> You can register a separate 2LD (like example.com or example.net) just for Active Directory, or use a subdomain of your "regular" domain (e.g., "corp.example.com" or "inside.example.com" or ...

There are no available 2LDs, so I guess I will be going the subdomain route: HQ.examplemail.org

Thx,
Jean-Paul Natola

> From: [email protected]
> Date: Fri, 1 Nov 2013 13:53:47 -0400
> Subject: Re: [NTSysADM] Recreating domain
> To: [email protected]
>
> On Fri, Nov 1, 2013 at 11:09 AM, J- P <[email protected]> wrote:
> > In creating the new domain should I just stick with examplemail.org? Aside
> > from it looking/sounding dumb, is there any downside to this approach?
>
> Doing so will create what's called a "split DNS". You'll have to
> have different views of the <examplemail.org.> zone whether you're
> inside your network or outside of it.
>
> Opinions are divided on this. My standard write-up (with my
> opinion) follows below. If you've been on this list
> long enough you've seen it before. You can Google to find archived
> discussions of this subject:
>
> https://www.google.com/search?q=ntsysadmin+%22split+dns%22
>
> I favor using a registered domain name that you control, so there is
> no possibility of ever having name collision, even in the event of a
> merger/acquisition, or changes in the public DNS topology, or new
> stuff that claims your unregistered domain name. (Some
> implementations of zeroconf want to use ".local".)
>
> You can register a separate 2LD (like example.com or example.net)
> just for Active Directory, or use a subdomain of your "regular" domain
> (e.g., "corp.example.com" or "inside.example.com" or "ad.example.com"
> or whatever).
>
> Using your "main" domain for Active Directory creates a "split DNS",
> where you have multiple disjoint namespaces with the same name. I
> regard that as an ugly kludge. It's not how DNS is designed to work,
> and going against the design assumptions is rarely a good idea.
>
> My objection to split DNS is simple: It is one more thing to go
> wrong. If I can eliminate a place for something to go wrong, I will.
> And when you are claiming authority for a DNS zone you are not
> authoritative for (which is what split DNS is all about), there is the
> potential for things to go wrong. Sure, if you do it right, nothing
> will go wrong, but *WHY* even open up the possibility, if it does not
> get you *any* advantage?
>
> At the same time, I think using a separate DNS domain name has several
> advantages:
>
> * It keeps DNS names globally unique.
>
> * It clearly identifies internal vs external resources in their name.
>
> * You don't have to worry about keeping two different DNS zones in sync.
>
> * Should you decide you want to expose your private DNS to the public
> for any reason, you can still do so.
>
> * Roaming systems which are sometimes outside the private network will
> never get confused over which DNS zone is currently visible.
>
> In short, it keeps separate things separate.
>
> -- Ben
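As an added illustration of the two approaches Ben describes (this is not part of the thread; the address ranges, zone file names and record values are assumed), here is what the two designs look like in BIND terms: split DNS on examplemail.org, where the same zone name is served twice with different contents, versus a dedicated hq.examplemail.org zone that exists only on the internal resolver:

```conf
// ===== Option A: split DNS on examplemail.org (two copies of one zone name) =====
// File: named.conf on the internal server. Every record that exists in both
// copies (MX, www, autodiscover, ...) now has to be kept in sync by hand, and a
// laptop that roams outside simply gets the public copy's answer for the same
// name, with nothing to tell it that the AD records are missing.
view "internal" {
    match-clients { 10.0.0.0/8; localhost; };   // assumed internal address range
    recursion yes;
    zone "examplemail.org" {
        type master;
        file "zones/examplemail.org.internal.db";   // DC A records, _ldap._tcp SRV, etc.
    };
};
view "external" {
    match-clients { any; };
    recursion no;
    zone "examplemail.org" {
        type master;
        file "zones/examplemail.org.external.db";   // public MX / www only
    };
};

// ===== Option B: dedicated AD subdomain hq.examplemail.org (the route chosen above) =====
// File: named.conf on the internal resolver (or the equivalent AD-integrated zone on
// Windows DNS). It is authoritative for the AD zone only and recurses to the public
// servers for everything else, including examplemail.org itself, so there is exactly
// one copy of each name. Outside the network, hq.examplemail.org is not delegated by
// the public zone, so a roaming client gets NXDOMAIN rather than a wrong answer.
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; localhost; };   // assumed internal address range
};
zone "hq.examplemail.org" {
    type master;
    file "zones/hq.examplemail.org.db";   // DC A records, _ldap._tcp / _kerberos SRV, etc.
};
```

The two options are alternative named.conf contents, not one file: BIND does not allow top-level zone statements alongside view blocks. Option B is what makes the "keeps separate things separate" point concrete: the public examplemail.org zone never needs to know the AD zone exists, and if you later want to expose it you add a single NS delegation for hq in the public zone instead of reconciling two diverging copies.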

