internal vs. external name space

Question
I've been working with Active Directory for a good 10 years, but there is one thing I'd like to get a better understanding of, and that is internal vs. external names spaces.
From what I've gathered, Microsoft recommends a scenario like this: You buy a domain name from your Registrar "company.com". That's your external namespace. For your internal name space, you'd create a child domain of the root domain called "corp.company.com". (I've mostly dealt with different internal vs. external name spaces, like "company.com" and "domain.local".
1) When you join a computer to the domain, which domain are you joining? Or, would you have a choice between the two? At the computer's logon screen, what would it say under "log on to"? would it be COMPANY, CORP.COMPANY, COMPANY.COM, OR CORP.COMPANY.COM?
2) Some Registrars allow you to specify your own name servers (SOA's?). Can you use Microsoft DNS servers as name servers? How is this secure -- how do you not expose Active Directory contents? Would those DNS servers be joined to the domain, or no? If so, which domain would they be joined to? Would it be more secure to keep those DNS servers independent, and on the perimeter of your network?
3) If the AD domain "corp.company.com" was hosting websites for other businesses with other domain names, what would you need to do? What kind of DNS setup does Microsoft recommend for a small business web hosting company? How could you leverage Active Directory to host web sites? Or, would it be better to keep the DNS and IIS servers independent (stand-alone)?
Wednesday, July 6, 2011 3:53 PM
All replies
Internal & external domain names can be the same or different, like corp.ab.com for internal & corp.com for external, or any other name, but a single-label domain is not preferable. The internal domain is used for hosting AD for internal purposes such as authorization as well as defining permissions for objects, whereas the external domain name is used for hosting the website for the public & its DNS records are mostly on the ISP's DNS server.
AD contains private data & is used for internal purposes like authentication for domain resources, which can be confidential files or other information shared with other users for business purposes. If it is exposed to the internet, there is a huge risk of sustaining an attack, but being in the internal LAN it can be better secured by allowing only very restricted ports to be opened, followed by firewall implementation.
Naming conventions in Active Directory for computers, domains, sites, and OUs
http://support.microsoft.com/kb/909264
The external domain is just used for hosting websites & you are not using it for hosting any websites. Normal DNS is configured at the ISP end to allow users to access the published information. The internal domain is used for joining computers to the domain, since AD is hosted internally & you have control of it.
Normally, websites are registered with the ISP & their DNS is used for external name resolution instead of spending money to get your own DNS server hosted, which requires maintenance & administration cost, so normally it is given to the ISP & the records are registered with them.
Split-brain DNS is used for different namespaces for internal & external domain names.
Split-Brain DNS
http://msdn.microsoft.com/en-us/library/ms954396.aspx
Regards
Awinish Vishwakarma| CHECK MY BLOG
Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.
- Marked as answer by Arthur_Li (Microsoft contingent staff) Friday, July 8, 2011 1:22 AM
Wednesday, July 6, 2011 4:17 PM
From what I've gathered, Microsoft recommends a scenario like this: You buy a domain name from your Registrar "company.com". That's your external namespace. For your internal name space, you'd create a child domain of the root domain called "corp.company.com". (I've mostly dealt with different internal vs. external name spaces, like "company.com" and "domain.local".
Where have you found that?
1) When you join a computer to the domain, which domain are you joining? Or, would you have a choice between the two? At the computer's logon screen, what would it say under "log on to"? would it be COMPANY, CORP.COMPANY, COMPANY.COM, OR CORP.COMPANY.COM?
You are joining your Active Directory domain. For logon you use the NetBIOS or DNS name of your domain.
2) Some Registrars allow you to specify your own name servers (SOA's?). Can you use Microsoft DNS servers as name servers? How is this secure -- how do you not expose Active Directory contents? Would those DNS servers be joined to the domain, or no? If so, which domain would they be joined to? Would it be more secure to keep those DNS servers independent, and on the perimeter of your network?
You have to specify your needs and your environment so that we can give you details.
3) If the AD domain "corp.company.com" was hosting websites for other businesses with other domain names, what would you need to do? What kind of DNS setup does Microsoft recommend for a small business web hosting company? How could you leverage Active Directory to host web sites? Or, would it be better to keep the DNS and IIS servers independent (stand-alone)?
To host a domain with the DNS name website.com, you can create a new zone named website.com and create a www A record with the wanted IP address.
For IIS questions, post here: http://forums.iis.net/
Please detail your need or give a detailed scenario. Note that if your domain name is the same as your public DNS name, split DNS can be used in specific scenarios.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator
Wednesday, July 6, 2011 4:34 PM
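The zone-plus-A-record step described in this reply, as an added PowerShell example that is not from the thread or any of its posters. It assumes the DnsServer module (Windows Server 2008 R2 or later, or RSAT), that it runs on the DNS server that will be authoritative for the customer's name, and that "website.com" and 203.0.113.10 are placeholders for the customer's domain and the IIS host's public address. The zone is file-backed rather than AD-integrated, so the server that hosts it needs no domain membership and carries none of the AD zone data:

```powershell
# Added example (not from the thread): host a customer's public zone on a
# stand-alone Windows DNS server without touching the AD zone.
# Assumptions: DnsServer module available; zone name and IP are placeholders.
Import-Module DnsServer

$zone      = 'website.com'     # placeholder: customer's registered domain
$webIp     = '203.0.113.10'    # placeholder: public IP of the IIS host (TEST-NET-3 range)
$dnsServer = 'localhost'       # run this on the authoritative server itself

# File-backed primary zone: no AD integration, no dynamic updates from the internet.
if (-not (Get-DnsServerZone -Name $zone -ComputerName $dnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -DynamicUpdate None -ComputerName $dnsServer
}

# The record the reply describes: www -> web server
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'www' -IPv4Address $webIp -ComputerName $dnsServer

# Restrict zone transfers to the zone's own listed name servers, so the full zone
# cannot be pulled (AXFR) by arbitrary hosts.
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToZoneNameServer -ComputerName $dnsServer

# Verify what this server actually answers
Resolve-DnsName -Name "www.$zone" -Type A -Server $dnsServer | Format-Table Name, Type, IPAddress
```

The registrar still has to point website.com's NS records at this server before anyone on the internet reaches it; until then the zone is only visible to clients that query the server directly, which is a convenient way to test before delegation.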
I guess overall I'm concerned with the relationship between the name you use internally, and the external name held with the registrar. What IS that relationship? How does AD deal with it? What is the real advantage of using the same external name, or a child of that domain, for your internal space? My point is, if the Registrar's name servers are authoritative (not your internal domain), then why choose the same name?
1.) I supported several small & med-sized businesses whose internal and external name spaces differed. Domain.local was used internally, whereas company.com was used externally. A and MX records used "company.com", but pointed to the IP address of the resources that were required from the internal domain (smtp, RDP, http, https, etc.)
I've never had the opportunity to see an environment with more than one domain. So, I'm just curious to know what would happen if you have a forest containing "company.com" and "corp.company.com".... Will they both show up as a joinable domain?
2.) I have no example to give other than I'd like to control my own internet records rather than using the Registrar or ISP. Assuming it is possible, it would just be my prerogative. I'm curious to know how to configure DNS, and where to put it on my network, in a situation like that.
3.) That is helpful.
Wednesday, July 6, 2011 5:14 PM
Hello,
1. This depends on where in your LAN the machine should be added; for the child domain as in your example, you use the NetBIOS name of the child domain or the FQDN of the child domain. The name you have bought for external use has nothing to do with the step of joining machines to the domain.
2. Sure, you must have a domain-internal DNS server anyway; no DNS server, no domain controller installation, as you already realized.
3. You have to create new zones in the DNS forward lookup zones for the new name and add the records for the web server that are used for this.
For all details see the articles Awinish already posted the links to, especially about split-brain DNS, and also see:
http://technet.microsoft.com/en-us/library/cc759036(WS.10).aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Marked as answer by Arthur_Li (Microsoft contingent staff) Friday, July 8, 2011 1:22 AM
Wednesday, July 6, 2011 5:17 PM
I guess overall I'm concerned with the relationship between the name you use internally, and the external name held with the registrar. What IS that relationship?
No relationship.
How does AD deal with it?
AD uses your internal DNS servers for DNS resolution.
What is the real advantage of using the same external name, or a child of that domain, for your internal space?
I don't see the advantage. For security reasons, they should not be the same.
My point is, if the Registrar's name servers are authoritative (not your internal domain), then why choose the same name?
What do you mean?
I've never had the opportunity to see an environment with more than one domain. So, I'm just curious to know what would happen if you have a forest containing "company.com" and "corp.company.com".... Will they both show up as a joinable domain?
If these are public DNS names then they cannot be joined, as they are not based on AD; they are just DNS zones with DNS records.
2.) I have no example to give other than I'd like to control my own internet records rather than using the Registrar or ISP. Assuming it is possible, it would just be my prerogative. I'm curious to know how to configure DNS, and where to put it on my network, in a situation like that.
For internal DNS resolution control, create a zone with the same name as the external. Add records you want and use it for internal DNS resolution.
For changes on an external zone, you have to contact your ISP.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator
Wednesday, July 6, 2011 5:23 PM
Hello rldean,
What is the real advantage of using the same external name, or a child of that domain, for your internal space? Each has its pros and cons. For your users, it's easiest to have the same internal and external name. For security, it's best to have completely separate names. I generally go with the same internal and external name. However, I have many years of experience and understand the extra management and configuration that this option requires to maintain service availability and security. Here is some information with regard to that option...
Active Directory Domain Name Considerations when Using the Same Internal and External Domain Name
http://www.anitkb.com/2010/03/active-directory-domain-name.html
My point is, if the Registrar's name servers are authoritative (not your internal domain), then why choose the same name? I generally choose the same so that the end users do not have to distinguish internal from external resources. When they need to access a resource, they just have to know the host name; the domain name is the same internally and externally. Generally, you use a split-DNS design to accommodate this option.
I've never had the opportunity to see an environment with more than one domain. So, I'm just curious to know what would happen if you have a forest containing "company.com" and "corp.company.com".... Will they both show up as a joinable domain? So in an AD forest, all domains trust each other by default. That does not necessarily give you/the end user the ability to join any domain that you wish. That's all handled by rights and permissions. However, a user in the forest could log into one domain and access resources in another if the resource has been shared and the end user granted the appropriate permissions. From a logon dialog box (for example from XP), yes, you would see the option to log on to more than one domain. A user can only log on to a domain that they have an account defined on.
Visit: anITKB.com, an IT Knowledge Base.
- Marked as answer by Arthur_Li (Microsoft contingent staff) Friday, July 8, 2011 1:22 AM
Wednesday, July 6, 2011 6:03 PM
So, it sounds like I'm overcomplicating the issue. You're all telling me that the internal infrastructure (AD, DNS, DC's) has nothing to do with external Internet records (A, MX, etc.). I should not confuse the two; they are completely independent of each other. A DC will not update the Registrar's internet records, and vice versa.
...but...
Is there an instance where you'd want your company's DNS server to act as an internet name server (SOA, record holder, etc., not the ISP or registrar)? The idea being that, you wouldn't have to manage internet records at a separate location... So, you add a mail server, join it to the domain, and this updates DNS, and at the same time, updates the internet records...
Do most big businesses use a scenario like that? Or, do they manage their internet records separately through the ISP/Registrar?
---also---
I noticed in my current company's infrastructure, I can join either "company.com" OR "companycom". The root of AD says "company.com". We only have one internal domain (as far as I can tell). "Company.com" is also our external A record.... Does this mean we have a split-brain DNS? How can I tell if we're split-brained?
Wednesday, July 6, 2011 9:09 PM
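One way to answer the "how can I tell if we're split-brained?" question above, as an added PowerShell example that is not from the thread or any of its posters. It assumes the DnsServer module, that dc01.company.com is a placeholder for one of the internal DNS servers, that 1.1.1.1 stands in for any public recursive resolver, and that the host names in $names are placeholders. A split-brain setup shows up as the same zone name existing internally with answers that differ from the public ones; the check also flags names that the public zone has but the internal copy lacks, which is the usual way a split-brain zone breaks internal clients:

```powershell
# Added example (not from the thread): is "company.com" served split-brain?
# Compares what the internal DNS server and a public resolver return for the same
# names, and checks whether the internal copy of the zone carries AD locator records.
# Assumptions: DnsServer module; server names, resolver and host names are placeholders.
Import-Module DnsServer

$domain   = 'company.com'        # placeholder: name used both internally and externally
$internal = 'dc01.company.com'   # placeholder: an internal DNS server (typically a DC)
$public   = '1.1.1.1'            # assumption: any public recursive resolver will do
$names    = @("www.$domain", "mail.$domain", "autodiscover.$domain")  # placeholders

# 1. Does the internal server hold its own authoritative copy of the zone?
$zone = Get-DnsServerZone -Name $domain -ComputerName $internal -ErrorAction SilentlyContinue
if (-not $zone) {
    "No internal zone for $domain: internal clients resolve it by recursion/forwarding, not split-brain."
    return
}
"Internal zone for $domain found (AD-integrated: $($zone.IsDsIntegrated), type: $($zone.ZoneType))."

# 2. Do AD service records live in that zone? If so, that zone must never be the one
#    published to the internet.
$adSrv = Get-DnsServerResourceRecord -ZoneName $domain -RRType Srv -ComputerName $internal -ErrorAction SilentlyContinue |
         Where-Object { $_.HostName -like '_ldap._tcp*' -or $_.HostName -like '_kerberos._tcp*' }
"AD SRV records in the internal zone: $(@($adSrv).Count)"

# 3. Compare the answers both sides give for the same names.
foreach ($n in $names) {
    $int = (Resolve-DnsName -Name $n -Type A -Server $internal -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'A').IPAddress -join ','
    $ext = (Resolve-DnsName -Name $n -Type A -Server $public -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'A').IPAddress -join ','
    $verdict = if ($int -and $ext -and $int -ne $ext) { 'SPLIT: different answers' }
               elseif ($int -and -not $ext)           { 'internal-only name' }
               elseif (-not $int -and $ext)           { 'missing internally: internal clients cannot reach it' }
               else                                   { 'same answer' }
    '{0,-28} internal={1,-18} public={2,-18} {3}' -f $n, $int, $ext, $verdict
}
```

If step 1 finds the zone and step 3 reports any SPLIT line, the environment is split-brain and every public record has to be maintained in the internal copy as well; if step 2 reports AD SRV records in the same zone, that zone is exactly the data the other replies say must not be reachable from the internet.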
Hi.
Here are some namespace designs for different situations. I mostly recommend a delegated namespace within an externally registered namespace, for example corp.company.com, while you keep the infrastructure for your public namespace separated from the namespace/zone that you reserve for Active Directory. With such a DNS design you decide never to use the reserved namespace "corp" externally, and for nothing else than AD, meaning you can't set up an external website such as web1.corp.company.com, because that would cause an issue for internal clients: they will always ask the internal DNS for *.corp.company.com and assume the DCs/DNS used for AD are responsible for that zone. (This is possible to solve, and the design then falls under the "Segmented Namespace Design"; it will cause administrative overhead as you have to update records both internally and externally.)
FYI: Be careful with using internal namespaces such as company.local, as this will be the primary and default UPN suffix for accounts in your forest. UPNs are used for smart card logons and are also used in various cloud authentication scenarios today, for example BPOS and Office 365, where you need to be able to claim that you own the UPN for users using the service. UPNs can be changed and don't have to match the domain/forest namespace; however, changing that later on may be difficult if you have issued certificates to a couple of thousand smart card users.
Active Directory DNS Namespace Design
Single Namespace:
· Simple design – BUT risk external exposure of namespace and SRV records
· Potential complex set of permissions to update and manage DNS zone information
· SRV records are intermingled with all resource records in the organization
Delegated Namespace:
· Subzone of public namespace is delegated to AD
· Segregates AD SRV records from pub available records
· Management of specific portion of DNS
Internal Namespace:
· Alleviates concerns over who will manage AD portion of DNS
· Can hamper the scalability of AD
Segmented Namespace:
· Allows same namespace for AD both int and ext but not same DNS infrastructure
· Allows isolation of AD DNS infrastructure
· Preserve public scalability
· Most likely manual replication of entries
----------------------------------------------------------
Enfo Zipper
Christoffer Andersson – Principal Advisor
"rldean" wrote in message news:cd27e9a2-3fb9-4a5d-86a7-129392d50bb3...
I've been working with Active Directory for a good 10 years, but there is one thing I'd like to get a better understanding of, and that is internal vs. external name spaces.
From what I've gathered, Microsoft recommends a scenario like this: You buy a domain name from your Registrar "company.com". That's your external namespace. For your internal name space, you'd create a child domain of the root domain called "corp.company.com". (I've mostly dealt with different internal vs. external name spaces, like "company.com" and "domain.local".
1) When you join a computer to the domain, which domain are you joining? Or, would you have a choice between the two? At the computer's logon screen, what would it say under "log on to"? would it be COMPANY, CORP.COMPANY, COMPANY.COM, OR CORP.COMPANY.COM?
2) Some Registrars allow you to specify your own name servers (SOA's?). Can you use Microsoft DNS servers as name servers? How is this secure -- how do you not expose Active Directory contents? Would those DNS servers be joined to the domain, or no? If so, which domain would they be joined to? Would it be more secure to keep those DNS servers independent, and on the perimeter of your network?
3) If the AD domain "corp.company.com" was hosting websites for other businesses with other domain names, what would you need to do? What kind of DNS setup does Microsoft recommend for a small business web hosting company? How could you leverage Active Directory to host web sites? Or, would it be better to keep the DNS and IIS servers independent (stand-alone)?
Enfo Zipper Christoffer Andersson – Principal Advisor
Wednesday, July 6, 2011 9:49 PM
In response to...
Is there an instance where you'd want your company's DNS server to act as an internet name server (SOA, record holder, etc., not the ISP or registrar)? The idea being that, you wouldn't have to manage internet records at a separate location... So, you add a mail server, join it to the domain, and this updates DNS, and at the same time, updates the internet records...
Do most big businesses use a scenario like that? Or, do they manage their internet records separately though the ISP/Registrar?
So yes, there are many instances where your company would have an external-facing internet server rather than the registrar. It usually ends up with which solution costs less and provides a higher degree of reliability. It's not cheap to set up a highly available, redundant set of DNS servers, externally facing. You have the cost of the hardware, licensing, and management of these boxes. For small companies, it's cheaper just to use what's included when you register the domain name. For medium-large companies, you can make a case for why you would host your own DNS.
For most (all in my opinion) implementations, your internal DNS servers used for internal name resolution/hosting of AD records should NOT be externally facing. You do not want to expose your DNS server that hosts your AD zone to the world. Not a good idea, unless you don't care if your internal records can be queried from the internet.
Visit: anITKB.com, an IT Knowledge Base.
Thursday, July 7, 2011 1:15 AM
JM:
Thank you for your replies. Like you described, that is the scenario I've always seen. But, assume for a moment we're dealing with a gigantic corporation. Assume the IT Administrators are tenacious... They want to use 2 Windows 2008 servers for the company's Internet records... Can DNS be installed independently of AD? (I think AD requires DNS, but DNS does not require AD). Where would they put the DNS servers on the network? Would it be the "exterior" network (not on the same business-facing subnet)? Would the DNS servers be joined to a domain, or independent (workgroup mode)?
Thursday, July 7, 2011 2:03 PM
So, DNS does NOT require AD.
If your administrators want to host their own DNS solution, the general practice is to deploy at least two DNS servers on the DMZ network. However, with today's networking technologies, they can be placed on internal segments and just have a network device on the perimeter doing reverse load balancing, app firewall filtering, etc.
To keep the concept simple, they would go on the DMZ. For ensuring reliability, they should go on separate DMZ segments (if possible), different racks, supplied by different power circuits.
So in reality, as long as the internet traffic can get to them, you can place them where you see fit.
They do not have to be domain joined, although they can be. Its up to you according to your network/security design. Many times, the external facing DNS servers are not domain joined, no AD, and are locked down systems.
Visit: anITKB.com, an IT Knowledge Base.
Thursday, July 7, 2011 3:46 PM
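A way to check that a stand-alone, external-facing Windows DNS server matches what JM describes above (no AD data on it, locked down), as an added PowerShell example that is not from the thread or any of its posters. It assumes the DnsServer module and that it runs locally on the DMZ server being audited; the namespace patterns it treats as suspicious (.local, _msdcs.) are the ones discussed in this thread. It reports AD-integrated zones, AD locator SRV records, open zone transfers, non-secure dynamic updates and enabled recursion, since each of those turns a public authoritative server into either a leak of directory data or an open resolver:

```powershell
# Added example (not from the thread): audit a stand-alone external-facing Windows DNS
# server for the points raised above: no AD zones, transfers and updates restricted,
# recursion off.
# Assumptions: DnsServer module; run locally on the DMZ server; nothing here is changed,
# only reported.
Import-Module DnsServer

$findings = @()
$zones = Get-DnsServerZone |
         Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone -and $_.ZoneType -eq 'Primary' }

foreach ($z in $zones) {
    $name = $z.ZoneName

    # An AD-integrated zone on the edge means this server is replicating directory data.
    if ($z.IsDsIntegrated) {
        $findings += "[$name] is AD-integrated: directory-stored zone on an external server"
    }

    # Internal naming conventions from the thread that should never be public.
    if ($name -like '_msdcs.*' -or $name -like '*.local') {
        $findings += "[$name] looks like an internal/AD namespace"
    }

    # Domain controller locator records let anyone enumerate DCs from the internet.
    $adSrv = Get-DnsServerResourceRecord -ZoneName $name -RRType Srv -ErrorAction SilentlyContinue |
             Where-Object { $_.HostName -like '_ldap._tcp*' -or $_.HostName -like '_kerberos._tcp*' -or $_.HostName -like '_gc._tcp*' }
    if ($adSrv) {
        $findings += "[$name] contains $(@($adSrv).Count) AD SRV record(s): domain controllers are discoverable externally"
    }

    # Open zone transfers hand the whole zone to any host that asks.
    if ($z.SecureSecondaries -eq 'TransferAnyServer') {
        $findings += "[$name] allows zone transfer to any server"
    }

    # Non-secure dynamic updates on a public zone let anyone write records into it.
    if ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
        $findings += "[$name] accepts non-secure dynamic updates"
    }
}

# A public authoritative server that also recurses is an open resolver.
if ((Get-DnsServerRecursion).Enable) {
    $findings += 'Recursion is enabled: this server answers recursive queries for anyone'
}

if ($findings) { $findings } else { 'No findings: zones are file-backed, AD-free, transfers and updates restricted, recursion off.' }
```

Each finding maps to a setting on the same server: Set-DnsServerPrimaryZone -SecureSecondaries and -DynamicUpdate for the zone-level items, Set-DnsServerRecursion -Enable $false for recursion, and moving any AD-integrated zone back to the internal DNS servers for the first two.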
I wanted to thank JM, Christoffer, Mr. X. Meinolf, and Awinish for their insight into my theoretical setup. Thank you for your time, and allowing me to bounce ideas around.
The links they provided:
Naming conventions in Active Directory for computers, domains, sites, and OUs
http://support.microsoft.com/kb/909264
Split-Brain DNS
http://msdn.microsoft.com/en-us/library/ms954396.aspx
--other links--
http://technet.microsoft.com/en-us/library/cc759036(WS.10).aspx
Active Directory Domain Name Considerations when Using the Same Internal and External Domain Name
http://www.anitkb.com/2010/03/active-directory-domain-name.html
- Marked as answer by rldean Thursday, July 7, 2011 5:31 PM
Thursday, July 7, 2011 5:30 PM