Domain Controller using sub domain while hosting provider does main DNS

Tags: domain-controller, domain-name-system, subdomain, windows-server-2012-r2

I'm trying to set up a Domain Controller on Windows Server 2012 R2. I read that best practices are to not use a made-up TLD (such as .local, .lan, etc.), but to use something that you actually own (say mysite.com). I registered a domain through namecheap.com, and they do the mail hosting and DNS. I don't have a static IP address (it rarely changes, but it is possible). I would like to continue using them for the DNS (I only have a couple of records, @ and www, but may add a couple more in the future). I use a tool that updates the DNS with them if my IP address changes. I decided I'll make the root of my Domain Controller dc.mysite.com.

Do people normally have something like AD.mysite.com or DC.mysite.com in their DNS that is public facing? I would prefer to have it resolve to 192.168.1.x instead of the Internet facing IP.

It seems like I need to delegate to a subdomain for the Domain Controller. The DNS role would be installed on the same server. It would only be for the Domain Controller. I would like to create a subdomain locally (only intranet facing) without involving my DNS provider (namecheap.com) – is this possible? I'd prefer to keep it intranet only and let the queries for @ and www pass through and let namecheap.com DNS be authoritative for it.

Best Answer

Unless you are going to offer Active Directory-related services to machines using public DNS resolvers (which is ill-advised, because AD's security posture wasn't designed to be exposed directly to the public Internet), you don't need to expose your AD DNS namespace to the Internet. Typically all your domain member computers (including the Domain Controller (DC) computers) should use DNS servers running on DCs in your Forest. These servers would typically be firewalled from the Internet.

What you're saying in your last paragraph is more-or-less correct. When you say "...and let the queries for @ and www pass through..." that seems to imply that you think you have to do something. Assuming you don't create a "mysite.com" zone in your DC's DNS configuration, the DNS Server service will automatically recursively resolve any domains it isn't authoritative for.
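As an added example (not part of the original question or answer), the following PowerShell script checks, on the DC itself, that the setup described above holds: the dc.mysite.com zone exists locally and is AD-integrated, no mysite.com zone shadows the registrar's records, recursion is enabled so @ and www still resolve through the DC, and the DC's own name comes back with its intranet address. The DC address 192.168.1.10 and the upstream resolver 192.168.1.1 are assumed values; the script uses only the built-in DnsServer and DnsClient cmdlets.

```powershell
# Added verification script. Assumes the forest was created as dc.mysite.com with the
# DNS Server role on the same machine (e.g. Install-ADDSForest -DomainName dc.mysite.com -InstallDns).
$AdZone     = 'dc.mysite.com'   # AD DNS namespace chosen in the question
$PublicZone = 'mysite.com'      # stays authoritative at the registrar's DNS (namecheap)
$DcAddress  = '192.168.1.10'    # assumed intranet address of the DC
$Forwarder  = '192.168.1.1'     # assumed upstream resolver (router or ISP); optional

# 1. The AD zone must exist locally. AD-integrated zones are stored in the directory,
#    so only DCs host them and dynamic updates can be restricted to domain members.
$zone = Get-DnsServerZone -Name $AdZone -ErrorAction Stop
if (-not $zone.IsDsIntegrated) {
    Write-Warning "$AdZone is a file-backed zone; AD-integrated (secure updates only) is the usual choice."
}

# 2. There must be NO local zone for the parent domain. If one exists, the DC answers
#    authoritatively for mysite.com and @/www lookups from members never reach namecheap.
if (Get-DnsServerZone -Name $PublicZone -ErrorAction SilentlyContinue) {
    Write-Warning "A local '$PublicZone' zone exists and will shadow the public records. Remove it unless split-brain DNS is intended."
}

# 3. Names the DC is not authoritative for are resolved by recursion (root hints), or via
#    forwarders if configured. Either way recursion must stay enabled on this server.
if (-not (Get-DnsServerRecursion).Enable) {
    throw "Recursion is disabled; domain members could not resolve $PublicZone through this DC."
}
# Optional: send non-authoritative queries upstream, falling back to root hints if it is down.
Set-DnsServerForwarder -IPAddress $Forwarder -UseRootHint $true

# 4. Prove the split: the DC's own record answers with the RFC 1918 address from the local
#    zone, while www.mysite.com is whatever the registrar currently publishes.
$dcRecord  = Resolve-DnsName -Name "$env:COMPUTERNAME.$AdZone" -Server $DcAddress -Type A
$wwwRecord = Resolve-DnsName -Name "www.$PublicZone" -Server $DcAddress -Type A
if ($dcRecord.IPAddress -notlike '192.168.*') {
    Write-Warning "DC name resolved to $($dcRecord.IPAddress); expected an intranet address."
}
"$($dcRecord.Name) -> $($dcRecord.IPAddress)   (local AD zone)"
"$($wwwRecord.Name) -> $($wwwRecord.IPAddress)   (recursed to public DNS)"
```

Domain members should then point only at the DC (or other DCs) for DNS; the registrar's servers are never listed on clients, and nothing outside the intranet needs to reach port 53 on the DC.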
