Setup a new Win2016 Standard server as dot local or dot.com in Active Directory?

Hi, we are setting up a brand new Win2016 Standard server mainly as a file server with RDS.  Should I set up Active Directory as "company.com" or "company.local"?  There is no Exchange server but we would like to have an SSL certificate for the Remote Desktop Gateway.  Something that came to mind for Remote Desktop Services access is to set up a sub domain called "remote.company.com" for our remote desktop users.  Thanks.
Soho_Dan Asked:
Cliff Galiher Commented:
For new AD setups, I recommend sub.domain.com formatting. Not just for RDS  but for the AD domain itself. Ex: internal.mydomain.com or ad.mydomain.com

Using just domain.com tends to lead to odd split-DNS configurations down the road.
0
 
Soho_Dan (Author) Commented:
What if we already have a public domain called "mydomain.ca" and not dot com?  Would this matter at all?  Can we set up as "internal.mydomain.ca"?
0
 
Cliff Galiher Commented:
Yes. The dot-com was just a placeholder for any TLD.
0
Shaun Vermaak (Technical Specialist/Developer) Commented:
company.com is perfectly fine, and the split DNS issues people refer to are simple things like having the external website work via www.company.com instead of company.com. You can get the website to work through company.com with a simple netsh command.
0
 
Cliff Galiher Commented:
Using company.com does introduce challenges under certain circumstances, particularly with AD and external domains, that can't be easily solved with a netsh command though.

Yes, there are workarounds. But since the OP made it clear that it is a new domain, I don't see why anybody would *recommend* using company.com, when corp.company.com is a fairly accepted standard in most circles.  If you start on strong footing, workarounds later become unnecessary.
0
 
Shaun Vermaak (Technical Specialist/Developer) Commented:
Agree to disagree. 99% of my enterprise/SMB level clients, with well over 2 million endpoints, use the same domain internally. These so-called issues are a myth.
0
 
Soho_Dan (Author) Commented:
There will not be any Exchange server or any internal websites.  If we set up mydomain.com, doesn't it pose a security risk?
0
 
Cliff Galiher Commented:
@Shaun:  Fine. But again, I'll challenge you to defend explicitly making that choice on a new deployment.   One requires workarounds.  One doesn't.  Where's the risk of a subdomain? Where's the reward of not using one?  Risk/reward should always drive decisions.

@Soho_Dan:  While I oppose using domain.com, I won't resort to FUD to push my recommendation.  There is no inherent security-related issue with using domain.com without a subdomain.  In theory, a person could argue that attackers now know your internal schema.  But using a subdomain for security purposes is just security theater...security by obscurity.  It doesn't make sense. There are many good reasons to use sub.domain.com, but security isn't one of them.  Protecting your DCs is a far more important security step than obfuscating the domain name it uses.
0
 
Shaun Vermaak (Technical Specialist/Developer) Commented:
Cliff, you made your recommendation, I made mine. One entry in DNS for WWW would take 10s. I have no interest in buying a stronger whip to beat a dead horse.
0
 
Cliff Galiher Commented:
I don't think being challenged to defend a position is beating a dead horse. I think it is healthy discourse where I often learn new things. Especially when I have to defend my own positions. Sorry you feel differently.
0
 
Mahesh (Architect) Commented:
Microsoft recommends the AD domain be a subdomain of the external domain:
https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
The article below states a few advantages of the same:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772970(v=ws.10)

The major factor I see is simplicity of name resolution in the case of a subdomain of the external name space.
In the case of the same external/internal domain name, you can use a single wildcard cert for all your internal and external SSL needs, which is not the case when you use a subdomain of the external domain.

From a NetBIOS point of view, it does not make any difference whether you have a subdomain as the root domain or a standard root domain.
I don't see a much stronger point for one over the other, and vice versa.
0
 
Soho_Dan (Author) Commented:
Mahesh, so it seems Microsoft recommends, for ease of deployment and management, that I should go with something like "mydomain.ca", and for the internal sub-domain something such as "remote.mydomain.ca" if I wish for my remote users to access the Remote Desktop Gateway?
0
 
Mahesh (Architect) Commented:
You can go with the MS recommendation; however, don't use the same FQDN as the domain name for any service, as it will create a name resolution issue for that service internally.
0
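As an added check illustrating the caveat above (this is not code from the thread): every domain controller registers an A record for the bare AD domain name, so a service published under that exact FQDN resolves to the DCs internally, while a distinct host name under the zone does not collide. It assumes a domain-joined machine with the ActiveDirectory and DnsClient modules, and "remote" is a placeholder host label for the RD Gateway name.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory and
# DnsClient modules on a domain-joined host; "remote" is a placeholder host label.
Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot                        # e.g. mydomain.ca or internal.mydomain.ca
$dcAddrs = (Get-ADDomainController -Filter *).IPv4Address

# The apex of the AD zone always carries the DCs' "(same as parent folder)" A records,
# so the bare domain name can never be pointed at a web server or RD Gateway internally.
$apex = Resolve-DnsName -Name $domain -Type A -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'A' }
foreach ($rec in $apex) {
    $note = if ($dcAddrs -contains $rec.IPAddress) { 'domain controller' } else { 'NOT a DC: conflicting record' }
    '{0,-30} -> {1,-15} {2}' -f $rec.Name, $rec.IPAddress, $note
}

# A service under its own host name in the same zone has no such collision.
$serviceFqdn = "remote.$domain"
try {
    $svc = Resolve-DnsName -Name $serviceFqdn -Type A -ErrorAction Stop
    '{0} resolves internally to {1}' -f $serviceFqdn, ($svc.IPAddress -join ', ')
} catch {
    "$serviceFqdn has no internal A record yet; add one in the $domain zone before requesting the RD Gateway certificate."
}
```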
 
Cliff Galiher Commented:
"Mahesh, so it seems Microsoft recommends for easy to deploy and management, I should go with something like, "mydomain.ca""

To be clear, Microsoft explicitly recommends using a SUBDOMAIN for AD.  From the document Mahesh already posted:

The short answer, as best practice:
  • Microsoft strongly recommends that you register a public domain and use subdomains for the internal DNS.
  • So, register a public DNS name, so you own it. Then create subdomains for internal use (like corp.example.org, dmz.example.org, extranet.example.org) and make sure you've got your DNS configuration setup correctly.
0
 
Cliff Galiher Commented:
From the same document (official Microsoft guidance).  I've bolded the final sentence for emphasis:

Some customers use the same DNS zone for internal and external usage. But there are some important disadvantages:
  • mismatch between security zones (like intranet, extranet, DMZ and) and DNS naming
  • when adding / merging domains the DNS is subject to redesign
  • less flexible, less automated DNS operations
  • conflict in authority with internal DNS and external DNS (managed by internet provider)

You might face some practical issues like:
  • conflicts in DNS,
  • instable operations and sub-optimal performance
  • network issues
  • complex configuration
  • less or no automated DNS operations, more manual operations
  • keeping DNS under control is less obvious

Plus, you'll face some consequences regarding network security, by the lack of segregation of (DNS) duties.
So: Single DNS domain is absolutely not advised when you need to manage internal and external resources.
0
 
Soho_Dan (Author) Commented:
Cliff, so back to your initial recommendation.  E.g. internal.mydomain.ca?
0
 
Cliff Galiher Commented:
That's mine, yes.  That aligns with Microsoft best practices, as demonstrated here.  It isn't an absolute must. But unless you have a reason to go another way, it is the path many people, including myself, would recommend.  As demonstrated though, there are always exceptions, and other opinions.  I may not agree with them, but it'd be unfair to not acknowledge that they exist.
0
 
Shaun Vermaak (Technical Specialist/Developer) Commented:
As mentioned before, those articles were written by an individual, are very old and link to dated/missing sources. And I won't call it a Microsoft best practice; a lot has changed since those recommendations.
0
 
Cliff Galiher Commented:
Where I copied my text from:

https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx

The title is "best practices."  One could argue that EVERYTHING is written by an individual. The question becomes how authoritative the individual is.

The history of that on the right tells the story. Written by an MVP and Microsoft contingent staff (which Microsoft often leans on to create official documentation and training.) Written in 2016. Last revised in 2017.

While his source material may date back to 2003, that wiki page is new. If you've read different guidance from Microsoft that you can link to, I'd love to read it.
1
 
Shaun Vermaak (Technical Specialist/Developer) Commented:
That is a wiki source; I do not put much value on that. MVPs do not represent MS.
0
 
Seth Simmons (Sr. Systems Administrator) Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Cliff Galiher (https:#a42501972)
-- Mahesh (https:#a42502193)
-- Cliff Galiher (https:#a42502248)
-- Cliff Galiher (https:#a42502253)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0
 
Soho_Dan (Author) Commented:
Case can be closed.  Thank you all.
0