Setup internal and external DNS namespaces best practice

Similar Messages

• Meeting Place Web Servers ( Internal and External )DNS and IP Addressing

  For the Meetingplace 8.5 what will be the IP addresses of the Internal Web Server ( Internal IP's from the same subnet as of the CUCM) and for the External one interface from the internal network subnet ( CUCM subnet)  and the other Public IP address?
  How we will be mapping the DNS FQDN for these IP addresses?
  Do we need to have one internal DNS server and the other place in the DMZ?

  Hi Ali,
  You need two Web Server one Internal and one External. While configuring you internal web server you also add external if external particpants are allowed or not.
  For internal web server you want to make sure it's on the same subnet so internal particpants can access that one. For external you need to make sure the IP configured on external one is either natted ip or public ip so that when they type the external domain name it resolves to this external server ip address.
  Let me know if you have more questions.
  HTH
  Arun

• Internal vs. external directory services best practices

  Hello everyone,
  We have two distinct directory services here where I work, one that supports 'internal' needs, and one that is used for external clients, the people who use our web-facing applications. We are limited by the separation of the directory services. E.g., our internal users cannot use the external directory service to look up email addresses.
  I have been asked to look into design options and best practises. Is it common to have distinct services like this? Or are those external users usually part of the same service as the internal users? Is my online banking account information in the same directory service (assuming it is in a directory service at all) as the employees at my bank? Does it make sense to run separate services like this? What are some alternatives?
  Part of the integration problem is AD vs. Sun Directory Server. The external service is in Sun Directory Server and predates AD. The AD service is obviously here for the Windows environment. Some organizations I have worked with in the past used Sun LDAP as the authoritative source of data, and synced in one way or another into AD.
  Any feedback is appreciated,
  Mark

  No, what I am looking for is architectural input regarding the use of AD and a separate LDAP server. In my case I am talking about AD and the SJS Directory Server, but this would apply to any environment that has AD plus some other LDAP server.
  I need to be able to reasonably answer the general question: Why should we keep the SJS Directory Server, when we could just put all our LDAP data into AD?
  I also need to answer the more specific question: Given our LDAP data is external users only (customer, partners), does it make sense to keep them there? Again, why not just put these "external" entities into AD?
  I'm not trying to figure out how to get AD and LDAP to work together. I'm trying to figure out why I have two directories, and why I should or should not keep two directories. I've found nothing online dealing with what should be a very common scenario.
  Mark

• Exchange Server 2013 internal and external DNS records

  I recently installed Exchange Server 2013 and I've register a pubic ip too for exchange server. How can I create internal DNS as well MX record for my Exchange server to send and receive internet mails. It's my first time configuring exchange for a organization.
  registered domain name=====np.bbcmediaaction.org
  public ip=====202.166.212.221

  Hi,
  For external mail flow, we need the following DNS records: MX records for the domain part of the external recipient, A records for the destination messaging servers. For more information, you can refer to the following article:
  http://technet.microsoft.com/en-us/library/bb676467(v=exchg.150).aspx
  Additionally, to ensure external mail flow works well, we also need to configure send connector.
  For more information, you can refer to the following article:
  http://technet.microsoft.com/en-us/library/jj218640(v=exchg.150).aspx   
  If you have any question, please feel free to let me know.
  Thanks,
  Angela Shi
  TechNet Community Support

• Best practises regarding Internal and External access to SIM

  Currently we have two separate Active Directories one internal and one in the DMZ and plan to have one SIM on an segmented network allowing access for our internal users directly to SIM UI and external users thru portlets that talks to SIM.
  The external AD hosts some internal users that also needs access to the DMZ applications so we can save efforts in managing to separate SIM environments in development, tests, upgrades, unique UID etc...
  What are the best practices on the market is this a preferred choice with only one SIM or with one SIM internally and one SIM in DMZ hosting suppliers, customers etc?
  With a single SIM environment are you allowing internal users accessing SIM from Internet to change internal AD password or have you restricted the functionality in some way for internal users accessing SIM from internet?
  How about challenge response questions are you allowing users to have the same both internally and externally or setup different for different user interfaces?
  Anyone willing to share how your environment is setup for internal and external access?

