Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Best Practices for Active Directory Domain Naming


When creating a new Active Directory domain, the choice of domain name matters regardless of whether you are a new or an experienced administrator. This article discusses three options for the domain name: Option 1, a valid Top Level Domain (TLD) registered to your company; Option 2, a subdomain of a valid TLD registered to your company; and Option 3, a non-TLD name. The sections below refer to these as Option 1, Option 2 and Option 3. Examples of each option are provided.

Active Directory Basic Domain Naming Conventions

The first domain controller promoted for an Active Directory creates both the first domain and the organization's security boundary, known as the forest. Further domains can be added to the forest to improve replication within it. A forest can consist of a single domain or of several trees, each with subdomains. When setting up the first domain and forest, the administrator chooses its name, a decision with long-term consequences for the organization. The NetBIOS name, which does not have to match the DNS domain name, is also defined during the Active Directory deployment process. For example, the domain ad.patricio.ca could be given the NetBIOS name “Corporate” if desired.

Domain Registration

Regardless of the option the administrator chooses, it is essential to register the public domain under the company’s name. This is the first and most important step in establishing a strong foundation for the company’s environment. Given the size and potential growth of the company, the Active Directory infrastructure should be planned with future expansion in mind. For instance, if a company like Patricio Enterprises operates solely in Canada but plans to have offices worldwide, it may be beneficial to purchase public domains for all those countries. Additionally, it is recommended to designate one domain, such as the .com, as the default domain.

Public Certificates

Public Certification Authorities only issue certificates for names under a registered Top-Level Domain (TLD); they do not accept non-TLD names or NetBIOS names on their certificates. This means that network administrators working with Exchange Server have to use split-brain DNS: a DNS zone with the same name as the public DNS zone is created on the internal network, and internal clients then resolve the entries from their internal DNS servers, which point to a local server. This approach simplifies the design because internal and external users use the same service name. For public certificates the options are limited: administrators must request the certificate for a registered domain and configure the services to use that domain (e.g., Patricio.com).

Domain Name Services (DNS) and Name Resolution Design

DNS is a critical service for Active Directory and other Microsoft products. Public domains must be managed through an Internet registrar or a specialized DNS provider such as Microsoft Azure/Office 365. The public DNS configuration is visible to users on the Internet and carries the records needed for services such as email reception and client access. The aim is a seamless user experience, whether the user is on the intranet or on the Internet, achieved by using a single name for each service. To achieve this, split-brain DNS is recommended; some Microsoft technologies, such as Skype for Business and Exchange, all but require it.
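The split-brain DNS setup described in the two sections above, as an added example that is not part of the original post: it creates the internal copy of the public zone on a domain controller running the DNS Server role, publishes the records internal clients need, and then checks that the same name resolves differently inside and outside. The zone name, the internal address and the record list are assumptions; only the DnsServer module cmdlets are real.

```powershell
# Added example (not from the original post). Run on a DC with the DNS Server role.
Import-Module DnsServer

$zone        = 'patricio.com'   # assumed public domain registered to the company
$internalMta = '10.10.0.25'     # assumed internal address of the Exchange server

# 1. Internal primary zone, AD-integrated and replicated to every DC in the forest.
#    Internal clients query these DCs, so this zone shadows the public one for them.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Forest' -DynamicUpdate 'Secure'
}

# 2. Publish the service names that must resolve internally. Because the internal
#    zone is authoritative for the whole of patricio.com, any public record you do
#    NOT copy here (www, MX for a hosted mail filter, ...) becomes unresolvable for
#    internal clients. Add every public name deliberately; the list is constructed.
$records = @(
    @{ Name = 'mail';         Type = 'A';     Target = $internalMta },
    @{ Name = 'autodiscover'; Type = 'CNAME'; Target = "mail.$zone." }
)
foreach ($r in $records) {
    switch ($r.Type) {
        'A'     { Add-DnsServerResourceRecordA     -ZoneName $zone -Name $r.Name -IPv4Address   $r.Target }
        'CNAME' { Add-DnsServerResourceRecordCName -ZoneName $zone -Name $r.Name -HostNameAlias $r.Target }
    }
}

# 3. Verify the split: the internal resolver (this DC) should answer with the
#    internal address, a public resolver with the public one.
Resolve-DnsName -Name "mail.$zone" -Type A                    | Format-Table Name, IPAddress
Resolve-DnsName -Name "mail.$zone" -Type A -Server '8.8.8.8'  | Format-Table Name, IPAddress
```

The check in step 3 is the one worth keeping in a runbook: a record that exists publicly but was forgotten in the internal zone shows up as a failed internal lookup, and that is the usual cause of "works from home, broken in the office" reports after a split-brain rollout.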

Microsoft Exchange: Accepted Domains and Email Address Policies

When the first Exchange Server of an Exchange organization is set up, the DNS name of the existing Active Directory domain becomes the default accepted domain and therefore the primary SMTP address suffix for the organization. If a valid top-level domain (TLD) is used (Option 1), there is no need to create accepted domains or change email address policies: everything is configured automatically, and new mailboxes receive the correct SMTP address without any changes. If Option 2 or Option 3 is chosen, however, a new accepted domain must be added, the email address policies must be updated, and the default domain created during setup must be removed to keep the organization tidy.
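The Option 2/Option 3 clean-up just described, as an added example (not code from the original post), run from the Exchange Management Shell. The order matters: Exchange will not remove the accepted domain that is currently the default, so the public domain has to be made the default before the original one can go. The domain names, the policy name and the OU are assumptions.

```powershell
# Added example (not from the original post). Exchange Management Shell, on-premises.
$publicDomain = 'patricio.com'     # registered TLD the company owns (assumed)
$adDomain     = 'ad.patricio.ca'   # assumed internal AD DNS name that Exchange setup used

# 1. Register the public domain as an authoritative accepted domain and make it the default.
if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName -eq $publicDomain })) {
    New-AcceptedDomain -Name $publicDomain -DomainName $publicDomain -DomainType Authoritative | Out-Null
}
Set-AcceptedDomain -Identity $publicDomain -MakeDefault $true

# 2. Point the default email address policy at the public domain and apply it.
#    %m is the mailbox alias; the upper-case "SMTP:" prefix marks the primary address.
#    Existing addresses in the old domain stay on the mailboxes as secondary proxies.
Set-EmailAddressPolicy -Identity 'Default Policy' -EnabledEmailAddressTemplates "SMTP:%m@$publicDomain"
Update-EmailAddressPolicy -Identity 'Default Policy'

# 3. Only now can the AD domain's accepted domain be removed; step 1 cleared its Default flag.
$old = Get-AcceptedDomain | Where-Object { $_.DomainName -eq $adDomain }
if ($old -and -not $old.Default) {
    Remove-AcceptedDomain -Identity $old.Identity -Confirm:$false
}

# 4. Check: list any mailbox whose primary SMTP address is still outside the public domain.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.PrimarySmtpAddress.ToString().Split('@')[1] -ne $publicDomain } |
    Select-Object Name, PrimarySmtpAddress
```

Mailboxes excluded from the policy (for example, accounts with EmailAddressPolicyEnabled set to false) will show up in step 4 and need their primary address set by hand.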

Microsoft Azure and User Principal Name (UPN)

To synchronize directories between on-premises Active Directory and Microsoft Azure Active Directory (AAD), the administrator must ensure that the public domain is validated in Microsoft Azure. All accounts whose User Principal Name (UPN) uses that domain are then synchronized with Azure Active Directory. Previously, authentication used the DOMAIN\username format, which still works for internal applications. For SaaS applications and Active Directory Federation, however, the UPN format, such as username@company.com, is required. This format is also recommended for logging into Windows clients, Skype for Business, and Exchange (with Outlook Anywhere). When synchronizing with Azure Active Directory, the user’s UPN must match the domain validated in Azure.

What this means for the UPN depends on which of the three naming options was chosen:

Option 1 requires no additional configuration change as the default UPN will be the current or root domain name.

Option 2 and Option 3 require adding the valid domain as an alternative UPN suffix in Active Directory Domains and Trusts, and ensuring that every user has the valid UPN set in their user properties.

When building a new Active Directory, the administrator should consider Option 1 and Option 2. Personally, I prefer Option 1, as it is easier in the long run. Option 2 is feasible but requires more changes to the environment, and its to-do list is much the same as Option 3’s.
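The extra work Option 2 and Option 3 carry for the UPN, as an added example that is not part of the original post: register the verified public domain as an alternative UPN suffix on the forest (the PowerShell equivalent of the UPN Suffixes tab in Active Directory Domains and Trusts), rewrite the UPN of the accounts to be synchronized, and list any account whose UPN suffix is still not the verified domain. The verified domain and the OU path are assumptions; the cmdlets are those of the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original post). Run as a domain admin with RSAT installed.
Import-Module ActiveDirectory

$verifiedDomain = 'patricio.com'                        # domain verified in Azure AD (assumed)
$searchBase     = 'OU=Users,DC=ad,DC=patricio,DC=ca'    # assumed OU holding the synced accounts

# 1. Add the public domain as an alternative UPN suffix on the forest, once.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $verifiedDomain) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $verifiedDomain }
}

# 2. Rewrite the UPN of every account under the OU that does not yet use the public
#    suffix. The new UPN is built from sAMAccountName here; -WhatIf previews the change
#    set, drop it once the list looks right. Users signed in with the old UPN will have
#    to sign in again in Outlook and Skype for Business after the change.
$users = Get-ADUser -Filter * -SearchBase $searchBase -Properties UserPrincipalName
foreach ($u in $users) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $verifiedDomain
    if ($u.UserPrincipalName -ne $newUpn) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
    }
}

# 3. Pre-sync check. Azure AD Connect does not reject an account whose UPN suffix is
#    not a verified domain; it silently gives the cloud account a *.onmicrosoft.com
#    UPN instead, which breaks the seamless sign-in the article is after. Anything
#    listed here should be fixed before synchronization is enabled.
Get-ADUser -Filter * -SearchBase $searchBase -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$verifiedDomain" } |
    Select-Object SamAccountName, UserPrincipalName
```

For Option 1 none of this is needed, because the forest root name already is the verified domain and new accounts get the right suffix by default.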

How Lepide Helps Secure Active Directory

Now that your Active Directory domain naming is aligned with industry standards, it’s time to make sure your Active Directory is secure.

The Lepide Data Security Platform offers a comprehensive solution to enhance Active Directory security by providing robust monitoring, auditing, and threat detection capabilities. It helps organizations safeguard their critical infrastructure from unauthorized access, insider threats, and data breaches.

Lepide’s platform empowers administrators with real-time visibility into Active Directory changes and user activities. Through advanced auditing and reporting, it tracks modifications to user accounts, group memberships, permissions, and other configurations, ensuring a clear audit trail for compliance and security analysis. By pinpointing unusual behaviors or unauthorized actions, it enables proactive mitigation of potential threats.

The platform’s anomaly detection employs machine learning algorithms to identify deviations from established patterns, helping identify suspicious activities indicative of cyberattacks. Automated alerts and notifications promptly inform administrators about security incidents, enabling swift responses to mitigate risks.

Lepide also offers granular access control features, allowing organizations to enforce the principle of least privilege. Administrators can manage permissions more effectively, reducing the attack surface and preventing unauthorized access.

Schedule your demo of Lepide Data Security Platform.