Regular IT Guy

Just a guy talking about Technology, in an uncomplicated way

Blogs

DNS Naming Strategies for AD (Active Directory)

  • Comments 11
  • Likes
DNS Namespace is frequently a stumbling block in the design process for people working an AD implementation or migration. I've lead a number of roundtables or facilitated discussions about this topic and I frequently find that people make it way more complicated then they need to. Being a consultant who has done a number of AD designs for customers ranging in size from 200 to 27000 users, I've seen it all. I have two simple recommendations:
  • Use the KISS principle (Keep It Simple S{fill in appropriate word here}
  • Do it right once and lock it in.

I was out last week for dinner (I was in Redmond for a technical conference) and a fairly heated discussion came up about DNS Naming Strategies for Active Directory. Take an x-enterprise strategy consultant, AD design consultant and an x-RedHat/Oracle engineer and throw them the DNS naming strategy topic and some interesting points get raised. I won't tell you who raised which strategy - I'll let you make your own.

Option 1 - Use the same Internal and External domain names.
If I already own rickcomapny.ca and I use it externally, why not use it internally as well? Humm... Maintain 2 DNS zone files on two servers that will from this day forward never exchange information and will need to be separately managed. This might seem like a good KISS principle and minimize internal client "comfort" of not having to change DNS namespace. In actual fact - it places much more administrative burden on the DNS admins and is not exactly "future proof" for changing business needs. You will have to manually add external entries into your internal zone. You will have to selectively add internal resources to your external zone. How will you handle internal and external records when you transition to IPv6?

I'm not knocking this method - I've implemented it for customers in the field - after they have reviewed all the Pros and Cons.

Option 2 - Use a delegated sub domain of the external domain for the internal domain.
Once again - if I own rickcompany.ca and I use it externally (either I host it on a set of servers or my ISP hosts it), I create a sub domain internally only (at this time) that could be called corp.rickcompany.ca or ad.rickcompany.ca or whatevermakessense.rickcompany.ca. Because this sub domain is only maintained internally on the internal DNS servers, it can't be accidentally placed on the outside servers. Clients and servers would be part of the internal sub domain of rickcompany.ca and function as normal in an AD environment. If you already had a large (or small) DNS zone of rickcompany.ca, the records could be transferred internally as secondary zones and maintained on which ever servers required the zones. This is by far the easiest one to manage, since you control the zone and don't have to worry about what is inside and outside. You are also futureproofing your design, since you have unique names inside and out. If your internal clients have the bad habit of not fully qualifying resources in the rickcompany.ca domain, you can add it to your list of search domains to ensure proper name resolution.

Option 3 - Use a non-standard internal domain. (Dustin Norman reminded me of this one).
I have used this one on only one occasion. I warn you that you should use this one with caution - as it severely limits your ability to easily manage externally accessible internal resources.  If you choose to use rickcompany.internal or rickcompany.local as your internal DNS domain name, you virtually guarantee that your internal hosts will never be resolvable from the outside world without jumping through hoops.  It is not generally a recommended best practice to use this type of non standard DNS domain naming convention without looking at all the implications.

I'll end off this conversation by saying - make sure to understand all the implications of DNS naming convention. Only after you have evaluated all the options should you make your choice. You need a rock solid understanding of DNS and how it works in order to ensure a strong foundation for AD and name resolution.

How do I answer when someone asks me the naming question? "It depends....."

Here's a link to the Windows Server 2003 Deployment guide discussion on DNS naming conventions.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbd_dns_tvnd.asp

Comments
  • I've heard of a third option: Use a totally different (and non-internet routable)domain name like: rickcompany.local

    What are your thoughts on this type of usage? Are there pros/cons to this method?

  • Thanks Dustin - I completely forgot to add that one. i have implemented one of these...
    Can you tell it is a Monday?



  • http://support.microsoft.com/default.aspx?scid=kb;en-us;254680

    http://www.microsoft.com/Windows2000/technologies/communications/dns/default.asp

  • A good book I used.

    http://www.oreilly.com/catalog/dnswinsvr/index.html



  • With option 3, what problems do you encounter when you create a single name domain. We have experienced a few problems, but I don't ever see it documented anywhere.

  • Hey Rick,
    It's pretty obvious which choice you prefer! ;)
    I've used option 1 before, and it does require a DNS admin who's on the ball. That said, for most SMBs, it's just a single WWW record that you need to add to the internal zone. I have had probs in larger orgs where we had to add internal MX records, but that's not too common (it was only temporary during a migration/amalgamation).

  • There is yet another option (one I've seen used a number of times):

    Use an internet routable domain that you don't use externally. If you use rickscompany.com externally then register rickscompany.net and only use that internally. This has some of the value of option #3 and removes some of the limitations as well.

    Phil

  • I have recently taken ownership of a 2000 AD network that has a single one-word domain name, "calenwolde"...no suffix. I am having issues with AD registering itself properly with DNS and am wondering if it's because this is a nonconventional domain name. After Uninstalling and reinstalling DNS, recreating the zones, pointing the DNS entries correctly, running ipconfig /regsiterdns...netdiag.exe /fix still generates errors...it can't register with the DNS server. Could this be due to a non-conventional domain name? Is it possible to rename it?

    Thx,

    josh-

  • Josh,

    I had the same problems at a former job. I used this KB article and was able to completely solve the problem: http://support.microsoft.com/kb/300684.

    Hope this is helpful,
    Joshua

  • Hi,

    I've got a 2k3 multihomed network server with 2 nics. Dns installed, everething works perfect. But my isp gave me 1 fixed ip with hostname e.g. http://myserver.myisp.nl I could access it from the internet. Could someone tell me how I can confige my dns so I could add more hosts names to this fixed ip adres e.g. http://intranet.myserver.myisp.nl or http://mail.myserver.myisp.nl without asking my isp to add mx, a, alias files to there dns server?

    Thanks in advance

    p.s. I think it should do by a reverse lookup zone which direct a record mail to fixed ip isp provider???

  • So what are the pros/cons of the idea that a previous poster had about using the same domain name but with different TLDs? i.e. mydomain.com(external) and mydomain.net(internal). Seems like it would give the best of both worlds in terms of flexibility and manageability. Cheers.