Domain used internally / externally?

Thread starter: Jackal

Jackal

Dear all,
If I have a registered domain such as abc.com, can I also adopt this domain
for internal use as the company domain? Will there be any side effect, or is it a
wise choice? Thanks very much for your suggestions in advance.

Cheers,
Jackal
 
Jackal said:
Dear all,
If I have a registered domain such as abc.com, can I also adopt this domain
for internal use as the company domain? Will there be any side effect, or is it a
wise choice? Thanks very much for your suggestions in advance.

It's an ok choice but there are side-effects, or rather issues
to be accepted and dealt with.

You won't be able (to easily) use your BARE domain name
from internal sites to reach your web server, e.g., domain.com
rather than www.domain.com.

The DCs register this name too and the internal machines must
resolve through internal DNS. This has no effect on the outside
users, and inside users can just be taught to type:

domain CTRL-ENTER in Explorer

You will have to run shadow DNS but that isn't a big deal either;
it just takes a little explaining at first (to the admins.)
 
Thank you very much, Herb. But there are still some points I wish to
clarify with you. If you would like to, of course.

1. What did you mean by "to run shadow DNS"? Is this a kind of tool that does
this job, or can it be done inside the DNS management console?
2. If I didn't misunderstand what you said, is the only side effect of using
the same domain name internally as externally that users must
type the entire URL to reach the web site, such as "www.abc.com"?
Again, thanks very much in advance.

Cheers,
Jackal
 
Jackal

DO NOT USE your external domain for your internal purposes

As MARTIN suggests, this use is possible, but you have to configure the whole environment very carefully, and some problems can appear later.

In your case, I strongly suggest you use a different domain for your internal environment; for example, if your external domain is ABC.COM, for the internal WAN you can use ABC.WAN or ABC.LOCAL.

Using this, you will have no problems in the future.

Hope this helps

bye

Moren


----- Jackal wrote: ----

Dear all,
If I have a registered domain such as abc.com, can I also adopt this domain
for internal use as the company domain? Will there be any side effect, or is it a
wise choice? Thanks very much for your suggestions in advance.

Cheers,
Jackal
 
Jackal,

One of the main things is that your internal clients will not be able to
access http://www.abc.com 'out-of-the-box'. However, this is easily
resolved. All you need to do is in your DNS Forward Lookup Zone create a
Host Record ( aka A Record ) called 'www' - without the quotes - and give it
the Public IP Address of your website.

There is nothing wrong with having a split-brain DNS setup. We have many
many many clients who have the same internal DNS namespace as external DNS
namespace. In fact, if you do a search in this NewsGroup you will find that
this question is posted at least once a week. If you hop on over to the DNS
NewsGroup you might find it a bit more often. This is also one of the more
hotly contested topics. There are two camps: those who use the same
internal / external DNS namespace ( split-brain DNS ) and those who do not.
Really, both ways work.

From a security point of view you might want to consider abc.local for
internal and abc.com for external. This situation helps to prevent your
internal DNS 'stuff' getting published to the outside world. However, with
a properly setup Firewall this should not be an issue anyway!

However, both ways require a bit of tweaking. For those who do, you have
to know this 'www' record trick. For those who do not, you have to know how
to use the Recipient Policy in Exchange 2000 ( as your clients will have a
(e-mail address removed) e-mail address - they might also need a (e-mail address removed)
e-mail address for the 'outside world' ).

HTH,

Cary


Jackal said:
Thank you very much, Herb. But there are still some points I wish to
clarify with you. If you would like to, of course.

1. What did you mean by "to run shadow DNS"? Is this a kind of tool that does
this job, or can it be done inside the DNS management console?
2. If I didn't misunderstand what you said, is the only side effect of using
the same domain name internally as externally that users must
type the entire URL to reach the web site, such as "www.abc.com"?
Again, thanks very much in advance.

Cheers,
Jackal
 
1. What did you mean by "to run shadow DNS"? Is this a kind of tool that does
this job, or can it be done inside the DNS management console?

No, it's an 'architecture' not a technical setting.

You run two versions of your zone -- same name -- one externally
and one internally with their own "Primaries" so that you break
replication between them.

It's really TWO zones with the same name but I am about the only
one who says that out loud.

And it's better to leave your external zone with your Registrar or,
(second best) your ISP, if that is possible.
2. If I didn't misunderstand what you said, is the only side effect of using
the same domain name internally as externally that users must
type the entire URL to reach the web site, such as "www.abc.com"?

I think that is the only one, but it is the only noticeable issue for most
people.

So many people screwed themselves up by not implementing
shadow dns (aka "split DNS") that many people here claim that
Same-Name is a poor choice.

It's not poor, you just have to do it right and it isn't that hard, but
it is also easy for beginners to mess up.

--
Herb Martin
Jackal said:
Thank you very much, Herb. But there are still some points I wish to
clarify with you. If you would like to, of course.

Cheers,
Jackal
 
Cary said:
One of the main things is that your internal clients will not be able to
access http://www.abc.com 'out-of-the-box'. However, this is easily

Not if he runs shadowed DNS.

You just duplicate ALL of the external records on the internal
DNS rather than do it piecemeal the way it usually gets recommended
to people who start having trouble.

This would mean FTP.abc.com and everything else just gets replicated
MANUALLY to the internal version of the zone from the start.
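Cary's 'www' host record is the piecemeal fix; Herb's point here is to copy all of the external records into the internal copy of the zone from the start, and his first reply described the one thing that cannot be copied, the bare name, because the DCs register it inside. The following is an added example, not code from any poster in this thread, that audits the two copies of a same-name zone: it lists the external records still missing inside, shows the bare-name collision, flags internal-only records (RFC 1918 addresses, AD service locator names) that have leaked into the public copy, and models how a search suffix turns a typed 'www' into www.abc.com. The abc.com name, every address and host name, the zone data and the one-record-per-line zone-file subset it parses are constructed assumptions.

```python
"""Split-brain ("shadow") DNS audit: one zone name, two separately managed copies.
Added example for this thread, not any poster's code. The abc.com name, the
203.0.113.x / 10.0.0.x addresses, the host names and the tiny zone-file
subset parsed here are constructed, simplified assumptions."""
import ipaddress
from dataclasses import dataclass

ORIGIN = "abc.com"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed public zone, as the registrar or ISP would serve it.
EXTERNAL_ZONE = """
@     A   203.0.113.10   ; web server answers the bare name outside
www   A   203.0.113.10
ftp   A   203.0.113.11
mail  A   203.0.113.12
@     MX  10 mail.abc.com.
dc1   A   10.0.0.5       ; internal host that leaked into the public copy
"""
# Constructed internal copy after only the piecemeal 'www' fix; the apex
# A records are the ones the DCs register through Netlogon.
INTERNAL_ZONE = """
@     A   10.0.0.5       ; dc1
@     A   10.0.0.6       ; dc2
dc1   A   10.0.0.5
www   A   203.0.113.10   ; the 'www' host record trick
_ldap._tcp.dc._msdcs  SRV  0 100 389 dc1.abc.com.
"""

@dataclass(frozen=True)
class Record:
    name: str   # fully qualified owner, lower case, no trailing dot
    rtype: str  # A, MX, SRV, ...
    value: str  # rdata as written, trailing dot stripped

def parse_zone(text, origin=ORIGIN):
    """One 'owner TYPE rdata' per line; '@' is the apex, relative owners get origin."""
    origin = origin.rstrip(".").lower()
    out = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        owner = owner.lower()
        fqdn = origin if owner == "@" else (
            owner.rstrip(".") if owner.endswith(".") else f"{owner}.{origin}")
        out.add(Record(fqdn, rtype.upper(), rdata.strip().rstrip(".").lower()))
    return frozenset(out)

def lookup(zone, name, rtype="A"):
    """All rdata for name/rtype, sorted for determinism."""
    key = name.rstrip(".").lower()
    return sorted(r.value for r in zone if r.name == key and r.rtype == rtype)

def resolve(zone, typed, suffixes, rtype="A"):
    """Simplified stub resolver: a dotted name is tried as typed, then with each
    search suffix appended; an unqualified name only with the suffixes."""
    typed = typed.rstrip(".").lower()
    candidates = ([typed] if "." in typed else []) + [f"{typed}.{s.rstrip('.').lower()}" for s in suffixes]
    for fqdn in candidates:
        if answers := lookup(zone, fqdn, rtype):
            return answers
    return []

def missing_internally(external, internal, origin=ORIGIN):
    """What 'duplicate ALL of the external records' must copy inside. Skips SOA/NS
    (each copy has its own primaries) and the apex A/AAAA, which the DCs own inside."""
    origin = origin.rstrip(".").lower()
    return frozenset(r for r in external
                     if r.rtype not in ("SOA", "NS")
                     and not (r.name == origin and r.rtype in ("A", "AAAA"))
                     and r not in internal)

def apex_conflict(external, internal, origin=ORIGIN):
    """Bare-name answers outside vs. inside: the 'domain.com without www' issue.
    Inside, abc.com reaches a domain controller, not the web server."""
    origin = origin.rstrip(".").lower()
    return lookup(external, origin), lookup(internal, origin)

def leaked_externally(external):
    """Records that do not belong in the public copy: RFC 1918 addresses and
    AD service locator owners (_ldap, _kerberos, _msdcs ...)."""
    def private(r):
        return r.rtype == "A" and any(ipaddress.ip_address(r.value) in n for n in RFC1918)
    return frozenset(r for r in external
                     if private(r) or r.name.startswith("_") or "._msdcs." in r.name)

def audit(external_text=EXTERNAL_ZONE, internal_text=INTERNAL_ZONE, origin=ORIGIN):
    ext, inn = parse_zone(external_text, origin), parse_zone(internal_text, origin)
    missing = missing_internally(ext, inn, origin)
    return {"missing": missing, "apex": apex_conflict(ext, inn, origin),
            "leaked": leaked_externally(ext), "internal_after_sync": inn | missing}

if __name__ == "__main__":
    result = audit()
    for r in sorted(result["missing"], key=lambda r: (r.name, r.rtype)):
        print("copy to internal zone:", r.name, r.rtype, r.value)
    for r in sorted(result["leaked"], key=lambda r: r.name):
        print("remove from public zone:", r.name, r.rtype, r.value)
    print("ftp typed inside after sync:", resolve(result["internal_after_sync"], "ftp", [ORIGIN]))
```

Run as-is it reports ftp, mail and the MX record as the ones still to copy inside, the leaked dc1 record as the one to remove from the public copy, and shows that 'www' resolves inside only because of the host record trick while the bare name answers with the DC addresses. To use it on real zones you would feed it an export from each side; the parser only understands the one-record-per-line subset shown, so a real zone file with $ORIGIN, $TTL or multi-line records needs a proper parser first.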
 
Moren said:
DO NOT USE your external domain for your
internal purposes.
As MARTIN suggests, this use is possible, but you have to configure the whole
environment very carefully, and some problems can appear later.

No, if you do it right you will not have problems. It's only
beginners and amateurs that really have a hard time with this.
In your case, I strongly suggest you to use a different domain for your
internal environment; for example, if your external domain is ABC.COM, for
the internal WAN you can use ABC.WAN or ABC.LOCAL.

Too strong a warning.
Using this you will have no problems in the future.

And doing it right causes no serious problems beyond the
bare name issue for internal users.

It isn't hard if you take a minute to UNDERSTAND DNS.
 
Herb Martin said:
No, it's an 'architecture' not a technical setting.

You run two versions of your zone -- same name -- one externally
and one internally with their own "Primaries" so that you break
replication between them.

It's really TWO zones with the same name but I am about the only
one who says that out loud.

It's really two zones in two separate DNS systems.
And it's better to leave your external zone with your Registrar or,
(second best) your ISP, if that is possible.
Hmm, I'm not sure about that one, Herb. If you leave it with the
registrar you will most likely have a horrible web based interface,
whereas with the ISP if you have a good relationship with them you can
get them to set up cool non-standard tricks (e.g. wildcard domain
names).
I think that is the only one, but it is the only noticeable issue for most
people.
Is this so? Wouldn't the Domain Name be appended if set?
So many people screwed themselves up by not implementing
shadow dns (aka "split DNS") that many people here claim that
Same-Name is a poor choice.

It's not poor, you just have to do it right and it isn't that hard, but
it is also easy for beginners to mess up.

Yes. I think it is because they think of DNS as part of AD. DNS is NOT
part of AD, though it may use some of AD's facilities eg replication
in the case of AD Integrated DNS.

Cheers,

Cliff

{MVP}
 
Cliff said:
Hmm, I'm not sure about that one, Herb. If you leave it with the
registrar you will most likely have a horrible web based interface,
whereas with the ISP if you have a good relationship with them you can
get them to set up cool non-standard tricks. (e.g. wildcard domain

Not horrible at all. And for the SMALL number of entries and
infrequent changes of the public name-addresses it is more than
sufficient.

I find Register.com's web interface to be about as easy as the
MS GUI. What you don't have is the ability to make mass
changes from the command line via a script program (Perl etc.)

You are much more likely to want to change ISPs than Registrars.
When you do, managing to move your DNS becomes a pain.

Many/Most? ISPs don't even have an interface as the registrars
typically do and so you must call or email for each change and
typically wait for some "update cycle" at night etc.
Is this so? Wouldn't the Domain Name be appended if set?

What are you asking? "appended if set"????
Yes. I think it is because they think of DNS as part of AD. DNS is NOT
part of AD, though it may use some of AD's facilities eg replication
in the case of AD Integrated DNS.

Yes. I actually make a big deal of this distinction in my
classes. No one is likely to say (consciously), "DNS is
AD" but those of us who REALLY know DNS and AD
forget how joined at the hip they can seem to people who
learn them for the first time together, rather than separately.
 
Herb Martin said:
Not horrible at all. And for the SMALL number of entries and
infrequent changes of the public name-addresses it is more than
sufficient.
Well, I must admit that for work I have the luxury of my own DNS
servers..... I have maybe two to three changes per week for my
clients. I wouldn't fancy doing that through a web interface, but if
it were sufficiently flexible....
I find Register.com's web interface to be about as easy as the
MS GUI. What you don't have is the ability to make mass
changes from the command line via a script program (Perl etc.)
I use Domain Monger for registering .com Domain Names. They are pretty
good. The situation in the .nz namespace is not so good but getting
better, with the monopoly registry/registrar being split up into two
companies...
You are much more likely to want to change ISPs than Registrars.
When you do, managing to move your DNS becomes a pain.
The advantage of having your own DNS servers is apparent!
Many/Most? ISPs don't even have an interface as the registrars
typically do and so you must call or email for each change and
typically wait for some "update cycle" at night etc.
Yes. This has both good and bad aspects, of course.
What are you asking? "appended if set"????
I was asking for clarification but messed up. In the properties of the
NIC you can set a DNS suffix for the connection. I was asking if you
were saying that with the same Domain Name externally and internally
you would have to supply the full URL to access an external machine,
ie http://www would not work?
Yes. I actually make a big deal of this distinction in my
classes. No one is likely to say (consciously), "DNS is
AD" but those of us who REALLY know DNS and AD
forget how joined at the hip they can seem to people who
learn them for the first time together, rather than separately.

Yes, I often say that the DNS could be on the moon if it supports the
SRV records and so on.

Cheers,

Cliff
 
Cliff said:
Well, I must admit that for work I have the luxury of my own DNS
servers..... I have maybe two to three changes per week for my
clients. I wouldn't fancy doing that through a web interface, but if
it were sufficiently flexible....

It sounds like you are running DNS for a number of clients --
a completely different situation. You are closer to playing the
role of the ISP if that is the case (or at least the DNS service.)

The advice is for the guy who is running his own domain and
perhaps a handful of servers (Web, FTP, SMTP etc.) or so.

I have about 30 DNS names and mine is much better serviced
by being at Register.com even though I have a DNS server
on the Internet backbone (it does caching for me).

And technically there is a (business) requirement and best
practice to have at least two DNS servers for .com and
other names. Many people don't have but one public
server for everything.

24/7 support; backbone presence; highly cached servers
(they're in almost everyone's caches) etc. The average admin
has no business trying to duplicate and equal this quality
of service.
 