Re: It's all in a Domain Name

["Consolvo, Corbett D" <cc72 () TXSTATE EDU>]

Interesting, I've learned something new today - we had used a .int (for internal) extension in our domain, I seem to 
have chosen a bad example.  Good to know!
Corbett

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kenneth 
Arnold
Sent: Thursday, March 18, 2010 9:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] It's all in a Domain Name

If you plan to use the active directory server with Novell products you 
should be aware that SUSE Linux and possibly other Novell products 
handle domain names ending with .local differently than other domain 
names. They use a different protocol to communicate. If you are going to 
connect any Novell products to the active directory make sure than you 
check with Novell before deciding on any name that ends with .local.

Consolvo, Corbett D wrote:
> John,
>
> I would recommend the third option (.local). I have been in that 
> environment before (including providing remote access services) and I 
> feel that provides the best security. We did not run in to any major 
> technical issues.
>
> Corbett Consolvo
>
> Texas State University
>
> *From:* The EDUCAUSE Security Constituent Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *John Kaftan
> *Sent:* Thursday, March 18, 2010 8:05 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] It's all in a Domain Name
>
> We are migrating to AD from Novell and are deciding on a domain name. 
> We have been reading through Microsoft's KB articles and asking 
> friends what is the best domain name for Utica College. One of our 
> goals as a college is to become a university so our name could change 
> to Utica University or something simular. So far I have not found any 
> document that makes it clear what the implications are in regards to a 
> domain name. Microsoft seems to be mostly concerned with making sure 
> the name is unique so we can merge with another organization easily 
> but I'd like to know if there is a major security reason to go one way 
> over another. Here are the options as we see them. Our internet facing 
> domain name is Utica.edu.
>
> John Kaftan
>
> Infrastructure Manager
>
> Utica College
>
> 315.792.3102
>
> *Utica.edu*
>
> Pros:
>
> Simple straight forward. Can easily survive a college name change. If 
> we create branch campuses we could easily create a forest later, i.e. 
> az.utica.edu for an branch campus in Arizona.
>
> Cons:
>
> Have to maintain two split DNS zones for Utica.edu. One for the inside 
> and another for the DMZ or internet facing names.
>
> *Ad.utica.edu or main.utica.edu or Utica.utica.edu*
>
> Pros:
>
> Separate DNS zones for inside and internet names = can just forward 
> inside DNS to DMZ DNS and only maintain Utica.edu zone in one place.
>
> Cons:
>
> Longer names internally when using FQDN for servers. Possible issues 
> with wild card certificates.
>
> *Utica.lan or Utica.local*
>
> * *
>
> Pros:
>
> Separate DNS zones for inside and DMZ plus short domain name.
>
> Cons:
>
> Microsoft does not like it but the only reason I can see is because it 
> is possible for two companies to have the same domain name and not 
> being able to merge easily. Possible issue with VPNs or Citrix secure 
> Gateway but was not able to get detail on that.

-- 

Brother Kenneth Arnold
Director of Network Systems
Christian Brothers University
Memphis, TN
(901) 321-4333