> Should a domain name be private or public? We are
> considering a dedicated root domain and two or three domains directly
> under it. I feel that our domain name should be private. That is a
> domain named like mydomain.priv or mydomain.local. Is there a compelling
> reason to use an actual publishable name? (mydomain.edu)
I'm strongly of the opinion that a publishable name should be used. If
it turns out that private will suit you best, then you don't actually
have to publish it yet. The "published" DNS entries for your name can
be blackholed if you like. It's just nice to have the option in future.
The reason I say this is that Windows .NET (the operating system
formerly known as Whistler) Active Directory cross forest trusts are
Kerberos trusts between forest root domains. This means you need DNS
resolution between every domain in each forest and the root domain of
the other forest (and more besides, but that is the key bit.)
So if you have a private name and later upgrade to .NET AD and have a
cross forest trust with the example.com forest, every client in the
example.com forest will need to be able to resolve mydomain.priv. Which
is a possible (but unenviable and hard to maintain) kludge to their DNS
config. Worse still, say that you choose "forest.root" as your forest
root domain name -- and the nice folks at Example Corp also choose
"forest.root" as their forest root domain name, and then you try to make
a cross forest trust...
(Of course, there's no need to actually use the top level "mydomain.edu"
-- you could always use something like
"really.secret.domain.name.mydomain.edu")
--
Adam Wood
http://www.adamwood.com
List info: http://www.activedir.org/mail_list.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
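The DNS dependency Adam describes (every client in the partner forest must resolve your forest root, and the two roots must not collide) can be checked before the trust is created. The script below is an added pre-flight check, not part of the original post or of any Microsoft tooling; it assumes the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 or later), the forest names are constructed placeholders, and the list of non-delegated suffixes is an assumption based on the names mentioned in the thread plus a few commonly seen private suffixes.

```powershell
# Added example (not from the original post). Pre-flight check run from a
# machine in the local forest before creating a cross-forest trust:
#  - is each forest root name publicly delegable (so partners can resolve it
#    without per-partner DNS kludges)?
#  - do the two roots collide?
#  - can this forest already resolve the other root's NS and KDC SRV records?
# Assumes the DnsClient module; forest names below are constructed placeholders.

$localForestRoot  = 'ad.mydomain.edu'
$remoteForestRoot = 'forest.root'

# Assumed list: suffixes not delegated in the public DNS root. A forest using
# one of these can only be resolved by partners who add special-case forwarders.
$nonPublicSuffixes = @('.local', '.priv', '.root', '.lan', '.internal', '.corp', '.home')

function Test-ForestRootName {
    param([Parameter(Mandatory)][string]$Name)

    $result = [ordered]@{
        Name            = $Name
        SingleLabel     = ($Name -notmatch '\.')
        NonPublicSuffix = $false
        NsResolves      = $false
        KdcSrvResolves  = $false
    }

    foreach ($suffix in $nonPublicSuffixes) {
        if ($Name.ToLower().EndsWith($suffix)) { $result.NonPublicSuffix = $true }
    }

    # Does our resolver know the zone at all? Look for NS records of the root.
    try {
        $ns = Resolve-DnsName -Name $Name -Type NS -ErrorAction Stop
        $result.NsResolves = [bool]($ns | Where-Object { $_.Type -eq 'NS' })
    } catch { }

    # Kerberos KDC locator record that trust setup and clients depend on.
    try {
        $srv = Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$Name" -Type SRV -ErrorAction Stop
        $result.KdcSrvResolves = [bool]($srv | Where-Object { $_.Type -eq 'SRV' })
    } catch { }

    [pscustomobject]$result
}

$checks = @($localForestRoot, $remoteForestRoot) | ForEach-Object { Test-ForestRootName $_ }
$checks | Format-Table -AutoSize

# Same root name on both sides: a trust between them cannot be created at all.
if ($localForestRoot -ieq $remoteForestRoot) {
    Write-Warning "Both forests use the root name '$localForestRoot'; rename one before attempting a trust."
}

foreach ($c in $checks) {
    if ($c.NonPublicSuffix -or $c.SingleLabel) {
        Write-Warning "'$($c.Name)' is not publicly delegable; every partner forest will need a conditional forwarder or stub zone for it."
    }
    if (-not $c.KdcSrvResolves) {
        Write-Warning "KDC SRV record for '$($c.Name)' does not resolve from here; add a conditional forwarder (e.g. Add-DnsServerConditionalForwarderZone on your DNS servers) before creating the trust."
    }
}
```

Run it from a domain-joined machine in each forest in turn; a root that fails the suffix test is exactly the "unenviable and hard to maintain kludge" case from the post, since every partner will have to carry a forwarder for it forever.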