One of the reasons that I've recommended using a registerable domain name (but not the domain name that hosts your website, etc.) for the AD domain name is that .NET will allow forest-level trusts between domains, and using a real domain name will allow this to be done across the Internet. Use a .local and you'll not be able to do this.
Missy Koslosky
hp Services

----- Original Message -----
From: "Ken Cornetet" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 06, 2002 9:49 AM
Subject: RE: [ActiveDir] AD upgrade DNS namespace questions.

At $9/year from godaddy.com, it would be silly not to register.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 06, 2002 7:42 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD upgrade DNS namespace questions.

Call it a safety net, or whatever, but it's still not a good idea to make up a TLD. Take, for instance, the case of two companies that choose ad.local as their AD domain name. There can be a lot of different issues if they ever try to merge or even connect their networks (extranet style). Uniqueness is key in AD domains - and for $35 USD[1] a year, I think it wise to register the domain with your favorite registrar.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

[1] Or less, depending on your registrar. I spent $8 USD last time, IIRC.

> -----Original Message-----
> From: Ben Machin [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 05, 2002 6:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] AD upgrade DNS namespace questions.
>
> As far as I can see the name is immaterial - the thing that matters is if you chose a TLD that ever became in use on the Internet. Only then are you likely to have a problem...
>
> If .local never gets used as a TLD there's no issue... but to be absolutely sure either register your AD domain name, if it has a valid TLD, and never use it on the Internet - or make an educated gamble on the TLD, choose one like .local or .xyz, not being used during the lifetime of your forest.
>
> ----- Original Message -----
> From: "Roger Seielstad" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, December 05, 2002 9:20 PM
> Subject: RE: [ActiveDir] AD upgrade DNS namespace questions.
>
> > Two different groups (each) at Compaq Consulting Services and Microsoft Consulting Services. I don't have anything that's not company-proprietary to share.
> >
> > I also recall hearing the same recommendation at MEC2001 in Orlando as well - you might want to see if those sessions are still available on Microsoft's website.
> >
> > ------------------------------------------------------
> > Roger D. Seielstad - MCSE
> > Sr. Systems Administrator
> > Inovis - Formerly Harbinger and Extricity
> > Atlanta, GA
> >
> > > -----Original Message-----
> > > From: Charles Carerros [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, December 05, 2002 3:44 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] AD upgrade DNS namespace questions.
> > >
> > > I would like to see where this best practice rule came from. My university is using the .local structure because when we began putting up AD domains this was the best practice. Right now we are considering a proposal to put up another AD domain and I would like it to be as up-to-date as it can be. So, can you point me in the direction of your source?
> > >
> > > Thanks,
> > >
> > > Chuck
> > >
> > > -----Original Message-----
> > > From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, December 05, 2002 2:34 PM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: RE: [ActiveDir] AD upgrade DNS namespace questions.
> > >
> > > While there's no requirement to use *the* organization's DNS domain, it is strongly suggested to use a valid, registered DNS domain, and NOT to use .local.
> > >
> > > Specifically, it guarantees uniqueness of domain names, in case there is ever a time in which 2 organizations decide to enter a trust relationship, etc.
> > >
> > > We chose to register 2 generic DNS names for our forest root and production domains. The .local suggestion was done, IIRC, as part of the JDP program, and after the deployments began, it became apparent that there are some pretty big potential conflicts out there, and that using valid, registered domains is really the best practice.
> > >
> > > ------------------------------------------------------
> > > Roger D. Seielstad - MCSE
> > > Sr. Systems Administrator
> > > Inovis - Formerly Harbinger and Extricity
> > > Atlanta, GA
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, December 05, 2002 3:16 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] AD upgrade DNS namespace questions.
> > > >
> > > > I have done 5 enterprise sized production installations/implementations of AD and have always used the .local DNS suffix. AD's DNS does not need to be globally routable.
> > > >
> > > > Example:
> > > > NetBIOS domain name of ThanksBill
> > > > DNS domain name of ThanksBill.local
> > > >
> > > > Internal DNS (unregistered DNS) and External DNS (your registered DNS name) are then maintained in separate zones (internal never to be replicated outside your network). My internal clients are assigned the internal zone as the primary DNS suffix through DHCP (done manually for static IPs) and I add the external DNS zone as an alternate search suffix. Intranet sites are registered in the non-registered zone intranet.thanksbill.local and Internet sites are registered in the registered DNS zone www.thanksbill.com.
> > > >
> > > > If you were hosting your own registered DNS zone and maintained it on your internal network letting TCP and UDP port 53 pass through your PIX, this setup would keep the AD DNS and registered DNS zones separate.....a good thing indeed. I would never recommend allowing any traffic to pass into your internal network, this was just an example. I would host my registered DNS in a perimeter zone (DMZ for those of us not in Korea) and maintain my MX and Internet records separate from my internal DNS servers.
> > > >
> > > > I am sure others have a more articulate explanation, but I think you are on the right track.
> > > >
> > > > -----Original Message-----
> > > > From: Jim Busick [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, December 05, 2002 2:32 PM
> > > > To: '[EMAIL PROTECTED]'
> > > > Subject: [ActiveDir] AD upgrade DNS namespace questions.
> > > >
> > > > We are planning to upgrade our single NT domain to AD and I want to make sure I understand how we will name the domain. Currently our NT domain name is SSD_DOMAIN0 (yeah, I know. I was handed it) and our registered domain name is santee.k12.ca.us. We are NAT'd behind a PIX and using 10. private addresses and only need our website and Exchange (5.5) visible to the Internet. As I understand it, when I run the Win2k upgrade I will be asked for the FQDN; I assume that I should use santee.k12.ca.us, right? If I do, how will this affect our downlevel (we still have W9x) clients? I've read that I shouldn't use your registered DNS name for the AD, something like ssd.santee.k12.ca.us. Any advice on this subject would be appreciated.
> > > >
> > > > TIA
> > > > Jim Busick
> > > > Database Network Analyst MCSE
> > > > Santee School District
> > > > Santee, CA 92071

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
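Added example, not code from any poster in this thread: a small Python checker that encodes the naming rules argued above so a proposed name can be vetted before the forest is built. It validates RFC 1035 label syntax, rejects the special-use TLDs the IETF has reserved since 2002 (.local went to Multicast DNS in RFC 6762, exactly the later collision Ben Machin was betting against), classifies the name against the organisation's public domain (same name means split-brain DNS, a subdomain such as ssd.santee.k12.ca.us is delegated and unique, a separate name is fine only once registered), and checks two forests for the ad.local-versus-ad.local trust collision Roger Seielstad describes. The function names, the ok/warn/reject vocabulary and the constructed names (example.com, example-ad.net) are this example's own; thanksbill.local and santee.k12.ca.us are taken from the thread.

```python
import re

# Special-use TLDs that can never be registered, and why. All of these
# reservations post-date the 2002 thread; .local is the one that bit the
# ".local is safe" camp.
SPECIAL_USE_TLDS = {
    "local": "reserved for Multicast DNS (RFC 6762); Apple and many Linux "
             "resolvers send *.local queries to mDNS, not to the AD DNS servers",
    "localhost": "loopback only (RFC 6761)",
    "test": "testing only, never delegated (RFC 6761)",
    "example": "documentation only (RFC 6761)",
    "invalid": "guaranteed never to resolve (RFC 6761)",
    "onion": "Tor onion services (RFC 7686)",
}

# RFC 1035 label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def split_labels(name):
    """Lower-case a DNS name, drop any trailing dot, return its labels."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def syntax_problems(name):
    """RFC 1035 syntax problems with a DNS name; an empty list means it is valid."""
    labels = split_labels(name)
    if not labels:
        return ["empty name"]
    problems = []
    if len(".".join(labels)) > 253:
        problems.append("name longer than 253 characters")
    for label in labels:
        if not _LABEL_RE.match(label):
            problems.append(f"bad label {label!r}: 1-63 letters/digits/hyphens, "
                            "no leading or trailing hyphen")
    return problems


def is_subdomain_of(child, parent):
    """True when child sits strictly below parent (corp.example.com under example.com)."""
    c, p = split_labels(child), split_labels(parent)
    return len(c) > len(p) and c[-len(p):] == p


def assess_ad_name(ad_name, public_domain, registered_to_org=False):
    """Classify a proposed AD DNS name against the organisation's registered public domain.

    registered_to_org: the organisation holds the registration for ad_name when
    it is not under public_domain. Returns {'verdict': 'ok'|'warn'|'reject',
    'reasons': [...]}; the verdict vocabulary is this example's own.
    """
    problems = syntax_problems(ad_name)
    if problems:
        return {"verdict": "reject", "reasons": problems}
    labels = split_labels(ad_name)
    if len(labels) == 1:
        return {"verdict": "reject",
                "reasons": ["single-label DNS name: discouraged by Microsoft, "
                            "use at least two labels"]}
    tld = labels[-1]
    if tld in SPECIAL_USE_TLDS:
        return {"verdict": "reject",
                "reasons": [f".{tld} can never be registered: {SPECIAL_USE_TLDS[tld]}"]}
    if labels == split_labels(public_domain):
        return {"verdict": "warn",
                "reasons": ["same name as the public domain (split-brain DNS): the "
                            "internal zone is authoritative, so every public record "
                            "(www, MX, ...) has to be copied into it by hand"]}
    if is_subdomain_of(public_domain, ad_name):
        return {"verdict": "warn",
                "reasons": [f"{ad_name} is above {public_domain}: an internal zone "
                            "for it would shadow the public zone unless delegated"]}
    if is_subdomain_of(ad_name, public_domain):
        return {"verdict": "ok",
                "reasons": [f"subdomain of {public_domain}: globally unique and "
                            "delegated from a zone the organisation already owns"]}
    if registered_to_org:
        return {"verdict": "ok",
                "reasons": ["separate registered name: unique; keep it off the public Internet"]}
    return {"verdict": "warn",
            "reasons": ["separate name the organisation does not hold: register it "
                        "before building the forest, or someone else will"]}


def can_trust(forest_a, forest_b):
    """Forest trusts need distinct, non-overlapping DNS namespaces."""
    if split_labels(forest_a) == split_labels(forest_b):
        return False, "identical DNS names (two ad.local forests is the classic case); rename one first"
    if is_subdomain_of(forest_a, forest_b) or is_subdomain_of(forest_b, forest_a):
        return False, "one forest's name lies inside the other's namespace: name-suffix routing conflict"
    return True, "distinct namespaces"


if __name__ == "__main__":
    # Names from the thread, plus the NT name Jim was handed.
    for ad, pub in [("ThanksBill.local", "thanksbill.com"),
                    ("santee.k12.ca.us", "santee.k12.ca.us"),
                    ("ssd.santee.k12.ca.us", "santee.k12.ca.us"),
                    ("SSD_DOMAIN0", "santee.k12.ca.us")]:
        r = assess_ad_name(ad, pub)
        print(f"{ad:24} {r['verdict']:7} {r['reasons'][0]}")
    print(can_trust("ad.local", "ad.local"))
```

The checker only reasons about names; it cannot tell whether a separate name is actually registered to you, which is why that branch takes a flag. The NetBIOS name (15 characters, also required to be unique across trusting forests) is a separate check this example leaves out.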
