This has been a fun topic of discussion on Server Fault. There appear to be varying "religious views" on the topic.
I agree with Microsoft's recommendation: Use a sub-domain of the company's already-registered Internet domain name.
So, if you own foo.com
, use ad.foo.com
or some such.
The most vile thing, as I see it, is using the registered Internet domain name, verbatim, for the Active Directory domain name. This causes you to be forced to manually copy records from the Internet DNS (like www
) into the Active Directory DNS zone to allow "external" names to resolve. I've seen utterly silly things like IIS installed on every DC in an organization running a web site that does a redirect such that someone entering foo.com
into their browser would be redirected to www.foo.com
by these IIS installations. Utter silliness!
Using the Internet domain name gains you no advantages, but creates "make work" every time you change the IP addresses that external host names refer to. (Try using geographically load-balanced DNS for the external hosts and integrating that with such a "split DNS" situation, too! Gee-- that would be fun...)
Using such a subdomain has no effect on things like Exchange email delivery or User Principal Name (UPN) suffixes, BTW. (I often see those both cited as excuses for using the Internet domain name as the AD domain name.)
I also see the excuse "lots of big companies do it". Large companies can make boneheaded decisions as easily (if not moreso) than small companies. I don't buy that just because a large company makes a bad decision that somehow causes it to be a good decision.
I did a four part blog post for set up of Mercurial on IIS with Active Directory authentication and using hgwebdir.cgi for push authorization. It goes over the whole process of:
- Setting up Mercurial's hg web interface on IIS.
- Setting up the IIS authentication for Mercurial so that only users authorized by the active directory (i.e. security groups/users) can view/access the repositories either via the hg web interface or through the file system.
- Configuring Active Directory authentication for Mercurial users, so only authorized users can see/access the repositories they have access to.
- Configuring hgwebdir.cgi via hgweb.config to set push authorization for specified users to repositories.
- Hiding hgwebdir.cgi using Helicon's ISAPI Rewrite in your repository's URL.
- Customizing the style/feel of the hg web user interface to your own taste.
http://www.endswithsaurus.com/2010/05/setting-up-and-configuring-mercurial-in.html
I hope it's useful to people...
Best Answer
Yes, I think that you can use the IIS Shell. I'm not sure, though.
You may want to take a look at this: http://technet.microsoft.com/en-us/library/cc778815(WS.10).aspx
To quote the site: