Original publication 5/2005
Updated 5/2010
Updated 10/15/2010 – Provided a link to my blog with a How-To deal with DNS and the name chosen, and Exchange 2007 & 2010 UC/SAN certificate considerations
Updated 10/21/2014 – Reflect changes by the certificate companies that no longer support .Local or any other non-public TLD.

—

IMPORTANT Note: UCC/SAN “.Local” and other private TLDs will no longer be supported

When you choose an internal name, it won’t matter, because you now must configure Exchange’s internet URLs to be identical as the external URLs to support your UCC/SAN certificate.

On the bright side, this will help with configuring clients internally and externally with the same name anyway. I’ve always configured my customer Exchange CAS URLs with the same name because of this reason.

More info:

Global changes in legislation regarding SAN SSL Certificates
http://www.networking4all.com/en/ssl+certificates/faq/change+san+issue/

 

Topics Covered:

1. Preface: AD Design Considerations

2. Scenario 1 – Same Name as your external name (Split-Zone)

3. Scenario 2 – Sub domain name of the public domain name

4. Scenario 3 – Choosing a TLD Variation of your Public Domain, such as the “.net” version of it

5. Scenario 4 – Choosing a private TLD such as “.local”

6. Exchange 2007 & 2010 UC/SAN certificate considerations

7. Related Links

 

 

==================================================================

Preface: AD Design Considerations

Should I choose the same AD DNS domain name as my external public domain name (also called split-zone), choose a sub domain name of my public name, or should I choose a completely different name such as .local or .net?

I must say this is a classic question that has arisen on numerous occasions starting with the beginning days of AD.

Choosing a name for your internal AD DNS domain name can be based on a number of things, whether technical or political, or previous administrative experience. This has been highly discussed (not debated) in the past.

Whatever decision you make for an AD DNS FQDN domain name, just understand the ramifications. Actually I’m not going to try to get into any sort of debate, for there is really nothing to debate, nor help someone decide on what is ‘right’ or ‘wrong’ but rather just state the ramifications and implications of a name that you do decide on and how to get around them, no matter what the decision was based on.

 

Discussion on what name to choose

This discussion was between myself and Todd J. Heron, MVP, during the Summer of 2003.

Classic question:

“Which are the advantages of naming my domain with domain.com rather than domain.local? I have a domain.com registered for my Company that i use for my e-mail and Site Internet.”

There are different answers to this classic question and while these answers ultimately depend upon company preference, much of the direction will be based upon administrator experience.  The three basic scenarios outlined below are the most commonly given answers to the question, sometimes altogether and sometimes not.   Some company networks use a combination of these scenarios.  When explaining it to a relative beginner asking the question, many responses omit explanatory detail about all the scenarios, for fear of causing more confusion.

All three approaches will have to take both security and the end-user experience into perspective.  This perspective is colored by company size, budget, and experience of personnel running Active Directory and the network infrastructure (mostly with respect to DNS and VPN).  No one approach should be considered the best solution under all circumstances.  For any host name that you wish to have access from both your internal network and from the external Internet you need scenario 1, although it is the most DNS-intensive over time.   If you do not select this option and go with scenario 2, 3 or 4, consideration will have to be given to the fact that company end-users will need to be trained on using different names under different circumstances (based on where they are (at work, on the road or at home).

Since our discussion, I’ve expanded the Scenarios to include considerations when obtaining an Exchange 2007 or 2010 UC/SAN certificate. The certificate authorities will check all of the names for their registered owner. If you choose an internal name that just happens to be a real public domain name that you weren’t aware of, and owned by someone else, the certificate authorities will reject the certificate request. See Scenario 3 for more information.

 

==================================================================

Scenario 1 – Same Name as your external name (Split-Zone)

Choosing the same name internal/external (spilt-zone, or split-brain, whatever you want to call it) has the most administrative overhead. Why chosen?

Either because a misunderstanding of the pros/cons, political, or for ease of use.

Pros:

1. Their email address is their logon name. Easier to remember.

2.  Security.  Each DNS zone is authoritative for the zone of that name so therefore the external DNS zone and internal AD/DNS zone will NOT replicate with each other thereby prevent internal company records to be visible to the outside Internet.

3.  Short namespace.  Users don’t have to type in (or see) a long domain name when accessing company resources either internally or externally.  Names are “pretty”.

