This has been a fun topic of discussion on Server Fault. There appear to be varying "religious views" on the topic.
I agree with Microsoft's recommendation: Use a sub-domain of the company's already-registered Internet domain name.
So, if you own foo.com, use ad.foo.com or some such.
The most vile thing, as I see it, is using the registered Internet domain name, verbatim, for the Active Directory domain name. This causes you to be forced to manually copy records from the Internet DNS (like www) into the Active Directory DNS zone to allow "external" names to resolve. I've seen utterly silly things like IIS installed on every DC in an organization running a web site that does a redirect such that someone entering foo.com into their browser would be redirected to www.foo.com by these IIS installations. Utter silliness!
Using the Internet domain name gains you no advantages, but creates "make work" every time you change the IP addresses that external host names refer to. (Try using geographically load-balanced DNS for the external hosts and integrating that with such a "split DNS" situation, too! Gee-- that would be fun...)
Using such a subdomain has no effect on things like Exchange email delivery or User Principal Name (UPN) suffixes, BTW. (I often see those both cited as excuses for using the Internet domain name as the AD domain name.)
I also see the excuse "lots of big companies do it". Large companies can make boneheaded decisions as easily (if not more so) than small companies. I don't buy that just because a large company makes a bad decision that somehow causes it to be a good decision.
The page you linked states quite clearly that read-only 2008/2008R2 domain controllers are not supported; standard (i.e. writable) DCs are supported.
It also states that 2008/2008R2 domain and forest functional levels are supported.
What is not supported is running Exchange 2003 on a 2008/2008R2 server.
Best Answer
Aha!
Yes, you can manage a 2003 FL domain with the AD PowerShell Modules. (I do it myself... well, 2k3 R2... and check this [old] thread at PowerShell Community.)
However, the modules themselves are intended to be installed on Server 2k8 or Win7, and though I've seen reference to hacks to install it on XP or 2k3, that seems pretty foolish to me. Get a Win7 workstation and you can manage your 2k3 domain from it with the AD PowerShell Module you mention.
Also, as from that PS Community thread, you will require ADWS, which is available for Server 2003, and your DCs may also require some patches and updates to the .NET 3.5 framework. Two years later, I'd hope that's already the case in your environment, but you never know.
EDIT: And here's a technet blog about how to set it up, the important bits of which are posted below in case the link goes dead or whatever.
Required tools/patches:
[And as usual, you only want to install the hotfixes if you need them, and you have to hunt through the KB article and then go through the email-us-to-get-a-download-link junk to actually download them.]
Installation/Setup:
On your 2003 DC:
On your Windows 7 workstation:
Add the Windows 7 RSAT features bolded below (Control Panel, Programs, Turn Windows features on or off):
Remote Server Administration Tools
Fire up PowerShell and punch in `Import-Module ActiveDirectory`. Sure beats VB or ADSI Edit, huh?