Using xxxx.local vs xxxx.com in AD on W2K3 R2, Which one is better and why?

Hi,

I need a lot of help designing the AD for my company.

My company will soon host its own e-mail server using MS Exchange Server 2007 Std. (Only one server deployed in the DMZ zone, meaning no Edge server in the DMZ.)

And the e-mail server has a public domain name, like xxxx.com

And our LAN has over 40 PCs.

Now I am wondering about the LAN AD design part.

Is using xxxx.com or xxxx.local best? (Where xxxx is the same as the public DNS name we have already applied for)

The reason is that in the future, if my company has more money, the e-mail server may get an Edge server added to the DMZ and the old server will be moved into the LAN ...

So I am feeling a bit confused about MS Exchange, since I am new to it: if using xxxx.local, how does it serve public users if it is later placed in the LAN?

Thank you.
questions1979Asked:
sliiconmanCommented:
The .local domain name is more secure and less used. The top-level domain (TLD) like xxx.com does not need to match the same domain as your LAN. I use .local for all of my clients and have a separate .com address also, in some cases many .com addresses for one server.

I recommend the .local domain; I have always done it and never had an issue.
0
SysExpertCommented:
.local should always be used for the AD naming convention.
Exchange allows you to change the email domains as needed, so there is no connection to the .local, and you should not experience any issues.


I hope this helps !

0
sliiconmanCommented:
To answer how Exchange works - you need to tell Exchange what domains to accept email for, as well as the MX record having to point back to you; you also have to route the external IP to deliver to your email server.

You could for instance name your domain mydomainisgreat.local and accept email on companydomainiscool.com even though they are named differently.

Does that help explain?
0
Jay_Jay70Commented:
I disagree.

I have worked for years with AD and have always promoted a .local address; now, after using Exchange 2007, I think differently. SP1 for Exchange 07 conflicts if you run a .local address.

MS have for years said .local is better, but they also have no issues with .com. All their training is in fact based on a .com internal domain name, and now their products are becoming more and more preferential to .com.

Go .com. Make it match your external name, and you will live a peaceful life. The most you will have to deal with is DNS problems, which can all be resolved using centralised DNS servers and split DNS functionality.

http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html

I fought this for a long time, but now, after dealing with it a lot, I would have to recommend .com and wish I had used .com for my own, as now I am faced with the Exchange 07 dilemma.
0
pHppCommented:
The latest "recommendation" from MS, I think, is using a sub-domain of your external domain name.
For example corp.xxxx.com, according to your own example.

I think this also looks nicer so I would go for it.
0
sliiconmanCommented:
Jay_Jay70

You need to add it as an accepted domain in Exchange 2007.

Here is a way to set the other "accepted domains" to receive email. Exchange 2007 by default does accept email on your AD domain name.

http://www.petri.co.il/configure-exchange-2007-recieve-email-other-domains.htm
0
Jay_Jay70Commented:
It's got nothing to do with accepted domains - I run 5 domains on my server box :) It's not an issue until SP1, where your receive connectors now need to match either the FQDN or NetBIOS name of your server - which means when you telnet to it, its response to EHLO is now an internal name and not your public face.
0
questions1979Author Commented:
Add point to 100

Looks like both sides also match ..

But using xxx.com needs split DNS, which I think is a problem ..
I read the page at the URL you gave me; it needs more DNS servers ...

But my company is an SME in HK, with no more money to buy as many servers as that.

So, actually, if using xxx.com but with no split DNS, will it work with Exchange (only one server)?

That means the network has three servers in total:

Two in the LAN (AD) with file server
One in the DMZ (AD) mail server ...

Actually, how does Exchange support it if using xxx.local?
0
Jay_Jay70Commented:
Split DNS can be implemented on any DNS server in your organisation....it has no costs associated with it at all :)

Exchange 07 - you will add an accepted domain to make it authoritative for your .com domain, you then set a recipient policy to add that address for each user etc.
0
questions1979Author Commented:
pHpp,

You said

> Latest "recommendation" I think from MS is using a sub-domain to your external Domain name.
> For example corp.xxxx.com according to your own example.

Where did you see this recommendation from Microsoft? Any Microsoft document URL here?

If I use your way, like corp.xxxx.com "sub-domain" for the LAN AD, but the Exchange server AD uses xxxx.com, will there be problems?

No need for split DNS like Jay_Jay70's way? I still feel Jay_Jay70's way is too complex for a newbie, and his document is based on ISA Server, which I do not have; my company uses a SonicWALL TZ190 firewall with Layer 2 DMZ (public IP for all server NICs, not using 192.168.1.10 etc. addresses)

So considering the Exchange server and the LAN and the DMZ, is corp.xxxx.com with Exchange (xxxx.com) the better way to go?

Thank you, and debate is welcome.

I will add more points later, so each one will have points if my newbie question gets a response.
0
sliiconmanCommented:
I haven't experienced the issues that Jay_Jay70 said. The link I showed you is without OWA. With that being said, I do not doubt Jay_Jay70 at all. Everyone's environment is different.

Do you have a test lab, or at least a single server that VMware could be loaded on?
0
sliiconmanCommented:
I meant without ISA not OWA. need more coffee...
0
questions1979Author Commented:
And how about using it this way:

Sub-domain on the LAN side like corp.xxxx.com
Exchange using xxxx.com.

Both ADs are independent.

Since I think the mail server is in the Layer 2 DMZ, the LAN AD cannot join xxxx.com, right?
0
questions1979Author Commented:
sliiconman,

Yes, my notebook has VMware, but I am an Exchange newbie too.

It's just that my company needs it, but my company is starting from 0, meaning the Internet is still not built up and the firewall is still not bought, but I have it on schedule soon.

Now we have bought the server for LAN use as database and file server and AD center, so I need to start planning how to design the AD so that it can meet the needs of Exchange (the account login can be independent, meaning the LAN AD is for LAN only and mail for mail only is also ok, and that is my original plan)

I have experience with standalone Windows Server and firewalls for web and mail (using 3rd-party mail, like hMailServer and MDomain etc., that do not need to consider the AD problems)

So the Exchange plan is the hard side for me, so I post here to ask about the AD design; I don't want to later need to change or rename the AD ...
0
questions1979Author Commented:
Oh, Thank you.

Looks like using .local is the better idea ...

Actually, for my deployment plan, let's think about it like this.

Forget the internal LAN; think of it as not a domain-based network, like a workgroup.

Then there is the firewall, and in the DMZ area, think of Exchange as a standalone box like hMailServer etc.

Then does this work fine like that?
0
Jay_Jay70Commented:
The split DNS is a 10 second solution, it solves all issues with DNS problems, it's relevant for any environment that runs .com as an internal domain name that matches their external. The ISA site just gives a good reference.

You WILL have problems with Exchange 2007 SP1, the world is having problems with it; if you choose to ignore that advice then I'm going to give you my best wishes and bow out.

Like I said, I have been a .local advocate for years, but I have worked and seen enough that now both will work fine, except with things like Exch 2007 SP1 - which I am dealing with now and so are numerous other admins I know....feel free to jump into the same mess that others are dealing with - but if you choose to do that, why would you even post a question here? You obviously don't think our advice is worth listening to.
0
sliiconmanCommented:
I agree with Jay_Jay70. I put some research time into this one and apparently a lot of people are caught in trouble. Accept his solution and roll with it. You will be better off.
0
Jay_Jay70Commented:
The split DNS thing is probably confusing and a bit unnecessary, so I should relent on that - mine is a little more complex so I use it - but simple pointer records to external sources will fix you up.
0
questions1979Author Commented:
Jay_Jay70,

Ok ... I will go for using split DNS, but I still have a few questions that need help here.

I plan to apply for a new domain for the mail server (it will be DNS-integrated with AD; the DNS in this case will be the external DNS in the split DNS, right?)

The new domain for this mail server will be xxxcorp.com
And its AD is only for the five domain mail users.

Then on my internal LAN I will use a domain (unregistered, or is registered better? This domain name does not need to be known on the Internet, and maybe not integrated with Exchange ...)
like xxxad.com for internal, and its AD has its own users.

Is this the way you mean for split DNS with AD? So I just need to manage two AD user accounts, but get better security for the LAN, right?

Thank you, and thanks to all the others here who gave me suggestions and help.
0
questions1979Author Commented:
Hi all,

Please also read this ...
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2854659&SiteID=17&mode=1

This is the other way I am thinking of: two forests, one for the LAN only, one for Exchange only, both using .com, not .local

Managing two AD user accounts ... This one looks simpler, but it cannot integrate with the internal format/domain, right?
0
Jay_Jay70Commented:
Ok, what I would be doing.

Internal domain name would match my external domain name. All DNS is integrated with AD. Now within that DNS zone, if you need to access say www.domain.com, all you would need to do is enter a pointer for www and enter the external IP....it's not really split DNS as such, it just tells the server where to look etc.

Now, with Exchange, all your mail flow and settings will be nice and simple as everything matches; you won't run into problems with SSL, you won't have to spend a lot of money on additional certs or make any workaround configurations, which a lot of us have had to do.

Keep it all as one single LAN, one single point, one AD, one forest etc. There is no need for anything other than that, and as far as security is concerned, as long as you maintain your firewall, you aren't going to run into any problems. One of the best guys I know with Exchange runs ALL his clients on a matching internal and external domain name - it really comes down to the admin's preference most of the time - except now there are problems to deal with too :)

Hope I didn't come across too harsh, just don't want anyone else going through this mayhem that I am :)

James
0
questions1979Author Commented:
Jay_Jay70,

With this way (one public domain),

Does the Exchange server just need to be placed in the private LAN (using the same IP range as the LAN, like 192.168.1.X)?

And the Exchange server then joins the existing domain (domain.com here), and that is all?

Then set the firewall to NAT the external IP and forward it to the internal LAN Exchange server, is that ok?

Does that sound like the total network design, right?

1000X Thank you
0
questions1979Author Commented:
With this way, the DMZ is not needed, right?
0
Jay_Jay70Commented:
Correct brother - all you need is your Exchange server as a member of the domain, and you forward port 25 traffic through to the internal IP of your Exchange server.

Your external MX records simply point to your external IP and the NATting takes care of the rest :)

Nice and simple.
0
questions1979Author Commented:
Jay_Jay70 and other,

Please help me check the network diagram I drew below, and see whether the total design is correct
(Please see the attached image; if not, go here to view it:
http://www.hkpcd.org/NetworkDiagram.jpg
)

The key point in this is the external DNS (for example GoDaddy.com).
It has the A & MX records pointing to the external side of the firewall; in this diagram, that is the
external IP

Then on the firewall, NAT forwards it to the internal LAN's Exchange server; in this diagram, that is
192.168.1.191

Then everything will work safely and simply, right?

One more question: with this design, does it mean all users just need mycorp.com to access the file server (DFS) and the mail? If so, does it need very strong passwords, or else others from outside could access the file server?

1000x Thank you.


NetworkDiagram.jpg
0
questions1979Author Commented:
Add point to 170
0
Jay_Jay70Commented:
Correct, you need your MX record to point to your A record, which in turn points to the public IP of your firewall.

On your firewall, you then direct port 25 traffic through to .191 on your LAN.

Your Exchange configuration and access will not control or affect your file sharing accessibility.

What you want to open for Exchange on your firewall is: 25 - SMTP for mail routing, 80 - for HTTP access to webmail, 443 - for SSL access to webmail. You want to buy an SSL cert for your OWA access - point all these ports through to your .191 server and it will be secured.

No-one can access your file server through those ports, it's purely mail server and HTTP functionality - it's perfectly ok.

One more thing to add: you should look at a spam solution. Exchange 07 has some built in, but there is no comparison compared to products like Mailguard, Securence or even GFI spam filtering.
0
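The design Jay_Jay70 lays out across his replies (internal zone authoritative for mycorp.com with a hand-entered "pointer" record for www, the public MX pointing at an A record that resolves to the firewall's public IP, and only ports 25/80/443 NATted to the Exchange box) is easy to get subtly wrong, so here is an offline checker for it. This is an added example, not code from this thread or from Microsoft; the zone data, IP addresses and NAT rules are constructed from the values in the thread's own diagram, and the record-set and rule layouts are assumptions made for the example.

```python
"""Offline sanity checks for the design in this thread: one .com domain
inside and out, AD-integrated internal DNS, public DNS at the registrar,
and a firewall that NATs the Exchange ports to the LAN server.

Added example, not code from the thread or from Microsoft. The zone data,
IPs and NAT rules are constructed from the thread's diagram values."""

FIREWALL_PUBLIC_IP = "125.215.149.37"   # external IP named in the thread
EXCHANGE_LAN_IP = "192.168.1.191"       # Exchange server on the LAN (thread)

# Public zone at the registrar: what the outside world resolves.
EXTERNAL_ZONE = {
    ("mycorp.com", "MX"): [(10, "mail.mycorp.com")],
    ("mail.mycorp.com", "A"): [FIREWALL_PUBLIC_IP],
    ("www.mycorp.com", "A"): [FIREWALL_PUBLIC_IP],
}

# AD-integrated zone on ad01: authoritative for mycorp.com on the LAN, so
# any public host (www) must be entered by hand or LAN clients get NXDOMAIN.
INTERNAL_ZONE = {
    ("ad01.mycorp.com", "A"): ["192.168.1.181"],
    ("mail.mycorp.com", "A"): [EXCHANGE_LAN_IP],
    ("www.mycorp.com", "A"): [FIREWALL_PUBLIC_IP],   # the "pointer" record
}

# Firewall NAT forwards, public port -> (LAN ip, LAN port). Constructed.
NAT_FORWARDS = {25: (EXCHANGE_LAN_IP, 25), 80: (EXCHANGE_LAN_IP, 80),
                443: (EXCHANGE_LAN_IP, 443)}

MAIL_PORTS = {25, 80, 443}                        # SMTP, OWA http, OWA https
FILE_SHARING_PORTS = {135, 137, 138, 139, 445}    # must never be forwarded


def resolve(zone, name, rtype):
    """Record set for name/rtype in one zone view; [] when absent."""
    return list(zone.get((name.lower(), rtype.upper()), []))


def _is_ip_literal(s):
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def check_mx_chain(zone, domain, expected_ip):
    """MX -> hostname -> A -> firewall public IP. Returns a problem list."""
    mx = resolve(zone, domain, "MX")
    if not mx:
        return [f"no MX record for {domain}"]
    problems = []
    for _prio, target in sorted(mx):
        if _is_ip_literal(target):
            problems.append(f"MX target {target} is an IP literal, not a hostname")
            continue
        addrs = resolve(zone, target, "A")
        if not addrs:
            problems.append(f"MX target {target} has no A record")
        elif expected_ip not in addrs:
            problems.append(f"MX target {target} -> {addrs}, expected {expected_ip}")
    return problems


def check_internal_view(zone, mail_host, lan_ip, public_names, public_ip):
    """LAN clients must get the LAN address for Exchange, and public names
    must still resolve even though the internal zone is authoritative."""
    problems = []
    if resolve(zone, mail_host, "A") != [lan_ip]:
        problems.append(f"{mail_host} must resolve to {lan_ip} for LAN clients")
    for name in public_names:
        addrs = resolve(zone, name, "A")
        if not addrs:
            problems.append(f"{name} missing internally: LAN clients get NXDOMAIN")
        elif public_ip not in addrs:
            problems.append(f"{name} -> {addrs} internally, expected {public_ip}")
    return problems


def check_nat(forwards, mail_ports, file_ports, lan_ip):
    """Only the mail/webmail ports may be forwarded, only to Exchange,
    and nothing that would expose SMB/RPC file sharing."""
    problems = []
    for port, (ip, _lan_port) in forwards.items():
        if port in file_ports:
            problems.append(f"port {port} forwarded: file sharing exposed")
        elif port not in mail_ports:
            problems.append(f"unexpected forward for port {port}")
        elif ip != lan_ip:
            problems.append(f"port {port} goes to {ip}, not Exchange {lan_ip}")
    problems += [f"port {p} not forwarded" for p in sorted(mail_ports - set(forwards))]
    return problems


def audit(external=EXTERNAL_ZONE, internal=INTERNAL_ZONE, nat=NAT_FORWARDS):
    """All checks combined; an empty list means the design is consistent."""
    return (check_mx_chain(external, "mycorp.com", FIREWALL_PUBLIC_IP)
            + check_internal_view(internal, "mail.mycorp.com", EXCHANGE_LAN_IP,
                                  ["www.mycorp.com"], FIREWALL_PUBLIC_IP)
            + check_nat(nat, MAIL_PORTS, FILE_SHARING_PORTS, EXCHANGE_LAN_IP))


if __name__ == "__main__":
    for line in audit() or ["design checks passed"]:
        print(line)
```

Run it as-is and it reports that the constructed design is consistent; edit the dictionaries to mirror your own zones and firewall rules and the failing checks name the exact record or forward to fix. The internal-view check is the one that catches the classic mistake with a matching internal name: the AD zone answers for the whole domain, so every public host you want reachable from the LAN needs its own record there. The NAT check refuses any forward of the SMB/RPC ports, which is what keeps the file server off the Internet regardless of how strong the passwords are.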
questions1979Author Commented:
Jay_Jay70 and others,

I still have a problem; I am starting the build ....

All workstations are in the domain, joined to the domain mycorp.com, which means the workstations use
ad01.mycorp.com and ad02.mycorp.com as DNS servers.

The mail server is mail.mycorp.com

I opened ad01.mycorp.com and added the MX record pointing to mail.mycorp.com
Its IP is 192.168.1.191 ....

Then how do the LAN users use the mail server? It is not the external IP ...

Does this cause problems? And is my setting right that all workstations' DNS points to 192.168.1.181? (If not pointed to this IP, using another DNS IP they cannot log in to the domain)

Thank you.
0
Jay_Jay70Commented:
Why are you touching internal DNS? Your MX changes are made in the outside world.

Your clients and internal DNS servers have nothing to do with this.
0
questions1979Author Commented:
Installing AD needs DNS; without DNS, how can AD be installed?
0
questions1979Author Commented:
I am using dcpromo to install AD; it asks me to build the DNS, so I do.

The server is still under test, so if something is wrong I can reinstall. What is wrong with this?

Will internal clients with internal DNS in this case not work with Exchange 2007 SP1?

Thank you.
0
Jay_Jay70Commented:
Internal DNS is one thing, external DNS is another. For things that affect the outside world, you have to use external DNS....your internal DNS is used purely for internal things. Mail is external, so you need to hit the outside world.
0
questions1979Author Commented:
I am feeling a bit confused now about whether it can work with internal DNS (this DNS just resolves mycorp.com; other zones are forwarded to the external ISP DNS to be resolved) when using dcpromo to install AD with DNS integration ....

What will happen in my case?

I cannot make a full test, since my company is still waiting for the ISP to install the 4M/4M line with 8 IPs...

So for the above deployment, I am using the two servers we bought and doing an install to see what happens ....

Can anyone help me or tell me what to do about external DNS and internal DNS with AD in the above network diagram, or is something wrong here?

1000x Thank you.
0
Jay_Jay70Commented:
If you can't use the external world then you can't test it completely...you can create some mock accounts within your DNS but that's going to be way too advanced to try and explain on the boards - you need a connection to the outside world for this to work.
0
questions1979Author Commented:
Jay

Please try, just give me step by step...
I cannot wait for the ISP to set up the line.

The accounting software based on SQL will be installed at our company this Saturday.

I need to decide on xxx.local or xxx.com before this install.
0
questions1979Author Commented:
So, what is wrong with my original network diagram design?

AD with DNS, what is wrong? Isn't it easy, since using AD also installs it like that (each LAN has internal DNS automatically after installing AD)???
0
Jay_Jay70Commented:
I can't give you step by step, I don't know your environment, and to be blunt I don't have the time to document a process that big - it would have to be hands-on DNS hosting, with port mapping and redirection from your firewall, external DNS zones set up with your ISP etc. etc.

Just make the call on .com or .local. Testing Exchange isn't going to make a difference for your domain naming....my advice right this moment is a .com internal address; if the issues with SP1 for Exchange go away then I will go back to a .local recommendation - that's about all I can give you.
0
questions1979Author Commented:
Oh ...

This means the internal LAN client workstations will work with the mail server using 192.168.1.191? Can I ignore the external/internal DNS with AD here?

Just as you see in the network diagram above, external DNS hosts mycorp.com, and I just give it the MX and A records. My ISP has no DNS zone; they will give us IPs, gateway and their DNS IPs (external IPs), that is all the ISP will do, like what I am using now; the only difference is we now have only one IP and a home router ...
After upgrading to 4M/4M, they will give us 8 IPs.
The DNS the ISP gives is the same as now; they give me these DNS servers (218.102.62.71 and 205.252.144.126)


Then on the firewall, the external IP 125.215.149.37 port 80, port 443, port 25 will be forwarded to internal IP 192.168.1.191 ...

It works fine for clients outside my LAN, right?

What I feel a bit confused about is the internal LAN client workstations: since they all point to ad01.mycorp.com as DNS server, it will bring them to 192.168.1.191 to use the mail server ...

I just wonder whether that will cause problems?
0
Jay_Jay70Commented:
If you have no current mail server in use then just go about it the way we have shown above: external sends to your MX records....internal looks at your internal DNS to find the name of the server internally and connect.
0
questions1979Author Commented:
Now my network has one public IP and my home router (will change to a SonicWALL firewall soon).

The ISP has not blocked ports, so can I use this environment to make the sample test?

The DNS name mycorp.com I have already registered ... and I can log in to the management interface at godaddy.com

Thx
0
Jay_Jay70Commented:
Correct, you can do it all in that environment without a problem at all.
0
questions1979Author Commented:
No, it seems not quite the same, since the internal AD is integrated with DNS, and I set each AD DC's DNS to forward everything not in this zone to the external DNS server to resolve ..

So with xxx.local, it will use the ISP's DNS to resolve mycorp.com, and it will respond to my client with 125.215.149.37

But if using mycorp.com to build the AD with DNS (AD cannot be built without DNS server integration, right?), then ad01.mycorp.com will have a DNS zone here for whatever mail.mycorp.com joins the domain, and however I set up DNS forwarding for domains it does not resolve itself (in this case, it holds mycorp.com here), so it will respond to my LAN client PCs with 192.168.1.191 ..

I wonder how to change this DNS so the client response uses 125.215.149.37, or do I just not need to do anything, and letting the LAN client PCs use 192.168.1.191 to communicate with the mail server will be no problem?

Thx
0
Jay_Jay70Commented:
LAN communications do not use external DNS, EXTERNAL IPs, EXTERNAL anything. It works purely on a LAN basis.

The only thing that uses external is the outside world. For the sake of time conservation, the fact that you gave this low points and we have been working on it for 3 days, and for your own learning and peace of mind, I would highly recommend getting a consultant in.
0
questions1979Author Commented:
Now my company's ISP multi-IP WAN setup is finished, and I am testing using my notebook ...

It works okay like Jay Jay said; using .com for the internal domain is no problem and easy to manage!

Thank you.
0