Keeping Active Directory namespaces secure

One of the important issues to know about when designing your Active Directory infrastructure is how to properly lay out your namespace. This tip breaks down the process, with details on how to keep your network secure.

Keeping your network secure is always important. You can avoid common mistakes and some subtle vulnerabilities if you know the little pitfalls and gotchas before you start implementing your infrastructure. One of the first issues to settle when designing your Active Directory infrastructure is how to lay out your namespace.

The Active Directory namespace is directly tied to DNS. Every Active Directory domain is identified by a DNS name, and every domain controller publishes service-location (SRV) records in DNS so that clients can find it. Active Directory depends on those lookups for almost everything: locating a domain controller, Kerberos authentication, replication and Group Policy all begin with a DNS query.

The Internet relies on the same DNS protocol to resolve domain names to IP addresses and vice versa. Without it, finding resources or directing traffic on the Internet would be nearly impossible.

Because they are the same protocol, an organization's internal Active Directory zones and its public Internet zones can be hosted on the same DNS server. That practice is strongly discouraged: a server that answers both has nothing but its own configuration standing between internal records and Internet clients. The same similarity means that if you misconfigure your internal DNS and namespace, for example by allowing an internal zone to be transferred to, or served from, a public-facing server, you can hand Internet users a detailed map of your network: domain controller names, private addresses and the SRV records that identify every directory service.

What to do? First and foremost, never name an Active Directory domain with a name your organization, or anyone else, uses on the Internet. I would go further and avoid the public top-level domains (.com, .org, .edu and so on) anywhere in the internal namespace. By staying clear of Internet names you keep internal and public resolution from colliding, and a query for one of your internal names from outside the network has nowhere to go. A caveat that has become important since this tip was first published: an invented suffix such as .local is not permanently private either. New public top-level domains continue to be delegated, so a made-up suffix can later become a real one, and public certificate authorities no longer issue certificates for names that are not registered. A registered subdomain that is never published in external DNS, such as ad.example.com, gives the same separation from Internet names without those drawbacks.

While an internal Active Directory DNS namespace can use any top-level label you choose, Internet DNS resolves only the top-level domains delegated from the root. By keeping your internal names out of the public namespace, you eliminate a glaring vulnerability: a name that does not exist on the Internet cannot be resolved, or collided with, from there.
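
The two failure modes above, a name collision with public DNS and leakage of the Active Directory locator records, can be checked from any Windows workstation with Internet access. The following script is an added example and not part of the original tip; it assumes the built-in DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 or later), a public recursive resolver reachable on UDP/TCP 53 (1.1.1.1 by default, a chosen assumption), and that the function name Test-AdNamespaceExposure and the sample domains are illustrative.

```powershell
# Added example, not from the original article. Checks an internal Active
# Directory DNS name against the public Internet from the outside looking in:
#   1. Collision: is the name, or its top-level label, delegated in public DNS?
#   2. Leakage: are the AD locator (SRV) records answerable from a public
#      resolver? They should never be.
# Assumes the DnsClient module (Resolve-DnsName) and outbound DNS to the
# resolver given in -ExternalResolver (1.1.1.1 is an assumed default).
function Test-AdNamespaceExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Domain,       # e.g. corp.example.com (assumed name)
        [string] $ExternalResolver = '1.1.1.1'         # any public recursive resolver
    )

    # Query only the public resolver; NXDOMAIN, NODATA and timeouts all
    # surface as terminating errors, which we treat as "no answer".
    function Query([string] $Name, [string] $Type) {
        try {
            Resolve-DnsName -Name $Name -Type $Type -Server $ExternalResolver `
                -DnsOnly -NoHostsFile -ErrorAction Stop |
                Where-Object { $_.Type -eq $Type }
        } catch {
            @()
        }
    }

    $fqdn = $Domain.TrimEnd('.')
    $tld  = ($fqdn -split '\.')[-1]

    # Records every AD domain registers; _msdcs is the first thing an
    # attacker enumerates because it names every domain controller.
    $locatorNames = @(
        "_ldap._tcp.dc._msdcs.$fqdn",
        "_kerberos._tcp.$fqdn",
        "_ldap._tcp.$fqdn",
        "_gc._tcp.$fqdn"
    )

    $result = [ordered]@{
        Domain           = $fqdn
        # Trailing dot keeps the single label from having a DNS suffix appended.
        TldIsPublic      = @(Query "$tld." 'NS').Count -gt 0
        ApexIsPublic     = (@(Query $fqdn 'A').Count -gt 0) -or (@(Query $fqdn 'SOA').Count -gt 0)
        LeakedSrvRecords = @()
    }

    foreach ($name in $locatorNames) {
        $srv = @(Query $name 'SRV')
        if ($srv.Count -gt 0) {
            $result.LeakedSrvRecords += $srv | ForEach-Object {
                "$name -> $($_.NameTarget):$($_.Port)"
            }
        }
    }

    $result.Verdict = if ($result.LeakedSrvRecords.Count -gt 0) {
        'LEAK: AD locator records are visible from the Internet'
    } elseif ($result.ApexIsPublic) {
        'COLLISION: the AD domain name is also a live Internet name (split-brain DNS required)'
    } elseif ($result.TldIsPublic) {
        'WARNING: the suffix is a delegated Internet TLD; a later registration can collide'
    } else {
        'OK: the name is not reachable from public DNS'
    }
    [pscustomobject]$result
}

# Usage (sample domains are assumptions, not names from the article):
# Test-AdNamespaceExposure -Domain corp.example.com
# Test-AdNamespaceExposure -Domain ad.internal -ExternalResolver 8.8.8.8
```

Run it from a machine that can reach the chosen public resolver; the output depends entirely on what that resolver can see, which is the point. A LEAK verdict means your internal zone, or a copy of it, is being served to the Internet and should be pulled back behind the firewall before anything else; a COLLISION verdict means internal clients will need split-brain DNS for the life of the forest, which is exactly the maintenance burden this tip is steering you away from.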


James Michael Stewart is a partner and researcher for Itinfopros, a technology-focused writing and training organization.


This was first published in February 2003
