Lev,

There are any number of ways that this can be done - many of which some are going to tell you are wrong. Frankly, Microsoft has flipped on this one subject more times than any other.

The question comes down to two considerations - what is your comfort level with dealing with a single namespace for your internal and external DNS, and how much security do you want to deal with?

There is nothing stopping you from having a private address range internally and coexisting with your external address space (that's what NATting, proxying and routing are all about). The single purpose for having a separate DNS domain for the internal from the external is to 'hide' the sensitive Active Directory information from prying outside eyes. It CAN be accomplished with a single domain name, but it requires a specific set of security rules. Split-brain DNS is where you should most likely be. It provides security, a set of 'books', if you will, for the internal and a separate one for the external. And, it's not overly difficult to set up or maintain.

Want to read an authoritative article on the subject? I have two that are quite good:

Mark Minasi on AD and DNS design: http://www.win2000mag.net/Articles/Index.cfm?ArticleID=21128

National Security Agency on Windows 2000 Security - http://nsa1.www.conxion.com/win2k/download.htm
See sections 5 and 6, though the entire thing is VERY good.

Good luck. The decision is not this hard, honestly. It's making a commitment to a direction and securing it that is the hard part.
Rick Kingslan - Microsoft Certified Trainer
MCSE+I on Windows NT 4.0
MCSE on Windows 2000
MVP [Windows NT/2000 Server]
"Any sufficiently advanced technology
is indistinguishable from magic."
--- Arthur C. Clarke
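An added illustration of the split-brain arrangement described above, not from the thread or from either article it cites: BIND 9 views serving two sets of 'books' for one name. The name example.com, the address ranges and the host names are assumed for the example; the SRV records are the ones Windows 2000 domain controllers register for LDAP and Kerberos, and they appear only in the internal books.

```conf
// ---- named.conf (excerpt): one name, two sets of "books" ----
acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.internal";
        // Domain controllers register their records by dynamic update;
        // restrict it to the DC subnet (assumed 10.0.1.0/24) rather than "any".
        allow-update { 10.0.1.0/24; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;                 // the outside gets answers, not a resolver
    allow-transfer { none; };     // no zone dumps of the public books either
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.external";
        allow-update { none; };
    };
};

; ---- db.example.com.internal: private addresses plus AD service records ----
$TTL 3600
@               IN SOA  dc1.example.com. hostmaster.example.com. (2002051401 3600 900 604800 300)
@               IN NS   dc1.example.com.
dc1             IN A    10.0.1.10
_ldap._tcp      IN SRV  0 100 389 dc1.example.com.
_kerberos._tcp  IN SRV  0 100 88  dc1.example.com.
www             IN A    10.0.2.20         ; internal path to the web server

; ---- db.example.com.external: public records only, nothing about AD ----
$TTL 3600
@               IN SOA  ns1.example.com. hostmaster.example.com. (2002051401 3600 900 604800 300)
@               IN NS   ns1.example.com.
ns1             IN A    203.0.113.2
www             IN A    203.0.113.10      ; public (NAT) address
@               IN MX   10 mail.example.com.
mail            IN A    203.0.113.11
```

A quick check that the books really are separate is to query the same name from inside and outside and confirm that the SRV records only ever come back to internal clients.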
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lev Zdeněk
Sent: Tuesday, May 14, 2002 9:49 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] domain name

Hello everyone,
Are there any arguments why the FQDN for AD should not be a namespace on the Internet, such as domain.com or domain.net, but rather domain.local or domain.intra? THX
Z.
