AD and DNS in DMZ


Edgar

Internally, we are running AD on '03 with MS DNS. We
have just got some integrators in doing some type of
application work, that will require them to use AD on
2000 w/ DNS outside on the DMZ. Since our internal root
domain is TDI.com will it be wise to have this second DNS
and AD machine with the same root domain name. Does it
make a difference? What if he keeps it the same and one
day he may want to bring it in from the DMZ internally?
Would it be ok to just have a different forest for this
use?

Thanks in Advance.
Edgar said:
Internally, we are running AD on '03 with MS DNS. We
have just got some integrators in doing some type of
application work, that will require them to use AD on
2000 w/ DNS outside on the DMZ. Since our internal root
domain is TDI.com will it be wise to have this second DNS
and AD machine with the same root domain name.

I definitely would NOT do that.

If the domains will "communicate" they need different names.

If they are in the same forest this "need" becomes a requirement.
Does it make a difference?

Yes, having the same name makes it difficult to maintain them
so that each can resolve machines in the other -- presumably these
folks are working for you and there might be a need to
communicate.
What if he keeps it the same and one
day he may want to bring it in from the DMZ internally?

Nope. Never unless you can rename it. And actually you have
a bigger problem since there is no mechanism to "graft" AD
domains anyway.
Would it be ok to just have a different forest for this
use?

You must have a different forest if you use the same name.

Even with separate forests it is a BAD idea to reuse the name.

Make it a child domain or a sibling.

Edgar said:
Internally, we are running AD on '03 with MS DNS. We
have just got some integrators in doing some type of
application work, that will require them to use AD on
2000 w/ DNS outside on the DMZ. Since our internal root
domain is TDI.com will it be wise to have this second DNS
and AD machine with the same root domain name. Does it
make a difference?

It probably is one of the most important decisions you can make. Yes. It
makes a big difference. Do Not do this.

What if he keeps it the same and one
day he may want to bring it in from the DMZ internally?
Would it be ok to just have a different forest for this
use?

Use a separate forest. However, I suggest you name the forest something
other than the internal namespace.

Now, if your internal namespace is the name you absolutely MUST use on the
outside, you have a couple of options.

1 - you may opt to completely shield the inside via proxy and use the same
name internally and externally. I suspect you won't like this option much.

2 - Windows Server 2003 in Forest Functional Level 2003 allows you to rename
domains and DCs. Although it's a ton of work, it can be done. Check the
docs.


-ds
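Added illustration, not part of either reply: a small Python check that (1) classifies a proposed DMZ domain name against the internal forest root the way the replies do (same name rejected, child domain, or a distinct name/forest), and (2) shows the concrete failure both replies warn about when two DNS servers both claim TDI.com: the same name resolving to different hosts depending on which server answers. The function names, the 10.0.0.x / 192.0.2.x addresses and the host records are constructed for this example; only the TDI.com root and the `_ldap._tcp.dc._msdcs` DC-locator record name come from the thread and from AD's documented DNS layout.

```python
"""Added example (not from the thread): check a proposed DMZ AD/DNS name against
an internal forest root, and show why reusing the name causes split-brain DNS.
All hostnames, addresses and record values below are constructed."""

INTERNAL_ROOT = "tdi.com"  # internal forest root named in the thread


def classify_dmz_name(proposed: str, internal_root: str = INTERNAL_ROOT) -> str:
    """Classify a proposed DMZ domain name relative to the internal root.

    Returns one of:
      'same-name' - identical to the internal root (what both replies reject)
      'child'     - a subdomain of the internal root, e.g. dmz.tdi.com
      'overlaps'  - the internal root would become a child of the proposal
      'distinct'  - a separate namespace (sibling tree or a new forest name)
    """
    p = proposed.strip().rstrip(".").lower()
    r = internal_root.strip().rstrip(".").lower()
    if p == r:
        return "same-name"
    if p.endswith("." + r):
        return "child"
    if r.endswith("." + p):
        return "overlaps"
    return "distinct"


# Constructed snapshots of what two DNS servers that BOTH host "tdi.com"
# would answer. Keys are relative names in the zone; values are the answer.
INTERNAL_ZONE = {
    "dc1": "10.0.0.5",
    "app": "10.0.0.20",
    "www": "203.0.113.10",
    "intranet": "10.0.0.40",
    "_ldap._tcp.dc._msdcs": "dc1.tdi.com",   # AD DC-locator SRV target
}
DMZ_ZONE = {
    "dc1": "192.0.2.5",
    "app": "192.0.2.20",
    "www": "203.0.113.10",
    "_ldap._tcp.dc._msdcs": "dmzdc.tdi.com",  # a different DC for the same name
}


def split_brain_records(internal_zone: dict, dmz_zone: dict) -> dict:
    """Return names that resolve differently depending on which server answers.

    A name present on only one side is reported with None for the missing
    side; a name with identical answers on both sides is not a conflict.
    """
    conflicts = {}
    for name in sorted(set(internal_zone) | set(dmz_zone)):
        a, b = internal_zone.get(name), dmz_zone.get(name)
        if a != b:
            conflicts[name] = (a, b)
    return conflicts


def report(proposed: str) -> list:
    """Human-readable summary lines for a proposed DMZ name."""
    lines = [f"proposed DMZ name {proposed!r}: {classify_dmz_name(proposed)}"]
    if classify_dmz_name(proposed) == "same-name":
        for name, (inside, dmz) in split_brain_records(INTERNAL_ZONE, DMZ_ZONE).items():
            lines.append(f"  {name}.{INTERNAL_ROOT}: internal={inside} dmz={dmz}")
    return lines


if __name__ == "__main__":
    for candidate in ("tdi.com", "dmz.tdi.com", "tdi-dmz.com"):
        print("\n".join(report(candidate)))
```

The DC-locator record is the one that bites hardest: a machine that resolves `_ldap._tcp.dc._msdcs.tdi.com` against the wrong server is handed a domain controller from the other forest, which is why the replies insist on a distinct name even when the forests are separate.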