Cons:

1. Administrative overhead. If trying to get to your externally hosted website, it won’t resolve because a DNS server will not forward or resolve outside for what a zone that it hosts. You can overcome resolving the www.domain.com dilemma by using a delegation. Right-click your zone, new delegation, type in ‘www’ and provide the public SOAs for the name server(s). This way it will send the resolution request to the SOA and resolve that way. As for http://domain.com, that is difficult and would instruct all users to only use www.domain.com. This is because of the LdapIpAddress, the record that shows up as (same as parent), which EACH domain controller registers. So if you type http://domain.com, you will round robin between the DCs. To overcome that, on EACH DC, install IIS, then under the default website properties, redirect it to www.domain.com and let the delegation handle it.

Now if you were to be using SharePoint services, or something else that connects to the default website (no sub folders or virtual directories), then it becomes a problem. I know numerous installations setup with this and have operated fine for years.

2. Security.  Each DNS zone is authoritative for the zone of that name so therefore the external DNS zone and internal AD/DNS zone will NOT replicate with each other thereby prevent internal company records to be visible to the outside Internet.

3.  Any changes made to the public DNS zone (such as the addition or removal of an important IP host such as a web server, mail server, or VPN server) must added manually to the internal AD/DNS zone if internal users will be accessing these hosts from inside the network perimeter (a common circumstance).

4.  VPN resolution is problematic at best.  Company users accessing the network from the Internet will easily be able to reach IP hosts in the public DNS zone but will not easily reach internal company resources inside the network perimeter without special (and manual) workarounds such as maintaining hosts files on their machines (which must be manually updated as well every time there is a change to an important IP host in the public zone), entering internal host data on the public zone (such as for printers, SRV records for DCs, member server hosts, etc.), which exposes what internal hosts exist, or they must use special VPN software (usually expensive), such as Cisco, Netscreen, etc., which is more secure and reliable anyway.

For further reading on this scenario:
http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html
http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon-common-server-names.html

With a Split-Zone, You may los the ability to access your website or other resources:

If you choose the same name, and you can’t access your internal website, or an external resource with the same name, you need to understand how to handle this with DNS. Read the following for specifics and a how-to.

Split Zone or no Split Zone – Can’t Access Internal Website with External Name
Published by AceFekay on Sep 4, 2009 at 12:11 AM  1278  0
http://msmvps.com/blogs/acefekay/archive/2009/09/04/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name.aspx

 

==================================================================

Scenario 2 – Sub domain name of the public domain name

Choosing a child name or delegated sub domain name of the public zone.

Examples:  Name such as ‘ad.domain.com’, or ‘corp.microsoft.com’. The AD DNS domain name namespace starts at corp.domain.com and has nothing to do with the domain.com zone.

Pros:

1. Minimal administrative overhead.

2. Forwarding will work.

3. The NetBIOS name will be ‘AD’ or ‘CORP’, depending on what you chose and what the users will see in the three-line legacy security logon box.

4.  Like Scenario 1, this method also isolates the internal company network but note this at the same time is also a disadvantage (see below).

5. Better than Scenario 1, internal company (Active Directory) clients can resolve external resources in the public DNS zone easily, once proper DNS name resolution mechanism such as forwarding, secondary zones, or delegation zones are set up.

6. Better than Scenario 1, DNS records for the public DNS zone do not need to be manually duplicated into the internal AD/DNS zone.

7. Better than Scenario 1, VPN clients accessing the internal company network from the Internet can easily navigate into the internal subdomain. It is very reliable as long as the VPN stays connected.

Cons:

1. Confusion on users if they decide on using their UPN.

2.  While there is security in an isolated subdomain, there is potential for exposure to outside attack.  The potential for exposure of internal company resources to the outside world, lies mainly in the fact that because when the public zone DNS servers receives a query for subdomain.externaldnsname.com, they will return the addresses of the internal DNS servers which will then provide answers to that query.

3. Longer DNS namespace.  This may not look appealing (or “pretty”) to the end-users.

4. Security. We are assuming that we can only access the internal servers thru a VPN and assuming they are in a private subnet, they won;’t be accessible. Also assuming to secure the VPN with an L2TP/IPSec solution and not just a quick PPTP connection. If this is all so, we can assume it is secure and not accessible from the outside world.

