The majority of Active Directory domains I have seen use a standalone internal domain such as .local, .internal or .company name.
When you suggest that the Active Directory domain should be a subdomain of the company’s public domain, you get the worried look that you’re exposing Active Directory to the internet… o_O.
If you take time to read Microsoft TechNet you’ll discover an article which details an internal subdomain of your public domain as the recommended way to deploy a DNS namespace, see here.
So if you're building a new Active Directory domain then please feel free to follow the instructions detailed below.
Windows Server 2008 R2
- Windows Server 2008 R2 media – download an evaluation from here
- A static IPv4 address
- Your internet provider's DNS server IP addresses
- A public DNS name registered with an applicable authority
Install Windows Server 2008 R2, assign a static IP address, give the computer a suitable name and then run dcpromo.
Computer Name: ADDS01
IP Address: 192.168.0.100/24, Gateway: 192.168.0.1, Primary DNS: 127.0.0.1
Forest root domain FQDN: office.[public domain name]
Reboot when prompted
Create a reverse DNS zone for your local subnet.
Create DNS forwarders which point to your ISP's DNS servers and untick "Use root hints if no forwarders are available"; this passes recursive DNS queries on to your ISP rather than having your own DNS server resolve them. If that box is left ticked and your ISP's DNS servers become unavailable, your internal DNS server will perform the recursive queries itself. Just FYI, a recursive DNS server can be vulnerable to DoS attacks, cache poisoning and the other issues commonly found on an incorrectly configured DNS server.
Remove the root hints.
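The three DNS steps above (reverse zone, forwarders without root-hint fallback, root hints removed) as a script, added here as an example and not taken from the original post. It targets the Windows Server 2008 R2 DNS role from an elevated PowerShell prompt on the new domain controller, using dnscmd.exe for the zone and forwarders and the MicrosoftDNS WMI provider for the root hints. The 192.168.0.0/24 subnet is the one from the post; the two forwarder addresses are placeholders from the RFC 5737 documentation range and must be replaced with your ISP's resolvers.

```powershell
# Added example, not part of the original post: scripted equivalent of the
# reverse zone / forwarders / root hints steps for the Server 2008 R2 DNS role.
# Assumptions: 192.168.0.0/24 as in the post; forwarder IPs are PLACEHOLDERS.

$IspForwarders = @('203.0.113.53', '203.0.113.54')   # PLACEHOLDER: your ISP's DNS servers
$ReverseZone   = '0.168.192.in-addr.arpa'           # reverse zone for 192.168.0.0/24

function Invoke-DnsCmd {
    # Thin wrapper around dnscmd.exe that turns a non-zero exit code into a
    # terminating error, so a failed step is never silently skipped.
    param([Parameter(Mandatory = $true)][string[]]$Arguments)
    $output = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("dnscmd {0} failed with exit code {1}: {2}" -f `
            ($Arguments -join ' '), $LASTEXITCODE, ($output -join ' '))
    }
    return $output
}

# Step 1: reverse lookup zone for the local subnet, stored in Active Directory.
Invoke-DnsCmd -Arguments @('/ZoneAdd', $ReverseZone, '/DsPrimary') | Out-Null

# Step 2: forwarders pointing at the ISP. /Slave is the command-line equivalent
# of unticking "Use root hints if no forwarders are available": if the
# forwarders do not answer, the query fails instead of the DC recursing from
# the root on its own.
Invoke-DnsCmd -Arguments (@('/ResetForwarders') + $IspForwarders + @('/Slave')) | Out-Null

# Step 3: remove the root hints. The MicrosoftDNS WMI provider exposes every
# resource record with a ContainerName; '..RootHints' is the container holding
# the root server NS records and their glue A/AAAA records.
$rootHints = @(Get-WmiObject -Namespace 'root\MicrosoftDNS' `
                -Class MicrosoftDNS_ResourceRecord `
                -Filter "ContainerName='..RootHints'")
foreach ($record in $rootHints) {
    $record | Remove-WmiObject
}
Write-Host ("Removed {0} root hint record(s)." -f $rootHints.Count)

# Dump the server configuration so the result can be compared with the
# DNS console settings described in the post.
Invoke-DnsCmd -Arguments @('/Info')
```

Run it once, after dcpromo has finished and the server has rebooted, and before any workstation is pointed at the DC for DNS; each step is the scripted form of the console action named in the post, and the wrapper aborts on the first failure rather than continuing with a half-configured server.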
Testing DNS resolution using Network Monitor
Run Network Monitor, scope the display filter to the DNS protocol and click Start.
Because forwarding is enabled there are only two Ethernet frames.
Initial query to my ISP's DNS servers.
Response from my ISP's DNS servers.
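The packet capture shows the behaviour from the wire; the read-only check below confirms it from the server's own configuration. It is an added example, not code from the original post, and reads the MicrosoftDNS WMI provider that ships with the DNS Server role on Windows Server 2008 R2. It assumes you run it as a domain administrator, against the local DC by default, and it uses www.microsoft.com merely as a stand-in for any external name.

```powershell
# Added example, not part of the original post: audit the settings behind the
# two-frame capture (forwarders present, no root-hint fallback, root hints
# removed) via the MicrosoftDNS WMI provider on a Server 2008 R2 DNS server.
# Assumption: run as a domain admin; defaults to the local DC.

function Get-DnsForwardingPosture {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $server    = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server `
                    -ComputerName $ComputerName
    $rootHints = @(Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_ResourceRecord `
                    -ComputerName $ComputerName -Filter "ContainerName='..RootHints'")
    # Forwarders may be $null; filter so an empty list really has Count 0.
    $forwarders = @($server.Forwarders | Where-Object { $_ })

    $findings = @()
    if ($forwarders.Count -eq 0) {
        $findings += 'No forwarders: the DC resolves internet names by full recursion itself.'
    }
    if (-not $server.IsSlave) {
        $findings += '"Use root hints if no forwarders are available" is still ticked; the DC recurses on its own if the ISP is down.'
    }
    if ($server.NoRecursion) {
        $findings += 'Recursion is disabled outright, which also disables forwarding; domain clients cannot resolve external names.'
    }
    if ($rootHints.Count -gt 0) {
        $findings += ('{0} root hint record(s) remain.' -f $rootHints.Count)
    }

    New-Object PSObject -Property @{
        ComputerName   = $ComputerName
        Forwarders     = $forwarders
        ForwardersOnly = [bool]$server.IsSlave   # IsSlave = forward-only, no root-hint fallback
        RootHintCount  = $rootHints.Count
        Findings       = $findings
        Compliant      = ($findings.Count -eq 0)
    }
}

$posture = Get-DnsForwardingPosture
$posture | Format-List ComputerName, Forwarders, ForwardersOnly, RootHintCount, Compliant
$posture.Findings | ForEach-Object { Write-Warning $_ }

# Resolution test through the DC's own resolver (127.0.0.1 as configured above):
# a success here with ForwardersOnly = True is what produces the two-frame capture.
try {
    $null = [System.Net.Dns]::GetHostAddresses('www.microsoft.com')   # any external name will do
    Write-Host 'External resolution via forwarders: OK'
}
catch {
    Write-Warning ('External resolution failed: {0}' -f $_.Exception.Message)
}
```

`Compliant = True` with an empty findings list means every query for an external name leaves the DC as a single forwarded query to the ISP, which is exactly why the capture above contains one query and one response and nothing else; any warning it prints names the console setting from the post that still needs attention.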