Solved

No More local names in the certificate starting November 2015

Posted on 2016-08-17
4
129 Views
Last Modified: 2016-08-17
We are setting up a Windows 2012 R2 Standard server, and it is only going to serve as the domain controller, nothing else. We named it XYZCompany.local. The client's IT guy was told by a friend that we could not use .local as that was outlawed in 2015. I know that I cannot register a .local name if I want an SSL certificate; however, my domain controller should be OK, shouldn't it?
0
Question by:lorayne912
4 Comments
 
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 125 total points
ID: 41760133
Yes, that's still allowed. This only impacts SSL certificates issued by a public CA. Internal CAs can continue to issue .local if needed.  

Admittedly, in new deployments, I prefer to use private-sub.domain.com (such as corp.mycompany.com) or similar just to provide flexibility with future technologies, but I am not renaming existing domains. So depending on how far along you are in your deployment and your risk aversion, either is an option.
0
 
LVL 30

Assisted Solution

by:Scott C
Scott C earned 125 total points
ID: 41760135
Yes, that will be fine.

The biggest impact was for Exchange users.  Technically you COULD still use .local, but no CA will create a Cert with one.
0
 
LVL 40

Accepted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 41760208
It wasn't "outlawed". You *can* still use .local for your internal AD Domain Name, but the recommendations from Microsoft are to avoid doing so, since .local is used by Apple's Bonjour service for network discovery and can cause issues with some versions of iOS/OSX when interacting with the SMB protocol. I wrote an article on the current Domain Naming recommendations: http://wp.me/pUCB5-2k

It is true that third party CAs will not issue certificates that include .local as a TLD for the Common name or any SANs. This would mean that you will get certificate errors when attempting to access HTTPS websites using Internal DNS FQDNs if that's what your AD Domain uses (unless, as was mentioned, you generate the certificate with your own CA, but that also means you have to deploy the Root CA cert to all devices that access those sites with that FQDN). But there are work-arounds for that. Specifically, you would need to get a 3rd party cert using your Public DNS FQDN for the web server, then have a secondary Forward Lookup Zone (or Pinpoint DNS entries) that defines the host name to an Internal IP address.

TL;DR - You can still use domain.local for your Active Directory domain. The practice isn't outlawed. It just isn't a recommended best practice any longer (and hasn't been for about 10 years).
0
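The workaround described in the accepted answer (public-CA certificate on the public FQDN, plus an internal pinpoint DNS zone pointing that name at the internal address), as an added PowerShell example that is not part of the thread. It assumes a Windows DNS server with the DnsServer module, an AD-integrated zone, and the constructed names intranet.xyzcompany.com and 10.0.0.25.

```powershell
# Added example, not from the thread. Assumes the DnsServer module, an AD-integrated
# DNS server, and these constructed values:
#Requires -Modules DnsServer
$PublicFqdn = 'intranet.xyzcompany.com'   # name on the 3rd-party certificate (constructed)
$InternalIp = '10.0.0.25'                 # internal address of the web server (constructed)

# 1. Pinpoint zone: the zone name IS the host FQDN, so only that single name is
#    overridden internally; everything else under xyzcompany.com still resolves publicly.
if (-not (Get-DnsServerZone -Name $PublicFqdn -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PublicFqdn -ReplicationScope 'Domain'
}

# 2. The A record sits at the zone apex ("@"), not under a child label.
$apexA = Get-DnsServerResourceRecord -ZoneName $PublicFqdn -RRType 'A' -ErrorAction SilentlyContinue |
    Where-Object { $_.HostName -eq '@' }
if (-not $apexA) {
    Add-DnsServerResourceRecordA -ZoneName $PublicFqdn -Name '@' -IPv4Address $InternalIp `
        -TimeToLive (New-TimeSpan -Hours 1)
}

# 3. Verify that an internal client asking this server gets the internal address.
$answer = Resolve-DnsName -Name $PublicFqdn -Type A -Server 'localhost' -ErrorAction Stop
if ($answer.IPAddress -notcontains $InternalIp) {
    throw "Pinpoint zone not effective: $PublicFqdn resolved to $($answer.IPAddress -join ', ')"
}

# 4. Check the server certificate that will be bound to this name: it must carry the
#    public FQDN as a SAN, and (as the thread notes) a public CA will not have issued
#    one with a .local name, so any .local SAN here points at a cert that will not renew.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $PublicFqdn } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate in LocalMachine\My carries SAN $PublicFqdn" }

$localNames = $cert.DnsNameList.Unicode | Where-Object { $_ -like '*.local' }
if ($localNames) {
    Write-Warning "Cert $($cert.Thumbprint) still lists .local names: $($localNames -join ', ')"
} else {
    Write-Output "OK: $($cert.Subject) covers $PublicFqdn, no .local SANs, expires $($cert.NotAfter)"
}
```

Run it once on a DNS server in the domain; with -ReplicationScope 'Domain' the pinpoint zone replicates to the other AD-integrated DNS servers automatically.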
 

Author Closing Comment

by:lorayne912
ID: 41760236
Thanks everyone for your quick responses.
0
