Solved

No More local names in the certificate starting November 2015

Posted on 2016-08-17
Last Modified: 2016-08-17
We are setting up a Windows 2012 R2 Standard server and it is only going to serve as the domain controller, nothing else. We named it XYZCompany.local. The client's IT guy was told by a friend that we could not use .local as that was outlawed in 2015. I know that I cannot register a .local name if I want an SSL certificate; however, my domain controller should be OK, shouldn't it?
Question by:lorayne912
4 Comments
 
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 500 total points
ID: 41760133
Yes, that's still allowed. This only impacts SSL certificates issued by a public CA. Internal CAs can continue to issue .local if needed.  

Admittedly, in new deployments, I prefer to use private-sub.domain.com (such as corp.mycompany.com) or similar just to provide flexibility with future technologies, but I am not renaming existing domains. So depending on how far along you are in your deployment and your risk aversion, either is an option.
 
LVL 32

Assisted Solution

by:Scott C
Scott C earned 500 total points
ID: 41760135
Yes, that will be fine.

The biggest impact was for Exchange users.  Technically you COULD still use .local, but no CA will create a Cert with one.
 
LVL 43

Accepted Solution

by:Adam Brown
Adam Brown earned 1000 total points
ID: 41760208
It wasn't "outlawed". You *can* still use .local for your internal AD Domain Name, but the recommendations from Microsoft are to avoid doing so, since .local is used by Apple's Bonjour service for network discovery and can cause issues with some versions of iOS/OSX when interacting with the SMB protocol. I wrote an article on the current Domain Naming recommendations: http://wp.me/pUCB5-2k

It is true that third party CAs will not issue certificates that include .local as a TLD for the Common name or any SANs. This would mean that you will get certificate errors when attempting to access HTTPS websites using Internal DNS FQDNs if that's what your AD Domain uses (unless, as was mentioned, you generate the certificate with your own CA, but that also means you have to deploy the Root CA cert to all devices that access those sites with that FQDN). But there are work-arounds for that. Specifically, you would need to get a 3rd party cert using your Public DNS FQDN for the web server, then have a secondary Forward Lookup Zone (or Pinpoint DNS entries) that defines the host name to an Internal IP address.

TL;DR - You can still use domain.local for your Active Directory domain. The practice isn't outlawed. It just isn't a recommended best practice any longer (and hasn't been for about 10 years).
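The workaround in the accepted answer (a public-CA certificate for the public FQDN, plus a pinpoint DNS zone so internal clients resolve that FQDN to an internal address) can be scripted on a Windows DNS server. The block below is an added example written for this page, not code from the thread or from any of the posters. It assumes a public host name mail.xyzcompany.com, an internal web server at 10.10.5.20, an AD-integrated DNS server on the local machine, the DnsServer module (DNS Server role or RSAT) and an elevated session; none of those values appear in the thread. It also includes a check that the certificate about to be requested carries no .local name in its CN or SANs, which is exactly what a public CA would reject.

```powershell
# Added example, not from the original thread.
# Pinpoint zone: a primary zone named after ONE public host, with an A record at
# the apex ("@"). Only that name is overridden internally; every other
# xyzcompany.com name still resolves via public DNS, so there is no need to
# maintain a full internal copy of the public zone.
Import-Module DnsServer

$publicFqdn = 'mail.xyzcompany.com'   # assumed public host name (hypothetical)
$internalIp = '10.10.5.20'            # assumed internal IP of the web server (hypothetical)
$dnsServer  = 'localhost'             # assumed: DNS server role on this machine

function New-PinpointZone {
    param([string]$Fqdn, [string]$IPv4, [string]$Server)
    # Create the zone only once; re-running the script must not fail.
    if (-not (Get-DnsServerZone -Name $Fqdn -ComputerName $Server -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Fqdn -ReplicationScope Forest -ComputerName $Server
    }
    # "@" is the zone apex, i.e. the FQDN itself. Short TTL keeps a later
    # server move from being cached for hours on clients.
    Add-DnsServerResourceRecordA -ZoneName $Fqdn -Name '@' -IPv4Address $IPv4 `
        -TimeToLive (New-TimeSpan -Minutes 5) -ComputerName $Server
}

function Test-CertificateHasNoLocalNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Returns $true when neither the subject CN nor any SAN dNSName ends in .local.
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    # 2.5.29.17 is the Subject Alternative Name extension OID.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) yields "DNS Name=mail.xyzcompany.com, DNS Name=..." on Windows.
        $names += ($san.Format($false) -split ',\s*') |
            ForEach-Object { ($_ -split '=')[-1].Trim() }
    }
    $bad = $names | Where-Object { $_ -match '\.local$' }
    if ($bad) { Write-Warning "Names a public CA will not sign: $($bad -join ', ')" }
    return (-not $bad)
}

New-PinpointZone -Fqdn $publicFqdn -IPv4 $internalIp -Server $dnsServer

# Verify from the DNS server itself: internal clients should now get 10.10.5.20.
Resolve-DnsName -Name $publicFqdn -Server $dnsServer -Type A |
    Select-Object Name, IPAddress

# Check the certificate in the machine store before (or after) requesting it
# from a public CA; a .local entry anywhere in it is the problem the thread describes.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$publicFqdn*" } |
    Select-Object -First 1
if ($cert) { Test-CertificateHasNoLocalNames -Cert $cert }
```

Two caveats a practitioner should keep in mind: the AD domain itself (XYZCompany.local) is untouched by this, since only the web-facing host name is published under the public FQDN, and if the internal host is reachable by more than one public name, each name needs its own pinpoint zone (or a single shadow zone) and must also be in the certificate's SAN list.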
 

Author Closing Comment

by:lorayne912
ID: 41760236
Thanks everyone for your quick responses.