Solved

Domain Name

Posted on 2008-10-16
282 Views
Last Modified: 2013-12-05
We are currently running a single Active Directory domain/forest. Our internal domain is ad.company.com. This internal domain is actually different from our external domain of company2.com. We have come across some issues with the fact that our internal domain is actually registered externally to another company, especially with IE7, where it seems to try to connect to this company's proxy automatically unless we run the configuration to not auto-detect a proxy. In any case, for this and other reasons we want to build an entirely new forest/domain for our new Windows 2003 R2 structure and eventually decommission the Windows 2000 domain/forest. The question is: is it bad security practice to have the same external and internal domain, especially if the domain is the same as the domain for email? Would it be better to change the internal domain to something like company3.local instead of company2.com? Also, should we have our domain further down in the structure to include an ad.company3.local as well?
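The proxy behaviour described in the question is DNS-based proxy auto-discovery (WPAD): the browser looks for a host named wpad under the client's DNS suffix and then under each parent of that suffix, so a suffix registered to someone else hands those lookups, and the proxy configuration that comes back, to them. The following PowerShell is an added example, not code from the question or the thread: it lists the candidate names for a suffix and asks a public resolver whether anyone outside answers them, then shows who holds the name servers for the registered part of the suffix. The resolver address is an assumption, and the candidate-generation rule is a simplified model of Windows suffix devolution (the exact stopping rule differs between Windows versions).

```powershell
# Added example (not from the original question): which names does WPAD-style
# proxy auto-detection look up for a client with a given DNS suffix, and can
# someone outside the organisation answer them? Candidate generation is a
# simplified model of Windows suffix devolution: wpad.<suffix>, then the suffix
# with its leftmost label dropped, stopping before the top-level domain. The
# Test-/Get- functions need network access to the assumed public resolver.
function Get-WpadCandidate {
    param([Parameter(Mandatory)] [string] $DnsSuffix)
    $labels = [string[]] ($DnsSuffix.TrimEnd('.').Split('.'))
    $names  = @()
    # Stop when only the TLD is left: no legitimate proxy lives at wpad.com.
    while ($labels.Count -ge 2) {
        $names += 'wpad.' + ($labels -join '.')
        $labels = [string[]] ($labels[1..($labels.Count - 1)])
    }
    return $names
}

function Test-WpadExposure {
    param(
        [Parameter(Mandatory)] [string] $DnsSuffix,
        [string] $PublicResolver = '9.9.9.9'    # assumed: a resolver outside the network
    )
    foreach ($name in Get-WpadCandidate -DnsSuffix $DnsSuffix) {
        $answer = @(Resolve-DnsName -Name $name -Type A -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue |
                    Where-Object Type -eq 'A')
        $public = if ($answer.Count -gt 0) {
            ($answer | Select-Object -ExpandProperty IPAddress) -join ','
        } else { '(none)' }
        # Any answer here means a client that falls back to that candidate will
        # fetch its proxy settings from whoever controls the suffix.
        [pscustomobject]@{
            Candidate    = $name
            PublicAnswer = $public
            Exposed      = ($answer.Count -gt 0)
        }
    }
}

# Who holds the registered part of the suffix (the last two labels)? If the
# name servers are not yours, every leaked query for that name goes to them.
function Get-SuffixOwnerNameServer {
    param(
        [Parameter(Mandatory)] [string] $DnsSuffix,
        [string] $PublicResolver = '9.9.9.9'    # assumed external resolver
    )
    $labels     = $DnsSuffix.TrimEnd('.').Split('.')
    $registered = ($labels[-2], $labels[-1]) -join '.'
    Resolve-DnsName -Name $registered -Type NS -Server $PublicResolver -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'NS' |
        Select-Object -ExpandProperty NameHost
}

# Usage with the suffix from the question (a placeholder name).
Get-WpadCandidate -DnsSuffix 'ad.company.com'
Test-WpadExposure -DnsSuffix 'ad.company.com' | Format-Table -AutoSize
Get-SuffixOwnerNameServer -DnsSuffix 'ad.company.com'
```

If any candidate comes back Exposed, or the name servers belong to another organisation, that is exactly the situation the question describes, and the fix is a suffix the organisation controls. One caveat on the .local suggestion that follows in the thread: .local is also the suffix multicast DNS (Bonjour/Avahi) uses, so hosts running an mDNS responder can resolve .local names differently; an internal subdomain of a domain you actually own avoids both problems.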
Question by: georgedschneider

12 Comments
 
LVL 18
Accepted Solution
by: exx1976 (earned 460 total points)
ID: 22731151
It was always considered best practice by MS to use .local for domain names. If you use a publicly resolvable domain name, you run into the problems you listed above, especially with DNS. Just let your ISP host your DNS records for your domain and use .local.
 
LVL 2
Expert Comment
by: WebSvrPro
ID: 22731194
Yes, you would be better off using a .local domain for internal networks.

company.local

And that should solve your issues.
 

Author Comment
by: georgedschneider
ID: 22731395
Is using a top-level domain such as company.local good design, or should I create a lower-level domain such as us.company.local, as an example? We will only be having a single domain/forest at this point.
 
LVL 2
Assisted Solution
by: WebSvrPro (earned 20 total points)
ID: 22731441
Well, no, you don't have to, but to be honest I would recommend keeping just the one; it makes things a lot simpler.

I would stick with the standard company.local; therefore, if you do come across any issues you can call Microsoft for support, because if you call them with your current domain they will just ask you to replace it.
 

Author Comment
by: georgedschneider
ID: 22731659
I agree. I think what I was thinking was, if the internal domain was publicly routable across the internet, it would make sense from a security perspective to make it more difficult to hack the network. Am I mistaken on this?
 
LVL 2
Expert Comment
by: WebSvrPro
ID: 22731808
Yes, it would, unless you're willing to fork out for a Juniper Netscreen. We have a few where I work; they do the job, and behind a few firewalls it's more than safe. Plus, if you were to do that, you can have staff log in with the domain username and password, and it can all be managed from the one AD server account.
 
LVL 25
Expert Comment
by: mikeleebrla
ID: 22734398
I personally like using the same internal DNS name as the publicly registered one. It makes it a LOT easier on end users.

It will work flawlessly IF DNS is setup properly.

Internal clients need to point ONLY to your internal AD DNS servers (as always with domains). These internal DNS servers will respond back with the correct internal IP. If you happen to host anything with xxx.yourdomain.com externally, just create an A record to that external IP on your AD DNS server.

External clients will get your publicly available xxx.yourdomain.com DNS queries from whoever hosts your external DNS (or from you, if you host your own external DNS).

> I think what I was thinking was, if the internal domain was publicly routable across the internet, it would make sense from a security perspective to make it more difficult to hack the network. Am I mistaken on this?

Yes, you are mistaken. Your company's internal domain name being the same as its external one poses NO more security risk. Think about it... how would it make it easier for someone from the outside to get in? The internal name structure is 1. only a name structure, 2. internal.
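The split-brain setup described in the comment above, as an added example that is not part of the thread: the externally hosted names are given their public addresses in the internal copy of the zone on the AD DNS server, and then every A record in the internal zone is queried from inside and from outside, so public hosts are confirmed reachable and internal-only hosts (domain controllers, file servers) are confirmed not to be published. It uses the DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later; the thread's Windows 2000/2003-era servers have dnscmd instead). The zone name, server addresses and host records are assumed values, not the poster's.

```powershell
# Added example (not from the original thread): split-brain DNS for a zone
# whose name is the same inside and outside, run on an AD DNS server with the
# DnsServer module. All names and addresses below are assumptions; the host
# addresses are RFC 5737 documentation values.
$ZoneName    = 'company.com'    # internal AD zone carries the public zone name
$InternalDns = '10.0.0.10'      # assumed: an AD DNS server
$ExternalDns = '9.9.9.9'        # assumed: a resolver outside the network

# Externally hosted names that internal clients must still be able to reach,
# since they never see the public zone.
$ExternalHosts = @{
    'www'  = '203.0.113.10'
    'mail' = '203.0.113.25'
}

function Set-SplitBrainRecord {
    param(
        [Parameter(Mandatory)] [string] $Zone,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $IPv4Address
    )
    $existing = @(Get-DnsServerResourceRecord -ZoneName $Zone -Name $Name -RRType A -ErrorAction SilentlyContinue)
    if ($existing.Count -gt 0) {
        $current = @($existing | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
        if ($current -contains $IPv4Address) { return }
        # Replace rather than append: a stale internal address would be the only
        # answer internal clients ever get for this name.
        Remove-DnsServerResourceRecord -ZoneName $Zone -Name $Name -RRType A -Force
    }
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Name -IPv4Address $IPv4Address -TimeToLive '01:00:00'
}

# What a client sees for one name from inside versus outside the network.
function Compare-SplitBrainAnswer {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [string] $Inside  = $InternalDns,
        [string] $Outside = $ExternalDns
    )
    $in  = @(Resolve-DnsName -Name $Fqdn -Type A -Server $Inside  -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress)
    $out = @(Resolve-DnsName -Name $Fqdn -Type A -Server $Outside -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress)
    # Public names should match; internal-only names should have no external
    # answer. An internal-only host that does resolve outside has been leaked
    # into the public zone.
    $status = if ($in.Count -eq 0)        { 'not resolvable inside' }
              elseif ($out.Count -eq 0)   { 'internal only' }
              elseif (($in -join ',') -eq ($out -join ',')) { 'same inside and outside' }
              else                        { 'differs' }
    [pscustomobject]@{
        Name     = $Fqdn
        Internal = ($in  -join ',')
        External = ($out -join ',')
        Status   = $status
    }
}

# 1. Mirror the externally hosted names into the internal zone.
foreach ($h in $ExternalHosts.GetEnumerator()) {
    Set-SplitBrainRecord -Zone $ZoneName -Name $h.Key -IPv4Address $h.Value
}

# 2. Check every A record in the internal zone, including the zone apex ('@'),
#    which the domain controllers register with their own addresses.
Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    ForEach-Object {
        $fqdn = if ($_.HostName -eq '@') { $ZoneName } else { "$($_.HostName).$ZoneName" }
        Compare-SplitBrainAnswer -Fqdn $fqdn
    } |
    Sort-Object Name -Unique |
    Format-Table -AutoSize
```

The report is where the practical caveat shows up: with an identical name inside and outside, the zone apex (company.com itself) resolves to the domain controllers internally because they register it themselves, while externally it points at the public web server, so http://company.com from an internal client reaches a DC, not the website. That row comes back as "differs" and has to be handled deliberately (a www redirect, or an internal subdomain such as ad.company.com so the apex is never the AD zone). Any row marked "same inside and outside" for a host that should be internal only means that host has been published in the public zone and should be removed there.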
 

Author Comment
by: georgedschneider
ID: 22742292
I guess this goes back to my original question. Is it best practice for a single forest/domain environment to use a name of company.local or ad.company.local? What is preferred for security reasons as well as overall functionality?
 
LVL 25
Assisted Solution
by: mikeleebrla (earned 20 total points)
ID: 22745339
There is no need to create a subdomain in your case from what I can see. What purpose would the "ad" in ad.company.local serve?

Again, there are no security considerations at all with an internal naming structure, for two reasons.

1. It's just a naming structure.
2. It's internal only.

 
 

Author Comment
by: georgedschneider
ID: 22768416
According to the two Microsoft articles, it appears the recommended way is to create the internal domain as a subdomain of your public DNS space, although it appears this is only the case if the plan is to make internal resources available to the outside. The two links are:

http://technet.microsoft.com/en-us/library/cc739077.aspx
http://technet.microsoft.com/en-us/library/cc759036.aspx

What are your thoughts on this?
 
LVL 70
Expert Comment
by: KCTS
ID: 22791987
The simple answer is it does not matter; you can use the same name internally and externally if you want. There have been many posts on this on EE; I suggest you do a search :-)