Secondly, it doesn’t matter what you name your internal network because you should have a totally separate DNS (aka, split DNS). Your internal servers should not use your external servers and likewise for the external ones. The internal servers know about the inside systems and the external one knows about what’s outside and in the DMZ only.

Consequently, if your company changes it’s name from companya to companyb, you would most likely change your domain structure to match anyway. It wouldn’t matter if it were companya.com, companya.net, companya.local, etc. If it has companya associated with it, you’d probably want to change it.

I like the idea of using ad.company.local because it specifies that it is both active directory and internal (of course, it’s not fun to type all of the time). The external servers will be .com, .net, or .org depending on what you are using. Then you also do not have a problem resolving to your own web, ftp, etc servers from the inside domain because they would simply query the root servers and make their way back to your exernal DNS to resolve your server IP correctly.

Just my $0.02.

SF

Your ISP host you external DNS for you internet domain.
Your ISP assigns you an IP address lets say 66.43.32.x
Your domain mycompany.com resolves to this IP
You have a routing device that answers for the IP 66.43.32.x
Your firewall receives the request for http on IP 66.43.32.x and 66.43.32.x is NAT’d to and internal IP of lets say 191.168.1.x of your webserver.

Now on you internal network I assume that you are going to set up a win2k DNS server that will resolve traffic on your internal network. You can set up your interal network with the same domain name as your internet domain except for it should have “ad” before the mycompany.com, so the name would be “ad.mycompany.com”. This is not a must, but good practice.

The network I manage is affiliated.org
My ISP hosts my DNS and affiliated.org resolves to 66.43.36.10.
My router answers for 66.43.36.10 and passess http request on to the firwall witch NATS the 66.43.36.10 to an internal network private IP for the webserver.

My internal DNS has domains for ad.affiliated.org which resolves IP’s for all hardware on the network. So the fully qualified domain name for webserver1 would be webserver1.ad.affiliated.org. However under my private DNS, http://www.affiliated.org would not resovle, however http://www.ad.affiliated.org would.
So I have another private network DNS domain affiliated.org so that internaly I can go to http://www.affiliated.org, http://ftp.affiliated.org and so on.

Keep in mind that my internal DNS and external DNS are seperate, on my network http://www.affiliated.org has nothing to do with http://www.affiliated.org from the internet and vise/versa.

I could change the name of my external DNS name affiliated.org to affiliatedco.org and it would route traffic from the internet to the webserver. And internaly http://www.affilaited.org would still go to the webserver.

On my network, when you request http for http://www.affiliated.org my DNS server answers authoritively for the request routing it to the correct server. When you attempt to go to something like http://www.msn.com, my DNS cant answer for that so it sends the traffic to the default gateway (firewall) and out to the internet where a DNS server can answer authoritivly for the request.

Now if I did not have DNS for http://www.affiliated.org on my network then request originating from my network to http://www.affiliated.org would not be able to reach http://www.affiliated.org because of the NAT translation going on in the firewall, it will not allow traffic to go out the firewall and then loop around back through the firewall to the webserver.

I am not the best at explaining things, so I hope I did not cause you more confusion then help.