AD Domain Name

Okay, so this is a somewhat complex situation and I'm trying to find out the answer before a big project.

I recently started working for a company that uses their public domain name for their internal domain as well (let's just say company.org). Because we handle medical data, we need to ensure we are HIPAA compliant, and the security risks associated with this domain name could cause some problems. We are doing a major overhaul of the network, including replacing the servers, over the next 2 months or so.

What I would like to do is create a new domain and migrate all users, Exchange, etc. to this new domain name in order to get away from the issue described above. In order to ensure we are using best practice, I want to call the new domain name something under our registered domain (for instance, internal.company.org).

In order to migrate everything easily, we'd need to create a forest trust between these two domains, as they will have different IP schemes (again, replacing all the servers and modifying the network setup, which includes this change as well) and will not actually be part of the same domain (I'm not just creating a child domain). However, I fear that when I try to create conditional forwarders and the forest trust, I may encounter difficulty with this related to the fact that my new domain looks like a child domain of the existing one.

Anyone know if that will be an actual problem, and how I might get around this if so?
Asked by CorinTack (Network Engineer)
Nadav Solomon commented:
I don't see any reason for a problem; if you do want to be sure, a small lab before a big project is always good.
Jason Crawford (Transport Ninja) commented:
Will the internal.company.org domain be a part of AD on a separate server?  Are you planning on using ADMT to migrate Active Directory?
CorinTack (Network Engineer, author) commented:
That is the intent, yes; the internal.company.org domain will be set up completely separately, not actually as a child domain.

I will be using ADMT to migrate Active Directory, and manually moving over the Exchange, and other items (user folders, SQL, everything else) as part of the project.
Jamie McKillop (IT Manager) commented:
Hello,

I don't understand the root of your problem. Why do you feel using the same domain name internally and externally is a security issue? This is a common setup. I'm not familiar with the details of HIPAA. Is there something specific in those requirements that prevents you from using the same domain name internally and externally?

-JJ
Jason Crawford (Transport Ninja) commented:
I've done exactly this project (for a hospital no less) minus the sub-domain issue and found this article very helpful:

http://blogs.technet.com/b/sachinf/archive/2012/10/17/moving-to-a-new-forest-and-retaining-the-same-smtp-domain-with-native-scripts-part-i.aspx

In my project I moved from abc.local to xyz.local so there was no sub-domain to consider...yikes.

I see what you mean regarding the forwarder, but the first thing I think of is just a sub-domain within your Forward Lookup Zone for company.org, no?  Any chance of convincing the client to just use a new AD domain (internal.company.com maybe?) to avoid the problem altogether?  I'm guessing no since that would be entirely too easy.
CorinTack (Network Engineer, author) commented:
Jamie - It causes security issues because, apparently (not something I've encountered, but I've not run into anyone doing this in the past), it is possible to end up with your external DNS pointing into your network, which is always bad. Additionally, it forces you to use split DNS, which is also not really a good practice (and, as I'm discovering, is a huge pain in the butt).

Keyser - Yeah, I've found plenty of stuff to help with the Exchange move. Sadly, you can't create a trust between the domains/forests with a sub-domain in Forward Lookup (I've tried that with another domain that exists here internally for a sub-company, let's just say that one is tech.org) and the trust won't establish a connection unless you specifically use forwarders. Also, no, they're not going to go for using company.com, as that would mean that they should purchase that domain as well to ensure no one ends up buying out that domain and redirecting traffic.
Jamie McKillop (IT Manager) commented:
I would not say split-DNS is bad practice; it is commonly used, especially if you use Exchange. You basically have two choices with Exchange: use split-DNS or purchase another domain to use internally.

-JJ
Jeff Glover (Sr. Systems Administrator) commented:
I have to say, Jamie is correct. Although it is obvious you are not comfortable with split-brain. As far as DNS pointing inside your domain, as long as you are using internal addressing (10.x.x.x, 172.16.x.x - 172.31.x.x, or 192.168.x.x), then no one can get inside anyway.  At least not without hacking your firewall. You will probably have to use a delegation in your current DNS pointing to your new server if you want to go the route of internal.company.com. Then you should be able to set up the trust. Personally, I would go with an internal name and split-brain, although I will tell you, the same name internal and external makes things so much easier, especially if you ever go Office 365.
Jason Crawford (Transport Ninja) commented:
Yeah, I agree split-DNS is not the enemy when used with a firewall capable of DNS Fixup (aka U-Turn, Doctoring, etc.).  Sonicwalls do this out of the box, and Cisco requires an extra config, but basically your firewall will redirect external DNS queries pointed inside your network to the appropriate internal resource.  This allows you to forego setting up an internal Forward Lookup Zone for your external domain, which in turn allows you to restrict the TLD of your internal domain to .local, .internal, .ronaldmcdonald, or any other non-existent external TLD.

I've heard the arguments against a .local domain and I'm not biting, and in my experience matching your internal/external domain causes more problems than it fixes.  Yes, I know 3rd party SSL support for .local domains died a few months ago, but there's an easy workaround.  For Exchange all you have to do is set the internal URLs for OAB, ActiveSync, EWS, etc. to match the external URL value and configure client and IIS authentication to accept basic auth (with an SSL cert of course).  If you really need SSL internally just spin up an Enterprise CA for internal use and go with a trusted 3rd party CA for everything external.
Jamie McKillop (IT Manager) commented:
" If you really need SSL internally just spin up an Enterprise CA for internal use and go with a trusted 3rd party CA for everything external."

This will not work as you can only install one cert on an Exchange server. Though I don't recommend it, you can get away without using SSL internally on Exchange 2010 and below. Starting with Exchange 2013, the connections are HTTPS exclusively. No more RPC. This means SSL is required, even internally.

-JJ
Jason Crawford (Transport Ninja) commented:
I never advised to use an Enterprise CA cert for Exchange although that is an option.  My suggestion to spin up an Enterprise CA would be for any other application internally.
Jamie McKillop (IT Manager) commented:
Right but he specifically says he is using Exchange so he needs a solution that will work with Exchange. Using an Enterprise CA will not work in his situation. You cannot use an Enterprise CA with Exchange unless you plan on forcing all your connections through a VPN, which is unrealistic in most cases. As I stated previously, he has two options:

1. Use split-DNS.
2. Purchase an additional domain for internal use only.

Actually, there is a third option. If his network equipment is capable of doing it, he can have the network equipment return an internal IP instead of the external IP when the hostname is queried internally. This doesn't work in all situations but generally works for simple deployments. For example, it wouldn't work for multiple-site DAGs.

Most Exchange deployments are using split-DNS as it is the easiest and most cost effective.

-JJ
Jason Crawford (Transport Ninja) commented:
This question is being thrown off track.  Exchange is a secondary concern, and the original question was regarding DNS and internal domain names.  Yes we realize an Enterprise CA isn't the best option for Exchange, and that was never suggested.  Thank you for your contribution.
CorinTack (Network Engineer, author) commented:
Regarding the discussion of split DNS specifically, I don't like using it for a number of reasons, and I know it's causing the current network some issues, which is just one reason I want to get away from it. It is also very much not best practice, and may cause issues with Microsoft Server products moving forward (see the article here: https://technet.microsoft.com/en-us/library/jj574166.aspx).

Specifically, the section which reads:
Warning: Do not create new Active Directory forests with the same name as an external DNS name. For example, if your Internet DNS URL is http://contoso.com, you must choose a different name for your internal forest to avoid future compatibility issues. That name should be unique and unlikely for web traffic. For example: corp.contoso.com.

Given this comes directly from Microsoft's TechNet site, I'm going to take this as an indicator of best practice, regardless of what people are or have been doing for years.

So far, it seems that my original question is going to have to be answered in a test on my end. I'll have to build a single server, promote it to a DC and give it the name internal.company.org, and see if I can create the trusts necessary to make everything work, as no one seems to know yet whether that will function as I'd like. I'll let you know what I find out.
Jamie McKillop (IT Manager) commented:
Split-DNS is not the same as naming your AD forest the same as your external DNS. You can have split DNS setup for company.com but name your AD forest company2.com. If you don't want to use split-DNS for your own personal reasons, that's fine. Just be aware that you will need to purchase a second domain and set it up internally. You will then need to purchase a SAN cert for Exchange, which includes your internal and external DNS names.

Since you need to purchase a new domain anyway, my suggestion would be that you just use that domain for your new AD forest. It would greatly simplify things. If your current AD forest is named company.com, you cannot create a new forest called internal.company.com since it occupies the same namespace.

-JJ
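A split-DNS zone of the kind Jamie describes (public zone company.org served internally, AD forest named something else), as an added PowerShell example rather than anything posted in the thread. It assumes the DnsServer module on a domain controller; the hostnames, the 10.x addresses and the upstream resolver are constructed placeholders, and the mirrored public names are copied so the internal zone does not shadow them, which is the symptom CorinTack describes on the current network.

```powershell
# Added example, not from the thread. Run on a DC with the DnsServer module.
# Zone name, hostnames, 10.x addresses and the upstream resolver are placeholders.
Import-Module DnsServer

$PublicZone  = 'company.org'
$UpstreamDns = '203.0.113.53'   # placeholder public resolver (TEST-NET-3 address)

# Public names that must answer with internal addresses when queried inside.
$InternalOverrides = @{
    'mail'         = '10.10.0.25'
    'autodiscover' = '10.10.0.25'
}
# Public names internal users still need; copied from the public zone so the
# internal copy of company.org does not swallow them.
$MirroredHosts = @('www', 'portal')

# The internal zone is authoritative for company.org on the inside only; the
# registrar-hosted public zone is untouched. No dynamic updates: this zone is
# hand-maintained, so hosts cannot register stray records into the public name.
Add-DnsServerPrimaryZone -Name $PublicZone -ReplicationScope 'Forest' -DynamicUpdate 'None'

foreach ($name in $InternalOverrides.Keys) {
    Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name $name `
        -IPv4Address $InternalOverrides[$name] -TimeToLive (New-TimeSpan -Hours 1)
}

foreach ($name in $MirroredHosts) {
    # Ask the public resolver directly (-DnsOnly skips the local cache and hosts file).
    $answers = Resolve-DnsName -Name "$name.$PublicZone" -Type A -Server $UpstreamDns `
                   -DnsOnly -ErrorAction Stop | Where-Object { $_.QueryType -eq 'A' }
    foreach ($a in $answers) {
        Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name $name -IPv4Address $a.IPAddress
    }
}

# Report what the internal zone now answers, so a forgotten public name shows up
# here rather than as a helpdesk ticket.
function Get-SplitZoneReport {
    param([string]$ZoneName = $PublicZone)
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
        Select-Object HostName,
            @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address.IPAddressToString } }
}
Get-SplitZoneReport
```

Re-run the mirroring loop whenever the public zone changes; the records it creates are static and will not follow the public zone on their own.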
CorinTack (Network Engineer, author) commented:
Jamie, I'm not saying those are the same thing, necessarily, but using the same domain name internally and externally does force you to use split DNS if you want to avoid issues related to DNS resolution of your external website names internally (which is what's causing the issues on the network now).

Regarding the initial question, then, you're saying that it will not, in fact, be possible to create the trust if I name the new forest internal.company.org because the existing AD will see it as a child domain and give an error when trying to set up DNS forwarding?
Jamie McKillop (IT Manager) commented:
I think we are on the same page. You would need to use split-DNS to use the same domain externally and internally. If you want to avoid that, you can certainly use a different domain internally. I just want to make sure you are aware of the certificate requirements that would impose for Exchange.

Correct. You cannot create a separate forest in the same namespace. You could create it as a child domain only. It isn't the DNS forwarding that is the issue. You can delegate a subdomain to a different DNS server. It is that AD will not let you create the forest trust. A contiguous namespace must encompass a forest tree.

-JJ
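The namespace rule Jamie states, with the DNS plumbing that does work once the two forests have disjoint names (a conditional forwarder on each side), as an added PowerShell example that is not part of the thread. It assumes the ActiveDirectory and DnsServer modules on a domain controller; company.org, newcorp.example and the 10.x addresses are constructed placeholders.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a DC with
# the ActiveDirectory and DnsServer RSAT modules. company.org, newcorp.example
# and the 10.x addresses are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

# A forest trust joins two forests, and AD will not create a second forest whose
# name lies inside an existing forest's namespace. Check that before building it.
function Test-ForestNamespaceConflict {
    param(
        [Parameter(Mandatory)][string]$ProposedForestName,
        [string[]]$ExistingDomains = (Get-ADForest).Domains
    )
    $proposed = $ProposedForestName.TrimEnd('.').ToLowerInvariant()
    foreach ($existing in $ExistingDomains) {
        $root = $existing.TrimEnd('.').ToLowerInvariant()
        # Same name, proposed under existing, or existing under proposed: contiguous.
        if ($proposed -eq $root -or
            $proposed.EndsWith(".$root") -or
            $root.EndsWith(".$proposed")) {
            return [pscustomobject]@{ Proposed = $proposed; ConflictsWith = $root }
        }
    }
    return $null
}

# internal.company.org collides with an existing company.org forest; a purchased
# disjoint name does not.
Test-ForestNamespaceConflict -ProposedForestName 'internal.company.org' -ExistingDomains 'company.org'
Test-ForestNamespaceConflict -ProposedForestName 'newcorp.example'      -ExistingDomains 'company.org'

# With disjoint names, name resolution for the trust is a conditional forwarder
# on each side pointing at the other forest's DNS servers.
# On a DNS server in the existing company.org forest:
Add-DnsServerConditionalForwarderZone -Name 'newcorp.example' `
    -MasterServers 10.20.0.10 -ReplicationScope 'Forest'
# On a DNS server in the new newcorp.example forest:
Add-DnsServerConditionalForwarderZone -Name 'company.org' `
    -MasterServers 10.10.0.10 -ReplicationScope 'Forest'

# Confirm each side can find the other's domain controllers before attempting the
# trust; a failed SRV lookup here is the usual cause of a trust that won't establish.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.company.org'    -Type SRV -Server 10.20.0.10
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.newcorp.example' -Type SRV -Server 10.10.0.10
```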
CorinTack (Network Engineer, author) commented:
I thought that might end up being the case with regards to trusts and a child domain.

Is it possible for me to create this as a child domain, transfer everything there, and then somehow remove the parent domain without getting rid of the child domain to accomplish what I want with having a 'child' domain of my external DNS be my internal AD domain?

I can't seem to find anything about whether that's possible, and how; every search I try just returns how to retire child domains.
Jamie McKillop (IT Manager) commented:
You cannot remove the root domain but you could migrate everything to the child domain and just have the root domain there as an empty placeholder. The problem you would run into is that you would still have a split-DNS setup.

-JJ

Jeff Glover (Sr. Systems Administrator) commented:
As you can see, there is no end of opinions out there. If you really want to migrate AD, then I would recommend buying another domain name (a domain name is pretty cheap nowadays and DNS is normally included) or even using a .local or similar (even though this has fallen out of practice and takes a little extra work). But remember this: if your SMTP namespace is different from your internal domain name, you will still need split-brain DNS unless you are using Exchange 2010 or earlier. Exchange 2013 uses the primary SMTP namespace for Autodiscover, and if your internal clients cannot resolve it internally, you could end up with a case of hairpinning your firewall (some can handle that).
Lastly, about your reference to a Microsoft TechNet article. Yes, it says what you read, but it is also dated from 2012. Best practices have changed since then, especially with the growth of Office 365. In 2005 and earlier, they recommended an empty root domain and a .local internal domain. No longer.

Just my opinion though.
Jamie McKillop (IT Manager) commented:
You don't need split-brain DNS with Exchange 2013. You can use a different DNS namespace internally and externally by setting the internal URLs in Exchange. Internally, Outlook will use the SCP to find the autodiscover URL, which is whatever you set for the AutoDiscoverServiceInternalUri property. The only caveat with using different DNS namespaces is the cert needs to include hostnames for both.

-JJ
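The configuration Jamie describes for Exchange 2013 (internal URLs and the SCP pointed at the public names, plus a check that the one IIS-bound certificate actually covers them), as an added PowerShell example that is not part of the thread. It assumes the Exchange Management Shell on an Exchange 2013 server; the server name and hostnames are constructed placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on an
# Exchange 2013 server. Server name and hostnames are placeholders.
$Server       = 'EX01'                # placeholder server name
$ExternalHost = 'mail.company.org'    # public name carried on the purchased cert
$AutoDHost    = 'autodiscover.company.org'

# Point every client-facing internal URL, and the SCP that domain-joined Outlook
# reads, at the public hostnames. Clients in a differently named AD forest then
# resolve company.org via ordinary recursion, with no internal copy of the zone.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$AutoDHost/Autodiscover/Autodiscover.xml"
Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" -InternalUrl "https://$ExternalHost/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" -InternalUrl "https://$ExternalHost/ecp"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "https://$ExternalHost/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" -InternalUrl "https://$ExternalHost/OAB"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$ExternalHost/Microsoft-Server-ActiveSync"
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" `
    -InternalHostname $ExternalHost -InternalClientsRequireSsl $true

# Jamie's caveat: only one certificate is bound to IIS, so it must carry every
# hostname used above. Verify it instead of finding out from certificate warnings.
function Test-ExchangeCertCoversHosts {
    param([Parameter(Mandatory)][string[]]$Hostnames)
    $cert = Get-ExchangeCertificate -Server $Server |
            Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
    if (-not $cert) { return [pscustomobject]@{ Ok = $false; Thumbprint = $null; Missing = $Hostnames } }
    $names = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLowerInvariant() })
    $missing = foreach ($h in $Hostnames) {
        $h = $h.ToLowerInvariant()
        $wild = '*' + $h.Substring($h.IndexOf('.'))   # mail.company.org -> *.company.org
        if (($names -notcontains $h) -and ($names -notcontains $wild)) { $h }
    }
    [pscustomobject]@{ Ok = -not $missing; Thumbprint = $cert.Thumbprint; Missing = @($missing) }
}
Test-ExchangeCertCoversHosts -Hostnames $ExternalHost, $AutoDHost
```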
Jeff Glover (Sr. Systems Administrator) commented:
True, as long as your internal name is a valid domain name such as .com, .org, etc. But why would he use a different valid domain name internally if he stated they did not want to buy another domain? But in essence, you are correct. If he uses a valid name internally, and buys a UCC cert with the internal and external name in it, it would work fine. But it rules out any non-routable domain names.
But personally, this is all beside the point. The thing he wants to do is migrate, and as far as I can see, the only way to do that in one step is to buy another domain or use an internal name. In theory, he could do it in 2 steps, using an interim domain, if he had the hardware and time (also depending on the size).
Jamie McKillop (IT Manager) commented:
He really has two conflicting goals: 1. Doesn't want to use split-brain DNS and 2. Doesn't want to purchase another domain.

To get this to work, he is going to have to give up one of those two goals. Using a private (i.e. .local) domain is not advisable, and he can't anyway, as you can't purchase SSL certs with private domains any longer.

There is really only one option here and that is to purchase a new domain, use that to setup a new AD forest, and migrate everything over.

-JJ