    Active Directory Domain name

IT Discussion
Tags: domain name registration, domain name, active directory, active directory domain

• scottalanmiller @gjacobse

  @gjacobse said in Active Directory Domain name:

  Is there any real benefit to naming your AD / AAD Domain different than your Domain? As in:

  business.local

  over

  business.org or business.com

  Yes, it's HUGE. First, neither is correct. Do it right, don't even consider something that isn't proper.

  Proper is something like ad.business.org or local.business.org or domain.business.org.

• scottalanmiller

  Using .local conflicts with MacOS utilization, so that should never be used.

• Dashrender @scottalanmiller

  @scottalanmiller said in Active Directory Domain name:

  Using .local conflicts with MacOS utilization, so that should never be used.

  I had heard there was an issue using .local - but never heard what the issue is.

• scottalanmiller

  But the absolute first, most basic rule of Active Directory is never, ever to make it the same name as your domain. Because AD requires DNS to work, it has to control whatever domain you set it to. So if you use a public domain name used for anything else, proper DNS cannot work. So, for example, your company website will not have a possible DNS entry for it because you made both your website AND your domain the same name, and since the domain is mandatory, your website won't work.

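The resolution conflict scottalanmiller describes is easy to see in a small model. The Python below is an added example, not code from this thread or from any Microsoft tooling: it models the records Active Directory registers in its own DNS zone (every domain controller adds an A record for the zone apex, the "(same as parent folder)" entry seen in the DNS console, and Netlogon re-registers it if it is deleted) and a DC-hosted resolver that is authoritative for that zone, then compares what an internal client gets for the website name when the forest is named business.com versus ad.business.com. The zone contents, addresses and function names are constructed for the example.

```python
from typing import Dict, List, Optional

# Constructed public zone, as the registrar-hosted DNS answers it (sample data).
PUBLIC_ZONE: Dict[str, List[str]] = {
    "business.com":      ["203.0.113.10"],   # website served at the bare name
    "www.business.com":  ["203.0.113.10"],
    "mail.business.com": ["203.0.113.25"],
}

DC_IPS = ["10.0.0.11", "10.0.0.12"]           # constructed domain controllers


def ad_zone(ad_name: str, dc_ips: List[str]) -> Dict[str, List[str]]:
    """Records Active Directory registers on its own in the zone for ad_name.

    Each DC adds an A record for the zone apex so that the bare AD name
    resolves to the DCs, plus a host record for itself. Netlogon re-registers
    these periodically, so deleting the apex record by hand does not stick.
    """
    zone: Dict[str, List[str]] = {ad_name: list(dc_ips)}
    for n, ip in enumerate(dc_ips, start=1):
        zone[f"dc{n}.{ad_name}"] = [ip]
    return zone


def in_zone(name: str, zone_name: str) -> bool:
    """True if name is the zone apex or lies beneath it."""
    return name == zone_name or name.endswith("." + zone_name)


def resolve_internal(name: str, ad_name: str, dc_ips: List[str],
                     manual_copies: Optional[Dict[str, List[str]]] = None
                     ) -> Optional[List[str]]:
    """Answer a domain-joined client's query through the DC-hosted resolver.

    The resolver is authoritative for ad_name: a name inside that zone is
    answered only from the AD zone (plus any public records the admin copied in
    by hand, the usual split-DNS workaround) and is NXDOMAIN (None) otherwise.
    Names outside the zone are forwarded to public DNS. AD's own apex
    registration always wins over a manual copy.
    """
    if in_zone(name, ad_name):
        zone = dict(manual_copies or {})
        zone.update(ad_zone(ad_name, dc_ips))   # AD's registrations take precedence
        return zone.get(name)
    return PUBLIC_ZONE.get(name)


def website_reachable(site: str, ad_name: str, dc_ips: List[str],
                      manual_copies: Optional[Dict[str, List[str]]] = None) -> bool:
    """True if an internal client resolving `site` reaches the public web server."""
    return resolve_internal(site, ad_name, dc_ips, manual_copies) == PUBLIC_ZONE[site]


if __name__ == "__main__":
    for ad_name in ("business.com", "ad.business.com"):
        print(f"AD name {ad_name}:")
        for site in ("business.com", "www.business.com"):
            print(f"  {site:18} -> {resolve_internal(site, ad_name, DC_IPS)}")
```

With the forest named business.com, the bare website name lands on the domain controllers no matter what the admin copies into the zone, and www.business.com only works once it is maintained by hand inside AD's zone. With ad.business.com the public zone is never shadowed and nothing has to be copied.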
• scottalanmiller @Dashrender

  @dashrender said in Active Directory Domain name:

  @scottalanmiller said in Active Directory Domain name:

  Using .local conflicts with MacOS utilization, so that should never be used.

  I had heard there was an issue using .local - but never heard what the issue is.

  Apple did it to just be a pip. They knew it was a common convention but wasn't official. So they hard coded it to MacOS for some things under the hood just to be jerks about it. But it taught an important lesson about using things just because "no one else is", because that was always a bad idea.

• CloudKnight

  Also, using a subdomain like ad.mydomain.com makes using Remote Desktop Services a lot less problematic if you want to use it in the future as well.

• Dashrender @scottalanmiller

  @scottalanmiller said in Active Directory Domain name:

  But the absolute first, most basic rule of Active Directory is never, ever to make it the same name as your domain. Because AD requires DNS to work, it has to control whatever domain you set it to. So if you use a public domain name used for anything else, proper DNS cannot work. So, for example, your company website will not have a possible DNS entry for it because you made both your website AND your domain the same name, and since the domain is mandatory, your website won't work.

  /sigh - huh? This didn't become the rule until many, many years after MS. All MS training for 2000 said use your real domain name, then for Windows 2003 (I think) they changed it to .local, then they dumped .local sometime after 2010.

  All that said - I ran with a domain with my real domain name for nearly two decades. Did it cause split DNS issues? Of course it did. Could I work around it? Of course I could/did, like thousands of others.

  But - if you are standing up something today - definitely use something completely unrelated to anything real or, more simply, just use a subdomain of your real domain, such as ad.domain.com.

• Dashrender @CloudKnight

  @stuartjordan said in Active Directory Domain name:

  Also, using a subdomain like ad.mydomain.com makes using Remote Desktop Services a lot less problematic if you want to use it in the future as well.

  I'm curious - how's that?

  Assuming you crazily publish RDP directly on the internet - are you publishing the RDGateway as ad.mydomain.com? Not server.ad.mydomain.com?

• scottalanmiller @Dashrender

  @dashrender said in Active Directory Domain name:

  /sigh - huh? This didn't become the rule until many, many years after MS. All MS training for 2000 said use your real domain name, then for Windows 2003 (I think) they changed it to .local, then they dumped .local sometime after 2010.

  Are you sure? When I learned AD, which was on initial release, it was always "avoid this one thing for sure".

• Dashrender @scottalanmiller

  @scottalanmiller said in Active Directory Domain name:

  @dashrender said in Active Directory Domain name:

  /sigh - huh? This didn't become the rule until many, many years after MS. All MS training for 2000 said use your real domain name, then for Windows 2003 (I think) they changed it to .local, then they dumped .local sometime after 2010.

  Are you sure? When I learned AD, which was on initial release, it was always "avoid this one thing for sure".

  Where did you get your learning? I'm guessing it was likely a difference between the sources.

  And if ad.domain.com was a day one thing for Active Directory - then why would .local ever have been a thing MS pushed? That would make zero sense.

• scottalanmiller @Dashrender

  @dashrender said in Active Directory Domain name:

  And if ad.domain.com was a day one thing for Active Directory - then why would .local ever have been a thing MS pushed? That would make zero sense.

  Who said it was like that from day one? No one.

• scottalanmiller @Dashrender

  @dashrender said in Active Directory Domain name:

  Where did you get your learning? I'm guessing it was likely a difference between the sources.

  Found an article from 2000 talking about risks of doing that...

  https://www.techrepublic.com/article/understanding-active-directory-part-1/

  I find it strange that MS would not know their own technology so much as to recommend doing something so bad. Of course, the use of www was so ubiquitous back then that this didn't cause much issue for a number of years.

• Dashrender @Dashrender

  @dashrender said in Active Directory Domain name:

  @scottalanmiller said in Active Directory Domain name:

  @dashrender said in Active Directory Domain name:

  /sigh - huh? This didn't become the rule until many, many years after MS. All MS training for 2000 said use your real domain name, then for Windows 2003 (I think) they changed it to .local, then they dumped .local sometime after 2010.

  Are you sure? When I learned AD, which was on initial release, it was always "avoid this one thing for sure".

  Where did you get your learning? I'm guessing it was likely a difference between the sources.

  And if ad.domain.com was a day one thing for Active Directory - then why would .local ever have been a thing MS pushed? That would make zero sense.

  Perhaps the original teachings didn't mention "ad".mydomain.com specifically for you - just don't use "mydomain.com", though I have no idea what people would have used back in those days.

  I did run into the occasional setup with a single level domain name "mydomain" - man, those were fun to deal with.

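The naming rules scattered through the thread so far (use a dedicated subdomain such as ad.business.org, never .local, never the same name as the public domain, and avoid the single-label "mydomain" setups mentioned just above) can be turned into a pre-deployment check. The Python below is an added example, not code from the thread or from Microsoft: check_ad_name() is an invented helper that takes a proposed forest DNS name and the list of public domains the organisation owns and returns the list of problems it finds, so an empty list means the name follows the advice given here. The .local finding cites RFC 6762, which reserves that suffix for multicast DNS; the domain names used in the usage lines are constructed.

```python
import re
from typing import Iterable, List

# .local is reserved for multicast DNS (RFC 6762); that is what macOS is honouring
# when it resolves .local names via mDNS, and it is not a registrable TLD, so no
# publicly trusted CA can issue a certificate for a name under it.
MDNS_SUFFIX = ".local"

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(name: str) -> str:
    """Lower-case and strip whitespace and any trailing dot for comparison."""
    return name.strip().rstrip(".").lower()


def check_ad_name(ad_name: str, registered_domains: Iterable[str]) -> List[str]:
    """Return the problems with a proposed Active Directory DNS name (empty list = OK).

    registered_domains: the public domains the organisation owns and already uses
    for its website or mail. The advice in the thread is that a good AD name is a
    dedicated subdomain of one of them (ad.business.org, local.business.org, ...).
    """
    name = normalise(ad_name)
    labels = name.split(".")
    owned = {normalise(d) for d in registered_domains}
    problems: List[str] = []

    if any(not LABEL_RE.match(label) for label in labels):
        problems.append("contains an invalid DNS label")

    if len(labels) == 1:
        problems.append("single-label name: Microsoft recommends against these; "
                        "dynamic DNS registration and suffix-based resolution misbehave")

    if name.endswith(MDNS_SUFFIX) or name == MDNS_SUFFIX.lstrip("."):
        problems.append(".local is reserved for multicast DNS (RFC 6762): macOS resolves it "
                        "via mDNS and public CAs will not issue certificates for it")

    if name in owned:
        problems.append("same name as a public domain: the AD zone would shadow the public "
                        "zone, with the apex pointing at the domain controllers")
    elif not any(name.endswith("." + d) for d in owned):
        problems.append("not a subdomain of a domain you own: a name you do not control can "
                        "be registered by someone else")

    return problems


if __name__ == "__main__":
    # Constructed candidates from the discussion above.
    owned_domains = ["business.org", "business.com"]
    for candidate in ("ad.business.org", "business.org", "business.local", "mydomain"):
        verdict = check_ad_name(candidate, owned_domains) or ["OK"]
        print(f"{candidate:18} {'; '.join(verdict)}")
```

Run as a script it prints one line per candidate; the function itself is what you would call from a build script before promoting the first domain controller, since the forest name cannot be changed afterwards without a domain rename.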
• Dashrender @scottalanmiller

  @scottalanmiller said in Active Directory Domain name:

  @dashrender said in Active Directory Domain name:

  Where did you get your learning? I'm guessing it was likely a difference between the sources.

  Found an article from 2000 talking about risks of doing that...

  https://www.techrepublic.com/article/understanding-active-directory-part-1/

  I find it strange that MS would not know their own technology so much as to recommend doing something so bad. Of course, the use of www was so ubiquitous back then that this didn't cause much issue for a number of years.

  I think that is exactly it - www removed the main problem for the actual websites...

• Dashrender @scottalanmiller

  @scottalanmiller said in Active Directory Domain name:

  @dashrender said in Active Directory Domain name:

  And if ad.domain.com was a day one thing for Active Directory - then why would .local ever have been a thing MS pushed? That would make zero sense.

  Who said it was like that from day one? No one.

  Did you miss the 'if'?

• scottalanmiller @Dashrender

  @dashrender said in Active Directory Domain name:

  Perhaps the original teachings didn't mention "ad".mydomain.com specifically for you - just don't use "mydomain.com", though I have no idea what people would have used back in those days.

  Right, that's all that I am thinking that it was. It uses DNS, so should obviously never overlap with another DNS system.

• scottalanmiller @Dashrender

  @dashrender said in Active Directory Domain name:

  @scottalanmiller said in Active Directory Domain name:

  @dashrender said in Active Directory Domain name:

  Where did you get your learning? I'm guessing it was likely a difference between the sources.

  Found an article from 2000 talking about risks of doing that...

  https://www.techrepublic.com/article/understanding-active-directory-part-1/

  I find it strange that MS would not know their own technology so much as to recommend doing something so bad. Of course, the use of www was so ubiquitous back then that this didn't cause much issue for a number of years.

  I think that is exactly it - www removed the main problem for the actual websites...

  Except email. It broke email back then.

• JasGot @Dashrender

  @dashrender said in Active Directory Domain name:

  @scottalanmiller said in Active Directory Domain name:

  Using .local conflicts with MacOS utilization, so that should never be used.

  I had heard there was an issue using .local - but never heard what the issue is.

  Can't get SSL certs for .local anymore. Big problem if you host your email or website on your .local domain.

• scottalanmiller @JasGot

  @jasgot said in Active Directory Domain name:

  @dashrender said in Active Directory Domain name:

  @scottalanmiller said in Active Directory Domain name:

  Using .local conflicts with MacOS utilization, so that should never be used.

  I had heard there was an issue using .local - but never heard what the issue is.

  Can't get SSL certs for .local anymore. Big problem if you host your email or website on your .local domain.

  Could you ever get them? .local was never a TLD, so no legit cert could ever have been issued. Anyone issuing one would have been an unofficial, random third party, since you can't register .local.

  You can always issue your own, if you want.

• jt1001001 @scottalanmiller

  When we set it up we used a different TLD (not .local) thinking that was best practice. It bit us more times than I care to count. Project for 2022 now is to move 100% to "cloud" and remove AD from the footprint entirely.
