Best practice all over the internet would have you believe that the sky will fall on your head if you register company.com as your public domain name and then use that same domain name in Active Directory (here, and here for example). Yet in all those dire warnings, the only concrete reason I have ever seen is that users on internal DNS must type www.company.com in order to access the external website instead of just company.com. MS has hinted at some "future compatibility" that will be broken, but this wisdom has been around since at least Server 2008 judging from forum posts I've read on the subject.
For some reason, it seems that many of these warnings are also assuming that if you are using the same DNS name for AD, that you are exposing your AD zone to the internet and allowing all internal names to be resolved externally. That is most definitely not what I'm asking about.
Let's say I ignore this advice and use company.com as my AD name. Potential issues are:

- Typing company.com in a web browser will try to go to a domain controller instead of www.company.com. Not even remotely an issue.
- Internal names are all still internal. There is no dc01.company.com A record in our internet-accessible zone file. External names like www, vpn, mail are all unrelated to our internal DNS.
- This TechNet article warns of things like "less flexible, less automated DNS operations" and "instable [sic] operations and sub-optimal performance" but offers no details or reasons.
Let's say I follow this advice that so many people have taken to heart and use ad.company.com. I now have to deal with the following issues:

- Have a different NETBIOS name that does not match the domain name. That doesn't really bother me, but it's something you have to think of.
- The default UPN suffix when creating users in ADUC is @ad.company.com. The user's UPN suffix should match their email address, so anyone who creates users has to know which UPN suffix to use and that it is not the default. One more thing to forget.
- AD still requires the ad.company.com DNS zone to run. If I want computers to be resolvable as computer.company.com I have to manage another DNS zone, as well as the DNS registration suffix and search suffix.
All this so people don't have to type "www" (which is so far from an actual problem for me it's not even on my radar)?
What is the actual danger of using the publicly registered domain name as the AD domain name?
Bonus question: What is the purpose of having company.com point to a domain controller in the first place when AD has a whole _msdcs namespace for AD-related information?
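As an added illustration (not part of the question), the script below lists the DC locator records Netlogon registers for a given AD DNS name and checks them against a constructed sample of the public company.com zone. It shows that the apex A record is the only name the two views disagree on, that none of the underscore/_msdcs records exist publicly, and which public names the internal zone must duplicate once it is authoritative for company.com (none when the AD name is ad.company.com).

```python
# Added example: DC locator names vs. the public zone for a given AD DNS domain name.
# Sample public zone below is constructed; the GUID-based record uses a placeholder.

def netlogon_records(ad_domain, site="Default-First-Site-Name"):
    """(owner name, type) pairs a DC registers for a single-domain forest,
    following the DC locator records Windows writes to netlogon.dns."""
    d = ad_domain.rstrip(".").lower()
    guid = "<domain-guid>"  # placeholder for the domain's objectGUID
    return {
        (d, "A"),                                     # LdapIpAddress: the domain apex itself
        (f"_ldap._tcp.{d}", "SRV"),
        (f"_ldap._tcp.{site}._sites.{d}", "SRV"),
        (f"_ldap._tcp.dc._msdcs.{d}", "SRV"),
        (f"_ldap._tcp.pdc._msdcs.{d}", "SRV"),
        (f"_ldap._tcp.{guid}.domains._msdcs.{d}", "SRV"),
        (f"_kerberos._tcp.{d}", "SRV"),
        (f"_kerberos._udp.{d}", "SRV"),
        (f"_kpasswd._tcp.{d}", "SRV"),
        (f"_kpasswd._udp.{d}", "SRV"),
        (f"_gc._tcp.{d}", "SRV"),
        (f"gc._msdcs.{d}", "A"),
    }

# Constructed sample of what the internet-facing company.com zone serves.
PUBLIC_ZONE = {
    ("company.com", "A"), ("company.com", "MX"), ("www.company.com", "A"),
    ("mail.company.com", "A"), ("vpn.company.com", "A"),
}

def audit(ad_domain, public_zone):
    """Compare AD's required names with the public zone.
    apex_collision: the bare name answers differently inside (DC) and outside (web).
    locator_leaks: AD-only locator records that somehow exist in the public zone.
    public_names_in_ad_namespace: public names the internal zone must also carry,
    because internal clients can no longer reach the public zone for them."""
    apex = ad_domain.rstrip(".").lower()
    needed = netlogon_records(ad_domain)
    apex_collision = (apex, "A") in public_zone
    leaks = {n for (n, t) in needed if (n, t) in public_zone and n != apex}
    dup = {n for (n, _) in public_zone if n == apex or n.endswith("." + apex)}
    return {"apex_collision": apex_collision,
            "locator_leaks": sorted(leaks),
            "public_names_in_ad_namespace": sorted(dup)}

if __name__ == "__main__":
    for name in ("company.com", "ad.company.com"):
        print(name, audit(name, PUBLIC_ZONE))
```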