DNS External And Internal Namespace


Naming Convention For Forest


The following factors need to be taken care of when creating a forest. You have to plan the registration of a public domain name together with the internal AD domain naming convention, and you should choose the namespace wisely.


Separate External Namespace And Internal Namespace:

Most administrators choose to have separate namespaces for the internal corporate network and for external users, e.g. sainath.com as the external name registered with the ISP and sai.loc as the internal name. The only criterion is that the internal name must be a non-routable domain name.

Most external namespaces belong to the public DNS namespace, and the DNS namespace is very different from the AD namespace. There are many arguments for choosing a separate namespace for AD domains versus using a single namespace. The answer lies in the security model you design for the company, which I discuss below under “Same External And Internal Namespace”. Most organizations follow this separate-namespace model.


A typical example is explained below.


In the diagram above, the DNS server placed in the DMZ faces the extranet. Most customers configure it as either a Microsoft DNS or a BIND DNS server with the appropriate domain name (e.g. sainath.com), and the internal DNS server is configured as sainath.internal. Users on the Internet resolve sainath.com, and internal users resolve sainath.internal. You have to provide appropriate routing between the external-facing DNS server and the internal DNS server.


There are also situations where internal users want to resolve hostnames held on the external DNS server, e.g. users in sainath.internal want to resolve a hostname configured in sainath.com. To allow this you could create a zone named sainath.com on the internal DNS server and populate it with the public records. Another way for internal users to resolve names in the external namespace is to create a host record. Remember that the DNS Client service consults the hosts file before querying DNS, so if you manually add an entry for the external host to the hosts file of the internal clients, those users can still reach the external hosts.

Eg: hosts file entry (IP address first, then the name):

13.12.12.12 sharepoint.sainath.com


PS: I have seen issues with domain names such as .local, so please use anything other than .local.


Same External And Internal Namespace:

There is no restriction in Active Directory against using the same namespace for both external and internal users / access. Example: a company can register sai.com as its external namespace and still use developers.sai.com and testing.sai.com as internal namespaces; everything works seamlessly once you configure appropriate DNS routing. Administrators are concerned about exposing the AD namespace to the external world, fearing that attackers would then find it easier to reach the internal servers and data.

Well, if you provide proper routing and block ports as required, I don't see a problem. But a small configuration change is required, which is described in

http://support.microsoft.com/kb/267855 (concentrate on RegisterDnsARecords = 0x1 / 0x0)
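The following PowerShell script is an added example, not part of the original post, showing both designs discussed above: the internal copy of the external zone (with a drift check against the DMZ server) for the separate-namespace design, and the RegisterDnsARecords change from KB 267855 for the same-namespace design. It assumes an AD-integrated Microsoft DNS server on a domain controller with the DnsServer and DnsClient modules; sainath.com, sharepoint and 13.12.12.12 come from the post, while $DmzDns, www and its address are constructed placeholders.

```powershell
# Added example, not from the original post. Run on the internal Windows DNS
# server (a DC) with the DnsServer and DnsClient modules. sainath.com, sharepoint
# and 13.12.12.12 come from the post; $DmzDns and the www host are placeholders.
$ZoneName = 'sainath.com'
$DmzDns   = '198.51.100.53'          # placeholder: the DMZ-facing DNS server
$PublicHosts = @{                    # public names internal users must still reach
    'sharepoint' = '13.12.12.12'     # from the post
    'www'        = '13.12.12.10'     # constructed placeholder
}

# 1. Separate-namespace design: create the internal copy of the external zone.
#    Once this zone exists the internal server is authoritative for sainath.com
#    and will not forward queries for it, so every public record that internal
#    users need has to be present here. Dynamic updates are off: these records
#    are static copies, and no internal machine should be able to alter them.
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Domain' -DynamicUpdate 'None'
}
foreach ($h in $PublicHosts.GetEnumerator()) {
    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $h.Key -RRType 'A' -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $h.Key -IPv4Address $h.Value
    }
}

# 2. Drift check: the DMZ server is the source of truth for public records, so
#    flag any name whose internal copy no longer matches what the Internet sees.
function Test-SplitBrainDrift {
    param([hashtable]$Hosts, [string]$Zone, [string]$ExternalServer)
    foreach ($h in $Hosts.GetEnumerator()) {
        $fqdn = "$($h.Key).$Zone"
        $ext  = @(Resolve-DnsName -Name $fqdn -Server $ExternalServer -Type A -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        if ($ext -notcontains $h.Value) {
            Write-Warning "$fqdn drifted: internal=$($h.Value) external=$($ext -join ',')"
        }
    }
}
Test-SplitBrainDrift -Hosts $PublicHosts -Zone $ZoneName -ExternalServer $DmzDns

# 3. Same-namespace design (KB 267855 from the post): run on each domain
#    controller. With RegisterDnsARecords = 0 Netlogon stops registering the
#    bare domain-name ("same as parent") A records that point at the DCs, so
#    they do not compete with the public record for the domain name itself.
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $Netlogon -Name 'RegisterDnsARecords' -Value 0 -Type DWord
Restart-Service -Name Netlogon
```

Schedule the drift check to run regularly: the internal zone is a manually maintained copy, so any change the public zone makes (a moved web front end, a new mail host) is otherwise silently invisible to internal users.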
