Just a few days ago, I’ve got a question from a customer regarding the DNS naming best practices for internal DNS and AD domains…
As it’s not a daily job to setup a new AD domain and internal DNS (from scratch…), so it might help to share the results of my investigation, that have lead to confirm my practical experiences.
Apparently it’s a pretty frequent topic on AD and network platforms. Plus there are some strict technical guidelines that apply here, even for internal DNS configurations…
The short answer, as best practice:
- Microsoft strongly recommends to register a public domain and use subdomains for the internal DNS.
- So, register a public DNS name , so you own it. Then create subdomains for internal use (like corp.pgeelen.be, dmz.pgeelen.be, extranet.pgeelen.be) and make sure you’ve got your DNS configuration setup correctly.
Below more detailed explanation. Luckily enough there is some nice reading material out there to prove the statement, so make sure you bookmark this page 😉
But first we need to clarify a few things…
AD Domain vs DNS name
The AD domain name is NOT the same as the DNS name, but they are linked.
AD Domain names are mainly used within AD operations, mostly LDAP queries for AD functionality, while DNS is rather a network level solution for name resolution on IP level (to solve the machines or application names to IP addresses).
Essentialy this difference allows you to use a ‘internal’, private AD domain name and use a public, registered DNS name.
When you look into discussions and documentation on this topic, you’ll also see that the AD domain short name is referred as NetBIOS Name (as in the AD logon name <DOMAIN>\<username>).
For example
- AD Domain name: CORP
- DNS name: corp.pgeelen.be
See here for more explanation: https://technet.microsoft.com/en-us/library/bb676377
You can also ‘unlink’ the AD domain name from the DNS name, then you get a disjoint namespace, as explained in previous link.
For Example
- AD Domain naam : CORP
- DNS naam: intranet.pgeelen.be
Check this forum discussion: https://social.technet.microsoft.com/Forums/windowsserver/en-US/f6ac34e8-4b35-4c3b-a60f-179f68d6eb24/ad-domain-name-vs-dns-domain-name?forum=winserverDS
And also: https://technet.microsoft.com/en-us/library/cc978018.aspx
Dummy DNS name vs official DNS name
In the past, lots of people chose to use a dummy, unofficial TLD (top-level-domain) for their internal network, likedomain.lan, domain.local of domain.internal (and also domain.internalhost)
But this can get you in serious trouble.
Because these names are not supported by internet standards, the most important RFC on this is: RFC 2606 (http://tools.ietf.org/html/rfc2606)
This RFC standard is very explicit on chosing domain names for voor private testing and documentation
- .test
- .example
- .invalid
- .localhost
But also for documentation some 2nd level domains are reserved
- example.com
- example.net
- example.org
As you can see, these names are created for testing and not for production.
Plus, if the public naming standards change or additional names are released you might be using a name you don’t own and that can be routed to the internet, which conflicts with the initial use.
Therefore the technical conclusion is fairly straight forward: register a public DNS name and use it for your internal DNS resolution.
So the use of <yourinternaldomain>.be is technically correct but it doesn’t stop there.
There are some important consequences.
Allow me to take the discussion a step further.
You have to make a choice on the DNS zones:
- using a single DNS zone
- Using subdomains
- using different DNS zones
Using a single namespace (for internal and external hosts)
Some customers use the same DNS zone for internal and external usage. But there are some important disadvantages:
- mismatch between security zones (like intranet, extranet, dmz and) and DNS naming
- when adding / merging domains the DNS is subject to redesign
- less flexible, less automated DNS operations
- conflict in authority with internal DNS and external DNS (managed by internet provider)
You might face some practical issues like:
- conflicts in DNS,
- instable operations and sub-optimal performance
- network issues
- complex configuration
- less or no automated DNS operations, more manual operations
- keeping DNS under control is less obvious
Plus, you’ll face some consequences regarding network security, by the lack of segregation of (DNS) duties.
So: Single DNS domain is absolutely not advised.
Using different DNS names and zones
It’s completely the opposite of the previous approach. From DNS level, this is fairly simple setup, but you need to duplicate or multiply DNS configurations. And from a user perspective it might be complex or confusing, or not transparent, and inconsistent
DNS sub-domains
This is a frequently used technique to use the same TLD (top level domain) and separate the zones by subdomain. Eg “intranet”, “extranet”, “DMZ” for ‘internal’ zones en just plain <domain>.<tld> for public DNS.
For example:
- intranet.pgeelen.be or corp.pgeelen.be (if your AD is named ‘CORP’ )
- extranet.pgeelen.be for applications or partner facing websites
- DMZ.pgeelen.be for applications that need DMZ for data protection or publication,
- and master suffix .pgeelen.be for public websites (managed by your Internet Provider)
The forum post I mentioned earlier discusses a technique called “DNS split brain”:
In fact you have one DNS name space, but with sub spaces per zone.
This is a bit more complicated setup as you need to make sure the DNS servers forward the requests to the applicable zones correctly.
And it does require some planning and cooperation with your internet provider.
Microsoft strongly suggests to work with subdomains, within a publicly registered TLD domain.
Check: Creating Internal and External Domains op https://technet.microsoft.com/en-us/library/cc755946(WS.10).aspx
| Design Option |
Management Complexity |
Example |
| The internal domain is a subdomain of the external domain. Microsoft strongly recommends this option. For more information, see Using an Internal Subdomain. |
Easy to deploy and administer. |
An organization with an external namespace contoso.com uses the internal namespace corp.contoso.com. |
| The internal and external domain names are different from each other. For more information, see Using Different Internal and External Domain Names. |
More complicated than previous option. |
An organization uses contoso.com for its external namespace, and corp.internal for its internal namespace. |
On top of that you need to be aware of a few rules regarding naming standards: https://support.microsoft.com/en-us/kb/909264
To conclude, please find some useful reference info in one spot below:
- DNS and Active Directory:
- Naming conventions in Active Directory for computers, domains, sites, and OUs
- How to choose a sensible local domain name for a home network?
- Top level domain/domain suffix for private network?
- Using public TLD & subdomains
- Microsoft
- Forum: AD domain name vs DNS domain name
- Split brain DNS
Like this:
Like Loading...
Identity Underground 