15 July 2013, 11:09

Choosing the right domain name is a strategic step when setting up Windows Server DNS and Active Directory: the Active Directory domain name is the one setting you will not be able to change cheaply later. We'll first look briefly at the right way to do it. Then we'll see why the other common choices create trouble and shouldn't be used.

We'll take a practical, professional point of view, i.e. we take the customer's real needs into account: public access (website, FTP site), securing the domain name, future site or company acquisitions and mergers, and so on.






The right way to choose and design the domain name



Domain name authority


We need an Internet-registered domain name, for present and future public access needs (web server, FTP server, ...). We also need it to lock our identity and visibility on the Internet: if we don't register our name, somebody else can.


We also need a second namespace:

We do not want our own servers to be authoritative for the whole registered domain. That only fits very special situations or big companies. Otherwise it is too heavy a duty: several DNS servers in different physical locations, Internet-facing servers that must withstand DNS flooding and spoofing attacks, and a public zone in which every mistake is visible to everyone.

So we use two namespaces: one for externally accessed services (web server, FTP server, ...) and one for internal services (DHCP, DNS, Active Directory, ...). The external domain name stays managed at the registrar's (or a hosted DNS provider's) name servers; our own DNS servers only manage the internal domain name.



Domain name design


To use these two namespaces, we can choose either a subdomain design or a distinct-domain-name design:

two domains using a subdomain





In this case we use a subdomain of our registered, externally used domain name. I like to use 'int' (for internal), but you can use corp, ad (for Active Directory), ...
Example:

external services (web server, ...):      example.com
internal services (DNS, AD, ...):         int.example.com

This is clear and convenient, although it requires a few extra Windows Server settings if you want mail addresses and Active Directory logins to be short and identical: by default users would log in as user@int.example.com, so you add example.com as an alternative UPN suffix in the forest and give users the UPN user@example.com. This is only a cosmetic issue.

Of course, int.example.com must never be delegated or otherwise used in the public example.com zone at the registrar's authoritative DNS servers. Only the internal DNS servers are authoritative for it, and internal clients must use those servers as resolvers so that queries for int.example.com never leak to the Internet.

Two distinct registered domain names




In this case we use a separate, registered domain name for internal services (DNS server, Active Directory, Exchange Server, ...) and another one for external, publicly accessible services (web server, FTP server, ...), changing either the TLD (top level domain, i.e. .com, .net, ...) or the second-level label ('example' here).
Example:

external services (web server, ...):      example.com
internal services (DNS, AD, ...):         example.net

This creates a clear distinction, a real decoupling, between inside needs and outside needs.
AD and mail logins are slick and easy (the UPN-suffix setting described above still applies if users are to log in with their public mail address).
Furthermore, in case of a company acquisition or merger, only the external domain name has to change. We can keep the internal domain name and avoid an Active Directory domain rename or migration: a domain rename is possible in theory, but it is a delicate operation and is not supported at all once Exchange Server is installed in the forest.
Best of all is to choose a 'vendor-neutral' internal domain name, i.e. one that does not carry the company's brand, so that a rebranding does not create pressure to rename the directory.
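As an added, worked example (not code from the original post, written for this article): the PowerShell below builds a new forest under the internal name and then registers the public name as an alternative UPN suffix, which is the 'extra setting' both designs above need if users are to sign in with their public mail address. The names int.example.com, example.com and the NetBIOS name EXAMPLE are assumptions; the script is in two parts because the promotion reboots the server.

```powershell
# Added example, not from the original post. Assumed names: the AD DNS name
# int.example.com (the internal namespace), the public registered name
# example.com and the NetBIOS name EXAMPLE. With the distinct-domain design,
# set $InternalDomain = 'example.net' instead; nothing else changes.

$InternalDomain = 'int.example.com'   # AD DNS name, served only by our own DCs
$PublicDomain   = 'example.com'       # registered name, served by the registrar's DNS
$NetbiosName    = 'EXAMPLE'           # chosen explicitly, not derived from the DNS name

# ---- Part 1: promote the first domain controller (the server reboots at the end) ----
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

Install-ADDSForest `
    -DomainName                    $InternalDomain `
    -DomainNetbiosName             $NetbiosName `
    -ForestMode                    Win2008R2 `
    -DomainMode                    Win2008R2 `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force

# ---- Part 2: run after the reboot, on the new domain controller ----
Import-Module ActiveDirectory

# Register the public name as an alternative UPN suffix for the whole forest.
# Users can then sign in as user@example.com although the directory lives under
# int.example.com; the Kerberos realm stays INT.EXAMPLE.COM.
Set-ADForest -Identity $InternalDomain -UPNSuffixes @{ Add = $PublicDomain }

# Give every user who still carries the internal suffix a public-style UPN.
# Accounts without a UPN (krbtgt, computer accounts) do not match the filter.
Get-ADUser -Filter "UserPrincipalName -like '*@$InternalDomain'" |
    ForEach-Object {
        Set-ADUser -Identity $_ -UserPrincipalName "$($_.SamAccountName)@$PublicDomain"
    }

# Verify: the forest lists the alternative suffix and the UPNs look right.
(Get-ADForest).UPNSuffixes
Get-ADUser -Filter * | Select-Object SamAccountName, UserPrincipalName
```

Mail needs the matching setting on the mail side (example.com as an accepted domain in Exchange); the directory itself never needs to know the public name beyond the UPN suffix.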

Why these two options are the right choices

. The domain names are registered, so they are guaranteed to be unique. Future site or company mergers will be simple at the Active Directory level, with no naming conflict between forests.
. Our domain names are registered, thus secured: nobody else can take them, so we won't be forced to change them for one reason or another, with an Active Directory migration as a consequence.

. We avoid public DNS management, only managing our internal DNS needs.

The choices that shouldn't be made, and why

. Using a single-label domain name (i.e. without a TLD, like 'example'). Microsoft explicitly discourages single-label DNS names for Active Directory; DNS registration, Kerberos and some applications get confused and messy with them.


. Using invented but unregistered domain names. They are not guaranteed to be unique, so future site or company mergers get complicated. Besides, there may be legal issues if the name turns out to belong to someone else. A further practical consequence: public certificate authorities do not issue TLS certificates for names that are not publicly registered, so every internal service that needs a certificate (Exchange, internal web services) must rely on an internal PKI.


. Using an invented TLD: your domain name isn't registered then, so you have the same problems as with a non-registered domain name. Furthermore, this invented TLD may be delegated in the public root later, creating a conflict risk: .corp, .home and .mail were so widely used in private networks that ICANN had to defer their delegation indefinitely.


. Using the .local TLD: this is reserved for multicast DNS (Apple's Bonjour, Avahi on Linux), and mDNS-aware hosts may resolve .local names by multicast instead of asking your DNS servers, which causes conflicts.



RFC technical details

RFC 6761 (special-use domain names) and RFC 6762 (multicast DNS) reserve some TLDs. They are:

.test            reserved for testing (RFC 6761)
.example         reserved for documentation (RFC 6761)
.localhost       reserved for loopback addressing (RFC 6761)
.invalid         reserved for names that must never resolve, to tag something as obviously invalid (RFC 6761)
.local           multicast DNS, link-local (RFC 6762)

They also reserve some second-level domain names (originally set aside by RFC 2606):

example.com      reserved for documentation
example.net      reserved for documentation
example.org      reserved for documentation


A possible lab choice

For test labs, the .test TLD may be used with an invented subdomain (lab.test, for instance). Private DNS servers can resolve such names if they are explicitly configured to be authoritative for them; public DNS servers never will, which is exactly what you want from a lab name.

Otherwise, for private use as well as for test labs, registering a domain name is the best idea. It only costs about 7 €/$ a year (at the time of writing)!
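As an added check (not code from the original post), the function below gathers the rules of the last three sections into one test for a candidate Active Directory DNS name: single-label names, the RFC 6761/6762 special-use TLDs (with .test allowed for a lab via -Lab), the documentation domains, invented TLDs that do not exist in the public root, real-looking names nobody has registered, and internal zones that are visibly delegated on the Internet. The resolver 8.8.8.8 is an assumption (any Internet resolver will do); the lookups need Resolve-DnsName, i.e. Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original post. Checks a candidate AD DNS name
# against the rules of this article. Assumption: 8.8.8.8, or whatever you pass
# as -PublicResolver, is reachable from this host.
function Test-AdDomainName {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $PublicResolver = '8.8.8.8',
        [switch] $Lab                        # allow the .test TLD for a lab forest
    )

    $findings = @()
    $labels   = $Name.Trim().TrimEnd('.').ToLowerInvariant().Split('.')

    # Rule 1: single-label (or malformed) names confuse DNS, Kerberos and applications.
    if ($labels.Count -lt 2 -or $labels -contains '') {
        $findings += 'single-label or malformed name: do not use'
        return [pscustomobject]@{ Name = $Name; Verdict = 'reject'; Findings = $findings }
    }

    $tld  = $labels[-1]
    $apex = $labels[-2..-1] -join '.'

    # Rule 2: special-use TLDs from RFC 6761 and RFC 6762.
    $specialTld = @{
        test      = 'RFC 6761: reserved for testing'
        example   = 'RFC 6761: reserved for documentation'
        localhost = 'RFC 6761: loopback'
        invalid   = 'RFC 6761: must never resolve'
        local     = 'RFC 6762: multicast DNS, conflicts with Bonjour/Avahi'
    }
    if ($specialTld.ContainsKey($tld)) {
        if ($tld -eq 'test' -and $Lab) {
            $findings += '.test is fine for a lab: public resolvers will never answer for it'
            return [pscustomobject]@{ Name = $Name; Verdict = 'lab only'; Findings = $findings }
        }
        $findings += "reserved TLD .$tld ($($specialTld[$tld]))"
        return [pscustomobject]@{ Name = $Name; Verdict = 'reject'; Findings = $findings }
    }

    # Rule 3: the documentation domains of RFC 6761 are not yours either.
    if ($apex -in 'example.com', 'example.net', 'example.org') {
        $findings += "$apex is reserved for documentation (RFC 6761)"
        return [pscustomobject]@{ Name = $Name; Verdict = 'reject'; Findings = $findings }
    }

    # Helper: NS records for a name as seen from the public Internet, or nothing.
    function Get-PublicNS([string] $QueryName) {
        try {
            Resolve-DnsName -Name "$QueryName." -Type NS -Server $PublicResolver -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'NS' }
        } catch { $null }
    }

    # Rule 4: an invented TLD has no delegation in the public root today and may
    # get one tomorrow (.corp, .home and .mail were blocked for exactly that reason).
    if (-not (Get-PublicNS $tld)) {
        $findings += "TLD .$tld does not exist in the public root: invented, future collision risk"
        return [pscustomobject]@{ Name = $Name; Verdict = 'reject'; Findings = $findings }
    }

    # Rule 5: a real TLD but an unregistered second-level name is anybody's to take.
    if (-not (Get-PublicNS $apex)) {
        $findings += "$apex is not registered: register it before building a forest on it"
        return [pscustomobject]@{ Name = $Name; Verdict = 'register first'; Findings = $findings }
    }
    $findings += "$apex is registered: confirm with whois that the registration is yours"

    # Rule 6: the internal zone itself must not be delegated on the Internet.
    if ($labels.Count -gt 2) {
        if (Get-PublicNS ($labels -join '.')) {
            $findings += "$Name is delegated publicly: the internal zone must exist only on your own DNS servers"
            return [pscustomobject]@{ Name = $Name; Verdict = 'fix public DNS'; Findings = $findings }
        }
        $findings += "$Name is not visible publicly, as it should be"
    }

    [pscustomobject]@{ Name = $Name; Verdict = 'ok'; Findings = $findings }
}

# Constructed candidates taken from the article, worst to best. int.example.com
# is rejected on purpose (example.com is the documentation domain); substitute
# your own registered name to exercise rules 5 and 6.
'example', 'corp.local', 'corp.lan', 'int.example.com', 'lab.test' |
    ForEach-Object { Test-AdDomainName -Name $_ -Lab } |
    Format-List
```

Rules 1 to 3 are decided offline; rules 4 to 6 ask a public resolver, so run the function from a host with Internet access rather than from the future domain controller itself if that one is on an isolated network.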

Published by Computer Outlines, in Windows Server 2008 R2