Re: Internal (AD) vs. external (Internet) DNS namespace
From: AI (braces}_at_avivausa.com)
Date: 01/30/05
- Next message: Herb Martin: "Re: Schema mismatch...how to solve?"
- Previous message: CK: "NETLOGON Errors on clients"
- In reply to: Herb Martin: "Re: Internal (AD) vs. external (Internet) DNS namespace"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 30 Jan 2005 09:11:01 -0800
"Herb Martin" wrote:
> There is no "correct" answer -- at least not for everyone.
>
> It's a matter of choice, style, comfort, etc.
I understand that. If there were one correct way to do it, it would be well
documented and I'd follow it. It's precisely because there are several ways
to do it that I'm looking for a better understanding of the specific reasons
for and against each option. What I'm looking for isn't someone to tell me
"this is how you should do it", I'm looking for an explanation of what are
the advantages, disadvantages, and pitfalls of the different options, so that
I have a more complete basis for making the choice.
> > 1. The same namespace as the company's registered domain, i.e.
> > mycompany.com.
>
> There is a slight problem with this (although it is definitely
> workable): It disallows contacting your company web
> server by its DOMAIN name alone FROM INTERNAL
> clients. Internet clients can do that but your internal folks
> will not (generally) be able to type just "mycompany.com"
> but will need to use www.mycompany.com.
Okay, my understanding is that the issue with using the same domain name
internally and externally is that if you use one set of DNS servers, you
expose your internal hostnames, whereas if you use separate sets of DNS
servers for internal and external resolution, you need to enter the A records
twice for any servers that need to be available to both internal and external
clients.
My first question is: other than the extra administration of adding a few A
records to two DNS servers, are there any other reasons why this is a bad
idea? I often see this option being treated as if it's conventional wisdom
that it's a bad idea, with vague references to "security", but other than
what I outlined above, are there any other problems with this?
My second question is, why wouldn't the internal clients be able to resolve
the company's web site using just the domain name? If both the internal and
external DNS servers have A records for the domain name that point to the web
server's IP address (the "(same as parent folder)" record in Windows DNS),
wouldn't everybody be able to reach the web site by domain name alone,
without the "www"?
> > 2. A subdomain, e.g. corp.mycompany.com, internal.mycompany.com,
> > ad.mycompany.com.
>
> Probably the fewest apologies later -- but you have
> to explain it to your users (sometimes) etc.
You say "probably the fewest apologies later" - why? This is exactly the
kind of information I'm having trouble finding. What "apologies" (i.e.
problems) would I encounter with the other options that I wouldn't with this
one?
Also, if I do choose this option, would there be any problem with choosing a
NetBIOS name for the domain that is different from the lowest level in the
domain name? For example, if I use internal.mycompany.com, would there be a
problem with using MYCOMPANY as the NetBIOS name rather than INTERNAL, so
that when users log on they can select the company name from the domain list?
> > 3. A different registered domain, e.g. mycomp.com.
>
> Actually this is practically equivalent to #1, and may
> actually be MORE confusing.
>
> AND it should always be registered even if you use
> it for nothing else but holding (parking) the name.
>
> Another variation on this theme -- which may be the
> overall best choice is: MyCompany.net (or org etc.)
> if you can get it too.
Okay...*why* is this the overall best choice? What advantages does it have
over the other choices?
> There really isn't much more than I gave you above
> although there are tons of articles about this in the
> Resource Kit and on the MS site*
Can you point to any? As I said, I've looked through everything I could
find, and it's always been very vague, generic, and skimpy on specific
reasons.
> [ ~choosing domain dns name "active directory" site:microsoft.com ]
Believe me, I've googled this topic to death.
> > To be sure, the topic comes up frequently in articles about AD
> > design and technical forums, but it seems that it is always treated very
> > superficially. Even Microsoft's own deployment guide doesn't go into the
> > topic in any depth.
>
> There really isn't much and they should spend more
> time on the simple rules above, and mention the inability
> to use the bare domain name for the web site FROM INTERNAL
> machines.
Are you saying that there largely aren't too many reasons why it matters,
and that with the exception of a few minor issues each way works just as well
as the next?
> Best is to give a real expert (there are plenty on these
> newsgroups) YOUR setup and let them talk about YOUR
> setup....
Well, I have tried that before, but the problem with that is that it tends
to lead toward "this is what you should do" type answers, rather than
information about the different options that would help *me* make a decision.
Also, I do think it would be useful to understand the considerations for
different types of setups, and whether certain options fit certain
circumstances better than others. In other words, rather than just having
someone say "Here's the right fit IMUO (in my unexplained opinion) for your
specific environment", I want to know what benefits and limitations each
option has to offer.
However, here's what we have currently: We have a single NT 4.0 domain, and
will be migrating to a single AD domain. I don't foresee the need to add
child domains in the life of the AD implementation. We have a registered
Internet domain name, mycompany.com. Two Win2k DNS servers in the DMZ
provide resolution to external clients for this domain. We have two internal
DNS domains, corp.mycompany.com and corp.oldcompanyname.com. Resolution is
provided by Win2k DNS servers on the internal LAN. These servers forward to
the DNS servers in the DMZ, and the servers in the DMZ use root hints.
Keeping things similar to the way they are now is NOT a major consideration.
The current DNS structure is rather messy, and I'm more interested in
scrapping everything and doing it right than trying to keep things as much
the same as possible. In fact, I don't want to use corp.mycompany.com for AD
because I'm going to be restructuring rather than upgrading in place (i.e.
the AD environment will be set up alongside the existing NT 4.0 environment,
and the accounts, objects, policies, and servers will be migrated into the AD
domain). I think this process would be better served by not using the
existing internal domain for AD, so that the two domains can coexist during
the migration process. Using a subdomain other than "corp", however, such as
internal.mycompany.com, is a viable option.
> Have an external name registered, wish to use same name
> for email, etc. etc.
Okay, I've seen references to using the same name for e-mail internally and
externally before, but again, it's not clear what the issue is. We currently
have Exchange 5.5, and might be migrating to 2003. Internally, users select
names from the GAL, and externally, people e-mail to username@mycompany.com.
As long as internal users are all using Outlook in the Exchange client
configuration and selecting recipients from the GAL, is there any potential
for problems or confusion if the internal domain name is different from the
external domain name?
> I personally never use the .local idea -- I just don't like
> it -- but I would if I ran into a company that I thought
> met the criteria for this being the best choice.
Are there any particular reasons why you don't like .local? I've seen
articles saying that this is the best way to go (without much explanation),
but Microsoft's deployment guide says that it's "not recommended" (again,
without explaining why).
> child.domain.com is no worse than the others except
> sometimes it too will confuse your users because they
> need to use one name for their domain and another for
> their email account. BUT you can setup a UPN that
> uses that parent (main domain/email name) instead.
To reiterate the question from above, in case it gets overlooked - if I use
child.domain.com, would I still be able to use DOMAIN as the NetBIOS name, so
that users select the company name when they log on, rather than the
subdomain ("CHILD" in this case)? Are there any problems with the mismatch
if there will only be one AD domain?
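Added example, not part of this thread and not anyone's real configuration: the post describes a split-horizon setup for option 1, where the same zone (mycompany.com) is served by internal AD DNS servers and by separate DNS servers in the DMZ, and names the two things that go wrong with it: records for hosts that must be reachable from both sides have to be entered twice (including the apex "(same as parent folder)" record that lets users type just the domain name), and internal hostnames can end up exposed in the public zone. The Python script below checks an internal and an external copy of the zone for both problems. The zone fragments, the hostnames (dc1, fileserver, mail, www) and the addresses in it are constructed sample data; the function and variable names are this example's own.

```python
"""Split-horizon DNS consistency check.

Constructed example: the zone fragments below are made up to illustrate the
two risks discussed in the thread when mycompany.com is used both as the AD
namespace and as the public Internet name, served by separate internal and
external DNS servers:

  1. hosts meant to be reachable from both sides (the apex "@" record, www,
     mail) must be entered on both servers; a record missing on one side is
     exactly the "(same as parent folder)" / bare-domain-name problem;
  2. internal-only hostnames (domain controllers, file servers) must not be
     copied into the public zone, or the internal namespace is exposed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ARecord:
    name: str       # owner name relative to the zone; '@' is the zone apex
    address: str    # IPv4 address as text


def parse_zone(text):
    """Parse a minimal 'name A address' zone fragment into a set of ARecord.

    Only A records are kept; ';' starts a comment, as in BIND zone files.
    """
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        name, rtype, address = line.split()
        if rtype.upper() == "A":
            records.add(ARecord(name.lower(), address))
    return records


def _by_name(records):
    """Group addresses by owner name: {'www': {'203.0.113.10'}, ...}."""
    index = {}
    for rec in records:
        index.setdefault(rec.name, set()).add(rec.address)
    return index


def check_split_horizon(internal, external, public_hosts):
    """Compare the internal and external views of one zone.

    internal, external: sets of ARecord served by each DNS server.
    public_hosts: owner names that must resolve on BOTH sides ('@' = apex).
    Returns sorted lists so the result is stable and easy to assert on.
    """
    inside = _by_name(internal)
    outside = _by_name(external)
    return {
        # public names internal clients cannot resolve (e.g. the apex record
        # was never added to the AD zone, so "mycompany.com" fails inside)
        "missing_internal": sorted(h for h in public_hosts if h not in inside),
        # public names Internet clients cannot resolve
        "missing_external": sorted(h for h in public_hosts if h not in outside),
        # names on the public server that were never meant to be public
        "leaked_to_external": sorted(n for n in outside if n not in public_hosts),
        # same name, different addresses on the two sides: normal for split
        # DNS (private vs. public IP) but worth a review, so it is reported
        "address_mismatch": sorted(
            h for h in public_hosts
            if h in inside and h in outside and inside[h] != outside[h]
        ),
    }


# Constructed sample data (not taken from the thread's real environment).
INTERNAL_ZONE = """
; served by the AD-integrated DNS servers on the LAN
www        A 203.0.113.10
mail       A 10.0.0.25      ; internal address of the Exchange server
dc1        A 10.0.0.5       ; domain controller, internal only
fileserver A 10.0.0.6       ; internal only
"""

EXTERNAL_ZONE = """
; served by the DNS servers in the DMZ
@          A 203.0.113.10   ; apex record: lets Internet users type just mycompany.com
www        A 203.0.113.10
mail       A 203.0.113.25   ; public address of the mail relay
dc1        A 10.0.0.5       ; mistake: an internal host copied into the public zone
"""

PUBLIC_HOSTS = {"@", "www", "mail"}


def run_check():
    """Run the comparison on the constructed zones and return the findings."""
    return check_split_horizon(
        parse_zone(INTERNAL_ZONE), parse_zone(EXTERNAL_ZONE), PUBLIC_HOSTS
    )


if __name__ == "__main__":
    for finding, names in run_check().items():
        print(f"{finding:20s} {names}")
```

On the sample data the check reports the apex record as missing internally (so LAN users would have to type www.mycompany.com, the situation Herb describes), dc1 as leaked into the public zone, and mail as resolving to different addresses on the two sides, which is expected for split DNS and is listed only for review. To use it against real servers, feed it a zone export from each side (for example a file written by dnscmd /ZoneExport) and list in `public_hosts` every name that is supposed to exist on both; anything the external server answers for beyond that list is a candidate for removal.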