mmcna
Welcome Newcomer
3 Posts
Posted - 07/05/2012 : 10:27:28 AM

What is the latest best practice on domain naming? Internal and external the same; internal a subdomain of the external (dom.example.org); or internal and external different?
(I thought it was important to be a unique DNS zone, myself.)

wkasdo
Administrator
Netherlands
7403 Posts
Posted - 07/05/2012 : 11:32:48 AM

> I thought it was important to be a unique DNS zone
It is. Both the FQDN and the NetBIOS name should be as unique as possible, because you cannot create trusts between domains of the same name. If you ever have a merger, that can become expensive. Hint: don't have a NetBIOS name of "AD" ...
Make it as simple as you can, but not simpler -- Albert Einstein

Jazzy
Administrator
Netherlands
1926 Posts
Posted - 07/05/2012 : 12:10:00 PM

On the other hand, don't make it too unique, because you don't want to have to rename your AD when the name of the company changes.
Regarding the best practices, there has been much debate about the characteristics of split DNS or no split DNS. Basically this hasn't changed over time; as far as I know there's not a single best practice.
Jetze Mellema
Exchange specialist Former MVP (2005-2012) My blog: http://jetzemellema.blogspot.com (Dutch) My company: http://www.imara-ict.nl/

mmcna
Welcome Newcomer
3 Posts
Posted - 07/08/2012 : 08:57:05 AM

Let me focus in on the problems with having the internal and external domain name the same. I have a vendor that is recommending a local school district do just that. I will use schoolk12.org as an example. Besides schoolk12.org not resolving on the inside (main web pages), can anyone come up with other problems doing this besides DNS?

Jazzy
Administrator
Netherlands
1926 Posts
Posted - 07/08/2012 : 09:37:43 AM

> Besides schoolk12.org not resolving on the inside (main web pages)
This is not a problem. They should maintain the DNS zone schoolk12.org in the internal DNS servers and manually add records for www, webmail, portal or any other records they have in the external zone. If you wish you can call that a disadvantage, a bit more management in maintaining DNS.
The advantage is that if they need a certificate with both internal and external names on it, it's much cheaper.
Jetze Mellema
Exchange specialist Former MVP (2005-2012) My blog: http://jetzemellema.blogspot.com (Dutch) My company: http://www.imara-ict.nl/
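The split-zone setup described in the post above, as an added example that is not part of the thread and not any poster's own script: it creates an internal copy of the public zone on an AD-integrated DNS server, mirrors the public records by hand, and then checks which names resolve from inside. It assumes the DnsServer PowerShell module, a DC named dc1.schoolk12.org, and the addresses shown (all constructed placeholders); "@" is used as the shorthand for the zone apex.

```powershell
# Added example (not from the thread): internal copy of the public zone
# schoolk12.org on an AD-integrated DNS server, plus the public records that
# internal clients still need. Requires the DnsServer module (RSAT or a DC).
# Server name and IP addresses are constructed placeholders.
Import-Module DnsServer

$Zone         = "schoolk12.org"
$DnsServer    = "dc1.schoolk12.org"   # assumed internal DNS server / DC
$PublicWeb    = "203.0.113.10"        # assumed public web server (documentation range)
$InternalMail = "10.0.0.25"           # assumed internal Exchange client-access address

# 1. Create the zone if it does not exist yet (AD-integrated, forest-wide replication).
if (-not (Get-DnsServerZone -Name $Zone -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Forest -ComputerName $DnsServer
}

# 2. Mirror the externally published records. Anything that exists in the public
#    zone and must be reachable from inside has to be added here by hand;
#    otherwise internal lookups return NXDOMAIN (the "main web pages" problem).
$Records = @(
    @{ Name = "@";       IPv4 = $PublicWeb }    # zone apex = the main web site ("@" assumed apex shorthand)
    @{ Name = "www";     IPv4 = $PublicWeb }
    @{ Name = "webmail"; IPv4 = $InternalMail } # internal users go straight to the internal server
    @{ Name = "portal";  IPv4 = $PublicWeb }
)
foreach ($r in $Records) {
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $r.Name -RRType A `
                    -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $r.Name -IPv4Address $r.IPv4 `
            -ComputerName $DnsServer
    }
}

# 3. Verify against the internal server: a name missing from the internal zone fails here.
foreach ($n in "schoolk12.org", "www.schoolk12.org", "webmail.schoolk12.org", "ftp.schoolk12.org") {
    try {
        $a = Resolve-DnsName -Name $n -Type A -Server $DnsServer -ErrorAction Stop
        "{0,-26} -> {1}" -f $n, (($a | Where-Object Type -eq "A").IPAddress -join ", ")
    } catch {
        "{0,-26} -> not resolvable internally (add the record to the internal zone)" -f $n
    }
}
```

The verification loop is the operational point of the post: every new public record (here ftp is deliberately left out) has to be copied into the internal zone, so a periodic comparison of the public zone against the internal one is worth scripting.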

mmcna
Welcome Newcomer
3 Posts
Posted - 07/08/2012 : 11:26:18 AM

So creating a new domain as a split zone would be your recommendation?

Jazzy
Administrator
Netherlands
1926 Posts
Posted - 07/08/2012 : 11:37:40 AM

I don't think there's a single correct answer for that question. Personally I love split-zone DNS and think there are more pros than cons. But if you believe you increase security by not telling outsiders your internal AD and DNS name, it's probably not for you.
Jetze Mellema
Exchange specialist Former MVP (2005-2012) My blog: http://jetzemellema.blogspot.com (Dutch) My company: http://www.imara-ict.nl/

Pieter
Old Timer
Belgium
522 Posts
Posted - 07/12/2012 : 02:48:19 AM

I'm with Jazzy. I like the split zone setup.
FYI: you can also use any domain name you like for the User Principal Name (looks like an email address) for logon. That suffix doesn't have to be the same as the domain name. It gives you the possibility to have 3 different names:
- NetBIOS domain name
- DNS domain name
- domain name for logon (with UPN)
That doesn't make it easier, but it's a possibility.

Pieter Demeulemeester
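The three names Pieter lists, shown side by side and then a user given a logon UPN on a suffix that differs from the AD DNS name, as an added example that is not part of the thread and not any poster's own script. It assumes the ActiveDirectory PowerShell module and uses a constructed user (jdoe) and suffix (schoolk12.org).

```powershell
# Added example (not from the thread): the NetBIOS name, the DNS name and the
# UPN suffixes of one forest, then an explicit UPN for a user on an extra suffix.
# Requires the ActiveDirectory module; user and suffix are constructed placeholders.
Import-Module ActiveDirectory

$Domain = Get-ADDomain
$Forest = Get-ADForest

# The three names a forest can present to users and applications.
[PSCustomObject]@{
    NetBIOSDomainName = $Domain.NetBIOSName                 # e.g. SCHOOL  (logon as SCHOOL\jdoe)
    DnsDomainName     = $Domain.DNSRoot                     # e.g. ad.schoolk12.org (implicit UPN suffix)
    UpnSuffixes       = ($Forest.UPNSuffixes -join ", ")    # additional suffixes usable for logon
}

# Register an extra suffix forest-wide (only if it is not there yet).
$LogonSuffix = "schoolk12.org"   # assumed: the public mail domain, used for logon
if ($Forest.UPNSuffixes -notcontains $LogonSuffix) {
    Set-ADForest -Identity $Forest -UPNSuffixes @{ Add = $LogonSuffix }
}

# Give one user an explicit UPN on that suffix. sAMAccountName and the
# NetBIOS-style logon (SCHOOL\jdoe) are unchanged; only user@suffix changes.
$User = Get-ADUser -Identity "jdoe" -Properties UserPrincipalName
Set-ADUser -Identity $User -UserPrincipalName ("{0}@{1}" -f $User.SamAccountName, $LogonSuffix)

# Show the result: both logon forms now exist for the same account.
Get-ADUser -Identity "jdoe" -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName,
        @{ n = "NetBIOSLogon"; e = { "{0}\{1}" -f $Domain.NetBIOSName, $_.SamAccountName } }
```

Changing a UPN is a change to an identifier that other systems may have stored (mail, federation, application databases), so test it on a pilot account and check which applications key on the UPN before doing it in bulk.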

Jazzy
Administrator
Netherlands
1926 Posts
Posted - 07/12/2012 : 03:09:04 AM

And if you're planning to use ADFS in the future, you need a UPN which is resolvable on the internet. Another argument for split zone DNS. :)
Jetze Mellema
Exchange specialist Former MVP (2005-2012) My blog: http://jetzemellema.blogspot.com (Dutch) My company: http://www.imara-ict.nl/

NMDANGE
Honorable But Hopeless Addict
USA
2054 Posts
Posted - 07/12/2012 : 09:25:47 AM

Matching your public domain makes things nicer with UPNs, Exchange, Lync, DFS etc. It is my preferred option as well...
The problem I have with things like .local is they aren't really standard TLDs. I'd rather go with a subdomain than .local
Michael D'Angelo (former)MVP-MIIS, Pace University Senior Systems Administrator (Windows) (MS)NMDANGE PhoeniX WorX Systems Administrator. If you play Total Annihilation, please join us. http://www.phoenixworx.org

Mark Minasi
Chief cook and bottle washer
USA
10658 Posts
Posted - 07/12/2012 : 1:37:20 PM

+1 to Jetze's comment. O365 ABSOLUTELY needs this if you're going to do anything big. It imposes a new rule... all UPN suffixes must match the domain name. (Bummer... I always liked being able to give people UPNs that matched their favorite personal emails.)
Mark tweetin' at mminasi

Jazzy
Administrator
Netherlands
1926 Posts
Posted - 07/12/2012 : 4:02:51 PM

ADFS needs this, Mark. Okay, Office 365 is the most important reason why businesses start using identity federation.
By the way, besides the implicit UPN (samAccountName@DNSdomain) we can give the user any explicit UPN we want. If your users use a UPN the same as their email address, and those are in four different SMTP domains, you could configure ADFS for those four domains too. Heck, for ADFS you can even use a domain that has nothing to do with your existing SMTP or AD domains. So actually my argument for split-zone DNS is not really valid. You need a UPN resolvable on the internet; this can be your AD domain name but can also be a different name.
Jetze Mellema
Exchange specialist Former MVP (2005-2012) My blog: http://jetzemellema.blogspot.com (Dutch) My company: http://www.imara-ict.nl/

aval
Honorable But Hopeless Addict
USA
3272 Posts
Posted - 07/12/2012 : 6:30:38 PM

> But if you believe you increase security by not telling outsiders your internal AD and DNS name, it's probably not for you.
I'm really beginning to wonder to what extent this really protects you?
If you look at the header of an email, you can see the name of the sending server and the internal domain name. Not even sure if address rewriting would do away with that completely (assuming you have an Edge server)?
Not to mention the domain names that may be visible on your certs.
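A way to measure the two exposure paths named in the post above (mail headers and certificates), as an added example that is not part of the thread and not any poster's own script: it scans a message header for hostnames under the internal suffix and lists certificates in the local machine store whose subject or SANs carry that suffix. The suffix ad.schoolk12.local, the hostnames and the header text are all constructed.

```powershell
# Added example (not from the thread): where is the internal AD/DNS name already
# visible outside? Checks a mail header (constructed sample) and the local
# machine certificate store. The internal suffix below is a placeholder.
$InternalSuffix = "ad.schoolk12.local"

function Find-InternalNameInHeaders {
    param([string]$HeaderText, [string]$Suffix)
    # Host-like tokens ending in the internal suffix, e.g. HUB01.ad.schoolk12.local
    $pattern = '(?i)\b[a-z0-9][a-z0-9.-]*\.' + [regex]::Escape($Suffix) + '\b'
    [regex]::Matches($HeaderText, $pattern) | ForEach-Object { $_.Value } | Sort-Object -Unique
}

function Find-InternalNameInCertificates {
    param([string]$Suffix, [string]$StorePath = "Cert:\LocalMachine\My")
    # Subject CN or any SAN entry carrying the internal suffix is disclosed to
    # every client that connects over TLS to the service using that certificate.
    Get-ChildItem $StorePath | Where-Object {
        $_.Subject -like "*$Suffix*" -or (($_.DnsNameList.Unicode -join " ") -like "*$Suffix*")
    } | Select-Object Thumbprint, Subject, NotAfter,
            @{ n = "SANs"; e = { $_.DnsNameList.Unicode -join ", " } }
}

# Constructed sample header: an outbound message relayed via an internal hub
# and an Edge server. Only the first Received line was written by the outside MX.
$SampleHeader = @"
Received: from edge01.schoolk12.org (203.0.113.25) by mx.example.net with ESMTP; Thu, 12 Jul 2012 18:30:00 +0000
Received: from HUB01.ad.schoolk12.local (10.0.0.25) by edge01.schoolk12.org with Microsoft SMTP Server
Received: from EXCH01.ad.schoolk12.local ([fe80::1]) by HUB01.ad.schoolk12.local with mapi
Message-ID: <1234@EXCH01.ad.schoolk12.local>
"@

"Internal hosts visible in the mail header:"
Find-InternalNameInHeaders -HeaderText $SampleHeader -Suffix $InternalSuffix

"Certificates in the machine store carrying the internal name:"
Find-InternalNameInCertificates -Suffix $InternalSuffix
```

Run against a real message received at an external mailbox, the header check shows whether header firewalling on the Edge server actually strips the internal Received lines and Message-ID; the certificate check is the list of names that will be visible in any TLS handshake, which is the same list that matters when the public-name certificate mentioned earlier in the thread is issued.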

Jazzy
Administrator
Netherlands
1926 Posts
Posted - 07/14/2012 : 03:07:26 AM

Agreed, I don't see how not telling your AD domain increases security. In general I see the point, there's no need to publish all technical details of your environment on the public website.
Jetze Mellema
Exchange specialist Former MVP (2005-2012) My blog: http://jetzemellema.blogspot.com (Dutch) My company: http://www.imara-ict.nl/