When creating a new forest in Active Directory on my domain controller running Windows Server 2012 R2, I was prompted to specify a root domain name. Must the domain name be registered and owned by me? What would happen if I enter a domain registered and owned by other people like microsoft.com? Later on, when I try to add a Windows computer to this domain, will it go out onto the internet and search for microsoft.com, or would it search only in its subnet (my domain controller)? Would it be safe/preferable to just enter a domain that is owned, like microsoft.com?

2 Answers

The name of an Active Directory domain is only for internal usage, thus you could name it anything you want; however, in an Active Directory environment, the domain name also acts as the DNS suffix for all computers in the domain, and the domain controllers act as internal DNS servers which are (or at least behave as if they were) authoritative for that DNS domain.

What this means is, if the AD domain name conflicts with an actual domain name that exists on the Internet, all DNS queries for that domain would be answered by your DCs, and not by the actual Internet DNS servers which manage it. In your case, if you name your domain "microsoft.com", then you would have all sorts of problems when trying to connect to Microsoft sites or services, because you wouldn't be able to query the public DNS servers for that domain (as your internal DNS servers would believe they rightfully own it).

Incidentally, the same is true if you use your real public DNS domain as your Active Directory domain: things are of course a lot simpler because you actually own them both, but this still requires you to maintain two distinct DNS setups for the same domain, one for the Internet and one for your internal network.

As a best practice, you should use a subdomain of your public DNS domain as your AD domain name; if, e.g., your public domain is "domain.com", you could use "internal.domain.com" or "ad.domain.com" or whatever, as long as it's a valid subdomain; this will ensure no conflicts and a lot less headaches.

You should, anyway, not use any domain name you don't actually own, even if it's not currently active (because it could still be registered later by someone other than you, and headaches would ensue).

  • Thank you so much for the constructive answer! Could you clarify more on what you mean by "Active Directory domain is only for internal usage"? Does it mean that if I want the Windows PCs to join the domain, they must be in the same network, meaning they can't join my domain through the internet without a VPN? Does it also mean that Windows PCs connected to the domain can only logon on the domain and not offline/through the internet (if I specify them to authenticate with the domain controller)? Also, does it mean that I must have a VPN to access files stored on that server? – Aaron Aug 11 '15 at 12:56
  • An Active Directory domain is managed by Domain Controllers, which should *never* be directly exposed on the Internet (that would be a *massive* security hole). Consequently, yes, only computers that are physically connected to your network or using a VPN connection can join the domain and talk to other domain computers. – Massimo Aug 11 '15 at 12:58
  • There is, however, an exception: if a user successfully logs in to his computer using his domain account while the computer is connected to the network, and then the computer is disconnected (such as a laptop which is brought home), then the user can continue to log in, because his credentials are cached by the computer. However, he can't access internal network resources unless he comes back to the office, or establishes a VPN connection. – Massimo Aug 11 '15 at 13:01
  • Let's say I have a simple network that looks like this: Internet --> Router --> Domain Controller --> PCs. The DC only runs AD, DHCP & DNS. In this case, is my domain controller exposed on the internet? Are the only ways of protecting my domain controller from the internet not having a physical connection to the internet or a firewall, or is it settings inside Windows Server? – Aaron Aug 11 '15 at 13:08
  • It depends on your network setup; usually, a router performs NAT for your internal network, thus your computers are unreachable from the outside unless you explicitly publish something. However, this is getting quickly out of scope, and it's better suited for a different question. – Massimo Aug 11 '15 at 13:12
  • The NAT part answered my question. Thank you so much for your help, I really appreciate it! – Aaron Aug 11 '15 at 13:18

As a best practice you only configure the local DC as a DNS server for the computers (no external DNS).

Thus it means that all queries for *.microsoft.com will be answered by your DC, and will mostly make them fail as unknown if they try to go to a site like support.microsoft.com or anywhere else.

With country TLDs now you can have a lot of domain names and it costs nothing; no reason at all not to own it.

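Both answers come down to the same pre-flight rule: the forest root name should be a subdomain of a zone you own, and it must not be a name that already exists on the public Internet, because once the DCs are authoritative for it no query under that name will ever reach public DNS. The script below is an added example (not code from either answer or from Microsoft) that checks a candidate name against those rules before you run the forest wizard. It assumes the `Resolve-DnsName` cmdlet (Windows 8 / Server 2012 and later) and Internet reachability to a public resolver; `ad.example.com`, `example.com` and the resolver address are constructed placeholders to replace with your own values.

```powershell
# Added example: pre-flight check of a proposed Active Directory forest root name.
# Not part of the original answers. Placeholder values: replace with your own.
param(
    [string]$CandidateRoot   = 'ad.example.com',  # what you would type into the forest wizard (placeholder)
    [string]$OwnedPublicZone = 'example.com',     # a public domain you actually own (placeholder)
    [string]$PublicResolver  = '8.8.8.8'          # any public recursive resolver (assumption: reachable)
)

$problems = @()

# 1. Require a proper multi-label DNS name. Single-label roots such as "CORP"
#    are not supported for new forests, and odd characters cause trouble later.
if ($CandidateRoot -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
    $problems += "'$CandidateRoot' is not a valid multi-label DNS name."
}

# 2. The root must be a *strict* subdomain of a zone you own: not the public zone
#    itself (that forces two DNS setups for one name) and not anybody else's domain.
$suffix = '.' + $OwnedPublicZone.ToLower()
if (-not $CandidateRoot.ToLower().EndsWith($suffix)) {
    $problems += "'$CandidateRoot' is not a subdomain of the zone you own ($OwnedPublicZone)."
}

# 3. Ask a public resolver whether anything already exists at that name. After the
#    DCs become authoritative, public records under it are shadowed for every
#    domain member. Resolve-DnsName throws on NXDOMAIN, so the catch branch is the
#    *good* outcome here; -DnsOnly skips LLMNR/NetBIOS so only real DNS is consulted.
$publicRecords = @()
foreach ($type in 'A', 'AAAA', 'NS', 'SOA') {
    try {
        $publicRecords += Resolve-DnsName -Name $CandidateRoot -Type $type `
            -Server $PublicResolver -DnsOnly -ErrorAction Stop
    } catch {
        # No record of this type: expected for a name that is not in public DNS.
    }
}
if ($publicRecords.Count -gt 0) {
    $problems += "'$CandidateRoot' already has $($publicRecords.Count) public DNS record(s); " +
                 "your DCs would shadow them for every domain member."
}

# 4. Report. Any problem here means: pick another name before creating the forest,
#    because renaming an AD forest afterwards is far more work than choosing well now.
if ($problems.Count -eq 0) {
    Write-Output "OK: '$CandidateRoot' is a subdomain of '$OwnedPublicZone' and has no public records."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Output "Choose a different forest root name."
}
```

Save it as `Test-ForestRootName.ps1` and run it as `.\Test-ForestRootName.ps1 -CandidateRoot ad.yourdomain.tld -OwnedPublicZone yourdomain.tld`. Running it with `-CandidateRoot microsoft.com -OwnedPublicZone yourdomain.tld` trips both the ownership check and the public-records check, which is exactly the situation the question asks about: the name would pass the wizard, but every query for the real microsoft.com would then be answered (and mostly refused) by your own DCs.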