
Best practices for DNS on a new domain

ITKnowledge Exchange member "TheVyrys" had a question about what happens with the DNS when changing a domain name; read the advice other forum members gave.



ITKnowledge Exchange member "TheVyrys" asked:
I'm looking for some direction on DNS and domain naming. I am setting up a fresh Windows 2003 domain. I have two DCs, one Exchange server and one Web server. All clients are running on Windows XP and the servers are all Windows 2003.

Our ISP takes care of DNS right now on our NT domain. We have a Web server in place that is behind a firewall with NAT. Our ISP points "" to our Web server's public IP address, then I NAT it to our Web server.

My question is: When I create a name for my new domain, what is the best practice for DNS? Should I use or should I just use completely separate, like domain.local?

If we change our Web site's name (such as to, how will this affect my internal domain structure if I use

First things first: Put your Web server in a DMZ environment. It sounds like you have it inside the firewall on your internal network according to your initial question. That's a bad idea because if they own your Web server, your domain controller is not far behind.

Second, it doesn't matter what you name your internal network because you should have a totally separate DNS (a.k.a., split DNS). Your internal servers should not use your external servers and likewise for the external ones. The internal servers know about the inside systems and the external one knows about what's outside and in the DMZ only.

Consequently, if your company changes its name from companya to companyb, you would most likely change your domain structure to match anyway. It wouldn't matter if it were,, companya.local, etc. If it has companya associated with it, you'd probably want to change it.

I like the idea of using because it specifies that it is both Active Directory and internal (of course, it's not fun to type all of the time). The external servers will be .com, .net or .org, depending on what you are using. Then you also do not have a problem resolving to your own Web and FTP servers from the inside domain because they would simply query the root servers and make their way back to your external DNS to resolve your server IP correctly.

Domain.local or domain.lan is a rubbish way of doing it, even in Windows. If you ever want any sort of integration in the future, then rip your domain apart. Using <internal> is loads better and any non-Windows techs will thank you for using DNS properly. I'd also recommend getting your DNS back from your ISP, unless you want a load of stale records polluting your DNS for the next 10 years.
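As an added illustration (not part of the thread), here is a small Python model of the two designs the replies compare: an internal DNS server hosting only the AD subdomain `ad.companya.com`, versus one that claims the whole public name `companya.com`. Names and addresses are constructed, and a referral is simplified to handing back the child zone directly (no NS records, glue or caching).

```python
"""Toy model of split DNS: the internal resolver answers from the zones it
hosts and walks the public tree for everything else (simplified, no caching)."""
from dataclasses import dataclass, field

def labels(name):
    """'www.companya.com.' -> ('com', 'companya', 'www'); root -> ()."""
    name = name.rstrip(".")
    return tuple(reversed(name.split("."))) if name else ()

@dataclass
class Zone:
    apex: str
    records: dict = field(default_factory=dict)      # fqdn -> IPv4 (A record)
    delegations: dict = field(default_factory=dict)  # child apex -> Zone

def closest(zones, name):
    """Most specific zone (longest apex) that encloses name, or None."""
    hits = [z for z in zones if labels(name)[:len(labels(z.apex))] == labels(z.apex)]
    return max(hits, key=lambda z: len(labels(z.apex)), default=None)

def resolve(name, hosted, root):
    """Resolve like an AD DNS server: answer from a zone it hosts itself if one
    encloses the name, otherwise iterate from the root. Returns (ip, path)."""
    zone = closest(hosted, name) or root
    path = []
    while True:
        path.append(zone.apex or "<root>")
        child = closest(zone.delegations.values(), name)
        if child is not None:          # referral down the public tree
            zone = child
            continue
        return zone.records.get(name), path   # None == NXDOMAIN at the authority

# Constructed data (documentation address ranges, not real hosts).
PUBLIC_WEB, PRIVATE_DC = "203.0.113.10", "10.0.0.5"
external = Zone("companya.com", {"www.companya.com": PUBLIC_WEB})   # ISP/DMZ view
com = Zone("com", delegations={"companya.com": external})
root = Zone("", delegations={"com": com})

# Design A (the advice above): internal DNS hosts only ad.companya.com.
ad_zone = Zone("ad.companya.com", {"dc1.ad.companya.com": PRIVATE_DC})
# Design B: internal DNS claims the whole public name companya.com.
flat_zone = Zone("companya.com", {"dc1.companya.com": PRIVATE_DC})

if __name__ == "__main__":
    for design, hosted in (("A subdomain", [ad_zone]), ("B flat", [flat_zone])):
        for q in ("www.companya.com", "dc1.ad.companya.com", "dc1.companya.com"):
            print(design, q, resolve(q, hosted, root))
    print("from outside:", resolve("dc1.ad.companya.com", [], root))
```

In design A the internal server resolves `www.companya.com` by walking root, `com` and the external server and gets the public address, while in design B the query dies inside the locally hosted `companya.com` zone; an outside query for `dc1.ad.companya.com` never reaches the internal zone, which is the separation the replies describe.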

This was last published in June 2005
