new domain-DNS

Hey there, I'm looking for some direction on DNS and domain naming. I am setting up a fresh W2k3 domain: 2 DCs, 1 Exchange, and 1 web server. All XP clients and W2k3 servers. Our ISP takes care of DNS right now on our NT domain. We have a web server in place that is behind a firewall with NAT. The ISP points '' to our web server's public IP address, then I NAT it to our web server. My question is, when I create a name for my new domain, what is the best practice for DNS? Should I use or should I just go completely separate and use something like domain.local? One reason I ask is that if we have a change in our web name, such as changes to, how will this affect my internal domain structure if I use? Thanks... and if you know of a site or article that explains this in good detail, I would appreciate that as well.

Answer Wiki


My recommendation is to use a completely independent domain for your internal network. Something like mycompany.local, or if you use and you own, use it, but it will block the domain for later usage.

If you use a sub-domain ( you will have to ask your ISP to delegate this zone to you and to STRICTLY avoid having it accessible from the Internet. If once, for any reason, anyone could resolve your, then he will be able to have the best image any hacker could imagine of your LAN.

Best practice:
– use mycompany (as a top level domain) -> www.mycompany for your intranet
– use mycompany.local -> www.mycompany.local for your Intranet

Have a good evening

Discuss This Question: 3  Replies

  • HumbleNetAdmin
    Let's see if I understand you correctly. Your ISP hosts your external DNS for your Internet domain. Your ISP assigns you an IP address, let's say 66.43.32.x. Your domain resolves to this IP. You have a routing device that answers for the IP 66.43.32.x. Your firewall receives the request for HTTP on IP 66.43.32.x, and 66.43.32.x is NAT'd to an internal IP of, let's say, 191.168.1.x of your web server. Now on your internal network I assume that you are going to set up a Win2k DNS server that will resolve traffic on your internal network. You can set up your internal network with the same domain name as your Internet domain, except it should have "ad" before the, so the name would be "". This is not a must, but good practice. The network I manage is. My ISP hosts my DNS and resolves to. My router answers for and passes HTTP requests on to the firewall, which NATs the to an internal network private IP for the web server. My internal DNS has domains for, which resolves IPs for all hardware on the network. So the fully qualified domain name for webserver1 would be. However, under my private DNS, would not resolve; however, would. So I have another private network DNS domain so that internally I can go to, and so on. Keep in mind that my internal DNS and external DNS are separate: on my network has nothing to do with from the Internet, and vice versa. I could change the name of my external DNS name to and it would route traffic from the Internet to the web server. And internally would still go to the web server. On my network, when you request HTTP for, my DNS server answers authoritatively for the request, routing it to the correct server. When you attempt to go to something like, my DNS can't answer for that, so it sends the traffic to the default gateway (firewall) and out to the Internet where a DNS server can answer authoritatively for the request.
    Now if I did not have DNS for on my network, then requests originating from my network to would not be able to reach because of the NAT translation going on in the firewall: it will not allow traffic to go out the firewall and then loop around back through the firewall to the web server. I am not the best at explaining things, so I hope I did not cause you more confusion than help.
  • Sonyfreek
    First things first: put your web server in a DMZ environment. It sounds like you have it inside the firewall on your internal network, according to your initial question. That's a bad idea, because if they own your web server, your domain controller is not far behind... Secondly, it doesn't matter what you name your internal network, because you should have a totally separate DNS (aka split DNS). Your internal servers should not use your external servers, and likewise for the external ones. The internal servers know about the inside systems, and the external one knows about what's outside and in the DMZ only. Consequently, if your company changes its name from companya to companyb, you would most likely change your domain structure to match anyway. It wouldn't matter if it were,, companya.local, etc. If it has companya associated with it, you'd probably want to change it. I like the idea of using because it specifies that it is both Active Directory and internal (of course, it's not fun to type all of the time). The external servers will be .com, .net, or .org depending on what you are using. Then you also do not have a problem resolving to your own web, ftp, etc. servers from the inside domain, because they would simply query the root servers and make their way back to your external DNS to resolve your server IP correctly. Just my $0.02. SF
  • Cptrelentless
    If I may add my tuppence to this, domain.local or domain.lan is a rubbish way of doing it, even in Windows. If you ever want any sort of integration in the future, then rip your domain apart. Using is loads better, and any non-Windows techs will thank you for using DNS properly. Also, I'd recommend getting your DNS back from your ISP, unless you want a load of stale records polluting your DNS for the next ten years. People who work at ISPs are, in my experience, incompetent buffoons when it comes to DNS.
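A way to verify, from a script, that a split DNS setup actually behaves the way the Answer Wiki, HumbleNetAdmin and Sonyfreek describe. This is an added example, not code from anyone in this thread. It sends a raw A query straight to the internal DNS server and to a public resolver (bypassing the OS resolver) and flags the three failure modes the replies mention: an internal-only zone such as ad.example.com or domain.local that resolves from the Internet (the leak the Answer Wiki warns about), a public name for which the internal server hands LAN clients only the public address (the NAT hairpin HumbleNetAdmin explains), and a private address showing up in a public answer. The hostnames, zone names and resolver addresses are placeholders; the 66.43.32.x address in the test reuses the thread's own example. Standard library only.

```python
"""Split-DNS consistency check (added example; hostnames and resolver
addresses below are placeholders, not values from the thread)."""
import ipaddress
import random
import socket
import struct

A_RECORD, CLASS_IN = 1, 1
RCODE_NXDOMAIN = 3


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS A query with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", A_RECORD, CLASS_IN)


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_a_records(data: bytes, txid: int) -> list:
    """Extract IPv4 answers; [] on NXDOMAIN; ValueError on other errors."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply?)")
    rcode = flags & 0x0F
    if rcode == RCODE_NXDOMAIN:
        return []
    if rcode != 0:
        raise ValueError(f"server returned rcode {rcode}")
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = _skip_name(data, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == A_RECORD and rclass == CLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs


def resolve(name: str, server: str, timeout: float = 3.0) -> list:
    """Query one resolver directly over UDP/53, bypassing the OS resolver."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _peer = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def _is_private(addr: str) -> bool:
    return ipaddress.ip_address(addr).is_private


def classify(name: str, internal: list, external: list, internal_only: bool = False) -> list:
    """Compare the internal and external views of one hostname; return findings."""
    findings = []
    if internal_only and external:
        findings.append(f"LEAK: internal-only name {name} resolves from the Internet")
    if any(_is_private(a) for a in external):
        findings.append(f"LEAK: public resolver returns a private address for {name}")
    if not internal:
        findings.append(f"MISSING: internal resolver has no A record for {name}")
    elif not internal_only and not any(_is_private(a) for a in internal):
        findings.append(f"HAIRPIN: internal clients get only public addresses for {name} and will loop through the NAT")
    return findings


def audit(internal_resolver: str, external_resolver: str, hosts: dict) -> dict:
    """hosts maps hostname -> True if the name must never resolve externally."""
    report = {}
    for name, internal_only in hosts.items():
        internal = resolve(name, internal_resolver)
        try:
            external = resolve(name, external_resolver)
        except ValueError:             # REFUSED/SERVFAIL from outside counts as not resolvable
            external = []
        report[name] = classify(name, internal, external, internal_only)
    return report


if __name__ == "__main__":
    # Placeholder resolvers and names; point these at your own internal DNS server and zone.
    result = audit("192.168.1.2", "9.9.9.9", {
        "www.example.com": False,       # public web server, NATed on the firewall
        "dc01.ad.example.com": True,    # AD zone: must be invisible from outside
    })
    for host, findings in result.items():
        print(host, "OK" if not findings else "; ".join(findings))
```

Run it from a LAN workstation with the internal resolver set to the AD DNS server and the external one set to any public resolver; a clean report means the internal zone is not delegated to the outside, the public web name resolves to the private address inside (so browsers never try the hairpin through the firewall), and no RFC 1918 address escapes into public answers. Note that Python's `ipaddress` also treats the documentation ranges (192.0.2.0/24 etc.) as private, which is why the test below uses the thread's 66.43.32.x as its public address.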