The scenario is the recommendation from the Windows Server 2003 Deployment Guide.  It states to the external registered name and take a sub zone from that as  the DNS name for the Forest Root Domain:
http://www.microsoft.com/resources/documentation/windowsserv/2003/all/deployguide/en-us/default.asp

 

==================================================================

Scenario 3 – Choosing a TLD Variation of your Public Domain, such as “.net”

Example: Public domain name is domain.com, and you choose “domain.net” as your public name.

This choice has been made by many companies.

Pros:

1. Easy to implement with minimal administrative overhead. Requires minimal action on administrators.

2. Prevents name space conflicts with external domain name. No one else owns it on the internet.

3. Forwarding works.

Cons

1. Domain name may look unprofessional. But this has nothing to do with anything on the public side (the internet).

2. VPN resolution difficult (like option 1) if DNS is not setup properly. That can be a sticky issue and depending on the VPN client will dictate whether it will work or not. I know one of the other MVPs (Dean Wells) created a little script to populate a user’s laptop or home PC’s hosts file with the necessary resources and would remove them once the VPN is dissolved.

3. Exchange HELO name must be altered in the SMTP properties (Exchange 2000 using MetaEdit, or SMTP properties in Exchange 2003), or in the Hub Transport properties (Exchange 2007) to accommodate anti-spam, SPF, and RBL software.

4. Obtaining a UC/SAN certificate for Exchange 2007 & 2010 may be a challenge if you haven’t registered the “.net” version of your public domain name. This is because the Certificate Authorities will check all names in the UC/SAN cert you are requesting, including Exchange’s internal FQDN in the certificate request. This is used by the AutoDiscover feature in Exchange 2007 and 2010 and needs to be in the certificate. Read more on it here:

Exchange 2007 & Exchange 2010 UC/SAN Certificate
http://msmvps.com/blogs/acefekay/archive/2009/08/23/exchange-2007-uc-san-certificate.aspx

==================================================================

Scenario 4 – Choosing a private TLD such as “.local”

Note: UCC/SAN “.Local” and other private TLDs will no longer be supported

When you choose an internal name, it won’t matter, because you can configure Exchange’s internet URLs to be identical as the external URLs. This will help with configuring clients internally and externally with the same name.

More info:

Global changes in legislation regarding SAN SSL Certificates
http://www.networking4all.com/en/ssl+certificates/faq/change+san+issue/

Choosing a private name

Choosing a different TLD: Choosing a private TLD, such as domain.local, domain.corp, domain.abc, etc. This option is easy for either beginners or the expert, because it’s the easiest to implement primarily because it prevents name space conflicts from the very beginning with the public domain and requires no further action on your part with that respect.

The only caveat is that you must configure Exchange URLs to the external URLs to support the certificate requirements.

Pros:

1. Easy to implement with minimal administrative overhead. Requires minimal action on administrators.

2. Prevents name space conflicts with external domain name. No one else owns it on the internet.

3. Forwarding works.

Cons

1. Domain name may look unprofessional. But this has nothing to do with anything on the public side (the internet).

2. VPN resolution difficult (like option 1) if DNS is not setup properly. That can be a sticky issue and depending on the VPN client will dictate whether it will work or not. I know one of the other MVPs (Dean Wells) created a little script to populate a user’s laptop or home PC’s hosts file with the necessary resources and would remove them once the VPN is dissolved.

3. Exchange HELO name must be altered in the SMTP properties (Exchange 2000 using MetaEdit, or SMTP properties in Exchange 2003), or in the Hub Transport properties (Exchange 2007) to accommodate anti-spam, SPF, and RBL software.

4. You won’t have any problems obtaining an Exchange 2007 & 2010 UC/SAN certificate since the internal name is not a public name and there’s nothing to check registration-wise by the Certificate Authorities when requesting the certificate with the internal Exchange FQDN.

 

==================================================================

Exchange 2007, 2010 and 2013 UC/SAN certificate considerations

More things to consider concerning the internal AD DNS domain name and if using Exchange 2007

If you choose a TLD, be sure to not choose one that is already in use by another entity. Reason is it will cause due confusion, and will create problems if you were to get an Exchange 2007 UCC/SAN certificate and adding a name for the internal namespace on the certificate. Here are some existing TLDs that you do not want to choose if the name does not belong to your entity:

So it would be a bad choice for the complications that will arise, if you name the internal domain is registered by others.

