ITKnowledge Exchange member "TheVyrys" asked:
I'm looking for some direction on DNS and domain naming. I am setting up a fresh Windows 2003 domain. I have two DCs, one Exchange server and one Web server. All clients are running on Windows XP and the servers are all Windows 2003.
Our ISP takes care of DNS right now on our NT domain. We have a Web server in place that is behind a firewall with NAT. Our ISP points "mycompany.com" to our Web server's public IP address, then I NAT it to our Web server.
My question is: When I create a name for my new domain, what is the best practice for DNS? Should I use domain.mycompany.com or should I just use completely separate, like domain.local?
If we change our Web site's name (such as mycompany.com to newcompany.com), how will this affect my internal domain structure if I use domain.mycompany.com?
First things first: Put your Web server in a DMZ environment. It sounds like you have it inside the firewall on your internal network according to your initial question. That's a bad idea because if they own your Web server, your domain controller is not far behind.
Second, it doesn't matter what you name your internal network because you should have a totally separate DNS (a.k.a., split DNS). Your internal servers should not use your external servers and likewise for the external ones. The internal servers know about the inside systems and the external one knows about what's outside and in the DMZ only.
Consequently, if your company changes its name from companya to companyb, you would most likely change your domain structure to match anyway. It wouldn't matter if it were companya.com, companya.net, companya.local, etc. If it has companya associated with it, you'd probably want to change it.
I like the idea of using ad.company.local because it specifies that it is both active directory and internal (of course, it's not fun to type all of the time). The external servers will be .com, .net or .org, depending on what you are using. Then you also do not have a problem resolving to your own Web and FTP servers from the inside domain because they would simply query the root servers and make their way back to your external DNS to resolve your server IP correctly.
Domain.local or domain.lan is a rubbish way of doing it, even in Windows. If you ever want any sort of integration in the future, then rip your domain apart. Using <internal>.mydomain.com is loads better and any non-Windows techs will thank you for using DNS properly. I'd also recommend getting your DNS back from your ISP, unless you want a load of stale records polluting your DNS for the next 10 years.
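The split-DNS arrangement both replies describe, as an added example that is not part of the original thread: the zone data, the internal suffix and the helper functions are constructed assumptions. The audit flags public-view records that expose the internal namespace or RFC 1918 addresses, and the lookup shows an inside client answering the AD namespace locally while falling through to the public zone for the Web server, whether the internal suffix is ad.mycompany.local or a subdomain like ad.mycompany.com.

```python
import ipaddress

# Constructed sample zone data (assumption, not from the thread). Format: "<name> A <address>".
INTERNAL_ZONE = """
dc1.ad.mycompany.local A 10.0.0.10
dc2.ad.mycompany.local A 10.0.0.11
exchange.ad.mycompany.local A 10.0.0.20
"""
# Public view, deliberately seeded with two mistakes the audit should catch.
EXTERNAL_ZONE = """
www.mycompany.com A 203.0.113.10
mail.mycompany.com A 203.0.113.20
dc1.ad.mycompany.local A 10.0.0.10
ftp.mycompany.com A 192.168.1.5
"""

# RFC 1918 space: addresses that only make sense behind the NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Parse 'name A address' lines into {name: [address, ...]}."""
    records = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "A":
            continue  # ignore anything that is not a simple A record
        records.setdefault(parts[0].lower().rstrip("."), []).append(parts[2])
    return records


def in_namespace(name, suffix):
    """True when name is the suffix itself or a host beneath it."""
    return name == suffix or name.endswith("." + suffix)


def audit_external_zone(external, internal_suffix):
    """Flag public-view records that leak the internal namespace or RFC 1918 addresses."""
    findings = []
    for name, addrs in external.items():
        if in_namespace(name, internal_suffix):
            findings.append(("internal-name", name))
        for addr in addrs:
            if any(ipaddress.ip_address(addr) in net for net in RFC1918):
                findings.append(("private-address", name))
    return findings


def resolve(name, from_inside, internal, external, internal_suffix):
    """Split-horizon lookup: inside clients get the internal zone for the AD
    namespace and fall through to the public zone for everything else;
    outside clients only ever see the public zone."""
    name = name.lower().rstrip(".")
    if from_inside and in_namespace(name, internal_suffix):
        return internal.get(name)  # answered locally, never forwarded outside
    return external.get(name)
```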
This was first published in June 2005