
internal DC with public domain

If I purchase a domain name (www.mycompany.com), how do I integrate it with our Active Directory server? Can we use the same mycompany.com as my domain FQDN?

What is the procedure?

I'm just curious to know. I don't want to implement it.
3 Solutions
When you are first creating your domain controller, you just pick the domain name you want to use in the wizard. You type whatever you want, there is no special registration needed with an external provider. You don't even need to have registered the domain externally.

But as for WHAT to pick for your internal network, there are two schools of thought:

1) Your windows domain name is the same as your external domain name, that is, you use "mycompany.com" as your domain.

This is an elegant solution because you automatically have a "split DNS" setup - inside the network, xxxxx.mycompany.com is resolved by your internal DNS server. Outside of the network, xxxxx.mycompany.com is resolved by the user's ISP's DNS servers, which in turn talk to your external DNS server (e.g. typically, these are the nameservers provided by your web host).

This is especially useful if you're setting up an Exchange server, where "mail.mycompany.com", "owa.mycompany.com", etc. need to resolve differently internally than externally.

It also makes SSL certificates easier to work with - for example you can purchase a single wildcard SSL certificate for *.mycompany.com, and use it for everything, inside and out.

Also, with SSL authorities like Geotrust, NetworkSolutions, GoDaddy etc no longer accepting internal hostnames or non-FQDNs as subject-alternative-names on the certificate, it's awfully convenient if your domain happens to be the same inside and out.

This was the default and the best practice for SBS 2003, Server 2003 etc.

However, the downside is that any external hostnames that are defined by your web hosting provider, such as "www.mycompany.com", "mail.mycompany.com", "ftp.mycompany.com", must also be explicitly defined in your internal DNS server; otherwise your company website (which is probably hosted outside your network) doesn't resolve. It's a bit of extra duplication of work, and you have to manually make sure your external hostnames are defined correctly inside your network.

2) You use a different name, such as "mycompany.local" as your domain name.

This was the standard best practice for SBS 2008 and I believe Windows Server 2008. It means that you have a different internal domain name, which makes it easy to see what URLs are supposed to resolve internally, and which ones resolve externally.

You don't have a split DNS by default, and you don't have the problem of needing to manually define the external URLs of your website like "www.mycompany.com" and "mail.mycompany.com" in your internal DNS server; they automatically get handled by your web hosting provider's external DNS servers.

However, I'm fairly sure that Microsoft has recently rescinded their original advice to use the ".local" domain.

I've done both... and personally I recommend going with Option #1.
sumeshbnrAuthor Commented:
Thanks. Excellent information. Sure, you are open-handed. I am waiting for some others' experience too.
I would recommend option 2 that frosty555 mentioned. Meaning you have to use .local or something else internally and .com externally; that way your Active Directory is not exposed to the outside world and will be secured. Otherwise anyone can hack your domain from outside.


sumeshbnrAuthor Commented:
Oops! Sorry, I forgot to add the link in my comment.

See the assisted and accepted solution here http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_26360540.html

Try those troubleshooting steps.
"Otherwise anyone can hack your domain from outside."
?????  Your domain name has nothing to do with whether you will be hacked.

Option 2 posted by Frosty555 was the default for SBS 2003 as well.  Even with DNS configured this way, sometimes you had to configure a split DNS so that queries for a network resource which were inside your network wouldn't resolve to a public IP.  The reason for this is that many firewalls (not all) will block queries that originate inside the network from coming back in on the external interface.

I'm not a huge fan of option 1 myself, because of the need to create DNS records internally for any resources that have public DNS records that resolve to externally hosted services.  Also, you can't have a name like "company.com" resolve to an external site, it will always resolve to your domain controllers.  The SSL argument is valid though.

Another option which I like is to have your internal domain name as a subdomain of your public.  So if your public domain is "example.com", your internal AD could be "corp.example.com".  You can still set up a split DNS if you need to, and any queries for the example.com domain can still be forwarded on to internet name servers for resolution.  With this you will also be able to purchase SSL certificates for internal resources from public CAs in the future as well.

I wouldn't say there's a best solution for everyone, but that there are pros and cons to each.  Here's another link for a good discussion.
sumeshbnrAuthor Commented:
Thanks all

Can someone guide me on how to do Split DNS? I just want a brief introduction.

Say I need to configure THIS in my internal DNS and THIS in my domain control panel, etc.
Split DNS basically just means that you have a domain (zone) loaded on different DNS servers (e.g. 1- your internal DNS servers, and 2- your public DNS servers) where the records within each zone are not the same.  There is no zone transfer or any knowledge by the one group of servers about the other group.  So, for example, for users inside your network "mail.example.com" might resolve to (an internal/private IP), while for users outside your network "mail.example.com" might resolve to your public IP (and then be forwarded on to the machine in your internal network by your firewall).
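Worked example, added here and not part of any answer on this page, of the split DNS that frosty555's option 1 and the explanation just above describe, on an AD-integrated Windows DNS server using the DnsServer module: the internal mycompany.com zone carries private addresses for internal services plus explicit copies of the externally hosted names, and a final check compares the internal and public answers for the same name. The zone name, server addresses and all IP addresses are constructed placeholders; the public side (the "domain control panel" records at the hosting provider) is not scriptable from here and is only noted in comments.

```powershell
# Added example: split DNS for mycompany.com on a Windows DNS server (DnsServer module).
# All addresses are constructed placeholders (RFC 1918 for private, RFC 5737 for public).
Import-Module DnsServer

$zone        = 'mycompany.com'
$internalDns = '10.0.0.10'   # assumed: a domain controller running the DNS role
$publicDns   = '8.8.8.8'     # any public resolver that sees the hosting provider's zone

# 1. The internal zone. With option 1 it already exists (created with the forest);
#    the guard keeps the script re-runnable on a server where it does not.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Forest'
}

# 2. Internal-only answers: inside the network these names resolve to private
#    addresses. At the hosting provider's control panel the same names point to the
#    public IP that the firewall forwards to these hosts (not scriptable from here).
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'mail' -IPv4Address '10.0.0.25'
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'owa'  -IPv4Address '10.0.0.25'

# 3. The option 1 chore: every externally hosted name must be duplicated here.
#    This server is authoritative for the zone, so an internal client asking for a
#    name that exists only at the hosting provider gets NXDOMAIN, not a forwarded answer.
$externallyHosted = @{
    'www' = '203.0.113.80'   # web host
    'ftp' = '203.0.113.21'   # hosting provider's FTP
}
foreach ($name in $externallyHosted.Keys) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $externallyHosted[$name]
}

# 4. Check: ask the internal server and a public resolver for the same names.
#    Internal services should differ (private vs public IP); externally hosted
#    names should agree, or the duplication in step 3 has drifted.
foreach ($label in 'mail', 'www') {
    $fqdn    = "$label.$zone"
    $inside  = (Resolve-DnsName -Name $fqdn -Type A -Server $internalDns).IPAddress
    $outside = (Resolve-DnsName -Name $fqdn -Type A -Server $publicDns).IPAddress
    '{0,-22} internal={1,-15} public={2}' -f $fqdn, ($inside -join ','), ($outside -join ',')
}
```

Run it in an elevated session on the DNS server; the Add-DnsServerResourceRecordA calls error out harmlessly if a record already exists, and the final loop is the check to repeat whenever the hosting provider changes a public record.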
sumeshbnrAuthor Commented:
Thanks all for your thoughts