As far as choosing what name to use internally, there are pros and cons of using your public TLD (whether the same namespace or not), or a private TLD. I prefer a private TLD. You also have to take into consideration if you will be using Exchange 2007 and expect to purchase a UC/SAN certificate. This type of cert has multiple names, and the internal Exchange server’s private FQDN will be part of it. So for instance, your company is called “A Big Company”, and your external name is abc.com. You decide to make your internal name abc.net. However you never purchased abc.net from the registrar, and someone else did. So the Exchange server internal name is exchange.abc.net. In such a case, the CA will not approve it because A Big Company is not the registered owner of abc.net at the registrar (when you do a WHOIS) and is owned by someone else.

Technically speaking, you can also use the same name for the internal domain and the external domain. Just understand the ramifications. You may encounter the following possible issues that you may have to perform a domain rename in the future.

1.  If the internal domain name that you chose is the same as your Internet public domain name, internal clients may get the domain external IP but routers and firewalls will not respond from an internal request to the external interface. Some refer to this as a U-Turn, and firewalls, routers and NATs cannot handle U-Turns for port forwarded services.

2. Worse, if the internal name you chose was registered by another entity.

Generic top-level domains:

biz .com .info .name  .net  .org  .pro  .aero  .asia  .cat  .coop .edu 
gov .int  .jobs  .mil .mobi  .museum   .tel  .travel

Country-Code Top-Level Domains

You must be careful choosing, especially if someone else owns it on the internet. You’ll never get the cert approved if it is owned by someone else, despite the argument that “it’s my internal domain name…”

ac  .ad  .ae  .af  .ag  .ai  .al  .am  .an  .ao  .aq  .ar  .as  .at  .au 
aw  .ax  .az  .ba  .bb  .bd  .be  .bf  .bg  .bh  .bi  .bj  .bm  .bn  .bo 
br  .bs  .bt  .bw  .by  .bz  .ca  .cc  .cd  .cf  .cg  .ch  .ci  .ck  .cl 
cm  .cn  .co  .cr  .cu  .cv  .cx  .cy  .cz  .de  .dj  .dk  .dm  .do  .dz 
ec  .ee  .eg  .er  .es  .et  .eu  .fi  .fj  .fk  .fm  .fo  .fr  .ga  .gd 
ge  .gf  .gg  .gh  .gi  .gl  .gm  .gn  .gp  .gq  .gr  .gs  .gt  .gu  .gw 
gy  .hk  .hm  .hn  .hr  .ht  .hu  .id  .ie  .il  .im  .in  .io  .iq  .ir 
is  .it  .je  .jm  .jo  .jp  .ke  .kg  .kh  .ki  .km  .kn  .kp  .kr  .kw 
ky  .kz  .la  .lb  .lc  .li  .lk  .lr  .ls  .lt  .lu  .lv  .ly  .ma  .mc 
me  .md  .mg  .mh  .mk  .ml  .mm  .mn  .mo  .mp  .mq  .mr  .ms  .mt  .mu 
mv  .mw  .mx  .my  .mz  .na  .nc  .ne  .nf  .ng  .ni  .nl  .no  .np  .nr 
nu  .nz  .om  .pa  .pe  .pf  .pg  .ph  .pk  .pl  .pn  .pr  .ps  .pt  .pw 
py  .qa  .re  .ro  .rs  .ru  .rw  .sa  .sb  .sc  .sd  .se  .sg  .sh  .si 
sk  .sl  .sm  .sn  .sr  .st  .sv  .sy  .sz  .tc  .td  .tf  .tg  .th  .tj 
tk  .tl  .tm  .tn  .to  .tr  .tt  .tv  .tw  .tz  .ua  .ug  .uk  .us  .uy 
uz  .va  .vc  .ve  .vg  .vi  .vn  .vu  .wf  .ws  .ye  .za  .zm  .zw

 

 

==================================================================

Related Links

For a broad overview of this topic, read some of the links below.

Creating Internal and External Domains
http://technet.microsoft.com/en-us/library/cc755946(WS.10).aspx

DNS Namespace Planning
http://support.microsoft.com/default.aspx?scid=kb;en-us;254680

Assigning the Forest Root Domain Name:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssbc_logi_kqxm.asp

=================================================================

Summary

I hope this helps in your endeavor.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

 

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Suggestions, comments and corrections welcomed!