Choosing the correct domain name

Introduction

Domain names are a critical part of your Windows environment. DNS (the Domain Name System) is the foundation on which Active Directory and its resources rely. It can be a real problem if you need to go back and change your domain name.

So, before building your Windows domain, it is important to choose the “correct” domain name. Wherever possible you need to plan ahead. Of course, you cannot plan for a company name change or a takeover in years to come, because you simply don’t know about them. But we can plan to be flexible, and we must consider technical and ownership issues at the same time.

Choosing your domain name

Whilst most people believe that the internal Windows domain name needs to be something.local, this isn’t strictly true. It is often easier if the suffix is .local, but it doesn’t have to be. Let’s consider that point…

Some of the largest enterprises in the world use their external domain name on their internal network. The most important consideration is that, if you use domainname.com, you actually own domainname.com.

Why is this important? One of the main reasons this has recently become a problem is the third-party SSL certificates that are used to secure Small Business Server and/or Exchange 2007/2010. By default, these systems require the use of the internal fully qualified domain name of your Exchange server.

So by way of example let’s say you have an internal domain name of virtualdomain.com and your external domain name is abc.com.

When setting up an Exchange 2007/2010 server you would need to request an SSL Certificate that contained the following names:

Autodiscover.abc.com
owa.abc.com
exchangeserver.virtualdomain.com
EXCHANGESERVER

When you request a certificate with these names in it, the first thing the Certificate Authority (CA) will do is perform a WHOIS lookup on the names you have requested. Anything under .abc.com will show your company as the owner of the registration. EXCHANGESERVER isn’t a problem because the CA recognises it as an internal name.

However, when the CA performs a WHOIS lookup on exchangeserver.virtualdomain.com, it finds that the registrant of this domain is a different company and therefore sends that company a request to authorise the name. Worse, if it doesn't find a registrant for the domain, the name is removed from the certificate request.

Can you see the problem?  If you own virtualdomain.com then by all means use it in your internal domain name.  If you don’t own it then don’t use it.

This is why most consultants opt to use the .local suffix on internal domains: when the CA receives a request for a .local name, it knows it’s not an internet suffix and will authorise it.
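A pre-flight check for the certificate request described above, written as an added example (not code from the article): it sorts each requested name into the cases the article walks through. The function names, the `INTERNAL_SUFFIXES` tuple and the labels returned are assumptions made for illustration; the requested names and abc.com are the article's own.

```python
# Added example: sort requested certificate names into the cases the
# article describes. It models the article's account of the CA's checks,
# not any particular CA's implementation.

INTERNAL_SUFFIXES = ("local",)  # assumption: suffixes that are not internet-registered

def normalise(name):
    """Lower-case the name and drop whitespace and a trailing root dot."""
    return name.strip().rstrip(".").lower()

def is_under(name, domain):
    """True if name is the domain itself or a subdomain of it.

    Matching on the '.' label boundary stops notabc.com passing as abc.com.
    """
    return name == domain or name.endswith("." + domain)

def classify(name, owned_domains):
    """Return which case a requested name falls into."""
    n = normalise(name)
    labels = n.split(".")
    if len(labels) == 1:
        return "internal-short-name"   # e.g. EXCHANGESERVER
    if labels[-1] in INTERNAL_SUFFIXES:
        return "internal-suffix"       # e.g. something.local
    if any(is_under(n, normalise(d)) for d in owned_domains):
        return "owned"                 # WHOIS shows your company
    return "not-owned"                 # registrant is someone else, or nobody

def blocking_names(names, owned_domains):
    """Names that would stall or be dropped from the request."""
    return [n for n in names if classify(n, owned_domains) == "not-owned"]

# Names from the article's example request; abc.com is the registered domain.
ARTICLE_REQUEST = [
    "Autodiscover.abc.com",
    "owa.abc.com",
    "exchangeserver.virtualdomain.com",
    "EXCHANGESERVER",
]
OWNED = ["abc.com"]

if __name__ == "__main__":
    for name in ARTICLE_REQUEST:
        print(f"{name:40} {classify(name, OWNED)}")
    print("blocking:", blocking_names(ARTICLE_REQUEST, OWNED))
```

Running it against the article's request flags only exchangeserver.virtualdomain.com, the name whose registrant is a different company.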

Now, what about the dreaded company rename? Another common misconception is that when setting up a Windows domain you must use the domain name for which you want to receive email. This is completely untrue.

You can configure Small Business Server and all versions of Microsoft Exchange Server to receive emails for any domain name, regardless of your internal domain name.

So let us now consider calling your internal domain mydomain.local:
It is not linked to a specific company name.
It will allow you to receive emails for your abc.com email domain.
If you change your company name, you don’t need to worry about trying to change the domain name so that the new owner (or existing one) doesn’t have to see the old company name day in, day out.
Because it has a .local suffix, you will never run into problems in the future with SSL certificates.

Conclusion

With wider use of SSL certificates and a few common misconceptions created by the industry, it is important to deliberate over your internal domain name selection.  It’s also important to think ahead.  

What might be a good idea or even a bit of a laugh now could come back to bite you in the rear in a few years' time. So, be careful and conservative when choosing your name.

I personally like to give my domains something nondescript, because I do a lot of work for small businesses which can and often do get taken over.  I had one company that was bought out twice within the space of 3 years.  I also had one company that split into 2 companies and then both renamed themselves.

It can get messy, and especially with Small Business Server, where the internal domain name cannot be renamed, it can be impractical to use company-specific domain names.

Of course there is always the case where the owner wants this but it’s our job as consultants to advise them why this isn’t a good idea.  And if they still want it then get it in writing :)
Author:Glen Knight
8 Comments

Expert Comment

by:Alan Hardisty
Good article - Yes vote from me.

Alan

Expert Comment

by:Mark Wills
Good article,

Guess my use of Star Wars characters (.local) isn't so dumb after all *laughing*

Author Comment

by:Glen Knight
As long as it's .local you can use whatever you like since this isn't an internet registered suffix :)

Thanks
DMZ

Expert Comment

by:ywainberg
INTERESTING!!!

Author Comment

by:Glen Knight
In what way?

Expert Comment

by:ywainberg
Your perspective on internal and external domain names is interesting, although I think that to decrease the overhead I would recommend using an internal domain name even if the owner has an external domain name, because we never know what he will want in the future.

Author Comment

by:Glen Knight
Which is pretty much what I said in my article, which part do you not agree with?

Expert Comment

by:kevinhsieh
It looks like Office 365 can have issues if you use mydomain.local. See
http://markparris.co.uk/2011/03/08/active-directory-local-domain-design-and-office-365/