I have done 5 enterprise sized production installations/implementations of AD and have always used the .local dns suffix. AD's DNS does not need to be globally routable.
Example: NetBIOS domain name of ThanksBill, DNS domain name of ThanksBill.local. Internal DNS (unregistered DNS) and External DNS (your registered DNS name) are then maintained in separate zones (Internal never to be replicated outside your network). My internal clients are assigned the internal zone as the primary DNS suffix through DHCP (done manually for static IPs) and I add the external DNS zone as an alternate search suffix. Intranet sites are registered in the non-registered zone (intranet.thanksbill.local) and internet sites are registered in the registered DNS zone (www.thanksbill.com). If you were hosting your own registered DNS zone and maintained it on your internal network, letting TCP and UDP port 53 pass through your PIX, this setup would keep the AD DNS and Registered DNS zones separate... a good thing indeed. I would never recommend allowing any traffic to pass into your internal network, this was just an example. I would host my registered DNS in a perimeter zone (DMZ for those of us not in Korea) and maintain my MX and Internet records separate from my internal DNS servers.

I am sure others have a more articulate explanation, but I think you are on the right track.

-----Original Message-----
From: Jim Busick [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 05, 2002 2:32 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD upgrade DNS namespace questions.

We are planning to upgrade our single NT domain to AD and I want to make sure I understand how we will name the domain. Currently our NT domain name is SSD_DOMAIN0 (yeah, I know. I was handed it) and our registered domain name is santee.k12.ca.us. We are NAT'd behind a PIX and using 10. private addresses and only need our website and Exchange (5.5) visible to the internet. As I understand it, when I run the Win2k upgrade I will be asked for the FQDN, I assume that I should use santee.k12.ca.us, right? If I do, how will this affect our downlevel (we still have W9x) clients?
I've read that I shouldn't use your registered DNS name for the AD, something like ssd.santee.k12.ca.us. Any advice on this subject would be appreciated.

TIA
Jim Busick
Database Network Analyst MCSE
Santee School District
Santee, CA 92071

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
