Active Directory Domain name

Dashrender

@stuartjordan said in Active Directory Domain name:

Also using a subdomain like ad.mydomain.com makes using Remote Desktop Services a lot less problematic if you want to use in the future as well.

I'm curious - how's that?

Assuming you crazily publish RDP directly on the internet - are you publishing the RDGateway as ad.mydomain.com? not server.ad.mydomain.com?

scottalanmiller

@dashrender said in Active Directory Domain name:

/sigh - huh? This didn't become the rule until many many years after MS, All MS training for 2000 said use your real domain name, then for Windows 2003 (I think) they changed it to .local, then they dumped .local sometime after 2010.

Are you sure? When I learned AD, which was on initial release, it was always "avoid this one thing for sure".

Dashrender

@scottalanmiller said in Active Directory Domain name:

@dashrender said in Active Directory Domain name:

/sigh - huh? This didn't become the rule until many many years after MS, All MS training for 2000 said use your real domain name, then for Windows 2003 (I think) they changed it to .local, then they dumped .local sometime after 2010.

Are you sure? When I learned AD, which was on initial release, it was always "avoid this one thing for sure".

Where did you get your learning? I'm guessing it was likely a difference between the sources.

And if ad.domain.com was a day one for active directory - they why would .local ever have been a thing MS pushed? That would make zero sense.

scottalanmiller

@dashrender said in Active Directory Domain name:

And if ad.domain.com was a day one for active directory - they why would .local ever have been a thing MS pushed? That would make zero sense.

Who said it was like that from day one? No one.

scottalanmiller

@dashrender said in Active Directory Domain name:

Where did you get your learning? I'm guessing it was likely a difference between the sources.

Found an article from 2000 talking about risks of doing that...

https://www.techrepublic.com/article/understanding-active-directory-part-1/

I find it strange that MS would not know their own technology so much as to recommend doing something so bad. Of course, the use of www was so ubiquitous back then that this didn't cause much issue for a number of years.

Dashrender

@dashrender said in Active Directory Domain name:

@scottalanmiller said in Active Directory Domain name:

@dashrender said in Active Directory Domain name:

/sigh - huh? This didn't become the rule until many many years after MS, All MS training for 2000 said use your real domain name, then for Windows 2003 (I think) they changed it to .local, then they dumped .local sometime after 2010.

Are you sure? When I learned AD, which was on initial release, it was always "avoid this one thing for sure".

Where did you get your learning? I'm guessing it was likely a difference between the sources.

And if ad.domain.com was a day one for active directory - they why would .local ever have been a thing MS pushed? That would make zero sense.

Perhaps the original teachings didn't mention "ad".mydomain.com specifically for you - just don't use "mydomain.com" though I have no idea what people would have used back in those days.

I did run into the occasional setup with a single level domain name "mydomain" - man, those were fun to deal with.

Dashrender

@scottalanmiller said in Active Directory Domain name:

@dashrender said in Active Directory Domain name:

Where did you get your learning? I'm guessing it was likely a difference between the sources.

Found an article from 2000 talking about risks of doing that...

https://www.techrepublic.com/article/understanding-active-directory-part-1/

I find it strange that MS would not know their own technology so much as to recommend doing something so bad. Of course, the use of www was so ubiquitous back then that this didn't cause much issue for a number of years.

I think that is exactly it - www removed the main problem for the actual websites...

Dashrender

@scottalanmiller said in Active Directory Domain name:

@dashrender said in Active Directory Domain name:

And if ad.domain.com was a day one for active directory - they why would .local ever have been a thing MS pushed? That would make zero sense.

Who said it was like that from day one? No one.

Did you miss the 'if'?

scottalanmiller

@dashrender said in Active Directory Domain name:

Perhaps the original teachings didn't mention "ad".mydomain.com specifically for you - just don't use "mydomain.com" though I have no idea what people would have used back in those days.

Right, that's all that I am thinking that it was. It uses DNS, so should obviously never overlap with another DNS system.

scottalanmiller

@dashrender said in Active Directory Domain name:

@scottalanmiller said in Active Directory Domain name:

@dashrender said in Active Directory Domain name:

Where did you get your learning? I'm guessing it was likely a difference between the sources.

