Public (Internet site <IIS>) ABC.com
Private (AD and Exchange?) AD.ABC.com
What benefits would this have? From what I can tell, my Public and
Private DNS will be separate, and I won't have to worry about that
security-wise.
Am I on the right track here? If so, then how do I do it? Assuming that I
have ABC.com registered, will I actually need to have AD running in that? Or
can I have just a stand-alone IIS server running IIS (ABC.com) in my DMZ,
then set up AD on my internal network as AD.ABC.com? If that is the case,
and that is the best way to do it, what do I choose when doing DCPromo?
"Domain in a new forest" or a "Child domain in an existing domain tree" for
the AD.ABC.com?
Any suggestions or links would be greatly appreciated!
I haven't even really begun to think about Exchange yet. But I guess I
would want that on the ABC.com section right? Or does that change
everything?
Thanks for your help in advance!
OR you could use ABC.local for the AD domain; that would probably be better
in the long run. That is because even though your domain name might be
AD.abc.com, the default behavior is that the parent suffixes of the primary DNS
suffix are appended to all queries. This can cause unexpected behavior
because each query you do will search both ABC.COM and AD.ABC.COM. This is a
real headache if you have a wildcard record in ABC.com: if that is the case,
any name you try to resolve will resolve to the wildcard record.
>
> What benefits would this have?
You would be able to access the sites in the public domain by the domain
name i.e. http://abc.com
The name ad.abc.com _must_ resolve to the IP address of the domain
controllers and not the IIS box. This is for Group policies.
> From what I can tell is
> that my Public and Private DNS will be separate, and I
> won't have to worry about that security wise.
>
> Am I on the right track here? If so, then how do I do
> it? Assuming that I have ABC.com registered, will I
> actually need to have AD running in that?
No
> Or can I have
> just a stand alone IIS server running IIS (ABC.com) in my
> DMZ, then set up AD on my internal network as AD.ABC.com.
The IIS server will still be a member of the AD domain, assuming Exchange
will be on the IIS server, since IIS is required for OWA.
> If that is the case, and that is the best way to do it,
> what do I choose when doing DCPromo? "Domain in a new
> forest" or a "Child domain in and existing domain tree"
> for the AD.ABC.com
Use a new domain in a new forest named ad.abc.com; this is the forest root.
abc.com is related only in name; it is not part of the AD forest.
>
> Any suggestions or links would be greatly appreciated!
>
> I haven't even really begun to think about Exchange yet.
> But I guess I would want that on the ABC.com section
> right? Or does that change everything?
Exchange can be in ad.abc.com; it has no bearing on the mail domain.
Exchange can still accept mail for abc.com if you have that in the recipient
policy. No matter what the AD domain is, you can even set it up so users
log on with their email address by adding an Alternate UPN logon suffix in AD
Domains & Trusts. In fact, if you host multiple mail domains you can add the
UPN suffix for each mail domain and make that part of the user logon. You
can even have two users with the same username as long as the UPN suffix is
different, e.g. j...@example.com and j...@abc.com. The pre-Windows 2000 logon
name must be different though: ABC\joedoe and ABC\joesmith.
--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
http://www.lonestaramerica.com/
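The suffix devolution problem described at the top of this reply, as an added example that is not part of the thread: a small model of how a Windows client appends the primary DNS suffix and then its parents to an unqualified name, run against a public zone that carries a wildcard record. Zones, hosts and addresses are constructed; wildcard matching is simplified to "exact record, else the zone's `*` record", and the resolver devolves down to two labels, which is the default behaviour on the Windows versions the thread is about.

```python
# Added example (not from the thread): model of Windows DNS suffix devolution,
# showing why a wildcard in abc.com bites an AD domain named ad.abc.com but
# not one named abc.local. All zone data and addresses below are constructed.

# Constructed zone data. The public zone carries a wildcard; the AD zones do not.
ZONES = {
    "abc.com": {
        "abc.com": "203.0.113.10",       # public web server (IIS in the DMZ)
        "www.abc.com": "203.0.113.10",
        "*.abc.com": "203.0.113.10",     # wildcard record, the source of the headache
    },
    "ad.abc.com": {
        "ad.abc.com": "10.0.0.5",        # must resolve to the DC, not the IIS box
        "dc1.ad.abc.com": "10.0.0.5",
        "fileserver.ad.abc.com": "10.0.0.20",
    },
    "abc.local": {
        "abc.local": "10.0.0.5",
        "dc1.abc.local": "10.0.0.5",
        "fileserver.abc.local": "10.0.0.20",
    },
}


def devolution_candidates(primary_suffix, min_labels=2):
    """Suffixes a client tries for an unqualified name: the primary DNS suffix,
    then each parent of it, stopping when only min_labels labels remain."""
    labels = primary_suffix.lower().strip(".").split(".")
    candidates = []
    while len(labels) >= min_labels:
        candidates.append(".".join(labels))
        labels = labels[1:]
    return candidates


def find_zone(fqdn):
    """Most specific zone that contains fqdn, or None. A delegated child zone
    (ad.abc.com) wins over its parent (abc.com), as it would on a real server."""
    best = None
    for zone in ZONES:
        if fqdn == zone or fqdn.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def resolve(fqdn):
    """Look up a fully qualified name: exact record, else the zone's wildcard."""
    fqdn = fqdn.lower().rstrip(".")
    zone = find_zone(fqdn)
    if zone is None:
        return None
    records = ZONES[zone]
    if fqdn in records:
        return records[fqdn]
    return records.get("*." + zone)   # None when the zone has no wildcard


def resolve_unqualified(name, primary_suffix):
    """Resolve a single-label name the way a Windows client does: append each
    devolution candidate in turn and accept the first answer. Returns
    (fqdn_that_answered, address), or None when nothing answered."""
    for suffix in devolution_candidates(primary_suffix):
        fqdn = "%s.%s" % (name, suffix)
        addr = resolve(fqdn)
        if addr is not None:
            return fqdn, addr
    return None


if __name__ == "__main__":
    for suffix in ("ad.abc.com", "abc.local"):
        print("primary suffix", suffix, "->", devolution_candidates(suffix))
        for host in ("fileserver", "payroll"):   # payroll exists in no zone
            print("  %-10s -> %s" % (host, resolve_unqualified(host, suffix)))
```

With the primary suffix ad.abc.com, the non-existent host "payroll" (a typo, or a decommissioned server) does not fail: the client devolves to abc.com and the wildcard hands back the public web server's address, so the user ends up talking to the DMZ box. With abc.local there is no parent suffix to fall through to and the lookup fails as it should.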
You could choose that name, you can also choose a completely separate name.
Exchange would work either way. The AD name has really nothing to do with
what domains Exchange can handle. I host 25 domains on my Exchange and none
of the names have anything to do with the AD name it's under. Just don't
choose the same name, it will cause additional administrative overhead.
Being registered has nothing to do with the internal name. That's just for
external reference. Your internal is private and will not be accessible by
name from the outside.
You're pretty much on the right track. For the new domain, you choose new
domain in a new tree in a new forest. Any child domains or trees can be
added after the initial forest root domain creation.
Not to inundate you, but here are links on design. Keep in mind with DNS,
you must ONLY use the internal DNS servers for AD and use a forwarder for
efficient Internet resolution. Don't use the ISP's anywhere other than a
forwarder or AD will not function properly.
254680 - DNS Namespace Planning:
http://support.microsoft.com/default.aspx?scid=kb;en-us;254680
285983 - Considerations for Designing Namespaces in Windows 2000-Based
Domain:
http://support.microsoft.com/default.aspx?scid=kb;en-us;285983
Active Directory - All about it [For Design see section on Planning &
Deployment Guides]:
http://www.microsoft.com/windows2000/technologies/directory/ad/default.asp
Active Directory Branch Office Guide Series:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/deploy/adguide/DEFAULT.asp
Active Directory Operations Guide:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/default.mspx
AD Deployment Planning Guide:
http://www.microsoft.com/windows2000/techinfo/reskit/dpg/default.asp
Best Practice Active Directory Design for Managing Windows Networks [and
DNS]:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx
Chapter 4 - Active Directory Design:
http://www.microsoft.com/resources/documentation/exchange/2000/all/reskit/en-us/part2/c04names.mspx
Chapter 9 - Designing the Active Directory Structure:
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/deploy/part3/chapt-9.mspx
Deploying and Designing Active Directory [DNS Design, Migration, Cert Auth,
Branch Offices, Exchange, ADC, Import-Export, etc]:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/default.mspx
AD and DNS Planning Guide for Branch Offices:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/adguide/adplan/default.mspx
--
Regards,
Ace
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.
This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
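The "internal DNS servers only, ISP only as a forwarder" rule from this reply, as an added example that is not part of the thread: a check that parses a client's `ipconfig /all` output and flags any configured resolver that is not one of the AD DNS servers, plus a check that an internal DNS server's forwarder list points outward rather than back at the AD servers. The ipconfig text, the forwarder lists and all addresses are constructed.

```python
# Added example (not from the thread): audit resolver settings against the
# rule that domain members and DCs use only the internal AD DNS servers, with
# the ISP's resolvers configured only as forwarders on those servers.
# The ipconfig output and every address here are constructed.
import ipaddress
import re

# Constructed: the DNS servers that host the AD zone.
INTERNAL_DNS = {ipaddress.ip_address("10.0.0.5"), ipaddress.ip_address("10.0.0.6")}

# Constructed "ipconfig /all" output from a member server with one bad entry:
# the second DNS server is an ISP resolver.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : ad.abc.com
        IP Address. . . . . . . . . . . . : 10.0.0.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.0.1
        DNS Servers . . . . . . . . . . . : 10.0.0.5
                                            198.51.100.53
"""

_ADDRESS = re.compile(r"^[0-9A-Fa-f.:]+$")


def parse_dns_servers(ipconfig_text):
    """Return the DNS servers listed under 'DNS Servers', including the
    indented continuation lines ipconfig uses for the second and later entries."""
    servers = []
    collecting = False
    for line in ipconfig_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            collecting = True
            value = stripped.split(":", 1)[1].strip()
            if value:
                servers.append(value)
        elif collecting and _ADDRESS.match(stripped):
            servers.append(stripped)
        else:
            collecting = False
    return [ipaddress.ip_address(s) for s in servers]


def audit_client(ipconfig_text, internal_dns=INTERNAL_DNS):
    """Findings for a member's resolver settings. A resolver that does not host
    the AD zone cannot answer the _ldap/_kerberos SRV lookups, so logon, Group
    Policy and replication fail whenever that server is the one asked."""
    findings = []
    servers = parse_dns_servers(ipconfig_text)
    if not servers:
        findings.append("no DNS servers configured")
    for server in servers:
        if server not in internal_dns:
            findings.append("external resolver %s configured on client; "
                            "remove it and add it as a forwarder on the "
                            "internal DNS server instead" % server)
    return findings


def audit_forwarders(forwarders, internal_dns=INTERNAL_DNS):
    """Findings for an internal DNS server's forwarder list: the ISP resolvers
    belong here, and a forwarder aimed at an internal AD server does not help
    with Internet names."""
    findings = []
    addrs = [ipaddress.ip_address(f) for f in forwarders]
    if not addrs:
        findings.append("no forwarders configured; Internet names will be "
                        "resolved via root hints instead")
    for addr in addrs:
        if addr in internal_dns:
            findings.append("forwarder %s is an internal AD DNS server; "
                            "forwarders should point at the ISP resolvers" % addr)
    return findings


if __name__ == "__main__":
    for finding in audit_client(SAMPLE_IPCONFIG):
        print("client:", finding)
    for finding in audit_forwarders(["198.51.100.53"]):
        print("forwarders:", finding)
```

The parser deliberately follows ipconfig's layout, where only the first server shares a line with the label and the rest are indented continuation lines; a naive grep for "DNS Servers" misses exactly the second, wrongly added ISP entry that causes the intermittent failures Ace warns about.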