Pros and Cons of using internal or external domain name for Active Directory

I've built and supported dozens of Active Directory forests over the last decade from building 10-user SBS servers to taking over management of 6,000 user forest with 50+ DC's and redesigning the whole thing. I can say I see no reason to NOT use your .com Internet domain name for the AD forest name if you plan properly. Microsoft stopped recommending using .local domain years back due to Bonjour incompatiblities with older Mac OS X versions, and for the reasons you're citing. The idea from Win2000 days to make a "memberless" root domain with your main domain being a sub-domain is also out the window due to better tools and management now.

Reasons to do "split-brain" DNS with Internet and AD domain's being the same:

  1. Best reason: URL's for web apps are same inside and out for users (recommend adding your internal domain name to IE intranet security zone through GPO)
  2. option to easily make logon's and email address the same (NT4 way of logon is domain\user but in modern windows it also takes [email protected])
  3. OCS/Lync SIP address same as email and login
  4. You can use your public certs for internal servers rather then your private CA


  1. split-tunnel VPN's The complexity comes into play when client computers outside your network need to decide to use either the public IP for or the internal one. Often companies (in order to be cheap and save bandwidth) setup client Windows VPN settings for split-tunnel which tells Windows to only send traffic to intranet that is destined for internal names/IPs. When DNS can resolve the same names inside and outside the network, which should it choose to use? Windows will give you mixed results for which DNS records (private or public) to use for the client. My recommendation: don't allow split-tunneling in client VPN's.