Re: Internal (AD) vs. external (Internet) DNS namespace


From: Herb Martin (news_at_LearnQuick.com)
Date: 01/30/05


Date: Sat, 29 Jan 2005 23:44:59 -0600


"AI" <{adi-spf4}{remove this text and the braces}@avivausa.com> wrote in
message news:BF1BAD08-D1C8-4493-AC63-9E96707F3ECF@microsoft.com...
> I am planning a migration from NT 4.0 to Active Directory, and the first
> step is to design the DNS namespace. There are four options. If the company
> has the registered Internet domain mycompany.com, for AD you can use:

There is no "correct" answer -- at least not for everyone.

It's a matter of choice, style, comfort, etc.

BTW, you are picking a DOMAIN name, not really a
"namespace" which is the sum of all domain names that
can be resolved within a particular hierarchy or by a
particular DNS server. One might be choosing within
which namespace that domain belongs so you will sometimes
see "namespace planning" which is not technically wrong but
puts the emphasis in the wrong place.

> 1. The same namespace as the company's registered domain, i.e.
> mycompany.com.

There is a slight problem with this (although it is definitely
workable): It disallows contacting your company web
server by its DOMAIN name alone FROM INTERNAL
clients. Internet clients can do that but your internal folks
will not (generally) be able to type just "mycompany.com"
but will need to use www.mycompany.com.

> 2. A subdomain, e.g. corp.mycompany.com, internal.mycompany.com,
> ad.mycompany.com.

Probably the fewest apologies later -- but you have
to explain it to your users (sometimes) etc.

> 3. A different registered domain, e.g. mycomp.com.

Actually this is practically equivalent to #1, and may
actually be MORE confusing.

AND it should always be registered even if you use
it for nothing else but holding (parking) the name.

Another variation on this theme -- which may be the
overall best choice is: MyCompany.net (or org etc.)
if you can get it too.

> 4. A fake TLD, e.g. mycompany.local, mycompany.internal

Normally called a (purely) Internal or Private name. One not valid
on the Internet. It is similar to #3 except you MAKE UP something,
usually 'local'.

Don't pick anything ever likely to actually be added to the
Internet in this case.

> Since this is a question that anyone designing AD needs to answer before
> beginning, I would have expected to find a wealth of information about it.
> To my surprise and frustration, I have had a remarkably hard time finding
> any good, detailed, specific analysis about the relative merits and demerits
> of each option.

There really isn't much more than I gave you above
although there are tons of articles about this in the
Resource Kit and on the MS site*

Do be sure to follow the following guidelines:

    All domain names are AT LEAST TWO "labels" or "tags"
            Right: domain.com. Wrong: domain.
            Also right: child.domain.com.

    All "labels" (or "tags") in the name: 14 characters or LESS.
    All labels start with: Alphabetic character
    All labels can have alphanumeric only (after the first) characters

* Google:
[ ~choosing domain dns name "active directory" site:microsoft.com ]

> To be sure, the topic comes up frequently in articles about AD
> design and technical forums, but it seems that it is always treated very
> superficially. Even Microsoft's own deployment guide doesn't go into the
> topic in any depth.

There really isn't much and they should spend more
time on the simple rules above, and mention the inability
to use the bare domain name for the web site FROM INTERNAL
machines.

> Most discussions either just state what the options are,
> without saying a whole lot about the reasons to use or avoid each one, or
> will simply say "The best practice is X" and "Y is not recommended",
> without going into detail about why (and different articles/discussions
> contradict each other). Whenever reasons are given, they are always very
> generic and vague.

Yes, the vagueness is a legitimate complaint.

> I've also tried asking around, but unfortunately I've only been able
> to get answers saying "Here's how I suggest that you do it" or "Here's
> another possibility" or "There's more than one way to do it, you have to
> choose from your options" (thanks, but that was the setup for my question,
> not an answer to it). Sometimes people will answer by discussing one
> particular advantage or disadvantage to one particular option, or two if
> I'm lucky.

Best is to give a real expert (there are plenty on these
newsgroups) YOUR setup and let them talk about YOUR
setup....

Have an external name registered, wish to use same name
for email, etc. etc.

> There has got to be some better information or discussion out there about
> such a commonly faced topic. Can anyone provide or point me toward a
> source of specific, detailed, in-depth analysis about the pros, cons, and
> caveats of the different options for internal AD DNS namespace with respect
> to external namespace?

The Pros don't go deep here because it isn't worth
the trouble.

I personally never use the .local idea -- I just don't like
it -- but I would if I ran into a company that I thought
met the criteria for this being the best choice.

I personally like the SAME NAME -- it's no harder to
setup correctly despite what you may hear or read, but it
DOES have that bare name for the web site problem.

.net is cool if you really wanted a name different than
your Internet presence.

child.domain.com is no worse than the others except
sometimes it too will confuse your users because they
need to use one name for their domain and another for
their email account. BUT you can setup a UPN that
uses that parent (main domain/email name) instead.

Another choice.

-- 
Herb Martin
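As an added example that is not part of Herb's post or the rest of this thread: a small Python checker that encodes the naming rules listed in the reply (at least two labels; each label 14 characters or fewer, starting with a letter, letters and digits only) and sorts a candidate AD domain name into the four options discussed, attaching the caveat the reply gives for each. The registered name, the candidate list and the PRIVATE_SUFFIXES set are constructed for illustration. The rules are the reply's own and are stricter than DNS itself (which permits hyphens and 63-character labels); the checker keeps them as stated. The explanation in the option 1 branch of why the bare name fails internally (the domain controllers register A records at the apex of the AD zone) is my addition, not the post's.

```python
"""Sanity checks for a candidate Active Directory DNS domain name.

Added example; not code from the original thread. Encodes the naming rules
from the reply and classifies a candidate against the company's registered
Internet name into the four options discussed there.
"""
from __future__ import annotations

import re

# Rule from the reply: letter first, then letters/digits only, 14 chars max.
# DNS itself allows hyphens and 63-character labels; the stricter rule here
# is the thread's own and is kept deliberately.
LABEL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,13}$")

# Constructed set: suffixes the thread treats as private, never valid on the
# Internet (option 4).
PRIVATE_SUFFIXES = {"local", "internal"}


def check_labels(name: str) -> list[str]:
    """Return the rule violations for `name`; an empty list means it passes."""
    problems = []
    labels = name.strip().rstrip(".").split(".")
    if len(labels) < 2:
        problems.append("needs at least two labels (domain.com, not domain)")
    for label in labels:
        if not LABEL_RE.match(label):
            problems.append(
                f"label '{label}' must be 1-14 chars, start with a letter, "
                "and contain only letters and digits"
            )
    return problems


def classify(candidate: str, registered: str) -> tuple[int, list[str]]:
    """Map `candidate` onto options 1-4 relative to the registered Internet
    name and return (option number, caveats from the thread)."""
    cand = candidate.strip().lower().rstrip(".")
    reg = registered.strip().lower().rstrip(".")
    if cand == reg:
        # Option 1: the DCs register "same-as-parent" A records at the apex
        # of the AD zone, so an internal lookup of the bare name returns a
        # domain controller rather than the public web server.
        return 1, [f"internal clients must use www.{reg}; the bare name "
                   f"'{reg}' resolves to domain controllers inside the network"]
    if cand.endswith("." + reg):
        return 2, ["users log on with one name and get mail at another; "
                   f"add '{reg}' as an alternative UPN suffix so logons can use user@{reg}"]
    if cand.rsplit(".", 1)[-1] in PRIVATE_SUFFIXES:
        return 4, ["not resolvable from the Internet; never choose a suffix "
                   "that could later become a real top-level domain"]
    return 3, [f"register '{cand}' publicly even if you only park it"]


def review(candidate: str, registered: str) -> dict:
    """One-call summary a migration planner can print or assert on."""
    option, caveats = classify(candidate, registered)
    return {
        "candidate": candidate,
        "option": option,
        "violations": check_labels(candidate),
        "caveats": caveats,
    }


if __name__ == "__main__":
    REGISTERED = "mycompany.com"  # constructed sample registered name
    for name in ("mycompany.com", "corp.mycompany.com", "mycomp.com",
                 "mycompany.net", "mycompany.local", "mycompany",
                 "1corp.mycompany.com",
                 "research-and-development.mycompany.com"):
        r = review(name, REGISTERED)
        print(f"{name:40} option {r['option']}")
        for v in r["violations"]:
            print(f"{'':40}   violates: {v}")
        for c in r["caveats"]:
            print(f"{'':40}   note: {c}")
```

Run it as a script to see each sample name classified with its caveat; `review()` returns the same information as a dict for use in a planning checklist. The option 1 caveat is the reason a same-name (split DNS) design needs an explicit `www` record in the internal zone: the apex records belong to the domain controllers.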

