Solved

windows 2008 r2 infrastructure

Posted on 2014-03-12
Last Modified: 2014-03-31
Dear gurus, good day.

We need clarification on a point about a new domain controller.

1) If the domain name is built as tmsa.local, what are the benefits of this as compared to
2) if we build tmsa.com, which is a global domain?

3) Does joining laptops to the domain have any issues, security-wise? This is to implement compliance for all users: the same policy for password expiry, length, etc.

The purpose is to let users log in to the local domain; only AD, DNS, printer and file server permissions are served.

What is the ideal way or professional practice for interconnecting local LAN, WAN and VPN branches?

Our website and email work from outside the network; I mean they are hosted with the ISP and work fine, no issue.

This is to organise the network.
Question by:tmsa12
9 Comments
 
LVL 18

Expert Comment

by:Sushil Sonawane
We need clarification on a point about a new domain controller.

1) If the domain name is built as tmsa.local, what are the benefits of this as compared to
2) if we build tmsa.com, which is a global domain?

ANS:
You have to use the "tmsa.com" domain. For more info refer to the link below:
http://www.mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html


3) Does joining laptops to the domain have any issues, security-wise? This is to implement compliance for all users: the same policy for password expiry, length, etc.

Ans:
There is no issue. You only have to enable cached logon for laptops.


4) The purpose is to let users log in to the local domain; only AD, DNS, printer and file server permissions are served.
Ans: To manage users and printers centrally. You can deploy or apply policy easily as per your requirement.



5) What is the ideal way or professional practice for interconnecting local LAN, WAN and VPN branches?
ANS:
Please refer to the link below:
http://searchenterprisewan.techtarget.com/Choosing-WAN-connectivity-and-services-wisely


Q: Our website and email work from outside the network; I mean they are hosted with the ISP and work fine, no issue.

Ans: There is no issue for your website and email. You have to create records in your internal domain pointing to your e-mail and website public IPs.
This is to organise the network.
 
LVL 27

Expert Comment

by:Steve
Hi tmsa12,

That's quite a big question really, as it's all about design and function.


As a quick overview, it's all about what you want to reveal to the outside world, mainly through DNS.

If you use a proper, real-world domain for your internal AD you may end up with some overlap and could end up revealing some of your internal systems to the outside world. (E.g. your DNS would contain the internal names and IPs of all your servers and may be accessible to anyone on the internet.)

This generally only happens if your DNS/nameserver is shared between the internet and your internal systems.

If you have separate DNS/nameservers (called split-brain DNS) this is kinda irrelevant, as the outside world never uses your internal DNS in the first place.
(E.g. public domain registration and nameserver with godaddy.com, internal DNS on your DC.)

Best practice these days is not to use made-up internal domains (internal SSL certs are no longer possible, for example).
It's your choice whether you use your 'real' domain for your AD or not, but creating a child domain isn't possible on SBS, so take that into account if you use SBS.
 

Author Comment

by:tmsa12
Dear gurus, thanks for your advice.

But again one concern: it says if you need to rename domain.local you face issues for Exchange and some other servers.

Here we want names other than internet domain names to be picked and chosen, to avoid attack or exposing the master AD DNS to the internet.
 
LVL 27

Expert Comment

by:Steve
Although recent versions of Server can handle a change of AD domain name, Exchange really can't handle it. Thinking about it and getting the right name now is definitely better than trying to change it later.

Have you decided what DNS model you will be using? This is probably the best place to start in your case, as it will help you work out your most likely option.

Most importantly, will your Domain Controller be serving DNS for the internet (often known as nameservers) or just for your internal systems?

Also, what are the chances of you changing your external domain (email/website address) in the future?
LVL 25

Expert Comment

by:DrDave242
One thing should be clarified: while it's no longer a good idea to use .local or some other non-public DNS suffix in your domain name, it's also not a good idea to use a two-label public domain name (like domain.com) for your internal domain, especially if you already have a registered public domain name. Instead, your internal domain should have a three-label name based on your registered name - corp.domain.com or ad.domain.com, for example.

Even though it looks like corp.domain.com is a child of domain.com, it's not, unless you explicitly configure a delegation from domain.com to it. They're two separate namespaces, and they don't have to be connected in any way. You can create individual DNS records in the public namespace to expose servers that need to have a public presence rather than exposing your entire internal domain.
 

Author Comment

by:tmsa12
Dear gurus, this question is really very complex; every time the answer and point of view are different.

The purpose is only to get a ready local LAN infrastructure for AD/DNS to serve servers and users.

So let us simplify in terms of
if we use
domain.local
domain.lan

or if we use
ad.domain.com
int.domain.com

their pros and cons and side effects.

Can users still browse through the gateway and firewall, I mean with no issue?

Does the DNS keep resolving all local and internet addresses, etc.?

Advise please.
 
LVL 18

Expert Comment

by:Sushil Sonawane
If you use any domain as you mention (.local, domain.lan, or ad.domain.com, int.domain.com) there is no issue for users browsing the internet or anything through the gateway and firewall, and your DNS also resolves if you configured the DNS server properly.

My personal recommendation is to use domain.com as your AD domain; there is no issue.
 
LVL 27

Expert Comment

by:Steve
Regardless of the option you choose, users would be able to browse the internet etc. without an issue.
(The only exception to this is browsing your own website if you choose to use your external domain for your AD too. This would simply rely on you having the appropriate www record(s) in your internal DNS.)

If we use
domain.local
domain.lan
Pros:
Easier to set up
No complicated DNS issues to worry about
Isn't affected if you ever change your email domain or company name
Cons:
Cannot issue SSL certificates for .local or .lan addresses
No longer a 'recommended' option, but still widely used

Or if we use
ad.domain.com
int.domain.com
Pros:
Looks professional
Allows options for future expansion
Cons:
Not possible on SBS-based systems
Can be a little trickier to set up
May be an issue if you ever change name or email domain

Additional 3rd option:
Use 'domain.com' for your AD domain, the same as your public domain.
Pros:
Looks professional
Easier when setting up Autodiscover email accounts
Cons:
May be an issue if you ever change name or email domain
 
LVL 25

Accepted Solution

by:DrDave242 (earned 500 total points)
"My personal recommendation is to use domain.com as your AD domain; there is no issue."

Here's the major problem with using the same name for your registered domain and your AD domain:

Let's say both domains are named domain.com. This results in two different DNS namespaces with the same name. Now let's say your company has a website. If the website answers to the FQDN www.domain.com, you'll need to create a host record named www in both namespaces so that people inside and outside your office can reach the site. That's a tiny bit of extra work, but it's really not so bad.

However, what happens if the website answers simply to domain.com rather than www.domain.com? This is increasingly common nowadays, for reasons I don't understand. In fact, a lot of websites nowadays will redirect www.domain.com to domain.com. (You'll see the website address change in your browser when this happens.) It's simple enough to make this work for folks outside the office: just make sure there's a blank host record in the public namespace pointing to your website. Your web host and/or domain registrar may even take care of that for you.

What about folks inside the office, though? It's not so simple to make things work for them; in fact, it's impossible, because Active Directory uses blank host records - which will have the name "(same as parent folder)" in the Windows DNS console - to designate domain controllers. So people browsing to domain.com from inside your office are going to be directed to one of your domain controllers rather than your website. You can create a blank host record pointing to the website, but because of how round-robin DNS works, your internal users will only reach the website a fraction of the time unless you delete the other blank host records, which will cause problems in Active Directory.

If you host your own website or can convince your web host to make sure the site responds to www.domain.com and not just domain.com, you can make this work, but there's still extra administration required for no real benefit.

In my opinion, using your registered domain name for your internal domain is the worst of the three options. Using a .local suffix is almost as bad, but you can actually make that one work.
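The blank-host-record collision DrDave242 describes, modelled as an added Python example (not code from this thread): it builds an AD-integrated zone whose apex "(same as parent folder)" records list the DCs, a public zone for the website, and a client that asks the DC first, then measures how often an internal lookup of the bare domain name reaches the web server under each naming option. The addresses, zone contents and round-robin behaviour are constructed assumptions for the model.

```python
from collections import deque

# Constructed sample addressing (not from the thread): two DCs and one web server.
DC_IPS = ["10.0.0.10", "10.0.0.11"]
WEB_IP = "203.0.113.10"
PUBLIC_NAME = "domain.com"          # the registered, public domain

class Zone:
    """Minimal DNS zone: owner name -> deque of A records, rotated per query (round-robin)."""
    def __init__(self, origin, records):
        self.origin = origin
        self.rrsets = {name: deque(ips) for name, ips in records.items()}

    def holds(self, fqdn):
        return fqdn == self.origin or fqdn.endswith("." + self.origin)

    def resolve(self, fqdn):
        """Answer an A query the way Windows DNS does by default: return the set, then rotate it."""
        name = "@" if fqdn == self.origin else fqdn[: -len(self.origin) - 1]
        rrset = self.rrsets.get(name)
        if not rrset:
            return []
        answer = list(rrset)
        rrset.rotate(-1)
        return answer

def ad_zone(ad_name, blank_web_record=False):
    """AD-integrated zone as Windows builds it: blank host records ('(same as parent folder)') list every DC."""
    records = {"@": list(DC_IPS)}
    if ad_name == PUBLIC_NAME:          # same-name option: www must also be copied inside
        records["www"] = [WEB_IP]
        if blank_web_record:            # admin adds a blank record for the site next to the DC records
            records["@"].append(WEB_IP)
    return Zone(ad_name, records)

def internal_lookup(ad, public, fqdn):
    """A domain-joined client asks the DC; it answers for its own zone and forwards everything else."""
    return ad.resolve(fqdn) if ad.holds(fqdn) else public.resolve(fqdn)

def website_hit_rate(ad_name, blank_web_record=False, queries=300):
    """Share of internal lookups of the bare public name whose first A record is the web server."""
    public = Zone(PUBLIC_NAME, {"@": [WEB_IP], "www": [WEB_IP]})
    ad = ad_zone(ad_name, blank_web_record)
    hits = 0
    for _ in range(queries):
        answer = internal_lookup(ad, public, PUBLIC_NAME)
        hits += bool(answer) and answer[0] == WEB_IP
    return hits / queries
```

With an AD domain of domain.local or ad.domain.com the lookup is forwarded to the public namespace and website_hit_rate returns 1.0; with domain.com it returns 0.0 (every answer is a DC), and adding a blank record for the site only raises that to one third, as the accepted answer describes.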