
Is there any reason why I shouldn't use example.com as my AD domain versus example.local or some other non-existent variant?

WedTM

3 Answers


Don't use your "real domain name" for an Active Directory domain name. The reason that AdamB gave as a "PITA factor" is exactly the reason not to, and it's not just a "PITA".

It's bad practice to put up a DNS server that's authoritative for a domain that already has authoritative nameservers elsewhere. If you do it, you'll soon want to resolve the "already authoritative" names and have a mess of manually duplicating records into your internal DNS servers.

If you want a namespace contiguous with your "real" domain name, try something like "ad.company.com". Leave "company.com" out of it.

Edit:

Now I think I see where you're going. You should really read up on how DNS is used by Active Directory (http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx). You really do want to host the DNS for Active Directory locally!

The DNS for your Internet domain name (for your email, website, etc) absolutely should be hosted externally, but that doesn't have to be (and really shouldn't be) the same domain name you use for your Active Directory domain name.

Your external DNS host is likely not going to support all the features that you need to make Active Directory work properly in their DNS servers. In particular, they're probably not going to support dynamic DNS registration or GSSAPI-based secure updates.

Beyond that, all of your domain-member client and server computers are going to need DNS to do basic things like logons and application of group policy. You don't want to tie that to your Internet connection being up!

You've got to use a Windows Server computer to host Active Directory itself. It's common practice to also use those domain controller computers to host DNS for the Active Directory (and often to forward requests for other names to the ISP's DNS servers or the root DNS servers) and to use these DNS servers as the DNS servers for all domain-member client and server computers.

Evan Anderson
  • I guess I'm missing the whole point of "authoritive" nameservers. If I assign my NS records to ns1.example.com and ns2.example.com and both ns1 and ns2 are part of my AD domain, wouldn't that make them the only authoritative servers? – WedTM Jul 14 '09 at 18:17
  • It would. Microsoft and I both don't recommend using Internet-facing DNS servers as the DNS servers for Active Directory. What you're describing, though, wouldn't cause multiple DNS servers to believe they are authoritative for the same domain (which is a bad thing and not fun to have to deal with what w/ the manual labor involved). – Evan Anderson Jul 14 '09 at 18:25

I like this approach...The only PITA factor I've found with this is if you make a change to your external DNS (for public services, not AD-linked) server, you have to remember to change/add the entry into your internal DNS server.

So, for example, if you move your website to another IP address and change your entry with register.com (or godaddy or wherever), you have to go in and change the IP on your local DNS server.

EDIT: I came across an MS article called "Naming Conventions for Active Directory for computers, domains, sites, and OUs".

In that document, they say:

A DNS namespace that is connected to the Internet must be a subdomain of a top-level or second-level domain of the Internet DNS namespace.

Further in that document, they recommend something like corp.yourdomain.com as an example.

Adam Brand
  • What if I'm hosting all my DNS records locally? If that's the case then there shouldn't be any real issue, right? – WedTM Jul 14 '09 at 18:12
  • You don't want to expose your _msdcs.company.com records to the Internet, so if you're going to put your AD into the same DNS as your Internet-facing DNS you'll want to create a "view" that hides the _msdcs.company.com records from the Internet. – Evan Anderson Jul 14 '09 at 18:15
  • @Evan Anderson - What issues are there with exposing _msdcs.company.com and how would you go about setting up the "view" you suggest? – boflynn Jul 14 '09 at 18:19
  • I wouldn't host external DNS locally...just my preference, but it is such a critical service that I prefer it elsewhere. Services like register.com, godaddy, or neustar have much better infrastructures for this. – Adam Brand Jul 14 '09 at 18:20
  • Take one more look at my answer. I don't care about the "rep", but you're setting yourself up for a really, really miserable time if you try and host the DNS for Active Directory in an off-site name server. – Evan Anderson Jul 14 '09 at 18:30
  • BTW Evan I'm not suggesting you host the DNS for Active Directory on an off-site name server. I'm suggesting the DNS for AD is local, and then there is an external DNS for the public services (web, mail). I've set it up this way many times before with no issues other than the PITA factor. It's nice because users have a familiar way to login (their email address), and the split DNS takes away the risk of hosting the external DNS internally. – Adam Brand Jul 14 '09 at 18:47
  • @AdamB: I didn't think you were suggesting that, but thanks for the clarification. FYI, though, the user-principal-name (user@domain.com format) can be the same as the Internet domain name regardless of the DNS name of the Active Directory domain. Read up on UPN suffixes-- you can have as many as you want and they have nothing to do with DNS at all. Having suffered through Customers who insisted on using their Internet DNS name for their AD domain name I won't recommend to anyone that they do it (and won't do it for Customers). – Evan Anderson Jul 14 '09 at 19:24
  • @boflynn: You'd need to use a DNS server that supported "views" (i.e. returning different data in responses depending on the source IP address of the query), and Microsoft DNS doesn't (BIND 9 does). The _msdcs.company.com records provide lots of nice information to an attacker about your AD sites, domain controllers, and internal IP address scheme. You really shouldn't be showing that to the Internet. – Evan Anderson Jul 14 '09 at 19:26
  • @Evan - UPN suffixes look like a good option. What is the "suffering" that doing split DNS results in, other than adding in entries manually? – Adam Brand Jul 14 '09 at 20:03

I inherited a network where the internal and external DNS names were the same. This was a relatively small business, with only a few external hosts so the problems I had were minor. The internal DNS was hosted locally, and I would strongly recommend you do the same. The external DNS was hosted at an ISP and only included records for hosts that needed to be accessible from the Internet. The (minor) problems I had were primarily in making sure I duplicated any Internet-accessible hosts on both the internal and external DNS.

For example, mail.company.com was accessible both inside and outside the network, as were the hosts vpn and www. I needed to make sure both DNS servers were changed when any of those hosts changed (which they did a few times).

Bottom line - this is not a best practice. But if you only have a few Internet-accessible hosts, it's not that big a deal. You should really, really host your AD DNS on your local domain controllers. You probably shouldn't expose your local DNS to the Internet.

Carl C
  • Invariably someone is going to want to know why they can't put "http://company.com" into a browser and get to "http://www.company.com". Since "company.com" will resolve to all the DCs IP addresses you'll end up having to install IIS on the DCs to send redirects to "http://www.company.com". – Evan Anderson Jul 14 '09 at 19:46
  • Good point - http://company.com address was an issue in that environment. I was fortunate that there few enough people that they could work around the problem by entering the www. – Carl C Jul 14 '09 at 23:16
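The two operational problems the answers above describe, AD records (`_msdcs` and the SRV records under it) ending up in the Internet-facing zone, and public records drifting out of sync between the external zone and the internal copy when the same name is used for both, can both be caught with a small audit script. The following is an added example, not code from any of the posters; it parses a simplified zone-file syntax, flags AD-only records in the external zone, and reports public names whose internal copy is missing or different. The two zones below are constructed for the example (documentation address ranges), including the `company.com` apex resolving to the domain controllers internally, as Evan Anderson's last comment describes.

```python
"""Split-DNS audit helper (added example): checks that the public zone for
company.com carries no Active Directory records and that the records it does
carry match the copies kept in the internal, AD-integrated zone."""
from collections import defaultdict

# Labels that only ever appear in Active Directory's DNS namespace.
AD_ONLY_LABELS = {"_msdcs", "_sites", "_tcp", "_udp", "domaindnszones", "forestdnszones"}
# Record types that legitimately exist in both zones and therefore need manual syncing.
PUBLIC_TYPES = {"A", "AAAA", "CNAME", "MX"}

# Constructed sample zones (203.0.113.0/24 is a documentation range, 10.0.0.0/8 is private).
INTERNAL_ZONE = """
$ORIGIN company.com.
@        IN A   10.0.0.10       ; apex resolves to the DCs, as AD registers it
@        IN A   10.0.0.11
dc1      IN A   10.0.0.10
dc2      IN A   10.0.0.11
www      IN A   203.0.113.10    ; stale: the website moved, see external zone
mail     IN A   203.0.113.20
vpn      IN A   203.0.113.30
_ldap._tcp.dc._msdcs     IN SRV 0 100 389 dc1.company.com.
_kerberos._tcp.dc._msdcs IN SRV 0 100 88  dc1.company.com.
"""

EXTERNAL_ZONE = """
$ORIGIN company.com.
@            IN A     203.0.113.10
www          IN A     203.0.113.40          ; moved to a new host at the registrar
mail         IN A     203.0.113.20
autodiscover IN CNAME mail.company.com.     ; never copied to the internal zone
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1.company.com.  ; AD record leaked to the Internet
"""


def parse_zone(text):
    """Parse a minimal zone-file subset: '$ORIGIN' lines plus
    'name [ttl] [IN] type rdata' records; ';' starts a comment.
    Returns (fqdn, type, rdata) tuples, fqdn lower-cased without the trailing dot."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        name, *rest = line.split()
        if rest and rest[0].isdigit():        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}" if origin else name
        records.append((fqdn.lower(), rtype, rdata))
    return records


def find_ad_leaks(zone):
    """Records that belong to AD: SRV records or names containing an AD-only label."""
    return [r for r in zone
            if r[1] == "SRV" or any(label in AD_ONLY_LABELS for label in r[0].split("."))]


def find_split_drift(internal, external):
    """For every public A/AAAA/CNAME/MX owner name in the external zone, compare its
    rdata set with the internal zone. Returns (fqdn, type, status, external, internal)
    for names that are missing internally or whose data differs."""
    by_key = defaultdict(lambda: (set(), set()))
    for fqdn, rtype, rdata in external:
        if rtype in PUBLIC_TYPES:
            by_key[(fqdn, rtype)][0].add(rdata)
    for fqdn, rtype, rdata in internal:
        if (fqdn, rtype) in by_key:
            by_key[(fqdn, rtype)][1].add(rdata)
    drift = []
    for (fqdn, rtype), (ext, intl) in sorted(by_key.items()):
        if not intl:
            drift.append((fqdn, rtype, "missing", sorted(ext), []))
        elif ext != intl:
            drift.append((fqdn, rtype, "mismatch", sorted(ext), sorted(intl)))
    return drift


if __name__ == "__main__":
    ext, internal = parse_zone(EXTERNAL_ZONE), parse_zone(INTERNAL_ZONE)
    for rec in find_ad_leaks(ext):
        print("AD record exposed to the Internet:", rec)
    for fqdn, rtype, status, e, i in find_split_drift(internal, ext):
        print(f"{status}: {fqdn} {rtype} external={e} internal={i}")
```

Run against the sample zones it reports the leaked `_ldap._tcp.dc._msdcs` SRV record, the `autodiscover` CNAME that was never copied inward, the `www` address that changed only at the registrar, and the apex `company.com`, which points at the web server externally but at the domain controllers internally. The last of these is exactly the case that cannot be "fixed" by syncing, because AD itself registers the DCs at the apex; it is the reason the accepted answer suggests `ad.company.com` instead.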