Namespace Considerations
AD uses the DNS namespace as the basis for naming AD domains. Careful planning of the namespace will invariably make it easier to expand AD into new trees and domains, and will also make it easier to access resources using intuitive names. Ease of adding child domains as your network grows will prove critical in the Active Directory namespace life cycle.
Choosing a naming structure most appropriate for your organization will undoubtedly be influenced by the business factors. Obviously, domain names should somehow correspond to what the company is doing, and in many cases it will be necessary to work with existing domain names. It is likewise necessary to honor logical and physical business division needs, for ease of use, security, administrative, and other purposes. It will also help to know what the company plans are for the immediate and longer-term future, if it is growing (naturally or through acquisitions), if it is planning partnerships or subsidiary spin-offs, and so on.
Windows Server 2008 allows renaming domains—something that was not easily available prior to Windows Server 2003. However, even though it is a built-in feature, domain restructuring on a larger scale is not a trivial task. This feature is intended more for unplanned circumstances; architects and administrators are still strongly advised to plan ahead. Though this might take more time in the rollout phase, it will certainly pay off in the long run. AD hierarchy begins with the forest root domain, sometimes referred to as either the forest domain or the root domain. Its purpose is to initiate the AD namespace, and in practice, it is often left empty— that is, not used for storing actual user or application objects. Since every other domain in this forest will inherit the name of this parent container, this is the most critical part in creating the namespace. Table 3-2 summarizes the advantages and disadvantages of several namespace strategies.
It is recommended that you plan your AD structure first, and then create DNS subdomains to reflect your AD planning results. This may be somewhat difficult to accomplish in environments where the DNS structure is already in place. In this case, it is still recommended that you plan the AD structure first, and then either use a DNS subdomain or a completely separate namespace for the purpose of maintaining the AD infrastructure. Keep in mind that the external namespace should not collide with your internal namespace, or it may cause some name resolution problems for your users. This is why it is recommended to either register your DNS domain name to be used as the AD namespace, even though you might not be providing any network services to external clients, or use a name such as .local that is not possible to query outside of your network without establishing some sort of relationship beforehand.
TABLE 3-2
DNS and AD Namespace Strategies
TABLE 3-2
DNS and AD Namespace Strategies
|
Naming Scheme |
Advantages/Disadvantages |
|
The AD root domain name is the subdomain of a publicly registered and externally accessible SLD DNS domain name. |
All AD information can be fully isolated from the Internet (assuming no delegation is set up from the public portion of the namespace into the internal network). The internal namespace is integrated with the external, in a consistent and logical fashion. It may not be necessary to restructure the existing DNS infrastructure. Internal FQDN hostnames will be longer. It is not necessary to register additional domain names with ICANN, since the root name is already registered. |
|
The AD root domain name coincides with the publicly registered and externally accessible SLD DNS name. |
Users will have shorter and easier names to work with. It is becoming more difficult to administer DNS servers, authoritative for the company domain name, because DNS clients are no longer able to distinguish between internal and external resources. It is not necessary to register additional domain names with ICANN. You will have to update internal and external DNS resource records selectively, exercising caution not to expose internal naming or service information to the outside world. |
|
The AD root domain name has nothing in common with the publicly registered and externally accessible SLD DNS name. |
Administration and security are easier to practice, since internal and external namespaces are created completely separately from each other. The internal namespace and associated resources are inaccessible from the Internet. You may need to maintain two sets of records (one in the internal namespace and one in the external namespaces) for some resources. There is no need to keep internal and external namespaces synchronized. It may become more difficult to integrate internal and external namespaces so that users are able to access resources on the Internet using the external namespace internally. It is not necessary to restructure the existing DNS infrastructure. It is possible, however, that you will have to update existing DNS servers to support SRV records. |
Related posts
- Setting Up Trust Relationships Active Directory Windows Server 2008
-
Manage the UPN Suffix Active Directory Windows Server 2008
- Working with AD LDS Active Directory Windows Server 2008
- Trusts Configured Manually Active Directory Windows Server 2008
- Replication Monitor Active Directory Windows Server 2008
Post a comment