  Yes for handling the access to the SIM we probably need to look into some kind of access management solution to get it to work in a secure way.
  The question is a bit complex with many different factors controlling the outcome of the SIM implementation, but I hope to get some idées with this thread of how we can solve it.
  The question still remains if its common to have one or to SIM's and what internal users is allowed to do in SIM from Internet.
  Ex are internal users allowed to change their password in internal Active Directory thru SIM from Internet or what have others done to limit the functionality?

• Exchange 2013 DNS for internal and external domain

  Hi All,
  I have been assigned a task to implement Microsoft Exchange Server 2013. I need some help in setting up DNS namespaces and design a strategy to have same internal and external names. Let me share some details here.
  We have an Active Directory domain myinternaldomain.net, and we have a public domain
  mypublicdomain.com and we have setup email policy to have
  mypublicdomain.com as the SMTP domain for all the users. We have created another DNS zone in Active directory integrated DNS and created a records for
  mail.mypublicdomain.com and autodiscover.mypublicdomain.com which will point to CAS NLB IP. We have 2 CAS servers and 2 MBX servers, we have configured DAG for MBX High availability and planning to implement WNLB for CAS as
  hardware LB is out of scope due to budget constrains.
  We want to have same URLs for OWA, Autodiscover, ECP and other services from internal network as well as from public network. Users should not be bothered to remember two URLs, using one from internal and other from public networks. I also want to confirm
  that with this setup in place do i need to have myinternaldomain.net and server names in SAN certificate?
  Thanks

  Hi Sccmnb,
  You can easily achieve this using split DNS.
  Internal DNS hostname "mail.mypublicdomain.com" will be pointing to your internal CAS NLB IP and the external public DNS hostname"mail.mypublicdomain.com" will be pointing to the Network device or
  Reverse proxy server IP.
  Depending upon users access location(internal\external) the IPs would vary and they should be able to access the website with same name.
  The names that you would require on the certificate(Use EAC or powershell to raise the request) for client connectivity would be
  SN= mail.mypublicdomain.com
  SAN= autodiscover.mypublicdomain.com
  You don't need to have the active directory domain name present in the certificate.
  Additional  to this you need to update the AutodiscoverURI for all servers and OWA,ECP,Autodiscover Virtual Directories InternalURL and ExternalURL fields with appropiate public names.
  Some additional Info:
  *Internal vs. External Namespaces
  Since the release of Exchange 2007, the recommendation is to deploy a split-brain DNS infrastructure for the Internet-based client namespaces. A split-brain DNS infrastructure enables different IP addresses to be returned for a given namespace
  based on where the client resides – if the client is within the internal network, the IP address of the internal load balancer is returned; if the client is external, the IP address of the external gateway/firewall is returned.
  This approach simplifies the end-user experience – users only have to know a single namespace (e.g., mail.contoso.com) to access their data, regardless of where they are connecting. A split-brain DNS infrastructure, also simplifies the configuration of Client
  Access server virtual directories, as the InternalURL and ExternalURL values within the environment can be the same value.
  *Managing Certificates in Exchange Server 2013 (Part 2)
  *Nice step by step article
  Designing a simple namespace for Exchange 2013
  Regards,
  Satyajit
  Please“Vote As Helpful”
  if you find my contribution useful or “MarkAs Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

• DNS Forwarding Same Internal and External Zone

  Hi,<o:p></o:p>
  So we have decided that we want our internal domain to be the same as our external domain e.g. domain.uk. I understand that split DNS can be used
  to fulfil this requirement but is it possible to set up a forward so if the DNS entry is not available in the internal zone it will forward onto one of our external name servers where it can resolve?<o:p></o:p>
  We are basically trying to avoid having to add the entry on both external and internal DNS servers for it to resolve. So far I have added the external name servers to
  the forwarders and disabled root hints which didn’t work. I’ve tried to add a conditional forwarder but it says the zone already exists. It seems the only to achieve the internal resolution is by creating the DNS entry both internally and externally.<o:p></o:p>
  Does anyone know if this is the case? It seems strange that you couldn’t point the DNS to another external name server for resolution? <o:p></o:p>
  Any help would be appreciated.<o:p></o:p>

  You must ask in networking forum
  https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverNIS&filter=alltypes&sort=lastpostdesc

• How to Setup RDS custom property when internal and external domain name space is different

