Best Practice for internal domain names

Posted on 2013-01-02
2,149 Views
Last Modified: 2015-06-23
Hello everyone. We have been having some internal debates as to the current Best Practice for internal domain names. I run an IT consulting firm, and we typically work with small & mid-size businesses, those with 10-200 computers. They are almost always a single Forest and single domain.

Since around the time that Windows 2000 was released, our company standard has been to use theircompanyname.local for the internal domain name for all of the networks for our clients.  I believe it was promoted as the Microsoft Best Practice at the time, but to be honest, it was quite a while ago and I really don't recall the details.

I see some suggestions that .local should not be used.  In some cases, the reason mentioned is because of some issue with Macs and the Bonjour service (although there seems to be a fix for that.)  I also see suggestions to use .lan and .internal.

Lately, I have seen suggestions that the best practice is now to use a subdomain of a registered top level public domain name - such as corp.theircompanyname.com or ad.theircompanyname.com or internal.theircompanyname.com.

And I have also seen suggestions to use a separate/different top level public domain name, such as theircompanyname.net (a real TLD that the company has registered).

Virtually everything that I have seen says that you should always use different names for the internal network and the external public network (i.e. don't use theircompanyname.com for the internal network and the same theircompanyname.com for their external public network). Although I have talked with one person who insists using the same name is the best way to go.

I am curious to learn what others are doing, and why. I would also love to find a formal document from Microsoft that states their current position on this practice. I searched, but couldn't find anything.

Thanks in advance.

Lloyd
Question by:wolfconsultinginc
6 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 100 total points
ID: 38736931
Are you planning to use office 365 or dir sync at some point, if so good blog from Mark

http://markparris.co.uk/2011/03/08/active-directory-local-domain-design-and-office-365/

Our internal domain name is different and many are still different.  We don't plan to change because a domain rename is a pain.  

Thanks

Mike
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 100 total points
ID: 38736941
Please have a Read of GoDaddy's statement regarding Internal Domain Names:

http://support.godaddy.com/help/article/6935/using-intranet-and-reserved-ip-addresses-as-the-primary-domain-or-subject-alternative-name-in-ssls

The .local is going to be dead in the water and as to what standard best practise is going to be, that is anyone's guess.

Either subdomain.domain.com or domain.com should be fine, all that needs to be working is DNS and if you use the same name internally as externally, then you need to replicate DNS settings in internal DNS and External DNS.
0
 
LVL 28

Assisted Solution

by:Bill Bach
Bill Bach earned 100 total points
ID: 38736944
I can give you our own reasoning:

I never really liked the ".local" naming convention.  I think this was done for companies that lacked Internet access.  I might consider this for a company today if all computers were really off-'Net, but I haven't run into a company like this in some time.

Using the "real" domain isn't a good idea either.  For one, if they have an internally-hosted server (like www) that is visible from the outside, as well as inside, then the name resolution can get sticky.  You have to have an internal DNS server for providing internal addresses, and an external DNS server for providing internal addresses.  Now, you're maintaining two sets of DNS entries -- Ugh!  It asks for trouble.

Our solution has been to use subdomains. This is easy to do, and you can easily set up a permanent DNS server at a DNS provider for all global addresses from the outside world.  Then, you can create an internal subdomain of DNS on the internal server (that nobody else knows about) for all local computers and local addresses inside the firewall. It's hard to say if this increases security (though if the DNS subdomain is inaccessible from the outside, it definitely helps hide computer names) or not, but it does appear to make it easier to use.  Then, a user who wants to hit an internal server from inside the network knows that he can hit www.local.mydomain.com, and if he wants to hit the public side (outside the firewall), he can use www.mydomain.com.

The downside to this is that users may need to be a bit more savvy -- remembering to add the "local." in front of the name, but it does make it very clear which resource you are accessing, then.
0
 
LVL 18

Assisted Solution

by:irweazelwallis
irweazelwallis earned 100 total points
ID: 38736959
MS recommend domain.local, i.e. your company is Northwind Traders and you have the external registered name of northwind.com, you would use northwind.local

If you have a separate internal, and even better a generic internal name, i.e. company.local, then you don't have to deal with things like split DNS, which causes issues with Exchange, web sites etc.
It also means that data leakage from your domain is generic and not very useful to people trying to hack.
It also means if you get bought or you buy, you don't get issues like needing to change the domain name, either to get rid of a company name because you can't legally use it any more, or to incorporate assets from another company easily.
0
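The answers above weigh three naming choices: a .local suffix, the registered public name reused internally (which forces split-horizon DNS), and a subdomain of the registered name. The script below is an added example, not code from the thread or from Microsoft; it turns those points into two checks a consultant could run when reviewing a client's AD name. `review_internal_name` flags the choices discussed (it also flags a single-label name, which is an assumption beyond the thread), and `split_horizon_gaps` shows the maintenance cost Alan and Bill describe by listing the public records an internal zone must mirror when both zones share one name. The zone records are constructed sample data.

```python
"""Added example (not from the thread): lint an internal AD DNS name and
audit the duplication that split-horizon DNS requires."""

# .local is reserved for Multicast DNS (RFC 6762), which is why Bonjour
# on Macs interferes with AD domains that use it.
MDNS_SUFFIX = "local"


def _normalize(name):
    return name.strip().lower().rstrip(".")


def review_internal_name(internal, public):
    """Return a list of findings for a candidate internal domain name.

    internal: the AD DNS name under review, e.g. 'northwind.local'
    public:   the company's registered public name, e.g. 'northwind.com'
    An empty list means the name follows the subdomain pattern the thread
    recommends (corp.northwind.com, ad.northwind.com, ...).
    """
    internal, public = _normalize(internal), _normalize(public)
    findings = []
    labels = internal.split(".")

    # Assumption: single-label DNS names are a known AD pain point.
    if len(labels) == 1:
        findings.append("single-label name: DNS and AD tooling handle it poorly")
        return findings

    if labels[-1] == MDNS_SUFFIX:
        findings.append(".local collides with Multicast DNS (Bonjour) resolution")
        findings.append(".local cannot appear in a publicly trusted certificate")
    elif internal == public:
        findings.append("same name inside and outside: split-horizon DNS, "
                        "every public record must be mirrored internally")
    elif not internal.endswith("." + public):
        findings.append("not under the registered name: confirm the company "
                        "owns this suffix or external resolution may collide")
    return findings


def split_horizon_gaps(public_zone, internal_zone):
    """Given two zones keyed by record name (same apex), return the public
    names the internal zone lacks. Internal clients resolving those names
    against the internal server get NXDOMAIN instead of the public host."""
    return sorted(name for name in public_zone if name not in internal_zone)


if __name__ == "__main__":
    # Constructed sample zones for a company reusing northwind.com internally.
    public_zone = {"@": "203.0.113.10", "www": "203.0.113.10",
                   "mail": "203.0.113.20"}
    internal_zone = {"dc1": "10.0.0.5", "www": "10.0.0.8"}

    for candidate in ("northwind.local", "northwind.com", "corp.northwind.com"):
        print(candidate, "->", review_internal_name(candidate, "northwind.com"))
    print("public records missing internally:",
          split_horizon_gaps(public_zone, internal_zone))
```

Running it reports two findings for northwind.local, one for northwind.com, none for corp.northwind.com, and lists `@` and `mail` as records the internal zone would have to carry; the subdomain approach avoids that list entirely because the internal zone never shadows the public one.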
 
LVL 36

Expert Comment

by:Seth Simmons
ID: 40845588
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
