Naming a new Active Directory forest - why is split-horizon DNS not recommended?

domain-name-system active-directory best-practices split-dns

Hopefully, we all know what the recommendations for naming an Active Directory forest are, and they're pretty simple. Namely, it can be summed up in a single sentence.

Use a subdomain of an existing, registered domain name, and pick one that's not going to be used externally. For example, if I were to incorporate and register the hopelessn00b.com domain, my internal AD forest should be named internal.hopelessn00b.com or ad.hopelessn00b.com or corp.hopelessn00b.com.

There are overwhelmingly compelling reasons to avoid using "fake" tlds or single-label domain names, but I'm having a hard time finding similarly compelling reasons to avoid using the root domain (hopelessn00b.com) as my domain name and use a subdomain such as corp.hopelessn00b.com instead. Really, the only justification I can seem to find is that accessing the external website from internal requires an A name DNS record and typing www. in front of the website name in a browser, which is pretty "meh" as far as problems go.

So, what am I missing? Why is it so much better to use ad.hopelessn00b.com as my Active Directory forest name over hopelessn00b.com?

Just for the record, it's really my employer that needs convincing - the boss man is back-peddling, and after giving me the go ahead to create a new AD forest named corp.hopelessn00b'semployer.com for our internal network, he's wanting to stick with an AD forest named hopelessn00b'semployer.com (the same as our externally registered domain). I'm hoping that I can get some compelling reason or reasons that the best practice is the better option, so I can convince him of that... because it seems easier than rage quitting and/or finding a new job, at least for the moment. Right now, "Microsoft best practices" and internally accessing the public website for our company don't seem to be cutting it, and I'm really, really, really hoping someone here has something more convincing.


So much rep to be had. Come to me precious.

Ok, so it's pretty well documented by Microsoft that you shouldn't use split-horizon, or a made up TLD as you've linked to many times (shout out to my blog!). There are a few reasons for this.

  1. The www problem that you've pointed out above. Annoying, but not a deal breaker.

  2. It forces you to maintain duplicate records for all public-facing servers that are also accessible internally, not just www. mail.hopelessnoob.com is a common example. In an ideal scenario, you'd have a separate perimeter network for things like mail.hopelessnoob.com or publicwebservice.hopelessnoob.com. With some configurations, like an ASA with Internal and External interfaces, you either need inside-inside NAT or split-horizon DNS anyway but for larger organizations with a legitimate perimeter network where your web-facing resources aren't behind a hairpin NAT boundary - this causes unnecessary work.

  3. Imagine this scenario - You're hopelessnoob.com internally and externally. You have a corporation that you're partnering with called example.com and they do the same thing - split horizon internally with their AD and with their publicly accessible DNS namespace. Now, you configure a site-to-site VPN and want internal authentication for the trust to traverse the tunnel while having access to their external public resources to go out over the Internet. It's next to impossible without unbelievably complicated policy routing or holding your own copy of their internal DNS zone - now you've just created an additional set of DNS records to maintain. So you have to deal with hairpinning at your end and their end, policy routing/NAT, and all kinds of other trickery. (I was actually in this situation with an AD that I inherited).

  4. If you ever deploy DirectAccess, it drastically simplifies your name resolution policies - this is likely also true for other split-tunnel VPN technologies as well.

Some of these are edge cases, some are not, but they're all easily avoided. If you have the ability to do this from the beginning, might as well do it the right way so that you don't run into one of these in a decade.


This statement : "Really, the only justification I can seem to find is that accessing the external website from internal requires an SRV DNS record and typing www. in front of the website name in a browser" is not true.

It means you need to keep a copy of all of your public records in your AD DNS servers, which might cause problems, particularly if you don't do it properly - miss some, etc. If someone wants to get to ftp.company.com but you forget to create the alias in internal DNS (or didn't automate it properly), in-house folks can't hit the public FTP site at all.

This is pretty well fleshed out in the question you linked to : Windows Active Directory naming best practices?

If maintaining multiple copies of your DNS zones is an easy problem for you to solve correctly, forever, then I suppose you can do what you want. Until MS changes something that breaks it. You could just follow their recommendations.

Related

maintaining redirects in nginx from an external source
Is dig +trace always accurate?
iptables multiple source IPs in single rule
Is a CNAME to CNAME chain allowed?
Understanding RedHat's recommended tuned profiles
SElinux: allow httpd to connect to a specific port
How long does negative DNS caching typically last?
Ubuntu Linux - multiple NICs, same LAN... ARP responses always go out a single NIC
Do background processes get a SIGHUP when logging off?
Allowing FTP with IPTables
What is the problem with using Fedora for servers?
SSL password on apache2 restart