Use .local for your private-internal network?

suklee

Diamond Member
Oct 9, 1999
4,575
10
81
Am setting up a new domain running win2k/3 servers, Exchange, etc.

Is it necessary to separate domains as per this person's suggestion? What do you all make of this?

Problems encountered:

Web server - the standard issue you know of... who is www.mydomain.com?

DNS - Who will be the authoritative DNS server for mydomain.com... my AD server or the ISP name server?

DNS - Subdomain of WHOSE authoritative domain?

DHCP - My internal clients are registering their DNS names with which server?

AD/Printers - I get my printers to register in the Directory, but I also have whose?

Let me give an example (this was just when 2k arrived:)

I set up a company "our.example.com"; they have an ISDN router that I set up beforehand and it's working great. Everyone knows you must have the server connected to a hub (at least) or the install fails (because the network card isn't enabled). The first AD server installs fine, no errors, DNS is there and running... it's not even thinking it's a root server, so I add the forwarder and get started on some others which are easy. Clients drop in no sweat as they are DHCP from the AD machine. Beautiful day, only about 6 hours on the servers and the clients are no sweat. Couple more days and the network is done! Someone calls... there is a problem. I drive over... and there are 1000+ clients in the DHCP, more printers than you have ever seen, and DNS records for most of the western world. Now the server complains about the domain being not found, no authoritative DNS, and being a pain in my bum.

I reinstall as our.company.local, and there are all these questions I never saw on the first install about authoritative DNS, active DHCP scope; this time it thinks it's a root server. Why didn't this happen before?

The first time the AD server never gave any DNS messages because it bounced out to "example.com" and joined their domain, became a slave to their DNS including caching, and started participating in serving our clients with their DHCP scope. Any DNS info we had went upstream in the dynamic DNS updates. "Example.com" got this stuff appearing and secured their firewall, and my install became a child domain without a parent, worked for a while, then stopped and screamed!

I have seen something not as bad when the AD DNS server becomes a child of the ISP (because the ISP is authoritative for the domain name before the server is installed).

The reasons all the books talk of .com is they expect you are starting the whole company from scratch, will host everything yourself, never need any security from the outside world, have unlimited hardware resources...

Use the .local for your private-internal network!
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Well, you shouldn't use a domain you don't own (i.e. example.com) for an internal domain name; that's just common sense. At the very least you'll probably break access to that site (i.e. if you use microsoft.com as your internal domain name you won't be able to get to anything on the real microsoft.com domain, as your DNS server will think it's authoritative and won't have those addresses). Basically it sounds like his DHCP/DNS/AD server was publicly accessible and everyone on that ISDN subnet that had DHCP set up got IPs from his range, registered with his DNS, etc., which is just poor planning and/or execution on his part. Hell, I wouldn't doubt that his server is still publicly accessible for no reason.
 

chsh1ca

Golden Member
Feb 17, 2003
1,179
0
0
I've used .int or .lnet before, simply because .lnet isn't a registered TLD, and I've never run into a viable .int domain (though I am sure they exist). I used .int a long time ago though, before I found out it was a real TLD. I used them because they are shorter than .local is, i.e. .int for internal, and .lnet for local net. There's no harm in creating your own TLD and just using something like www.lnet as the host address for your internal web server. At least assuming .lnet stays unused. :)
 

suklee

Diamond Member
Oct 9, 1999
4,575
10
81
Pardon my noobishness... but TLD is short for? :eek:

Basically I don't understand what this guy is talking about. Therefore... what are the advantages to having a .local or .int "TLD" for our internal domain? Is it really necessary, or am I better off just going with the normal mycompany.com scenario for our internal domain?
 

suklee

Diamond Member
Oct 9, 1999
4,575
10
81
Ah yes... how could I.... :eek:

Think I'm gonna wipe out the AD yet again and just run a .com TLD internally.
 

suklee

Diamond Member
Oct 9, 1999
4,575
10
81
I setup 2k3 server once again and I used domain.local instead of domain.com.

There are now plans to have a remote site hooked up to our AD network. I am currently not using my server as an external DNS; will I need to set up the DNS in the future so that it handles all requests (authoritative) for my domain?
- is this .local vs .com business going to pose a problem?
 

djdrastic

Senior member
Dec 4, 2002
441
0
0
I don't quite understand your question.

1) Do you have an internal DNS?
2) How many forests do you have?
3) How many DCs do you have?
4) Do you have any domain trees?
 

suklee

Diamond Member
Oct 9, 1999
4,575
10
81
<- apologizes for being a n00b

1) Do you have an internal DNS?

Yes, at the moment. Internal DNS zone is myco.local. All workstations point here for DNS resolution.

2) How many forests do you have?

Two, one current site, one remote.

3) How many DCs do you have?

One at current site, one at remote site.

4) Do you have any domain trees?

None yet, but I want to make the remote site a child domain eg. child.myco.local

Is this .local extension going to cause me problems when I create a domain tree?
 

suklee

Diamond Member
Oct 9, 1999
4,575
10
81
Is this .local extension going to cause me problems when I create a domain tree? :confused:
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Doubtful; the TLD isn't terribly important. As long as you have hints to the root servers for the other .com, .net, .org, etc. and you're authoritative for .local you should be fine.
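The checks the thread keeps circling back to (who is publicly authoritative for the candidate name, whether the DC is authoritative for the internal zone only and forwards everything else, and whether DHCP/DNS are reachable from outside the LAN) can be scripted. The following is an added example written for this thread, not code from any poster. It assumes the DnsServer and DhcpServer PowerShell modules of Windows Server 2012 or later (the Win2k/2k3 boxes in the thread would do the same through the DNS and DHCP MMC snap-ins), and every zone name, address and subnet in it is a placeholder.

```powershell
# Added example for this thread, not code from any poster. Assumes the
# DnsServer and DhcpServer PowerShell modules (Windows Server 2012 or later).
# Zone names, addresses and subnets are placeholders, not anyone's real network.

$InternalZone   = 'myco.local'       # assumed AD zone name
$PublicName     = 'mycompany.com'    # assumed name the company owns on the Internet
$LanAddress     = '192.168.10.5'     # assumed LAN address of the DC running DNS
$LanScope       = '192.168.10.0'     # assumed DHCP scope ID
$Forwarders     = @('203.0.113.53')  # assumed ISP resolver (documentation range)
$PublicResolver = '1.1.1.1'          # any public recursive resolver

# 1. Pre-flight, before dcpromo: who answers for the candidate names on the
#    public Internet? A name that is delegated to someone else must not become
#    the AD zone, because the DC would then claim authority over it and shadow
#    the real records (Nothinman's microsoft.com example).
foreach ($name in @($InternalZone, $PublicName)) {
    $ns = Resolve-DnsName -Name $name -Type NS -Server $PublicResolver -ErrorAction SilentlyContinue
    if ($ns) { "{0}: publicly delegated to {1}" -f $name, ($ns.NameHost -join ', ') }
    else     { "{0}: no public delegation" -f $name }
}

# 2. Internal DNS: authoritative for the internal zone only, secure (Kerberos
#    signed) dynamic updates so only domain members can register records, and
#    everything outside the zone goes to the forwarders, falling back to root hints.
if (-not (Get-DnsServerZone -Name $InternalZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $InternalZone -ReplicationScope Forest -DynamicUpdate Secure
}
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $true
"Root hints loaded: {0}" -f (Get-DnsServerRootHint | Measure-Object).Count

# 3. Listen on the LAN address only, so a DC that also has a routable address
#    does not serve DNS to the whole ISP segment (the "1000+ clients" story).
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = @($LanAddress)
Set-DnsServerSetting -InputObject $settings

# 4. Verify from a domain member: the internal name is answered by the DC, a
#    public name still resolves through the forwarders, and the DHCP scope
#    holds only the clients you expect.
Resolve-DnsName -Name "dc1.$InternalZone" -Server $LanAddress -DnsOnly
Resolve-DnsName -Name "www.$PublicName"   -Server $LanAddress -DnsOnly
"Leases in {0}: {1}" -f $LanScope, (Get-DhcpServerv4Lease -ScopeId $LanScope | Measure-Object).Count

# If the AD zone must carry the company's public name instead (split-horizon),
# every public host needs a record inside the zone, because an authoritative
# server answers NXDOMAIN for missing names rather than forwarding the query:
# Add-DnsServerResourceRecordA -ZoneName $PublicName -Name 'www' -IPv4Address '198.51.100.10'
```

Step 1 only tells you whether a name is delegated today; a name that shows "no public delegation" and is not .local could still be registered by someone else later, which is the reason the first post prefers a suffix nobody can register. Step 3 is the piece the first poster was missing: with the DC answering on a routable address and a DHCP scope that the ISDN segment could reach, the server was "working great" precisely because it was serving everyone.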
 

djdrastic

Senior member
Dec 4, 2002
441
0
0
No, it won't, and relax, man. You can, with a bit of sweat and tears, change a domain name if need be. The only problem that I can see is that your Exchange users will have user@domain.local addresses, but those things can be sorted out with some aliasing in Exchange.


PM me if you need any more advice/help.
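The Exchange aliasing djdrastic refers to, as an added example that is not part of his post: make the public domain the primary SMTP address for every mailbox and keep the .local address as a secondary alias so nothing that was already delivered to it breaks. It assumes the Exchange Management Shell of Exchange 2007 or later (Exchange 2003, which this thread is about, does the same through Recipient Policies in System Manager), and the domain names are placeholders.

```powershell
# Added example for this thread, not code from any poster. Assumes the
# Exchange Management Shell (Exchange 2007 or later). Domain names are placeholders.

$AdZone     = 'myco.local'      # assumed AD domain name; not routable on the Internet
$MailDomain = 'mycompany.com'   # assumed domain that should appear on outbound mail

# Exchange must know it is authoritative for the public mail domain before it
# will accept or stamp addresses in it.
if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName -eq $MailDomain })) {
    New-AcceptedDomain -Name $MailDomain -DomainName $MailDomain -DomainType Authoritative
}

# Upper-case "SMTP:" marks the primary (reply-to) address; lower-case "smtp:"
# keeps user@myco.local as a secondary alias. %m expands to the mailbox alias.
Set-EmailAddressPolicy -Identity 'Default Policy' `
    -EnabledEmailAddressTemplates "SMTP:%m@$MailDomain", "smtp:%m@$AdZone"
Update-EmailAddressPolicy -Identity 'Default Policy'

# Check: list any mailbox whose primary address is still in the AD zone.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.PrimarySmtpAddress.Domain -ne $MailDomain } |
    Select-Object Name, PrimarySmtpAddress
```

Keeping the .local template as a secondary address, rather than dropping it, matters for mail already sitting in queues or in users' address books; the primary template is what decides which domain shows in the From header of new mail, which is the address that has to be resolvable and deliverable from the outside.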
 

suklee

Diamond Member
Oct 9, 1999
4,575
10
81
Thanks guys for clearing that up. :beer:

dj, I would PM you, but your PM function isn't enabled ;)