Active Directory domain naming issues for MSU
(Discussion document)

One of the primary issues to consider when setting up an Active Directory server for units at MSU is the choice of the top-level domain for the Active Directory. Once this choice is made and implemented, it is difficult to change. [Question: Do more recent versions of Windows facilitate this change? Windows Server 2003 adds a supported domain rename procedure (the rendom tool), but it is a multi-step, forest-wide operation with restrictions, so the name should still be chosen as if it were permanent.]
There are several choices for naming this domain, each with different pros/cons:
- Internal name
Define an internal domain name that is not tied to the Internet DNS (i.e., does not end in msu.edu). An example would be dept.internal, where dept is your department name or code. This approach keeps the Active Directory DNS data private: the records that every domain controller publishes (the _ldap, _kerberos and _kpasswd SRV records, the _msdcs and _sites sub-trees, and the domain controller host addresses) exist only on your own DNS server and are never visible to the Internet. Two cautions apply: avoid the .local suffix, which collides with multicast DNS (Bonjour/mDNS) on Macintosh and Unix clients, and pick a suffix that can never be delegated in the public DNS, since a later public delegation of the same suffix would collide with your internal names.
This approach is recommended in most cases.
This approach also requires that the client computers use your AD DNS server as their configured DNS server, since no other server knows the internal zone. Your server will still resolve names outside your zone on the clients' behalf, by forwarding to (or recursing through) other name servers, including the central campus servers for names ending in msu.edu.
- Sub-domain under the special domain ad.msu.edu
If your department is coordinating Windows-based services with Administrative Information Services or Academic Computing and Network Services, you may need to establish your domain as dept.ad.msu.edu. This will allow your domain to interact with the other domains established by AIS or ACNS under the ad.msu.edu domain, which share that DNS tree. Contact admin@ad.msu.edu for more details on this approach.
- Sub-domain under existing unit domain
Define a domain name under your existing department domain, e.g. ad.dept.msu.edu, delegated from dept.msu.edu to your AD DNS server. This approach makes the names more accessible: the central campus DNS servers (and others off-campus) can resolve the DNS data as needed, which also means the domain controller locator records and host addresses are visible from the Internet at large. Use this approach only where there is a good justification for connecting the Active Directory domain to the Internet at large.
- Top-level unit domain
Use your existing departmental domain (dept.msu.edu). This approach requires that your Active Directory DNS server also be configured with all existing DNS names for your department (e.g. static IPs, Web and mail servers, printers, etc.), since it becomes the primary server for the whole zone. Your server would also be required to allow zone transfers (secondary/slave access) of the DNS data to the central campus DNS servers, but you would not have to provide your own secondary server. Because the Active Directory records live in the same zone, they are transferred to the campus servers and are visible wherever the zone is served; restrict zone transfers to the campus secondaries rather than allowing them to any requester. The MSU Hostmaster would verify the configuration and correctness of the data before linking your server to the campus DNS.
This approach allows a unit to maintain more immediate control over all DNS data for the unit. It also increases the need to maintain a reliable and accurate DNS service.
Note that the top-level unit domain can be delegated to DNS servers within a unit which are not part of the Active Directory domain. One of the previous approaches would then be used for the Active Directory domain itself.
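The following is an added worked example, not part of the original MSU document: given a candidate Active Directory domain name, it maps the name onto the four options above, derives the DNS records a domain controller will publish under that name (the real exposure surface each option hides or reveals), and sanity-checks the name for the problems noted above. It contacts no DNS server. The campus suffix msu.edu, the central parent ad.msu.edu and the site name are taken from the document or assumed; the forest-root records are listed on the assumption that a new unit domain is its own forest root.

```python
"""Check a candidate AD domain name against the naming options above.

Added illustration, not part of the MSU document. Performs no DNS queries.
Assumed values: CAMPUS, CAMPUS_AD_ROOT (from the document), DEFAULT_SITE.
"""
import re

CAMPUS = "msu.edu"                         # assumed: campus public DNS domain
CAMPUS_AD_ROOT = "ad.msu.edu"              # central AD parent domain (document)
DEFAULT_SITE = "Default-First-Site-Name"   # AD's default site name

# Names every domain controller registers by dynamic update. Anyone who can
# resolve these learns the DC hostnames and addresses, the site layout, and
# that LDAP/Kerberos are offered there. Forest-root-only records are included
# on the assumption that the unit domain is its own forest root.
DC_RECORD_TEMPLATES = (
    "_ldap._tcp.{domain}",
    "_ldap._tcp.{site}._sites.{domain}",
    "_ldap._tcp.dc._msdcs.{domain}",
    "_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
    "_ldap._tcp.pdc._msdcs.{domain}",
    "_kerberos._tcp.{domain}",
    "_kerberos._udp.{domain}",
    "_kerberos._tcp.dc._msdcs.{domain}",
    "_kerberos._tcp.{site}._sites.{domain}",
    "_kpasswd._tcp.{domain}",
    "_kpasswd._udp.{domain}",
    "_gc._tcp.{domain}",                   # forest root only
    "_ldap._tcp.gc._msdcs.{domain}",       # forest root only
)

LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")  # RFC 1123 label


def _norm(name):
    return name.strip().lower().rstrip(".")


def naming_option(ad_domain):
    """Map a candidate name onto the four options discussed above."""
    d = _norm(ad_domain)
    if d.endswith("." + CAMPUS_AD_ROOT):
        return "central-ad-subdomain"          # dept.ad.msu.edu
    if d.endswith("." + CAMPUS):
        unit_part = d[: -len("." + CAMPUS)]
        return "unit-domain" if "." not in unit_part else "unit-subdomain"
    return "internal"                          # dept.internal


def internet_visible(option):
    """True where the document says the zone reaches campus/off-campus DNS;
    None for the central AD tree, where the document does not say."""
    return {"internal": False, "unit-subdomain": True,
            "unit-domain": True, "central-ad-subdomain": None}[option]


def dc_records(ad_domain, site=DEFAULT_SITE):
    """DNS names a DC publishes under this domain (what each option exposes)."""
    d = _norm(ad_domain)
    return [t.format(domain=d, site=site) for t in DC_RECORD_TEMPLATES]


def name_warnings(ad_domain):
    """Problems with the name itself, independent of which option it falls under."""
    d = _norm(ad_domain)
    labels = d.split(".")
    warns = []
    if len(labels) < 2:
        warns.append("single-label domain: Microsoft does not recommend it; "
                     "name resolution and DC registration need extra configuration")
    for lab in labels:
        if not LABEL_RE.match(lab):
            warns.append(f"label {lab!r} is not a valid hostname label "
                         "(letters, digits, hyphens only)")
    if len(labels[0]) > 15:
        warns.append(f"leftmost label {labels[0]!r} exceeds 15 characters; "
                     "the default NetBIOS domain name will be truncated")
    if labels[-1] == "local":
        warns.append(".local collides with multicast DNS (mDNS/Bonjour) resolvers")
    elif naming_option(d) == "internal":
        warns.append(f"suffix .{labels[-1]} is outside {CAMPUS}: clients must use "
                     "the AD DNS server, and the suffix must never be delegated "
                     "in public DNS or the names will collide")
    return warns


def report(ad_domain, site=DEFAULT_SITE):
    opt = naming_option(ad_domain)
    return {"domain": _norm(ad_domain), "option": opt,
            "internet_visible": internet_visible(opt),
            "dc_records": dc_records(ad_domain, site),
            "warnings": name_warnings(ad_domain)}


if __name__ == "__main__":
    for cand in ("dept.internal", "dept.ad.msu.edu", "ad.dept.msu.edu",
                 "dept.msu.edu", "dept.local"):
        r = report(cand)
        print(f"{r['domain']}: option={r['option']} "
              f"internet_visible={r['internet_visible']}")
        for w in r["warnings"]:
            print("  warning:", w)
        print("  first DC record:", r["dc_records"][0])
```

Run it with the unit's real candidate names before the domain is created; the dc_records list is also the set of names to test from an off-campus resolver after deployment to confirm that an internal-name or central-tree choice is in fact not answering to the Internet.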
Management of IP addresses and host names at MSU
Last modified: 02-Apr-2004
Doug Nelson, Network Manager, Academic Computing and Network Services, Michigan State University
nelson@msu.edu | Ph: (517) 353-2980 | http://www.msu.edu/~nelson/