Educause Security Discussion mailing list archives

Re: It's all in a Domain Name
From: "Consolvo, Corbett D" <cc72 () TXSTATE EDU>
Date: Thu, 18 Mar 2010 08:19:48 -0500

John,
  I would recommend the third option (.local).  I have been in that environment before (including providing remote 
access services) and I feel that provides the best security.  We did not run into any major technical issues.

Corbett Consolvo
Texas State University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John 
Kaftan
Sent: Thursday, March 18, 2010 8:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] It's all in a Domain Name

We are migrating to AD from Novell and are deciding on a domain name.  We have been reading through Microsoft's KB 
articles and asking friends what is the best domain name for Utica College.  One of our goals as a college is to become 
a university, so our name could change to Utica University or something similar.  So far I have not found any document 
that makes it clear what the implications are in regard to a domain name.  Microsoft seems to be mostly concerned with 
making sure the name is unique so we can merge with another organization easily, but I'd like to know if there is a 
major security reason to go one way over another.  Here are the options as we see them.  Our internet-facing domain 
name is Utica.edu.
John Kaftan
Infrastructure Manager
Utica College
315.792.3102
Utica.edu

Pros:

Simple and straightforward.  Can easily survive a college name change.  If we create branch campuses we could easily 
create a forest later, e.g. az.utica.edu for a branch campus in Arizona.

Cons:

Have to maintain two split DNS zones for Utica.edu: one for the inside and another for the DMZ or internet-facing 
names.

Ad.utica.edu or main.utica.edu or Utica.utica.edu

Pros:

Separate DNS zones for inside and internet names = can just forward inside DNS to DMZ DNS and only maintain Utica.edu 
zone in one place.

Cons:

Longer names internally when using FQDNs for servers.  Possible issues with wildcard certificates.

Utica.lan or Utica.local

Pros:

Separate DNS zones for inside and DMZ plus short domain name.

Cons:

Microsoft does not like it, but the only reason I can see is that it is possible for two companies to have the same 
domain name and then not be able to merge easily.  Possible issue with VPNs or Citrix Secure Gateway, but I was not able 
to get detail on that.
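The second option above (AD domain ad.utica.edu, public utica.edu hosted only on the DMZ DNS, internal DNS forwarding to it) is the one most easily expressed as configuration, so here is an added example of what that looks like on a Windows DNS server. This is not code from the thread or from either poster; it uses the standard DnsServer PowerShell cmdlets, and the host names and the TEST-NET addresses for the DMZ resolvers are assumptions for illustration. It also adds the check a practitioner would want: an internal name must resolve inside and must not be answered by the DMZ view.

```powershell
# Added example: internal AD DNS for option 2 (AD domain ad.utica.edu,
# public zone utica.edu served only by the DMZ resolvers).
# Assumptions: the AD zone was created by the forest install, the DMZ
# resolvers are 192.0.2.10/11 (constructed TEST-NET addresses), and
# fileserver.ad.utica.edu is a hypothetical internal host.
# Requires the DnsServer module and rights on the DNS server.

$AdZone       = 'ad.utica.edu'
$PublicZone   = 'utica.edu'
$DmzResolvers = @('192.0.2.10', '192.0.2.11')

# 1. Confirm the AD domain zone exists and is AD-integrated; secure
#    dynamic updates (only a host may overwrite its own record) need that.
$zone = Get-DnsServerZone -Name $AdZone -ErrorAction Stop
if (-not $zone.IsDsIntegrated) {
    throw "$AdZone is not AD-integrated; convert it before relying on secure dynamic updates."
}

# 2. Instead of hosting a second copy of utica.edu inside, forward that
#    zone to the DMZ resolvers. Queries for *.ad.utica.edu still hit the
#    authoritative AD zone because the longest matching zone wins.
if (-not (Get-DnsServerZone -Name $PublicZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $PublicZone `
        -MasterServers $DmzResolvers -ReplicationScope 'Forest'
}

# 3. Check the split: the internal name resolves through the internal
#    server but the DMZ resolver must return nothing for it. A non-empty
#    $outside means the public zone delegates or copies ad.utica.edu,
#    which is exactly the leak this layout is meant to avoid.
$internalName = 'fileserver.ad.utica.edu'
$inside  = Resolve-DnsName -Name $internalName -Type A -ErrorAction SilentlyContinue
$outside = Resolve-DnsName -Name $internalName -Type A -Server $DmzResolvers[0] -ErrorAction SilentlyContinue

if (-not $inside)  { Write-Warning "$internalName does not resolve internally; check the AD zone." }
if ($outside)      { Write-Warning "$internalName is visible from the DMZ resolver: $($outside.IPAddress -join ', ')" }
if ($inside -and -not $outside) { Write-Output "Split is correct: $internalName -> $($inside.IPAddress -join ', ') inside only." }
```

The same forwarder layout applies unchanged to the third option: with Utica.local as the AD zone, step 2 is identical and step 3 checks a .local name instead. What changes between the options is only whether the AD zone name is a child of the public zone, which is why option 1 is the only one that forces two copies of utica.edu to be maintained.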
