Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Choose active directory domain name [message #160734] Mon, 07 September 2009 04:37
WimVM (Belgium), Junior Member, Messages: 1, Registered: September 2009
Hello,

When designing an active directory domain I always ask myself the same
question: "what is the best domain name to use for the internal active
directory domain?" Over time I have already used a few suggested namings,
but they all seem to have pros and cons.

The last implementations used a subdomain of the real corporate
domain, like internal.company.com. But I noticed issues with mail
systems. Especially spam filters try to resolve the name (because it
looks like a valid domain with an existing TLD) and will end up with
an "unable to resolve". This is really bad because some systems seem
to assign high SPAM scores if the name cannot be resolved.

The idea was to use .local, like mycompany.local. The problem I see
with this is that you will end up in trouble when you need to create
trusts with others. The anti-spam problem is likely not an issue with
this one because in the Unix/Linux world .local is the default and most
systems accept that. I noticed that a lot of emails I receive
use .local if you look at the message headers.

What is your suggestion on this?
Re: Choose active directory domain name [message #160739 is a reply to message #160734] Mon, 07 September 2009 05:24
meiweb (Germany), Senior Member, Messages: 2225, Registered: September 2009
Hello WimVM,

If you see problems with .local, just choose another one, like .loc or .pri.
I wouldn't use a TLD which is also used externally, like .com etc.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
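The advice in the reply above (pick a private TLD, avoid one that is also used publicly) and the original poster's "unable to resolve" symptom can both be checked before a domain is ever promoted. What follows is an added example, not code from the thread or from any of its posters: a PowerShell function that classifies a candidate internal name by whether its TLD and its registrable second-level name are delegated in the public DNS. It assumes tooling newer than the 2009 thread (Windows PowerShell 3.0 or later with Resolve-DnsName), outbound DNS to a public recursive resolver (1.1.1.1 is an assumed default), and uses the hypothetical names example.com, corp.example.com, example.local and example.loc.

```powershell
# Added example, not from the thread. Pre-flight checks for a candidate internal AD DNS name.
# Assumptions: Windows PowerShell 3.0+ with the DnsClient module (Resolve-DnsName); outbound
# DNS to the public resolver given below. All domain names in the usage section are
# hypothetical placeholders.

function Test-InternalDomainName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Candidate,       # e.g. corp.example.com, example.loc
        [string] $PublicDomain,                             # the name you actually own, e.g. example.com
        [string] $PublicResolver = '1.1.1.1'                # assumption: any reachable recursive resolver
    )

    $name   = $Candidate.ToLowerInvariant().TrimEnd('.')
    $labels = $name.Split('.')
    if ($labels.Count -lt 2) { throw "Use at least two labels; single-label AD names are not supported." }
    if ($labels | Where-Object { $_ -notmatch '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$' }) {
        throw "Labels must be 1-63 characters of letters, digits and inner hyphens."
    }
    $tld  = $labels[-1]
    $apex = $labels[-2..-1] -join '.'        # registrable second-level name, e.g. example.net
    $findings = New-Object System.Collections.Generic.List[string]

    # Ask only the public resolver (-DnsOnly skips the hosts file, LLMNR and NetBIOS),
    # and keep only real NS answers (a name with no NS returns the zone SOA instead).
    function Get-PublicNs([string] $Zone) {
        try {
            Resolve-DnsName -Name $Zone -Type NS -Server $PublicResolver -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'NS' }
        } catch { $null }
    }

    # Sanity check: if even 'com' does not resolve we have no public DNS, so say so
    # instead of treating a timeout as "not delegated".
    if (-not (Get-PublicNs 'com')) {
        $findings.Add("No answer from $PublicResolver; delegation checks skipped.")
        $tldDelegated = $null; $apexDelegated = $null
    } else {
        $tldDelegated  = [bool](Get-PublicNs $tld)
        $apexDelegated = [bool](Get-PublicNs $apex)
    }

    if ($tld -eq 'local') {
        $findings.Add(".local is reserved for multicast DNS (RFC 6762); Apple and many Linux hosts resolve it over link-local multicast rather than your AD DNS, so lookups can fail or be answered by any host on the LAN.")
    }
    if ($tldDelegated -eq $true) {
        $pub = if ($PublicDomain) { $PublicDomain.ToLowerInvariant().TrimEnd('.') } else { '' }
        if ($pub -and ($name -eq $pub -or $name.EndsWith('.' + $pub))) {
            $findings.Add("Child of your public zone (split namespace): internal names do not resolve from the Internet unless you publish them, so keep the AD name out of outbound mail and HELO and put MX/SPF on the public name.")
        } elseif ($apexDelegated -eq $true) {
            $findings.Add("$apex is registered and delegated publicly. Unless it is yours, a public CA will not issue certificates for it and external lookups go to someone else's servers.")
        } else {
            $findings.Add("$tld is a public TLD but $apex is not delegated today; register it before using it internally, or someone else can.")
        }
    } elseif ($tldDelegated -eq $false) {
        $findings.Add("$tld is not delegated in the public root, i.e. a private TLD. Nothing outside can resolve it, and ICANN keeps delegating new gTLDs, so re-check it periodically.")
    }

    New-Object PSObject -Property @{
        Candidate     = $name
        Tld           = $tld
        TldDelegated  = $tldDelegated
        ApexDelegated = $apexDelegated
        Findings      = $findings.ToArray()
    }
}

# Usage (hypothetical names):
'corp.example.com', 'example.local', 'example.loc' |
    ForEach-Object { Test-InternalDomainName -Candidate $_ -PublicDomain 'example.com' } |
    Format-List Candidate, TldDelegated, ApexDelegated, Findings
```

The delegation questions are deliberately asked of a public resolver rather than the internal DNS servers: the internal servers will happily answer for whatever zone you created, which is exactly the blind spot that produced the spam-filter rejections described in the original post.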
Re: Choose active directory domain name [message #160741 is a reply to message #160734] Mon, 07 September 2009 05:33
Syed Khairuddin (Saudi Arabia), Member, Messages: 77, Registered: June 2009
In addition to Meinolf, please see this KB as well: http://support.microsoft.com/kb/909264


Thanks
Re: Choose active directory domain name [message #160743 is a reply to message #160734] Mon, 07 September 2009 06:35
aceman (United States), Senior Member, Messages: 5816, Registered: July 2009
Actually, I can't see how your internal private domain name is related to
your public email domain, unless they are the same names. Even if they are
the same names, then it would be called a split-zone, with separate and different
content internally for AD and externally for public records.

Even if your AD name is a subdomain of your public name, it's a different
namespace. That means internally, if you have child.domain.com created as a
zone, and not domain.com with the child name under it, then
child.domain.com is a totally separate namespace. When you set up a mail
system, you make it authoritative to receive mail for domain.com, meaning that
the MX record is created in the external namespace, and not internally.

Take Exchange for example: when you set up the authoritative mail suffix as
@domain.com, the default email address generator assigns that to the
internal mail-enabled objects (whether they are users, groups, or Public
Folders), and it becomes the default 'reply-to' address. The system does
retain the @child.domain.com email suffix as well, but it is not used
externally. This means that, let's say a user's name is Ace Fekay and the
alias is afekay, then the email address generator creates afekay@domain.com
and makes that the default reply-to name. When Ace Fekay sends out an email
to someone@someOtherdomain.com, Ace Fekay's reply-to address becomes
afekay@domain.com. The recipient in the outside world never sees
afekay@child.domain.com. When the recipient replies, it is going to
afekay@domain.com, and your MX records will be set on the public side for
domain.com to be your mail server.

Same thing goes when setting up an external Active Directory forest or NTLM
trust with another company. Using .local has nothing to do with not being
able to set up trusts. First you would set up a VPN between both companies,
using the IP address of each other's VPN devices, not the domain names. Once
the VPN is established and IP traffic routing is in place between both
companies, you would configure conditional forwarders between each company's
domain names to their respective DNS addresses by IP address, not domain
names. If an NTLM trust, then set up WINS. Either way, the internal names
have nothing to do with having problems setting up trusts. It's a matter of
establishing name resolution first.

As far as choosing what name to use internally, there are pros and cons of
using your public TLD (whether the same namespace or not) or a private TLD.
I prefer a private TLD. You also have to take into consideration if you will
be using Exchange 2007 and expect to purchase a UC/SAN certificate. This
type of cert has multiple names, and the internal Exchange server's private
FQDN will be part of it. So for instance, your company is called "A Big
Company", and your external name is abc.com. You decide to make your
internal name abc.net. However, you never purchased abc.net from the
registrar, and someone else did. So the Exchange server's internal name is
exchange.abc.net. In such a case, the CA will not approve it because A Big
Company is not the registered owner of abc.net at the registrar (when you do
a WHOIS) and it is owned by someone else.

Read more on the Exchange implications:

Exchange 2007 UC/SAN Certificate
http://msmvps.com/blogs/acefekay/archive/2009/08/23/exchange-2007-uc-san-certificate.aspx

There is more to internal name considerations, but I hope I was able to
point out the basics and alleviate your fears.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
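The Exchange behaviour Ace describes (the public name becomes the authoritative accepted domain and the primary reply-to address, while the AD child name survives only as a secondary proxy address) is driven by the accepted domains and the email address policy. The following is an added example, not code from the thread or from Ace, written for the Exchange Management Shell (Exchange 2007 or later) with rights to manage accepted domains and address policies; example.com, corp.example.com and the mailbox alias afekay are hypothetical placeholders.

```powershell
# Added example, not from the thread. Makes the public name the authoritative mail domain and the
# default reply-to address while the AD child name stays as a secondary proxy address.
# Assumptions: run in the Exchange Management Shell (Exchange 2007 or later) with rights to
# manage accepted domains and address policies; example.com / corp.example.com are hypothetical.

function Set-PublicMailNamespace {
    param(
        [Parameter(Mandatory)] [string] $PublicDomain,   # example.com: where the public MX points
        [Parameter(Mandatory)] [string] $AdDomain,       # corp.example.com: the AD DNS name, internal only
        [string] $PolicyName = 'Default Policy'
    )

    # Both domains must be accepted (authoritative) before a policy may stamp addresses in them.
    foreach ($d in @($PublicDomain, $AdDomain)) {
        $exists = Get-AcceptedDomain | Where-Object { $_.DomainName.ToString() -eq $d }
        if (-not $exists) {
            New-AcceptedDomain -Name $d -DomainName $d -DomainType Authoritative | Out-Null
        }
    }

    # Upper-case "SMTP:" marks the primary (reply-to) address; lower-case "smtp:" is a secondary
    # address that still accepts inbound mail internally but is never advertised. %m = alias.
    Set-EmailAddressPolicy -Identity $PolicyName `
        -EnabledEmailAddressTemplates @("SMTP:%m@$PublicDomain", "smtp:%m@$AdDomain")
    Update-EmailAddressPolicy -Identity $PolicyName     # re-stamp recipients already covered
}

function Test-PublicReplyAddress {
    param(
        [Parameter(Mandatory)] [string] $Identity,       # alias, UPN or display name of a mailbox
        [Parameter(Mandatory)] [string] $PublicDomain
    )
    $mbx     = Get-Mailbox -Identity $Identity
    $primary = $mbx.PrimarySmtpAddress.ToString()
    New-Object PSObject -Property @{
        Mailbox  = $mbx.Alias
        Primary  = $primary
        Proxies  = @($mbx.EmailAddresses | ForEach-Object { $_.ToString() })
        IsPublic = (($primary -split '@')[-1] -ieq $PublicDomain)
    }
}

# Usage (hypothetical): afterwards afekay's reply-to is afekay@example.com and
# afekay@corp.example.com survives only as a lower-case "smtp:" proxy address.
Set-PublicMailNamespace -PublicDomain 'example.com' -AdDomain 'corp.example.com'
Test-PublicReplyAddress -Identity 'afekay' -PublicDomain 'example.com' | Format-List
```

Test-PublicReplyAddress is the check worth running after any policy change: if IsPublic comes back false for a mailbox, that user's outbound mail will carry the internal suffix, which is precisely the header that the original poster saw spam filters fail to resolve.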
Re: Choose active directory domain name [message #160780 is a reply to message #160734] Tue, 08 September 2009 06:26
pbbergs (United States), Senior Member, Messages: 1024, Registered: July 2009
There should be nothing wrong with child.company.com. I wouldn't use it if
it was a test, since you would be using a production namespace with a test
namespace. If you want to use it and you are getting the "unable to resolve", then
you have a DNS issue, unrelated to the promotion itself.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

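Both Ace's reply (conditional forwarders to the partner's DNS servers by IP address, then the trust) and Paul's (an "unable to resolve" is a DNS problem, nothing else) come down to proving name resolution before touching the trust. The following is an added example, not code from the thread or from either poster: PowerShell that creates the conditional forwarder, verifies the partner's DC locator SRV records and their A records, and only then creates a bidirectional forest trust through the .NET System.DirectoryServices.ActiveDirectory API. It assumes tooling newer than the 2009 thread (the DnsServer and DnsClient modules from Windows Server 2012 or later RSAT) run on a DNS server in the local forest, that the VPN already routes to the partner's DNS servers, and that partner.example, the 10.200.0.x addresses and the PARTNER\trustadmin account are hypothetical placeholders.

```powershell
# Added example, not from the thread. Establish and verify name resolution to a partner forest
# before creating the forest trust. Assumptions: run on a DNS server / DC of the local forest
# with the DnsServer and DnsClient modules (Windows Server 2012+ RSAT); the VPN already routes
# to the partner's DNS servers; partner.example, the IPs and the account are hypothetical.

function Add-PartnerConditionalForwarder {
    param(
        [Parameter(Mandatory)] [string]   $PartnerDomain,   # partner's AD DNS name, e.g. partner.example
        [Parameter(Mandatory)] [string[]] $PartnerDns       # partner DNS server IPs reachable over the VPN
    )
    # Forward only the partner's namespace, by IP, and replicate the forwarder to every DNS
    # server in the forest so each DC resolves the partner the same way.
    if (-not (Get-DnsServerZone -Name $PartnerDomain -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $PartnerDomain -MasterServers $PartnerDns `
            -ReplicationScope Forest
    }
    Get-DnsServerZone -Name $PartnerDomain | Select-Object ZoneName, ZoneType, MasterServers
}

function Test-PartnerForestResolution {
    param([Parameter(Mandatory)] [string] $PartnerDomain)
    # A trust needs the partner's DC locator records, not merely the bare domain name.
    $queries = "_ldap._tcp.dc._msdcs.$PartnerDomain", "_kerberos._tcp.dc._msdcs.$PartnerDomain"
    $results = foreach ($q in $queries) {
        $srv = Resolve-DnsName -Name $q -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        foreach ($rec in $srv) {
            # Each SRV target must itself resolve to an address across the VPN.
            $a = Resolve-DnsName -Name $rec.NameTarget -Type A -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' }
            New-Object PSObject -Property @{
                Query  = $q
                Target = $rec.NameTarget
                Port   = $rec.Port
                IP     = (@($a | ForEach-Object { $_.IPAddress }) -join ',')
                Ok     = [bool]$a
            }
        }
    }
    if (-not $results) { throw "No SRV records for $PartnerDomain: fix DNS/VPN before attempting the trust." }
    $results
}

function New-PartnerForestTrust {
    param(
        [Parameter(Mandatory)] [string] $PartnerForest,
        [Parameter(Mandatory)] [string] $PartnerAdminUser,       # e.g. PARTNER\trustadmin (hypothetical)
        [Parameter(Mandatory)] [string] $PartnerAdminPassword
    )
    # Refuse to create the trust until every located partner DC resolves to an address.
    $res = Test-PartnerForestResolution -PartnerDomain $PartnerForest
    if ($res | Where-Object { -not $_.Ok }) { throw "Some partner DCs do not resolve to an address." }

    Add-Type -AssemblyName System.DirectoryServices
    $ctxType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest
    $ctx     = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
                   $ctxType, $PartnerForest, $PartnerAdminUser, $PartnerAdminPassword)
    $remote  = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
    $local   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $local.CreateTrustRelationship($remote,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)
    $local.GetTrustRelationship($PartnerForest) |
        Select-Object SourceName, TargetName, TrustDirection, TrustType
}

# Usage (hypothetical values); the trust itself is created only after both checks pass:
Add-PartnerConditionalForwarder -PartnerDomain 'partner.example' -PartnerDns '10.200.0.10', '10.200.0.11'
Test-PartnerForestResolution -PartnerDomain 'partner.example' | Format-Table Query, Target, IP, Ok
# New-PartnerForestTrust -PartnerForest 'partner.example' -PartnerAdminUser 'PARTNER\trustadmin' -PartnerAdminPassword (Read-Host 'Partner admin password')
```

Nothing here depends on which TLD either side chose: the forwarder is keyed on the partner's full domain name and points at IP addresses, which is the point Ace makes about .local not being an obstacle to trusts.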