Active Directory Domain name

scottalanmiller

@jasgot said in Active Directory Domain name:

@dashrender said in Active Directory Domain name:

@scottalanmiller said in Active Directory Domain name:

Using .local conflicts with MacOS utilization, so that should never be used.

I had heard there was an issue using .local - but never heard what the issue is.

Can't get SSL certs for .local anymore. Big problem if you host your email or website on your .local domain.

Could you ever get them? .local was never a TLD so no legit cert could ever have been issued. Anyone issuing one would have been an unofficial, random third party since you can't register .local

You can always issue your own, if you want.

jt1001001

When we set it up we used a different TLD (not .local) thinking that was best practice. It bit us more times than I care to count. Project for 2022 now is to move 100% to "cloud" and remove AD from the footprint entirely.

Dashrender

@jt1001001 said in Active Directory Domain name:

When we set it up we used a different TLD (not .local) thinking that was best practice. It bit us more times than I care to count. Project for 2022 now is to move 100% to "cloud" and remove AD from the footprint entirely.

I'm working toward this same goal.
replacing things like Group Policies is a next major focus of mine.

pmoncho

@dashrender said in Active Directory Domain name:

@jt1001001 said in Active Directory Domain name:

When we set it up we used a different TLD (not .local) thinking that was best practice. It bit us more times than I care to count. Project for 2022 now is to move 100% to "cloud" and remove AD from the footprint entirely.

I'm working toward this same goal.
replacing things like Group Policies is a next major focus of mine.

I would really like to do the same thing but am having trouble figuring out what to replace it with.

Dashrender

@pmoncho said in Active Directory Domain name:

@dashrender said in Active Directory Domain name:

@jt1001001 said in Active Directory Domain name:

When we set it up we used a different TLD (not .local) thinking that was best practice. It bit us more times than I care to count. Project for 2022 now is to move 100% to "cloud" and remove AD from the footprint entirely.

I'm working toward this same goal.
replacing things like Group Policies is a next major focus of mine.

I would really like to do the same thing but am having trouble figuring out what to replace it with.

Things on my plate - intune (comes with Microsoft 365 Premium)
Salt
Ansible
Chef

I'm more toward a client on the endpoint solution - i.e. intune and Salt, I don't know if the others use that or not?

Dashrender

Another option I've spoken with Jared about is running a script (say hourly) that would check a private gitlab/github repo for updates to be applied to the machines.

pmoncho

@dashrender said in Active Directory Domain name:

Another option I've spoken with Jared about is running a script (say hourly) that would check a private gitlab/github repo for updates to be applied to the machines.

I see. Interesting. I will look into those.

flaxking

One thing to note with ad.domainname.com is that in some places it will just display your domain as 'AD'
Which could be a vanity problem in some cases

JasGot

@scottalanmiller said in Active Directory Domain name:

Could you ever get them? .local was never a TLD so no legit cert could ever have been issued.

I just searched my Comodo Orders going back to 2007, I found many referencing .local

However, here's the difference that I had forgotten about, the .local was always a secondary name in the cert.

Example:
The cert was valid for:
Domain.Org
ServerName
ServerName.Domain.Org

I didn't see where I ever got a cert for ONLY the .local name.

black3dynamite

@flaxking said in Active Directory Domain name:

One thing to note with ad.domainname.com is that in some places it will just display your domain as 'AD'
Which could be a vanity problem in some cases

I'm curious if you ever seen a set up that reuses the same domainname as subdomain for AD like so, domainname.domainname.com?

flaxking

@black3dynamite said in Active Directory Domain name:

@flaxking said in Active Directory Domain name:

One thing to note with ad.domainname.com is that in some places it will just display your domain as 'AD'
Which could be a vanity problem in some cases

I'm curious if you ever seen a set up that reuses the same domainname as subdomain for AD like so, domainname.domainname.com?

Not exactly, I had had a discussion about using companyinitialsdomain.companyname.com, but in the end we purchased a new domain name for the AD domain.

scottalanmiller

@black3dynamite said in Active Directory Domain name:

@flaxking said in Active Directory Domain name:

One thing to note with ad.domainname.com is that in some places it will just display your domain as 'AD'
Which could be a vanity problem in some cases

I'm curious if you ever seen a set up that reuses the same domainname as subdomain for AD like so, domainname.domainname.com?