  Hi All
  I am setting up RDS for customer
  My internal domain name is domain.local and my external domain is domain.com
  I came across below PowerShell cmdlets on some blogs because my internal and external name space are different
  Set-RDSessionCollectionConfiguration –CollectionName QuickSessionCollection -CustomRdpProperty “use redirection server name:i:1 `n alternate full address:s:remote.domain.com”
  In above command, remote.domain.com points to which host?
  Is it pointing to RD Session Broker
  OR
  Pointing to RD Session Host servers
  I am not sure what above command will do exactly ?
  Any help will be highly appreciated
  Thanks Best Regards Mahesh

  Hi,
  It all depends who is accessing the RDS Solution.
  If you have a large BYOD or large number of external users, it would be better to use a public certificate.
  Have a look at the following script which will simplyfy the configuration of the RDSH hosts with certificates.
  http://ryanmangansitblog.com/2014/05/20/rds-2012-rdsh-certificate-deployment-script/
  You can use a custom RDP property to hide the Session host names.
  Have a look at the following article on configuring certificates:
  http://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/
  Ryan Mangan | Ryanmangansitblog.wordpress.com | Help keep the forums tidy, if this has helped please mark it as an answer

• DNS records to be created for Lync deployment (Internal and External)

  Hi There,
  If I want the Lync server environment to work Internal as well from External in all the aspects. (auto-discover, meetings, AV conferencing,web conferencing, voice integration, mobility etc), please answer to the below questions and also their purpose please.
  I'm not sure whether the answer varies for 2010 and 2013 version.
  1. What are the Internal and External(public) DNS records to be created for the reverse proxy(assume i'm using TMG servers), and their purpose?
  2. What are the Internal and External(public) DNS records to be created for Lync Edge server, and their purpose?

  I'll try to answer as well.
  1) For the reverse proxy, you'll need to publish the following:
  External:
  lyncdiscover.sipdomain.com (You'll need this record for every sip domain you have).  This is for client autodiscover.
  external web services FQDN (You'll need one of these per pool, you get to choose the name).  This is for address book downloads, web conferencing, etc.
  Meet.sipdomain.com (You can choose the name here, and have one per sip domain or one for the whole org).  This is for web conferencing.
  Dialin.sipdomain.com (You'll just need one here, it doesn't have to be dialin).  This is for changing your conferencing/phone pin, resetting conference info, and general conferencing info.
  For Lync 2013 only, you may want the Office Web Application server pool name as well for PowerPoint sharing.  Lync 2010 doesn't use this.  
  Internal:
  The external web services FQDN.  You'll need this available internally through the reverse proxy so you can redirect requests on port 443 to port 4443.  This will be used for mobile devices on WiFi.
  2) For the Edge server:
  Externally:
  sip.sipdomain.com (you'll need one per sip domain) this is an autodiscover/multi use FQDN and should point to your access edge IP.
  webedge.sipdomain.com (edge web conferencing, you can pick any name you like).
  avedge.sipdomain.com (av edge, you can pick any name you like).
  accessedge.sipdomain.com (you'll need a name for the access edge role, however you can just use sip.sipdomain.com and save a name in your certificate request).
  Internally:
  edgepool.sipdomain.com (you can pick any name you want, it's just the name assigned to the internal edge interface.
  If you choose to have a single ip for the external edge, you can get away with just an access edge name and/or sip.sipdomain.com
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications
  This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Internal and external facing applicaitons on same infrastructure

