Active directory FQDNs; .local vs .com

  • Active directory FQDNs; .local vs .com

    For a long time I've heard arguments about naming your internal Active Directory FQDN with a bogus internal TLD (.local, .internal, .borkborkbork, etc.) versus using your company's real domain name with the real TLD (.com, .org, .net). However, I've never heard any concrete arguments for one over the other. Let's discuss this and see what we can find out together. Links to articles or references to books would be appreciated.

    The most commonly seen issue that seems to present itself is with DNS names. You'd have to create a DNS entry in local DNS that matches your external site and any subdomains. That doesn't seem to be a big issue. However, I just recently heard that there could be a problem with resolving internal names over a VPN connection if the VPN client can't be set to use only internal DNS servers after the connection is made. That seems logical. Has anyone had this issue?



    I'm faced with starting a new AD forest/domain and am strongly considering using the company's external domain name for their internal AD FQDN. The biggest reason: usernames. In one place I worked at, the domain was named domain.local, and we had no end of issues with certain username/password fields for various software needing the domain name prepended (I hate that word), some needing the domain name and TLD prepended (hate it!), and others not needing a domain included with the username at all. It was frustrating for users and techs alike to have to remember that certain authentication issues that involved any AD integrated system (from backup software to webmail) may or may not need the domain in the username and which format (domain or domain.local). Many times I couldn't get something authenticated and after much fruitless searching, one of the other IT people would say "Did you add the domain name to the username?". Some things needed it, and others didn't. At that workplace, I always "solved" the issue by using the alternate way of presenting AD credentials: typing my username as "[email protected]". It dawned on me that if the internal domain name was the same as the external name, then I could simply tell everyone "your username is your email address" and then issues with credentials would vanish for users and IT people alike. Does that make sense?

    The potential problem with VPNs causes me some concern. I'll keep looking for meaty articles on the subject and post my findings here.
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

  • #2
    Re: Active directory FQDNs; .local vs .com

    About that username thing... look up UPN (user principal name).
    I will find some juicy link on it in a bit.
    "...if I turn out to be particularly clear, you've probably misunderstood what I've said" - Alan Greenspan



    • #3
      Re: Active directory FQDNs; .local vs .com

      I prefer a split DNS. Although the only drawback of a single domain namespace I've seen is if you want your website to work as "domain.com" vs "www.domain.com".

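      On the split-DNS drawback Garen raises, here is an added example (not from the thread, and not any poster's own code) of what the internal copy of the public zone looks like on an AD-integrated DNS server, and why the bare name still lands on the domain controllers. The zone name example.com, the DNS server dc1.example.com and the addresses 203.0.113.10 and 203.0.113.25 are assumptions for illustration; it needs the DnsServer module from RSAT and rights on the zone.

```powershell
# Added example, not from the thread. Assumes an AD-integrated zone named
# example.com (the company's public name reused internally), the DnsServer
# module, and hypothetical public addresses for the web and mail hosts.
Import-Module DnsServer

$Zone = 'example.com'          # assumption: AD DNS name == public name
$Dns  = 'dc1.example.com'      # assumption: DNS server to administer

# Every public host that internal clients must still reach has to be
# duplicated here, because internal resolvers never consult the public zone
# for this name. Addresses are constructed for the example.
$PublicHosts = @(
    @{ Name = 'www';  Address = '203.0.113.10' },
    @{ Name = 'mail'; Address = '203.0.113.25' }
)

foreach ($h in $PublicHosts) {
    $existing = Get-DnsServerResourceRecord -ComputerName $Dns -ZoneName $Zone `
                    -Name $h.Name -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ComputerName $Dns -ZoneName $Zone `
            -Name $h.Name -IPv4Address $h.Address
        "added $($h.Name).$Zone -> $($h.Address)"
    } else {
        "exists: $($h.Name).$Zone -> $($existing.RecordData.IPv4Address -join ', ')"
    }
}

# The catch: the zone apex ("@", i.e. plain example.com) is registered by
# every DC's Netlogon service as an A record for itself, so inside the
# network the bare name resolves to domain controllers, not the web server.
Get-DnsServerResourceRecord -ComputerName $Dns -ZoneName $Zone -RRType A |
    Where-Object HostName -eq '@' |
    Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }
```

      The apex records can be kept off the DCs with the Net Logon policy "Specify DC Locator DNS records not registered by the DCs" (mnemonic LdapIpAddress), after which the apex A record can be pointed at the web server; anything that locates LDAP by the bare domain name rather than the SRV records then has to be checked first.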


      • #4
        Re: Active directory FQDNs; .local vs .com

        Originally posted by Lior_S View Post
        About that username thing... look up UPN (user principal name).
        I will find some juicy link on it in a bit.
        Yes, UPNs will be what you are looking for.

        With regards to the debate, I have always preferred the top-level part of the FQDN (.local etc.) to be something unconventional, so it is kept private and less obvious to outsiders. I then get users to log on using a UPN and then use SSO solutions, so they are not hampered accessing other systems.

        I could allow a UPN of their email to be used, I suppose, but then, should an intruder realise that, and with emails being public knowledge, there is the enhanced chance that all usernames could be compromised.

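        Since #2 and #4 both point at UPNs as the answer to the username problem in the opening post, here is an added example (not from the thread, not any poster's own code) of the actual change: register the mail domain as an alternative UPN suffix at forest level and give users a UPN equal to their mail address, so "your username is your email address" holds without renaming the domain. The forest name corp.local and the mail domain example.com are assumptions; it needs the ActiveDirectory RSAT module and rights to modify the forest and the user objects.

```powershell
# Added example, not from the thread. Assumes forest corp.local, users whose
# mail attribute is under example.com, and the ActiveDirectory module.
Import-Module ActiveDirectory

$ForestName = 'corp.local'     # assumption: the AD DNS name (stays as-is)
$MailSuffix = 'example.com'    # assumption: the public mail domain

# 1. The suffix must exist at forest level before any user can carry it;
#    Set-ADUser refuses a UPN whose suffix is not registered.
$forest = Get-ADForest -Identity $ForestName
if ($forest.UPNSuffixes -notcontains $MailSuffix) {
    Set-ADForest -Identity $ForestName -UPNSuffixes @{ Add = $MailSuffix }
    "registered UPN suffix $MailSuffix in forest $ForestName"
}

# 2. Set UPN = mail for every enabled user whose mail address uses that
#    suffix. Users without one are reported, not guessed at.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, userPrincipalName
foreach ($u in $users) {
    $mail = if ($u.mail) { $u.mail.ToLower() } else { $null }
    if ($mail -and $mail.EndsWith("@$MailSuffix")) {
        if ($u.userPrincipalName -ne $mail) {
            Set-ADUser -Identity $u -UserPrincipalName $mail
            "$($u.SamAccountName): UPN -> $mail"
        }
    } else {
        Write-Warning "$($u.SamAccountName): no @$MailSuffix mail address, UPN left unchanged"
    }
}

# 3. Verify. These users now log on as first.last@example.com to anything
#    that accepts a UPN, while CORP\first.last and corp.local still work.
Get-ADUser -Filter "userPrincipalName -like '*@$MailSuffix'" |
    Select-Object SamAccountName, UserPrincipalName
```

        Two caveats a practitioner would check before running this against every user: the mail attribute must be unique per user (the UPN must be unique in the forest), and software that only understands DOMAIN\user (the "prepended" forms in the opening post) is unaffected either way, so the UPN fixes the user-facing name, not every integration.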


        • #5
          Re: Active directory FQDNs; .local vs .com

          Originally posted by Lior_S View Post
          About that username thing... look up UPN (user principal name).
          That seems to jingle something in my distant memory...


          Originally posted by Garen View Post
          I prefer a split DNS. Although the only drawback of a single domain namespace I've seen is if you want your website to work as "domain.com" vs "www.domain.com".
          But that's only an issue on the internal network, which seems trivial to me. I never liked not seeing the www in front of a domain name anyway.


          Originally posted by Virtual View Post
          Yes, UPNs will be what you are looking for.
          Okay, I'll look into it.


          Originally posted by Virtual View Post
          With regards to the debate, I have always preferred to have the Top Level part of the FQDN (.local etc) to be something unconventional, so is kept private and less obvious to outsiders.
          How secure do you think things are by an intruder not immediately knowing the TLD? What could a person do with a TLD that they couldn't do without it? Would a simple query of SRV records show the FQDN of the site? I didn't think that you needed any permissions to discover a domain's TLD.


          Originally posted by Virtual View Post
          I could allow a UPN of their email to be used I suppose but then, should an intruder realise that, and with emails being public knowledge, there is the enhance chance that all usernames could be compromised.
          That thought occurred to me, but for some reason doesn't bother me too much. It would seem just as likely that a person could find out that usernames followed a convention of FirstInitial.LastName and then all usernames would be exposed that way. Either way, an outsider discovering the internal username scheme remains just as likely no matter what the scheme is. No?


          Good discussion so far.
          Wesley David



          • #6
            Re: Active directory FQDNs; .local vs .com

            Originally posted by Nonapeptide View Post

            How secure do you think things are by an intruder not immediately knowing the TLD? What could a person do with a TLD that they couldn't do without it? Would a simple query of SRV records show the FQDN of the site? I didn't think that you needed any permissions to discover a domain's TLD.
            I know what you're saying, but in my opinion, minimising risk when you can is good practice. As NAT hides the internal IP addressing scheme, I also like to do the same using a different domain name and therefore DNS namespace.

            For a start, an intruder could attempt to join the domain should policy allow a normal user to do so (GPO policy does exist to allow this). It means they are less likely to be picked up by an IDS system, if they have successfully entered already undetected, as they can minimise what they need to scan for internally. I know what you're saying. There are pros and cons for both ways.



            That thought occurred to me, but for some reason doesn't bother me too much. It would seem just as likely that a person could find out that usernames followed a convention of FirstInitial.LastName and then all usernames would be exposed that way. Either way, an outsider discovering the internal username scheme remains just as likely no matter what the scheme is. No?
            Not really. There are a number of naming schemes in use, so ensuring the naming scheme is not conclusively known will slow down an attack. Like with anything, there are vulnerabilities and ways round security systems. I always opt for a security in-depth approach.

            Some elements of security may seem trivial, such as these suggestions, but they add to the grand scheme of things.

            Like you said, very interesting debate and good to see everyone's point of view.

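            Two points from #5 and #6 can be checked directly: Nonapeptide asks whether a simple SRV query reveals the domain's FQDN, and Virtual notes that an intruder may be able to join a machine to the domain if policy allows ordinary users to do so. The following is an added example (not from the thread, not any poster's own code) that does both: it shows what any host using the internal DNS learns about the domain with no credentials, then reads and closes the setting that lets any authenticated user create computer accounts. It assumes a domain-joined Windows machine (the domain name is read from USERDNSDOMAIN) and, for the second half, the ActiveDirectory RSAT module and Domain Admin rights.

```powershell
# Added example, not from the thread. First half needs only internal DNS;
# second half needs the ActiveDirectory module and rights on the domain object.

$Domain = $env:USERDNSDOMAIN           # e.g. corp.local; the AD DNS name

# 1. Discovery. The DC locator records are plain DNS and carry the domain's
#    real FQDN, every DC's name and the forest name. A hidden TLD is hidden
#    only from people who cannot reach this resolver.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
       Where-Object Type -eq 'SRV'
$dcs | Select-Object Name, NameTarget, Port, Priority, Weight

# Kerberos KDCs and the global catalog (which reveals the forest root) are
# published the same way.
Resolve-DnsName -Name "_kerberos._tcp.$Domain" -Type SRV |
    Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port
Resolve-DnsName -Name "_gc._tcp.$Domain" -Type SRV |
    Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port

# 2. Can any authenticated user add a machine? Two things allow it by
#    default: the "Add workstations to domain" user right on the DCs
#    (granted to Authenticated Users in the Default Domain Controllers
#    Policy) and ms-DS-MachineAccountQuota on the domain object (default 10).
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on ${domainDN}: $quota"

# 3. Close it. With the quota at 0, the user right alone no longer lets a
#    user create computer objects; joins then require explicit delegation
#    (Create Computer Objects on the target OU) or a pre-created account.
if ($quota -ne 0) {
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    "ms-DS-MachineAccountQuota set to 0"
}
```

            The quota change is independent of the domain's name, which is the practical point: whether the domain is corp.local or example.com, the SRV records give an insider the FQDN for free, while the join-the-domain risk is controlled by the quota and the delegation on the Computers container, not by the TLD.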


            • #7
              Re: Active directory FQDNs; .local vs .com

              As long as you don't use a .com or .net that someone else owns on the Internet.

              Oh how that annoys me.
              VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah
