Home > Articles > Operating Systems, Server > Microsoft Servers

  • Print
  • + Share This
From the author of

Your Domain Name and the Internet

If you plan on having a private network with no presence on the Internet, choosing your domain name is relatively easy. If you want your company to have a presence on the Internet and use the same domain name in your Active Directory implementation, you have a little more work to do. First, if your company already has an Internet presence, you can use your existing domain name in your network. If your company does not, you need to determine your domain name and then register that domain name with Network Solutions (http://www.networksolutions.com) (or your ISP can handle this task for you for a fee). This process will reserve the name and allow you to use it on the Internet for an annual fee. If you want the Internet and your local network to have the same domain name, you should make certain that you can reserve that domain name on the Internet before installing the root domain in the Active Directory. For example, let's say that Smith, Inc. is a new company that wants the domain name of smith.com. When employees register with Network Solutions, they learn that the name is already taken. They now have some decisions to make concerning the domain name they will use. Of course, you do not have to use the same domain name for your local network as the one on the Internet, but most organizations prefer this seamless approach.

Another issue concerns Internet connectivity. If your organization connects to the Internet, your Active Directory DNS root must be unique on the Internet, and it must conform to DNS standards for Internet domain-naming rules. Even if you do not have a presence on the Internet and do not plan to, you should consider registering your DNS name with Network Solutions to avoid potential problems.

However, even if you have an Internet presence, that does not mean you do not have other naming options for your Active Directory implementation. A number of organizations prefer to keep the DNS structure of their private network separate from the Internet for further security. The following sections point out some of the major options you may want to consider.

Use a Subdomain

You can use a subdomain of your root domain for your Active Directory implementation. For example, let's say that adamsint.com is the domain name of the company called Adams International. The Adams International managers use adamsint.com as the domain name on the Internet, but they want their Active Directory implementation to be a subdomain of the root. They could begin the Active Directory root as a subdomain, such as local.adamsint.com. This action separates the internal DNS structure from the public structure. However, when they use a subdomain, the DNS names in the Active Directory will be longer because they are beginning with a subdomain instead of the root. For example, if this company has several child and grandchild domains, a potential DNS name could be server1.acct.corp.east.namerica.local.adamsint.com. As you can see, this can get out of hand. If they choose the subdomain method, the subdomain should be created in a separate zone on a DNS server that will serve the subdomain. They also need to configure the DNS server that is authoritative for the root domain with a delegation record to the other DNS server in the new subdomain.

Firewall

If you want more security, but you do not want to use two different root domains or a subdomain for your Active Directory implementation, you can separate your private and public network with a firewall (or proxy server). This action allows you to create two DNS zones with the same root domain on either side of the firewall. The DNS server on the public side of the network has the records for servers that can be accessed by individuals from the Internet; the internal DNS server contains the network records for the Active Directory. This way, external users can access only certain servers (such as Web servers) inside of the network. Internal clients can access the public DNS server through the file wall for Internet access. Although this configuration is effective, it can be complex—you have to maintain two zones and the records for those zones. The advantage is that you can use one domain root while protecting your private network. Figure 6 shows an example of this configuration.

Figure 6 Same root domain with a firewall division.

Private DNS Name

There is a new draft for the .local first-level domain reserved by the InterNIC for private use. This first-level domain allows you to have an Active Directory naming scheme, such as txcorp.local. The .local domain is designed for private use, and it cannot be registered on the Internet. It is a good solution for separating an existing Internet presence from your private network, but the downside is that the name cannot be used on the Internet. This locks you into a private network; to change the root domain, you have to reinstall the Active Directory forest. Also, any hosts within your network using the .local domain will not be resolved or recognized on the Internet. But for many smaller businesses, this is an effective solution because they can use any name they want without having to worry about registering it.

  • + Share This
  • 🔖 Save To Your Account