Re: Internal vs External Domain Names
From: Enkidu (enkidu_at_xyzcliffpxyz.com)
Date: 04/29/04
- Next message: Enkidu: "Re: Newbie question"
- Previous message: Jesse_James: "Group Scope - Which one?"
- In reply to: XXXXXXXXXXX: "Internal vs External Domain Names"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 29 Apr 2004 22:30:41 +1200
Hi Oren,
Your setup below is much the same as my own. See my comments inline.
Cheers,
Cliff
{MVP Directory Services}
On Wed, 28 Apr 2004 07:20:25 -0700, "XXXXXXXXXXX" <XXXXXX@lvcm.com>
wrote:
>Hi Everyone:
>
>I am planning a Windows 2003 Active Directory domain for a client company.
>The external domain name, for example, MYDOMAIN.com is registered and has an
>active website on the Internet. The web server is hosted externally by a
>third party outside the client's LAN. The internal domain name under AD is
>inside.MYDOMAIN.com.
>
>Also, Exchange 2000 server is on the internal network to process mail on
>user accounts such as user@MYDOMAIN.com and user@inside.MYDOMAIN.com who is
>the same end user.
>
> 1) Is this separation sufficient to maintain security between the
>external vs. internal domains? (Assume hardware firewalls are in place
>etc.)
>
Yes, although it's not a *security* problem as such, only in so far as
you don't give away any information that may help an attacker. Your
internal DNS will not be known to the external DNS, but your internal
DNS will be able to access the external DNS if configured correctly.
>
> 2) Would AD see inside.MYDOMAIN.com as the root domain or would it
>be seen as some kind of child domain?
>
Yes, it will be the root Domain of the forest.
>
> 3) What other domain issues should I be concerned about?
>
You probably won't need any other Domains. Do you mean "what other
*DNS* issues should I be concerned about?" If so, the only ones that I
can think of would be if you wanted to make internal machines visible
through the firewall. Then you would give them an *external* name
(such as webmail.mydomain.com) and point the external name at the
firewall's IP address. The firewall would then NAT the *IP*
address to an internal IP address, and the name is irrelevant.
>
> 4) What other Exchange issues should I be concerned about?
>
Your Exchange server would presumably need to connect with the outside
world. SMTP traffic for it would need to arrive at the firewall and
get NATted to the internal Exchange server.
Say the internal Exchange server is on 10.1.1.25 (internal name
mail.internal.mydomain.com). To communicate with say
mail.somedomain.com, the Exchange server sends packets to the LAN
gateway (firewall), which NATs the source IP from 10.1.1.25 to your
external IP address, and off it goes. When a packet arrives back at
the firewall, its destination address (which was the external firewall
IP address) gets NATted to the internal address 10.1.1.25.
DNSwise, the internal address of the server in the internal DNS
(mail.internal.mydomain.com) is matched to the internal address
10.1.1.25. Externally the *same* machine has a DNS entry of, say,
mail.mydomain.com and an IP address of the external IP of the
firewall. The firewall takes care of the conversion between the
external and internal IP addresses.
(It is usual to have an external MX record for "mydomain.com" pointing
to something like "mail.mydomain.com", and "mail.mydomain.com" has an A
record with, in the above scenario, the IP address of the firewall. This
allows you to send mail to george@mydomain.com, but the external name
of the mail server is actually mail.mydomain.com.)
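The split-horizon arrangement described in the reply above, as an added example that is not part of the original thread: two constructed zone files (an external mydomain.com zone as a third-party host would publish it, and an internal inside.mydomain.com zone), a resolver that answers as each side would see it, and an audit that catches the two things worth checking before the external zone goes live: internal AD names or RFC 1918 addresses leaking into it, and an MX target that is a CNAME or has no A record. All names and addresses are assumptions; 203.0.113.10 stands in for the firewall's public address and 10.1.1.x for the LAN.

```python
"""Split-horizon DNS checks for an internal AD zone under an external domain.

Added example, not code from the original post. Zone contents, names and
addresses are constructed for illustration only.
"""
import ipaddress

# Constructed external zone. The dc1.inside record is a deliberate mistake
# so the audit has something to report.
EXTERNAL_ZONE = """
$ORIGIN mydomain.com.
@          IN  SOA  ns1.mydomain.com. hostmaster.mydomain.com. (2004042901 3600 900 604800 86400)
@          IN  NS   ns1.mydomain.com.
@          IN  MX   10 mail.mydomain.com.
mail       IN  A    203.0.113.10
webmail    IN  A    203.0.113.10
www        IN  A    198.51.100.20
dc1.inside IN  A    10.1.1.5
"""

# Constructed internal (AD-integrated) zone, visible only on the LAN.
INTERNAL_ZONE = """
$ORIGIN inside.mydomain.com.
@     IN  SOA  dc1.inside.mydomain.com. hostmaster.inside.mydomain.com. (1 3600 900 604800 86400)
@     IN  NS   dc1.inside.mydomain.com.
dc1   IN  A    10.1.1.5
mail  IN  A    10.1.1.25
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True for addresses in the RFC 1918 private ranges (what a LAN uses)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def qualify(name, origin):
    """Turn a zone-file owner name into a fully qualified name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Minimal zone-file parser: returns (fqdn, type, rdata) tuples."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()           # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "$ORIGIN":
            origin = parts[1]
            continue
        cls = parts.index("IN")                    # name [ttl] IN type rdata...
        records.append((qualify(parts[0], origin), parts[cls + 1], " ".join(parts[cls + 2:])))
    return records


def lookup(records, name, rtype):
    return [rdata for n, t, rdata in records if n == name and t == rtype]


def resolve(view, name, rtype):
    """Answer as the internal or external resolver would see it.

    The internal DNS knows its own zone and can reach the external zone;
    the external DNS knows nothing about inside.mydomain.com.
    """
    zones = [INTERNAL_RECORDS, EXTERNAL_RECORDS] if view == "internal" else [EXTERNAL_RECORDS]
    for recs in zones:
        answer = lookup(recs, name, rtype)
        if answer:
            return answer
    return []


def audit_external_zone(records, zone, internal_suffix):
    """Problems to fix before publishing the external zone, as strings."""
    problems = []
    for name, rtype, rdata in records:
        if name == internal_suffix or name.endswith("." + internal_suffix):
            problems.append(f"leak: {name} {rtype} {rdata}")
        elif rtype == "A" and is_rfc1918(rdata):
            problems.append(f"private address published: {name} A {rdata}")
    for rdata in lookup(records, zone, "MX"):
        host = rdata.split()[1]
        if lookup(records, host, "CNAME"):          # not allowed, RFC 2181 s10.3
            problems.append(f"MX target {host} is a CNAME")
        elif not lookup(records, host, "A"):
            problems.append(f"MX target {host} has no A record")
    return problems


INTERNAL_RECORDS = parse_zone(INTERNAL_ZONE)
EXTERNAL_RECORDS = parse_zone(EXTERNAL_ZONE)

if __name__ == "__main__":
    for view in ("internal", "external"):
        print(view, "mail.inside.mydomain.com. ->", resolve(view, "mail.inside.mydomain.com.", "A"))
        print(view, "mail.mydomain.com.        ->", resolve(view, "mail.mydomain.com.", "A"))
    for problem in audit_external_zone(EXTERNAL_RECORDS, "mydomain.com.", "inside.mydomain.com."):
        print("audit:", problem)
```

The same host answers as 10.1.1.25 under its internal name and as the firewall's public address under its external name, and the internal name returns nothing from the external view, which is the information-hiding point made above. The audit is what to run against a copy of the zone the hosting provider publishes: any leaked inside.mydomain.com name or 10.x address, or an MX pointing at a CNAME, is a configuration error on the external side.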