• Status: Solved
  • Priority: Medium
  • Security: Public

Domain Name

We are currently running a single Active Directory domain/forest.  Our internal domain is ad.company.com.  This internal domain is actually different from our external domain of company2.com.  We have come across some issues with the fact that our internal domain is actually registered externally to another company, especially with IE7, where it seems to try to connect to this company's proxy automatically unless we run the configuration to not auto-detect a proxy.   In any case, for this and other reasons we want to build an entirely new forest/domain for our new Windows 2003 R2 structure and eventually decommission the Windows 2000 domain/forest.  The question is: is it bad security practice to have the same external and internal domain, especially if the domain is the same as the domain for email?  Would it be better to change the internal domain to something like company3.local instead of company2.com?  Also, should we have our domain further down in the structure to include an ad.company3.local as well?
Asked by: georgedschneider
3 Solutions
 
exx1976Commented:
It was always considered best practice by MS to use .local for domain names.  If you use a publicly resolvable domain name, you run into the problems you listed above, especially with DNS.  Just let your ISP host your DNS records for your domain and use .local...
 
WebSvrProCommented:
Yes, you would be better off using a .local domain for internal networks.

company.local

And that should solve your issues.
 
georgedschneiderAuthor Commented:
Is using a top-level domain such as company.local good design, or should I create a lower-level domain such as us.company.local as an example?  We will only be having a single domain/forest at this point.
 
WebSvrProCommented:
Well, no, you don't have to, but to be honest I would recommend keeping just the one; it makes things a lot simpler.

I would stick with the standard company.local; therefore, if you do come across any issues you can call Microsoft for support, because if you call them with your current domain they will just ask you to replace it.
 
georgedschneiderAuthor Commented:
I agree.  I think what I was thinking was, if the internal domain was publicly routable across the internet, it would make sense from a security perspective to make it more difficult to hack the network.  Am I mistaken on this?
 
WebSvrProCommented:
Yes, it would, unless you're willing to fork out for a Juniper Netscreen; we have a few where I work, they do the job, and behind a few firewalls it's more than safe. Plus, if you were to do that, you can have staff log in with the domain username and password, and it can all be managed from the one AD server account.
 
mikeleebrlaCommented:
I personally like using the same internal DNS name as the publicly registered one. It makes it a LOT easier on end users.

It will work flawlessly IF DNS is setup properly.

Internal clients need to point ONLY to your internal AD DNS servers (as always with domains). These internal DNS servers will respond back with the correct internal IP. If you happen to host anything with xxx.yourdomain.com externally, just create an A record to that external IP on your AD DNS server.

External clients will get your publicly available xxx.yourdomain.com DNS queries from whoever hosts your external DNS (or from you, if you host your own external DNS).

> I think what I was thinking was, if the internal domain was publicly routable across the internet, it would make sense from a security perspective to make it more difficult to hack the network.  Am I mistaken on this?

Yes you are mistaken. Your company's internal domain name being the same as its external poses NO more security risk. Think about it.... how would it make it easier for someone from the outside to get in? The internal name structure is 1. only a name structure 2. internal.

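Added example, not from the thread or any poster: a PowerShell audit of the split-horizon setup described above. It compares what the internal AD DNS server and an outside resolver return for each externally published name, reports names that clients inside would fail to resolve, and separately flags a wpad name that only resolves outside (the IE7 proxy auto-detect symptom in the question), since that one must not simply be copied inward. Zone name, server name, resolver address and host list are placeholders.

```powershell
# Added example (not from the thread). Placeholders: zone, server, resolver, host list.
param(
    [string]$ZoneName    = 'company2.com',         # placeholder: name shared inside and outside
    [string]$InternalDns = 'dc01.company2.com',    # placeholder: AD-integrated DNS server
    [string]$PublicDns   = '203.0.113.53',         # placeholder: a resolver outside the LAN
    [string[]]$Hosts     = @('www', 'mail', 'autodiscover', 'wpad'),
    [switch]$Fix                                   # copy missing public A records inward
)

# Return the A-record addresses a given server hands out for $Fqdn, or an empty array.
function Resolve-ARecords {
    param([string]$Fqdn, [string]$Server)
    try {
        @(Resolve-DnsName -Name $Fqdn -Type A -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.QueryType -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch { @() }
}

$report = foreach ($h in $Hosts) {
    $fqdn    = "$h.$ZoneName"
    $inside  = Resolve-ARecords -Fqdn $fqdn -Server $InternalDns
    $outside = Resolve-ARecords -Fqdn $fqdn -Server $PublicDns
    $state = if ($h -eq 'wpad' -and $outside.Count -gt 0 -and $inside.Count -eq 0) {
                 # Auto-detecting clients would fetch wpad.dat from a host you do not control.
                 'WpadResolvesOutsideOnly'
             } elseif ($inside.Count -eq 0 -and $outside.Count -gt 0) { 'MissingInternally' }
             elseif ($inside.Count -eq 0)                            { 'Unresolvable' }
             elseif ($outside.Count -eq 0)                           { 'InternalOnly' }
             else                                                    { 'Resolves' }
    [pscustomobject]@{
        Name = $fqdn; Internal = ($inside -join ','); External = ($outside -join ','); State = $state
    }
}
$report | Format-Table -AutoSize

# Only plain published hosts are copied inward; a wpad finding is left for a human to decide.
if ($Fix) {
    foreach ($r in ($report | Where-Object { $_.State -eq 'MissingInternally' })) {
        $name = $r.Name.Substring(0, $r.Name.Length - $ZoneName.Length - 1)
        foreach ($ip in ($r.External -split ',')) {
            Add-DnsServerResourceRecordA -ComputerName $InternalDns -ZoneName $ZoneName `
                -Name $name -IPv4Address $ip
        }
    }
}
```

Resolve-DnsName and the DnsServer module cmdlets need Windows 8 / Server 2012 or later, so on the Windows 2003 servers in the thread the same checks would be done with nslookup and dnscmd /recordadd.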
 
georgedschneiderAuthor Commented:
I guess this goes back to my original question.  Is it best practice for a single forest/domain environment to use a name of company.local or ad.company.local?  What is preferred for security reasons as well as overall functionality?
 
mikeleebrlaCommented:
There is no need to create a subdomain in your case from what I can see. What purpose would the AD in AD.company.local serve?

Again, there are no security considerations at all with an internal naming structure for two reasons.

1. it's just a naming structure
2. it's internal only.

 
 
georgedschneiderAuthor Commented:
According to the two Microsoft articles, it appears the recommended way is to create the internal domain as a subdomain of your public DNS space.  Although it appears this is only the case if the plan is to make internal resources available to the outside.  The two links are:

http://technet.microsoft.com/en-us/library/cc739077.aspx
http://technet.microsoft.com/en-us/library/cc759036.aspx

What are your thoughts on this?  
 
KCTSCommented:
The simple answer is it does not matter; you can use the same name internally and externally if you want. There have been many posts on this on EE - I suggest you do a search :-)
