
Private/Public DNS

Status
Not open for further replies.

Timhi

Technical User
Apr 28, 2008
33
US
Hi,

We are doing a domain migration and, from what I have read, it is recommended that you keep separate domain names for inside and outside. (Let's say domain.net for inside and domain.com for outside.) So basically the world should only see domain.com. Registering two domain names is no problem.

Do I just create two primary lookup zones and have domain.net point to our internal servers and domain.com point to our ISP? Our public DNS name is ISP-hosted. Do I need two DNS servers inside my network (one for public, one for private)? Do I need two PDCs also? I am running Server 2000/2003 DCs (2000 native mode).


Thanks a bunch for all the help, this forum is the best.
 
Hi, you seem to be tangling up your internal AD Domain name and your company's registered internet domain name. Think of these as 2 separate entities, which have nothing to do with each other.

Regarding selecting separate domain names for the internal and internet domains, this isn't necessary. You can select the same domain name for each if you want.

For the internet domain, your ISP takes care of the DNS for that. So you won't need to set up any DNS servers for the internet domain.

For your internal domain, you do need to take care of the DNS for that.

Only one PDC is required, however it's always best practice to deploy a minimum of two for redundancy.

 
Thanks for the info, Dublin. I guess separate name spaces aren't the big deal for security anymore.
 
No problem. Security is very important, but separate domain name spaces won't provide you with tons of extra security etc. There are hundreds of secure networks out there (including global banks etc.) where the private and public DNS names are the same.
 
Just a note: the internal domain name is usually not something resolvable on the Internet, so .net is a bad choice. There are a few common ones, but .int, shortened from .internal, is a common one.

For your external DNS, sometimes people make a duplicate copy of the DNS with different records for the purposes of testing and dev, or the intranet being substantially different to what you would see from the outside. Depends on what sort of environment the devs want.
 
theravager said:
For your external DNS, sometimes people make a duplicate copy of the DNS with different records for the purposes of testing and dev, or the intranet being substantially different to what you would see from the outside. Depends on what sort of environment the devs want.

That's split-brain DNS. A lot of thinking comes into play there. If you have internal resources that internal employees have access to, such as SharePoint, Outlook Web Access, or other resources where they need to remember a name, and you want them to be able to gain access to them from outside using the SAME name, then split-brain DNS solves that. This is especially true if you're tying SSL certificates to things.

Just remember that if you create an internal forward lookup zone for your external, public DNS, that you create host records for all of the external resources as well, such as your public web site. Otherwise, internal people won't be able to get to them.

Pat Richard
Microsoft Exchange MVP
Contributing author Microsoft Exchange Server 2007: The Complete Reference
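As an added check for the point Pat makes about host records (my own example, not code from any poster): given the ISP-hosted public zone and the internal split-brain copy of the same domain, list the public names the internal zone does not define at all, plus the names that deliberately answer differently inside. The zone data, the domain.com placeholder and the addresses are all constructed.

```python
# Added example: audit an internal split-brain copy of a public DNS zone.
# Records below are constructed; domain.com is the thread's placeholder name.
from typing import Dict, List, Tuple

def parse_records(zone_text: str) -> Dict[Tuple[str, str], List[str]]:
    """Parse minimal 'name type rdata' lines; ';' starts a comment, blank lines are skipped."""
    records: Dict[Tuple[str, str], List[str]] = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, rtype, rdata = line.split(None, 2)
        records.setdefault((name.lower(), rtype.upper()), []).append(rdata)
    return records

def missing_internal_hosts(public_zone: str, internal_zone: str) -> List[str]:
    """Public names with no record of any kind inside: internal users cannot reach these."""
    internal_names = {name for name, _ in parse_records(internal_zone)}
    missing = {name for (name, rtype) in parse_records(public_zone)
               if rtype in ("A", "AAAA", "CNAME", "MX") and name not in internal_names}
    return sorted(missing)

def differing_answers(public_zone: str, internal_zone: str) -> List[str]:
    """Names present in both zones whose rdata differs (expected in split-brain, but list them)."""
    pub, internal = parse_records(public_zone), parse_records(internal_zone)
    return sorted(name for (name, rtype) in pub
                  if (name, rtype) in internal and sorted(pub[(name, rtype)]) != sorted(internal[(name, rtype)]))

# Constructed sample zones (203.0.113.0/24 and 192.0.2.0/24 are documentation ranges).
PUBLIC_ZONE = """
www.domain.com.   A     203.0.113.10   ; public web site
mail.domain.com.  A     203.0.113.20
domain.com.       MX    10 mail.domain.com.
owa.domain.com.   A     203.0.113.30   ; Outlook Web Access, published externally
"""

INTERNAL_ZONE = """
owa.domain.com.   A     192.0.2.30     ; same name, inside address
mail.domain.com.  A     192.0.2.20
"""

if __name__ == "__main__":
    print("missing inside:", missing_internal_hosts(PUBLIC_ZONE, INTERNAL_ZONE))
    print("answer differs inside vs outside:", differing_answers(PUBLIC_ZONE, INTERNAL_ZONE))
```

Here the public web site and the apex MX are absent from the internal zone, which is exactly the case where internal people lose access to the public site.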
 
Somewhere in all the Microsoft stuff I've read, they recommend using .local for your internal domain.

MCSE CCNA CCDA
 