DNS and AD Design question

Guest

Just wanted to throw this out to see everyone's thoughts. It's an old question: should you match your Active Directory domain name with your externally registered internet name? Microsoft gives two common answers to this question:

1) The forest root domain should be a generic domain (root.local instead of microsoft.com)

or

2) The internal and external domain names should not match, to prevent overlaps from occurring during the name resolution process. In other words, you would have to maintain a public DNS server and an internal DNS server to prevent clients from getting a public IP when trying to access an internal web server (or similar problems).

But here's the deal, personally...I think split brain DNS is a smart choice. I've been setting up networks like that for the last two years (not the AD domains, but using Split-Brain DNS) and it works like a charm. I like it because it keeps external requests for resolution off of my internal DNS servers and it makes for fewer questions having a single namespace internally and externally. I understand that you can modify and add your own UPN suffixes to hide your internal domain name to keep confusion to a minimum...but one of the Best Practices of Network Administration is "Simplicity". Using Split Brain DNS gives all that to me and still allows me to use the same domain name internally and externally.

I was just curious what other people thought. My biggest problem with doing it the way I want to is that you can't rename domains in Windows 2000 (and you can't rename forest root domains in Windows 2003). So.. to me the question becomes.. should I use a generic root domain or not... Everybody's thoughts welcome on any part of it. :)

Brian Desmond [MVP]

I recommend split DNS whilst using your internet namespace, usually with
something like ad.mycompany.net, or something like that. You could also go
for mycompany.local with split DNS. Hosting external DNS in the same zone as
AD is something I would not do, personally.


--
Brian Desmond
Windows Server MVP
Http://www.briandesmond.com


David Adner

I vote separate DNS namespace internal, too. However, if you don't want
an entirely separate namespace, you can work off your public one. For
example, if your public name is company.com, your AD could be
corp.company.com.

And, unless I'm mistaken, you can actually rename the forest root with
Server 2003. You can't change which Domain is the forest root, but
you're able to rename it. Not sure just how easy that is, though.

druid_ro

A question:

How do you set up the external dns zone?


Suppose you have an AD domain example.com with the internal DNS set up
as AD integrated.

In case you want to separate internal DNS from external, what should I
do? Should I put up a DNS server in the external network with the same
zone, configured as master, and use it as a forwarder for the
internal DNS?

Second, which SOA should I enter in the external DNS? The same SOA as
in the internal zone, or the actual name of the server hosting the
zone?

Thanks


druid_ro

David Adner

Let's see if I have this right. I'm probably not the best person to
ask. Hopefully one of the DNS experts will validate (or invalidate)
this.

If you want to also have example.com as your external DNS, you set up
your external DNS to be authoritative (i.e. it has an SOA record) and only
contain the records that your external clients need to hit. Then for
the internal, you also make it authoritative. Since both DNS systems
think they're authoritative, they can't sync or forward to each other.
Because of this, you have to manually create records in either zone that
you need accessible from each other. For example, you'll manually
create your public web site's name in your internal DNS so your internal
clients can still access it. I think that's pretty close.
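One way to check that the two authoritative halves stay consistent, as an added example that is not from the thread: the zone contents, example.com names and addresses are constructed, and the audit flags public names the internal zone lacks (which internal clients could not reach) as well as internal-only records that have leaked into the public zone.

```python
import ipaddress

# Constructed sample zones (not from the thread): both halves are authoritative for
# example.com with their own SOA. dc1's record was wrongly copied into the public zone.
EXTERNAL_ZONE = """
example.com.       SOA  ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 300
example.com.       NS   ns1.example.com.
example.com.       MX   10 mail.example.com.
ns1.example.com.   A    203.0.113.2
www.example.com.   A    203.0.113.10
mail.example.com.  A    203.0.113.20
dc1.example.com.   A    10.0.0.5
"""
INTERNAL_ZONE = """
example.com.              SOA  dc1.example.com. hostmaster.example.com. 77 900 600 86400 3600
example.com.              NS   dc1.example.com.
dc1.example.com.          A    10.0.0.5
_ldap._tcp.example.com.   SRV  0 100 389 dc1.example.com.
intranet.example.com.     A    10.0.0.50
mail.example.com.         A    10.0.0.25
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ZONE_OWN_TYPES = {"SOA", "NS"}  # each half of a split-brain zone legitimately has its own

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def parse_zone(text):
    """Return {(owner, type): [rdata, ...]} from a whitespace-separated zone listing."""
    records = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        owner, rtype, rdata = parts[0].lower(), parts[1].upper(), " ".join(parts[2:])
        records.setdefault((owner, rtype), []).append(rdata)
    return records

def audit_split_brain(external_text, internal_text):
    # missing_internally: public records with no counterpart in the internal zone, so
    # internal clients (which only ask the internal server) cannot reach those names.
    # leaked_externally: AD service-location names or RFC 1918 addresses published in
    # the public zone; they belong only in the internal half.
    ext, internal = parse_zone(external_text), parse_zone(internal_text)
    missing = sorted(f"{owner} {rtype}" for (owner, rtype) in ext
                     if rtype not in ZONE_OWN_TYPES and (owner, rtype) not in internal)
    leaked = sorted({owner for (owner, rtype), rdatas in ext.items()
                     if owner.startswith("_") or rtype == "SRV"
                     or (rtype == "A" and any(is_rfc1918(r) for r in rdatas))})
    return {"missing_internally": missing, "leaked_externally": leaked}
```

Running the audit against real zones means exporting each server's zone listing in the same owner/type/rdata layout; the public-address entries it reports as missing are the ones to create by hand in the internal zone, as the answer above describes.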