Solved

Windows 2012R2 & Exchange 2013 - Recommended domain naming.

Posted on 2014-03-10
5
594 Views
Last Modified: 2014-03-11
Hello Experts,

We are preparing to deploy a Windows 2012R2 server (AD) + Windows Server 2012R2 with Exchange 2013.

In the Windows 2008 domain that it is replacing, we kept the local domain independent of their Internet domain name: Company.Local versus CompanyInternetName.Org, where their email address format was UserName@CompanyInternetName.org.

A colleague indicated that Microsoft recommends that in the Windows 2012/Exchange 2013 environment the internal domain name be kept consistent with the public domain. Therefore, the new internal domain name would be maintained as CompanyInternetName.org.
- http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate/
- http://autodiscover.wordpress.com/2012/07/09/no-more-local-names-in-the-certificate-starting-november-2015-msexchange-lync-ucoms-lync2010-microsoft-part1/ 

Before embarking, I thought I'd check in with the Experts.  

Could you please offer some feedback and recommendations?

Thanks in advance.
RealTimer
0
Comment
Question by:realtimer
5 Comments
 
LVL 41

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 39918384
I wrote a blog on the subject not too long ago: http://acbrownit.wordpress.com/2013/04/15/active-directory-domain-naming-in-the-modern-age/

Generally, Microsoft recommends using a subdomain of your public domain for the Internal Domain Name. This allows you to use SSL certificates without having to deal with Split horizon DNS.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39918566
Microsoft continues to be inconsistent on this issue. Essentials, even in 2012 R2, continues to use .local, for example.

My recommendation? Avoid .local, as it is now officially used by mDNS. It can be used, but staying compliant with RFC is a little more touchy.

I also don't like using publicly available TLDs, especially in smaller environments where buyouts and mergers can happen, and AD renames are a whim of the new owner.

I recommend going generic, yet private; for a plumbing service, I'd use plumbing.internal, or something similar. Generic enough that a merger won't have the old company's name in it, and the .internal is not publicly reachable and avoids the split-brain DNS issues that made .local a popular choice.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 39919378
These days, I'm preferring to go with a subdomain of one of your owned DNS domains. For example:

ad.mycompany.com
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 39919478
I recommend going generic, yet private; for a plumbing service, I'd use plumbing.internal, or something similar. Generic enough that a merger won't have the old company's name in it, and the .internal is not publicly reachable and avoids the split-brain DNS issues that made .local a popular choice.

Just as a note, ICANN has basically opened DNS up to allow *any* TLD to be potentially routable, so whatever domain you use should be one you own if you want to be RFC compliant. Using a subdomain of your existing public domain is much simpler and probably the best way to do it, since public CAs are clamping down on available host names in SSL certificates. You can continue to use .local if you want to (and Essentials uses it because it assumes that companies using that server do not already have public DNS); you just won't be able to get an SSL certificate unless you happen to own the .local domain in the public space. This isn't a huge deal if you know what you're doing, because there are always ways around the issue of split-horizon DNS and Autodiscover in Exchange.
0
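As an added example (not from the thread or from any of the posters), a small Python checker that applies the naming trade-offs raised above to a candidate internal AD DNS name: .local versus mDNS, a bare public domain versus split-brain DNS, a subdomain of an owned public domain, and suffixes no public CA will certify. The verdict labels, the list of assumed private suffixes and the owned-domain list are this example's own constructions.

```python
"""Classify a proposed Active Directory DNS name against common naming pitfalls.
Example code; PRIVATE_TLDS is an assumed list of non-public suffixes."""
import re

# One DNS label: 1-63 chars of a-z, 0-9, '-', not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
MDNS_TLD = "local"  # reserved for multicast DNS by RFC 6762
# Suffixes assumed here to be outside the public DNS: no public CA issues for them.
PRIVATE_TLDS = {"local", "internal", "lan", "corp", "home"}


def _labels(name):
    """Lower-case, drop a trailing dot and split into labels; None if malformed."""
    labels = name.strip().lower().rstrip(".").split(".")
    return labels if all(LABEL_RE.match(lb) for lb in labels) else None


def is_subdomain_of(name, parent):
    """True when name sits strictly below parent (ad.example.org under example.org)."""
    n, p = _labels(name), _labels(parent)
    return bool(n and p) and len(n) > len(p) and n[-len(p):] == p


def classify(candidate, owned_public_domains):
    """Return (verdict, reason) for a candidate internal AD DNS name.

    owned_public_domains: the public domains the organisation has registered.
    Verdicts: invalid, single-label, mdns-conflict, split-brain, recommended,
    private-no-cert, unowned-tld.
    """
    labels = _labels(candidate)
    if labels is None:
        return "invalid", "each label must be 1-63 chars of a-z, 0-9, '-' and not start/end with '-'"
    if len(labels) == 1:
        return "single-label", "single-label DNS names are discouraged by Microsoft"
    tld = labels[-1]
    if tld == MDNS_TLD:
        return "mdns-conflict", ".local is reserved for mDNS (RFC 6762) and public CAs will not certify it"
    owned = [o for o in owned_public_domains if _labels(o)]
    if any(labels == _labels(o) for o in owned):
        return "split-brain", "same name inside and outside needs split-horizon DNS for every public host"
    if any(is_subdomain_of(candidate, o) for o in owned):
        return "recommended", "subdomain of an owned public domain: public certificates, no split-brain DNS"
    if tld in PRIVATE_TLDS:
        return "private-no-cert", f".{tld} is not publicly resolvable; public CAs will not issue for it"
    return "unowned-tld", "public TLD you do not own: may become routable as a new gTLD and cannot be certified"
```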
 

Author Comment

by:realtimer
ID: 39922114
Thanks everyone. Input is appreciated.
0
