Solved

I am about to set up a new Windows 2003 Domain.

Posted on 2004-08-24
Last Modified: 2010-04-19
I would like to know what the best practice is for choosing the AD domain namespace. Example I have heard that you should not use same name as your registered domain name. I have also heard that you should use .local instead of .com for the AD domain name. For example: mydomain.local

Thoughts?
Question by:TeamPyro
8 Comments
Accepted Solution

by:
Sembee earned 125 total points
ID: 11885453
I have done all three.
I have a client with domain.local
I have a client with domain.com
and I have another one with ad.domain.com

My personal preference is the third one (ad.domain.com) and using domain.com for local resources that I want the users to access over DNS - intranet.domain.com etc.

Microsoft were recommending .local originally but I now believe they have changed to either of the other two.
The only reason not to use domain.com is clashing with external resources. However if you make the correct DNS settings then this problem can be overcome.

The only other reason I can think to use another name would be for security - if someone is trying to hack your system then they may try your domain name first. For that to be of any value though you should use another name altogether internally.
You could also use a generic name, especially if you have more than one "company" that will use the domain.

Simon.

Author Comment

by:TeamPyro
ID: 11885671
Thanks, but I already found the answer:

Choosing Your Domain Namespace
The first step in the actual design of the Active Directory structure is the decision on a common domain name system (DNS) namespace that Active Directory will occupy. Active Directory revolves around, and is inseparable from, DNS, and this decision is one of the most important ones to make. The namespace chosen can be as straightforward as microsoft.com, for example, or it can be more complex. Multiple factors must be considered, however, before this decision can be made. Do you really want your namespace registered on the Internet and exposed to potential intruders? Do you need to tie multiple namespaces into the same forest? These and other questions must be answered before the design process can proceed.

External (Published) Namespace
The simplest method of implementing an Active Directory structure is through the use of a single, common DNS namespace that reflects the company's name and is registered on the Internet. Microsoft.com is an obvious example, and a myriad of other possibilities exist as well. Several advantages to a published namespace are that it is readily accessible from the Internet and there is less confusion on the end user's part in regards to the location on the network and on the Internet. For example, a user named Peter Pham working for the CompanyABC Corporation will be represented in the network through its user principal name (UPN) as Peter@companyabc.com. This name can be set up to exactly match his e-mail address, limiting confusion for the end user.
The limitations to this type of namespace strategy are primarily security based. Publishing your Active Directory namespace leaves potential hackers with the name of your domain system and part of what is needed to compromise user accounts. Administering your firewall to block internal DNS queries also becomes less intuitive when the namespace is the same as the published Internet namespace for the organization. If the namespaces were separate, for example, a simple rule could be written to block any traffic to the internal domain structure. Another limitation would arise if an organization currently employs multiple namespaces to identify itself, and all those namespaces need to be joined into the same forest; in this case, a common namespace design is not an option. Mergers and acquisitions or even multiple business units within the same corporate parent can present these types of problems.

Internal Namespace
If desired or required by your organization, the namespace that the Active Directory structure inhabits can be internal, or not published to the Internet. Using internal namespaces adds a layer of complexity to your network because users' UPNs are different from their e-mail addresses. However, the increase in security that is realized from this design is also a factor that leads organizations to choose this route. Another factor that may influence your decision to choose an Internet namespace is that you are no longer limited to the Internic standard namespaces of .com, .net, .biz, .info, and so on. In other words, with an internal namespace, you can finally have that moogoo.funk domain that you always wanted.
Keep in mind that it is important to secure an internal namespace from registration anywhere on the Internet other than in your own network. In other words, if you register internalnetwork.net and another organization on the Internet registers the same domain name for its network, you could cause naming conflicts with applications and other systems that perform DNS lookups against your forest. For example, if an application on a laptop usually attempts to access your internal namespace but then tries to access it remotely through an ISP, the ISP's DNS will forward you to the registered DNS name on the Internet. In a nutshell, if you are going to design your domain with an unpublished namespace but use a standard such as .net or .org that someone else could theoretically register, it is best to register and reserve that domain but not point it anywhere. Another common tactic is to name your domain something that will never be published, such as a root with your company's stock ticker symbol (for example, network.msft).

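The published / subdomain / internal trade-offs in the excerpt above (UPN matching e-mail, split DNS, reserving a registrable internal name, and the naming-conflict case where an internal name already resolves on the Internet) can be turned into a pre-deployment check. The script below is an added example, not part of the original post or of any Microsoft guidance; the registrable-TLD set and the sample names are constructed for illustration, and `owned_domains` is assumed to be the list of Internet domains the organisation has registered.

```python
"""Evaluate a candidate Active Directory DNS namespace against the published-vs-
internal trade-offs in this thread. Added example, not from the original post;
the TLD set is constructed (a real check would consult the public suffix list)."""
import socket

# Illustrative subset of TLDs anyone can register (constructed, not exhaustive).
REGISTRABLE_TLDS = {"com", "net", "org", "biz", "info"}

def public_resolves(name, resolve=socket.getaddrinfo):
    """True if the name answers on the public Internet; for a namespace you
    meant to keep internal that means another party already owns it."""
    try:
        resolve(name, None)
        return True
    except OSError:  # socket.gaierror (e.g. NXDOMAIN) is an OSError subclass
        return False

def classify(candidate, owned_domains, resolve=socket.getaddrinfo):
    """Return the namespace strategy for `candidate` and the risks it carries.
    owned_domains: Internet domains the organisation has itself registered."""
    name = candidate.lower().strip(".")
    labels = name.split(".")
    if len(labels) < 2:
        raise ValueError("use a fully qualified name such as ad.domain.com")
    owned = {d.lower().strip(".") for d in owned_domains}
    if name in owned:
        strategy = "published"                # AD name equals the Internet name
    elif any(name.endswith("." + d) for d in owned):
        strategy = "subdomain of published"   # the ad.domain.com pattern
    elif labels[-1] in REGISTRABLE_TLDS:
        strategy = "internal, registrable"    # e.g. internalnetwork.net
    else:
        strategy = "internal, unregistrable"  # e.g. domain.local, network.msft
    internal = strategy.startswith("internal")
    return {
        "name": name,
        "strategy": strategy,
        # Published name: UPN matches e-mail, but split DNS is needed so internal
        # queries for domain.com neither leak to nor clash with the Internet.
        "upn_matches_email": strategy == "published",
        "split_dns_required": strategy == "published",
        # A registrable internal name must be reserved so nobody else takes it.
        "must_reserve_registration": strategy == "internal, registrable",
        # An internal name that already resolves publicly is a live conflict.
        "name_collision": internal and public_resolves(name, resolve),
    }

if __name__ == "__main__":  # live lookups; offline they simply report no collision
    for n in ("domain.com", "ad.domain.com", "domain.local", "internalnetwork.net"):
        print(classify(n, ["domain.com"]))
```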

Author Comment

by:TeamPyro
ID: 11896139
Completed
Expert Comment

by:Sembee
ID: 11896670
You need to either close the question yourself or request another action in the support forum - click on "Support" in the top right corner.

Simon.

Author Comment

by:TeamPyro
ID: 11896711
How do I close my own question?
Expert Comment

by:Sembee
ID: 11897063