I am about to setup a new Windows 2003 Domain.

Posted on 2004-08-24
Last Modified: 2010-04-19
I would like to know what the best practice is for choosing the AD domain namespace. For example, I have heard that you should not use the same name as your registered domain name. I have also heard that you should use .local instead of .com for the AD domain name, for example: mydomain.local

Thoughts?
Question by:TeamPyro
8 Comments
Accepted Solution

by:
Sembee earned 500 total points
ID: 11885453
I have done all three.
I have a client with domain.local
I have a client with domain.com
and I have another one with ad.domain.com

My personal preference is the third one (ad.domain.com) and using domain.com for local resources that I want the users to access over DNS - intranet.domain.com etc.

Microsoft were recommending .local originally but I now believe they have changed to either of the other two.
The only reason not to use domain.com is clashing with external resources. However, if you make the correct DNS settings, this problem can be overcome.

The only other reason I can think of to use another name would be for security: if someone is trying to hack your system, they may try your domain name first. For that to be of any value, though, you should use another name altogether internally.
You could also use a generic name, especially if you have more than one "company" that will use the domain.

Simon.
Author Comment

by:TeamPyro
ID: 11885671
Thanks, but I already found the answer:

Choosing Your Domain Namespace
The first step in the actual design of the Active Directory structure is the decision on a common domain name system (DNS) namespace that Active Directory will occupy. Active Directory revolves around, and is inseparable from, DNS, and this decision is one of the most important ones to make. The namespace chosen can be as straightforward as microsoft.com, for example, or it can be more complex. Multiple factors must be considered, however, before this decision can be made. Do you really want your namespace registered on the Internet and exposed to potential intruders? Do you need to tie multiple namespaces into the same forest? These and other questions must be answered before the design process can proceed.

External (Published) Namespace
The simplest method of implementing an Active Directory structure is through the use of a single, common DNS namespace that reflects the company's name and is registered on the Internet. Microsoft.com is an obvious example, and a myriad of other possibilities exist as well. Several advantages to a published namespace are that it is readily accessible from the Internet and there is less confusion on the end user's part in regards to the location on the network and on the Internet. For example, a user named Peter Pham working for the CompanyABC Corporation will be represented in the network through its user principal name (UPN) as Peter@companyabc.com. This name can be set up to exactly match his e-mail address, limiting confusion for the end user.
The limitations to this type of namespace strategy are primarily security based. Publishing your Active Directory namespace leaves potential hackers with the name of your domain system and part of what is needed to compromise user accounts. Administering your firewall to block internal DNS queries also becomes less intuitive when the namespace is the same as the published Internet namespace for the organization. If the namespaces were separate, for example, a simple rule could be written to block any traffic to the internal domain structure. Another limitation would arise if an organization currently employs multiple namespaces to identify itself, and all those namespaces need to be joined into the same forest; in this case, a common namespace design is not an option. Mergers and acquisitions or even multiple business units within the same corporate parent can present these types of problems.

Internal Namespace
If desired or required by your organization, the namespace that the Active Directory structure inhabits can be internal, or not published to the Internet. Using internal namespaces adds a layer of complexity to your network because users' UPNs are different from their e-mail addresses. However, the increase in security that is realized from this design is also a factor that leads organizations to choose this route. Another factor that may influence your decision to choose an internal namespace is that you are no longer limited to the Internic standard namespaces of .com, .net, .biz, .info, and so on. In other words, with an internal namespace, you can finally have that moogoo.funk domain that you always wanted.
Keep in mind that it is important to secure an internal namespace from registration anywhere on the Internet other than in your own network. In other words, if you register internalnetwork.net and another organization on the Internet registers the same domain name for its network, you could cause naming conflicts with applications and other systems that perform DNS lookups against your forest. For example, if an application on a laptop usually attempts to access your internal namespace but then tries to access it remotely through an ISP, the ISP's DNS will forward you to the registered DNS name on the Internet. In a nutshell, if you are going to design your domain with an unpublished namespace but use a standard such as .net or .org that someone else could theoretically register, it is best to register and reserve that domain but not point it anywhere. Another common tactic is to name your domain something that will never be published, such as a root with your company's stock ticker symbol (for example, network.msft).

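An added example, not code from this thread or from the book TeamPyro quotes, that builds the layout Sembee prefers and addresses the UPN-versus-e-mail point in the quoted text: the forest lives at ad.example.com (a child of the registered name, never resolvable from outside), while example.com carries user principal names and user-facing hosts such as intranet.example.com through a split-horizon zone on the AD DNS servers. It assumes a Windows Server domain controller with the ActiveDirectory and DnsServer PowerShell modules; the names ad.example.com and example.com, the NetBIOS name EXAMPLE, the IP addresses and the record list are placeholders chosen for the example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). All names and addresses are placeholders.
Import-Module ActiveDirectory, DnsServer

$ForestDnsName = 'ad.example.com'   # AD DNS name: a child of the name you own (assumed)
$ForestNetbios = 'EXAMPLE'          # NetBIOS name, 15 characters maximum (assumed)
$PublicDnsName = 'example.com'      # registered name: UPN suffix and split-horizon zone (assumed)

# Hosting example.com internally makes the AD DNS servers authoritative for it inside the
# network, so every public record internal clients still need must be mirrored here.
# A public name left out of this list stops resolving for every domain member.
$PublicRecords = @(
    @{ Name = 'www';  Type = 'A';  Value = '203.0.113.10' }      # placeholder, TEST-NET-3
    @{ Name = 'mail'; Type = 'A';  Value = '203.0.113.25' }      # placeholder, TEST-NET-3
    @{ Name = '.';    Type = 'MX'; Value = 'mail.example.com' }  # '.' is the zone apex
)
$InternalRecords = @(
    @{ Name = 'intranet'; Type = 'A'; Value = '10.0.10.25' }     # placeholder RFC 1918 address
)

# Phase 1: promote the first domain controller. The server reboots when this finishes;
# run the phase 2 functions afterwards.
function New-ForestRoot {
    Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools
    Install-ADDSForest -DomainName $ForestDnsName -DomainNetbiosName $ForestNetbios `
        -InstallDns -CreateDnsDelegation:$false `
        -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) -Force
}

# Phase 2a: allow the public name as a UPN suffix and align each user's UPN with the
# mail attribute, so peter@example.com is both the logon name and the e-mail address.
function Set-PublicUpnSuffix {
    Set-ADForest -Identity $ForestDnsName -UPNSuffixes @{ Add = $PublicDnsName }
    Get-ADUser -Filter 'Enabled -eq $true' -Properties mail |
        Where-Object { $_.mail -and $_.mail.ToLowerInvariant().EndsWith("@$PublicDnsName") } |
        ForEach-Object {
            $upn = $_.mail.ToLowerInvariant()
            if ($_.UserPrincipalName -ne $upn) {
                Set-ADUser -Identity $_ -UserPrincipalName $upn
            }
        }
}

# Records already present in the internal zone, as "host/TYPE" (apex is "@").
function Get-ZoneRecordKeys {
    Get-DnsServerResourceRecord -ZoneName $PublicDnsName |
        ForEach-Object { '{0}/{1}' -f $_.HostName, $_.RecordType }
}

# Phase 2b: create the split-horizon copy of example.com and fill in the records.
function New-SplitHorizonZone {
    if (-not (Get-DnsServerZone -Name $PublicDnsName -ErrorAction SilentlyContinue)) {
        # Dynamic update off: domain members register themselves only in ad.example.com,
        # never into the zone that mirrors the public name.
        Add-DnsServerPrimaryZone -Name $PublicDnsName -ReplicationScope Forest -DynamicUpdate None
    }
    $have = Get-ZoneRecordKeys
    foreach ($r in ($InternalRecords + $PublicRecords)) {
        $key = '{0}/{1}' -f ($r.Name -replace '^\.$', '@'), $r.Type
        if ($key -in $have) { continue }   # idempotent on re-runs
        switch ($r.Type) {
            'A'  { Add-DnsServerResourceRecordA  -ZoneName $PublicDnsName -Name $r.Name -IPv4Address $r.Value }
            'MX' { Add-DnsServerResourceRecordMX -ZoneName $PublicDnsName -Name $r.Name -MailExchange $r.Value -Preference 10 }
        }
    }
}

# Check: report anything from the lists above that the internal zone still lacks.
function Test-SplitHorizonZone {
    $have = Get-ZoneRecordKeys
    $want = ($InternalRecords + $PublicRecords) |
        ForEach-Object { '{0}/{1}' -f ($_.Name -replace '^\.$', '@'), $_.Type }
    $missing = @($want | Where-Object { $_ -notin $have })
    if ($missing.Count -gt 0) {
        Write-Warning "Internal zone $PublicDnsName is missing: $($missing -join ', ')"
    } else {
        Write-Host "Internal zone $PublicDnsName carries every listed record."
    }
}

# Phase 2, run on the DC after New-ForestRoot has completed and the server has rebooted.
Set-PublicUpnSuffix
New-SplitHorizonZone
Test-SplitHorizonZone
```

The split-horizon zone is the "correct DNS settings" the accepted answer refers to: keep the mirrored public records in step with whatever the registrar-side zone serves (add autodiscover, SPF/TXT and similar as the organisation uses them), or internal users will lose access to exactly the external services the public name exists for. The record list in the script is the single place to maintain that mirror.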
Author Comment

by:TeamPyro
ID: 11896139
Completed
Expert Comment

by:Sembee
ID: 11896670
You need to either close the question yourself or request another action in the support forum - click on "Support" in the top right corner.

Simon.
Author Comment

by:TeamPyro
ID: 11896711
How do I close my own question?
Expert Comment

by:Sembee
ID: 11897063