
Naming active directory domain


  • Naming active directory domain

    Hi all,

    I am in the process of setting up my first active directory domain for a small business. The business already owns the (internet) domain name company.com. On the 2nd our O365 mail account was set up with @company.com. But we have no plan to integrate/replicate our on-premises domain with the cloud domain. I am receiving conflicting advice on how to name the active directory domain. I am willing to name our AD domain "company.com" - but which option is better in the long run:
    • company.local / company.internal
    • company.com
    • corp.company.com
    I have been reading multiple forums; however, they don't seem to offer any good advice on the subject. Is there anyone in the know here who can advise on the advantages/disadvantages of the different choices?

    Thanks!

  • #2
    AFAIK the recommended best practice is to use your public name (company.com) or a subdomain of it. If you don't, you will (among other things) run into issues with SSL certificates, which can now only be issued to resolvable names.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland



    • #3
      Using your registered Internet domain as the Active Directory domain name means your local DNS server(s) will believe they're authoritative for an Internet domain that's really registered elsewhere. This is commonly referred to as split-brain DNS or split-horizon DNS, and means you'll have to create and maintain local DNS records mirroring the "real" records in the public DNS zone. Unless you're also responsible for managing the external DNS service, you're likely to experience issues like not being able to access corporate web resources when external records are created or updated. It's a hassle and your users will complain when it happens.

      Using an otherwise unused subdomain of your registered Internet domain (like activedirectory.company.com) avoids the split-brain DNS issue, and all your servers would still have hostnames that are valid on the Internet and as such could be issued valid certificates from an external CA. Please note that although commonly used as examples in various books and articles, "ad" or "ads" might not be the best subdomains to use, as a name collision is likely to occur should those responsible for your company's web presence ever decide to host their own ads.

      Now, in both the above scenarios you could run into security issues down the line. Should your domain name ever lapse or be sold or transferred (for instance due to a merger or a split), you would find yourself in a position where someone else would be able to register the domain and obtain certificates that could easily be used to spoof internal, trusted resources on your LAN. That could force you to rename your internal domain, which in many cases is a non-trivial task. I've been in that position more than once, and for that reason I'm reluctant to recommend this particular naming policy.

      Another common strategy is to use an invalid DNS domain or TLD suffix for the internal AD DNS zone. This obviously avoids conflicts with external DNS names, but as Ossian mentioned, you'll be unable to procure external certificates for local host names. That may not be an issue if you don't actually need certificates, or if your certificate needs can be satisfied by setting up an internal Certification Authority or by using self-signed certificates. However, an invalid TLD or domain may not remain invalid forever; see what happened to .local.

      Finally, using a reserved TLD puts you in the exact same position as with an invalid TLD, but without the risk of the TLD or domain suddenly being allocated to some other entity in the future, creating a naming conflict. There exist a number of reserved country codes that could be used for that purpose; see ISO 3166-1 alpha-2.

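The trade-offs laid out in post #3 (split-brain DNS for the public name, certificate and lapse caveats for a subdomain, the mDNS takeover of .local, and user-assigned ISO 3166-1 alpha-2 codes as collision-free suffixes) can be turned into a quick sanity check for a candidate AD DNS name. The script below is an added example, not code from the thread or from Microsoft; the option labels, the finding strings and the treatment of .internal as an ICANN-reserved private-use suffix are this example's own choices.

```python
import re

# ISO 3166-1 alpha-2 user-assigned codes (AA, QM-QZ, XA-XZ, ZZ) are never assigned
# to a country, so they will never be delegated as a ccTLD: no future naming conflict.
USER_ASSIGNED_ALPHA2 = ({"aa", "zz"}
                        | {"q" + c for c in "mnopqrstuvwxyz"}
                        | {"x" + c for c in "abcdefghijklmnopqrstuvwxyz"})
# Suffixes that acquired a defined meaning: .local was claimed by mDNS (RFC 6762),
# which is "what happened to .local"; .internal was reserved by ICANN for private use.
SPECIAL_USE = {
    "local": "claimed by mDNS (RFC 6762); unicast DNS and mDNS resolvers may collide",
    "internal": "reserved by ICANN for private use; will not be delegated publicly",
}
# Labels the thread flags as likely to collide with a future public web presence.
COLLISION_PRONE_LABELS = {"ad", "ads"}
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one LDH hostname label


def assess(candidate: str, public_domain: str) -> dict:
    """Classify an AD DNS name against the owned public domain (example helper)."""
    cand = candidate.lower().rstrip(".")
    pub = public_domain.lower().rstrip(".")
    labels = cand.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return {"option": "invalid", "public_certs": False, "findings": ["not a valid DNS name"]}
    lapse = "rename required if the public domain lapses or is transferred"
    if cand == pub:
        return {"option": "same-as-public", "public_certs": True,
                "findings": ["split-brain DNS: internal zone must mirror every public record", lapse]}
    if cand.endswith("." + pub):
        sub = labels[-(len(pub.split(".")) + 1)]  # label directly under the public domain
        findings = [lapse]
        if sub in COLLISION_PRONE_LABELS:
            findings.append(f"'{sub}' is likely to collide with a future public subdomain")
        return {"option": "subdomain-of-public", "public_certs": True, "findings": findings}
    tld = labels[-1]
    if tld in SPECIAL_USE:
        return {"option": "special-use", "public_certs": False, "findings": [SPECIAL_USE[tld]]}
    if len(tld) == 2 and tld in USER_ASSIGNED_ALPHA2:
        return {"option": "reserved-tld", "public_certs": False,
                "findings": ["no collision risk; internal CA or self-signed certificates only"]}
    return {"option": "unowned", "public_certs": False,
            "findings": ["suffix is neither owned nor reserved; it may be delegated publicly later"]}


if __name__ == "__main__":
    for name in ("company.com", "corp.company.com", "ad.company.com", "company.local", "company.zz"):
        print(name, assess(name, "company.com"))
```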


      • #4
        Microsoft is clear on this issue: Use an unused sub-domain of your public domain. So... ad.company.com, corp.company.com, etc., etc.



        • #5
          Originally posted by joeqwerty:
          Microsoft is clear on this issue: Use an unused sub-domain of your public domain. So... ad.company.com, corp.company.com, etc., etc.
          That's their current recommendation, yes. Prior to that they were equally clear in recommending an invalid TLD.

          I say consider the likely consequences your choice will have for your particular organization. No matter what you choose, it'll be you who has to clean up the mess should your choice turn out to be the wrong one, not someone at Microsoft.
