Separate DNS?

 
 
Brianna
08-25-2005, 01:13 PM
If you were to implement Server 2003 where the DNS for the clients is
currently handled by the ISP, and want to maintain separate DNS, i.e. keep
everything as is on the ISP side and do the minimum required DNS internally
to make AD work correctly and securely.

How can this be accomplished?

Considering it will only be internal, can they use any name they want for
the AD domain name or do they need to use their current domain?


Many thanks in advance for any assistance.



 
Matt Gibson
08-25-2005, 02:19 PM
In an AD network, the clients cannot only go to the ISP for DNS, they are
required to ONLY go to the DC for DNS.

Just have the DC DNS server forward all other requests out to the ISP.

Matt Gibson - GSEC

"Brianna" <none@NO_SPAM_FOR_ME.com> wrote in message
news:(E-Mail Removed)...
> If you were to implement Server 2003 where the DNS for the clients is
> currently handled by the ISP, and want to maintain separate DNS, i.e. keep
> everything as is on the ISP side and do the minimum required DNS
> internally to make AD work correctly and securely.
>
> How can this be accomplished?
>
> Considering it will only be internal, can they use any name they want for
> the AD domain name or do they need to use their current domain?
>
>
> Many thanks in advance for any assistance.
>
>
>



 
Frankster
08-25-2005, 02:43 PM
> Considering it will only be internal, can they use any name they want for
> the AD domain name or do they need to use their current domain?


There is no need to use the same internal and external domain name.

-Frank


 
Brianna
08-25-2005, 03:49 PM
>
> Just have the DC DNS server forward all other requests out to the ISP.



How can that be setup?

Thanks


 
Danny Sanders
08-25-2005, 03:51 PM
> If you were to implement Server 2003 where the DNS for the clients is
> currently handled by the ISP, and want to maintain separate DNS. ie. Keep
> everything as is on the ISP side and do the minimum required DNS
> internally to make AD work correctly and securely.


AD requires the clients be able to find the SRV records for the AD domain
they belong to. Consider that #1 you want your AD domain "secure". Putting
(if your ISP would let you do this in the first place) your SRV
records for your internal AD domain on a public DNS server would only serve
to expose your AD domain to the "public".

To set up the minimum required DNS for the AD domain:
Install DNS on a server in your AD domain
Point this DNS server to itself for DNS in the properties of TCP/IP for DNS
resolution
Point ALL AD clients to the DNS server you set up to serve your AD domain
ONLY. AD DCs are AD clients also.

That is the minimum needed for AD to function properly.

For Internet access set up your AD DNS server to forward DNS requests and
list your ISP's DNS server as the forwarder or use root hints. This is the
ONLY place on your AD domain your ISP's DNS servers should be listed.
Putting your ISP's DNS server as the primary on an AD client has a set of
problems and putting your ISP's DNS server as secondary on an AD client has
another set of problems.

See:
Setting Up the Domain Name System for Active Directory

http://support.microsoft.com/default...b;en-us;237675
Best Practices for DNS Client settings in Windows 2000 server and in Windows
Server 2003

http://support.microsoft.com/default...b;en-us;825036

How to configure DNS for Internet access in Windows Server 2003

http://support.microsoft.com/default...b;en-us;323380




hth

DDS W 2k MVP MCSE




"Brianna" <none@NO_SPAM_FOR_ME.com> wrote in message
news:(E-Mail Removed)...
> If you were to implement Server 2003 where the DNS for the clients is
> currently handled by the ISP, and want to maintain separate DNS, i.e. keep
> everything as is on the ISP side and do the minimum required DNS
> internally to make AD work correctly and securely.
>
> How can this be accomplished?
>
> Considering it will only be internal, can they use any name they want for
> the AD domain name or do they need to use their current domain?
>
>
> Many thanks in advance for any assistance.
>
>
>
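A quick way to check the client-side rule in the post above (every AD member lists only the AD DNS servers, never the ISP's) is to audit collected `ipconfig /all` output. This is an added example, not code from the post; the server addresses and the three `ipconfig` excerpts are constructed samples.

```python
import re

# Constructed sample: the only DNS servers an AD member (DCs included) should
# list, per the post above; the ISP resolver belongs in the DC's forwarder list.
AD_DNS_SERVERS = {"192.168.10.5", "192.168.10.6"}

# Constructed "ipconfig /all" excerpts. WS01 is correct; WS02 adds the ISP
# resolver as a secondary; WS03 puts it first.
SAMPLE_IPCONFIG = {
    "WS01": "   DNS Servers . . . . . . . . . . . : 192.168.10.5\n"
            "                                       192.168.10.6\n",
    "WS02": "   DNS Servers . . . . . . . . . . . : 192.168.10.5\n"
            "                                       203.0.113.53\n"
            "   Primary WINS Server . . . . . . . : 192.168.10.7\n",
    "WS03": "   DNS Servers . . . . . . . . . . . : 203.0.113.53\n",
}

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def dns_servers_from_ipconfig(text):
    """Return the configured DNS servers in the order the client tries them.

    The first address sits on the 'DNS Servers' line; any further addresses
    follow on continuation lines that contain nothing but an IPv4 address.
    """
    servers, collecting = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            collecting = True
            tail = line.split(":", 1)[1] if ":" in line else ""
            servers.extend(IPV4_RE.findall(tail))
        elif collecting and IPV4_RE.fullmatch(line.strip()):
            servers.append(line.strip())
        else:
            collecting = False
    return servers


def audit_client(name, text, ad_dns=AD_DNS_SERVERS):
    """Findings for one client; an empty list means it follows the post's rule."""
    servers = dns_servers_from_ipconfig(text)
    if not servers:
        return [f"{name}: no DNS server configured"]
    return [f"{name}: non-AD DNS server {ip} in position {pos}"
            for pos, ip in enumerate(servers, start=1) if ip not in ad_dns]


def audit_all(samples=SAMPLE_IPCONFIG):
    """Map each client name to its findings over a batch of collected output."""
    return {name: audit_client(name, text) for name, text in samples.items()}
```

Run it over real output by replacing `SAMPLE_IPCONFIG` with text captured from each machine; a secondary ISP entry is flagged too, since the post says a public resolver in either position causes problems.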



 
Phillip Windell
08-25-2005, 04:10 PM
Yes, and it is even better when they aren't the same name,...it prevents the
need to set up Split-DNS.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------



"Frankster" <(E-Mail Removed)> wrote in message
news:XLSdnWG_VdyzRJDeRVn-(E-Mail Removed)...
> > Considering it will only be internal, can they use any name they want for
> > the AD domain name or do they need to use their current domain?

>
> There is no need to use the same internal and external domain name.
>
> -Frank
>
>



 
Brianna
08-26-2005, 02:53 PM
> Yes, and it is even better when they aren't the same name,...it prevents
> the need to setup Split-DNS.



So, if you have a domain called company.com could you setup the AD Domain
as company.dept.net?

Are there any negative effects in doing this?


 
Todd J Heron
08-26-2005, 04:42 PM
"Brianna" <none@NO_SPAM_FOR_ME.com> wrote in message...
> So, if you have a domain called company.com could you setup the AD Domain
> as company.dept.net? Are there any negative effects in doing this?


Certainly. If you have a domain called company.com you could set up the AD
Domain as company.dept.net.

There are three basic different views to this classic question and while
they ultimately depend upon company preference, much of the direction will
be driven by administrator experience. The three basic options outlined
below are the most commonly given answers to the question. Some companies
use a combination of these scenarios. When explaining it to a relative
beginner asking the question, many advanced AD/DNS administrators routinely
omit explanatory detail from their responses. The explanations that follow
contain further explanatory detail.

Option #1: Same internal and external DNS domain name. The administrator
maintains entirely separate DNS implementations (no zone transfers, etc.),
where the internal AD/DNS domain has manually configured static records
(web, mail, etc..) to get to frequently used IP hosts in the public DNS zone
of the same name (currently most likely provided by your ISP, unless you are
a very large company). The private AD/DNS zone is protected inside the
network perimeter and is used to support the internal AD. This is known as
"shadow DNS", "split DNS", split-brain DNS, or split-horizon DNS.

Advantages:
1) Security. Each DNS zone is authoritative for the zone of that name, so
therefore the external DNS zone and internal AD/DNS zone will NOT replicate
with each other, thereby preventing internal company records from being visible to
the outside Internet.
2) Short namespace. Users don't have to type in (or see) a long domain name
when accessing company resources either internally or externally. Names are
"pretty".

Disadvantages:
1) Any changes made to the public DNS zone (such as the addition or removal
of an important IP host such as a web server, mail server, or VPN server)
must be added manually to the internal AD/DNS zone if internal users will be
accessing these hosts from inside the network perimeter (a common
circumstance).
2) VPN resolution is problematic at best. Company users accessing the
network from the Internet will easily be able to reach IP hosts in the
public DNS zone but will not easily reach internal company resources inside
the network perimeter without special (and manual) workarounds such as
maintaining hosts files on their machines (which must be manually updated as
well every time there is a change to an important IP host in the public
zone), or they must use special VPN software (usually expensive).

For further reading on this scenario:
http://www.isaserver.org/tutorials/Y...Split_DNS.html
http://homepages.tesco.net./~J.deBoy...ver-names.html

---------------------------------------------------------------------------------------

Option #2: Delegated subdomain. This is a subdomain of the public DNS zone.
For example, externaldnsdomain.com and subdomain.externaldnsname.com.

Advantages:
1) Like Scenario 1, this method also isolates the internal company network
but note this at the same time is also a disadvantage (see below).
2) Better than Scenario 1, internal company (Active Directory) clients can
resolve external resources in the public DNS zone easily, once proper DNS
name resolution mechanism such as forwarding, secondary zones, or delegation
zones are set up.
3) Better than Scenario 1, DNS records for the public DNS zone do not need
to be manually duplicated into the internal AD/DNS zone.
4) Better than Scenario 1, VPN clients accessing the internal company
network from the Internet can easily navigate into the internal subdomain.
It is very reliable as long as the VPN stays connected.

Disadvantages:
1) While there is security in an isolated subdomain, there is a limited
potential for exposure to outside attack. The potential for exposure of
internal company resources to the outside world lies mainly in the fact
that when the public zone DNS servers receive a query for
subdomain.externaldnsname.com, they will return the addresses of the
internal DNS servers, which will then provide answers to that query. Hackers
could use this information to gather information about your network. To the
extent however that internal networks are only accessible to the outside world
via VPN (and/or exist within a non-Internet routable IP range) then this
scenario is not a security disadvantage.
2) Longer DNS namespace. This may not look appealing (or "pretty") to the
end-users.

This scenario is the recommendation from the Windows Server 2003 Deployment
Guide. It states to use the external registered name and take a sub zone from
that as the DNS name for the Forest Root Domain.

http://www.microsoft.com/resources/d...us/default.asp

---------------------------------------------------------------------------------------

Option #3:
Different internal and external DNS domain names. For example, dnsname.com
and dnsname.local. The administrator(s) maintain external records on the
external DNS servers, and internal records on the internal DNS servers.

This option is usually best for beginners b/c it's the easiest to implement,
primarily because it prevents name space conflicts from the very beginning
with the public domain and requires no further action on your part with
respect to that. But this option does make VPN resolution difficult (like
option 1), and Exchange headers when examined closely will show the company
internal AD name, which looks unprofessional. You can use any extension you
want here such as .ad, .int, .lan, etc...

Disadvantages:
1) The chief disadvantage to this approach comes in when users have to
access resources and don't use FQDNs. A Windows 2000/XP box where a user
types "ping server1", for example, or types "server1" in IE, could
potentially get unexpected results.

For example, there is a machine named server1.internalname.com and there is
also a server named server1.externalname.com. If a user opens IE and simply
types "server1" in the address bar (happens often), then which "server1" is
really the correct answer? The answer may not be what the user was looking
for, and it will be based off of the configuration settings for DNS under TCP/IP
properties, the machine's domain membership, whether or not it is using a
proxy server, and finally the DNS suffix search order.

2) Another disadvantage is the inability of many administrators to escape a
very common pitfall when internal and external domain names are the same.
If one is not careful, setting the internal AD domain to the same name as
the external (public) DNS domain name will typically have such consequences
as internal users not being able to resolve the public website and slow
logins to the internal AD *if* the internal clients configure a public DNS
server in their TCP/IP properties.

3) Another disadvantage is VPN clients trying to access internal resources.
Newer VPN clients, such as those offered by Cisco and Nortel, once
connected, provide name resolution by passing internal name servers (WINS,
DNS) to the TCP/IP stack. If the VPN client cannot do this, add the host
names of important internal hosts to the internal (WINS, DNS) name servers
so that the VPN client will be able to resolve these names. Otherwise, you
will need to use a Hosts (and Lmhosts if necessary) file, which is both
manually intensive and will need to be updated whenever one of the listed IP
hosts changes its name or changes its IP address, which happens often in an
enterprise environment.

For a broad overview of this entire topic, see below.

DNS Namespace Planning
http://support.microsoft.com/default...b;en-us;254680

Assigning the Forest Root Domain Name
http://www.microsoft.com/resources/d..._logi_kqxm.asp

Conclusion:
All three approaches will have to take both security and the end-user
experience into perspective. This perspective is colored by company size,
budget, and experience of personnel running Active Directory and the network
infrastructure (mostly with respect to DNS and VPN). No one approach should
be considered the best solution under all circumstances. For any host name
that you wish to have access from both your internal network and from the
external Internet you need option 1, although it is the most DNS-intensive
over time. If you do not select this option and go with option 2 or 3
only, consideration will have to be given to the fact that company end-users
will need to be trained on using different names under different
circumstances (based on where they are: at work, on the road or at home).

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights
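The "which server1?" ambiguity Todd describes under Option #3 comes down to the order in which the client resolver appends DNS suffixes. The following is an added example (not the poster's code) that models that search order over constructed zone data; the model of Windows 2000/XP suffix handling (a configured search list replaces devolution, otherwise the primary suffix is devolved down to two labels) is an assumption stated in the docstring.

```python
# Constructed sample zones for Todd's "server1" example: the same host label
# exists in the internal AD zone and in the public zone.
ZONES = {
    "server1.corp.internalname.com": "192.168.10.30",  # internal application server
    "server1.externalname.com": "203.0.113.30",        # public web server
}


def candidate_fqdns(name, primary_suffix, search_list=None, devolution=True):
    """Names a Windows 2000/XP resolver tries, in order, for an unqualified name.

    Assumed model of the resolver's suffix handling: a configured search list
    replaces suffix devolution entirely; without one, the primary DNS suffix is
    appended and then devolved one label at a time down to its two-label parent.
    A name containing a dot is treated as already qualified.
    """
    if "." in name:
        return [name.rstrip(".")]
    if search_list:
        return [f"{name}.{suffix}" for suffix in search_list]
    labels = primary_suffix.split(".")
    candidates = []
    while len(labels) >= 2:
        candidates.append(f"{name}.{'.'.join(labels)}")
        if not devolution:
            break
        labels = labels[1:]
    return candidates


def resolve(name, primary_suffix, search_list=None, zones=ZONES):
    """First candidate that exists in the zone data, or None (NXDOMAIN)."""
    for fqdn in candidate_fqdns(name, primary_suffix, search_list):
        if fqdn in zones:
            return fqdn, zones[fqdn]
    return None
```

With no search list a domain member resolves "server1" to the internal host; putting externalname.com first in a search list sends the same user to the public server, and a search list that omits the AD suffix makes "server1" fail outright.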

 
Phillip Windell
08-26-2005, 07:11 PM

"Brianna" <none@NO_SPAM_FOR_ME.com> wrote in message
news:(E-Mail Removed)...

> So, if you have a domain called company.com could you setup the AD
> Domain as company.dept.net?


No, it would be company.loc.
The Top Level Domain needs to be something that is not used on the Internet.
".loc" (short for "Local") is not and is fine to use.

"dept" would either be a secondary domain name or a host name,...in either
case it would be on the left. FQDNs are hierarchical and are read
"backwards" (from right to left).

hostname.domainname.topleveldomainname
OR
hostname.childdomain.domainname.topleveldomainname

.TopLevel Domain (com, net, org)
              |
        .Domain Name (mycompany)
              / \
             /   \
            /     \  (Child domains, or Hosts)
     .Acct.         www.
     .Sales.        ftp.
     .Dev.          server1.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 