Educause Security Discussion mailing list archives
Re: It's all in a Domain Name
From: Kenneth Arnold <bkarnold () CBU EDU>
Date: Thu, 18 Mar 2010 09:04:06 -0500
If you plan to use the Active Directory server with Novell products you should be aware that SUSE Linux and possibly other Novell products handle domain names ending with .local differently than other domain names. They use a different protocol to communicate. If you are going to connect any Novell products to the Active Directory, make sure that you check with Novell before deciding on any name that ends with .local.
Consolvo, Corbett D wrote:
John,

I would recommend the third option (.local). I have been in that environment before (including providing remote access services) and I feel that provides the best security. We did not run into any major technical issues.

Corbett Consolvo
Texas State University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Kaftan
Sent: Thursday, March 18, 2010 8:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] It's all in a Domain Name

We are migrating to AD from Novell and are deciding on a domain name. We have been reading through Microsoft's KB articles and asking friends what is the best domain name for Utica College. One of our goals as a college is to become a university, so our name could change to Utica University or something similar. So far I have not found any document that makes it clear what the implications are in regards to a domain name. Microsoft seems to be mostly concerned with making sure the name is unique so we can merge with another organization easily, but I'd like to know if there is a major security reason to go one way over another. Here are the options as we see them. Our internet-facing domain name is Utica.edu.

Utica.edu
Pros: Simple, straightforward. Can easily survive a college name change. If we create branch campuses we could easily create a forest later, i.e. az.utica.edu for a branch campus in Arizona.
Cons: Have to maintain two split DNS zones for Utica.edu. One for the inside and another for the DMZ or internet-facing names.

Ad.utica.edu or main.utica.edu or Utica.utica.edu
Pros: Separate DNS zones for inside and internet names = can just forward inside DNS to DMZ DNS and only maintain the Utica.edu zone in one place.
Cons: Longer names internally when using FQDNs for servers. Possible issues with wildcard certificates.

Utica.lan or Utica.local
Pros: Separate DNS zones for inside and DMZ plus a short domain name.
Cons: Microsoft does not like it, but the only reason I can see is that it is possible for two companies to have the same domain name and not be able to merge easily. Possible issue with VPNs or Citrix Secure Gateway, but I was not able to get detail on that.

John Kaftan
Infrastructure Manager
Utica College
315.792.3102
-- Brother Kenneth Arnold Director of Network Systems Christian Brothers University Memphis, TN (901) 321-4333
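The three trade-offs the thread raises (split-brain DNS when the AD name equals the public zone, wildcard certificates not covering hosts one label deeper, and .local being claimed by Multicast DNS on Linux hosts) can be checked mechanically before a forest name is committed. The script below is an added example written for this archive page, not code from any poster; the candidate names, the `dc01` sample host and the list of private-use TLDs are constructed for illustration.

```python
"""Assess a candidate Active Directory forest name against the trade-offs
discussed in the thread. Added example; names below are constructed."""

# RFC 6762 reserves .local for Multicast DNS. Resolvers such as Avahi
# (shipped with SUSE Linux and other distributions) send .local lookups
# to mDNS rather than unicast DNS, which is the behaviour Kenneth Arnold
# warns about in the thread.
MDNS_TLD = "local"

# TLDs commonly used for internal naming that are not delegated in the
# public DNS tree. Constructed list for this example, not an authoritative
# registry; two organisations using the same one cannot be told apart.
UNDELEGATED_TLDS = {"lan", "local", "internal", "corp", "home"}


def _norm(name: str) -> str:
    """Lower-case a DNS name and strip any trailing dot."""
    return name.strip().lower().rstrip(".")


def needs_split_dns(ad_domain: str, public_domain: str) -> bool:
    """True when the forest name is the public zone itself, so the same
    zone must be served with different records inside and outside."""
    return _norm(ad_domain) == _norm(public_domain)


def wildcard_covers(wildcard: str, fqdn: str) -> bool:
    """RFC 6125 wildcard matching: '*' matches exactly one left-most label,
    so *.utica.edu covers dc01.utica.edu but not dc01.ad.utica.edu."""
    if not wildcard or not wildcard.startswith("*."):
        return False
    base = _norm(wildcard[2:])
    labels = _norm(fqdn).split(".")
    return len(labels) >= 2 and ".".join(labels[1:]) == base


def uses_mdns_tld(ad_domain: str) -> bool:
    """True when the name ends in .local and will collide with mDNS."""
    return _norm(ad_domain).split(".")[-1] == MDNS_TLD


def uses_undelegated_tld(ad_domain: str) -> bool:
    """True when the top-level label is not part of the public DNS."""
    return _norm(ad_domain).split(".")[-1] in UNDELEGATED_TLDS


def assess(ad_domain: str, public_domain: str, wildcard_cert: str) -> dict:
    """Summarise the consequences of one candidate forest name.

    ad_domain      - proposed AD DNS name (e.g. 'ad.utica.edu')
    public_domain  - the organisation's internet-facing zone
    wildcard_cert  - wildcard name on the certificate the DMZ already uses
    """
    sample_host = "dc01." + _norm(ad_domain)  # constructed sample hostname
    return {
        "split_dns": needs_split_dns(ad_domain, public_domain),
        "mdns_conflict": uses_mdns_tld(ad_domain),
        "undelegated_tld": uses_undelegated_tld(ad_domain),
        "wildcard_covers_hosts": wildcard_covers(wildcard_cert, sample_host),
    }


if __name__ == "__main__":
    # The three options from the original post, checked against the
    # existing public zone and a hypothetical *.utica.edu certificate.
    for candidate in ("utica.edu", "ad.utica.edu", "utica.local"):
        print(candidate, assess(candidate, "utica.edu", "*.utica.edu"))
```

Run as-is it prints one line per option: the first needs split-brain DNS but keeps wildcard coverage, the second avoids split DNS but loses wildcard coverage for hosts under `ad.`, and the third avoids both while colliding with mDNS and sitting on an undelegated TLD, which is exactly the set of trade-offs the posters describe.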
Current thread:
- It's all in a Domain Name John Kaftan (Mar 18)
- <Possible follow-ups>
- Re: It's all in a Domain Name Consolvo, Corbett D (Mar 18)
- Re: It's all in a Domain Name Matthew Gracie (Mar 18)
- Re: It's all in a Domain Name Valdis Kletnieks (Mar 18)
- Re: It's all in a Domain Name Kenneth Arnold (Mar 18)
- Re: It's all in a Domain Name Consolvo, Corbett D (Mar 18)
- Re: It's all in a Domain Name John Kristoff (Mar 18)
- Re: It's all in a Domain Name Michael Sinatra (Mar 18)