Active Directory Domain name
-
@dashrender said in Active Directory Domain name:
@siringo said in Active Directory Domain name:
@dashrender said in Active Directory Domain name:
@siringo said in Active Directory Domain name:
so are you guys saying that the new thinking is now to give your inhouse, private AD domain name a subdomain name of your public domain name?
I wouldn't call it new - it's been since at least 2016, and likely longer than that.
is that primarily to avoid that macOS stuff Scott mentioned?
I believe dumping .local was to avoid the mac issues, the subdomain use is because of DNS.
I never did any 2000/AD training (3.51 for me) but I can clearly remember reading MS technotes that mentioned using .local. That's why I've used that since.
I believe .local came into vogue around Server 2003 (maybe 2003R2) and was stopped around Server 2008 or 2012.
Oh, OK. Thanks for that. I'd never heard of any of that before. Good to know.
FYI - Local was also dumped because it's not a valid TLD (Top Level Domain) - i.e. can't be used on the internet. Certificate makers are now refusing to include domain.local in new certificates.
Interesting. I believe that is why it was used in private AD environments in the first place, for that very reason.
-
@flaxking said in Active Directory Domain name:
One thing to note with ad.domainname.com is that in some places it will just display your domain as 'AD'
Which could be a vanity problem in some casesFound one that uses 'AD' in production.
-
@black3dynamite ha, I've seen it, but not often.
-
@siringo said in Active Directory Domain name:
@dashrender said in Active Directory Domain name:
@siringo said in Active Directory Domain name:
@dashrender said in Active Directory Domain name:
@siringo said in Active Directory Domain name:
so are you guys saying that the new thinking is now to give your inhouse, private AD domain name a subdomain name of your public domain name?
I wouldn't call it new - it's been since at least 2016, and likely longer than that.
is that primarily to avoid that macOS stuff Scott mentioned?
I believe dumping .local was to avoid the mac issues, the subdomain use is because of DNS.
I never did any 2000/AD training (3.51 for me) but I can clearly remember reading MS technotes that mentioned using .local. That's why I've used that since.
I believe .local came into vogue around Server 2003 (maybe 2003R2) and was stopped around Server 2008 or 2012.
Oh, OK. Thanks for that. I'd never heard of any of that before. Good to know.
FYI - Local was also dumped because it's not a valid TLD (Top Level Domain) - i.e. can't be used on the internet. Certificate makers are now refusing to include domain.local in new certificates.
Interesting. I believe that is why it was used in private AD environments in the first place, for that very reason.
That's right, that it had those limitations was the point. AD is fundamentally not built with the intention of being on the Internet!
-
@dashrender said in Active Directory Domain name:
@siringo said in Active Directory Domain name:
@dashrender said in Active Directory Domain name:
@siringo said in Active Directory Domain name:
so are you guys saying that the new thinking is now to give your inhouse, private AD domain name a subdomain name of your public domain name?
I wouldn't call it new - it's been since at least 2016, and likely longer than that.
is that primarily to avoid that macOS stuff Scott mentioned?
I believe dumping .local was to avoid the mac issues, the subdomain use is because of DNS.
I never did any 2000/AD training (3.51 for me) but I can clearly remember reading MS technotes that mentioned using .local. That's why I've used that since.
I believe .local came into vogue around Server 2003 (maybe 2003R2) and was stopped around Server 2008 or 2012.
Oh, OK. Thanks for that. I'd never heard of any of that before. Good to know.
FYI - Local was also dumped because it's not a valid TLD (Top Level Domain) - i.e. can't be used on the internet. Certificate makers are now refusing to include domain.local in new certificates.
Not also, it was kept until there was competition over the private (can't be used) TLD. Apple and MS both chose it because it couldn't be used that way. No certificate maker should ever have included it (and I've never heard of that as it would always indicate a scam CA as you cannot own that domain by definition).
Any CA that issued that can't be trusted and is a huge security risk.
-
@scottalanmiller said in Active Directory Domain name:
used that way. No certificate maker should ever have included it (and I've never heard of that as it would always indicate a scam CA as you cannot own that domain by definition).
The Majority if not all did add the .local, .lan and others, unless you think all CA are scams then I wouldn't say they are a scam.
-
@dbeato said in Active Directory Domain name:
@scottalanmiller said in Active Directory Domain name:
used that way. No certificate maker should ever have included it (and I've never heard of that as it would always indicate a scam CA as you cannot own that domain by definition).
The Majority if not all did add the .local, .lan and others, unless you think all CA are scams then I wouldn't say they are a scam.
I was thinking the same thing. Sure they weren't the primary, these odd-balls where always secondary, but still most of them supported it as far as I understood.
I guess that makes most CA's scams.
-
@dbeato said in Active Directory Domain name:
@scottalanmiller said in Active Directory Domain name:
used that way. No certificate maker should ever have included it (and I've never heard of that as it would always indicate a scam CA as you cannot own that domain by definition).
The Majority if not all did add the .local, .lan and others, unless you think all CA are scams then I wouldn't say they are a scam.
Yeah from a quick search looks like at least GoDaddy and Digicert offered them.
Nov 2015 is when CA/Browser Forum set the standard to not allow internal domains. So looks like most if not all would have supported it before that.
-
Wow, sounds like they didn't think that through.
-
@stacksofplates said in Active Directory Domain name:
@dbeato said in Active Directory Domain name:
@scottalanmiller said in Active Directory Domain name:
used that way. No certificate maker should ever have included it (and I've never heard of that as it would always indicate a scam CA as you cannot own that domain by definition).
The Majority if not all did add the .local, .lan and others, unless you think all CA are scams then I wouldn't say they are a scam.
Yeah from a quick search looks like at least GoDaddy and Digicert offered them.
Nov 2015 is when CA/Browser Forum set the standard to not allow internal domains. So looks like most if not all would have supported it before that.
Damn, that's a major security hole! So I could go get a cert issued for a domain someone else used and there had to be zero verification since.... there was nothing to verify!
-
@dashrender said in Active Directory Domain name:
I guess that makes most CA's scams.
That's not what did it, but yes, yes they are.
-
@scottalanmiller said in Active Directory Domain name:
@dashrender said in Active Directory Domain name:
I guess that makes most CA's scams.
That's not what did it, but yes, yes they are.
I really think ICANN should have just kept CAs to themselves and not made any money off of it.
-
@scottalanmiller Microsoft recommends the onpremise and Azure AD to be exactly the same for a Hybrid AD. I know it's completely different subject but it kind of relates.
-
@scottalanmiller said in Active Directory Domain name:
@stacksofplates said in Active Directory Domain name:
@dbeato said in Active Directory Domain name:
@scottalanmiller said in Active Directory Domain name:
used that way. No certificate maker should ever have included it (and I've never heard of that as it would always indicate a scam CA as you cannot own that domain by definition).
The Majority if not all did add the .local, .lan and others, unless you think all CA are scams then I wouldn't say they are a scam.
Yeah from a quick search looks like at least GoDaddy and Digicert offered them.
Nov 2015 is when CA/Browser Forum set the standard to not allow internal domains. So looks like most if not all would have supported it before that.
Damn, that's a major security hole! So I could go get a cert issued for a domain someone else used and there had to be zero verification since.... there was nothing to verify!
Yup.