Found an article from 2000 talking about risks of doing that...

https://www.techrepublic.com/article/understanding-active-directory-part-1/

I find it strange that MS would not know their own technology so much as to recommend doing something so bad. Of course, the use of www was so ubiquitous back then that this didn't cause much issue for a number of years.

I think that is exactly it - www removed the main problem for the actual websites...

Except email. It broke email back then.

JasGot

@dashrender said in Active Directory Domain name:

@scottalanmiller said in Active Directory Domain name:

Using .local conflicts with MacOS utilization, so that should never be used.

I had heard there was an issue using .local - but never heard what the issue is.

Can't get SSL certs for .local anymore. Big problem if you host your email or website on your .local domain.

scottalanmiller

@jasgot said in Active Directory Domain name:

@dashrender said in Active Directory Domain name:

@scottalanmiller said in Active Directory Domain name:

Using .local conflicts with MacOS utilization, so that should never be used.

I had heard there was an issue using .local - but never heard what the issue is.

Can't get SSL certs for .local anymore. Big problem if you host your email or website on your .local domain.

Could you ever get them? .local was never a TLD so no legit cert could ever have been issued. Anyone issuing one would have been an unofficial, random third party since you can't register .local

You can always issue your own, if you want.

jt1001001

When we set it up we used a different TLD (not .local) thinking that was best practice. It bit us more times than I care to count. Project for 2022 now is to move 100% to "cloud" and remove AD from the footprint entirely.

Dashrender

@jt1001001 said in Active Directory Domain name:

When we set it up we used a different TLD (not .local) thinking that was best practice. It bit us more times than I care to count. Project for 2022 now is to move 100% to "cloud" and remove AD from the footprint entirely.

I'm working toward this same goal.
replacing things like Group Policies is a next major focus of mine.

pmoncho

@dashrender said in Active Directory Domain name:

@jt1001001 said in Active Directory Domain name:

When we set it up we used a different TLD (not .local) thinking that was best practice. It bit us more times than I care to count. Project for 2022 now is to move 100% to "cloud" and remove AD from the footprint entirely.

I'm working toward this same goal.
replacing things like Group Policies is a next major focus of mine.

I would really like to do the same thing but am having trouble figuring out what to replace it with.

Dashrender

@pmoncho said in Active Directory Domain name:

@dashrender said in Active Directory Domain name:

@jt1001001 said in Active Directory Domain name:

When we set it up we used a different TLD (not .local) thinking that was best practice. It bit us more times than I care to count. Project for 2022 now is to move 100% to "cloud" and remove AD from the footprint entirely.

I'm working toward this same goal.
replacing things like Group Policies is a next major focus of mine.

I would really like to do the same thing but am having trouble figuring out what to replace it with.

Things on my plate - intune (comes with Microsoft 365 Premium)
Salt
Ansible
Chef

I'm more toward a client on the endpoint solution - i.e. intune and Salt, I don't know if the others use that or not?

Dashrender

Another option I've spoken with Jared about is running a script (say hourly) that would check a private gitlab/github repo for updates to be applied to the machines.

pmoncho

@dashrender said in Active Directory Domain name:

Another option I've spoken with Jared about is running a script (say hourly) that would check a private gitlab/github repo for updates to be applied to the machines.

I see. Interesting. I will look into those.

flaxking

One thing to note with ad.domainname.com is that in some places it will just display your domain as 'AD'
Which could be a vanity problem in some cases

JasGot

@scottalanmiller said in Active Directory Domain name:

Could you ever get them? .local was never a TLD so no legit cert could ever have been issued.

I just searched my Comodo Orders going back to 2007, I found many referencing .local

However, here's the difference that I had forgotten about, the .local was always a secondary name in the cert.

Example:
The cert was valid for:
Domain.Org
ServerName
ServerName.Domain.Org

I didn't see where I ever got a cert for ONLY the .local name.