Naming active directory domain

Home Forums Microsoft Networking and Management Services Active Directory Naming active directory domain

This topic contains 5 replies, has 5 voices, and was last updated by  colin200 7 months, 3 weeks ago.

Viewing 6 posts - 1 through 6 (of 6 total)
  • Author
    Posts

  • mavismani
    Member
    #167238

    Hi all,

    I am in the process of setting up my first active directory domain for a small business. The business already owns the (internet) domain name company.com. On the 2nd our O365 mail account has been setup with @company.com. But we have no plan to integrate/replicate our on-premises domain with cloud domain. I am receiving conflicting advice on how to name the active directory domain. I am willing to name our AD domain as “company.com” – But which options is better to be in the long run:

    • company.local / company.internal
    • company.com
    • corp.company.com

    I have been reading multiple forums, however it doesn’t seem to offer any good advice on the subject. Is there anyone in the know here who can advise the advantages/disadvantages of the different choices?

    Thanks!


    Ossian
    Moderator
    #191831

    AFAIK recommended best practice is to use your public name (company.com) or a subdomain of it. If you don’t you will (among other things) run into issues with SSL certificates which can now only be issued to resolvable names


    universal
    Member
    #388835

    Using your registered Internet domain as the Active Directory domain name means your local DNS server(s) will believe they’re authoritative for an Internet domain that’s really registered elsewhere. This is commonly referred to as split-brain DNS or split-horizon DNS, and means you’ll have to create and maintain local DNS records mirroring the “real” records in the public DNS zone. Unless you’re also responsible for managing the external DNS service, you’re likely to experience issues like not being able to access corporate web resources when external records are created or updated. It’s a hassle and your users will complain when it happens.

    Using an otherwise unused subdomain of your registered Internet domain (like activedirectory.company.com) avoids the split-brain DNS issue, and all your servers would still have hostnames that are valid on the Internet and as such could be issued valid certificates from an external CA. Please note that although commonly used as examples in various books and articles, “ad” or “ads” might not be the best subdomains to use, as a name collision is likely to occur should those responsible for your company’s web presence ever decide to host their own ads.

    Now, in both the above scenarios you could run into security issues down the line. Should your domain name ever lapse or be sold or transferred (for instance due to a merger or a split), you would find yourself in a position where someone else would be able to register the domain and obtain certificates that could easily be used to spoof internal, trusted resources on your LAN. That could force you to rename your internal domain, which in many cases is a a non-trivial task. I’ve been in that position more than once, and for that reason I’m reluctant to recommend this particular naming policy.

    Another common strategy is to use an invalid DNS domain or TLD suffix for the internal AD DNS zone. This obviously avoids conflicts with external DNS names, but as Ossian mentioned, you’ll be unable to procure external certificates for local host names. That may not be an issue if you don’t actually need certificates, or if your certificate needs can be satisfied by setting up an internal Certification Authority or by using self-signed certificates. However, an invalid TLD or domain may not remain invalid forever; see what happened to .local.

    Finally, using a reserved TLD puts you in the exact same position as with an invalid TLD, but without the risk of the TLD or domain suddenly being allocated to some other entity in the future, creating a naming conflict. There exists a number of reserved country codes that could be used for that purpose,see ISO 3166-1 alpha 2.


    joeqwerty
    Moderator
    #304611

    Microsoft is clear on this issue: Use an unused sub-domain of your public domain. So… ad.company.com, corp.company.com, etc., etc.


    universal
    Member
    #388836
    joeqwerty;n514085 wrote:
    Microsoft is clear on this issue: Use an unused sub-domain of your public domain. So… ad.company.com, corp.company.com, etc., etc.

    That’s their current recommendation, yes. Prior to that they were equally clear in recommending an invalid TLD.

    I say consider the likely consequences your choice will have for your particular organization. No matter what you choose it’ll be you who have to clean up the mess should your choice turn out to be the wrong one, not someone at Microsoft.


    colin200
    Member
    #392014

    Hi, I would like to move the website [MOD EDIT DELETED} to [DELETED] . Can I do that? I want to improve my ranks with your hosting. thank you

    [MOD EDIT]
    No you can’t. You are a spammer, and have been banned. Why on earth you think a thread about active directory is an appropriate place to post your spam is a separate issue. Now p**s off and find someone else to annoy [/MOD EDIT]

Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.