Domain questions

raksasas

AD Domain questions

I have been trying to wrap my head around some things regarding domains and I think my home lab/network is probably setup all wrong.

Rewriting this:
How I don't understand how to set up a proper AD domain
So you cannot use ".local" anymore?

I know some of these questions have been asked before but I have just spent a couple of hours searching and trying to make heads or tails of it all. Confusing.

I just want to get my home lab/network set up correctly. Starting from the ground up.
Is English your first language? If so I suggest rewording your post.

A domain is just a name that maps to an IP. Whether that be an internal domain or external.

(NAT and routing have nothing to do with DNS. They use MAC addresses and IPs)

Using .local is no longer recommended. It is recommended to use a subdomain like company.ad.example.com. Something that is not reachable externally.

With AD, if the domain is "companyname" it's just short form for companyname.ad.example.com. If set up properly, the clients will append the "ad.example.com" to any host you try internally.
 
I know. I know. I could not really get out what I wanted to say clearly. So I just put my thoughts out to see what sticks.

> Using .local is no longer recommended. It is recommended to use a subdomain like company.ad.example.com. Something that is not reachable externally.
>
> With AD, if the domain is "companyname" it's just short form for companyname.ad.example.com. If set up properly, the clients will append the "ad.example.com" to any host you try internally.

This is exactly what I am not understanding.

Company name is: Widget
Website domain name is: http://www.widget.com
AD server name is: cyclops
File server name is: gambit
Client 1 computer name is: client1
Client 2 computer name is: client2

So it would be:
widget.cyclops.widget.com?

It is not making any sense to me.
 
Okay. I think I have an idea.
I know that when I create a "New" AD domain it asks you to fill in the "Full DNS name" for the new domain & "Domain NetBIOS name".

If I take what you said above and the bogus company name of Widget, I would make it the following:
Full DNS name = widget.ad.widget.com
Domain NetBIOS name = Widget

When I put client 1 onto the domain it would be:
Enter the "Domain" name = widget
Fully qualified domain name for client 1 would be: client1.ad.widget.com

But wouldn't it make the FQDN be: client1.widget.ad.widget.com?
 
> Okay. I think I have an idea.
> I know that when I create a "New" AD domain it asks you to fill in the "Full DNS name" for the new domain & "Domain NetBIOS name".
>
> If I take what you said above and the bogus company name of Widget, I would make it the following:
> Full DNS name = widget.ad.widget.com
> Domain NetBIOS name = Widget
>
> When I put client 1 onto the domain it would be:
> Enter the "Domain" name = widget
> Fully qualified domain name for client 1 would be: client1.ad.widget.com
>
> But wouldn't it make the FQDN be: client1.widget.ad.widget.com?

Almost. It'd be client1.widget.ad.widget.com
 
> Almost. It'd be client1.widget.ad.widget.com

That is why I don't understand it, because of what you said in your other post:

> With AD, if the domain is "companyname" it's just short form for companyname.ad.example.com. If set up properly, the clients will append the "ad.example.com" to any host you try internally.

I would want: client1.ad.widget.com
 
Also, what would that make my *nix systems?

Debian lamp server's hostname: webserver1
webserver1.ad.widget.com?
 
> That is why I don't understand it, because of what you said in your other post
>
> I would want: client1.ad.widget.com

In that case your NetBIOS name would be "AD" and the full name for the domain would be ad.widget.com. Completely doable. The computer hostname always gets added to the front of the FQDN for the domain.
 
I prefer the external DNS of company.com (for website/customers/etc.), and company.net for AD/internal DNS suffix.

Just sayin'

Or if you want to be really security-minded, name it something else altogether.
 
> I prefer the external DNS of company.com (for website/customers/etc.), and company.net for AD/internal DNS suffix.
>
> Just sayin'
>
> Or if you want to be really security-minded, name it something else altogether.

But if someone owns the .net domain you then need to mess with your internal DNS. I prefer using a subdomain that doesn't actually exist externally.
 
> But if someone owns the .net domain you then need to mess with your internal DNS. I prefer using a subdomain that doesn't actually exist externally.

Just use split horizon DNS in those cases. Works great.

@OP. If your company owns the domain

contoso.com
then make your Active Directory NetBIOS name AD.
This way your FQDN for Active Directory will be ad.contoso.com
Then any of your clients' and servers' FQDNs will be
server1.ad.contoso.com
client1.ad.contoso.com

If you host the DNS zone for contoso.com (in most modern enterprises they host their own DNS forward lookup zone for their sites) you would maintain 4 DNS servers: 2 internal and 2 external.
Your external DNS servers would have www, NS, and CNAME records for your websites and servers using the outside public IP addresses.
However, your internal DNS servers' www, NS, and CNAME records for those same websites would use the internal IP addresses. This way, www.contoso.com would properly resolve both internally and externally.
 
> But if someone owns the .net domain you then need to mess with your internal DNS. I prefer using a subdomain that doesn't actually exist externally.

I was assuming that the hypothetical company was large enough to own their .com and .net domains.
 
Thank you, /usr/home & cyr0n_k0r. You have provided the most helpful information. I believe I understand it a lot better now.
 
> Just use split horizon DNS in those cases. Works great.
>
> @OP. If your company owns the domain
>
> contoso.com
> then make your Active Directory NetBIOS name AD.
> This way your FQDN for Active Directory will be ad.contoso.com
> Then any of your clients' and servers' FQDNs will be
> server1.ad.contoso.com
> client1.ad.contoso.com
>
> If you host the DNS zone for contoso.com (in most modern enterprises they host their own DNS forward lookup zone for their sites) you would maintain 4 DNS servers: 2 internal and 2 external.
> Your external DNS servers would have www, NS, and CNAME records for your websites and servers using the outside public IP addresses.
> However, your internal DNS servers' www, NS, and CNAME records for those same websites would use the internal IP addresses. This way, www.contoso.com would properly resolve both internally and externally.

What about non-AD based systems? Unix/Linux/network?

I don't like this *.ad.company.com approach. And who is running AD-integrated DNS externally anymore (internal too)?
 
> What about non-AD based systems? Unix/Linux/network?
>
> I don't like this *.ad.company.com approach. And who is running AD-integrated DNS externally anymore (internal too)?

What about them? If they can't automatically update your internal DNS zone then add A records for them manually.

Why don't you like the *.ad.company.com approach? I've run this method in 2 different enterprises and it's not only intuitive, but also VERY stable.
I never said to run AD integrated zones externally. In fact, I didn't mention it at all because the OP isn't at that level yet. I was providing a general overview of split horizon.
And are you suggesting that you don't run AD integrated zones internally? :confused: umm... what?
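The naming layout /usr/home and cyr0n_k0r describe (NetBIOS name AD, DNS name ad.contoso.com, split-horizon copy of contoso.com, manual A records for non-AD hosts) as one worked PowerShell sequence. This is an added example, not code from the thread; it assumes a Windows Server with the AD DS and DNS Server roles available, run as Administrator, and every name and address in it is a constructed placeholder.

```powershell
# Added example (not from the thread). Assumes Windows Server with the AD DS and
# DNS Server roles installable, run as local Administrator. contoso.com and all
# 10.0.0.x addresses are constructed placeholders.

# 1. Build the forest. NetBIOS "AD" + DNS "ad.contoso.com" gives every joined
#    machine the FQDN <hostname>.ad.contoso.com, as the answers above describe.
#    -InstallDns makes the DC host the ad.contoso.com zone itself.
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName "ad.contoso.com" `
    -DomainNetbiosName "AD" `
    -InstallDns:$true `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") `
    -Force:$true
# The server reboots here; steps 2-4 run on the DC after it comes back.
# A client joined with: Add-Computer -DomainName ad.contoso.com -Restart
# registers client1.ad.contoso.com in that zone on its own.

# 2. Split horizon: host an internal copy of the public zone on the DCs so that
#    www.contoso.com answers with the private address inside and the public
#    address outside. The public DNS servers are untouched by this.
Add-DnsServerPrimaryZone -Name "contoso.com" -ReplicationScope "Forest"
Add-DnsServerResourceRecordA -ZoneName "contoso.com" -Name "www" `
    -IPv4Address "10.0.0.80"   # constructed: internal address of the web front end

# 3. Non-AD hosts (the Debian box asked about) cannot update the zone
#    dynamically, so their records are added by hand.
Add-DnsServerResourceRecordA -ZoneName "ad.contoso.com" -Name "webserver1" `
    -IPv4Address "10.0.0.20"   # constructed: internal address of the LAMP box

# 4. Check the internal view from a domain-joined machine.
Resolve-DnsName -Name "www.contoso.com" -Type A
Resolve-DnsName -Name "webserver1.ad.contoso.com" -Type A
```

Once the DCs are authoritative for contoso.com internally, every public record (mail, CNAMEs, anything else) has to be duplicated in that internal zone or internal clients will not resolve it; that upkeep is the change-management cost the last reply alludes to.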
 
This is a simple and intuitive approach for a smaller, mostly Windows company.

As you get larger, with various locations, domains, companies, subsidiaries, and business units, as well as non-Windows-based hosts, "*.ad.company.com" starts to make less and less sense.

And AD-integrated DNS for servers is generally a bit of a change management and security risk that should be considered.