Solved

I am about to setup a new Windows 2003 Domain.

Posted on 2004-08-24
8
147 Views
Last Modified: 2010-04-19
I would like to know what the best practice is for choosing the AD domain namespace. Example I have heard that you should not use same name as your registered domain name. I have also heard that you should use .local instead of .com for the AD domain name. For example: mydomain.local

Thoughts?
0
Comment
Question by:TeamPyro
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
8 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 125 total points
ID: 11885453
I have done all three.
I have a client with domain.local
I have a client with domain.com
and I have another one with ad.domain.com

My personal preference is the third one (ad.domain.com) and using domain.com for local resources that I want the users to access over DNS - intranet.domain.com etc.

Microsoft were recommending .local originally but I now believe they have changed to either of the other two.
The only reason not to use domain.com is clashing with external resources. However if you make the correct DNS settings then this problem can be overcome.

The only other reason I can think to use another name would be for security - if someone is trying to hack your system then they may try your domain name first. For that to be any value though you should use another name altogether internally.
You could also use a generic name, especially if you have more than one "company" that will use the domain.

Simon.
0
 

Author Comment

by:TeamPyro
ID: 11885671
Thanks, but i already found the answer:

Choosing Your Domain Namespace
The first step in the actual design of the Active Directory structure is the decision on a common domain name system (DNS) namespace that Active Directory will occupy. Active Directory revolves around, and is inseparable from, DNS, and this decision is one of the most important ones to make. The namespace chosen can be as straightforward as microsoft.com, for example, or it can be more complex. Multiple factors must be considered, however, before this decision can be made. Do you really want your namespace registered on the Internet and exposed to potential intruders? Do you need to tie multiple namespaces into the same forest? These and other questions must be answered before the design process can proceed.

External (Published) Namespace
The simplest method of implementing an Active Directory structure is through the use of a single, common DNS namespace that reflects the company's name and is registered on the Internet. Microsoft.com is an obvious example, and a myriad of other possibilities exist as well. Several advantages to a published namespace are that it is readily accessible from the Internet and there is less confusion on the end user's part in regards to the location on the network and on the Internet. For example, a user named Peter Pham working for the CompanyABC Corporation will be represented in the network through its user principal name (UPN) as Peter@companyabc.com. This name can be set up to exactly match his e-mail address, limiting confusion for the end user.
The limitations to this type of namespace strategy are primarily security based. Publishing your Active Directory namespace leaves potential hackers with the name of your domain system and part of what is needed to compromise user accounts. Administering your firewall to block internal DNS queries also becomes less intuitive when the namespace is the same as the published Internet namespace for the organization. If the namespaces were separate, for example, a simple rule could be written to block any traffic to the internal domain structure. Another limitation would arise if an organization currently employs multiple namespaces to identify itself, and all those namespaces need to be joined into the same forest; in this case, a common namespace design is not an option. Mergers and acquisitions or even multiple business units within the same corporate parent can present these types of problems.

Internal Namespace
If desired or required by your organization, the namespace that the Active Directory structure inhabits can be internal, or not published to the Internet. Using internal namespaces adds a layer of complexity to your network because users' UPNs are different from their e-mail addresses. However, the increase in security that is realized from this design is also a factor that leads organizations to choose this route. Another factor that may influence your decision to choose an Internet namespace is that you are no longer limited to the Internic standard namespaces of .com, .net, .biz, .info, and so on. In other words, with an internal namespace, you can finally have that moogoo.funk domain that you always wanted.
Keep in mind that it is important to secure an internal namespace from registration any-where on the Internet other than in your own network. In other words, if you register internalnetwork.net and another organization on the Internet registers the same domain name for its network, you could cause naming conflicts with applications and other systems that perform DNS lookups against your forest. For example, if an application on a laptop usually attempts to access your internal namespace but then tries to access it remotely through an ISP, the ISP's DNS will forward you to the registered DNS name on the Internet. In a nutshell, if you are going to design your domain with an unpublished namespace but use a standard such as .net or .org that someone else could theoretically register, it is best to register and reserve that domain but not point it anywhere. Another common tactic is to name your domain something that will never be published, such as a root with your company's stock ticker symbol (for example, network.msft).

0
 

Author Comment

by:TeamPyro
ID: 11896139
Completed
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 104

Expert Comment

by:Sembee
ID: 11896670
You need to either close the question yourself or request another action in the support forum - click on "Support" in the top right corner.

Simon.
0
 

Author Comment

by:TeamPyro
ID: 11896711
How do I close my own question?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 11897063
0

Featured Post

How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question