Solved

No More local names in the certificate starting November 2015

Posted on 2016-08-17
4
126 Views
Last Modified: 2016-08-17
We are setting up a windows 2012 r2 standard server and it only going to serve as the domain controller nothing else.  We named it XYZComapany.local.  The clients IT guy was told by a friend that we could not use .local as that was outlawed in 2015. I know that I cannot register a .local name if I want an SSL certificate however my domain controller should be ok shouldn't it?
0
Comment
Question by:lorayne912
4 Comments
 
LVL 57

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 125 total points
ID: 41760133
Yes, that's still allowed. This only impacts SSL certificates issued by a public CA. Internal CAs can continue to issue .local if needed.  

Admittedly, in new deployments, I prefer to use private-sub.domain.com (such as corp.mycompany.com) or similar just to provide flexibility with future technologies, but I am not renaming existing domains. So depending on how far along you are in your deployment and your risk aversion, either is an option.
0
 
LVL 30

Assisted Solution

by:Scott C
Scott C earned 125 total points
ID: 41760135
Yes, that will be fine.

The biggest impact was for Exchange users.  Technically you COULD still use .local, but no CA will create a Cert with one.
0
 
LVL 39

Accepted Solution

by:
Adam Brown earned 250 total points
ID: 41760208
It wasn't "outlawed". You *can* still use .local for your internal AD Domain Name, but the recommendations from Microsoft are to avoid doing so, since .local is used by Apple's Bonjour service for network discovery and can cause issues with some versions of iOS/OSX when interacting with the SMB protocol. I wrote an article on the current Domain Naming recommendations: http://wp.me/pUCB5-2k

It is true that third party CAs will not issue certificates that include .local as a TLD for the Common name or any SANs. This would mean that you will get certificate errors when attempting to access HTTPS websites using Internal DNS FQDNs if that's what your AD Domain uses (unless, as was mentioned, you generate the certificate with your own CA, but that also means you have to deploy the Root CA cert to all devices that access those sites with that FQDN). But there are work-arounds for that. Specifically, you would need to get a 3rd party cert using your Public DNS FQDN for the web server, then have a secondary Forward Lookup Zone (or Pinpoint DNS entries) that defines the host name to an Internal IP address.

TL;DR - You can still use domain.local for your Active Directory domain. The practice isn't outlawed. It just isn't a recommended best practice any longer (and hasn't been for about 10 years).
0
 

Author Closing Comment

by:lorayne912
ID: 41760236
Thanks everyone for your quick responses.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this increasingly digital world, security hacks are no longer just a threat, but a reality. As we've witnessed with Target's big identity hack 2013, Heartbleed in 2015, and now Cloudbleed, companies and their leaders need to prepare for the unthi…
It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question