Although the DNS is defined by RFCs, domain naming for private networks is not defined in the manner that IP addressing is defined. During Setup of Small Business Server, the user is prompted to enter the fully qualified domain name (FQDN) of the Small Business Server domain. At this point during Setup, Small Business Server requires the following:
- A local FQDN that Microsoft Windows 2000 DNS or Microsoft Windows Server 2003 DNS can use for local name resolution on the private Small Business Server network.
- A network basic input/output system (NetBIOS) domain name for compatibility with NetBIOS-based programs and client computers.
- Make the name a private domain name that is used for name resolution on the internal Small Business Server network. This name is usually configured with the first-level domain of .local. At the present time, the .local domain name is not registered on the Internet.
- Make the name a sub-domain of a publicly registered domain name. For example, if the publicly registered domain name is Contoso.com, a sub-domain of Corp.contoso.com can be used.
- Make the name the same as a publicly registered domain name.
- The management of the local namespace is controlled by the Small Business Server Server. When you use a private FQDN for local DNS name resolution, the DNS server becomes the start of authority for the local domain. This result means that a query to external DNS root servers is not required for local resource name resolution.
- The security may be increased for your DNS server by not enabling zone transfers by means of the zone transfer properties of the forward lookup zone. Because dynamic registration of internal hosts can occur with the DNS server, if you disable the zone transfers from external clients, you can limit the exposure of internal host names to the Internet.
- The natural separation of internal and external networks occurs because of the use of a separate internal namespace. A client query generated from the Internet for www.contoso.local does not return any valid domain information because .local, at the present time, is not a registered domain name. However, by using the Web Publishing rules in Internet Security and Acceleration (ISA) Server, internal Web sites can be hosted externally and viewed by using resolvable domain names. This hosting still requires a registered domain name as well as the appropriate public DNS records that resolve to the external IP address of Small Business Server. Refer to "Configuring Publishing" in ISA Server Help for more information about Web Publishing rules.
- Internal clients may be able to resolve resources on the internal domain, however, queries to external resources of the domain are not resolved by the DNS server. For example, if the internal network namespace is configured by using the publicly registered domain name of Contoso.com, only resources that have "A" (Host) records in the forward lookup zone for Contoso.com are available to local clients. This behavior can pose a problem if Contoso.com hosts resources, such as, a web server by means of an external provider or Internet service provider (ISP). Any queries from internal clients to www.contoso.com are resolved as a negative query by the local DNS server because the "A" record for "www" does not exist in the forward lookup zone for Contoso.com. For clients to access external resources, "A" records must be added to the forward lookup zone of the DNS server for those resources.
- The use of a publicly registered sub-domain name can pose the same problems as described for a publicly registered domain name. If at any time, the start of authority for the registered domain (Contoso.com, in this example) adds records for sub-domains, the currently configured private sub-domain may become public.
The use of a separate and private DNS namespace for Small Business Server is consistent with the recommendations in the following Microsoft Knowledge Base article:
Article ID: 296250 - Last Review: Dec 2, 2007 - Revision: 1