Note - I know there are a ton of questions around AD Naming. I do not believe though that this is a duplicate question. If it is please link me to a relevant one :).
We are implementing AD. Our big issue is the domain name. We already have decided against .local after reading the many articles out there and speaking with people (We are 70/30 Mac right now).
We're trying to figure out if we should go with ourdomain.com or corp.ourdomain.com for our Domain Name.
We know already if we went with ourdomain.com we'd have potential issues if people didn't prepend www. to our site's URL, and we are willing to live with that.
Our concern is if there are any other consequences we don't know about. E.g. if we have an Exchange server of ours hosted in a data center that isn't part of the LAN, would it have issues with DNS?
To give an overview of what we have -
Our site is hosted in an external datacenter, we currently use Google Apps but plan a migration to Exchange (Yes, we know it's against the trend...) which may also be hosted in a datacenter or onsite.
We also make extensive use of our UTM firewalls' VPNs and are looking at a Cisco VPN or Citrix solution as we scale up.
There are also plans to institute Windows Distributed File Sharing and possibly use Centrify or ExtremeZ-IP if we find native Mac integration lacking.
We also plan to use AD as our authentication backbone using it for RADIUS and LDAP services for authentication and role management across our internal web apps and wireless.
We did read http://msmvps.com/blogs/acefekay/archive/2009/09/07/what-s-in-an-active-directory-dns-name-choosing-a-domain-name.aspx but I was hoping for some more up to date information from anyone well versed in maintaining AD especially in hybrid/distributed environments.
Answer
There is absolutely no reason to use the same AD domain DNS name as your external web-facing DNS zone. None. At all.
Microsoft recommends using a subdomain of an existing domain, so something like corp.yourdomain.com or ad.mydomain.com is fine. If you don't want your users to see that their login name is corp\user, you can set the domain's NetBIOS name to MYDOMAIN during the DCPROMO process of the first DC in your domain. The end result would be that your domain's FQDN would be corp.mydomain.com, but your users would see mydomain\user. This way you can have "prettier" logins, without the complete shitmess of split-horizon DNS.
Seriously, there's no valid reason to ever have split-horizon DNS with your AD infrastructure.
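The promotion the answer describes (domain FQDN corp.mydomain.com, NetBIOS name MYDOMAIN), as an added PowerShell example that is not part of the original question or answer. Install-ADDSForest is the cmdlet that replaced the DCPROMO wizard the answer refers to; the domain names, the www host and the interactive DSRM password prompt are placeholders, and the verification commands at the end are an assumed check for the question's concern about DNS for hosts outside the LAN (an Exchange box in a datacenter still has to resolve the AD SRV records for corp.mydomain.com, usually via a conditional forwarder over the VPN).

```powershell
# Added example, not the original poster's or answerer's code.
# Placeholders: corp.mydomain.com (AD DNS name), MYDOMAIN (NetBIOS name), www.mydomain.com (public site).

# 1. Install the AD DS role binaries on the server that will become the first DC.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Dry run: checks name length, NetBIOS uniqueness and DNS prerequisites without changing anything.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Test-ADDSForestInstallation `
    -DomainName 'corp.mydomain.com' `
    -DomainNetbiosName 'MYDOMAIN' `
    -SafeModeAdministratorPassword $dsrm

# 3. Create the forest. The DNS name and the NetBIOS name are set independently here,
#    which is the point of the answer: users log in as MYDOMAIN\user while the domain's
#    FQDN is corp.mydomain.com. -InstallDns makes this DC authoritative for corp.mydomain.com
#    only; mydomain.com itself stays on the external DNS, so no split-horizon zone is needed.
#    -CreateDnsDelegation:$false because the parent zone is hosted outside and the AD zone
#    is not meant to be reachable from the internet.
Install-ADDSForest `
    -DomainName 'corp.mydomain.com' `
    -DomainNetbiosName 'MYDOMAIN' `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword $dsrm `
    -Force
# The server reboots as a domain controller when this completes.

# --- After the reboot: confirm the two names diverged as intended ---
$d = Get-ADDomain
"DNSRoot     : $($d.DNSRoot)"       # expected: corp.mydomain.com
"NetBIOSName : $($d.NetBIOSName)"   # expected: MYDOMAIN

# Domain members locate DCs through these SRV records. Run the same two queries from the
# off-LAN Exchange host (or any datacenter server you intend to join): if they fail there,
# add a conditional forwarder for corp.mydomain.com pointing at the DCs across the VPN.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($d.DNSRoot)" -Type SRV
Resolve-DnsName -Name "_kerberos._tcp.$($d.DNSRoot)" -Type SRV

# The public web name must still resolve to the external host from inside the LAN,
# which shows the AD zone did not swallow the parent domain.
Resolve-DnsName -Name 'www.mydomain.com' -Type A
```

Note that nothing here pins the forest or domain functional level; Install-ADDSForest defaults to the highest level the installing OS supports, so set -ForestMode/-DomainMode explicitly if older DCs will join later.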