  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 605

Windows 2012R2 & Exchange 2013 - Recommended domain naming.

Hello Experts,

We are preparing to deploy a Windows 2012R2 server (AD) + Windows Server 2012R2 with Exchange 2013.

In the Windows 2008 domain that it is replacing, we kept the local domain independent of their Internet domain name: Company.Local versus CompanyInternetName.Org, where their email address format was UserName@CompanyInternetName.org.

A colleague indicated that Microsoft recommends that, in the Windows 2012/Exchange 2013 environment, the internal domain name be kept consistent with the public domain; therefore, the new internal domain name would be CompanyInternetName.org.
- http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate/
- http://autodiscover.wordpress.com/2012/07/09/no-more-local-names-in-the-certificate-starting-november-2015-msexchange-lync-ucoms-lync2010-microsoft-part1/ 

Before embarking, I thought I'd check in with the Experts.  

Could you please offer some feedback and recommendations?

Thanks in advance.
RealTimer
Adam Brown, Sr Solutions Architect, commented:
I wrote a blog on the subject not too long ago: http://acbrownit.wordpress.com/2013/04/15/active-directory-domain-naming-in-the-modern-age/

Generally, Microsoft recommends using a subdomain of your public domain for the Internal Domain Name. This allows you to use SSL certificates without having to deal with Split horizon DNS.
 
Cliff Galiher commented:
Microsoft continues to be inconsistent on this issue. Essentials, even in 2012 R2, continues to use .local, for example.

My recommendation? Avoid .local, as it is now officially used by mDNS. It can be used, but staying compliant with the RFC is a little more touchy.

I also don't like using publicly available TLDs, especially in smaller environments where buyouts and mergers can happen, and AD renames are a whim of the new owner.

I recommend going generic, yet private: for a plumbing service, I'd use plumbing.internal, or something similar. Generic enough that a merger won't have the old company's name in it, and the .internal is not publicly reachable and avoids the split-brain DNS issues that made .local a popular choice.
 
Lee W, MVP, Technology and Business Process Advisor, commented:
These days, I'm preferring to go with a subdomain of one of your owned DNS domains. For example:

ad.mycompany.com
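As an added example (not code from the thread or from any of the commenters), this is how the subdomain approach Lee W describes is put into practice when promoting the first 2012 R2 domain controller: the AD DNS name is a subdomain of a domain the company owns, while the NetBIOS name is chosen independently, so a later rename of the public brand does not force the short name to change. The names ad.mycompany.com, MYCOMPANY and the DSRM password prompt are assumptions for illustration.

```powershell
# Added example, not from the original thread. All names are assumptions.
# Run on the server that will become the first domain controller of the new forest.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Directory Services Restore Mode password; prompted rather than stored in the script.
$dsrm = Read-Host -AsSecureString -Prompt "DSRM password"

$params = @{
    DomainName                    = "ad.mycompany.com"   # subdomain of the owned public domain
    DomainNetbiosName             = "MYCOMPANY"          # NetBIOS name is independent of the DNS suffix
    ForestMode                    = "Win2012R2"
    DomainMode                    = "Win2012R2"
    InstallDns                    = $true                # DC hosts the ad.mycompany.com zone only
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true
}
Install-ADDSForest @params

# After the reboot: confirm the naming, and confirm the internal DNS server does NOT
# host the parent public zone, which is what keeps split-horizon DNS out of the picture.
Get-ADDomain | Select-Object DNSRoot, NetBIOSName
Get-DnsServerZone -Name "ad.mycompany.com"
Get-DnsServerZone -Name "mycompany.com" -ErrorAction SilentlyContinue   # expected: nothing
```

Because only ad.mycompany.com is served internally, a query for mail.mycompany.com from an internal client is forwarded to the public resolvers like any other external name; the public zone never has to be mirrored inside.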
 
Adam Brown, Sr Solutions Architect, commented:
I recommend going generic, yet private: for a plumbing service, I'd use plumbing.internal, or something similar. Generic enough that a merger won't have the old company's name in it, and the .internal is not publicly reachable and avoids the split-brain DNS issues that made .local a popular choice.

Just as a note, ICANN has basically opened DNS up to allow *any* TLD to be potentially routable, so whatever domain you use should be one you own if you want to be RFC compliant. Using a subdomain of your existing public domain is much simpler and probably the best way to do it, since public CAs are clamping down on available host names in SSL certificates. You can continue to use .local if you want to (and Essentials uses it because it assumes that companies using that server do not already have public DNS); you just won't be able to get an SSL certificate unless you happen to own the .local domain in the public space. This isn't a huge deal if you know what you're doing, because there are always ways around the issue of split-horizon DNS and Autodiscover in Exchange.
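Both of Adam Brown's points (a certificate that a public CA will issue because it carries only public names, and the workaround for split-horizon DNS and Autodiscover) come down to the same configuration on the Exchange side. The following is an added example, not code from the thread: it assumes an Exchange 2013 server named EX01 with internal address 10.0.0.25, a forest named ad.company.org, and two publicly owned names, mail.company.org for all client protocols and autodiscover.company.org for Autodiscover. Every name, address and file path here is an assumption for illustration.

```powershell
# Added example, not from the original thread. Server, names and addresses are assumptions.
# Run from the Exchange Management Shell on EX01.
$server   = "EX01"
$mail     = "mail.company.org"
$autod    = "autodiscover.company.org"
$internal = "10.0.0.25"
$reqPath  = "C:\certreq\$mail.req"

# 1. Certificate request that carries only names a public CA will issue for.
#    Deliberately absent: ex01, ex01.ad.company.org, and any .local name.
$csr = New-ExchangeCertificate -Server $server -GenerateRequest `
    -SubjectName "CN=$mail, O=Company, C=US" `
    -DomainName $mail, $autod `
    -PrivateKeyExportable $true `
    -FriendlyName "Exchange 2013 public names"
New-Item -ItemType Directory -Path (Split-Path $reqPath) -Force | Out-Null
Set-Content -Path $reqPath -Value $csr

# 2. Point every client-facing URL at the public name, for internal AND external
#    clients, so the certificate matches wherever the client sits. Internal clients
#    are then never sent to a hostname the certificate does not contain.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$autod/Autodiscover/Autodiscover.xml"
Set-OutlookAnywhere -Identity "$server\Rpc (Default Web Site)" `
    -InternalHostname $mail -ExternalHostname $mail `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
    -ExternalClientAuthenticationMethod Basic
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$mail/EWS/Exchange.asmx" -ExternalUrl "https://$mail/EWS/Exchange.asmx"
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl "https://$mail/owa" -ExternalUrl "https://$mail/owa"
Set-EcpVirtualDirectory -Identity "$server\ecp (Default Web Site)" `
    -InternalUrl "https://$mail/ecp" -ExternalUrl "https://$mail/ecp"
Set-OabVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$mail/OAB" -ExternalUrl "https://$mail/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$mail/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$mail/Microsoft-Server-ActiveSync"

# 3. Internal resolution without split-horizon DNS: instead of hosting all of
#    company.org internally, host one tiny ("pinpoint") zone per public hostname,
#    whose apex A record points at the internal address. Every other company.org
#    name keeps resolving through public DNS. Run on a DNS server in the forest.
foreach ($name in $mail, $autod) {
    Add-DnsServerPrimaryZone -Name $name -ReplicationScope Forest
    Add-DnsServerResourceRecordA -ZoneName $name -Name "@" -IPv4Address $internal
}

# 4. Once the CA returns the issued certificate, import it and bind it to IIS and SMTP.
#    $issued is the path to the .cer file the CA returned (assumed).
$issued = "C:\certreq\$mail.cer"
Import-ExchangeCertificate -Server $server `
    -FileData ([byte[]](Get-Content -Path $issued -Encoding Byte -ReadCount 0)) |
    Enable-ExchangeCertificate -Server $server -Services IIS, SMTP -Force
```

The pinpoint-zone step is what makes a .local (or any privately named) forest workable with a public-only certificate: the forest's own DNS name never appears in a client URL, so it never needs to appear in the certificate. With a subdomain forest such as ad.company.org the same configuration applies, and step 3 can be dropped entirely if internal clients are allowed to reach the public address.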
 
realtimer (Author) commented:
Thanks everyone.  Input is appreciated.