Or... companyname.domainname.com

Which might be the same, might be wildly different.

scottalanmiller

@flaxking said in Active Directory Domain name:

One thing to note with ad.domainname.com is that in some places it will just display your domain as 'AD'
Which could be a vanity problem in some cases

LOL, yeah, I see that a lot. I hate that.

pmoncho

@scottalanmiller said in Active Directory Domain name:

@flaxking said in Active Directory Domain name:

One thing to note with ad.domainname.com is that in some places it will just display your domain as 'AD'
Which could be a vanity problem in some cases

LOL, yeah, I see that a lot. I hate that.

I used ad.domain.com for my lab and have come to not like it either. Don't know if I like corp.domain.com either.

I've thought about companyinitials.domain.com too. That only works until the company is bought out.

scottalanmiller

@pmoncho said in Active Directory Domain name:

@scottalanmiller said in Active Directory Domain name:

@flaxking said in Active Directory Domain name:

One thing to note with ad.domainname.com is that in some places it will just display your domain as 'AD'
Which could be a vanity problem in some cases

LOL, yeah, I see that a lot. I hate that.

I used ad.domain.com for my lab and have come to not like it either. Don't know if I like corp.domain.com either.

I've thought about companyinitials.domain.com too. That only works until the company is bought out.

ANY domain name is a problem "until bought out." There's never a way around that.

For a long time, we used "niagara" which was always just a short form of any name that we ever had.

Mario Jakovina

@scottalanmiller said in Active Directory Domain name:

For a long time, we used "niagara" which was always just a short form of any name that we ever had.

Does NTG still uses Active Directory in its business?

siringo

so are you guys saying that the new thinking is now to give your inhouse, private AD domain name a subdomain name of your public domain name?

is that primarily to avoid that macOS stuff Scott mentioned?

I never did any 2000/AD training (3.51 for me) but I can clearly remember reading MS technotes that mentioned using .local. That's why I've used that since.

Dashrender

@siringo said in Active Directory Domain name:

so are you guys saying that the new thinking is now to give your inhouse, private AD domain name a subdomain name of your public domain name?

I wouldn't call it new - it's been since at least 2016, and likely longer than that.

is that primarily to avoid that macOS stuff Scott mentioned?

I believe dumping .local was to avoid the mac issues, the subdomain use is because of DNS.

I never did any 2000/AD training (3.51 for me) but I can clearly remember reading MS technotes that mentioned using .local. That's why I've used that since.

I believe .local came into vogue around Server 2003 (maybe 2003R2) and was stopped around Server 2008 or 2012.

siringo

@dashrender said in Active Directory Domain name:

@siringo said in Active Directory Domain name:

so are you guys saying that the new thinking is now to give your inhouse, private AD domain name a subdomain name of your public domain name?

I wouldn't call it new - it's been since at least 2016, and likely longer than that.

is that primarily to avoid that macOS stuff Scott mentioned?

I believe dumping .local was to avoid the mac issues, the subdomain use is because of DNS.

I never did any 2000/AD training (3.51 for me) but I can clearly remember reading MS technotes that mentioned using .local. That's why I've used that since.

I believe .local came into vogue around Server 2003 (maybe 2003R2) and was stopped around Server 2008 or 2012.

Oh, OK. Thanks for that. I'd never heard of any of that before. Good to know.

Dashrender

@siringo said in Active Directory Domain name:

@dashrender said in Active Directory Domain name:

@siringo said in Active Directory Domain name:

so are you guys saying that the new thinking is now to give your inhouse, private AD domain name a subdomain name of your public domain name?

I wouldn't call it new - it's been since at least 2016, and likely longer than that.

is that primarily to avoid that macOS stuff Scott mentioned?

I believe dumping .local was to avoid the mac issues, the subdomain use is because of DNS.

I never did any 2000/AD training (3.51 for me) but I can clearly remember reading MS technotes that mentioned using .local. That's why I've used that since.

I believe .local came into vogue around Server 2003 (maybe 2003R2) and was stopped around Server 2008 or 2012.

Oh, OK. Thanks for that. I'd never heard of any of that before. Good to know.

FYI - Local was also dumped because it's not a valid TLD (Top Level Domain) - i.e. can't be used on the internet. Certificate makers are now refusing to include domain.local in new certificates.