[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] Part two of Dr. Tom meets SBS [and I have some comments] - THE OFFICIAL BLOG OF THE SBS DIVA
Tue, Aug 30 2005 21:44 bradley

Part two of Dr. Tom meets SBS [and I have some comments]

Split DNS and DNS forwarding... if there's something I'll go on record as disagreeing with Dr. Tom [Mr. ISA Server] Shinder on, it's these two items.

In part two of Dr. Tom meets SBS, he talks about both.  And while I respect his passion and belief in these topics [lord only knows I'm a bit passionate myself], in SBSland the information he gives just... well, it's just not SBSized.

First let's take the easier one of the two. If you don't want to do DNS forwarding... whereby in the Connect to Internet wizard you enter the DNS info from your ISP... then just leave it blank and your SBS box will do DNS lookup work just fine using something called 'root hints'.  It will slow down the resolution 'just' a smidge, but I don't agree that you should be putting 'bogus' entries in that box like that.

The help file says: “*Preferred DNS server*  If the value was not defaulted by the wizard, you must type the IP address of the DNS server at your ISP. The DNS Server service provided with Windows Small Business Server 2003 will be configured to forward the DNS queries it cannot resolve to the DNS server you specify.

If you do not specify DNS server information, name resolution requests must instead use root hints. It is recommended that you use DNS server information if it is available from your ISP. For more information, click *Start*, click *Help and Support*, and then search for "root hints".”

Maybe if this warning box that you get if you leave the ISP DNS info blank was more 'in your face' it would be more obvious?  But bottom line I disagree about putting in bogus DNS info in that box.

Next the .local stuff.

There's a reason we do that... in the help file it says...

The full DNS (Domain Name System) name and NetBIOS domain name are used to create your Windows Small Business Server domain. Having a domain enables you to manage access to resources on your network (for example, user accounts, client computers, shared folders, or printers). Setup provides default settings for your internal domain, separating your local (internal) network from the Internet (external network). It is recommended that you use these values.

Dr. Tom in his article states:

“The problem is that this statement is patently untrue. The belief that using the same domain name for internal and external domains is a security issue is based on misconfiguring the split DNS required for using the same domain name for both the internal and external network domains. It is untrue because a core tenet of a well designed split DNS infrastructure is that the internal and external zones authoritative for the internal and external domain names have no relationship other than the domain name.

This is why there is no security issue with using the same domain name for external and internal domains. The only way you would run into security problems is if you, for some reason, decided to do a zone transfer from your internal DNS zone to your external DNS zone. If you did configure such a zone transfer, you could put the privacy of your internal naming infrastructure at risk. However, there’s no reason in the world to ever configure such a zone transfer, so imagined security issues related to mirrored DNS zone information is bogus at best, and misleading at worst.

There are many advantages to using the same domain name for internal and external zones. However, in the SBS single server environment where it’s likely that you’ll be hosting Web and other resources at an ISP or Web hosting service, the split DNS can make things more complicated. However, you can still deploy a fine-tuned split DNS infrastructure while leaving your Active Directory domain’s top level name .local. In a future article I’ll go through the step by step procedures to make this happen so that you can benefit from the elegant transparency provided by a split DNS infrastructure.”

Uh... say what?  Dr. Tom totally lost me on these statements.  We don't do external DNS, and more often than not we [I know I do not] host a web site somewhere else, and we get WAY more people asking “I can't get to my firm's web site”.  Remember what it says in the help file regarding the .local?

Local Domain vs. Internet Domain

A local domain is a way to manage access to resources on your network (for example, user accounts, client computers, shared folders, or printers). Local domain information is also used by tools and applications, such as Microsoft® Exchange Server 2003 or Microsoft® Windows® SharePoint™ Services. The local domain, or internal domain, for your Windows Small Business Server 2003 network is created automatically as part of Setup using a default value of organization_name.local. An Internet domain name is a friendly name used to identify your company on the Internet. An Internet domain name is registered for use on the Internet through an Internet registrar and uses the extension such as .com, .net, and .biz.

Setup creates your local, or internal domain, by installing and configuring the Active Directory® directory service. Setup uses the default value of .local for the last label of the internal domain name because the .local label is a more secure configuration as it is not registered for use on the Internet. This also separates your internal domain from your public Internet domain name. Additionally, using the extension of your registered Internet domain name can result in name resolution issues.

Once you name that box the same as your firm's Internet domain [which, due to firm mergers and acquisitions... I'll bet you a Mountain Dew you'll be changing that sucker at some point in time], you are stuck with that name.  Which is why you shouldn't call it the name you expect to use on email and web sites.  I strongly recommend you call that internal domain .local, .lan if you have Macs, heck call it computer.bozo, it doesn't matter, but don't call it your email address, because if you are the agile firm that I know you are, you'll be changing that sucker and then go into the newsgroup asking “can this be changed” and we'll say... uh... no it can't. 

Furthermore, Dr. Tom says it makes it more complicated to call it .local.  I disagree... it makes it more complicated to call it the same name.  We later enter the mail hosting domain name into the Exchange setup wizard [Connect to Internet] and it doesn't matter what the internal name is called whatsoever.  But I'll guarantee if you call your internal domain the same as your externally hosted web site, we'll have to walk you through hacking the A record inside the server afterwards.  In SBSland it causes more problems, not less.

Remember we ALWAYS look inward for our DNS... not outside... naming us .local means the box always stays inside for inside stuff and doesn't try to resolve anything internal by looking external first.
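To make the "looks inward first" point concrete, here is a small model of how the SBS DNS server answers an internal client. It is an added illustration, not code from the post or from SBS itself; the zone data, host names and addresses (192.168.16.2 for the server, 203.0.113.x for the ISP-hosted web and mail hosts) are constructed. The server is authoritative for the Active Directory zone and forwards (or walks root hints for) anything else. With the internal domain named example.local, a lookup for www.example.com leaves the box and finds the hosted site. With the internal domain named example.com, the same lookup is answered authoritatively from the internal zone, which has no www record, so the client gets NXDOMAIN until someone adds the A record by hand, which is the "hacking the A record" fix described above.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed data: the company's public zone as hosted at the ISP.
PUBLIC_ZONE: Dict[str, Dict[str, str]] = {
    "example.com": {"www": "203.0.113.10", "mail": "203.0.113.20"},
}


def _split(fqdn: str):
    return fqdn.lower().rstrip(".").split(".")


def public_lookup(fqdn: str) -> Optional[str]:
    """What the ISP's DNS (or a root-hints walk) returns for a public name."""
    labels = _split(fqdn)
    for i in range(1, len(labels)):
        zone = ".".join(labels[i:])
        if zone in PUBLIC_ZONE:
            return PUBLIC_ZONE[zone].get(".".join(labels[:i]))
    return None


@dataclass
class InternalDnsServer:
    """Minimal model of the SBS DNS server: authoritative for the AD zone(s)
    it hosts, forwarding everything else to the public namespace."""
    zones: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def resolve(self, fqdn: str) -> Tuple[str, Optional[str]]:
        labels = _split(fqdn)
        # Longest-suffix match against the zones this server hosts.
        for i in range(1, len(labels)):
            zone = ".".join(labels[i:])
            if zone in self.zones:
                host = ".".join(labels[:i])
                # Authoritative answer: the record, or NXDOMAIN (None).
                # The server never asks anyone else about its own zone.
                return ("authoritative", self.zones[zone].get(host))
        # Not our zone: hand it to the forwarder / root hints.
        return ("forwarded", public_lookup(fqdn))


def scenario_dot_local() -> Dict[str, Tuple[str, Optional[str]]]:
    """Internal AD domain example.local, web site hosted at the ISP."""
    sbs = InternalDnsServer(zones={"example.local": {"sbs": "192.168.16.2"}})
    return {name: sbs.resolve(name)
            for name in ("sbs.example.local", "www.example.com")}


def scenario_same_name(add_www_record: bool = False) -> Dict[str, Tuple[str, Optional[str]]]:
    """Internal AD domain named example.com, the same as the public domain.
    With add_www_record=True the public A record is copied into the
    internal zone by hand, the workaround the post describes."""
    internal = {"sbs": "192.168.16.2"}
    if add_www_record:
        internal["www"] = PUBLIC_ZONE["example.com"]["www"]
    sbs = InternalDnsServer(zones={"example.com": internal})
    return {name: sbs.resolve(name)
            for name in ("sbs.example.com", "www.example.com")}


if __name__ == "__main__":
    for title, result in (("example.local", scenario_dot_local()),
                          ("example.com (no fix)", scenario_same_name()),
                          ("example.com (www added)", scenario_same_name(True))):
        print(f"--- internal domain: {title}")
        for name, (source, addr) in result.items():
            print(f"  {name:20} -> {addr or 'NXDOMAIN':14} ({source})")
```

Every public host the firm ever adds at the ISP (www, mail, a customer portal) has to be copied into the internal zone the same way, and kept in sync when the ISP moves it, which is the ongoing cost of naming the internal domain after the public one.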

Just as a footnote... even with a router, I use the “broadband” selection and put a static IP address in the inside NIC and outside NIC setup. 

Welcome to SBSland Dr. Tom, I just still disagree with some of your comments. 


# re: Part two of Dr. Tom meets SBS [and I have some comments]

Wednesday, August 31, 2005 6:37 AM by bradley

No no no no no no no nonooooooooooo!
Your AD domain name has NOTHING TO DO with a split DNS infrastructure. Sure, if you want to plan in advance to use the same domain name internally and externally, that's great! But it does take an awareness of the implications and the simple solutions to those implications. But the flexibility, the transparency, and the happiness on the CxO's face after deploying a well-designed split DNS infrastructure make it well worth understanding how it works and how to deploy it -- even in an SBS environment where we hope the business will grow beyond a single server environment.

In the first quarter of next year we have a book slated on ISA EE, ISA on SBS and advanced DMZ and Exchange Scenarios. Looks like we'll need a 25,000 word chapter with copious examples and rationales to help the SBS IT pro to understand how it works so that they garner the full benefits that the big boys (or small boys like me and the small biz clients I work with) get from the beautiful transparency provided by a well-designed split DNS infrastructure.

# re: Part two of Dr. Tom meets SBS [and I have some comments]

Wednesday, August 31, 2005 7:10 AM by bradley

Susan -

Actually, you're both right . . . it simply depends on what you're trying to accomplish.

Tom is correct that using the same domain name internally for AD and externally for the Internet in and of itself does not pose a security threat. There are easy ways to configure DNS so that things will resolve correctly whether you are on the LAN side or the Internet side of things, without exposing sensitive information to the Internet.

The problems start to occur when you use a non-public IP address range for your protected LAN with the same domain name used both internally and externally. Using NAT, if the DNS names are different, everything works great -- but if the DNS names are the same, things get mighty complex mighty fast.

Now before everyone starts wailing about how you shouldn't use a public IP address range for numbering your internal hosts behind a firewall, there are, on occasion, business reasons why one would want to do that. And these reasons usually make the most sense for smaller companies that are involved with Internet or e-commerce businesses and that don't have the money for completely separate and distinct hardware for both their "internal" versus their "external" systems and for whom shared web hosting or server co-location won't work either.

The point I'm trying to make is that it all depends on what you are trying to accomplish from a business perspective. Sometimes you want separate DNS names for your protected network versus the Internet, and sometimes you don't. Tom's approach, although unconventional from the vanilla SBS implementation perspective, makes a lot of sense for those organizations that use SBS and also either host, or manage, a lot of their own publicly facing Internet infrastructure.

# re: Part two of Dr. Tom meets SBS [and I have some comments]

Wednesday, August 31, 2005 7:22 AM by bradley

Ah, but you hit the nail on the head and maybe didn't even realize it Tom. The Connect to the Internet wizard configures everything, not just your Internet connection and certainly not just DNS. It is also setting up your Active Directory. I call it the connect to everything wizard. So while it's possible to set up your Active Directory differently than your DNS structure, that's not how it's designed in SBS. As Susan would put it, the SBSized way of doing things is to have the same naming structure, and therefore in SBSland when you go messing with one, you've messed up the other. Splitting up the wizards into more wizards would make things a lot more complex and take out the simplicity of the product. I think of the .local issue as just a hangnail, really. It's something we can live with but at the same time a little annoying. No reason to get all excited about it.

# re: Part two of Dr. Tom meets SBS [and I have some comments]

Wednesday, August 31, 2005 7:37 AM by bradley

Hi Amy,

Yes! But I'm NOT recommending that they rename their AD name. I'm not even recommending that they involve their AD in the split DNS at all, although it will actually make things easier in the long run. I'm also not recommending that folks that don't understand how DNS works implement it.

I've been admonished by several SBS MVPs to not treat them as less knowledgeable than other MS admins. OK, I took it to heart and I expect them to understand MS network servers and services as well as any other MS network admin. I think it's a worthwhile endeavor to do this kind of article series to teach a thing or two, and expand the number of options. The community I'm not aiming at is the guy who was the best at Doom on his block and decided to go into SBS for easy money :)

I think by the end of the series you'll see what I'm talking about. I've been very humble throughout the process and make it clear that it's unofficial, unauthorized, and that people should go with MS recs if they don't like, don't understand, or don't trust what I have to say.

Thanks!
Tom