Internal versus external Domains

tlatter-isis
tlatter-isis used Ask the Experts™
on
We are creating a new internal domain for our file/print server.  If we name our internal domain ‘abc.ca’ (this is not registered) and our external web domain is named ‘ def.ca’ (we have registered this domain name);  is there any implication for not have “.local” in the internal domain name?   Is there also a problem with naming our internal domain the same name as the external domain?  Would this be a problem with the local DNS?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Chris DentPowerShell Developer
Top Expert 2010

Commented:

> is there any implication for not have “.local” in the internal domain name?  

No :)

> Is there also a problem with naming our internal domain the same name as the external domain?  Would this be a problem with the local DNS?

There are two issues. One is easy, the second is not.

The easy one:

Duplication of records: Anything you create in your public DNS zone must be duplicated into your private zone if you expect people to be able to use it.

The hard one:

You will not be able to use http://domain.com (or indeed domain.com) for any external resource, AD needs it and you cannot change that short of using a different domain name.

HTH

Chris
Remember as well that it will search for the existing name in case there are any duplicates.

Author

Commented:
I am sorry, but I don't understand the last comment.
OWASP: Avoiding Hacker Tricks

Learn to build secure applications from the mindset of the hacker and avoid being exploited.

President, IT4SOHO, LLC
Commented:
Let's see if I can be more descriptive (and comprehensive)...

A little background first:
Windows USED to use its own name resolution service (WINS). You remember -- there was a hostname and a workgroup name.

Then, in Windows 2000, Microsoft switched and started to use the "real" DNS and implemented Active Directory as an "overlay" onto the standard DNS. (AD uses a lot of SRV records instead of A and PTR records). Never the less, instead of separate WINS name services for LAN systems and DNS name servers for Internet systems, all are now basically tied to DNS.

SO... getting to the nuts and bolts of your questions:
1) if you create an AD domain called abc.ca (and it's not a registered ICANN domain name) and have a def.ca domain name (that IS registered with ICANN) all will be fine... UNTIL someone comes along and registers abc.ca. HOWEVER, the only real problem will be that YOUR (Active Directory) DNS servers will resolve abc.ca addresses, even though there is now an Internet abc.ca that undoubtedly has different entries!

2) If you create an AD domain called ghi.ca and it is the SAME ghi.ca domain that you have registered with ICANN, then you MAY have some potential security issues. Basically, it all boils down to the fact that you'll have to have SEPARATE DNS servers for the AD dhi.ca and the Internet ghi.ca -- and you'll have to manually make sure that the information that they have in common remains synchronized.

Now you COULD just make your AD server's DNS service available to the Internet -- but that's a bad... Bad... BAD... no, actually it's a TERRIBLE idea! Windows AD servers are NOT designed to be directly Internet connected, and while is CAN BE safe to run IIS or some other web-based services on an AD server, DNS is NOT one of the services that an AD server should have exposed to the Internet! (Talk about information leakage!)

Combine the examples above and you can see why "best practices" manuals almost universally say to make your AD domain end in .local (promised by ICANN to never become a TLD, in much the same way that they promise to never use the RFC 1918 address spaces of 10/8, 172.16/12, and 192.168/16).

NOTE: Some large companies create their AD forests with the company name as the TLD... so it's store15.mcdonalds or itdept.citibank (not REAL examples -- even if I DID actually work for either of those companies, I would never share their infrastructure data like that!)

I hope this clears things up....

Dan
IT4SOHO
Chris DentPowerShell Developer
Top Expert 2010

Commented:

It's actually quite difficult to find .local in the MS best practices :) The only catch with .local is older versions of Apple OSX and their love of it. Otherwise it's pretty safe.

MS best practices are here (should be current):

http://support.microsoft.com/kb/909264

They introduce the format I prefer to use, corp.publicdomain.com. corp is the private part (a made-up label) of the domain, still nicely separate from the public name, but not greedy :)

Other suggestions include:

int.domain.com
ad.domain.com
etc

Whatever you do, don't go and use a domain ending with .int. That's reserved for organisations created by internation treaty, makes it really painful if you ever need to get a certificate from a public authority using that name.

Chris

Author

Commented:
I have not tested this solution and I still have a couple of issues.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial