Why should I choose a subdomain of my registered domain for AD (besides having to type "www" to access the comapny website?)

Question

Best practice all over the internet would have you believe that the sky will fall on your head if you register company.com as your public domain name and then use that same domain name in Active Directory here, and here for example. Yet in all those dire warnings, the only concrete reason I have ever seen is that users on internal DNS must type www.company.com in order to access the external website instead of just company.com. MS has hinted at some "future compatibility" that will be broken but this wisdom has been around since at least server 2008 judging from forum posts I've read on the subject.

For some reason, it seems that many of these warnings are also assuming that if you are using the same DNS name for AD, that you are exposing your AD zone to the internet and allowing all internal names to be resolved externally. That is most definitely not what I'm asking about.

Let's say I ignore this advice and use company.com as my AD name. Potential issues are:

• Typing company.com in a web browser will try to go to a domain controller instead of www.company.com. Not even remotely an issue.

• Internal names are all still internal. There is no dc01.company.com A record in our internet accessible zone file. External names like www, vpn, mail are all unrelated to our internal DNS.

• This TechNet article warns of things like "less flexible, less automated DNS operations" and "instable[sic] operations and sub-optimal performance" but offers no details or reasons.

Let's say I follow this advice that so many people have taken to heart and use ad.company.com. I now have to deal with the following issues:

• have a different NETBIOS name that does not match the domain name. That doesn't really bother me but it's something you have to think of.

• The default UPN suffix when creating users in ADUC is @ad.company.com. The user's UPN suffix should match their email address so anyone who creates users has to know which UPN suffix to use and that it is not the default. One more thing to forget.

• AD still requires ad.company.com DNS zone to run. If I want computers to be resolvable as computer.company.com I have to manage another DNS zone, as well as the DNS registration suffix and search suffix.

All this so people don't have to type "www" (which is so far from an actual problem for me it's not even on my radar)?

What is the actual danger of using the publicly registered domain name as the AD domain name?

Bonus question: What is the purpose of having company.com point to a domain controller in the first place when AD has a whole _msdcs namespace for AD related information?

Answer 1

have a different NETBIOS name that does not match the domain name. That doesn't really bother me but it's something you have to think of.

Not at all, when creating a domain, you are definitely able to specify the NetBIOS name of the domain.

The default UPN suffix when creating users in ADUC is @ad.company.com. The user's UPN suffix should match their email address so anyone who creates users has to know which UPN suffix to use and that it is not the default. One more thing to forget.

If not there already, one should be rapidly approaching the time of automated, or scripted on-boarding of new accounts. This will alleviate your concerns about what might happen if a user was created with the wrong UPN suffix.

Alternatively, it is a trivial matter to simply have a nightly clean up task that looks for user accounts with the incorrect UPN suffix and updates accordingly.

All this so people don't have to type "www" (which is so far from an actual problem for me it's not even on my radar)?

No; I believe the purpose is to avoid Split-brain DNS where two different DNS infrastructures are responsible for the same namespace. Though, the fact that it is not a problem for you now does not mean that it will not become a problem in the future for you or your successors - especialy since this is a best practice, so solution vendors may start to design solutions with that in mind.

What is the actual danger of using the publicly registered domain name as the AD domain name?

I don't know that there is a huge "danger" (certainly not one that you would view as a danger - since you have not referenced any of the other potential concerns in the article); however, it has been my experience that when one is presented with a generally accepted (and actual - as defined by the vendor) "Best Practice" one does not deviate from the best practice without a valid business or technical reason.

---

Edit: For what its worth - in the most respectful way possible - I do not see any valid business or technical reason presented that would justify why Best Practices should be ignored. So, I would suggest to be kind to your employer and your successors - and start with an environment that is aligned with best practices.

Answer 2

The user's UPN suffix should match their email address so anyone who creates users has to know which UPN suffix to use and that it is not the default.

There's no technical reason that the UPN Suffix needs to match the email address.

Microsoft's idea was that users remember their email addresses more readily then they remember their usernames, so using a UPN Suffix/User Principal Name that matches the email address would make the logon process easier and more intuitive for users. The problem is that it never really caught on.

One reason that you might want the UPN Suffix to match the email address is if you're synchronizing your on premises users to Office 365. Again, this isn't a technical requirement, but it makes things easier and more intuitive for the users when accessing Office 365 services, like Exchange Online and Sharepoint Online.