Separate namespace


I've read that it's best to have an internal and external namespace on your Windows 2000/2003 server. However, I'm puzzled over the setup of this. Let's use Microsoft's sample company - Contoso.

Do I install Active Directory with contoso.com? I've read you should use something like contoso.local OR company.contoso.com for an internal namespace to shield your network from the outside. My confusion is over how this is set up. If anyone has any suggestions on how to configure this, I would appreciate it.

TJ
 
You have read correctly - it's best not to use the same internal and
external namespace. However, this isn't new - many organizations have been
using TCP/IP internally and externally without Active Directory and have used
separate namespaces in those cases as well.

You can separate namespaces by either creating a disjoint or "split-brain"
DNS, or by making the root of your internal space a child of your external
space. Cases in point:

Contoso.com might use Contoso.local or Contoso.prv or any top level name you
can dream of.

You might opt also for using a completely different namespace and
registering it to "protect" it, such as Ford.com and Fordcorp.com. I don't
generally like that idea.

Making your root the child of an already existing namespace might work well
for you. For example, your external space might be army.mil and your
internal space might start with ds.army.mil.

The root of your AD DNS can be configured as a "root" DNS or as a forwarder
to your external namespace, or to another namespace you choose - such as
your ISP ... All internal computers must then "point" to the internal DNS
servers.

-ds


TJ said:
I've read that it's best to have an internal and external namespace on
your Windows 2000/2003 server. However, I'm puzzled over the setup of this.
Let's use Microsoft's sample company - Contoso.
Do I install Active Directory with contoso.com? I've read you should use
something like contoso.local OR company.contoso.com for an internal
namespace to shield your network from the outside. My confusion is over how
this is set up. If anyone has any suggestions on how to configure this, I
would appreciate it.
 
the confused said:
Dave, could you elaborate on the following paragraph?

If Dave doesn't mind me jumping in here, I think I can comment on this.

If you configure your (Forest) Root domain's DNS server as a "Root" server,
then all resolution would stop there. Using this scenario would probably
mean you have a Proxy or ISA server controlling Internet access, so
therefore no forwarding out the door is required and we would keep the Root
zone on the Forest Root DNS. Forwarding out does not apply here.

Or choose to forward from the Forest Root domain's DNS server to your
external namespace, such as with either a conditional forwarder (in W2k3)
or just forward all other queries to your ISP (no conditions on forwarding).

But all in all, ALL internal members of an AD infrastructure MUST only point
to your internal DNS servers for proper AD resolution. If you have
delegation to child domains, they would be forwarded to the Root DNS. Then
at the Forest Root domain (parent) DNS, you choose between a Root or
forwarding.

Make sense?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
thanks for the jumping in plug (just learnt the use of
that word).

makes sense in general, but noticed here people
use "forward" and "forwarder" a lot, but not "forwarding".

in a well designed and implemented DNS infrastructure,
one doesn't need to use forwarders that often. but the
MS world could be an exception, as many people just start
a piece of DNS for their AD in a corner.

just a side note, besides Conditional Forwarding, there
is a new feature with W2K3 DNS called Stub Zone (been
around a long time in DNS in general though), that can be
useful when dealing with delegation and inter-forest
DNS.
 
the confused said:
thanks for the jumping in plug (just learnt the use of
that word).

makes sense in general, but noticed here people
use "forward" and "forwarder" a lot, but not "forwarding".

in a well designed and implemented DNS infrastructure,
one doesn't need to use forwarders that often. but the
MS world could be an exception, as many people just start
a piece of DNS for their AD in a corner.

just a side note, besides Conditional Forwarding, there
is a new feature with W2K3 DNS called Stub Zone (been
around a long time in DNS in general though), that can be
useful when dealing with delegation and inter-forest
DNS.

Forwarding, forwarders, depending on context.

Stub zones, yes they can be utilized as well, but I would probably see or
use them more for a ref to another zone elsewhere, instead of conditional
forwarding. But if it comes down to it, other than the _msdcs.domain.com
Forest Stub, I would rather use good old-fashioned delegation and forward back
to the root.



--
Regards,
Ace

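Pulling the thread's advice together (ds's "internal root as a child of the external namespace" layout, Ace's choice between a Root zone and forwarding, the rule that members point only at internal DNS, and the later Stub Zone remark) as an added example that is not from any poster. It assumes the DnsServer and DnsClient PowerShell modules of Windows Server 2012 or later rather than the Windows 2000/2003 tools the thread discusses, and every name and address in it is made up.

```powershell
# Added example, not from the thread. Assumed layout:
#   external (registered) zone : contoso.com, hosted on 203.0.113.53 (outside the network)
#   internal AD forest root    : corp.contoso.com, hosted on DC01 192.168.1.10 / DC02 192.168.1.11
#   ISP resolver               : 198.51.100.53

# 1. Internal AD-integrated zone. The external zone's records are never mixed into it.
Add-DnsServerPrimaryZone -Name 'corp.contoso.com' -ReplicationScope 'Forest' -DynamicUpdate 'Secure'

# 2a. Option "forward": anything the forest root DNS cannot answer leaves the network.
#     Conditional forwarder (the W2K3 feature mentioned) for the parent/external namespace only ...
Add-DnsServerConditionalForwarderZone -Name 'contoso.com' -MasterServers 203.0.113.53 -ReplicationScope 'Forest'
#     ... and every other name to the ISP. Root hints are disabled so nothing bypasses the forwarders.
Set-DnsServerForwarder -IPAddress 198.51.100.53 -UseRootHint $false

# 2b. Option "Root": instead of 2a, make the forest root DNS authoritative for "." so that
#     resolution stops internally. Only sensible when a proxy/ISA handles Internet access;
#     pick 2a or 2b, never both.
# Add-DnsServerPrimaryZone -Name '.' -ZoneFile 'root.dns'

# 3. Stub zone for the forest-wide _msdcs records, as discussed at the end of the thread.
#    Belongs on a DNS server that does not host that zone itself (e.g. in another forest)
#    and needs to locate this forest's domain controllers.
# Add-DnsServerStubZone -Name '_msdcs.corp.contoso.com' -MasterServers 192.168.1.10 -ReplicationScope 'Forest'

# 4. Every domain member points ONLY at internal DNS servers, never at the ISP.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses ('192.168.1.10', '192.168.1.11')

# 5. Checks: the DC locator SRV record resolves internally, the external name resolves
#    through the conditional forwarder, and no interface is configured with outside DNS.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.contoso.com' -Type SRV -Server 192.168.1.10
Resolve-DnsName -Name 'www.contoso.com' -Type A -Server 192.168.1.10
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -and ($_.ServerAddresses -notmatch '^192\.168\.1\.') } |
    ForEach-Object { Write-Warning "Interface $($_.InterfaceAlias) points at external DNS: $($_.ServerAddresses)" }
```

Steps 1 to 3 run on the forest root DNS server (step 3 on the remote server instead); steps 4 and 5 run on a domain member, and a warning from the last pipeline means a client is violating the "internal DNS only" rule.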
 