Name public internet address same as internal domain name?

Ok, if you have an internet presence for a website (like microsoft.com), what do you call your internal Active Directory domain? Do you call it microsoft.com as well?

Or do you call it something like internal.microsoft.com and make it a child domain?

What is the best practice?


At work, our public website is state.md.us, and our domain name is called state.md.us.
Is "state.md.us" just an address for our website? And since our domain controller is internal, we can call it the same thing. Right? Any complications to be made aware of (as far as DNS etc. is concerned)?
thanks
dissolvedAsked:
cfairleyCommented:
Here is an awesome link that describes having a split DNS infrastructure. I think this will answer just about all your questions. Please post any additional questions.

http://www.tacteam.net/isaserverorg/spskit/9dnsinfrastructure/9dnsinfrastructure.htm

Thanks,
cfairley
0

cfairleyCommented:
BTW, hello dissolved. We have worked together on some other DNS issues, so I'm sure this one can be figured out too. I am also in the process of putting together a one-stop website for DNS and AD issues.
0
dissolvedAuthor Commented:
Hi cfairley.  I read a bit on that article.

Looks like I will need two authoritative DNS servers for the same domain name. I'm assuming they will both be primary/AD-integrated?? Each DNS server is authoritative for the same domain name, but each contains different RRs according to their respective roles as internal or external DNS servers (so says the article).

  From what I understand, dynamic DNS needs to be disabled on the external DNS. This is because queries destined for external DNS AND dynamic updates use the same tcp port (53). So you cannot filter 53 obviously. You must disable dynamic DNS. This is to prevent a malicious user from updating the hosts file and possibly poisoning it?

Say I have a website called dissolved.com.   My internal domain name is also dissolved.com. Will the configuration look something like this?




EXTERNAL DNS SERVER (ip: 68.34.76.6) (hosted by ISP)  Authoritative for domain: dissolved.com
   |
   |
WAN
   |
   |
ROUTER
   |
   |
FIREWALL
   |
   |
FORWARDING DNS SERVER (ip = 192.168.3.2) (Authoritative for domain dissolved.com.) Resolves host names for the internal DNS server below. Anything it can't resolve, it forwards to ip 68.34.76.5 (external DNS server).
   |
   |
FIREWALL
   |
   |
INTERNAL DNS (ip = 192.168.4.2) Responsible for local name resolution. Forwards DNS queries to the "forwarding DNS server" above if it can't find the address.
   |
   |
CLIENTS
(ip = 192.168.4.5.  255.255.255.0    gateway= 192.168.4.1      dns    192.168.4.2)


0
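The layout in the diagram above, modelled as runnable code. This is an added example and is not from the thread or the linked article: it builds the three-server chain (internal AD-integrated server, forwarding server, ISP-hosted external server), gives the inside and outside copies of dissolved.com different records under the same zone name, and applies the dynamic-update rule from the post (no updates at all on the public copy; only authenticated updates from inside networks on the AD-integrated copy). The host addresses (68.34.76.10, 192.168.4.20, 198.51.100.x and so on) are constructed sample values, and the "secure only" policy is a simplified model of that setting, not Windows DNS itself.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Inside networks from the diagram (forwarding-server segment and client LAN).
# Constructed for this example.
INTERNAL_NETS = [ip_network("192.168.3.0/24"), ip_network("192.168.4.0/24")]


def is_internal(client_ip: str) -> bool:
    """True when the querying or updating client sits on an inside network."""
    addr = ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def canonical(name: str) -> str:
    """Normalise a query name to a lower-case FQDN with a trailing dot."""
    return name.strip().rstrip(".").lower() + "."


@dataclass
class DnsServer:
    """One DNS server holding some records and optionally forwarding the rest."""
    name: str
    address: str
    zone: dict                              # records it holds: FQDN -> IPv4
    forwarder: Optional["DnsServer"] = None  # where unanswered queries go
    accept_dynamic_updates: bool = False     # False on the ISP-hosted copy

    def resolve(self, qname: str) -> Optional[str]:
        """Answer from own data, otherwise hand the query to the forwarder."""
        fqdn = canonical(qname)
        if fqdn in self.zone:
            return self.zone[fqdn]
        if self.forwarder is not None:
            return self.forwarder.resolve(qname)
        return None

    def dynamic_update(self, client_ip: str, qname: str, rdata: str,
                       authenticated: bool) -> bool:
        """Register a host record. Models 'secure only' updates on the
        AD-integrated zone and 'no updates' on the public zone (assumption)."""
        if not self.accept_dynamic_updates:
            return False
        if not is_internal(client_ip) or not authenticated:
            return False
        self.zone[canonical(qname)] = rdata
        return True


def build_topology():
    """Wire up the servers in the diagram and return (internal, forwarding, external)."""
    # Stand-in for the rest of the Internet that the ISP server recurses to.
    internet = DnsServer("internet", "198.51.100.1",
                         zone={"www.example.net.": "198.51.100.80"})
    # Public copy of dissolved.com: only the records outsiders need.
    external = DnsServer("ISP external", "68.34.76.6",
                         zone={"www.dissolved.com.": "68.34.76.10",
                               "mail.dissolved.com.": "68.34.76.11"},
                         forwarder=internet, accept_dynamic_updates=False)
    # Private copy of the same zone name, with inside addresses and the DC.
    # Both inside servers share the AD-integrated zone, modelled as one dict.
    private_rrs = {"www.dissolved.com.": "192.168.4.20",
                   "mail.dissolved.com.": "192.168.4.21",
                   "dc1.dissolved.com.": "192.168.4.2"}
    forwarding = DnsServer("forwarding", "192.168.3.2",
                           zone=private_rrs, forwarder=external)
    internal = DnsServer("internal AD", "192.168.4.2",
                         zone=private_rrs, forwarder=forwarding,
                         accept_dynamic_updates=True)
    return internal, forwarding, external


def lookup_from(client_ip: str, qname: str, topology) -> Optional[str]:
    """Inside clients ask the AD-integrated server; outside clients can only
    reach the ISP server. Same zone name, different answers."""
    internal, _, external = topology
    entry = internal if is_internal(client_ip) else external
    return entry.resolve(qname)


if __name__ == "__main__":
    topo = build_topology()
    for client in ("192.168.4.5", "203.0.113.7"):
        for host in ("www.dissolved.com", "dc1.dissolved.com", "www.example.net"):
            print(client, host, "->", lookup_from(client, host, topo))
```

The point the model makes visible: an outside client asking for dc1.dissolved.com gets nothing, because the ISP copy of the zone never contained that record; an inside client gets the private address for www while the public server keeps handing out the public one; and an update attempt against the public copy is refused regardless of who sends it.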
dissolvedAuthor Commented:
I think I have to make my internal forwarding DNS server authoritative for dissolved.com. And my external DNS server (at ISP's) authoritative for dissolved.com.

Please correct any misunderstandings, as I am sure there are some.
thanks
0
cfairleyCommented:
Everything looks pretty good except for the internal and external domain names being the same. I think it's recommended that they be different. I think that's mentioned in the article I sent. Your internal DNS domain name should be something like dissolved.xxx.
0
dissolvedAuthor Commented:
If they are different, then won't that defeat the purpose of split-DNS? I was under the assumption that your internal and external are to be the same. Hence users can address everything by one FQDN. I may be way out in left field on this one. But I thought that's what the article said?

Thanks for the assistance. Look forward to hopefully talking about it more tomorrow night!
0
Wayne BarronAuthor, Web DeveloperCommented:
The "Internet & External" Domain Names, can be the same,
This is strictly by preference. Not by obligation.

The Internet Domain name is not accessible to anyone outside of your Network.
Though the External Domain Name is the same as the Internal, does not
mean that someone can access domain.com and access your internet network structure.

So, this is a preference deal.
Either have them both the same, Or change them.

A little advice.

When setting up the Internet Domain Name.
Lets say that you have a Mail Server, Web Server, FTP Server, DNS Server.
All these will know that . domain.com
is the primary domain controller.
So if you bring in another domain1.com (or) domain2.com and so on.
They will be considered "Child Domains" Of the "Primary Domain.com"

HTH
Carrzkiss
0
dissolvedAuthor Commented:
Ok, I'm lost lol

So you can have your website named dissolved.com and your internal named private.com.
To do split DNS, you will need both an internal and external DNS server to be authoritative for private.com.

So basically, split DNS is made possible by authoritative servers?


ps:
this is off topic. But are "forwarding" dns servers typically in the DMZ? Or are they usually in the same broadcast domain as the rest of the DNS internal servers.
thanks
0
dissolvedAuthor Commented:
Ok I understand it now. Took a little bit of head hammering.
Thanks guys!
0
Wayne BarronAuthor, Web DeveloperCommented:
Dag my spelling. All over my post I put.
Internet --- Suppose to be ----Internal :-(
Sorry about that.

Glad that I could be of assistance.

Carrzkiss
0
dissolvedAuthor Commented:
no problem bro. Thanks for the help!
thanks to you too chris
0
cfairleyCommented:
Carrzkiss, you must be from the South, because the only other person I've heard use "Dag" is mother-in-law.  I'm from the South also.

Thanks dissolved. BTW, you post excellent questions on EE! Keep them coming.
0
Wayne BarronAuthor, Web DeveloperCommented:
:-)
Southern Born and Bred.
Born in the Mountains of "Asheville NC" about 45 miles East of Tennessee.
Now live in "Sanford NC" in the Middle of "Raleigh, Charlotte & Fayetteville NC"

Take Care "cfairly"

Carrzkiss
0
Windows 2000