  I'm looking for suggestions on the best way to architect an apex production environment where you may have two or three apps open to the public and 10 or more for internal access only. All of the apps (regardless of public or private) are running on the same APEX instance, DB, app tier and web tier.
  We are using the APEX Listener on Weblogic for the app tier with an OHS webserver and Load Balancer in front of everything.
  The Load Balancer houses all of our certificates and has the ability to perform iRules to make more friendly urls.
  Our approach is to assign each app (ie https://someurl.com/apex/f?p=APPID) a static IP from the load balancer and then firewall public/private based on APPID to prevent internal only apps from being reached outside the network.
  Unfortunately the iRule friendly url rewrite isn't able to mask the APPID from the URL (https://someurl.com/apex/f?p=200) which currently allows anyone the ability to change the APPID parameter of the URL and cycle through all the apps regardless of the firewall rule in place to prevent it from being publicly accessible.
  For example, if we have the following apps deployed and the only one which is allowed open to the internet is app 100, the url rewrite isn't able to mask APPID of 100 (or the APP Alias if used).
  Publicly accessible:
  https://someurl.com/apex/f?p=100 (192.168.25.100)
  Internal only access:
  https://somedifferenturl.com/apex/f?p=200 (192.168.25.200)
  https://anotherurl.com/apex/f?p=250 (192.168.25.250)
  https://subdomain.someurl.com/apex/f?p=300 (192.168.25.300)
  I could navigate to the publicly accessible url https://someurl.com/apex/f?p=100 and change the APPID for one of (200,250,300) and still access those apps which should not be open to the internet.
  from the internet browsing directly to https://somedifferenturl.com/apex/f?p=200 or https://anotherurl.com/apex/f?p=250 or https://subdomain.someurl.com/apex/f?p=300 would all result in a page not found error since their ip's are not accessible directly from the internet.
  What is the best practice to overcome the above scenario and utilize shared infrastructure for internal and external facing applications? Is mod_rewrite my only other option to accomplish this setup and bypass the load balancer?

  Hi Jeff,
  I'm not sure if this is the ideal recommendation, but I know of a way you could block the "internal-only" applications from being accessed externally.
  1) Create a function which inspects the CGI environment variables, e.g., HTTP_HOST, HTTP_PORT, etc. Using this information, you determine if the request is emanating from an internal server name or an external server name.
  2) Create an authorization scheme which returns FALSE if the host/port/other CGI isn't what you expect.
  3) Apply this authorization scheme to every application you wish to keep from an external site.
  I know this isn't ideal, as you have to add this to every "internal-only" application. And if you forget an application, then this application suddenly becomes available on the Internet. But it's one way. If all of the applications are in the same workspace, you could define this authorization scheme in one application and subscribe to it from the other applications.
  Joel
  P.S. From SQL Commands, you can see all of the CGI environment variables at your disposal using:
  begin
  owa_util.print_cgi_env;
  end;

• Use Same URL for Internal and External Access for CRM 2015 IFD

  I have setup a CRM2015 server for IFD access.
  ADFS and CRM are on separate servers.
  CRM server all roles
  ADFS 2.0 server.
  Using the internal URL I am able to access CRM without entering my details (as expected)
  Using the external URL I am authenticated by ADFS as expected and can sign in.
  We have an internal domain domain.local
  We have an external domain domain.com (the certificate is for *.domain.com)
  We have a DNS zone created internally for domain.com.
  CRM URLs
  internal : internalcrm.domain.com
  External : externalcrm.domain.com
  I would like all users to use the same link regardless of them being internal or external, but I would like so that any user who is on the domain is automatically logged in without entering their username and
  password. What is the best way to do this?
  I have tried creating a cname record on the internal domain.com zone pointing externalcrm.domain.com to internalcrm.domain.com but that didn't work, I still get the ADFS sign in page.
  Thanks

  So fair warning, what you're asking for isn't really a supported deployment method of CRM.
  That said, you should be able to do some DNS trickery internal to your network that points your "crm.domain.com" to "crm.domain.local" and then hopefully CRM will treat the connection as if it came from an internal network.
  Otherwise, you're likely going to have to accept that everyone gets the ADFS login page internal and external to your network.
  The postings on this site are solely my own and do not represent or constitute Hitachi Solutions' positions, views, strategies or opinions.

• Add account fails both internally and externally, but autodisover is working

  Recently our internal DNS zone was deleted on remote DC and the change propagated to all of our DNS server. I was able to make a copy of zone and restore it. The Exchange server is back online and working for existing machines, but when we attempt to add
  a users profile to a new machine or a remote machine the auto setup fails. I am not sure if it is DNS related, because our external DNS was not affected, but I wanted to mention it because I think it has something to do with problem. The following happens
  now:
  It finds the user.
  Fails to logon:
  Tells me I must provide the mail serve name
  When I click on check name it tells me the name cannot be resolved.
  I have been banging my head against the wall here, because both internal and external exchange connectivity test pass. Also,
   I cannot find anything in the event logs that looks related. Any ideas?

