Active Directory forest and domain name suggestion

I am trying to plan a naming convention for our new forest/domain (because an old administrator picked an internal domain name we do not own).  We plan to rebuild and/or migrate all systems from our current domain as time permits so both domains must co-exist for some time.  

Here is our current setup:

AD Integrated DNS Zones

AD Domain

Since is not registered to the organization, we would like to use our registered domain name. With this in mind, what should the name of our new domain/forest or  Any other suggestions outside of using a .local?

Lee W, MVP (Technology and Business Process Advisor) commented:
Why are you planning on (seemingly insisting on) using a routable domain name as your domain name internally?

My recommendation - USE .LOCAL (Why not?) and make the domain name short and easy.  If your company name is "Acme Basic Goods, Inc" then the domain name should be ABG.local or ABGI.local.  Why?  Why not?  Why not make it simple?  This is an INTERNAL domain name that your customers are not going to see, so make it representative of the company but otherwise SIMPLE.  I've got a couple of clients that use long 10-13 character domain names and the biggest problem is it's slow to type.  And yes, that's my entire argument for short domain names.  But frankly, why is it a bad argument (if someone thinks it is)?
I definitely agree with leew. Using .local internally also helps narrow down name resolution problems that may come up.
Nyah247 (Author) commented:

Basically states that "the use of unregistered suffixes, such as .local, is not recommended."

Lee W, MVP (Technology and Business Process Advisor) commented:
Well, then who should we forward that to at Microsoft?  I mean, if you install a new SBS 2008 server it requires (or at least STRONGLY suggests) using .local... so who should we listen to... Microsoft?  Or Microsoft?

Regardless of whether you use SBS or not, the same issues exist in both environments.  Consider this excerpt (with some extra formatting by me) from MS KB 296250:

The following list describes some of the advantages when you use a separate and private domain name for the local Small Business Server network:
  • The management of the local namespace is controlled by the Small Business Server. When you use a private FQDN for local DNS name resolution, the DNS server becomes the start of authority for the local domain. This means that a query to external DNS root servers is not required for local resource name resolution.
  • The security may be increased for your DNS server by not enabling zone transfers by means of the zone transfer properties of the forward lookup zone. Because dynamic registration of internal hosts can occur with the DNS server, if you disable zone transfers to external clients, you can limit the exposure of internal host names to the Internet.
  • The natural separation of internal and external networks occurs because of the use of a separate internal namespace. A client query generated from the Internet for www.contoso.local does not return any valid domain information because .local, at the present time, is not a registered domain name. However, by using the Web Publishing rules in Internet Security and Acceleration (ISA) Server, internal Web sites can be hosted externally and viewed by using resolvable domain names. This hosting still requires a registered domain name as well as the appropriate public DNS records that resolve to the external IP address of Small Business Server. Refer to "Configuring Publishing" in ISA Server Help for more information about Web Publishing rules.

The disadvantages of using the sub-domain of a publicly registered domain name or a publicly registered domain name include, but may not be limited to, the following issues:

  • Internal clients may be able to resolve resources on the internal domain; however, queries to external resources of the domain are not resolved by the DNS server. For example, if the internal network namespace is configured by using the publicly registered domain name of, only resources that have "A" (Host) records in the forward lookup zone for are available to local clients. This behavior can pose a problem if hosts resources, such as a web server, by means of an external provider or Internet service provider (ISP). Any queries from internal clients to are resolved as a negative query by the local DNS server because the "A" record for "www" does not exist in the forward lookup zone for For clients to access external resources, "A" records must be added to the forward lookup zone of the DNS server for those resources.
  • The use of a publicly registered sub-domain name can pose the same problems as described for a publicly registered domain name. If at any time the start of authority for the registered domain (, in this example) adds records for sub-domains, the currently configured private sub-domain may become public.
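The first "disadvantage" in the KB excerpt is the day-to-day cost of a split-brain zone: the internal AD-integrated copy of the public name is authoritative, so the DNS server answers NXDOMAIN for any public host nobody has mirrored into it, and never forwards the query. The script below is an added example (not from the thread, the KB article, or Microsoft) of how an administrator who went the registered-name route would keep the two views reconciled: it asks an outside resolver for each public host, checks whether the internal zone already has the name, and reports or adds the missing A records. The zone name contoso.com, the resolver 1.1.1.1 and the host list are assumptions; it needs the DnsServer module (DNS Server role or RSAT) and rights on the internal DNS server.

```powershell
# Added example: reconcile public hostnames into an internal AD-integrated
# copy of the same zone (split-brain DNS). Not part of the original thread.
# Zone, resolver and host list are assumptions; adjust for your environment.
param(
    [string]$ZoneName = 'contoso.com',          # assumed: internal zone sharing the public name
    [string]$ExternalResolver = '1.1.1.1',      # assumed: any resolver that sees the public zone
    [string[]]$PublicHosts = @('www', 'mail', 'autodiscover'),
    [switch]$Fix                                # add missing records; default is report only
)

Import-Module DnsServer -ErrorAction Stop

# Names that already have an A record in the internal forward lookup zone
$internal = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    ForEach-Object { $_.HostName.ToLower() } |
    Sort-Object -Unique

foreach ($h in $PublicHosts) {
    $fqdn = "$h.$ZoneName"

    # Query an outside resolver so the answer reflects the public zone,
    # not the internal copy we are about to compare against.
    $pub = Resolve-DnsName -Name $fqdn -Type A -Server $ExternalResolver -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }

    if (-not $pub) {
        Write-Warning "$fqdn has no public A record; nothing to mirror"
        continue
    }
    if ($internal -contains $h.ToLower()) {
        Write-Output "OK       $fqdn is already resolvable internally"
        continue
    }

    # Internal clients currently get a negative answer for this name: the
    # internal server is authoritative for $ZoneName and will not forward it.
    Write-Output "MISSING  $fqdn -> $($pub.IPAddress -join ', ') (public) not in zone $ZoneName"

    if ($Fix) {
        foreach ($ip in $pub.IPAddress) {
            Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $h -IPv4Address $ip `
                -TimeToLive (New-TimeSpan -Minutes 5)
        }
        Write-Output "ADDED    $fqdn -> $($pub.IPAddress -join ', ')"
    }
}
```

Run it without -Fix first and read the MISSING lines. The address it copies is the public one; if that host actually sits behind your own NAT or reverse proxy, replace it with the internal address rather than relying on hairpin NAT, which is exactly the kind of per-record decision the .local advocates above are pointing out you will be making for every public name, forever.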

I'm with Leew on this one too, (which is for 2008) justifies the recommendation not to use .local, viz.:

We recommend that you use DNS names that are registered with an Internet authority in the Active Directory namespace. Only registered names are guaranteed to be globally unique. If another organization later registers the same DNS domain name (or if your organization merges with, acquires, or is acquired by another company that uses the same DNS name), the two infrastructures cannot interact with one another.

Now I don't buy that, because if you merge with another company you either want to trash one domain and migrate the users to a single one or you want to keep them separate; it's pretty unlikely you would want to maintain two infrastructures and set up trusts between them because of the excessive maintenance it involves. That would be as hard in the long run as renaming the forest root.
Nyah247 (Author) commented:
I think this KB explains what I should plan for:

In addition to this domain rename I need to take into account that we will soon be looking into a massive PKI implementation which must integrate with several external entities.  I am afraid that a .local would not allow for this since it is not resolvable externally.  I agree with leew's rationale and normally would consider the .local if PKI and smart card authentication weren't in the long range plan.  

Am I thinking correctly?  Or is there something I am missing?  With that in mind, would the following be valid?

External Non-Windows DNS Server

Internal AD DNS (Internal IPs) (Internal IPs)

Internal Domains/Forests w/ 2-way trusts (will go away)
