I have purchased a domain, example.com. Per everything I have read, my Active Directory server should NOT be named the same. As such, my servers are now:

DC-1.example.com [Active Directory]
Web-1.example.com [Web]
Mail-1.example.com [Mail]

If I understand correctly, example.com should actually resolve to Web-1.example.edu

So the DNS for example.com:

A - [IP of Web-1.example.com]
MX - [IP of Mail-1.example.com]
SRV - [IP of DC-1.example.com]

Can anyone verify this is the correct way of doing this? I just want to make sure the configuration is proper.

REF:

Windows Active Directory naming best practices?

http://support.microsoft.com/kb/300684/en-us

DR913
  • Your question doesn't make sense. You say that you know your AD domain should not be example.com and then you name your hosts example.com. Also, what does Web-1.uta.edu have to do with it? – joeqwerty Sep 06 '13 at 17:53
  • What they mean is your AD domain shouldn't be example.com if your external domain is example.com, since internal hosts will override/shadow external hosts (you might want this). Normally I've seen internal AD domains called things like example.dom or example.lan – Doon Sep 06 '13 at 18:03
  • I'm with @joeqwerty, but will say that your SRV record and A record for the parent AD domain (in your case example.com) will be auto-created and will be the IP of the DC. You don't want to resolve "example.com"'s A record to your website. The MX record is correct though. – TheCleaner Sep 06 '13 at 18:06
  • More info to add to my comment since Evan states it well: http://serverfault.com/questions/31686/active-directory-is-it-required-that-the-a-record-for-a-domain-point-to-a-dom?rq=1 – TheCleaner Sep 06 '13 at 18:16
  • Looks like I'm the one misunderstanding. My DC should actually be named something like DC-1.internal.example.com and then have my web server still be web-1.example.com. In that case, I would have two DNS zones, correct? – DR913 Sep 06 '13 at 19:13
  • This explains a lot. I attended uta.edu and you never could get to the external website while on the internal network. Still haven't figured it out, eh? :) – Ryan Ries Sep 06 '13 at 19:49
  • @RyanRies I do attend UTA, but I don't know anything about what they do. I just realized some of my homework got mixed in. Sorry! – DR913 Sep 06 '13 at 20:07
  • The recommendation is to use a subdomain so you don't end up with 'split' DNS. I believe Microsoft suggests this these days as well. I tend to prefer ad.example.com as it's short, or I might use corp.example.com for a company big enough for the 'corporate' tag to apply. – USD Matt Sep 06 '13 at 20:18

1 Answer


Close...

Your external domain is example.com.

So, you should name your internal Active Directory something like corp.example.com.

That way, the FQDN of your servers will be like DC1.corp.example.com, Web1.corp.example.com, Mail.corp.example.com, etc.

Active Directory will automatically populate SRV records for corp.example.com. You should not have to manually create any SRV records unless you are doing something special.

MX records should be named the same name as their domain. In Microsoft DNS it will literally say "(Same as parent folder)" as the name of the MX record. (Or an @ symbol.) It should point to the name of a mail server, not an IP address. You can have many MX records for the same domain, with different priorities, if you want.

You will manage your external DNS separately from your internal DNS. Your internal DNS for corp.example.com will be hosted on your AD domain controllers. Your external DNS will be managed through someone like GoDaddy, though you are free to change the name servers to your own NS servers if you please. But they need to be authoritative for example.com. (And right now your internal AD domain controllers are not authoritative for example.com. They are authoritative for corp.example.com.)

If you have an external website that you want to host on web1.corp.example.com, you probably want your internet visitors to just be able to type in www.example.com in their web browsers. It's pretty typical to go to your external name servers (like on the GoDaddy web portal, for instance) and make a new A (host) record named www, where the IP points to the external IP that NATs to the internal IP of your web server behind your router. Or, you might make example.com itself (@) point to the external IP of your web server, and make www an alias (CNAME) for @.

That last bit right there is why you will have a bad time if you try to host an external website where the Active Directory has the same FQDN as your external domain. Let's say, for example, you named your internal Active Directory example.com. Well then example.com would resolve to the authoritative name servers for example.com, which at that point would be your domain controllers, and not your web server.

Ryan Ries
  • So just to make sure I have everything you are saying correct: My servers are named dc-1.internal.example.com, mail-1.internal.example.com, and web-1.internal.example.com. I have my DYN DNS point to my web server\mail server. And I have internal DNS set to point internal.example.com to my AD (DC-1). Do I have this right now? – DR913 Sep 06 '13 at 21:26
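The answer's rules of thumb (the AD domain is a subdomain of the public domain rather than the same name, MX records point at a hostname and never an IP, AD's SRV records live only under the AD zone, and the public apex must not resolve to a domain controller) can be turned into a quick sanity check over a record set. The following is an added example, not code from the question or answer above; the record lists are constructed samples that mirror the recommended `corp.example.com` layout and the asker's original plan, and the addresses used are documentation/private ranges chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not from the original post). This is the layout the
# answer recommends: the public zone example.com at the registrar, the AD zone
# corp.example.com on the domain controllers. Tuple shape: (zone, name, type, rdata).
RECOMMENDED_RECORDS = [
    ("example.com", "example.com", "A", "203.0.113.10"),           # apex -> public web IP
    ("example.com", "www.example.com", "CNAME", "example.com"),    # www is an alias for @
    ("example.com", "example.com", "MX", "10 mail.example.com"),   # MX -> hostname, not IP
    ("example.com", "mail.example.com", "A", "203.0.113.25"),
    ("corp.example.com", "corp.example.com", "A", "10.0.0.5"),     # AD apex -> DC (auto-created)
    ("corp.example.com", "dc1.corp.example.com", "A", "10.0.0.5"),
    ("corp.example.com", "_ldap._tcp.dc._msdcs.corp.example.com", "SRV", "0 100 389 dc1.corp.example.com"),
    ("corp.example.com", "_kerberos._tcp.corp.example.com", "SRV", "0 100 88 dc1.corp.example.com"),
]

# Constructed records for the asker's first plan: AD named the same as the public
# domain, MX pointing at an address, SRV published in the public zone.
ORIGINAL_PLAN_RECORDS = [
    ("example.com", "example.com", "A", "203.0.113.10"),
    ("example.com", "example.com", "MX", "10 203.0.113.25"),
    ("example.com", "_ldap._tcp.dc._msdcs.example.com", "SRV", "0 100 389 dc-1.example.com"),
    ("example.com", "dc-1.example.com", "A", "10.0.0.5"),
]


def is_ip(text):
    """True if text parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_layout(records, external_zone, ad_zone):
    """Return a list of findings; an empty list means the layout follows the answer's advice."""
    findings = []
    by_type = defaultdict(list)
    for zone, name, rtype, rdata in records:
        by_type[rtype].append((zone.lower(), name.lower().rstrip("."), rdata))

    # 1. The AD domain must not be the public domain; a subdomain of it is the recommended shape.
    if ad_zone == external_zone:
        findings.append("AD domain equals external domain: the apex will resolve to the DCs, not the web server")
    elif not ad_zone.endswith("." + external_zone):
        findings.append(f"AD domain {ad_zone} is not a subdomain of {external_zone} (works, but not the recommended layout)")

    # 2. MX rdata is "<priority> <hostname>"; the target must be a name, never an address.
    for _zone, name, rdata in by_type["MX"]:
        target = rdata.split()[-1]
        if is_ip(target):
            findings.append(f"MX for {name} points at IP {target}; it must point at a mail server hostname")

    if ad_zone != external_zone:
        # 3. The public apex A record must not land on a domain controller address.
        dc_ips = {rdata for zone, _name, rdata in by_type["A"] if zone == ad_zone}
        for zone, name, rdata in by_type["A"]:
            if zone == external_zone and name == external_zone and rdata in dc_ips:
                findings.append(f"{external_zone} apex A record resolves to domain controller {rdata}")

        # 4. AD registers its SRV records under the AD zone; none belong in the public zone.
        if not any(zone == ad_zone for zone, _name, _rdata in by_type["SRV"]):
            findings.append(f"no SRV records under {ad_zone}; AD should have registered _ldap._tcp etc.")
        for zone, name, _rdata in by_type["SRV"]:
            if zone == external_zone:
                findings.append(f"SRV {name} is published in the external zone")

    return findings


if __name__ == "__main__":
    for label, recs, ad in (("recommended", RECOMMENDED_RECORDS, "corp.example.com"),
                            ("original plan", ORIGINAL_PLAN_RECORDS, "example.com")):
        print(f"{label}:")
        for finding in check_layout(recs, "example.com", ad) or ["ok"]:
            print("  -", finding)
```

Running it reports nothing for the recommended layout and two findings for the original plan (AD named the same as the public domain, and an MX that points at an address). Checks 3 and 4 are skipped once the zones coincide, since in that case the apex problem is already the first finding.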