Must the root domain name be registered when creating a new forest in Active Directory?


The name of an Active Directory domain is only for internal usage, thus you could name it anything you want; however, in an Active Directory environment, the domain name also acts as the DNS suffix for all computers in the domain, and the domain controllers act as internal DNS servers which are (or at least behave as if they were) authoritative for that DNS domain.

What this means is, if the AD domain name conflicts with an actual domain name that exists on the Internet, all DNS queries for that domain would be answered by your DCs, and not by the actual Internet DNS servers which manage it. In your case, if you name your domain "microsoft.com", then you would have all sorts of problems when trying to connect to Microsoft sites or services, because you wouldn't be able to query the public DNS servers for that domain (as your internal DNS servers would believe they rightfully own it).

Incidentally, the same is true if you use your real public DNS domain as your Active Directory domain: things are of course a lot simpler because you actually own them both, but this still requires you to maintain two distinct DNS setups for the same domain, one for the Internet and one for your internal network.

As a best practice, you should use a subdomain of your public DNS domain as your AD domain name; if e.g. your public domain is "domain.com", you could use "internal.domain.com" or "ad.domain.com" or whatever, as long as it's a valid subdomain; this will ensure no conflicts and a lot less headaches.

You should, anyway, not use any domain name you don't actually own, even if it's not currently active (because it still could be registered later by someone other than you, and headaches would ensue).
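The DNS behaviour the answer describes, modelled as an added example (constructed for this page; it is not code from the original post, from Aaron or Massimo, or from Microsoft). The `InternalDns` class stands in for a DC-hosted DNS server that is authoritative for the AD zone and forwards everything else; `classify_forest_root` applies the naming rules from the answer to a candidate forest root name. The domain `example.com`, the record data and the addresses are all assumed, constructed values.

```python
"""Model of AD-integrated DNS resolution and a forest root name check.

Constructed example: example.com is assumed to be the organisation's own
public domain; all addresses are documentation/private ranges, not real hosts.
"""
from __future__ import annotations

from dataclasses import dataclass

OWNED_PUBLIC_DOMAINS = {"example.com"}  # assumption: what the organisation owns


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def _is_valid_dns_name(name: str) -> bool:
    """Hostname-style validity: 1-63 char labels, letters/digits/hyphen only."""
    labels = _labels(name)
    if not labels or len(name) > 253:
        return False
    for label in labels:
        if not 1 <= len(label) <= 63 or label[0] == "-" or label[-1] == "-":
            return False
        if not all(c.isalnum() or c == "-" for c in label):
            return False
    return True


def _is_subdomain_of(name: str, parent: str) -> bool:
    n, p = _labels(name), _labels(parent)
    return len(n) > len(p) and n[-len(p):] == p


def classify_forest_root(candidate: str, owned: set[str] = OWNED_PUBLIC_DOMAINS) -> str:
    """Return 'invalid', 'ok' (subdomain of an owned domain), 'split-brain'
    (identical to an owned public domain) or 'unowned' (anything else)."""
    if not _is_valid_dns_name(candidate):
        return "invalid"
    cand = ".".join(_labels(candidate))
    owned_norm = {".".join(_labels(o)) for o in owned}
    if cand in owned_norm:
        return "split-brain"  # works, but two zones with the same name to maintain
    if any(_is_subdomain_of(cand, o) for o in owned_norm):
        return "ok"           # e.g. ad.example.com under example.com
    return "unowned"          # microsoft.com, or any name you do not control


@dataclass
class InternalDns:
    """DC-hosted DNS: authoritative for the AD zone, forwards everything else."""
    ad_zone: str
    zone_records: dict[str, str]  # names inside the AD zone that the DCs know
    forwarder: dict[str, str]     # stand-in for the public Internet DNS

    def resolve(self, name: str) -> str:
        n = ".".join(_labels(name))
        zone = ".".join(_labels(self.ad_zone))
        if n == zone or _is_subdomain_of(n, zone):
            # Authoritative for this zone: answer locally and never forward,
            # even if the record only exists on the Internet.
            return self.zone_records.get(n, "NXDOMAIN")
        return self.forwarder.get(n, "NXDOMAIN")


# Constructed stand-in for Internet DNS (TEST-NET addresses).
PUBLIC_DNS = {"www.microsoft.com": "203.0.113.10", "www.example.com": "198.51.100.20"}
DC_IP = "10.0.0.5"  # assumed address of the domain controller


def demo() -> dict[str, str]:
    # 1. Forest named "microsoft.com": the DCs become authoritative for it, so a
    #    lookup of www.microsoft.com stops at the DC instead of reaching the Internet.
    hijack = InternalDns("microsoft.com",
                         {"microsoft.com": DC_IP, "dc1.microsoft.com": DC_IP}, PUBLIC_DNS)
    # 2. Forest named after the real public domain: internal clients cannot see
    #    www.example.com until that record is copied into the internal zone by hand.
    split = InternalDns("example.com",
                        {"example.com": DC_IP, "dc1.example.com": DC_IP}, PUBLIC_DNS)
    # 3. Forest named as a subdomain: AD names resolve internally, the public
    #    site is still reached through the forwarder.
    sub = InternalDns("ad.example.com",
                      {"ad.example.com": DC_IP, "dc1.ad.example.com": DC_IP}, PUBLIC_DNS)
    return {
        "hijack": hijack.resolve("www.microsoft.com"),      # NXDOMAIN
        "split_brain": split.resolve("www.example.com"),     # NXDOMAIN
        "subdomain_public": sub.resolve("www.example.com"),  # 198.51.100.20
        "subdomain_dc": sub.resolve("dc1.ad.example.com"),   # 10.0.0.5
    }


if __name__ == "__main__":
    for name in ("ad.example.com", "example.com", "microsoft.com", "bad_name.example.com"):
        print(f"{name:>22}: {classify_forest_root(name)}")
    print(demo())
```

The model deliberately omits conditional forwarders and stub zones; on a real DC you would confirm which zones it is authoritative for (and hence which Internet names it will shadow) by listing the server's zones rather than trusting the forest name alone.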


Author: Aaron
Updated on September 18, 2022

Comments

  • Aaron
    Aaron over 1 year

    When creating a new forest in Active Directory on my domain controller running Windows Server 2012 R2, I was prompted to specify a root domain name. Must the domain name be registered and owned by me? What would happen if I enter a domain registered and owned by other people like microsoft.com? Later on when I try to add a Windows computer to this domain, will it go out onto the internet and search for microsoft.com or would it search only in its subnet (my domain controller)? Would it be safe/preferable to just enter a domain that is owned like microsoft.com?

  • Massimo
    Massimo almost 9 years
    An Active Directory domain is managed by Domain Controllers, which should never be directly exposed on the Internet (that would be a massive security hole). Consequently, yes, only computers that are physically connected to your network or using a VPN connection can join the domain and talk to other domain computers.
  • Aaron
    Aaron almost 9 years
    Let's say I have a simple network that looks like this: Internet --> Router --> Domain Controller --> PCs. The DC only runs AD, DHCP & DNS. In this case, is my domain controller exposed on the internet? Is the only way of protecting my domain controller from the internet not having a physical connection to the internet or a firewall, or is it settings inside Windows Server?
  • Massimo
    Massimo almost 9 years
    It depends on your network setup; usually, a router performs NAT for your internal network, thus your computers are unreachable from the outside unless you explicitly publish something. However, this is getting quickly out of scope, and it's better suited for a different question.
  • Aaron
    Aaron almost 9 years
    The NAT part answered my question. Thank you so much for your help, I really appreciate it!