internal DC with public domain

If I purchase a domain name (www.mycompany.com) how do I integrate it our active directory server ? can we use the same mycompany.com as my domain FQDN?

What is the procedure?

I just curious to know .Not want to implement.
LVL 11
sumeshbnrAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Frosty555Commented:
When you are first creating your domain controller, you just pick the domain name you want to use in the wizard. You type whatever you want, there is no special registration needed with an external provider. You don't even need to have registered the domain externally.

But as for WHAT to pick for your internal network, there's two schools of thought:

1) Your windows domain name is the same as your external domain name, that is, you use "mycompany.com" as your domain.

This is an elegant solution because you automatically have a "split DNS" setup - inside the network, xxxxx.mycompany.com is resolved by your internal DNS server. Outside of the network, xxxxx.mycompany.com is resolved by the user's ISP's DNS servers, which in turn talk to your external DNS server (e.g. typically, these are the nameservers provided by your web host).

This is especially useful if you're setting up an Exchange server, where "mail.mycompany.com", "owa.mycompany.com", etc. needs to resolve differently internally than externally.

It also makes SSL certificates easier to work with - for example you can purchase a single wildcard SSL certificate for *.mycompany.com, and use it for everything, inside and out.

Also, with SSL authorities like Geotrust, NetworkSolutions, GoDaddy etc no longer accepting internal hostnames or non-FQDNs as subject-alternative-names on the certificate, it's awfully convenient if your domain happens to be the same inside and out.

This was the default and the best practice for SBS 2003, Server 2003 etc.

However, the downside is that any external hostnames that are defined by your web hosting provider, such as "www.mycompany.com", "mail.mycompany.com", "ftp.mycompany.com" must also be explicitly defined in your internal DNS server, otherwise your company website (which is probably hosted outside your network), don't resolve. It's a bit of extra duplication of work, and you have to manually make sure your external hostnames are defined correctly inside your network.


2) You use a different name, such as "mycompany.local" as your domain name.

This was the standard best practice for SBS 2008 and I believe Windows Server 2008. It means that you have a different internal domain name, which makes it easy to see what URLs are supposed to resolve internally, and which ones resolve externally.

You don't have a split-DNS by default, and you don't have the problem of needing to manually define your external URLs of your website like "www.mycompany.com" and "mail.mycompany.com" in your internal DNS server - they automatically get handled by your web hosting provider's external DNS servers.

However, I'm fairly sure that Microsoft has recently rescinded their original advice to use the ".local" domain.

http://en.wikipedia.org/wiki/.local#Microsoft_recommendations



I've done both... and personally I recommend going with Option #1.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sumeshbnrAuthor Commented:
Thanks .Excellent information . Sure you are open-handed .I am waiting for some others experience too.
0
ZenVenkyArchitectCommented:
I would recommand option 2 that frosty555 mentioned. Meaning you have to use .local or somthing else as internal and .com as external that way your Active Directory is not exposed to outside world and will be secured. Otherwise anyone can hack your domain from outside.

Reference:

http://msmvps.com/blogs/acefekay/archive/2009/09/04/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name.aspx
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

sumeshbnrAuthor Commented:
Oops ! Sorry  I forgot to add link in my comment

See the assisted and accepted solution here http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_26360540.html

Try those troubleshooting steps
0
footechCommented:
Otherwise anyone can hack your domain from outside.
?????  Your domain name has nothing to do with whether you will be hacked.

Option 2 posted by Frosty555 was the default for SBS 2003 as well.  Even with DNS configured this way, sometimes you had to configure a split DNS so that queries for a network resource which were inside your network wouldn't resolve to a public IP.  The reason for this is that many firewalls (not all) will block queries that originate inside the network from coming back in on the external interface.

I'm not a huge fan of option 1 myself, because of the need to create DNS records internally for any resources that have public DNS records that resolve to externally hosted services.  Also, you can't have a name like "company.com" resolve to an external site, it will always resolve to your domain controllers.  The SSL argument is valid though.

Another option which I like is to have your internal domain name as a subdomain of your public.  So if your public domain is "example.com", your internal AD could be "corp.example.com".  You can still set up a split DNS if you need to, and any queries for the example.com domain can still be forwarded on to internet name servers for resolution.  With this you will also be able to purchase SSL certificates for internal resources from public CAs in the future as well.

I wouldn't say there's a best solution for everyone, but that there are pros and cons to each.  Here's another link for a good discussion.
http://msmvps.com/blogs/acefekay/archive/2009/09/07/what-s-in-an-active-directory-dns-name-choosing-a-domain-name.aspx
0
sumeshbnrAuthor Commented:
Thanks all

Can some one guide me for How to do Split DNS ? I just want a brief intoducation .

Say I need to configure THIS in my internal DNS and THIS in my domain controlpanel etc..
0
footechCommented:
Split DNS basically just means that you have a domain (zone) loaded on different DNS servers (e.g. 1- your internal DNS servers, and 2- your public DNS servers) where the records within each zone are not the same.  There is no zone transfer or any knowledge by the one group of servers about the other group.  So, for example, for users inside your network "mail.example.com" might resolve to 10.0.10.30 (an internal/private IP), while for users outside your network "mail.example.com" might resolve to your public IP (and then be forwarded on to the machine in your internal network by your firewall).
0
sumeshbnrAuthor Commented:
Thanks all for your thoughts
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.