  Hi,
  Please refer to the following article to troubleshoot the issue:
  Outlook: Unable to perform a Check Name or connect to an Exchange mailbox
  To resolve this issue, import the User Shell Folders registry key from a working Windows User Profile.
  Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added
  protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs
  Hope this helps!
  Thanks.
  Niko Cheng
  TechNet Community Support

• Non-Web Server Publishing Rule for Internal and External

  Hi there,
  I have a problem with my TMG and publishing SSH for Internal and External users to an internal Server.
  Network:
  Internal Network
  SSH Server, 10.10.10.25
  Internal DNS record "ssh.domain.com" pointing to 10.10.10.254
  TMG Server, 10.10.10.254/192.168.0.254
  External Network
  External DNS record "ssh.domain.com pointing to 192.168.0.254
  I want my users (internal AND external) using their SSH client to connect to ssh.domain.com and TMG to forward the request to the SSH server. Note that internal clients and the SSH server are in the same network.
  I have created a custom "SSH Server" protocol with inbound TCP for port 22 and created a Non-Web Server publishing rule.
  Traffic Tab: SSH Server Protocol
  From Tab: Internal, External
  To Tab: 10.10.10.25, original client
  Networks Tabs: Internal, External
  External users cann connect without a problem, all fine here. Internal users get a timout. The TMG Log says: Denied Connection (Default Rule,
  The policy rules do not allow the user request) and doesn´t recognize this is an inbound request. The log gives me dest IP 10.10.10.254 and protocol SSH and not 10.10.10.25 and SSH Server.
  I read a lot of networking rules and NAT/Routing, tried a bit but never got a success.
  Can you help me fix or working around this and tell me whats going on there and if there a limitations in TMG I don´t know yet?
  Regards,
  Sascha

  Hi,
  According to your description, it seems that request was denied by the TMG rules so the request from the internal users
  could not be forwarded to the SSH server. I would appreciate it if you can post the logs to us and the results of running ipconfig/all on the TMG server.
  In addition, maybe you can change the firewall policy only from
  External and add another firewall policy for the internal user to see if the issue persists.
  More information:
  Creating and using a server protocol
  TMG
  Back to Basics - Part 1: Server Publishing Rules
  Best regards,
  Susie

• Exchange 2010 and 2013 coexistence Internal and external URL

  Hi all,
  been reading alot of threads about Outlook anywhere and virtual directories in co-existence exchange 2010 and 2013.
  Still i dont get any smarter.
  Here is scenario:
  Exchange 2010
  Cas1
  Cas2
  Mailbox1
  Mailbox2
  Casarray is Exchange.casarray,com ( internal dns pointed to CAS1 in exchange 2010).Seems like by default both exchange 2013 cas servers are added to the casarray.
  Exchange 2013
  CAS+Mailbox
  Cas+Mailbox
  DNS
  mail.exchange.com pointing to VIP (kemp loadbalancer)
  Autodiscover ( pointed to same vip ,kemp load balancer)
  Outlook anywhere on all servers (2010 and 2013)
  Internal ( pointing to VIP on Kemp)
  External ( pointing to external IP,then it passes firewall that again passes to kemp)
  Problem we are having is when migrating users from Exchange 2010 - 2013.
  Users using Outlook 2010
  restart of outlook and mail  works fine.
  OWA works fine
  Active sync fails ( need to inherit permission of users AD object),wait couple of hours then mobile can sync again.)
  Users using Outlook 2013
  Outlook in disconnected status,only fix is to create new profile.
  OWA works fine
  Active sync fails ( need to inherit permission of users AD object),wait couple of hours then mobile can sync again.)
  Question is,what should be set for internal and external url (active sync,owa,ews)on 2010 and 2013 servers?
  Where is the config wrong?
  Thanks!
  Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

  Hi Martina,
  did the test as mentioned,even tried both CAS 2013 servers.Flush and registerdns didnt help.
  Still Outlook is Connected to the cas.exchange.as (which again Points to 1 of Exchange 2010 servers),
  Tried repair Outlook profile,no og.Only fix is to setup New account.
  Any more tips?
  thanks!
  Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

