.local vs .com



  • I'm not sure if this conversation has been completely talked to death. I'm wanting to get others' perspective on the use of .local vs. .com

    .local has been used by default for Windows Server for quite some time, up to 2012R2 Essentials. Many people prefer to use something like ad.domain.com.

    There have been a few client acquisitions, and what ends up happening is a company name changes a couple times before the servers are replaced within ~5 years. Rather than changing their domain name, I just create a new DNS suffix instead. Over time, I end up rebuilding the domain not only to clean stuff up, but to have the company name completely updated across the board. It takes a little more time, but it looks better in the end so there is no old hold-over.

    I've read quite a bit over the years of people using corp.local ... you don't have to worry about company name changes or anything else. But then people have run into issues where they need to have an internal CA, since 3rd-party certs can't be issued to non-resolvable FQDNs.

    Thoughts on consistency?



  • @bbigford said in .local vs .com:

    I'm not sure if this conversation has been completely talked to death. I'm wanting to get others' perspective on the use of .local vs. .com

    .local has been used by default for Windows Server for quite some time, up to 2012R2 Essentials. Many people prefer to use something like ad.domain.com.

    There have been a few client acquisitions, and what ends up happening is a company name changes a couple times before the servers are replaced within ~5 years. Rather than changing their domain name, I just create a new DNS suffix instead. Over time, I end up rebuilding the domain not only to clean stuff up, but to have the company name completely updated across the board. It takes a little more time, but it looks better in the end so there is no old hold-over.

    I've read quite a bit over the years of people using corp.local ... you don't have to worry about company name changes or anything else. But then people have run into issues where they need to have an internal CA, since 3rd-party certs can't be issued to non-resolvable FQDNs.

    Thoughts on consistency?

    About com vs local: Many guides today suggest a real domain. The most important reason seems to be that you will be able to get "real" certificates. No chance for certs with invalid TLDs.



  • I would not deploy a new .local today. MS has decided to move away from this, I'd stick to that.

    Overall, I'd not rename AD domains, period; it's silly. It's an under-the-hood authentication artifact and should not matter to employees. Really, they shouldn't see it at all; that they do is a Windows-ism that I don't like.



  • @thwr said in .local vs .com:

    About com vs local: Many guides today suggest a real domain. The most important reason seems to be that you will be able to get "real" certificates. No chance for certs with invalid TLDs.

    Right. I haven't found any pros/cons for ad.domain.com vs. domain.com though.



  • @bbigford said in .local vs .com:

    Right. I haven't found any pros/cons for ad.domain.com vs. domain.com though.

    It's more on the website side of things for DNS, in which the main domain cannot be accessed internally (the website without the www CNAME record, or other records with it).



  • @bbigford said in .local vs .com:

    Right. I haven't found any pros/cons for ad.domain.com vs. domain.com though.

    Other than one blows domain.com out from working properly and the other doesn't. If you are buying domain.com with the sole purpose of paying to own a domain just to use for AD, sure. But... why?
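
As an added illustration of the two DNS consequences raised in this thread (an editor's example, not a post by any participant): a public CA will not issue for a name under a non-delegated suffix such as .local, and an AD zone named at the apex (domain.com) hides the public records under it from domain members, whereas ad.domain.com hides none. The zone data, hostnames and addresses are constructed.

```python
"""Editor's added example (not from the thread): two consequences of the AD
DNS name choice discussed above.

1. Public CAs do not issue for names under non-delegated suffixes such as
   .local, so such a forest needs an internal CA for TLS on its FQDNs.
2. Naming AD at the apex (example.com) makes internal DNS authoritative for
   example.com, so public records under it vanish for domain members unless
   mirrored internally; ad.example.com shadows nothing public.

All names, records and addresses below are constructed for illustration.
"""
from __future__ import annotations

# Suffixes a public CA treats as internal names (assumption: this list is
# illustrative, not the CA/Browser Forum's authoritative definition).
NON_PUBLIC_SUFFIXES = ("local", "lan", "internal", "corp", "home")

# Constructed public zone for example.com as public DNS sees it.
PUBLIC_RECORDS = {
    "example.com": "A 203.0.113.10",          # bare website, no www
    "www.example.com": "CNAME example.com",
    "mail.example.com": "A 203.0.113.25",
    "autodiscover.example.com": "CNAME mail.example.com",
}


def _labels(name: str) -> list[str]:
    return name.rstrip(".").lower().split(".")


def public_cert_possible(fqdn: str) -> bool:
    """True if the name's TLD is one a public CA could issue for."""
    return _labels(fqdn)[-1] not in NON_PUBLIC_SUFFIXES


def in_zone(name: str, zone: str) -> bool:
    """Whether `name` is the apex of `zone` or a name beneath it."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def shadowed_records(ad_zone: str, public_records: dict[str, str]) -> dict[str, str]:
    """Public records that domain members lose sight of once internal DNS is
    authoritative for `ad_zone`, unless an admin mirrors them internally."""
    return {n: v for n, v in public_records.items() if in_zone(n, ad_zone)}


def evaluate(ad_zone: str) -> dict[str, object]:
    """Summarise both consequences for a candidate AD DNS name."""
    return {
        "ad_zone": ad_zone,
        "public_cert_possible": public_cert_possible("dc01." + ad_zone),
        "records_to_mirror": sorted(shadowed_records(ad_zone, PUBLIC_RECORDS)),
    }


if __name__ == "__main__":
    for candidate in ("example.local", "example.com", "ad.example.com"):
        print(evaluate(candidate))
```

Running it shows example.com forcing all four public records into the internal zone, while ad.example.com needs none mirrored and still allows public certificates.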



  • @dbeato said in .local vs .com:

    It's more on the website side of things for DNS, in which the main domain cannot be accessed internally (the website without the www CNAME record, or other records with it).

    And can never access the default!



  • @dbeato said in .local vs .com:

    It's more on the website side of things for DNS, in which the main domain cannot be accessed internally (the website without the www CNAME record, or other records with it).

    I posted that without thinking about it too much. There are a lot of reasons to not use domain.com 🙂



  • @bbigford said in .local vs .com:

    I posted that without thinking about it too much. There are a lot of reasons to not use domain.com 🙂

    I am giving you one reason but I can come up with others.



  • @dbeato said in .local vs .com:

    I am giving you one reason but I can come up with others.

    That's a huge reason though. Having to maintain records in multiple areas. No thanks.



  • @bbigford said in .local vs .com:

    That's a huge reason though. Having to maintain records in multiple areas. No thanks.

    See also this:

    https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx



  • @bbigford

    If given the choice, I would not deploy a fresh domain using a .local or similar. If you walk into one, it's not really an issue and it's hard to justify the time and labour to change it, but I will say there are cases it makes sense to change to a normal TLD from a .local.

    If you work for the parent company, like BigCorp.com, and you have a bunch of acquisitions... when you do make changes, it really depends on how your company is logically laid out. If the acquisitions keep their names, you could do something like company1.bigcorp.com. If the name gets melted in, you could simply absorb it into BigCorp.com. It really just depends.

    You could also do nothing if there's no reason to change.



  • I've been working at a .local for almost 5 years now... no issues whatsoever, and no additional work required. No reason to change, probably never will unless a need comes up. We also use internal CA, for all users and public email... no issues there.



  • @tim_g said in .local vs .com:

    I've been working at a .local for almost 5 years now... no issues whatsoever, and no additional work required. No reason to change, probably never will unless a need comes up. We also use internal CA, for all users and public email... no issues there.

    We've got a ton of clients using them from over the years. I just built a couple new environments this week and used ad.domain.com for them. It would help not having to deal with an internal CA.



  • @bbigford said in .local vs .com:

    We've got a ton of clients using them from over the years. I just built a couple new environments this week and used ad.domain.com for them. It would help not having to deal with an internal CA.

    Sometimes an internal CA is extremely beneficial in an AD environment.

    In my case, there are hundreds of users in an AD/O365 environment. The internal MS CA does everything 100% automatically as far as certificate creation and distribution goes, including adding certs to the machine automatically when they log on to another PC... (the certs follow them).

    That would be a nightmare using something external.

    Oh, I should mention that all certificates are using company.com... so the internal domain being .local has no effect on whether or not you must use an internal or external CA.

