May 12th, 2004, 03:23 PM
#19
Balls: Since this is a learning environment I will address the question regarding DNS and AD being housed together.
AD is entirely dependent upon properly configured DNS in order to be able to function correctly (it really doesn't work without it). The problem comes when you look at a properly configured AD integrated DNS zone. There is more information there about the nitty-gritty details of your network, its resources etc. than you can shake a stick at. You really don't want this information exposed to the public network.
This has led to what is called Double-DNS or Split-DNS. The AD servers should be maintained _entirely_ on the trusted network since they all contain the sensitive information. All the clients should be set to get their DNS resolution from these internal AD servers.
In the DMZ should be your public DNS servers. They should contain _only_ records that pertain to your publicly available resources such as nameservers, web, ftp and mail servers, etc. Zone transfers should be enabled to only the nameservers listed in each zone.
The internal servers should be set to use forwarders. The forwarders are set to the DMZ DNS servers and for extra assurance the firewall should only allow outbound DNS from the internal DNS servers to the DMZ DNS servers (not onwards to the public network). The DMZ DNS servers should be allowed free access through DNS to anywhere on the net and incoming DNS requests should only be allowed to the DMZ DNS servers. DNS requests from the DMZ to the trusted network should be blocked; there's no reason for the DMZ servers to have any idea that the trusted network exists.
In this way external devices making DNS requests can only reach the DMZ and can therefore only reach publicly available information about your zone. The AD DNS servers can only make requests of the DMZ servers which keeps their DNS traffic off the public network entirely.
Finally, you can use the same domain name internally as you do publicly. The problem comes when internal users try to access external resources in the same domain. They will fail unless you place fixed records in the AD DNS zones that point to the external resource, because the search will cease at the AD DNS server, since it is an authoritative server for the zone.
As you can see from that, the DMZ servers contain no information that you do not want to be publicly available and they aren't allowed to even request it from the trusted network. This makes it practically impossible for anyone to enumerate your internal structure using DNS.
Integrating the two on a publicly available server simply elevates your risk significantly.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
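An added check for the firewall policy the post lays out (example code, not from the original post or its author): it classifies port-53 flows from constructed firewall log lines into the post's segments (trusted clients, AD DNS, DMZ DNS, other DMZ hosts, the public network) and flags every flow the design forbids. The address ranges, the log line format and the rule letting other DMZ hosts use the DMZ resolvers are assumptions.

```python
import ipaddress
import re
# Address plan for the segments the post describes (assumed RFC 1918 / RFC 5737 ranges).
SEGMENTS = [  # most specific network first
    ("ad_dns",  ipaddress.ip_network("10.0.0.8/29")),   # AD-integrated DNS servers
    ("trusted", ipaddress.ip_network("10.0.0.0/8")),    # the rest of the trusted network
    ("dmz_dns", ipaddress.ip_network("192.0.2.8/29")),  # public DNS servers in the DMZ
    ("dmz",     ipaddress.ip_network("192.0.2.0/24")),  # other DMZ hosts (web, mail, ...)
]

def segment(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS:
        if addr in net:
            return name
    return "internet"  # anything outside the plan is the public network

# Port-53 flows the post permits, as (source segment, destination segment); all else is denied.
ALLOWED = {
    ("trusted", "ad_dns"),    # clients resolve only through the internal AD servers
    ("ad_dns", "dmz_dns"),    # AD servers forward only to the DMZ servers, never onwards
    ("dmz_dns", "internet"),  # DMZ servers may recurse anywhere on the net
    ("internet", "dmz_dns"),  # inbound DNS reaches only the DMZ servers
    ("dmz", "dmz_dns"),       # assumption: other DMZ hosts use the DMZ resolvers
}
def dns_flow_allowed(src, dst):
    return (segment(src), segment(dst)) in ALLOWED
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=53\b")  # assumed log format
def audit(lines):
    """Return (src, dst, src_segment, dst_segment) for every logged DNS flow the policy forbids."""
    violations = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a port-53 flow
        src, dst = m.groups()
        if not dns_flow_allowed(src, dst):
            violations.append((src, dst, segment(src), segment(dst)))
    return violations

# Constructed firewall log lines, not real traffic; the last three are the misconfigurations the post warns about.
SAMPLE_LOG = [
    "2004-05-12T15:23:01 ACCEPT proto=UDP src=10.1.4.22 dst=10.0.0.9 dport=53",      # client -> AD DNS
    "2004-05-12T15:23:01 ACCEPT proto=UDP src=10.0.0.9 dst=192.0.2.9 dport=53",      # AD DNS -> DMZ DNS
    "2004-05-12T15:23:02 ACCEPT proto=UDP src=192.0.2.9 dst=198.51.100.7 dport=53",  # DMZ DNS -> net
    "2004-05-12T15:23:05 ACCEPT proto=UDP src=10.1.4.22 dst=198.51.100.7 dport=53",  # client bypasses AD DNS
    "2004-05-12T15:23:07 ACCEPT proto=UDP src=192.0.2.9 dst=10.0.0.9 dport=53",      # DMZ querying trusted net
    "2004-05-12T15:23:09 ACCEPT proto=UDP src=203.0.113.5 dst=10.0.0.9 dport=53",    # outside host reaching AD DNS
]
```

Running `audit(SAMPLE_LOG)` returns the three offending flows; pointing the same function at real firewall exports (after adjusting `LOG_RE` and the address plan) gives a quick way to confirm the split-DNS boundary holds.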