Internal (AD) vs. external (Internet) DNS namespace

Discussion in 'Active Directory' started by AI, Jan 30, 2005.

  1. AI

    AI Guest

    I am planning a migration from NT 4.0 to Active Directory, and the first step
    is to design the DNS namespace. There are four options. If the company has
    the registered Internet domain, for AD you can use:

    1. The same namespace as the company's registered domain, i.e

    2. A subdomain, e.g.,,

    3. A different registered domain, e.g.

    4. A fake TLD, e.g. mycompany.local, mycompany.internal

    Since this is a question that anyone designing AD needs to answer before
    beginning, I would have expected to find a wealth of information about it.
    To my surprise and frustration, I have had a remarkably hard time finding any
    good, detailed, specific analysis about the relative merits and demerits of
    each option. To be sure, the topic comes up frequently in articles about AD
    design and technical forums, but it seems that it is always treated very
    superficially. Even Microsoft's own deployment guide doesn't go into the
    topic in any depth. Most discussions either just state what the options are,
    without saying a whole lot about the reasons to use or avoid each one, or
    will simply say "The best practice is X" and "Y is not recommended", without
    going into detail about why (and different articles/discussions contradict
    each other). Whenever reasons are given, they are always very generic and
    vague. I've also tried asking around, but unfortunately I've only been able
    to get answers saying "Here's how I suggest that you do it" or "Here's
    another possibility" or "There's more than one way to do it, you have to
    choose from your options" (thanks, but that was the setup for my question,
    not an answer to it). Sometimes people will answer by discussing one
    particular advantage or disadvantage to one particular option, or two if I'm

    There has got to be some better information or discussion out there about
    such a commonly faced topic. Can anyone provide or point me toward a source
    of specific, detailed, in-depth analysis about the pros, cons, and caveats of
    the different options for internal AD DNS namespace with respect to external
    AI, Jan 30, 2005

  2. Herb Martin

    Herb Martin Guest

    There is no "correct" answer -- at least not for everyone.

    It's a matter of choice, style, comfort, etc.

    BTW, you are picking a DOMAIN name, not really a
    "namespace" which is the sum of all domain names that
    can be resolved within a particular hierarchy or by a
    particular DNS server. One might be choosing within
    which namespace that domain belongs so you will sometimes
    see "namespace planning" which is not technically wrong but
    puts the emphasis in the wrong place.

    There is a slight problem with this (although it is definitely
    workable): It disallows contacting your company web
    server by its DOMAIN name alone FROM INTERNAL
    clients. Internet clients can do that but your internal folks
    will not (generally) be able to type just ""
    but will need to use
    Probably the fewest apologies later -- but you have
    to explain it to your users (sometimes) etc.
    Actually this is practically equivalent to #1, and may
    actually be MORE confusing.

    AND it should always be registered even if you use
    it for nothing else but holding (parking) the name.

    Another variation on this theme -- which may be the
    overall best choice is: (or org etc.)
    if you can get it too.
    Normally called a (purely) Internal or Private name. One not valid
    on the Internet. It is similar to #3 except you MAKE UP something,
    usually 'local'

    Don't pick anything ever likely to actually be added to the
    Internet in this case.
    There really isn't much more than I gave you above
    although there are tons of articles about this in the
    Resource Kit and on the MS site*

    Do be sure to follow the following guidelines:

    All domain names are AT LEAST TWO "labels" or "tags"
    Right: Wrong: domain.
    Also right:

    All "labels" (or "tags") in the name: 14 characters or LESS.
    All labels start with: Alphabetic character
    All labels can have alphanumeric only (after the first) characters

    * Google:
    [ ~choosing domain dns name "active directory" ]
    There really isn't much and they should spend more
    time on the simple rules above, and mention the inability
    to use the bare domain name for the web site FROM INTERNAL
    Yes, the vagueness is legitimate complaint.
    Best is to give a real expert (there are plenty on these
    newsgroups) YOUR setup and let them talk about YOUR

    Have an external name registered, wish to use same name
    for email, etc. etc.
    The Pro's don't go deep here because it isn't worth
    the trouble.

    I personally never use the .local idea -- I just don't like
    it -- but I would if I ran into a company that I thought
    met the criteria for this being the best choice.

    I personally like the SAME NAME -- it's no harder to
    setup correctly despite what you may hear or read, but it
    DOES have that bare name for the web site problem. is cool if you really wanted a name different than
    your Internet presence. is no worse than the others except
    sometimes it too will confuse your users because they
    need to use one name for their domain and another for
    their email account. BUT you can setup a UPN that
    uses that parent (main domain/email name) instead.

    Another choice.
    Herb Martin, Jan 30, 2005
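The naming rules Herb lists above (at least two labels, each 14 characters or fewer, starting with a letter, alphanumeric only) and the four namespace options from the original post can be turned into a small checker. The script below is an added example for this thread, not code from either poster; it applies the rules exactly as stated in the thread (so hyphens are rejected, as Herb's rule implies), classifies a candidate AD name against the company's public name, and reports the caveat the thread attaches to each option. The names `mycompany.com` and friends are placeholders, and the set of made-up suffixes contains only the two named in the thread (`local`, `internal`).

```python
"""Check a candidate Active Directory DNS domain name against the rules given
in the thread and classify it as one of the four namespace options.

Added example for this thread (not any poster's code). Rules implemented are
the ones stated above: at least two labels, each label <= 14 characters,
starting with a letter, alphanumeric only. Anything beyond that (e.g. real
DNS label limits) is deliberately not modelled.
"""

import re

# One label: a letter followed by up to 13 alphanumerics (14 total), per the thread.
LABEL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,13}$")

# Made-up (non-Internet) suffixes named in the thread for option 4.
PRIVATE_TLDS = {"local", "internal"}

# Caveats the thread attaches to each option (paraphrased from the posts above).
CAVEATS = {
    1: ["internal clients cannot reach the public web site by the bare domain name;",
        "internal DNS must carry its own copies of records for public hosts"],
    2: ["logon domain differs from the e-mail domain unless a UPN suffix for the",
        "parent (public) domain is added"],
    3: ["register the name (park it) even if it is used for nothing else"],
    4: ["never valid on the Internet; do not pick a suffix likely to be added to",
        "the Internet later"],
}


def check_labels(name):
    """Return a list of rule violations; an empty list means the name passes."""
    labels = name.rstrip(".").split(".")
    problems = []
    if len(labels) < 2:
        problems.append("needs at least two labels (e.g. 'domain.tld', not 'domain')")
    for lab in labels:
        if lab == "":
            problems.append("empty label (doubled or trailing dot)")
        elif len(lab) > 14:
            problems.append(f"label '{lab}' is longer than 14 characters")
        elif not lab[0].isalpha():
            problems.append(f"label '{lab}' does not start with a letter")
        elif not LABEL_RE.match(lab):
            problems.append(f"label '{lab}' contains non-alphanumeric characters")
    return problems


def classify(ad_name, public_name):
    """Map the AD name onto the thread's option numbers 1-4 relative to the public name."""
    ad = ad_name.lower().rstrip(".")
    pub = public_name.lower().rstrip(".")
    tld = ad.rsplit(".", 1)[-1]
    if ad == pub:
        return 1, "same name as the registered Internet domain"
    if ad.endswith("." + pub):
        return 2, "subdomain of the registered Internet domain"
    if tld in PRIVATE_TLDS:
        return 4, "made-up private suffix, not valid on the Internet"
    return 3, "a different registered domain"


def evaluate(ad_name, public_name):
    """Combine the rule check and the classification into one report dict."""
    option, description = classify(ad_name, public_name)
    return {
        "name": ad_name,
        "option": option,
        "description": description,
        "rule_violations": check_labels(ad_name),
        "caveats": CAVEATS[option],
    }


if __name__ == "__main__":
    # Placeholder names constructed for the example.
    for candidate in ("mycompany.com", "ad.mycompany.com", "mycompany.net",
                      "mycompany.local", "1corp.mycompany.com", "averyveryverylonglabel.com"):
        report = evaluate(candidate, "mycompany.com")
        print(f"{candidate}: option {report['option']} ({report['description']})")
        for problem in report["rule_violations"]:
            print("  rule violation:", problem)
```

Run it with the candidate names you are weighing against your registered domain; the classification is what lets you look up the matching caveat in the posts above, and the rule check catches the "labels" mistakes Herb says the articles should spend more time on.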

  3. AI

    AI Guest

    I understand that. If there were one correct way to do it, it would be well
    documented and I'd follow it. It's precisely because there are several ways
    to do it that I'm looking for a better understanding of the specific reasons
    for and against each option. What I'm looking for isn't someone to tell me
    "this is how you should do it", I'm looking for an explanation of what are
    the advantages, disadvantages, and pitfalls of the different options, so that
    I have a more complete basis for making the choice.
    Okay, my understanding is that the issue with using the same domain name
    internally and externally is that if you use one set of DNS servers, you
    expose your internal hostnames, whereas if you use separate sets of DNS
    servers for internal and external resolution, you need to enter the A records
    twice for any servers that need to be available to both internal and external

    My first question is: other than the extra administration of adding a few A
    records to two DNS servers, are there any other reasons why this is a bad
    idea? I often see this option being treated as if it's conventional wisdom
    that it's a bad idea, with vague references to "security", but other than
    what I outlined above, are there any other problems with this?

    My second question is, why wouldn't the internal clients be able to resolve
    the company's web site using just the domain name? If both the internal and
    external DNS servers have A records for the domain name that point to the web
    server's IP address (the "(same as parent folder)" record in Windows DNS),
    wouldn't everybody be able to reach the web site by domain name alone,
    without the "www"?
    You say "probably the fewest apologies later" - why? This is exactly the
    kind of information I'm having trouble finding. What "apologies" (i.e.
    problems) would I encounter with the other options that I wouldn't with this

    Also, if I do choose this option, would there be any problem with choosing a
    NetBIOS name for the domain that is different from the lowest level in the
    domain name? For example, if I use, would there be a
    problem with using MYCOMPANY as the NetBIOS name rather than INTERNAL, so
    that when users log on they can select the company name from the domain list?
    Okay...*why* is this the overall best choice? What advantages does it have
    over the other choices?
    Can you point to any? As I said, I've looked through everything I could
    find, and it's always been very vague, generic, and skimpy on specific
    Believe me, I've googled this topic to death.
    Are you saying that there largely aren't too many reasons why it matters,
    and that with the exception of a few minor issues each way works just as well
    as the next?
    Well, I have tried that before, but the problem with that is that it tends
    to lead toward "this is what you should do" type answers, rather than
    information about the different options that would help *me* make a decision.
    Also, I do think it would be useful to understand the considerations for
    different types of setups, and whether certain options fit certain
    circumstances better than others. In other words, rather than just having
    someone say "Here's the right fit IMUO (in my unexplained opinion) for your
    specific environment", I want to know what benefits and limitations each
    option has to offer.

    However, here's what we have currently: We have a single NT 4.0 domain, and
    will be migrating to a single AD domain. I don't foresee the need to add
    child domains in the life of the AD implementation. We have a registered
    Internet domain name, Two Win2k DNS servers in the DMZ
    provide resolution to external clients for this domain. We have two internal
    DNS domains, and Resolution is
    provided by Win2k DNS servers on the internal LAN. These servers forward to
    the DNS servers in the DMZ, and the servers in the DMZ use root hints.

    Keeping things similar to the way they are now is NOT a major consideration.
    The current DNS structure is rather messy, and I'm more interested in
    scrapping everything and doing it right than trying to keep things as much
    the same as possible. In fact, I don't want to use for AD
    because I'm going to be restructuring rather than upgrading in place (i.e.
    the AD environment will be set up alongside the existing NT 4.0 environment,
    and the accounts, objects, policies, and servers will be migrated into the AD
    domain). I think this process would be better served by not using the
    existing internal domain for AD, so that the two domains can coexist during
    the migration process. Using a subdomain other than "corp", however, such is, is a viable option.
    Okay, I've seen references to using the same name for e-mail internally and
    externally before, but again, it's not clear what the issue is. We currently
    have Exchange 5.5, and might be migrating to 2003. Internally, users select
    names from the GAL, and externally, people e-mail to .
    As long as internal users are all using Outlook in the Exchange client
    configuration and selecting recipients from the GAL, is there any potential
    for problems or confusion if the internal domain name is different from the
    external domain name?
    Are there any particular reasons why you don't like .local? I've seen
    articles saying that this is the best way to go (without much explanation),
    but Microsoft's deployment guide says that it's "not recommended" (again,
    without explaining why).
    To reiterate the question from above, in case it gets overlooked - if I use, would I still be able to use DOMAIN as the NetBIOS name, so
    that users select the company name when they log on, rather than the
    subdomain ("CHILD" in this case)? Are there any problems with the mismatch
    if there will only be one AD domain?
    AI, Jan 30, 2005
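The two consequences of the "same name inside and out" option described in the post above (one shared zone exposes internal hostnames and addresses; two separate zones mean every public host, including the "(same as parent folder)" apex record, has to be entered a second time on the internal servers) can both be checked mechanically. The following is an added example for this thread, not code from any poster: it parses two constructed zone excerpts written in a simplified BIND-style text (Windows DNS stores its zones differently; the format here is just for illustration), reports public names the internal zone lacks, checks that the bare domain name resolves the same way on both sides, and flags any external record that publishes an RFC 1918 address. `example.com` and all addresses are placeholders.

```python
"""Consistency checks for split-brain DNS on the 'same name internally and
externally' option.

Added example for this thread (not any poster's code). Zone data is a
simplified 'owner [ttl] IN A|CNAME rdata' text constructed for the example;
'@' is the zone apex, i.e. the '(same as parent folder)' record in Windows DNS.
"""

import ipaddress

# RFC 1918 ranges: an external zone should never publish these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed external (DMZ) zone for the placeholder domain example.com.
EXTERNAL_ZONE = """
; external zone, served to Internet clients
@        IN A     203.0.113.10      ; bare domain -> web server
www      IN A     203.0.113.10
mail     IN A     203.0.113.25
ftp      IN CNAME www
dc1      IN A     10.0.0.5          ; mistake: internal address in the public zone
"""

# Constructed internal (AD) zone for the same placeholder domain.
INTERNAL_ZONE = """
; internal zone, served to LAN clients
www      IN A     203.0.113.10
mail     IN A     10.0.0.25         ; internal clients reach the mail server directly
dc1      IN A     10.0.0.5
"""


def parse_zone(text):
    """Return {owner: {(rtype, rdata), ...}} for the A and CNAME records in text."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        owner, rest = parts[0], parts[1:]
        if rest and rest[0].isdigit():            # optional TTL field
            rest = rest[1:]
        if len(rest) < 3 or rest[0].upper() != "IN" or rest[1].upper() not in ("A", "CNAME"):
            continue                              # other record types are out of scope here
        owner = "@" if owner == "@" else owner.lower().rstrip(".")
        records.setdefault(owner, set()).add((rest[1].upper(), rest[2].lower().rstrip(".")))
    return records


def missing_internally(external, internal):
    """Public names that internal clients could not resolve from the internal servers."""
    return sorted(name for name in external if name not in internal)


def apex_mismatch(external, internal):
    """True when the bare domain name resolves differently (or not at all) internally."""
    return external.get("@", set()) != internal.get("@", set())


def leaked_private_addresses(external):
    """External A records whose address is RFC 1918: internal detail exposed to the Internet."""
    leaks = []
    for owner, rrs in external.items():
        for rtype, rdata in rrs:
            if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918):
                leaks.append((owner, rdata))
    return sorted(leaks)


def run_checks(external_text, internal_text):
    """Parse both zones and return all three findings in one dict."""
    ext, intl = parse_zone(external_text), parse_zone(internal_text)
    return {
        "missing_internally": missing_internally(ext, intl),
        "apex_mismatch": apex_mismatch(ext, intl),
        "leaked_private_addresses": leaked_private_addresses(ext),
    }


if __name__ == "__main__":
    for key, value in run_checks(EXTERNAL_ZONE, INTERNAL_ZONE).items():
        print(f"{key}: {value}")
```

On the constructed data the apex record and `ftp` are missing from the internal zone (so LAN users could not reach the web site by the bare name or by `ftp`), while `dc1` shows the exposure problem in the other direction. Differing addresses for the same name, as with `mail` here, are the normal and intended case in a split-brain setup and are not flagged.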
