Keeping your network secure is always important. You can avoid common mistakes and some subtle vulnerabilities if you know all the little pitfalls and gotchas before you start implementing your infrastructure. One of the important issues to understand when first designing your Active Directory infrastructure is how to lay out your namespace.
The Active Directory namespace is directly related to DNS. In fact, each Active Directory domain is granted a DNS name. Active Directory relies heavily on DNS to manage traffic, security and much more.
The Internet also relies heavily on DNS which is used there to resolve domain names into IP addresses and vice versa. Without DNS it would be nearly impossible to find resources or even properly direct traffic on the Internet.
The DNS systems of Active Directory and the Internet are so similar they can be deployed on the same DNS server, although this practice is highly discouraged. In fact, they are so similar that if you misconfigure your internal private DNS and namespace, you might wind up granting Internet users easy access to your network.
What to do? First and foremost, always avoid naming your Active Directory domains with the same names that your organization, or any other, uses on the Internet. I would also avoid using Internet top-level domain names, such as .com, .org and .edu, within your internal namespace. By purposely avoiding Internet names, you will prevent easy intrusion into
While an Active Directory DNS namespace can support any top-level domain name, Internet DNS cannot. Therefore, by avoiding Internet DNS names, you can eliminate a glaring vulnerability.
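The two naming rules above (do not reuse your organization's Internet domain, and do not end the internal namespace in a public top-level domain) can be turned into a small planning-time lint that runs before the first domain controller is promoted. The following is an added example written for this article, not code from the author or from Microsoft. It assumes a hypothetical function name `lint_ad_namespace`, a constructed subset of public TLDs (a real check would load the current IANA root zone list), and constructed sample organization domains. It goes slightly beyond the text by also flagging a proposed name that is a subdomain of the organization's Internet domain, and by checking basic DNS label syntax.

```python
"""Lint a proposed Active Directory DNS namespace against the pitfalls the
article describes: reusing the organization's Internet domain name, or ending
the internal namespace in a public (Internet) top-level domain.

Added example, not part of the original article. PUBLIC_TLDS is a constructed
subset for illustration only.
"""
from __future__ import annotations

import re

# Constructed subset of public Internet top-level domains (not exhaustive).
PUBLIC_TLDS = {"com", "org", "net", "edu", "gov", "mil", "int", "info", "biz"}

# RFC 1035-style label: 1-63 chars of letters, digits or hyphen, and no
# leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def split_labels(name: str) -> list[str]:
    """Normalize an FQDN to lowercase labels, dropping any trailing dot."""
    return [lbl for lbl in name.strip().lower().rstrip(".").split(".") if lbl]


def lint_ad_namespace(proposed: str, public_domains: set[str]) -> list[str]:
    """Return a list of findings for a proposed AD DNS name.

    An empty list means the name passes every check in this example.
    `public_domains` holds the DNS names the organization uses on the Internet.
    """
    findings: list[str] = []
    labels = split_labels(proposed)
    if not labels:
        return ["empty name"]

    # Structural checks: AD domain names should be multi-label, and every
    # label must be a syntactically valid DNS label.
    if len(labels) < 2:
        findings.append("single-label name: an Active Directory domain name should have at least two labels")
    for label in labels:
        if not LABEL_RE.match(label):
            findings.append(f"label '{label}' is not a valid DNS label")
    if len(".".join(labels)) > 253:
        findings.append("name exceeds the 253-character DNS limit")

    # Rule 1 from the article: do not end the internal namespace in a public TLD.
    tld = labels[-1]
    if tld in PUBLIC_TLDS:
        findings.append(f"top-level domain '.{tld}' is an Internet TLD; keep the internal namespace off public TLDs")

    # Rule 2 from the article: do not reuse a name the organization uses on the
    # Internet. The subdomain check is a generalization of that rule.
    normalized = ".".join(labels)
    for pub in public_domains:
        pub_labels = split_labels(pub)
        if not pub_labels:
            continue
        pub_name = ".".join(pub_labels)
        if normalized == pub_name:
            findings.append(f"name is identical to the organization's Internet domain '{pub_name}'")
        elif labels[-len(pub_labels):] == pub_labels:
            findings.append(f"name is a subdomain of the organization's Internet domain '{pub_name}'")
    return findings


if __name__ == "__main__":
    # Constructed sample: the organization's public presence is example.com.
    org_public = {"example.com"}
    for candidate in ("corp.example.com", "example.com", "corp.internal", "-bad.internal"):
        print(candidate, "->", lint_ad_namespace(candidate, org_public) or ["ok"])
```

Run it with the proposed forest root name and the list of domains your organization has registered; any finding is a reason to revisit the name before the first domain controller is built, since renaming an Active Directory domain later is far more work than choosing correctly up front.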
James Michael Stewart is a partner and researcher for Itinfopros, a technology-focused writing and training organization.
This was first published in February 2003