Windows Server Forum / Windows NT / DNS / July 2003


Active Directory DNS namespace suffix

Brandon - 16 Jul 2003 16:34 GMT
My boss won't let us go anywhere with our Active Directory DNS
namespace design until I can get a solid answer one way or another on
the following question.

QUESTION>>>>

Microsoft suggests you use a top level domain for the suffix (.org,
.net, .com, etc.) of your Active Directory namespace. Does anyone know
of a sound implementation reason of why I should/shouldn't use <.ad >
as my forest root domain? I intend to be the only authoritative DNS
servers for that namespace in my network. We have a relatively small
implementation (Single Forest, Single Domain, ~50 Servers) and this
would allow us to start fresh with our internal DNS structure as well
as clearly distinguishing our internal and external DNS. I have read
the following statement From TechNet with regards to this situation
"Windows 2003 deployment kit, designing a DNS namespace."

The disadvantage is that this configuration requires you to manage two
separate namespaces. Also, using a stand-alone internal domain that is
unrelated to your external domain might create confusion for users
because the namespaces do not reflect a relationship between resources
within and outside of your network. In addition, you might have to
register two DNS names with an Internet name authority if you want to
make the internal domain publicly accessible.)

Are there any other relevant reasons than the above argument provided
by Microsoft? Are there any sound business or implementation reasons?
Are there any relevant reasons why this may be a superior solution to
using a top level domain suffix?

Also read>>>>

I have read in the "Best Practice Active Directory Design for Managing
Windows Networks (2000)" which states

"Note As a best practice use DNS names registered with an Internet
authority in the Active Directory namespace. Only registered names are
guaranteed to be globally unique. If another organization later
registers the same DNS domain name, or if your organization merges
with, acquires, or is acquired by other company that uses the same DNS
names then the two infrastructures can never interact with one
another.
Add a prefix that is not currently in use to the registered DNS name
to create a new subordinate name. For example, if your DNS root name
were contoso.com then you should create an Active Directory forest
root domain name such as concorp.contoso.com, where the namespace
concorp.contoso.com is not already in use on the network. This new
branch of the namespace will be dedicated to Active Directory and
Windows 2000 and can easily be integrated with the existing DNS
implementation. The rules for selecting a prefix are listed in Table
9.
Table 9 Rules for Creating a Prefix for an Active Directory Name
• Prefix rule     • Explanation
Scott Harding - MS MVP - 17 Jul 2003 00:24 GMT
There is really no need to have this "suffix" be anything particularly
useful. I never use a real Internet "Suffix" on Active Directory because you
really do not need it. You are not going to find a "document" that states
this. As your documents below suggest there are only suggestions but in
reality there really is no confusion for users or Admins. Your internal DNS
servers will take care of all your clients and Active Directory and it
really won't matter what your Internal Suffix is. I usually use .local or
something that separates this from the real Internet Domain Name. More
important than this is to make sure that you have no Domain name under
TCPIP/DNS as this will wreck your migration to Win2k and leave you with a
Disjointed DNS Namespace that is not repairable. I don't know of a single
company that has these names that are the same and I have performed several
Migrations with Win2k and Exchange 2000 without any issues arising from this
DNS Suffix being different than the real Internet DNS name. Nobody even
really sees this suffix as it does not show up under the login screen and
the end users typically will never even know that this suffix exists. Any
other thoughts guys?

--
Scott Harding
MCSE, MCSA, A+, Network+
Microsoft MVP - Windows NT Server

scrockel@***No_SPAM***hotmail.com
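A check for the namespace question itself, as an added example that is not from the thread or from Microsoft's guidance. It encodes the rules quoted in the question (only a name registered with an Internet authority is guaranteed globally unique; a subordinate of a registered name is the recommended shape; labels must be valid DNS host-name labels) and two facts worth knowing before picking a suffix: `.ad` is the delegated country-code TLD of Andorra, and `.local` was later reserved for multicast DNS by RFC 6762. The `$PublicTlds` subset, the `contoso.com` registered name and the candidate names are constructed for illustration; in real use load the IANA TLD list.

```powershell
# Added example, not from the thread: sanity-check a candidate AD forest root
# DNS name against the rules discussed above. The $PublicTlds subset, the
# $RegisteredNames value and the candidate names are constructed for illustration.
function Test-AdNamespaceCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        # DNS names your organisation has registered with an Internet authority.
        [string[]] $RegisteredNames = @(),
        # Delegated public TLDs. Constructed subset; load the full list from
        # https://data.iana.org/TLD/tlds-alpha-by-domain.txt in real use.
        [string[]] $PublicTlds = @('com', 'net', 'org', 'edu', 'gov', 'uk', 'de', 'ad')
    )

    $fqdn     = $Name.Trim().TrimEnd('.').ToLowerInvariant()
    $labels   = @($fqdn -split '\.')
    $findings = New-Object System.Collections.Generic.List[string]

    # RFC 1035 host-name syntax: 1-63 characters per label, letters, digits and
    # hyphens only, no leading or trailing hyphen, 255 characters overall.
    foreach ($label in $labels) {
        if ($label -notmatch '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$') {
            $findings.Add("ERROR: label '$label' is not a valid DNS host-name label")
        }
    }
    if ($fqdn.Length -gt 255) { $findings.Add('ERROR: name is longer than 255 characters') }

    if ($labels.Count -eq 1) {
        $findings.Add('WARN: single-label name; use at least two labels, e.g. corp.example.com')
    }
    # dcpromo proposes the first 15 characters of the leftmost label as the NetBIOS domain name.
    if ($labels[0].Length -gt 15) {
        $findings.Add("WARN: leftmost label exceeds 15 characters; the default NetBIOS name truncates to '$($labels[0].Substring(0, 15))'")
    }

    $tld         = $labels[-1]
    $ownedParent = $RegisteredNames |
        ForEach-Object { $_.Trim().TrimEnd('.').ToLowerInvariant() } |
        Where-Object { $fqdn -eq $_ -or $fqdn.EndsWith('.' + $_) } |
        Select-Object -First 1

    if ($ownedParent) {
        if ($fqdn -eq $ownedParent) {
            $findings.Add("INFO: identical to registered zone '$ownedParent'; internal and external DNS become two copies of one zone (split-brain) that must be kept in step")
        } else {
            $findings.Add("OK: subordinate of registered name '$ownedParent'; globally unique and dedicated to Active Directory")
        }
    } elseif ($tld -eq 'local') {
        $findings.Add('WARN: .local is reserved for multicast DNS by RFC 6762; mDNS-aware resolvers may never send these queries to your DNS servers')
    } elseif ($PublicTlds -contains $tld) {
        $findings.Add("WARN: .$tld is a delegated public TLD and '$fqdn' is not registered to you; anyone can register it, so the name is not globally unique")
    } else {
        $findings.Add("INFO: .$tld is not a public TLD in the supplied list; the name is private and could collide if that TLD is ever delegated or in a merger")
    }

    $all     = $findings.ToArray()
    $verdict = if (@($all -match '^ERROR').Count) { 'Reject' }
               elseif (@($all -match '^WARN').Count) { 'Review' }
               else { 'Accept' }

    [pscustomobject]@{ Name = $fqdn; Verdict = $verdict; Findings = $all }
}

# Constructed candidates; contoso.com stands in for the organisation's registered name.
foreach ($candidate in 'corp.ad', 'corp.local', 'contoso.com', 'concorp.contoso.com', 'contoso') {
    Test-AdNamespaceCandidate -Name $candidate -RegisteredNames 'contoso.com' | Format-List
}
```

With the constructed inputs, `corp.ad` and `corp.local` come back as `Review`, `contoso.com` as `Accept` with the split-brain note, `concorp.contoso.com` as `Accept`, and the single-label `contoso` as `Review`. The verdict only ranks the findings; the decision about managing two namespaces versus sharing one is still yours.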
Brandon - 17 Jul 2003 19:08 GMT
******* If anyone else wants to chime in please feel free.********

Scott,

Thanks for your reply. When you say

> "More important than this is to make sure that you have no Domain name under
> TCPIP/DNS as this will wreck your migration to Win2k and leave you with a
> Disjointed DNS Namespace that is not repairable."

You mean that on every Local Area Connection>Properties> (including
teams and individual NICs)
Internet Protocol TCP/IP> Properties>
Advanced>DNS tab>
DNS Suffix for this connection:> ...Right? with regards to TCPIP/DNS

I have read/heard this needs to be blank and the only place the suffix
should be populated on any machine (that needs it) in the enterprise
is
My Computer>Properties>
Network Identification tab>Properties>
More>Primary DNS Suffix for this computer:>
Is this the "gotcha!" I should look for with a clean AD DNS install?
Also should "Change Primary DNS Suffix when domain membership changes"
be checkmarked?

Thanks in advance for your response and your previous input.

Brandon

Scott Harding - MS MVP - 17 Jul 2003 20:50 GMT
The only machine that this DNS suffix can hurt you is when you are upgrading
the PDC to Active Directory. Just that machine as this creates the Active
Directory namespace. If you are doing a clean install of Active Directory on
Win2k then this Domain option does not exist. This really is only a NT4
migration issue. You do want the Change Domain Suffix on Domain membership
check box checked but that is only on Win2k anyways if I remember correctly.
Hope this helps. These articles may help what I am referring to. They even
recommend that your Internal Namespace is different than your External
namespace.

http://support.microsoft.com/default.aspx?scid=kb;en-us;254680

http://support.microsoft.com/default.aspx?scid=kb;en-us;285983

http://support.microsoft.com/default.aspx?scid=kb;en-us;258503

--
Scott Harding
MCSE, MCSA, A+, Network+
Microsoft MVP - Windows NT Server

scrockel@***No_SPAM***hotmail.com
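A way to audit the settings Brandon walks through, as an added example that is not from the thread. It reads the primary DNS suffix, the "Change primary DNS suffix when domain membership changes" flag, the static suffix search list and every connection-specific suffix from the TCP/IP registry values that back those dialogs, and compares them with the AD domain name you expect. `-ExpectedDomain` is an assumed parameter; run it from an elevated PowerShell prompt on the machine being checked (the former PDC before an upgrade, or any member).

```powershell
# Added example, not from the thread: audit the DNS-suffix settings behind the
# TCP/IP > Advanced > DNS tab and System Properties > More... dialogs, using the
# registry values that back them. $ExpectedDomain is an assumed parameter.
function Get-DnsSuffixReport {
    [CmdletBinding()]
    param(
        # DNS name of the AD domain the machine belongs (or will belong) to.
        [Parameter(Mandatory)] [string] $ExpectedDomain
    )

    $expected = $ExpectedDomain.TrimEnd('.').ToLowerInvariant()
    $tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $params   = Get-ItemProperty -Path $tcpip
    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem   # Get-WmiObject on PowerShell 2
    $report   = New-Object System.Collections.Generic.List[object]

    function New-Finding($Scope, $Setting, $Value, $Status, $Note) {
        [pscustomobject]@{ Scope = $Scope; Setting = $Setting; Value = $Value; Status = $Status; Note = $Note }
    }

    # 1. Primary DNS suffix: Tcpip\Parameters\Domain ("NV Domain" is the stored copy).
    $primary = [string]$params.Domain
    if ($primary -eq '') {
        $report.Add((New-Finding 'Computer' 'Primary DNS suffix' '' 'INFO' 'blank; set automatically on domain join / dcpromo when the sync flag is on'))
    } elseif ($primary.ToLowerInvariant() -ne $expected) {
        $report.Add((New-Finding 'Computer' 'Primary DNS suffix' $primary 'WARN' "does not match '$expected': disjoint namespace"))
    } else {
        $report.Add((New-Finding 'Computer' 'Primary DNS suffix' $primary 'OK' 'matches the AD domain'))
    }

    # 2. "Change primary DNS suffix when domain membership changes" check box.
    #    Absent value = default (checked); 0 = unchecked.
    $sync = $params.SyncDomainWithMembership
    if ($null -eq $sync -or [int]$sync -eq 1) {
        $report.Add((New-Finding 'Computer' 'SyncDomainWithMembership' $sync 'OK' 'suffix follows domain membership'))
    } else {
        $report.Add((New-Finding 'Computer' 'SyncDomainWithMembership' $sync 'WARN' 'unchecked: the suffix will not follow a domain join or upgrade'))
    }

    # 3. Current membership as reported by WMI, for comparison.
    if ($cs.PartOfDomain -and $cs.Domain.ToLowerInvariant() -ne $expected) {
        $report.Add((New-Finding 'Computer' 'Joined domain' $cs.Domain 'WARN' "joined to a different domain than '$expected'"))
    } else {
        $report.Add((New-Finding 'Computer' 'Joined domain' $cs.Domain 'INFO' $(if ($cs.PartOfDomain) { 'domain member' } else { 'workgroup member' })))
    }

    # 4. Connection-specific suffix per adapter: Interfaces\{GUID}\Domain (static)
    #    and DhcpDomain (pushed by DHCP option 15).
    foreach ($key in Get-ChildItem -Path "$tcpip\Interfaces") {
        $iface = Get-ItemProperty -Path $key.PSPath
        $scope = "Interface $($key.PSChildName)"
        if (-not [string]::IsNullOrEmpty($iface.Domain)) {
            $report.Add((New-Finding $scope 'DNS suffix for this connection' $iface.Domain 'WARN' 'static connection-specific suffix set; the thread recommends leaving this blank'))
        }
        if (-not [string]::IsNullOrEmpty($iface.DhcpDomain)) {
            $report.Add((New-Finding $scope 'DHCP-supplied suffix' $iface.DhcpDomain 'INFO' 'comes from DHCP option 15; check the scope options'))
        }
    }

    # 5. Static suffix search list, if one was typed into the dialog.
    if (-not [string]::IsNullOrEmpty($params.SearchList)) {
        $report.Add((New-Finding 'Computer' 'DNS suffix search list' $params.SearchList 'INFO' 'a static search list replaces primary/connection suffix devolution'))
    }

    return $report.ToArray()
}

Get-DnsSuffixReport -ExpectedDomain 'corp.contoso.com' | Format-Table -AutoSize
```

Any `WARN` row on the machine you are about to promote is the disjoint-namespace condition Scott describes; clear it (blank the connection-specific suffix, or set the primary suffix to the AD domain name) before running dcpromo rather than after.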
©2009 Advenet LLC   Privacy Policy - Terms of Use