Change internal private domain name to public domain name

We have a private internal Windows 2012 R2 domain (.local)

We have a publicly registered domain for websites, mail, etc (.net)

Is it possible to change our internal domain to the external one?

We now wish to use signed SSL certificates for web-portals, filtering, monitoring, etc.

I'm guessing not because... if our Windows domain controller has a DNS zone it will not forward out DNS queries to the public DNS servers (to resolve CNAME or MX records, etc.)?

Any advice would be greatly appreciated

It is possible, but...
I hope that was emphatic enough.

You can run into a number of pitfalls with DNS when your AD domain is the same as your public one.  You can set up split-DNS to overcome many of these, but there are certain problems that just can't be avoided.
Example:  you have a public website that you want to be able to reach (or can only reach) via the name "".  You would have a zone on your internal DNS for "", and any lookups for "" should only resolve to the IPs of your domain controllers, not anywhere else.

Recommended practice is to have your internal name be a subdomain of your public (e.g. "").

You may want to describe your setup a bit more.  What's your need for SSL certificates?  You can always set up your own certificate authority to issue certificates for your own domain.  Considerations include what names need to be used, whether they need to be trusted publicly, etc.
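As an added example (not code from the thread or from either poster), here is a small Python audit of the split-DNS situation described above and in the later website-redirect discussion: given the records the DCs serve for an AD zone named after the public domain and the records published on the public side, it lists the public names the DCs will answer NXDOMAIN for (they must be mirrored internally) and the names whose answers conflict, with the apex A record being the one that cannot be mirrored because it must point at the domain controllers. All zone data is constructed sample data.

```python
# Added example, not code from the thread: audit what internal clients lose when
# the DCs are authoritative for the public name. All zone data is constructed.
ZONE = "example.net"  # the AD domain is named the same as the public domain

INTERNAL = {  # records served by the DCs for the AD zone
    ("example.net", "A"): {"10.0.0.10", "10.0.0.11"},  # apex -> DCs, required by AD
    ("dc1.example.net", "A"): {"10.0.0.10"},
    ("portal.example.net", "A"): {"10.0.0.50"},        # internal address of the portal
}
PUBLIC = {  # records published on the public authoritative servers
    ("example.net", "A"): {"203.0.113.10"},            # bare apex hosts the website
    ("www.example.net", "A"): {"203.0.113.10"},
    ("example.net", "MX"): {"mail.example.net"},
    ("mail.example.net", "A"): {"203.0.113.25"},
    ("portal.example.net", "A"): {"203.0.113.50"},     # public address of the portal
    ("example.com", "A"): {"198.51.100.7"},            # other zone: forwarded as usual
}

def in_zone(name, zone):
    """True if name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)

def audit_split_dns(internal, public, zone):
    """Return (missing, conflicting) as sorted lists of (name, type).

    The DCs answer NXDOMAIN for any name inside their zone instead of forwarding
    it, so 'missing' public records must be mirrored internally; 'conflicting'
    records exist on both sides with different data and need a deliberate choice.
    """
    missing, conflicting = [], []
    for key, data in sorted(public.items()):
        if not in_zone(key[0], zone):
            continue  # another zone: the DCs forward it normally
        if key not in internal:
            missing.append(key)
        elif internal[key] != data:
            conflicting.append(key)
    return missing, conflicting

def remediation(missing, conflicting, zone):
    """Map each finding to the action the thread's advice implies."""
    plan = {key: "mirror the public record in the internal zone" for key in missing}
    for name, rtype in conflicting:
        if name == zone and rtype in ("A", "AAAA"):
            # The apex must stay on the DCs, so the site has to move under www.
            plan[(name, rtype)] = "cannot mirror: serve the site under www"
        else:
            plan[(name, rtype)] = "verify this is an intended split-horizon answer"
    return plan
```

To run it against a real environment, replace the two dictionaries with records exported from the DCs and from the public zone; the logic itself needs no network access.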
Shaun Vermaak, Technical Specialist/Developer, commented:
I disagree with the above. All those issues have simple solutions. For example, adding www to the public website.

You can rename the domain depending on what systems you use but I recommend you rebuild and migrate resources with a tool such as ADMT.
matedwards (Author) commented:
Hahahaha... Thanks footech... Very emphatic!!

For example; we have a web-portal that needs https and (being a school) a filtering-monitoring system that needs to do https decryption and re-encryption.
Trying to install its root cert into Trusted Root Certificate Authorities is proving impossible for students to deal with. If we had a publicly signed certificate (e.g. GoDaddy) then we could avoid all the warnings.
Hope that helps...

@Shaun - what exactly do you disagree with?  If you think it's recommended to have your public and AD domains to be the same, then... just... wow.

It really just increases the burden of what you have to manage in regards to DNS.

Here's a scenario which I have come across many times.  Someone is using the same domain internally and externally.  Their website is hosted in such a way that it is only accessed by the name "".  If you try to access it via "", it just redirects to "".  No amount of DNS trickery is going to resolve that for users on the internal network.  If the web host platform is good, the redirect can be removed and allow full access via "", but some don't have that option (and sometimes politics dictate that the site be available at "").  Only options then are to change the internal domain, or move the site to a different platform that doesn't have that redirect.  Neither of those is what I would call simple.

For the web-portal, you should be able to configure DNS such that the portal is accessible via your public name (e.g., and then your publicly signed cert should work just fine on it.

Shaun Vermaak, Technical Specialist/Developer, commented:
@Shaun - what exactly do you disagree with?  If you think it's recommended to have your public and AD domains to be the same, then... just... wow.
Here's a scenario which I have come across many times.  Someone is using the same domain internally and externally.  Their website is hosted in such a way that it is only accessed by the name "".  If you try to access it via "", it just redirects to "".
Fix it on the host, no need for DNS trickery.
Fix it on the host.  Absolutely!  When that's an option.

Here's some good reading on best practices from MS.
Shaun Vermaak, Technical Specialist/Developer, commented:
You do know that that is an opinionated article written by an individual and the reference links point to retired content?

99% of my clients are configured like this, all enterprises, and I have not faced any issue which I couldn't address.

I find the "issues" listed greatly exaggerated, and they made me chuckle a bit:
  • instable(sic) operations and sub-optimal performance
  • network issues

Subdomain or just the external domain name, both are perfectly fine. Just make sure you understand how to configure them.
I could point to others that are written by other Microsoft MVPs (and I know of one by a MS employee), and I haven't gone through every link it includes but I did check a couple links and it was not retired content.  But I won't try to convince you further.  I would be interested if you could point to any articles that support your opinion.

It's certainly possible to configure as you've said, but people are more likely to run into an issue (there are so many questions here that involve using the same name for public and AD) where they need help.  I think small businesses have a greater chance because they're more likely to be using a variety of platforms where they don't have complete control.

Moving away from this debate now...
Shaun Vermaak, Technical Specialist/Developer, commented:
I do not care about a document written by an individual, only a vendor document that says it is against best practices (not "we recommend" etc.) to have external and internal the same.

I do not see moving a website to WWW as an issue, and virtually all complaints are about that.
matedwards (Author) commented:
Having checked with others, who do have an internal domain the same as their external, I will probably go down the sub-domain route, if only to avoid editing DNS twice. Plus, thanks for the certificate name tip. Not available on Sophos firewalls yet, but it is a feature request.