Issues with using real domain for Active Directory domain?

Is there any reason why I shouldn't use example.com as my AD domain versus example.local or some other non-existent variant?


Solution 1:

I like this approach... The only PITA factor I've found with this is if you make a change to your external DNS (for public services, not AD-linked) server, you have to remember to change/add the entry into your internal DNS server.

So, for example, if you move your website to another IP address and change your entry with register.com (or godaddy or wherever), you have to go in and change the IP on your local DNS server.

EDIT: I came across an MS article called "Naming Conventions for Active Directory for computers, domains, sites, and OUs".

In that document, they say:

A DNS namespace that is connected to the Internet must be a subdomain of a top-level or second-level domain of the Internet DNS namespace.

Further in that document, they recommend something like corp.yourdomain.com as an example.

Solution 2:

Don't use your "real domain name" for an Active Directory domain name. The reason that AdamB gave as a "PITA factor" is exactly the reason not to, and it's not just a "PITA".

It's bad practice to put up a DNS server that's authoritative for a domain that already has authoritative nameservers elsewhere. If you do it, you'll soon want to resolve the "already authoritative" names and have a mess of manually duplicating records into your internal DNS servers.

If you want a namespace contiguous with your "real" domain name, try something like "ad.company.com". Leave "company.com" out of it.

Edit:

Now I think I see where you're going. You should really read up on how DNS is used by Active Directory (http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx). You really do want to host the DNS for Active Directory locally!

The DNS for your Internet domain name (for your email, website, etc) absolutely should be hosted externally, but that doesn't have to be (and really shouldn't be) the same domain name you use for your Active Directory domain name.

Your external DNS host is likely not going to support all the features that you need to make Active Directory work properly in their DNS servers. In particular, they're probably not going to support dynamic DNS registration or GSSAPI-based secure updates.

Beyond that, all of your domain-member client and server computers are going to need DNS to do basic things like logons and application of group policy. You don't want to tie that to your Internet connection being up!

You've got to use a Windows Server computer to host Active Directory itself. It's common practice to also use those domain controller computers to host DNS for the Active Directory (and often to forward requests for other names to the ISP's DNS servers or the root DNS servers) and to use these DNS servers as the DNS servers for all domain-member client and server computers.

Solution 3:

I inherited a network where the internal and external DNS names were the same. This was a relatively small business, with only a few external hosts so the problems I had were minor. The internal DNS was hosted locally, and I would strongly recommend you do the same. The external DNS was hosted at an ISP and only included records for hosts that needed to be accessible from the Internet. The (minor) problems I had were primarily in making sure I duplicated any Internet-accessible hosts on both the internal and external DNS.

For example, mail.company.com was accessible both inside and outside the network, as were the hosts vpn and www. I needed to make sure both DNS servers were changed when any of those hosts changed (which they did a few times).

Bottom line - this is not a best practice. But if you only have a few Internet-accessible hosts, it's not that big a deal. You should really, really host your AD DNS on your local domain controllers. You probably shouldn't expose your local DNS to the Internet.
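The drift that Solutions 1, 2 and 3 all describe (a public host moves, and the copy of its record inside the AD-hosted zone is never updated, or was never created) is easy to check for mechanically. The following is an added example, not code from any of the answers above: it parses two simplified BIND-style zone exports (constructed sample data, using the www/mail/vpn hosts from Solution 3 and a moved website from Solution 1) and reports every public host the internal zone is missing or answers differently.

```python
"""Detect split-brain drift between an internal AD zone and the public zone.

Assumes both zones have been exported as simplified BIND-style text with
relative names under the same origin (constructed sample data below).
"""
from collections import defaultdict

# Public zone at the registrar/ISP: only Internet-facing hosts (constructed).
EXTERNAL_ZONE = """
$TTL 3600
www   IN A 203.0.113.10   ; website moved here last month
mail  IN A 203.0.113.25
vpn   IN A 203.0.113.30
"""

# Same zone name served by the domain controllers (constructed).
INTERNAL_ZONE = """
$TTL 600
www   IN A 203.0.113.9    ; old address, never updated after the move
mail  IN A 203.0.113.25
dc01  IN A 10.0.0.5       ; domain controller, internal only
"""


def parse_zone(text):
    """Return {name: set(ipv4)} for every A record; other lines are ignored."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 3 or fields[-2] != "A":  # only '<name> ... IN A <ip>'
            continue
        records[fields[0].lower().rstrip(".")].add(fields[-1])
    return dict(records)


def find_drift(internal, external):
    """Public hosts the internal zone lacks or resolves to a different address.

    Internal-only names (e.g. domain controllers) are expected and not reported.
    """
    drift = {}
    for name, ext_ips in external.items():
        int_ips = internal.get(name)
        if int_ips is None:
            drift[name] = "missing internally"
        elif int_ips != ext_ips:
            drift[name] = f"stale internally: {sorted(int_ips)} vs public {sorted(ext_ips)}"
    return drift


if __name__ == "__main__":
    for host, problem in find_drift(parse_zone(INTERNAL_ZONE), parse_zone(EXTERNAL_ZONE)).items():
        print(f"{host}: {problem}")
```

Run it against real exports (e.g. from `dnscmd /ZoneExport` on the DC and a zone transfer or export from the public host) on a schedule to catch the duplication mistakes before users do.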