RE: Windows 2003 Active Directory

  • From: "Kamire, Thomas" <Thomas.Kamire@xxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 7 Mar 2005 12:18:44 +0300

We do have our DNS internally and use BIND for external DNS. All our mails
are hosted internally and it is only the website and a registered\exchange for OWA which is registered outside
but the exchange box is internal. We also think of registering for our intranet server which is hosted
internally. If we use another namespace we will have issues when it comes to
these internally hosted services because we will have to tell the systems
that to reach an intranet server you go to http://intranet.kenya-airways.pvt
for private or which ever namespace we will have chosen. 

Thomas Kamire
Systems Engineer
Kenya Airways Ltd
Ext.:  +254 (20) 6422311
Tel:    +254 722 483253 / 499884

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Monday, March 07, 2005 11:07 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Windows 2003 Active Directory

> >From my own experience I would say that you should not use your 
> >public
> domain name as your internal AD domain name; I would recommend 
> something like "kenya-airways.local".  As you host your website 
> externally, and I presume use external DNS servers, you will find that 
> you will not have to manage your Windows DNS servers as much.


That is not a valid private use TLD:

  "John Savill
InstantDoc #44818
John Savill's FAQ for Windows  

A. Companies often use a .local or .pvt TLD to name an AD tree. However, as
I explain shortly, it's better to use a standard naming method--for example,
create a name by using a subdomain of your company's DNS address space
(e.g., if your company's DNS domain is, you could name your AD
tree When you use this method, though, you must remember
that the DNS information for the AD tree is hosted on internal DNS servers,
not on your external DNS servers. This means that external users can't see
information about your internal infrastructure because external users can
access only the external DNS server, which has no information about your
internal infrastructure. Alternatively, if you want to create a second-level
name for your AD domain, reserve another name--for example,
don't set your AD domain to the same name as your external name, to avoid
causing confusion in name resolution.

If you're determined to use a nonstandard TLD in your domain name, avoid the
use of .local or .pvt because they aren't reserved. Instead, use one of
these reserved top-level domains:

You can find more information about these names in Internet Engineering Task
Force (IETF) Request for Comments (RFC) 2606. Remember, if you use these
nonstandard DNS names, you can't obtain certificates from a third-party
Certificate Authority (CA), which might cause problems for your

By the way, in using Windows Server 2003 AD, you can setup your domain as
internal.example.moc and in DNS point the root domain example.moc at the
external DNS server. That way, your internal DNS server will be responsible
for internal.example.moc and all other example.moc queries will be sent to
the configured external server.

John Tolmachoff
eServices For You

List Archives:
Exchange Newsletters:
Exchange FAQ:
Other Internet Software Marketing Sites:
World of Windows Networking: Leading
Network Software Directory:
No.1 ISA Server Resource Site: Windows Security
Resource Site: Network Security Library: Windows 2000/NT Fax Solutions:
You are currently subscribed to this Discussion List as:
thomas.kamire@xxxxxxxxxxxxxxxxx To unsubscribe visit
Report abuse to listadmin@xxxxxxxxxxxxxx

This message and any attachments are confidential and may be legally
privileged or otherwise protected from disclosure. Although the necessary
precautions have been taken, Kenya Airways does not accept legal
responsibility for any damage whatsoever that is caused by viruses being
passed or for the contents of this message.
This message, and any attachments, are intended solely for use by the named
addressee. If you are not the intended recipient, you must not copy them or
disclose their contents to any other person. If you have received this
message in error, please notify the sender by return e-mail and delete any
attachments accompanying it immediately. "PLEASE NOTE THAT OUR OPERATOR
NUMBER HAS CHANGED TO - +254-20-642 2000"

Other related posts: