Change internal private domain name to public domain name

We have a private internal Windows 2012 R2 domain (.local)

We have a publicly registered domain for websites, mail, etc (.net)

Is it possible to change our internal domain to the external one?

We now wish to use signed SSL certificates for web-portals, filtering, monitoring, etc

I'm guessing not, because if our Windows domain controller has a DNS zone, it will not forward DNS queries to the public DNS servers (to resolve CNAME or MX records, etc.)?

Any advice would be greatly appreciated
matedwards Asked:

footech Commented:
@Shaun - what exactly do you disagree with?  If you think it's recommended to have your public and AD domains to be the same, then... just... wow.

It really just increases the burden of what you have to manage in regards to DNS.

Here's a scenario which I have come across many times.  Someone is using the same domain internally and externally.  Their website is hosted in such a way that it is only accessed by the name "mydomain.net".  If you try to access it via "www.mydomain.net", it just redirects to "mydomain.net".  No amount of DNS trickery is going to resolve that for users on the internal network.  If the web host platform is good, the redirect can be removed and allow full access via "www.mydomain.net", but some don't have that option (and sometimes politics dictate that the site be available at "mydomain.net").  Only options then are to change the internal domain, or move the site to a different platform that doesn't have that redirect.  Neither of those is what I would call simple.


For the web-portal, you should be able to configure DNS such that the portal is accessible via your public name (e.g. portal.mydomain.net), and then your publicly signed cert should work just fine on it.
2
 
footech Commented:
It is possible, but...
DON'T DO IT!
I hope that was emphatic enough.

You can run into a number of pitfalls with DNS when your AD domain is the same as your public one.  You can set up split-DNS to overcome many of these, but there are certain problems that just can't be avoided.
Example:  you have a public website that you want to be able to reach (or can only reach) via the name "mydomain.net".  You would have a zone on your internal DNS for "mydomain.net", and any lookups for "mydomain.net" should only resolve to the IPs of your domain controllers, not anywhere else.

Recommended practice is to have your internal name be a subdomain of your public (e.g. "mycorp.mydomain.net").

You may want to describe your setup a bit more.  What's your need for SSL certificates?  You can always set up your own certificate authority to issue certificates for your own domain.  Considerations include what names need to be used, whether they need to be trusted publicly, etc.
1
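The two footech answers above describe split-horizon DNS (an internal zone with the public name, where the apex "mydomain.net" resolves to the domain controllers) and the practical fix of reaching the portal under a hostname such as portal.mydomain.net. The following PowerShell is an added example, not code from the thread or from Microsoft: it audits whether a list of names resolves the same way on the internal AD DNS server and on a public resolver, and then publishes an internal A record for the portal hostname. The zone name "mydomain.net", the server "dc01.mydomain.net", the public resolver 8.8.8.8 and the portal address 10.0.0.25 are assumed placeholders.

```powershell
# Added example (not from the thread). Split-horizon DNS audit plus an internal
# A record for a public-named portal. Requires the DnsClient module (built in)
# and, for Publish-InternalPortalRecord, the DnsServer RSAT module and rights
# on the DNS server. All names and addresses below are assumed placeholders.

function Compare-SplitHorizonName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Name,
        [string] $InternalServer = 'dc01.mydomain.net',  # assumed internal DNS server
        [string] $PublicServer   = '8.8.8.8'             # assumed public resolver
    )
    foreach ($n in $Name) {
        # An A query may also return CNAME records in the answer; keep only addresses.
        $internal = @(Resolve-DnsName -Name $n -Type A -Server $InternalServer -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.QueryType -eq 'A' } | ForEach-Object { $_.IPAddress } | Sort-Object)
        $public   = @(Resolve-DnsName -Name $n -Type A -Server $PublicServer -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.QueryType -eq 'A' } | ForEach-Object { $_.IPAddress } | Sort-Object)

        # Counts are checked first so Compare-Object never receives an empty array.
        $status = if ($internal.Count -eq 0)                  { 'NoInternalAnswer' } # name missing from the internal zone
                  elseif ($public.Count -eq 0)                { 'InternalOnly' }     # expected for purely internal hosts
                  elseif (Compare-Object $internal $public)   { 'Mismatch' }         # split-horizon divergence
                  else                                        { 'Match' }

        [pscustomobject]@{
            Name     = $n
            Internal = ($internal -join ', ')
            Public   = ($public   -join ', ')
            Status   = $status
        }
    }
}

function Publish-InternalPortalRecord {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $ZoneName    = 'mydomain.net',      # assumed zone
        [string] $HostLabel   = 'portal',            # assumed hostname label
        [string] $IPv4Address = '10.0.0.25',         # assumed internal portal address
        [string] $DnsServer   = 'dc01.mydomain.net'  # assumed DNS server
    )
    # Do not overwrite an existing record silently; report it and return it instead.
    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostLabel -RRType A `
        -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "$HostLabel.$ZoneName already points to $($existing.RecordData.IPv4Address)"
        return $existing
    }
    if ($PSCmdlet.ShouldProcess("$HostLabel.$ZoneName", "Add A record $IPv4Address")) {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $HostLabel -IPv4Address $IPv4Address `
            -ComputerName $DnsServer -TimeToLive (New-TimeSpan -Hours 1)
    }
}

# Usage (assumed names): audit the apex, www and the portal, then preview the record.
Compare-SplitHorizonName -Name 'mydomain.net', 'www.mydomain.net', 'portal.mydomain.net' | Format-Table -AutoSize
Publish-InternalPortalRecord -WhatIf   # drop -WhatIf to create the record
```

In a zone named after the AD domain, the apex "mydomain.net" reports Mismatch because the domain controllers register the apex A records themselves, and those cannot be pointed at a web host without breaking domain-name-based access to the DCs. That is the case the answer says DNS trickery cannot fix; a hostname such as www or portal, which the second function publishes, is the name the publicly signed certificate should carry.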
 
Shaun Vermaak, Technical Specialist/Developer, Commented:
I disagree with the above. All those issues have simple solutions. For example, adding www to the public website.

You can rename the domain depending on what systems you use but I recommend you rebuild and migrate resources with a tool such as ADMT.
www.microsoft.com/en-za/download/details.aspx?id=19188
1
matedwards (Author) Commented:
Hahahaha.. Thanks footech.. Very emphatic.!!

For example, we have a web-portal that needs HTTPS and (being a school) a filtering/monitoring system that needs to do HTTPS decryption and re-encryption.
Trying to install its root cert into Trusted Root Certificate Authorities is proving impossible for students to deal with. If we had a publicly signed certificate (e.g. GoDaddy) then we could avoid all the warnings.
Hope that helps...
0
 
Shaun Vermaak, Technical Specialist/Developer, Commented:
@Shaun - what exactly do you disagree with?  If you think it's recommended to have your public and AD domains to be the same, then... just... wow.
Yes
Here's a scenario which I have come across many times.  Someone is using the same domain internally and externally.  Their website is hosted in such a way that it is only accessed by the name "mydomain.net".  If you try to access it via "www.mydomain.net", it just redirects to "mydomain.net".
Fix it on the host, no need for DNS trickery
0
 
footech Commented:
Fix it on the host.  Absolutely!  When that's an option.

Here's some good reading on best practices from MS.
https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
0
 
Shaun Vermaak, Technical Specialist/Developer, Commented:
You do know that that is an opinionated article written by an individual and the reference links point to retired content?

99% of my clients are configured like this, all enterprises, and I have not faced any issue which I couldn't address.

I find the "issues" listed greatly exaggerated; they made me chuckle a bit:
  • instable(sic) operations and sub-optimal performance
  • network issues

Subdomain or just the external domain name, both are perfectly fine. Just make sure you understand how to configure them
0
 
footech Commented:
I could point to others that are written by other Microsoft MVPs (and I know of one by a MS employee), and I haven't gone through every link it includes but I did check a couple links and it was not retired content.  But I won't try to convince you further.  I would be interested if you could point to any articles that support your opinion.

It's certainly possible to configure as you've said, but people are more likely to run into an issue (there are so many questions here that involve using the same name for public and AD) where they need help.  I think small businesses have a greater chance because they're more likely to be using a variety of platforms where they don't have complete control.

Moving away from this debate now...
0
 
Shaun Vermaak, Technical Specialist/Developer, Commented:
I do not care about a document written by an individual, only a vendor document that says it is against best practices (not "we recommend" etc.) to have external and internal the same.

I do not see moving a website to WWW as an issue and virtually all complaints are about that
0
 
matedwards (Author) Commented:
Having checked with others who do have an internal domain the same as their external, I will probably go down the sub-domain route, if only to avoid editing DNS twice. Plus, thanks for the certificate name tip. Not available on Sophos firewalls yet, but it is a feature request.
0