I was always taught to use an internal domain name (company.local or company.corp) for Active Directory instead of a public one (company.com or company.pl). Recently we were thinking that by using an external domain name we could get some advantages for things like certificates for Exchange, SharePoint and the like, where the internal and external names would be exactly the same, making it unnecessary to buy special certificates.

What are the advantages and disadvantages of both? What could be a potential problem when doing so and what could be a big advantage?

MadBoy

3 Answers

I've built and supported dozens of Active Directory forests over the last decade, from building 10-user SBS servers to taking over management of a 6,000-user forest with 50+ DCs and redesigning the whole thing. I can say I see no reason NOT to use your .com Internet domain name for the AD forest name if you plan properly. Microsoft stopped recommending using a .local domain years back due to Bonjour incompatibilities with older Mac OS X versions, and for the reasons you're citing. The idea from Win2000 days to make a "memberless" root domain with your main domain being a sub-domain is also out the window due to better tools and management now.

Reasons to do "split-brain" DNS with the Internet and AD domains being the same:

  1. Best reason: URLs for web apps are the same inside and out for users (recommend adding your internal domain name to the IE intranet security zone through GPO)
  2. Option to easily make logons and email addresses the same (the NT4 way of logon is domain\user, but modern Windows also takes username@domain.com)
  3. OCS/Lync SIP address same as email and login
  4. You can use your public certs for internal servers rather than your private CA

Negatives:

  1. Split-tunnel VPNs. The complexity comes into play when client computers outside your network need to decide whether to use the public IP for website.domain.com or the internal one. Often companies (in order to be cheap and save bandwidth) set up client Windows VPN settings for split-tunnel, which tells Windows to only send traffic to the intranet that is destined for internal names/IPs. When DNS can resolve the same names inside and outside the network, which should it choose to use? Windows will give you mixed results for which DNS records (private or public) to use for the client. My recommendation: don't allow split-tunneling in client VPNs.
Bret Fisher

DNS management is the primary headache that you'll run into.

  • Domain resolution:

Systems in the domain expect to be able to resolve for the domain controllers when they request the FQDN of the domain. This is an issue if your users, say, want to access the web site by putting company.com in their browsers; that DNS entry must point instead to the domain controllers (and the users will need to enter www.company.com for the web site).

  • Double zone management:

Similarly, your Active Directory servers will be set to be authoritative for the company.com zone. So, you'll effectively be managing two copies of the zone: the one in Active Directory, and the one that Internet users will see. All the entries that your internal users will need to access will need to be created and updated in both places.


The advantage that you cited for certificates can be had with some DNS trickery, without necessarily needing to commit to overlapping forever. On the other hand, it's helpful from a usability perspective for users' email addresses to match their User Principal Name.

Shane Madden
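The two DNS headaches described in this answer (the zone apex having to point at the domain controllers, and every public record users need having to be duplicated into the AD-integrated copy of the zone), together with the "which address will the client get, inside or outside?" question raised in the previous answer, can be audited rather than eyeballed. The following PowerShell is an added example and is not code from either answerer. It assumes hypothetical values: the AD domain is company.com, the script runs on a domain controller with the DnsServer and ActiveDirectory RSAT modules installed, and 8.8.8.8 is reachable as a resolver that returns the public copy of the zone. For every internal A record it reports whether the name is internal-only, resolves to the same address inside and out (no split at all), or is genuinely split-brain; it then flags public names that are missing from the internal zone (which would return NXDOMAIN to domain members) and an apex record that does not belong to a DC.

```powershell
<#
Added example, not code from the original answers.
Assumptions (hypothetical): zone company.com, run on a DC with the DnsServer
and ActiveDirectory modules, 8.8.8.8 reachable as a public resolver.
#>
param(
    [string]$Zone           = 'company.com',
    [string]$PublicResolver = '8.8.8.8',
    # Public names users must reach from inside. The internal server is
    # authoritative for the zone, so each one has to exist internally too.
    [string[]]$MustMirror   = @('www', 'mail', 'autodiscover')
)

Import-Module DnsServer
Import-Module ActiveDirectory

function Resolve-Public([string]$Name) {
    # Query the public resolver directly (-DnsOnly bypasses the local cache,
    # LLMNR and NetBIOS) and keep only the final A records, following any CNAME.
    Resolve-DnsName -Name $Name -Type A -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'A' } |
        ForEach-Object { $_.IPAddress }
}

# 1. Every A record held by the AD-integrated zone, compared with the public view.
$rows = @(foreach ($rr in Get-DnsServerResourceRecord -ZoneName $Zone -RRType A) {
    $fqdn    = if ($rr.HostName -eq '@') { $Zone } else { "$($rr.HostName).$Zone" }
    $inside  = $rr.RecordData.IPv4Address.IPAddressToString
    $outside = @(Resolve-Public $fqdn)
    # internal-only : never visible from outside (DCs, file servers, ...)
    # same-address  : public IP used inside as well; no split, traffic may hairpin
    # split-brain   : private IP inside, public IP outside; the intended design
    $state = if ($outside.Count -eq 0) { 'internal-only' } elseif ($outside -contains $inside) { 'same-address' } else { 'split-brain' }
    [pscustomobject]@{ Name = $fqdn; Internal = $inside; Public = ($outside -join ','); State = $state }
})

# 2. Public names that were never copied into the internal zone.
foreach ($label in $MustMirror) {
    $have = Get-DnsServerResourceRecord -ZoneName $Zone -Name $label -RRType A -ErrorAction SilentlyContinue
    if (-not $have) {
        $rows += [pscustomobject]@{
            Name     = "$label.$Zone"
            Internal = ''
            Public   = (@(Resolve-Public "$label.$Zone") -join ',')
            State    = 'missing-internally'
        }
    }
}

# 3. The zone apex must keep resolving to domain controllers inside the network;
#    pointing it at a web server breaks DC location for domain members.
$dcAddrs = @((Get-ADDomainController -Filter *).IPv4Address)
foreach ($row in ($rows | Where-Object { $_.Name -eq $Zone })) {
    if ($dcAddrs -notcontains $row.Internal) { $row.State = 'apex-not-a-dc' }
}

$rows | Sort-Object State, Name | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a DC (or pass -ComputerName to the DnsServer cmdlets for a remote one). Anything in the missing-internally or apex-not-a-dc states is a concrete instance of the double-zone problem above; the same-address rows are the ones worth a second look for VPN clients, since inside and outside agree only by accident and a split-tunnel client will take whichever answer it gets first.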

Having been involved in a lengthy (and very expensive) AD migration project, I have become a fan of having an internal AD that is "generic" with regard to your business name. If you are in a business that may be bought or merged with another business, you may find that you don't necessarily need to change your AD domain because of a business decision.

For example, if you are in the shoe business you could purchase a domain name like corpshoe.net and only use it for Active Directory. Your corporate website and email can stay the same as your regular domain names, and if your company changes, your AD doesn't have to.

I also believe that you should own your AD name in the external world. It just makes everything easier.

johnh
    We need to change our domain name now because we have a single-label domain name, which brings us a lot of problems, so we're looking into proper rename options – MadBoy Mar 20 '11 at 20:43
  • +1 I am not a fan of sharing the AD domain with anything external even if it can technically be done. IMO, you're just promoting confusion. We even make it a point to break out our internal AD DNS forward zone from other OS'es so that there is no confusion there either. – BoxerBucks Mar 21 '11 at 19:26