• Internal and Public DNS conflict breaks mail

  History:
  We set up a new Mac Mini Server to replace our existing Server. The Mac Mini Server is setup behind a Time Capsule, which acts as our router and DHCP server. It also acts as our firewall on the public IP address and forwards mail to our internal server. Our situation is almost identical to the example situation on page 18 to 19 in the 'Getting Started' guide.
  Our ISP acts as our DNS server and they host our public website. They also used to host our mail, but we have now moved the mail to our new in-house server. We asked our ISP to update their MX records to point to our static public IP address. Public DNS records for server.mydomain.com also resolve to this IP address.
  When we originally set up the new mac mini server, the ISP had not yet updated the MX records. I am wondering if this affects how the Server sets up DNS on the local server machine?
  Issue:
  The local server machine on the local LAN is called server.mydomain.com, which resolves via local DNS (hosted by our server) to the server's internal IP address. (The local DNS server was setup automatically by the Server during initial installation / setup.) This conflicts with with public DNS records which identify server.mydomain.com with our public IP address at 205.200.19.225. This somehow causes confusion for the server which consequently seemingly randomly resets our domain (mydomain.com) and host name (server.mydomain.com) settings under Mail settings - which breaks our mail service. (We then edit these to the correct settings and all works again.)
  I spoke to an Apple tech and they advised that we reinstall the Server operating system, using a local server name that differs from the public name. e.g. server.mydomain.lan (local) vs. server.mydomain.com (public).
  *This may seem like a dumb question*: Would it be easier to keep our local host and DNS set up to server.mydomain.com and then rather have our ISP change the records for our public address / IP to mail.mydomain.com or public.mydomain.com? If we could make the change via the ISP's records versus our own, then it would save us a lot of work.
  *A second potentially dumb question:* Since we rely on our ISP for DNS name servers, could we delete / stop the local DNS server for the local network and just use straight IP addresses instead?
  *Plan of Action:*
  Assuming that there is not an easy fix via the ISP's DNS records, then I'll reinstall the operating system and use server.mydomain.lan as the local machine and domain name. If I do this, then what should I be using as the domain and host name settings in mail? .com or .lan?
  Should there be any need to manually configure DNS settings to make Mail work?

  Mr Hoffman and Corbywan - thanks for the interesting and educational discussion. I must admit that I am still a bit confused and would appreciate any further help in understanding this issue!
  *My situation:*
  - Server on a LAN, which sits behind a Time Capsule router.
  - The Time Capsule router serves DHCP and Internet to the LAN and sits on our public static IP Address.
  - Our ISP has set up MX and domain records to forward public requests for our domain to our static IP address.
  - Time Capsule acts as our firewall and forwards Mail and other incoming services to our internal server via port forwarding.
  - Local DNS service is provided by the local server so that it can provide services to the local network. Non local requests are forwarded to the ISP DNS service.
  *The problem*
  We seem to have established that Snow Leopard Server breaks when the internal domain name matches the public domain name, because of conflict between the internal and public DNS which resolve to different IP addresses for the same domain.
  *The solution*
  I am looking for the easiest and most basic way to fix this problem. My understanding is that the simplest would be to reinstall our Snow Leopard Server to a new and different local domain name.
  I am thinking of using server.example.lan for our local LAN domain name - which would be resolved to our private IP address via local DNS on the local server. I would be keeping server.example.com for our public domain name - which would be resolved to our public IP address, which would be forwarded from the Time Capsule to the internal server.
  Now where I start getting confused is this: If Snow Leopard Server requires a Fully Qualified Domain Name to do things like send mail, then do I need to register my internal domain name? And how would this resolve from a public DNS server to the internal private IP address? Or is it more an issue where as long as the internal (albeit 'fake') domain name does not conflict with an existing public domain name?
  *Other items:*
  After setup, I will verify that Snow Leopard Server has setup our local DNS correctly for local DNS service.
  If I understand correctly, I would set up Mail Settings - 'Domain Name' as the local domain name: i.e. example.lan and I would set up the Host Name as server.example.lan - is this correct? Would this work if these are not FQDN?
  How does the mail server reconcile these local domain names with the public domain names? I assume that I need to check the box at Mail - Settings - Advanced - Hosting: "Include server's domain as local host alias" ? Or would I manually add an alias to the Local Host Aliases under the same tab?
  Thanks!