Why is it so bad to run a DC over a public namespace?

Ok, I'm sure I'm opening up a can of worms with this one, but why is it taboo to have a domain controller over a public namespace?  I have never heard a definitive answer. I have heard this is wrong wrong wrong, but didn't that used to be common practice?
Todd Gerbert (IT Consultant) commented:
My AD domain name corresponds to our public domain name.  It can be a bit of a pain (e.g. opening Internet Explorer and going to http://domain.com/ gets you our Domain Controller, not our website).

Can't say I really have any issues other than that, and needing to manually maintain some DNS records.
 
oBdA commented:
It's not taboo, but in general, your AD domain is for your internal management, and this has nothing to do with your internet presence. It can be confusing when both are the same domain. In addition, if your web presence or other services are hosted by an ISP, then you'll have to manually create host entries in your internal DNS server to be able to access your external servers.
A nice comparison is here, it actually applies to most ADs, not only SBS:
The Domain Name System name recommendations for Small Business Server 2000 and Windows Small Business Server 2003
http://support.microsoft.com/kb/296250
 
Toni Uranjek (Consultant/Trainer) commented:
Hi jesseja,

It's not taboo. You only have to maintain split-brain DNS: your internal namespace and external namespace are the same but not equal. Usually the only problem is accessing the external web page from the internal network, which is usually sorted out with an A record pointing to the external IP on the internal DNS server.

HTH

Toni
 
Americom commented:
If you are referring to why you shouldn't use an internal domain name the same as a public domain, then the answer is it was never a common practice. It was always bad practice. It creates confusion, it's bad practice for security reasons, and it's also going to create extra work and waste more time troubleshooting problems. An example is when an internal user is trying to access the internal domain, which is the same as the public domain: you are creating extra work there in your DNS. It complicates your DNS infrastructure etc.
 
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Here is an explanation of some of the ups and downs:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24088264.html

The principle thing that needs to happen is the domain.com registration must be up to date and never lost to another entity.

Philip
 
oBdA commented:
MPECSInc,
even if you'd be using a public domain name for your AD, there's no technical requirement to own the respective domain name. You can happily create an AD domain "microsoft.com"; you'll have the obvious problems trying to access the real Microsoft domain, but your AD domain "microsoft.com" will run without problems.
 
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
I beg to differ on that one.
DNS becomes quite messed up if the domain name is not owned and is published on the Internet by another organization. We have seen the problems on client domains set up by previous techs that did not warn them to keep ownership of the external domain.
Even if DNS gets split, what happens when the www IP address gets shifted by the domain owner, or a subdomain IP gets moved, or if the internal domain network people need to implement a subdomain that already exists, etc., etc., etc. Way too much of a headache.
The recommendation, as in best practice, for this situation is to own the domain.
Besides the technical, there are the legal and brand issues at hand too.
Philip
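Toni's "A record on the internal DNS server" fix and Philip's warning about the public www address moving both come down to the same chore: the internal copy of the zone must be kept in step with what the public side publishes. The following PowerShell audit is an added example, not code from anyone in this thread; it assumes the DnsServer module on the DC, and the zone name, host list and external resolver address are placeholders.

```powershell
# Added example (not from the thread). Audits a split-brain zone: for every name the
# ISP hosts for you on the public side, compare the public A records with the DC's
# internal copy, report drift, and with -Fix rewrite the internal copy to match.
# Assumptions (placeholders): zone name, host list, external resolver address.
param([switch]$Fix)

$Zone        = 'company.com'                    # AD domain name == public domain name
$PublicDns   = '198.51.100.53'                  # placeholder: a resolver outside your network
$PublicHosts = 'www', 'mail', 'autodiscover'    # names published externally for you

foreach ($name in $PublicHosts) {
    $fqdn = "$name.$Zone"

    # What the Internet sees: ask the external resolver directly (-DnsOnly skips cache/hosts)
    $public = @(Resolve-DnsName -Name $fqdn -Type A -Server $PublicDns -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress } | Sort-Object)

    # What the DC's own copy of the zone says (the record normally maintained by hand)
    $internal = @(Get-DnsServerResourceRecord -ZoneName $Zone -Name $name -RRType A -ErrorAction SilentlyContinue |
                  ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString } | Sort-Object)

    if ($public.Count -eq 0) {
        Write-Warning "$fqdn has no public A record; nothing to mirror"
        continue
    }

    # Both sides are sorted, so a joined string comparison detects any difference
    if (($public -join ',') -eq ($internal -join ',')) {
        Write-Output "OK     $fqdn -> $($public -join ', ')"
        continue
    }

    Write-Warning "DRIFT  $fqdn public=[$($public -join ', ')] internal=[$($internal -join ', ')]"
    if ($Fix) {
        # Replace the internal record set with what the public side publishes
        if ($internal.Count -gt 0) {
            Remove-DnsServerResourceRecord -ZoneName $Zone -Name $name -RRType A -Force
        }
        foreach ($ip in $public) {
            Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name -IPv4Address $ip -TimeToLive (New-TimeSpan -Hours 1)
        }
        Write-Output "FIXED  $fqdn -> $($public -join ', ')"
    }
}
```

Run it without -Fix from a scheduled task to get an early warning when the hosting provider moves an address; run it with -Fix only on a DC where you are happy for the internal records to be overwritten.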
 
jesseja (Author) commented:
Does this type of network create some great security risk?  I manage a network like this and am having some trouble with it, and experts are refusing to help me. I do as well wish to do things the right way, but this is the way it was set up. I need to fix it, unless the outcome is sooo bad, sooo insecure. I'm torn.
 
jesseja (Author) commented:
We own our domain, just for the record.
 
Americom commented:
It's not as bad as it sounds, but to eliminate ongoing issues, and to avoid this expanding into something even more complicated due to an ongoing acquisition or merger with another business etc., it may not be a bad idea to rename it or rebuild it so that you don't have to worry about it.
But if your business is not expanding or facing any major change and everything else is working fine, then leave it, or just rename the domain if that is not too much work for your environment...
 
Todd Gerbert (IT Consultant) commented:
I don't think there are any security issues, and it is technically a supported configuration.

I inherited my configuration this way as well, and don't have any issues - though I only host my own internal DNS and web servers, our public DNS and web servers are hosted for us (which, I think, simplifies things).
 
Chris Dent (PowerShell Developer) commented:

Current MS best practices are here:

http://support.microsoft.com/kb/909264

MS currently advocate use of a made up sub-domain of your public domain name (if you read through enough of the article).

That is, if your public domain name was company.com then you could potentially use corp.company.com for AD. The "corp" portion can be anything you want.

This convention has a number of advantages:

1. You can do what you please with company.com (such as that http://company.com thing)
2. You don't have to worry about Split Brain (maintaining public records on your internal DNS)
3. You don't have to maintain a separately registered domain
4. No issues with obtaining certificates from public authorities for your domain name

If your company is extremely large, or likely to change name within the lifetime of the forest you might consider purchasing a generic public domain name and using that for AD. e.g. "corpAD.co.uk". Nothing to do with the company, entirely arbitrary, and not going to cause you grief in a company name change.

Still, there's nothing to stop you using company.com (your public domain name). There are no security implications unless you decide to host your public DNS service on a Domain Controller (not at all recommended, stick with hosted).

Chris
 
jesseja (Author) commented:
Thank you everyone for your input!