Active Directory – Lab 1 ADDS with internal subdomain

The majority of Active Directory domains I have seen use a standalone internal domain such as .local, .internal or a made-up suffix based on the company name.

When you suggest that the Active Directory domain should be a subdomain of the company’s public domain, you get the worried look that you’re exposing Active Directory to the internet… o_O.

If you take the time to read Microsoft TechNet you'll discover an article which recommends an internal subdomain of your public domain as the way to deploy a DNS namespace, see here.

So if you're building a new Active Directory domain, feel free to follow the instructions detailed below.

Windows Server 2008 R2


  • Windows Server 2008 R2 media – download an evaluation from here
  • A static IPv4 address
  • Your internet provider's DNS server IP addresses
  • A public DNS name registered with an applicable authority


Install Windows Server 2008 R2, assign a static IP address, give the computer a suitable name and then run dcpromo.

Computer Name: ADDS01

IPv4 settings (screenshot): IP address, gateway, primary DNS


Forest root domain FQDN: office.[public domain name]


Reboot when prompted.
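The same promotion steps (static address, computer name, forest root as a subdomain of the public zone), as an added scripted example that is not part of the original post. It assumes the Windows Server 2012 or later cmdlets (NetTCPIP, ADDSDeployment) rather than the 2008 R2 dcpromo wizard shown above; the adapter alias, addresses and `office.example.com` are placeholders to replace with your own values.

```powershell
# Added example, not from the original post. Placeholder values throughout.
$Adapter     = 'Ethernet'            # assumed adapter alias
$StaticIP    = '192.168.10.5'        # constructed lab address
$Prefix      = 24
$Gateway     = '192.168.10.1'
$ForestFqdn  = 'office.example.com'  # office.[public domain name]
$NetbiosName = 'OFFICE'

# 1. Static IPv4 address: a domain controller must never depend on DHCP.
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $StaticIP `
    -PrefixLength $Prefix -DefaultGateway $Gateway

# 2. Point the DNS client at this machine. Once the DNS role is installed the
#    DC resolves its own domain through itself, not through the ISP.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $StaticIP

# 3. Computer name; the rename takes effect after a reboot, so continue
#    with step 4 once the server is back up.
Rename-Computer -NewName 'ADDS01' -Force -Restart

# 4. Forest root domain as an internal subdomain of the public zone.
#    CreateDnsDelegation is off: no delegation is written into the public
#    parent zone, so office.example.com is resolvable only inside the network.
#    Forest/domain mode Win2008R2 matches the lab operating system.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName $ForestFqdn -DomainNetbiosName $NetbiosName `
    -ForestMode 'Win2008R2' -DomainMode 'Win2008R2' `
    -InstallDns:$true -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
    -Force
```

Install-ADDSForest reboots the server on completion, which is the reboot prompt the wizard gives you.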

DNS Configuration

Create a reverse DNS zone for your local subnet.


Create DNS forwarders which point to your ISP's DNS servers and untick "Use root hints if no forwarders are available"; this passes recursive DNS queries on to your ISP rather than having your own DNS server walk the DNS hierarchy. If the root hints option is left ticked, then should your ISP's DNS servers become unavailable your internal DNS server will perform the recursive queries itself. Just FYI, a DNS server performing its own recursion can be vulnerable to DoS attacks, cache poisoning and other issues commonly found when a DNS server is incorrectly configured.


Remove the root hints.
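The reverse zone, forwarder and root-hint steps above as an added example that is not part of the original post, written with the DnsServer module cmdlets of Windows Server 2012 and later (on 2008 R2 these are the DNS Manager steps just described). The subnet and the forwarder addresses are placeholders. The check function at the end reports whether the server is actually left in a forward-only state, including the cache-pollution protection setting that matters for the poisoning risk mentioned above.

```powershell
# Added example, not from the original post. Placeholder addresses.
$LocalNetwork  = '192.168.10.0/24'                 # constructed lab subnet
$IspForwarders = @('203.0.113.1', '203.0.113.2')   # placeholder ISP resolvers

# Reverse lookup zone for the local subnet, AD-integrated and replicated
# to every DNS server in the domain.
Add-DnsServerPrimaryZone -NetworkId $LocalNetwork -ReplicationScope 'Domain'

# Forwarders: every recursive lookup goes to the ISP. UseRootHint $false is
# the "Use root hints if no forwarders are available" box, unticked, so an
# ISP outage does not quietly turn this DC into a full recursive resolver.
Add-DnsServerForwarder -IPAddress $IspForwarders
Set-DnsServerForwarder -UseRootHint $false -Timeout 3

# Remove the built-in root hints so there is nothing left to fall back to.
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force

function Test-ForwardOnlyDns {
    # $true only when the server is fully "slaved" to its forwarders:
    # forwarders present, root-hint fallback off, no root hints left, and
    # recursion still enabled (forwarding itself needs recursion on; turning
    # recursion off would break the forwarders as well).
    $fwd   = Get-DnsServerForwarder
    $hints = @(Get-DnsServerRootHint)
    $rec   = Get-DnsServerRecursion
    $ok = (@($fwd.IPAddress).Count -gt 0) -and
          (-not $fwd.UseRootHint) -and
          ($hints.Count -eq 0) -and
          $rec.Enable
    [pscustomobject]@{
        Forwarders     = (@($fwd.IPAddress) -join ', ')
        UseRootHint    = $fwd.UseRootHint
        RootHints      = $hints.Count
        Recursion      = $rec.Enable
        SecureResponse = $rec.SecureResponse   # cache pollution protection
        ForwardOnly    = $ok
    }
}

Test-ForwardOnlyDns | Format-List

# Functional check: an external name must still resolve through this DC,
# now via the forwarders only.
Resolve-DnsName -Name 'www.example.com' -Server '127.0.0.1' -Type A
```

If ForwardOnly comes back $false, the usual culprit is the root-hint checkbox having been re-ticked, or root hints reloaded from cache.dns after a role repair; run the function again after any change to the DNS server properties.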


Testing DNS resolution using Network Monitor

Run Network Monitor, set the display filter to the DNS protocol and click Start.

Because forwarding is enabled there are only two Ethernet frames.


Initial query to my ISP's DNS servers.


Response from my ISP's DNS servers.

