Why .com is a bad choice for a Windows Active Directory domain name.

(or, How to choose an AD domain name.)

We run into this issue from time to time when a Windows domain has been set up by an inexperienced admin. It seems sensible and intuitive on the surface to have your internal domain name match your internet/website domain.

For example: your website is www.mycompany.com, so you set up your Windows Active Directory domain to match it as mycompany.com.

I myself thought this was a good idea when first starting out with Active Directory.
It's a terrible idea and here's why:

First, every domain-joined machine should use only your domain controller(s) for DNS resolution. In turn, your domain controllers should have forwarders configured (typically your ISP's DNS servers) to take care of internet name resolution for anything they are not authoritative for.

So, what happens when you enter an address like www.mycompany.com and your internal and external domain names match?
Your workstation asks the domain controller for the server www.mycompany.com.

If your internal domain is mycompany.com, the domain controller is authoritative for that zone, so it answers from its own forward lookup zone instead of forwarding the query. It looks for an A record named www, doesn't find one, and returns NXDOMAIN ('name does not exist'). The query is never sent to the forwarders, and users inside the network cannot reach your own public website.

If your internal domain doesn't end in mycompany.com but ends in, say, mycompany.local (or any other suffix you care to use), the DC/DNS server immediately recognizes that it is not authoritative for the name and sends the request to its configured forwarders. The forwarder replies with the correct IP and your application continues on its merry way.

Obviously, the second case is preferable because it avoids an error condition. One caveat on the suffix itself: .local is also claimed by multicast DNS (Bonjour/Avahi), and public certificate authorities no longer issue certificates for names that aren't registered, so Microsoft's current guidance is a subdomain of a registered domain you own, such as corp.mycompany.com. That still differs from your public name, so the forwarding behaviour above is unchanged.

How do you solve this name resolution problem without changing your internal domain name?
If you're already stuck with a public domain name but need to resolve external servers, you can create an entry for 'www' in your internal forward lookup zone that points to your actual, external, internet-facing web server. (You will also have to create an entry for every other external host you need: smtp, pop, imap, mail, etc.) This is split-brain DNS, and it has to be kept in sync by hand: when your hosting company moves the public server to a new address, the internal copy goes stale silently and only internal users break.
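To make the two behaviours above concrete, here is an added PowerShell example (not from the original post) to run on the DC's DNS server. It configures the forwarders, creates the 'www', 'mail' and similar records that an admin stuck with a public name has to maintain by hand, and then compares the internal copies against a public resolver to catch the drift that split-brain DNS invites. The zone name, forwarder addresses, host list, the RFC 5737 test addresses and the Test-SplitBrainDrift function are all assumptions for illustration.

```powershell
# Added example, not part of the original post. Run on a Windows DNS server (the DC)
# with the DnsServer module. Zone name, forwarder addresses and the external host list
# are assumptions; the IPs are constructed from RFC 5737 TEST-NET ranges.
Import-Module DnsServer

$Zone           = 'mycompany.com'                     # internal AD zone that collides with the public name
$Forwarders     = '198.51.100.53', '198.51.100.54'    # assumed upstream (ISP) resolvers
$PublicResolver = '198.51.100.53'                     # a resolver that sees the *public* zone

# Everything the DC is not authoritative for goes to the upstream resolvers.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false

# External hosts internal clients must still reach. They have to be copied into the
# internal zone because the DC will never forward a query for mycompany.com.
$ExternalHosts = @{
    'www'  = '203.0.113.10'
    'mail' = '203.0.113.25'
    'smtp' = '203.0.113.25'
    'imap' = '203.0.113.26'
}

foreach ($entry in $ExternalHosts.GetEnumerator()) {
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $entry.Key -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $entry.Key -IPv4Address $entry.Value -TimeToLive 01:00:00
        Write-Host "Added $($entry.Key).$Zone -> $($entry.Value)"
    }
}

# The hidden cost of split-brain DNS: the internal copy goes stale when the hosting
# company changes the public address. Compare what the DC answers with what the
# public resolver answers and flag every host whose address sets differ.
function Test-SplitBrainDrift {
    param([string]$ZoneName, [string[]]$Hosts, [string]$Resolver)
    foreach ($h in $Hosts) {
        $fqdn = "$h.$ZoneName"
        $internal = Resolve-DnsName -Name $fqdn -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress } | Sort-Object
        $public   = Resolve-DnsName -Name $fqdn -Type A -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress } | Sort-Object
        [pscustomobject]@{
            Host     = $fqdn
            Internal = ($internal -join ',')
            Public   = ($public -join ',')
            InSync   = (($internal -join ',') -eq ($public -join ','))
        }
    }
}

Test-SplitBrainDrift -ZoneName $Zone -Hosts $ExternalHosts.Keys -Resolver $PublicResolver |
    Format-Table -AutoSize
```

Run the drift check on a schedule: any row with InSync false is a host your internal users can no longer reach correctly, even though the public internet is fine.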

Name resolution isn't the only problem. Using the public name internally also dangerously blurs the psychological and technical lines between two very different networks, which have very different security and access requirements.

Additionally, keeping the internal and external domains distinct removes the need to mirror external servers in internal DNS at all. You can simply keep your internet-facing DNS entries where they belong: in your domain registrar's or hosting company's DNS control panel.

There is a great advantage to having a very sharp and clear line drawn between your internal network and your publicly-available services. This line works best when it's both psychological and technical.

Here's corroboration from MS:

All the best...
Chris Thompson
Network Engineer