Solved

Domain Name

Posted on 2008-10-16
Medium Priority
288 Views
Last Modified: 2013-12-05
We are currently running a single Active Directory domain/forest. Our internal domain is ad.company.com. This internal domain is actually different from our external domain of company2.com. We have come across some issues with the fact that our internal domain is actually registered externally to another company, especially with IE7, where it seems to try to connect to this company's proxy automatically unless we run the configuration to not auto-detect a proxy. In any case, for this and other reasons we want to build an entirely new forest/domain for our new Windows 2003 R2 structure and eventually decommission the Windows 2000 domain/forest. The question is: is it bad security practice to have the same external and internal domain, especially if the domain is the same as the domain for email? Would it be better to change the internal domain to something like company3.local instead of company2.com? Also, should we have our domain further down in the structure, to include an ad.company3.local as well?
Question by:georgedschneider
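The IE7 behaviour in the question is the "Automatically detect settings" (WPAD) lookup: when no DHCP WPAD option is present, the browser queries wpad.<DNS suffix> and then devolves the suffix one label at a time, so a client in ad.company.com also asks for wpad.company.com, a name in a zone registered to someone else. The script below is an added example, not code from the thread or from Microsoft; it models that lookup chain and reports which candidate names answer from zones you do not own. The suffix ad.company.com and the owned-zone list are hypothetical, and the "classic" devolution cut-off at two labels is an assumption (newer clients can stop earlier).

```powershell
# Added example (not from the thread). Models the WPAD DNS lookup chain IE uses
# when "Automatically detect settings" is on and no DHCP option 252 is present:
# wpad.<suffix>, then the suffix devolved one label at a time.
# Assumptions (hypothetical names): AD DNS suffix ad.company.com, and the
# organisation controls only the ad.company.com zone.
# Requires Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later).

function Get-DevolvedWpadNames {
    param(
        [Parameter(Mandatory)] [string] $DnsSuffix,
        # Classic (XP/2003-era) devolution stops at two labels: wpad.com is never tried
        [int] $MinLabels = 2
    )
    $labels = @($DnsSuffix.TrimEnd('.').Split('.'))
    $names  = @()
    while ($labels.Count -ge $MinLabels) {
        $names += 'wpad.' + ($labels -join '.')
        $labels = @($labels | Select-Object -Skip 1)
    }
    return $names
}

function Test-WpadExposure {
    param(
        [Parameter(Mandatory)] [string]   $DnsSuffix,
        [Parameter(Mandatory)] [string[]] $OwnedSuffixes   # DNS zones you actually control
    )
    foreach ($name in Get-DevolvedWpadNames -DnsSuffix $DnsSuffix) {
        $suffix = $name -replace '^wpad\.', ''
        $owned  = $OwnedSuffixes -contains $suffix
        try {
            $answers  = @(Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop |
                          Where-Object { $_.Type -eq 'A' })
            $resolved = ($answers | ForEach-Object { $_.IPAddress }) -join ','
        } catch {
            $resolved = ''   # NXDOMAIN or no A record: the client moves on to the next candidate
        }
        [pscustomobject]@{
            Name       = $name
            Owned      = $owned
            ResolvesTo = $resolved
            # A WPAD name that answers from a zone you do not own is a proxy-hijack path
            Risk       = (-not $owned) -and ($resolved -ne '')
        }
    }
}

# Example run for the situation described in the question (one row per candidate name)
Test-WpadExposure -DnsSuffix 'ad.company.com' -OwnedSuffixes @('ad.company.com') |
    Format-Table -AutoSize
```

Any row with Risk = True is a name whose proxy script the client will fetch and trust. The fix is to stop the lookup from leaving your namespace: disable auto-detect by Group Policy, or register a wpad record in a zone you control so devolution never reaches the foreign one. Renaming the forest to a suffix you own, as the question proposes, removes the condition entirely.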
12 Comments
 
LVL 18

Accepted Solution

by:
exx1976 earned 1840 total points
ID: 22731151
It was always considered best practice by MS to use .local for domain names. If you use a publicly resolvable domain name, you run into the problems you listed above, especially with DNS. Just let your ISP host your DNS records for your domain and use .local...
 
LVL 2

Expert Comment

by:WebSvrPro
ID: 22731194
Yes, you would be better off using a .local domain for internal networks.

company.local

And that should solve your issues.
 

Author Comment

by:georgedschneider
ID: 22731395
Is using a top-level domain such as company.local good design, or should I create a lower-level domain such as us.company.local, as an example? We will only be having a single domain/forest at this point.
 
LVL 2

Assisted Solution

by:WebSvrPro
WebSvrPro earned 80 total points
ID: 22731441
Well, no, you don't have to, but to be honest I would recommend keeping just the one; it makes things a lot simpler.

I would stick with the standard company.local; therefore, if you do come across any issues, you can call Microsoft for support, because if you call them with your current domain they will just ask you to replace it.
 

Author Comment

by:georgedschneider
ID: 22731659
I agree. I think what I was thinking was that if the internal domain was publicly routable across the Internet, it would make sense from a security perspective to make it more difficult to hack the network. Am I mistaken on this?
 
LVL 2

Expert Comment

by:WebSvrPro
ID: 22731808
Yes, it would, unless you're willing to fork out for a Juniper NetScreen. We have a few where I work; they do the job, and behind a few firewalls it's more than safe. Plus, if you were to do that, you can have staff log in with the domain username and password, and it can all be managed from the one AD server account.
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 22734398
I personally like using the same internal DNS name as the publicly registered one. It makes it a LOT easier on end users.

It will work flawlessly IF DNS is set up properly.

Internal clients need to point ONLY to your internal AD DNS servers (as always with domains). These internal DNS servers will respond with the correct internal IP. If you happen to host anything with xxx.yourdomain.com externally, just create an A record pointing to that external IP on your AD DNS server.

External clients will have their xxx.yourdomain.com DNS queries answered by whoever hosts your external DNS (or by you, if you host your own external DNS).

>> I think what I was thinking was that if the internal domain was publicly routable across the Internet, it would make sense from a security perspective to make it more difficult to hack the network. Am I mistaken on this?

Yes, you are mistaken. Your company's internal domain name being the same as its external one poses NO more security risk. Think about it... how would it make it easier for someone from the outside to get in? The internal name structure is 1. only a name structure, 2. internal.
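The split-horizon arrangement described above has one ongoing cost: internal clients only ever ask AD DNS, so every name that exists in the public zone but is hosted outside must also be created in the internal zone, or it silently fails to resolve on the LAN. The script below is an added example, not code from the thread or from Microsoft; it compares the internal zone against an external resolver for a list of public host names and, with -Fix, adds the missing A records. The zone company.com, the host list, and the resolver 8.8.8.8 are hypothetical; it assumes the DnsServer module (Windows Server 2012 or later) and DNS admin rights on a DC.

```powershell
# Added example (not from the thread). Audits a split-horizon setup in which the
# AD-integrated internal zone has the same name as the public zone, and mirrors
# externally hosted A records into the internal zone so LAN clients can reach them.
# Assumptions (hypothetical): zone company.com, public names www/mail/autodiscover,
# external resolver 8.8.8.8 reachable from the DC. Run on a DC as a DNS admin with
# the DnsServer module (Windows Server 2012 or later). Without -Fix it only reports.
param(
    [string]   $ZoneName         = 'company.com',
    [string[]] $PublicHosts      = @('www', 'mail', 'autodiscover'),
    [string]   $ExternalResolver = '8.8.8.8',
    [switch]   $Fix
)

# What the Internet sees: ask an outside resolver directly, bypassing the local cache
function Get-PublicA {
    param([string] $Fqdn, [string] $Server)
    try {
        @(Resolve-DnsName -Name $Fqdn -Type A -Server $Server -DnsOnly -ErrorAction Stop |
          Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch { @() }
}

# What internal clients see: the A records held in the AD zone on this DC
function Get-InternalA {
    param([string] $Zone, [string] $HostName)
    $records = @(Get-DnsServerResourceRecord -ZoneName $Zone -Name $HostName -RRType A -ErrorAction SilentlyContinue)
    @($records | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
}

foreach ($h in $PublicHosts) {
    $fqdn     = "$h.$ZoneName"
    $public   = @(Get-PublicA   -Fqdn $fqdn -Server $ExternalResolver)
    $internal = @(Get-InternalA -Zone $ZoneName -HostName $h)
    $missing  = @($public | Where-Object { $internal -notcontains $_ })

    if ($public.Count -eq 0)  { Write-Warning "$fqdn has no public A record"; continue }
    if ($missing.Count -eq 0) { Write-Output  "$fqdn OK (internal: $($internal -join ','))"; continue }

    Write-Warning "$fqdn resolves publicly to $($missing -join ',') but is missing from the internal zone"
    if ($Fix) {
        foreach ($ip in $missing) {
            Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $h -IPv4Address $ip
            Write-Output "  added $fqdn -> $ip to $ZoneName"
        }
    }
}
```

Run it without -Fix first and review the warnings; a name that is deliberately different inside (an internal web server fronting the public site, for instance) will show up as "missing" and should be skipped rather than overwritten. The split must hold in both directions: the internal zone carries the _ldap and _kerberos SRV records for the domain controllers, so it must never be the zone served to the Internet.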
 

Author Comment

by:georgedschneider
ID: 22742292
I guess this goes back to my original question. Is it best practice for a single forest/domain environment to use a name of company.local or ad.company.local? What is preferred for security reasons as well as overall functionality?
 
LVL 25

Assisted Solution

by:mikeleebrla
mikeleebrla earned 80 total points
ID: 22745339
There is no need to create a subdomain in your case, from what I can see. What purpose would the "ad" in ad.company.local serve?

Again, there are no security considerations at all with an internal naming structure, for two reasons:

1. It's just a naming structure.
2. It's internal only.
 

Author Comment

by:georgedschneider
ID: 22768416
According to the two Microsoft articles, it appears the recommended way is to create the internal domain as a subdomain of your public DNS space, although it appears this is only the case if the plan is to make internal resources available to the outside. The two links are:

http://technet.microsoft.com/en-us/library/cc739077.aspx
http://technet.microsoft.com/en-us/library/cc759036.aspx

What are your thoughts on this?
 
LVL 70

Expert Comment

by:KCTS
ID: 22791987
The simple answer is it does not matter; you can use the same name internally and externally if you want. There have been many posts on this on EE. I suggest you do a search :-)
