RE: Windows 2003 Active Directory

  • From: "John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 7 Mar 2005 00:06:41 -0800

> From my own experience I would say that you should not use your public
> domain name as your internal AD domain name; I would recommend something
> like "kenya-airways.local".  As you host your website externally, and I
> presume use external DNS servers, you will find that you will not have
> to manage your Windows DNS servers as much.

DO NOT USE ".local" AS THE TLD.

That is not a valid private use TLD:

http://www.windowsitpro.com/Article/ArticleID/44818/44818.html

"John Savill
InstantDoc #44818
John Savill's FAQ for Windows

A. Companies often use a .local or .pvt TLD to name an AD tree. However, as
I explain shortly, it's better to use a standard naming method--for example,
create a name by using a subdomain of your company's DNS address space
(e.g., if your company's DNS domain is ntfaq.com, you could name your AD
tree ads.ntfaq.com). When you use this method, though, you must remember
that the DNS information for the AD tree is hosted on internal DNS servers,
not on your external DNS servers. This means that external users can't see
information about your internal infrastructure because external users can
access only the external DNS server, which has no information about your
internal infrastructure. Alternatively, if you want to create a second-level
name for your AD domain, reserve another name--for example, ntfaq.net--but
don't set your AD domain to the same name as your external name, to avoid
causing confusion in name resolution.

If you're determined to use a nonstandard TLD in your domain name, avoid the
use of .local or .pvt because they aren't reserved. Instead, use one of
these reserved top-level domains:

.test
.example
.invalid
.localhost

You can find more information about these names in Internet Engineering Task
Force (IETF) Request for Comments (RFC) 2606. Remember, if you use these
nonstandard DNS names, you can't obtain certificates from a third-party
Certificate Authority (CA), which might cause problems for your
organization."

By the way, in using Windows Server 2003 AD, you can set up your domain as
internal.example.moc and in DNS point the root domain example.moc at the
external DNS server. That way, your internal DNS server will be responsible
for internal.example.moc and all other example.moc queries will be sent to
the configured external server.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
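The naming advice in the post above (use a subdomain of your registered public domain, never the public name itself, and avoid unreserved TLDs such as .local or .pvt in favour of the RFC 2606 names) can be turned into a small pre-deployment check. The following script is an added example written for this page, not code from the post, the Savill article or Microsoft; the function names, the sample names it is run against, and the verdict categories are my own, and the RFC 1035 label syntax rules it applies are a general DNS fact rather than something the post states.

```python
"""Classify a proposed Active Directory DNS name against the naming advice
given in the post: subdomain of the public domain is recommended, the
public domain itself or an unreserved private TLD (.local, .pvt) is a
warning, and an RFC 2606 reserved TLD is usable but cannot get public
CA certificates.  Added example, not code from the original post."""
import re
from dataclasses import dataclass, field

# Reserved top-level domains from RFC 2606 section 2, as cited in the post.
RFC2606_RESERVED = {"test", "example", "invalid", "localhost"}
# TLDs the post warns against because they are not reserved.
UNRESERVED_PRIVATE = {"local", "pvt"}

# RFC 1035 hostname label: 1-63 chars, letters/digits/hyphen, no leading
# or trailing hyphen (names are lower-cased before matching).
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


@dataclass
class Verdict:
    name: str
    verdict: str                      # recommended | warning | reserved | invalid
    notes: list = field(default_factory=list)


def _labels(name):
    """Normalise a DNS name to lower-case labels, tolerating a trailing dot."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def _valid(labels):
    """Syntactic check: every label well formed, whole name within 253 chars."""
    return (
        bool(labels)
        and all(LABEL_RE.match(lab) for lab in labels)
        and len(".".join(labels)) <= 253
    )


def classify_ad_name(ad_name, public_domain):
    """Return a Verdict for ad_name given the organisation's public domain."""
    ad = _labels(ad_name)
    pub = _labels(public_domain)
    v = Verdict(name=ad_name, verdict="invalid")

    if not _valid(ad):
        v.notes.append("not a syntactically valid DNS name (RFC 1035 label rules)")
        return v
    if len(ad) < 2:
        v.notes.append("single-label name; an AD forest root needs at least two labels")
        return v

    tld = ad[-1]
    if ad == pub:
        # Same name inside and outside: the post's name-resolution confusion case.
        v.verdict = "warning"
        v.notes.append("identical to the public domain; internal and external DNS will conflict")
    elif pub and ad[-len(pub):] == pub:
        # Subdomain of the public name, hosted only on internal DNS servers.
        v.verdict = "recommended"
        v.notes.append("subdomain of the public domain; host the zone on internal DNS only")
    elif tld in RFC2606_RESERVED:
        v.verdict = "reserved"
        v.notes.append(f".{tld} is reserved by RFC 2606; third-party CAs will not issue certificates for it")
    elif tld in UNRESERVED_PRIVATE:
        v.verdict = "warning"
        v.notes.append(f".{tld} is not a reserved TLD; it may collide with a real delegation")
    else:
        # A separate second-level name: fine only if the organisation registers it.
        v.verdict = "warning"
        v.notes.append("name outside the public domain; register it so nobody else can")
    return v


if __name__ == "__main__":
    # Constructed sample names, including the ones discussed in the post.
    for candidate in ("ads.ntfaq.com", "ntfaq.com", "kenya-airways.local",
                      "corp.example", "internal.example.moc", "bad_name.com"):
        result = classify_ad_name(candidate, "ntfaq.com")
        print(f"{candidate:24} {result.verdict:12} {'; '.join(result.notes)}")
```

Run it with the organisation's real public domain as the second argument; anything other than "recommended" deserves a conscious decision before the forest is created, because the forest root name cannot be changed cheaply afterwards.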