Naming Windows Server 2008 domains

See:

  • MS:Naming conventions in Active Directory for computers, domains, sites, and OUs
  • MS:Considerations for designing namespaces in a Windows 2000-based domain
  • MS:Information about configuring Windows for domains with single-label DNS names
  • MS:How DNS Support for Active Directory Works
  • SF:Issues with using real domain for Active Directory domain?
  • SF:Active Directory: Is it required that the “A” record for a domain point to a Domain Controller?
  • SF:Top level domain for private networks?
  • SF:Using .local for internal websites

The .local domain suffix is not an FQDN and therefore 'non-routable'. This protects your domain somewhat from passing information outside of its perimeter.

For example, a user with a laptop on your internal-only acme.com domain plugs into their home network. It attempts to resolve acme.com and talk to its nearest DC. Your external acme.com is suddenly batting off AD-related traffic, and that traffic is flowing directly across the internet.

Worst-case scenario is that you pick an internal domain name, and someone else owns that same domain name externally. Now when your users go off-site, their machine attempts to resolve and contact the domain, only to have their traffic sent to some random company that owns the mysuperdomain.com name out in Timbuktu.

There are also some complications that may arise around internal and external DNS configuration if you choose to use the same name for internal and external domains. Even using a sub-domain of your external domain name (e.g. AD.mycompany.com) can lead to issues with DNS down the line, often in granting internal users access to your resources that are also available externally.

Best practice IMO is using mycompanyname.local for your internal domain, and mycompanyname.com (or such) for external.
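As an added illustration (not part of the answer above, and not any Microsoft tooling), the script below turns the naming considerations just described into a pre-deployment check: it classifies a proposed AD DNS name as single-label, non-routable (.local), the same as or a sub-domain of a public domain you own, or a public name someone else controls, and states what an off-site domain member's DC-locator lookup would do in each case. The `_ldap._tcp.dc._msdcs.<domain>` SRV name is the real record a member queries to find a domain controller. Everything else is assumed: the list of domains "you own", and the public DNS answers are a constructed in-memory stand-in so the check runs offline.

```python
"""Assess a proposed Active Directory DNS domain name for the naming
risks discussed above. Added example; the public DNS data is constructed."""

from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional

# Constructed stand-in for what a home-network (public) resolver would answer.
# Addresses are documentation ranges, not real hosts.
CONSTRUCTED_PUBLIC_DNS: Dict[str, str] = {
    "acme.com": "203.0.113.10",           # the organisation's own public web presence
    "mysuperdomain.com": "198.51.100.7",  # registered by an unrelated third party
}


def constructed_resolver(name: str) -> Optional[str]:
    """Offline replacement for a public A-record lookup."""
    return CONSTRUCTED_PUBLIC_DNS.get(name.lower().rstrip("."))


# Suffixes public resolvers will not route to a public host (the answer's .local case).
NON_ROUTABLE_SUFFIXES = ("local",)


def dc_locator_name(domain: str) -> str:
    """SRV record a domain member queries to locate a domain controller."""
    return f"_ldap._tcp.dc._msdcs.{domain}"


@dataclass
class Assessment:
    domain: str
    findings: List[str] = field(default_factory=list)
    # True when an off-site member's DC-locator query reaches public DNS
    # for a name that public DNS can actually route somewhere.
    leaks_offsite: bool = False


def assess_ad_domain(
    domain: str,
    owned_public_domains: Iterable[str],
    resolve: Callable[[str], Optional[str]] = constructed_resolver,
) -> Assessment:
    """Classify `domain` and explain where DC-locator traffic goes off-site."""
    d = domain.strip().lower().rstrip(".")
    owned = {o.lower().rstrip(".") for o in owned_public_domains}
    result = Assessment(domain=d)
    labels = [lbl for lbl in d.split(".") if lbl]

    if len(labels) < 2:
        result.findings.append(
            "single-label name: not a DNS-style FQDN; use a multi-label name instead")
        return result

    if labels[-1] in NON_ROUTABLE_SUFFIXES:
        result.findings.append(
            f".{labels[-1]} suffix: off-site lookups for {dc_locator_name(d)} "
            "get no public answer, so no AD traffic leaves the perimeter")
        return result

    # Public TLD: the registrable name is the last two labels (assumption for
    # this example; real public-suffix rules are longer for some TLDs).
    registrable = ".".join(labels[-2:])
    result.leaks_offsite = True

    if registrable in owned:
        if registrable == d:
            result.findings.append(
                "same name as your external domain: internal and external DNS "
                "must carry different records for one name (split-brain)")
        else:
            result.findings.append(
                f"sub-domain of your external domain {registrable}: internal "
                "and external views of the zone must be kept consistent")
        result.findings.append(
            f"off-site members send {dc_locator_name(d)} queries to public DNS "
            "for your own zone, so your external DNS sees AD-related traffic")
        return result

    target = resolve(registrable)
    if target:
        result.findings.append(
            f"{registrable} is held by someone else (publicly resolves to "
            f"{target}): off-site AD traffic is sent to a third party")
    else:
        result.findings.append(
            f"{registrable} does not resolve publicly today, but a third "
            "party could register it later and start receiving that traffic")
    return result


if __name__ == "__main__":
    for candidate in ("acme.local", "acme.com", "ad.acme.com", "mysuperdomain.com", "corp"):
        a = assess_ad_domain(candidate, owned_public_domains=["acme.com"])
        print(candidate, "leaks off-site:", a.leaks_offsite)
        for f in a.findings:
            print("   -", f)
```

Run it with your own candidate name and the public domains you actually register; the .local candidate is the only one that reports no off-site leakage, which is the point the answer makes.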