Solved

External vs Internal Domain Name

Posted on 2015-01-22
6
591 Views
Last Modified: 2015-01-25
Hello,

We are considering changing our public domain name, and investigating the possibility of having the same or different names for the public/external domain and internal Active Directory domain. The authoritative DNS servers for the public domain and Web Servers will be hosted on our site (managed internally).

What are the advantages/disadvantages of each way? Are there any security issues, when having the same name for external and internal domain? It seems that the management is much easier in that case. I guess in order for internal users to also be able to access the servers of the public domain, a DNS zone for the public domain must also be configured on the the internal DNS servers.

Please let me know your opinion.

Thanks,
0
Comment
Question by:Harrris
6 Comments
 
LVL 22

Assisted Solution

by:Matt V
Matt V earned 84 total points
ID: 40566762
There are many reasons not to have the same internal and external domain name.  This separation is good from a security standpoint but also makes accessing external resources on the external domain from the internal one much easier.

The .local domains exist for many of the same reasons that the private IP subnets do.  By having a non-public domain name, you limit the mixing of the inside and outside.
0
 
LVL 26

Accepted Solution

by:
DrDave242 earned 84 total points
ID: 40566764
I strongly recommend against using the same name for your internal and external domains. This typically causes more problems than it solves, and administration may end up being more complex rather than simpler. For example, one common issue that arises in that scenario is an externally hosted website that can't be reached by users in the office. (Searching EE will show you numerous examples of this.) Say your site is written to respond to the FQDN mydomain.com (without www or any other prefix, as is pretty common nowadays). External users can get to the site with no problem, as long as the public DNS records are configured correctly, but for internal users, mydomain.com will resolve to the IP address of one of your domain controllers. This is by design, and the only way around it is to recode the site so that it responds to www.mydomain.com, then add a www host record to your internal DNS. If the site is hosted on a shared-hosting server or cluster with multiple IP addresses that don't always remain the same, this can get nasty.

I also don't recommend using the same actual domain internally and externally (using one or more of your domain controllers as the authoritative DNS server for your external domain and making it externally accessible, in other words). You generally want to keep your internal domain as separate from the internet as you can, for security reasons.

What I recommend instead is making your internal domain a child of your external domain. If your external domain is named mydomain.com, give your internal domain a name like corp.mydomain.com. You don't have to actually make it a child domain from an external perspective; just name it that way. The two domains will still have two separate namespaces, and you'll be free to unite them in some fashion later if you choose.
0
 
LVL 39

Assisted Solution

by:footech
footech earned 83 total points
ID: 40566775
I suggest this as good reading.
http://blogs.msmvps.com/acefekay/2009/09/07/what-s-in-an-active-directory-dns-name-choosing-a-domain-name/

Personally, I wouldn't recommend managing your own public DNS servers unless you really know what you're doing.
I wouldn't provide internet access to any DNS that is AD-integrated.  So whether you choose the same name internally and externally or not, I would set up separate DNS servers that would be accessed by the internet vs. what you use internally.  In general, I think the current recommendation as best practice is to make your internal domain a subdomain of what you use externally.  So if you have an external/public domain of example.com, your internal could be corp.example.com.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 83 total points
ID: 40566787
Just adding to DrDave242's comments.  I've set up domains both ways, and I actually don't find it to be that much of a problem to have the same internal and external domain name. However, if you're concerned about security issues and particularly if you're going to be hosting your external DNS zone on-site, I would agree with the comments about having 2 separate domain names. You will obviously need to have a firewall between your internal and external DNS zones anyway, for security purposes, so it makes a bit more sense to have 2 different domain names.  The ".local" terminology doesn't fly any more for the most part, so I agree the recommendation to use a "mydomain.com" and "corp.mydomain.com" type of naming convention.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 83 total points
ID: 40566790
I also second the Public DNS comment by footech. It also makes it very challenging when you manage your own Public DNS doing DR related work.

Will.
0
 
LVL 38

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 83 total points
ID: 40566823
You will get a few opionions, each with their pros and cons. Here is what I do, you can decide for yourself which one you prefer.

I use something.domain.com. Sometimes it's corp.domain.com, sometimes it's i.domain.com (for internal). For multisite forests it's location.corp.domain.com. This allows you to have a public dns (not your own) for your website and all external subdomains. No duplicating ftp.domain.com or using an internal dns server publically. Because it's not a "fake" domain like .local or .lan, you can actually route it if you need to. You can also get 3rd party certs for domain controllers and other internal sites because they have real top level domains (dc.i.domain.com)

I chose this path about 4 years ago and have never regretted it.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Enterprise Password Manager Suites as well as Local Password managers are covered in this article.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question