Internal vs External Domain Names

XXXXXXXXXXX

Hi Everyone:

I am planning a Windows 2003 Active Directory domain for a client company.
The external domain name, for example, MYDOMAIN.com is registered and has an
active website on the Internet. The web server is hosted externally by a
third party outside the client's LAN. The internal domain name under AD is
inside.MYDOMAIN.com.

Also, Exchange 2000 server is on the internal network to process mail on
user accounts such as (e-mail address removed) and (e-mail address removed) who is
the same end user.

1) Is this separation sufficient to maintain security between the
external vs. internal domains? (Assume hardware firewalls are in place
etc.)

2) Would AD see inside.MYDOMAIN.com as the root domain or would it
be seen as some kind of child domain?

3) What other domain issues should I be concerned about?

4) What other Exchange issues should I be concerned about?

Thanks for any input and help.

Oren
 
Chriss3

Please see answers inline

--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips
XXXXXXXXXXX said:
Hi Everyone:

I am planning a Windows 2003 Active Directory domain for a client company.
The external domain name, for example, MYDOMAIN.com is registered and has an
active website on the Internet. The web server is hosted externally by a
third party outside the client's LAN. The internal domain name under AD is
inside.MYDOMAIN.com.

Also, Exchange 2000 server is on the internal network to process mail on
user accounts such as (e-mail address removed) and (e-mail address removed) who is
the same end user.

1) Is this separation sufficient to maintain security between the
external vs. internal domains? (Assume hardware firewalls are in place
etc.)
[Christoffer Andersson] If you have an external AD domain it should absolutely
be a separate forest and not even physically connected to your LAN; of course
a firewall is needed everywhere :)

2) Would AD see inside.MYDOMAIN.com as the root domain or would it
be seen as some kind of child domain?

3) What other domain issues should I be concerned about?

[Christoffer Andersson] Active Directory will see this as the root forest
domain if you named your root domain like this. However, you are in the
hands of your external name space. This can be a DNS resolve problem, or it
will be, I think; a better solution is to name it MYDOMAIN.local, then you
are not in the hands of any external name space.

4) What other Exchange issues should I be concerned about?

[Christoffer Andersson] There should not be any issues here; of course you
have to set up a recipient policy with the external name space.
 
Bob

mydomain.local can cause issues for Macs. You might want
to try mydomain.lcl

regards,

Bob
 
Chriss3

Thanks for the information, I have not even touched a Mac yet :)

--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips
Bob said:
mydomain.local can cause issues for Macs. You might want
to try mydomain.lcl

regards,

Bob
 
Enkidu

Hi Oren,

Your setup below is much the same as my own. See my comments inline.

Cheers,

Cliff

{MVP Directory Services}

Hi Everyone:

I am planning a Windows 2003 Active Directory domain for a client company.
The external domain name, for example, MYDOMAIN.com is registered and has an
active website on the Internet. The web server is hosted externally by a
third party outside the client's LAN. The internal domain name under AD is
inside.MYDOMAIN.com.

Also, Exchange 2000 server is on the internal network to process mail on
user accounts such as (e-mail address removed) and (e-mail address removed) who is
the same end user.

1) Is this separation sufficient to maintain security between the
external vs. internal domains? (Assume hardware firewalls are in place
etc.)
Yes, although it's not a *security* problem as such, only in so far as
you don't give away any information that may help an attacker. Your
internal DNS will not be known to the external DNS, but your internal
DNS will be able to access the external DNS if configured correctly.
2) Would AD see inside.MYDOMAIN.com as the root domain or would it
be seen as some kind of child domain?
Yes, it will be the root Domain of the forest.
3) What other domain issues should I be concerned about?
You probably won't need any other Domains. Do you mean "what other
*DNS* issues should I be concerned about?" If so, the only ones that I
can think of would be if you wanted to make internal machines visible
through the firewall. Then you would give them an *external* name
(such as webmail.mydomain.com) and point the external name at the
firewall's IP address. The firewall would then NAT the *IP*
address to an internal IP address, and the name is irrelevant.
4) What other Exchange issues should I be concerned about?
Your Exchange server would presumably need to connect with the outside
world. SMTP traffic for it would need to arrive at the firewall and
get NATted to the internal Exchange server.

Say the internal Exchange server is on 10.1.1.25 (internal name
mail.internal.mydomain.com). To communicate with say
mail.somedomain.com, the Exchange server sends packets to the LAN
gateway (firewall), which NATs the source IP from 10.1.1.25 to your
external IP address, and off it goes. When a packet arrives back at
the firewall, its destination address (which was the external firewall
IP address) gets NATted to the internal address 10.1.1.25.

DNS-wise, the internal address of the server in the internal DNS
(mail.internal.mydomain.com) is matched to the internal address
10.1.1.25. Externally the *same* machine has a DNS entry of, say,
mail.mydomain.com and an IP address of the external IP of the
firewall. The firewall takes care of the conversion between the
external and internal IP addresses.

(It is usual to have an external MX record for "mydomain.com" related
to something like "mail.mydomain.com" and "mail.mydomain.com" has an A
record with the IP address in the above scenario of the firewall. This
allows you to send mail to (e-mail address removed), but the external name
of the mail server is actually mail.mydomain.com.)
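As an added illustration of the split-DNS and NAT arrangement Cliff describes (example code, not from the thread), the following Python models the internal and external resolver views, follows inbound mail through MX, A and the firewall's NAT, and checks that the public zone does not publish internal names or private addresses. The record values, the 203.0.113.x firewall address and the NAT table are all constructed.

```python
"""Split-horizon DNS and NAT model for the thread's scenario (added example).
Internal view = the AD zone internal.mydomain.com; external view = the public
zone mydomain.com. Inbound mail is followed MX -> A -> firewall NAT, and the
public zone is checked for leaked internal names or RFC1918 addresses."""
import ipaddress

# Constructed record sets, one per view: (name, type) -> value
INTERNAL_VIEW = {
    ("mail.internal.mydomain.com", "A"): "10.1.1.25",
    ("dc1.internal.mydomain.com", "A"): "10.1.1.10",
    ("mydomain.com", "MX"): "mail.mydomain.com",  # public data reached via forwarder
    ("mail.mydomain.com", "A"): "203.0.113.10",
}
EXTERNAL_VIEW = {
    ("mydomain.com", "MX"): "mail.mydomain.com",
    ("mail.mydomain.com", "A"): "203.0.113.10",  # the firewall's public address
    ("www.mydomain.com", "A"): "203.0.113.20",  # externally hosted web server
}
# Constructed firewall static NAT: public SMTP address -> internal Exchange server
NAT = {"203.0.113.10": "10.1.1.25"}
INTERNAL_SUFFIX = "internal.mydomain.com"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve_mail(view, domain):
    """Follow MX then A: the address a sender in this view connects to, or None."""
    mx = view.get((domain, "MX"))
    return None if mx is None else view.get((mx, "A"))


def deliver(view, domain, nat):
    """(public address the sender dials, internal host the firewall forwards to)."""
    public_ip = resolve_mail(view, domain)
    return public_ip, nat.get(public_ip, public_ip)


def leaks(external_view):
    """External records that expose the internal namespace or RFC1918 addresses."""
    findings = []
    for (name, rtype), value in external_view.items():
        if name == INTERNAL_SUFFIX or name.endswith("." + INTERNAL_SUFFIX):
            findings.append(f"{name}: internal zone name published externally")
        if rtype == "A" and any(ipaddress.ip_address(value) in n for n in RFC1918):
            findings.append(f"{name}: private address {value} published externally")
    return findings


if __name__ == "__main__":
    print("outside sender:", deliver(EXTERNAL_VIEW, "mydomain.com", NAT))
    print("clean public zone:", leaks(EXTERNAL_VIEW))
    bad = {**EXTERNAL_VIEW, ("mail.internal.mydomain.com", "A"): "10.1.1.25"}
    print("leaky public zone:", leaks(bad))
```

Both views end at the firewall's public address for inbound mail; only the NAT table knows about 10.1.1.25, which is exactly the information the public zone must not carry.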