On Fri, Nov 1, 2013 at 11:09 AM, J- P <[email protected]> wrote:
> In creating the new domain should I just stick with examplemail.org?
> Aside from it looking/sounding dumb, any downside to this approach?

Doing so will create what's called a "split DNS". You'll have to have different views of the <examplemail.org.> zone depending on whether you're inside your network or outside of it. Opinions are divided on this. My standard write-up (with my opinion) follows below. If you've been on this list long enough you've seen it before. You can Google to find archived discussions of this subject:

https://www.google.com/search?q=ntsysadmin+%22split+dns%22

I favor using a registered domain name that you control, so there is no possibility of ever having a name collision, even in the event of a merger/acquisition, or changes in the public DNS topology, or new stuff that claims your unregistered domain name. (Some implementations of zeroconf want to use ".local".)

You can register a separate 2LD (like example.com or example.net) just for Active Directory, or use a subdomain of your "regular" domain (e.g., "corp.example.com" or "inside.example.com" or "ad.example.com" or whatever).

Using your "main" domain for Active Directory creates a "split DNS", where you have multiple disjoint namespaces with the same name. I regard that as an ugly kludge. It's not how DNS is designed to work, and going against the design assumptions is rarely a good idea.

My objection to split DNS is simple: it is one more thing to go wrong. If I can eliminate a place for something to go wrong, I will. And when you are claiming authority for a DNS zone you are not authoritative for (which is what split DNS is all about), there is the potential for things to go wrong. Sure, if you do it right, nothing will go wrong, but *WHY* even open up the possibility, if it does not get you *any* advantage?

At the same time, I think using a separate DNS domain name has several advantages:

* It keeps DNS names globally unique.
* It clearly identifies internal vs. external resources by their name.
* You don't have to worry about keeping two different DNS zones in sync.
* Should you decide you want to expose your private DNS to the public for any reason, you can still do so.
* Roaming systems which are sometimes outside the private network will never get confused over which DNS zone is currently visible.

In short, it keeps separate things separate.

-- 
Ben
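The two layouts contrasted in the message above, as an added illustration that is not part of the original thread or of any list member's configuration: a BIND named.conf fragment showing the split-DNS layout (the same examplemail.org zone served with different contents to inside and outside clients), followed by the separate-subdomain layout the reply recommends. The address ranges, zone file paths and the name corp.examplemail.org are assumptions made for the example; each part is a separate, complete named.conf, not one file.

```conf
// Added example, not from the thread. Part A: the split-DNS layout.
// One zone name, two contents. The internal view claims authority for
// examplemail.org, which is really hosted on the public servers, so every
// public record (www, MX, ...) has to be copied into the internal zone file
// and kept in sync by hand, and a laptop that moves between networks gets
// different answers for the same name.
acl "inside" { 10.0.0.0/8; 192.168.0.0/16; localhost; };   // assumed ranges

view "internal" {
    match-clients { inside; };
    recursion yes;
    zone "examplemail.org" {
        type master;
        file "/etc/bind/zones/db.examplemail.org.internal";  // assumed path
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "examplemail.org" {
        type master;
        file "/etc/bind/zones/db.examplemail.org.external";  // assumed path
    };
};

// ---------------------------------------------------------------------
// Part B (separate named.conf): the separate-namespace layout.
// The internal resolver is authoritative only for the AD subdomain.
// examplemail.org itself is looked up recursively from the public servers,
// so inside and outside clients see identical answers for it and nothing
// has to be kept in sync. Internal names are recognisable by the
// corp. prefix, and the subdomain can later be published if ever wanted.
acl "inside" { 10.0.0.0/8; 192.168.0.0/16; localhost; };   // assumed ranges

options {
    recursion yes;
    allow-recursion { inside; };          // recurse only for internal clients
};

zone "corp.examplemail.org" {
    type master;
    file "/etc/bind/zones/db.corp.examplemail.org";          // assumed path
};
```

With Part B, the public examplemail.org zone needs no knowledge of the internal hosts at all; with Part A, any record added to the public zone that is forgotten in the internal copy silently breaks resolution for inside clients, which is the "one more thing to go wrong" the message describes.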

