAM is running in standalone or gateway mode.
Summary of Best Settings
|DHCP Server:||Active Directory|
|DHCP Options:||Gateway:||ADAM host|
|Other options:||as required by environment|
|Rainbow list:||your internal domain.local|
|Rainbow list redirected to:||Active Directory|
|Rainbow list turned on:||All Rulesets (including Unfiltered ones)|
|Company Internet domain:||yourcompany.com|
|Company internal domain:||yourinternaldomain.local|
|IPv4 subnet:||10.20.30.0/0 (10.20.30.0/255.255.255.0)|
|ADAM LAN IP:||10.20.30.1|
|Active Directory Server IP:||10.20.30.10|
|DHCP Option of Gateway:||10.20.30.1|
|DHCP Option of DNS Server(s):||10.20.30.1 (be sure not to specify 10.20.30.10 as secondary)|
|Rainbow list of “Internal domains”:||yourinternaldomain.com
|Rainbow list re-directed to:||10.20.30.10|
|DHCP running on ADAM host:||NO|
|DHCP running on Active Directory Server:||YES|
When devices have primary and secondary DNS servers, unlike the common perception, the secondary is not a backup DNS server per se. Instead, DNS clients typically issue the same query to all DNS servers received via DHCP at the same time. For this reason, you do not want a primary DNS server of ADAM host and a secondary of AD.
Instead, to achieve redundancy and business continuity for a ADAM environment, you want to have two instances running simultaneously with the same configuration. It’s worth pointing out that the second ADAM instance could be in private server/standalone mode if the first ADAM instance is in gateway mode.
Also in configuration of multiple AD controllers, the DNS settings on the AD servers themselves should be as follows:
|SERVER||DNS settings on IP configuration|
|ADC1||Self (ADC1), ADC2|
|ADC2||Self (ADC2), ADC1|
For example, if AD1 is a host at 10.20.30.10 and ADC2 is 10.20.30.11, the settings would be as follows:
At the time of this writing, this can be achieved via email@example.com to assist multiple BoxIDs at the same location. In the future, this process will be automated and part of the UI.
Benefits of the above suggested configuration:
The advantages of this configuration over having devices all make DNS queries directly to AD are numerous:
- Offloads DNS load from AD to the gateway for queries that AD would be forwarding upstream anyway.
- Allows ADAM per-device filtering to work. (When devices go to AD first for DNS answers, ADAM is unaware of the query’s origin, so per-device filtering couldn’t work in an AD-first scenario)
- All AD and PTR record functionality is maintained and DHCP/DNS on AD is optimized, requiring answers only for itself.
- Allows you to provide additional security for AD servers by building a “Microsoft Essentials” whitelist only, which allows it to obtain Windows updates, but otherwise makes use of the fact that it’s on a whitelist from an Internet access perspective.