Domain Naming

George Schneider
      03-11-2008, 02:03 PM
The situation I have is that we are currently in a Mixed Windows 2000 Domain
Environment and have to move to a Windows 2003 Domain environment. What I want
to do is build a new domain from scratch; that way we have a brand new clean
network.

The question we have is our current domain ad.company.com, which seems to pose a
problem with clients that launch IE7 for the first time: it apparently
automatically tries to detect the settings and tries to, I
assume, connect to the proxy of the internet registered proxy of company.com,
which is not our DNS registered address even though we are using it as part
of internal name space.


What I have for this new project is 10 production DCs and 1 test DC. I
want to create two domains, one for production and one for the test domain.
Can I create two domains in the same forest even though the internal domain
name space will not be starting at the top of the forest? For example I want
to use corporate.company.net and test.company.net?

Also our DNS is such that we only resolve internal resolution requests
internally and everything else is forwarded to our ISP's DNS server. Nothing,
even for our public web servers, is hosted internally; everything is hosted on
the ISP's end. So the internal DNS servers are used only for internal DNS
resolution. My question is, for our DNS namespace can I use our registered
DNS name space which is also our email domain? Typically this is considered a
security risk if we were resolving both internal and external resolution,
since an attacker could learn of the clients on our internal domain if we
hosted everything. Since our ISP does all public resolution for our web
presence, would this still be a risk? Is it still advisable in this case to
segment the internal DNS name space from the public domain names?
Lanwench [MVP - Exchange]
      03-11-2008, 05:23 PM
George Schneider <(E-Mail Removed)> wrote:
> The situation I have is that we are currently in a Mixed Windows 2000
> Domain Environment and have to move to a Windows 2003 Domain
> environment. What I want to do is build a new domain from scratch; that
> way we have a brand new clean network.


Wow, that sounds like a lot of extra work - and probably not necessary
unless AD was originally set up by rhesus monkeys. And the ones at the
bottom of their class.

>
> The question we have is our current domain ad.company.com, which seems to pose
> a problem with clients that launch IE7 for the first time: it apparently
> automatically tries to detect the settings and tries to,
> I assume, connect to the proxy of the internet registered proxy of
> company.com, which is not our DNS registered address even though we
> are using it as part of internal name space.


No - if you're using ad.company.com, and your clients all have
ad.company.com as their primary DNS suffix, and are using the internal DNS
server only, that can't be it.

You can turn off the proxy stuff entirely via group policy, you know.
>
>
> What I have for this new project is 10 production DCs and 1 test DC.
> I want to create two domains, one for production and one for the test
> domain. Can I create two domains in the same forest even though the
> internal domain name space will not be starting at the top of the
> forest? For example I want to use corporate.company.net and
> test.company.net?


You can, but why a separate domain at all?
>
> Also our DNS is such that we only resolve internal resolution requests
> internally and everything else is forwarded to our ISP's DNS server.


That's good.


> Nothing even for our public web servers is hosted internally
> everything is hosted on the ISP's end.


That's good too.

> So the internal DNS servers
> are used only for internal DNS resolution. My question is, for our
> DNS namespace can I use our registered DNS name space which is also
> our email domain?


You can, but it isn't recommended. What would be the benefit? There are many
downsides to a "split brain DNS" configuration, if you aren't very careful.
What you have now, ad.mycompany.com, is a lot easier to manage. Your
internal clients will always be able to find yourservers.ad.mycompany.com -
and when they want to find www.mycompany.com, your internal DNS server won't
think it's supposed to resolve it locally, and will hand the request off to
the forwarders. This works well.

> Typically this is considered a security risk if we
> were resolving both internal and external resolution since an attacker
> could learn of the clients on our internal domain if we hosted
> everything?


No - that isn't the issue. It isn't for security reasons, because of course
you are not hosting your public DNS in house, and nobody on the Internet is
looking up DNS on your network (they shouldn't be able to access those ports
through your firewall).

The real issue is administration.

> Since our ISP does all public resolution for our web
> presence would this still be a risk? Is it still advisable in this
> case to segment the internal DNS name space from the public domain
> names?


Well - "segment" isn't the right word. Your public and private DNS must
*never* mix. The issue is, why would you *want* to name your private and
public namespace the same thing? What would be the benefit?

Unless there's some other compelling reason to rebuild your AD, I can't see
why you'd want to bother. Certainly not for reasons like the name.

Phillip Windell
      03-11-2008, 05:49 PM
"George Schneider" <(E-Mail Removed)> wrote in message
news:46676331-1189-4586-995A-(E-Mail Removed)...
> The situation I have is that we are currently in a Mixed Windows 2000 Domain
> Environment and have to move to a Windows 2003 Domain environment. What I
> want to do is build a new domain from scratch; that way we have a brand new
> clean network.
>
> The question we have is our current domain ad.company.com which


That is too many "dots". There should only be one "dot". With two "dots"
you are telling it that you have a:

Machine called "ad"
a Domain called "company"
Top-Level Domain called "com"

"ad" could be a Child Domain but nothing you have described elsewhere
implies that this is the case (unless I missed it).

> seems to pose a problem with clients that launch IE7 for the first time: it
> apparently automatically tries to detect the settings and tries to, I
> assume, connect to the proxy of the internet registered proxy of
> company.com, which is not our DNS registered address even though we are
> using it as part of internal name space.


IE is not going to detect anything unless the DNS Service the machine is
using has been configured to use Proxy Auto-detection with WPAD. It would
just try in vain for a few seconds,...give up,...and move on without a
proxy.

> What I have for this new project is 10 production dc's and 1 test dc.


Unless you have 10,000 or more users there is no point in 10 DCs. Two is
enough.

> want to create two domains, one for production and one for the test domain.
> Can I create two domains in the same forest even though the internal domain
> name space will not be starting at the top of the forest? For example I want
> to use corporate.company.net and test.company.net?


Having multiple Domains of that nature is "old-school" from the days of NT4
and flat domains,...the new modern philosophy now is "...have as few domains
as possible,...preferably only one". There are valid Master/Child Domain
scenarios, but unless you have 10,000 users and multiple physical locations
separated by slow WAN links there is no point in it. If you have a "test
domain" then it should logically be as separate and distinct and as
independent as possible,...and more importantly *expendable* without
screwing up your Forest.

Create two Forests,..one Domain per Forest. Then establish a flat trust
between the two Forests. Then if you screw up the Test Domain (as most
people do eventually) you just break the Trust and all is well,...no damage
done to the schema of the "good" Forest.

> resolution. My question is, for our DNS namespace can I use our
> registered DNS name space which is also our email domain?


Email domains are totally irrelevant to this.
Whether your AD Domain and your Public Domain are spelled the same is
*almost* irrelevant and is pretty much a personal *preference*. There are
pros and cons to either way of doing it and they are fairly easy to overcome
in either case.

> security risk if we were resolving both internal and external resolution
> since an attacker could learn of the clients on our internal domain if we
> hosted everything? Since our ISP does all public resolution for our web
> presence would this still be a risk? Is it still advisable in this case
> to segment the internal DNS name space from the public domain names?


There is no security element to it although there is probably plenty of
"superstition" in the industry that there might be a security risk.

Split-brain DNS has a role to play no matter which way you do it. It is
just done slightly different depending on if the spelling is the same or
different. Split-DNS is not hard to deal with but you do have to know a
little bit about DNS and keep in mind that you did in fact use Split-DNS,
and therefore have to manage DNS with the fact in mind that you did actually
use Split-DNS.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

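Lanwench's point that an internal zone named ad.mycompany.com lets www.mycompany.com fall through to the forwarders, and Phillip's point that split-DNS has to be managed "with the fact in mind", both rest on one rule: a DNS server never forwards a name that falls inside a zone it is authoritative for. The following Python model is an added example, not code from the thread; its zone contents and addresses are constructed (RFC 5737 / private ranges), and it compares the two layouts the thread discusses.

```python
from dataclasses import dataclass

FORWARDER = "isp-forwarder"  # stands in for "sent on to the ISP's DNS"


@dataclass
class InternalDns:
    """Internal DNS server: authoritative for its zones, forwards everything else."""
    zones: dict  # zone name -> {owner name: IPv4 address}

    def enclosing_zone(self, name):
        """Longest configured zone that is a suffix of name, or None."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def resolve(self, name):
        """Return (outcome, detail) describing where the answer for name comes from."""
        zone = self.enclosing_zone(name)
        if zone is None:
            return ("forwarded", FORWARDER)   # not our namespace: ask the ISP
        address = self.zones[zone].get(name.lower())
        if address is None:
            return ("NXDOMAIN", zone)        # our zone, so answered negatively, never forwarded
        return ("answer", address)


def hidden_public_names(server, public_names):
    """Public names internal clients can no longer reach through this server."""
    return [n for n in public_names if server.resolve(n)[0] == "NXDOMAIN"]


# Constructed data: names hosted at the ISP, and the two candidate internal layouts.
PUBLIC = ["www.company.com", "mail.company.com"]
SEPARATE = InternalDns({"ad.company.com": {"dc1.ad.company.com": "10.0.0.1"}})
SPLIT = InternalDns({"company.com": {"dc1.company.com": "10.0.0.1"}})

if __name__ == "__main__":
    for label, server in (("ad.company.com", SEPARATE), ("company.com", SPLIT)):
        print(label, server.resolve("www.company.com"),
              "hidden:", hidden_public_names(server, PUBLIC))
```

With the split-brain layout every public host must be copied into the internal zone by hand (and kept in sync when the ISP changes it), which is the administration cost both replies describe.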
Jian-Ping Zhu [MSFT]
      03-12-2008, 08:50 AM
Hello,

Thank you for your post as well as to Lanwench and Phillip for the
information sharing.

According to your description, my understanding is that you are now
planning to build a new domain environment. Your main concern is whether it
will cause any security risk if the private namespace is named the same as
the public namespace.

This issue appears to be consulting in nature. Please note, although this
newsgroup provides break/fix resolution, we are happy to provide general
information and suggestions on it here and you may receive suggestions from
other partners on this topic here. However, please know that we are not the
best support resource for advisory issues. For this kind of issue, I highly
recommend you contact our CSS advisory service at
http://support.microsoft.com/gp/advisoryservice.

Having said the above, the following is some basic information for your
reference:

When planning your DNS and Active Directory namespace, it is recommended
that you use a differing set of distinguished names that do not overlap as
the basis for your internal and external DNS use.

You might refer to the following two articles:

Namespace planning for DNS
http://technet2.microsoft.com/window...1-6b1a-48ec-bd3e-d8d43bc814311033.mspx?mfr=true

DNS Naming Conventions
http://www.microsoft.com/technet/pro...eskit/distrib/dsbb_act_wbaj.mspx?mfr=true

I hope this helps.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
================================================== ===
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
================================================== ===
This posting is provided "AS IS" with no warranties, and confers no rights.

Jian-Ping Zhu [MSFT]
      03-28-2008, 05:37 AM
Hello,

How's everything going?

I'm wondering if the suggestion has helped or if you have any further
questions.

Please feel free to respond to the newsgroups if I can assist further.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center
