Active Directory Configuration

Scope of this document

The purpose and scope of this document is limited to a network environment where Active Directory is integral to the network, but ADAM is running in standalone or gateway mode.

Summary of Best Settings

DHCP Server: Active Directory
DHCP Options: Gateway: ADAM host
DNS: ADAM host(s)
Other options: as required by environment
Forwarding list: your internal domain.local
Forwarding list redirected to: Active Directory
Forwarding list turned on: All Rulesets (including Unfiltered ones)

Example configuration:

Company Internet domain: yourcompany.com
Company internal domain: your internal domain.local
IPv4 subnet: 10.20.30.0/0 (10.20.30.0/255.255.255.0)
ADAM LAN IP: 10.20.30.1
Active Directory Server IP: 10.20.30.10
DHCP Scope: 10.20.30.100-199
DHCP Option of Gateway: 10.20.30.1
DHCP Option of DNS Server(s): 10.20.30.1 (be sure not to specify 10.20.30.10 as secondary)
Forwarding list of “Internal domains” : yourinternaldomain.com
30.20.10.in-addr.arpa
Forwarding list re-directed to: 10.20.30.10
DHCP running on ADAM host: NO
DHCP running on Active Directory Server: YES

Configuration Details

(note: Forwarding List was previously named Rainbow List)

This is what a Forwarding list looks like on your dashboard.adamnet.works -> Manage Rules -> My Lists

Rule should be turned on for all Rulesets.

Windows 2012 DHCP Server configuration

Windows 2012 DNS Server configuration for yourinternaldomain.local and Reverse DNS

Redundancy Recommendation

When devices have primary and secondary DNS servers, unlike the common perception, the secondary is not a backup DNS server per se. Instead, DNS clients typically issue the same query to all DNS servers received via DHCP at the same time. For this reason, you do not want a primary DNS server of ADAM host and a secondary of AD.

Instead, to achieve redundancy and business continuity for a ADAM environment, you want to have two instances running simultaneously with the same configuration. It’s worth pointing out that the second ADAM instance could be in private server/standalone mode if the first ADAM instance is in gateway mode.

Also in configuration of multiple AD controllers, the DNS settings on the AD servers themselves should be as follows:

SERVER DNS settings on IP configuration
ADC1 Self (ADC1), ADC2
ADC2 Self (ADC2), ADC1

For example, if AD1 is a host at 10.20.30.10 and ADC2 is 10.20.30.11, the settings would be as follows:

SERVER DNS Settings
ADC1 10.20.30.10, 10.20.30.11
ADC2 10.20.30.11, 10.20.30.10

At the time of this writing, this can be achieved via support@adamnet.works to assist multiple BoxIDs at the same location. In the future, this process will be automated and part of the UI.

Benefits of the above suggested configuration:

The advantages of this configuration over having devices all make DNS queries directly to AD are numerous:

  • Offloads DNS load from AD to the gateway for queries that AD would be forwarding upstream anyway.
  • Allows ADAM per-device filtering to work. (When devices go to AD first for DNS answers, ADAM is unaware of the query’s origin, so per-device filtering couldn’t work in an AD-first scenario)
  • All AD and PTR record functionality is maintained and DHCP/DNS on AD is optimized, requiring answers only for itself.
  • Allows you to provide additional security for AD servers by building a “Microsoft Essentials” whitelist only, which allows it to obtain Windows updates, but otherwise makes use of the fact that it’s on a whitelist from an Internet access perspective.