Public and Private DNS

We are in need of redoing our external DNS servers and we're also in the process of moving to a new AD forest internally. Originally our internal domain was company.com and we're working towards company.internal to fall in with best practice. We're already going to have multiple subdomains of company.internal and considered the idea of public.company.internal to isolate the external DNS servers and also give us a separate domain for credentialing our customers that need access to public-facing systems. The zones then supported on these external DNS servers would be AD-integrated; however, because they are part of the forest, I can then do lookups from externally and resolve what should be internal-only zones such as company.internal, sub.company.internal, etc. Not that it's necessarily relevant to the question, but the publicly accessible servers would be RODCs. We have auditing tools in place for this forest, which is also part of the desire to keep them linked.

I've not found an elegant solution to restrict those lookups. Is that a possibility, or do I need to structure this entirely differently to avoid that?

June 17th, 2015 6:05pm

Hi,

Before you continue, I would like to warn you that company.internal is no longer considered best practice. In fact, you can get into some difficulties with it.

The best practice is int.company.com - "int" meaning internal.

For example:

NetBIOS name = CONTOSO

FQDN = int.contoso.com

The reason is certificates. For some scenarios, like Skype for Business, you must deploy commercial certificates. And you cannot get a commercial SAN certificate which specifies a private name space.

I'm sorry I cannot give you any links to support my claim, but I encourage you to do your own research.

Best of luck

June 18th, 2015 3:39am

Hi,

According to your description, my understanding is that you want to configure external DNS servers in public.company.internal with AD-integrated zones, in order to resolve internal names from external. And also internal users can access external.

I am not sure how many DNS servers are in public.company.internal. Conditional forwarders might also be helpful for resolving internal names: just forward queries to the other corresponding DNS servers. It would be better than configuring an AD-integrated zone accessible from external directly. Besides, you may also configure a read-only DNS server for external DNS queries.

You may reference Planning Deployment of AD DS in the Perimeter Network for more information, including different deployment models and considerations for choosing an appropriate AD deployment model:
https://technet.microsoft.com/en-us/library/dd728030(v=ws.10).aspx

And reference Designing RODCs in the Perimeter Network for more information about configuring DNS for name resolution and registration:
https://technet.microsoft.com/en-us/library/dd728028(v=ws.10).aspx

Best Regards,
Eve Wang
June 18th, 2015 3:40am
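One way to lay out the split that the reply above describes, as an added PowerShell example that is not part of the original thread: the perimeter servers hold only the public zone (assumed here to be a file-backed primary rather than an AD-integrated one, so no internal zone is ever present on them), recursion is switched off so they answer only for what they host, and the internal servers reach public names through a conditional forwarder. The zone names, the perimeter addresses 203.0.113.10/11 and the host names are constructed placeholders.

```powershell
# Added example: split DNS roles so the perimeter servers never answer for
# company.internal. All names and addresses are constructed placeholders.

# --- On each perimeter DNS server (run in an elevated session) ---

# Host only the public zone. A file-backed primary is not stored in AD, so
# the internal AD-integrated zones are not replicated onto this server.
Add-DnsServerPrimaryZone -Name 'company.com' -ZoneFile 'company.com.dns'

# Refuse recursion: the server now answers only for zones it is
# authoritative for. A query from the Internet for sub.company.internal
# gets a refusal instead of being forwarded anywhere.
Set-DnsServerRecursion -Enable $false

# Allow zone transfers only to the other perimeter server, not to anyone
# who asks (AXFR of the public zone would otherwise enumerate every record).
Set-DnsServerPrimaryZone -Name 'company.com' `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers '203.0.113.11'

# --- On the internal DNS servers (company.internal forest) ---

# Internal users still resolve public names: queries for company.com are
# forwarded to the perimeter servers, and the forwarder definition is
# replicated to every DNS server in the forest.
Add-DnsServerConditionalForwarderZone -Name 'company.com' `
    -MasterServers '203.0.113.10', '203.0.113.11' `
    -ReplicationScope 'Forest'

# --- Verification, run from a host outside the perimeter ---

# Expected: the public name resolves from the perimeter server.
Resolve-DnsName -Name 'www.company.com' -Server '203.0.113.10' -DnsOnly

# Expected: the internal name is NOT answered by the perimeter server
# (the cmdlet reports an error, which is the desired outcome).
Resolve-DnsName -Name 'dc01.sub.company.internal' -Server '203.0.113.10' `
    -DnsOnly -ErrorAction Continue
```

The second Resolve-DnsName call is the check to repeat after any change to the perimeter servers: if an internal name ever resolves from outside, a zone has been replicated or forwarded where it should not be.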
