Split DNS and DNS forwarding... if there's something that I will go on record as disagreeing with Dr. Tom [Mr. ISA Server] Shinder on is these two items.
In part two of Dr. Tom meets SBS, he talks about both. And while I respect his passion and belief in these topics [lord only knows I'm a bit passionate myself], in SBSland, the information he gives just ... we'll it's just not SBSized.
First let's take the easier one of the two. If you don't want to do DNS forwarding...whereby in the Connect to Internet wizard the DNS info from your ISP, then just leave it blank and your SBS box will do DNS lookup work just fine using something called 'root hints'. It will slow down the resolution 'just' a smidge, but I don't agree that you should be putting 'bogus' entries in that box like that.
The help file says “ *Preferred DNS server* If the value was not defaulted by the wizard, you must type the IP address of the DNS server at your ISP. The DNS Server service provided with Windows Small Business Server 2003 will be configured to forward the DNS queries it cannot resolve to the DNS server you specify.
If you do not specify DNS server information, name resolution requests must instead use root hints <#>. It is recommended that you use DNS server information if it is available from your ISP. For more information, click *Start*, click *Help and Support*, and then search for "root hints
Maybe if this warning box that you get if you leave the ISP DNS info blank was more 'in your face' it would be more obvious? But bottom line I disagree about putting in bogus DNS info in that box.
Next the .local stuff.
There's a reason we do that... in the help file it says...
The full DNS (Domain Name System) name and NetBIOS domain name are used to create your Windows Small Business Server domain. Having a domain enables you to manage access to resources on your network (for example, user accounts, client computers, shared folders, or printers). Setup provides default settings for your internal domain, separating your local (internal) network from the Internet (external network). It is recommended that you use these values.
Dr. Tom in his article states:
“The problem is that this statement is patently untrue. The belief that using the same domain name for internal and external domains is a security issue is based on misconfiguring the split DNS required for using the same domain name for both the internal and external network domains. It is untrue because a core tenet of a well design split DNS infrastructure is that the internal and external zones authoritative for the internal and external domain names have no relationship other than the domain name.
This is why there is no security issue with using the same domain name for external and internal domains. The only way you would run into security problems is if you, for some reason, decided to do a zone transfer from your internal DNS zone to your external DNS zone. If you did configure such a zone transfer, you could put the privacy of your internal naming infrastructure at risk. However, there’s no reason in the world to ever configure such a zone transfer, so imagined security issues related to mirrored DNS zone information is bogus at best, and misleading at worst.
There are many advantages to using the same domain name for internal and external zones. However, in the SBS single server environment where it’s likely that you’ll be hosting Web and other resources at an ISP or Web hosting service, the split DNS can make things more complicated. However, you can still deploy a fine-tuned split DNS infrastructure while leaving your Active Directory domain’s top level top name .local. In a future article I’ll go through the step by step procedures to make this happen so that you can benefit form the elegant transparency provided by a split DNS infrastructure.
Uh... say what? Dr. Tom totally lost me on these statements. We don't do external DNS, and more often than not we [I know I do not] host a web site somewhere else and we get WAY more people asking “I can't get to my firm's web site'. Remember what it says in the help file regarding the .local?
Local Domain vs. Internet Domain
A local domain is a way to manage access to resources on your network (for example, user accounts, client computers, shared folders, or printers). Local domain information is also used by tools and applications, such as Microsoft® Exchange Server 2003 or Microsoft® Windows® SharePoint™ Services. The local domain, or internal domain, for your Windows Small Business Server 2003 network is created automatically as part of Setup using a default value of organization_name.local. An Internet domain name is a friendly name used to identify your company on the Internet. An Internet domain name is registered for use on the Internet through an Internet registrar and uses the extension such as .com, .net, and .biz.
Setup creates your local, or internal domain, by installing and configuring the Active Directory® directory service. Setup uses the default value of .local for the last label of the internal domain name because the .local label is a more secure configuration as it is not registered for use on the Internet. This also separates your internal domain from your public Internet domain name. Additionally, using the extension of your registered Internet domain name can result in name resolution issues.
Once you name that box the same as your firm's Internet domain [that due to firm mergers and acqusitions... I'll bet you a Mountain Dew you'll be changing that sucker at some point in time], you are stuck with that name. Which is why you shouldn't call it the name you expect to use on email and web sites. I strongly recommend you call that internal domain .lan for mac, .local, heck call it computer.bozo, it doesn't matter, but don't call it your email address because if you are the agile firm that I know you are, you'll be changing that sucker and then go into the newsgroup asking “can this be changed' and we'll say...uh ...no it can't.
Furthermore, Dr. Tom says it makes it more complicated to call it .local. I disagree... it makes it more complicated to call it the same name. We later enter the mailhosting domain name later into the Exchange setup wizard [Connect to Internet] and it doesn't matter what the internal name is called whatsoever. But I'll guarantee if you call your internal computer name the same as your externally hosted web site, we'll have to walk you through hacking the A record inside the server afterwards. In SBSland it causes more problems, not less.
Remember we ALWAYS look inward for our DNS... not outside... naming us .local means the box always stays inside for inside stuff and doesn't try to resolve anything internal by looking external first.
Just as a footnote... even with a router, I use the “broadband' selection and put a static IP address in the inside NIC and outside NIC setup.
Welcome to SBSland Dr. Tom, I just still disagree with some of your comments.