No More local names in the certificate starting November 2015

We are setting up a windows 2012 r2 standard server and it only going to serve as the domain controller nothing else.  We named it XYZComapany.local.  The clients IT guy was told by a friend that we could not use .local as that was outlawed in 2015. I know that I cannot register a .local name if I want an SSL certificate however my domain controller should be ok shouldn't it?
lorayne912Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Adam BrownConnect With a Mentor Sr Solutions ArchitectCommented:
It wasn't "outlawed". You *can* still use .local for your internal AD Domain Name, but the recommendations from Microsoft are to avoid doing so, since .local is used by Apple's Bonjour service for network discovery and can cause issues with some versions of iOS/OSX when interacting with the SMB protocol. I wrote an article on the current Domain Naming recommendations: http://wp.me/pUCB5-2k

It is true that third party CAs will not issue certificates that include .local as a TLD for the Common name or any SANs. This would mean that you will get certificate errors when attempting to access HTTPS websites using Internal DNS FQDNs if that's what your AD Domain uses (unless, as was mentioned, you generate the certificate with your own CA, but that also means you have to deploy the Root CA cert to all devices that access those sites with that FQDN). But there are work-arounds for that. Specifically, you would need to get a 3rd party cert using your Public DNS FQDN for the web server, then have a secondary Forward Lookup Zone (or Pinpoint DNS entries) that defines the host name to an Internal IP address.

TL;DR - You can still use domain.local for your Active Directory domain. The practice isn't outlawed. It just isn't a recommended best practice any longer (and hasn't been for about 10 years).
0
 
Cliff GaliherConnect With a Mentor Commented:
Yes, that's still allowed. This only impacts SSL certificates issued by a public CA. Internal CAs can continue to issue .local if needed.  

Admittedly, in new deployments, I prefer to use private-sub.domain.com (such as corp.mycompany.com) or similar just to provide flexibility with future technologies, but I am not renaming existing domains. So depending on how far along you are in your deployment and your risk aversion, either is an option.
0
 
Scott CConnect With a Mentor Senior Systems EnginerCommented:
Yes, that will be fine.

The biggest impact was for Exchange users.  Technically you COULD still use .local, but no CA will create a Cert with one.
0
 
lorayne912Author Commented:
Thanks everyone for your quick responses.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.