Set up a new Win2016 Standard server as dot local or dot com in Active Directory?

Hi, we are setting up a brand new Win2016 Standard server mainly as a file server with RDS.  Should I set up Active Directory as "company.com" or "company.local"?  There is no Exchange server but we would like to have an SSL certificate for the Remote Desktop Gateway.  Something that came to mind for Remote Desktop Services access is to set up a subdomain called "remote.company.com" for our remote desktop users.  Thanks.
Soho_DanAsked:
Cliff GaliherCommented:
For new AD setups, I recommend sub.domain.com formatting. Not just for RDS  but for the AD domain itself. Ex: internal.mydomain.com or ad.mydomain.com

Using just domain.com tends to lead to odd split-DNS configurations down the road.
0
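As an added example (not code posted in this thread), here is what Cliff's recommendation looks like when typed in: the forest is created under a subdomain of the registered public name, and the RD Gateway is published under its own public hostname with a public-CA certificate. All names are placeholders: "mydomain.ca" stands for the registered public domain, "internal.mydomain.ca" for the AD forest, "remote.mydomain.ca" for the gateway name remote users connect to, "rds01.internal.mydomain.ca" for the RDS host holding the Connection Broker role, and the PFX path is assumed.

```powershell
# Added example, not code from this thread. Builds a new forest named as
# a subdomain of the public domain and publishes the RD Gateway under a
# separate public hostname. Every name here is a placeholder:
#   mydomain.ca                 the registered public domain
#   internal.mydomain.ca        the AD forest root (internal DNS zone)
#   remote.mydomain.ca          the RD Gateway name remote users connect to
#   rds01.internal.mydomain.ca  the RDS host holding the Connection Broker role
# Run elevated; step 1 on the future DC, steps 2-3 on the RDS host.

# --- 1. Forest root as a subdomain of the public name -------------------
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# WinThreshold = Windows Server 2016 functional level. No DNS delegation:
# the public mydomain.ca zone stays at the registrar/ISP and never needs
# to know the internal zone exists.
Install-ADDSForest `
    -DomainName 'internal.mydomain.ca' `
    -DomainNetbiosName 'INTERNAL' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns `
    -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# After the reboot the DC's DNS is authoritative only for
# internal.mydomain.ca. The public apex and public hosts fall through to
# the forwarders, so nothing from the public zone has to be mirrored.
Resolve-DnsName -Name 'internal.mydomain.ca' -Type A   # the DC(s)
Resolve-DnsName -Name 'mydomain.ca' -Type A            # public web server, via forwarder
Resolve-DnsName -Name 'remote.mydomain.ca' -Type A     # gateway's public address

# --- 2. RD Gateway under its own public hostname ------------------------
# The PFX (assumed path) is a public-CA certificate whose subject/SAN
# covers remote.mydomain.ca, the only name home PCs will ever see.
$broker = 'rds01.internal.mydomain.ca'
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Set-RDCertificate -Role RDGateway -ImportPath 'C:\certs\remote.mydomain.ca.pfx' `
    -Password $pfxPassword -ConnectionBroker $broker -Force

Set-RDDeploymentGatewayConfiguration -GatewayMode Custom `
    -GatewayExternalFqdn 'remote.mydomain.ca' -LogonMethod Password `
    -UseCachedCredentials $true -BypassLocal $true `
    -ConnectionBroker $broker -Force

# --- 3. Verify the installed cert covers the name clients will type -----
$gatewayName = 'remote.mydomain.ca'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $gatewayName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No certificate in LocalMachine\My lists $gatewayName in its SAN"
}
'Gateway cert {0} valid until {1:yyyy-MM-dd}' -f $cert.Thumbprint, $cert.NotAfter
```

The point of step 1 is the last three lookups: the DC is authoritative for internal.mydomain.ca only, so the public apex and remote.mydomain.ca resolve through the forwarders exactly as they do from the internet, with no internal copy of the public zone to maintain.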

Soho_DanAuthor Commented:
What if we already have a public domain called "mydomain.ca" and not dot com?  Would this matter at all?  Can we set up as "internal.mydomain.ca"?
0
Cliff GaliherCommented:
Yes. The dot-com was just a placeholder for any TLD.
0

Shaun VermaakTechnical Specialist IVCommented:
company.com is perfectly fine, and the split DNS issues people refer to are simple things like having the external website work via www.company.com instead of company.com. You can get the website to work through company.com with a simple netsh command.
0
Cliff GaliherCommented:
Using company.com does introduce challenges under certain circumstances, particularly with AD and external domains, that can't be easily solved with a netsh command though.

Yes, there are workarounds. But since the OP made it clear that it is a new domain, I don't see why anybody would *recommend* using company.com, when corp.company.com is a fairly accepted standard in most circles.  If you start on strong footing, workarounds later become unnecessary.
0
Shaun VermaakTechnical Specialist IVCommented:
Agree to disagree. 99% of my enterprise/SMB level clients, with well over 2 million endpoints, use the same domain internally. These so-called issues are a myth.
0
Soho_DanAuthor Commented:
There will not be any Exchange server or any internal websites.  If we set up mydomain.com, doesn't it pose a security risk?
0
Cliff GaliherCommented:
@Shaun:  Fine. But again, I'll challenge you to defend explicitly making that choice on a new deployment.   One requires workarounds.  One doesn't.  Where's the risk of a subdomain? Where's the reward of not using one?  Risk/reward should always drive decisions.

@Soho_Dan:  While I oppose using domain.com, I won't resort to FUD to push my recommendation.  There is no inherent security-related issue with using domain.com without a subdomain.  In theory, a person could argue that attackers now know your internal schema.  But using a subdomain for security purposes is just security theater...security by obscurity.  It doesn't make sense. There are many good reasons to use sub.domain.com, but security isn't one of them.  Protecting your DCs is a far more important security step than obfuscating the domain name it uses.
0
Shaun VermaakTechnical Specialist IVCommented:
Cliff, you made your recommendation, I made mine. One entry in DNS for WWW would take 10s. I have no interest in buying a stronger whip to beat a dead horse.
0
Cliff GaliherCommented:
I don't think being challenged to defend a position is beating a dead horse. I think it is healthy discourse where I often learn new things. Especially when I have to defend my own positions. Sorry you feel differently.
0
MaheshArchitectCommented:
Microsoft recommends the AD domain be a subdomain of the external domain
https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
The article below states a few advantages of the same
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772970(v=ws.10)

The major factor I see is simplicity of name resolution in the case of a subdomain of the external namespace
In the case of the same external / internal domain name, you can use a single wildcard cert for all your internal and external SSL needs, which is not the case when you use a subdomain of the external domain

From a NetBIOS point of view, it does not make any difference whether you have a subdomain as the root domain or a standard root domain
I don't see any much stronger point for one over the other, and vice versa
0
Soho_DanAuthor Commented:
Mahesh, so it seems Microsoft recommends, for easy deployment and management, that I should go with something like "mydomain.ca", and for an internal subdomain something such as "remote.mydomain.ca" if I wish for my remote users to access the Remote Desktop Gateway?
0
MaheshArchitectCommented:
You can go with the MS recommendation; however, don't use the same FQDN as the domain name for any service, as it will create a name resolution issue for that service internally.
0
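To make the disagreement between Shaun and Mahesh concrete, here is an added example (not code posted in this thread) of what the "split DNS" situation looks like on a DC when the forest carries the public name, together with the one-record-per-host workaround Shaun describes and the case Mahesh's warning covers. Placeholders: "company.com" is both the AD forest name and the public domain, "dc01" a domain controller running the DNS role, and 203.0.113.10 an assumed public web server address. It is run on the DC with the DNS Server tools installed.

```powershell
# Added example, not code from this thread. Shows what the "split DNS"
# objection looks like when the forest is named after the public domain,
# and the DNS-side workaround the thread refers to. Placeholders:
#   company.com    both the AD forest name and the public domain
#   dc01           a domain controller running the DNS role
#   203.0.113.10   the public web server's address (assumed)
# Run on dc01 with the DNS Server tools installed.

$zone  = 'company.com'
$webIp = '203.0.113.10'

# 1. The collision. Netlogon registers every DC's address at the zone
#    apex ("(same as parent folder)" in the DNS console). Because the DC
#    is authoritative for company.com, internal clients never ask the
#    public zone: http://company.com lands on a DC, and every other public
#    name under company.com returns NXDOMAIN until it is copied here.
Get-DnsServerResourceRecord -ZoneName $zone -Name '@' -RRType A |
    Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }

# 2. The workaround: publish the public child names inside the internal
#    zone. Child names are not owned by AD, so "www" can point anywhere.
$publicHosts = @{ 'www' = $webIp }
foreach ($name in $publicHosts.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A `
        -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $publicHosts[$name]
    }
}

# 3. What cannot be fixed this way: the bare name. Removing the apex
#    records breaks \\company.com\SYSVOL (Group Policy), and Netlogon
#    re-registers them on its next refresh anyway, so the apex stays on
#    the DCs. This is the "same FQDN as the domain name" case Mahesh
#    warns about.
Resolve-DnsName -Name $zone -Type A -Server 'dc01.company.com'         # still the DCs
Resolve-DnsName -Name "www.$zone" -Type A -Server 'dc01.company.com'   # now the web server

# 4. The ongoing cost: any record added to the public zone later (new
#    hosts, TXT records, CNAMEs to hosted services) is invisible inside
#    until someone duplicates it. Listing the non-apex records shows how
#    much of the public zone has been mirrored by hand so far.
Get-DnsServerResourceRecord -ZoneName $zone |
    Where-Object { $_.HostName -ne '@' -and $_.RecordType -in 'A', 'CNAME', 'TXT' } |
    Select-Object HostName, RecordType
```

Both sides of the thread are visible here: the www record in step 2 really is a ten-second fix, while steps 3 and 4 are the part that has to be repeated for every public name for the life of the domain, which is what a subdomain like internal.company.com avoids by never being authoritative for the public zone.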
Cliff GaliherCommented:
"Mahesh, so it seems Microsoft recommends for easy to deploy and management, I should go with something like, "mydomain.ca"

To be clear, Microsoft explicitly recommends using a SUBDOMAIN for AD.  From the document Mahesh already posted:

The short answer, as best practice:
  • Microsoft strongly recommends that you register a public domain and use subdomains for the internal DNS.
  • So, register a public DNS name, so you own it. Then create subdomains for internal use (like corp.example.org, dmz.example.org, extranet.example.org) and make sure you've got your DNS configuration setup correctly.
0
Cliff GaliherCommented:
From the same document (official Microsoft guidance)  I've bolded the final sentence for emphasis:

Some customers use the same DNS zone for internal and external usage. But there are some important disadvantages:
  • mismatch between security zones (like intranet, extranet, DMZ and) and DNS naming
  • when adding / merging domains the DNS is subject to redesign
  • less flexible, less automated DNS operations
  • conflict in authority with internal DNS and external DNS (managed by internet provider)

You might face some practical issues like:
  • conflicts in DNS,
  • instable operations and sub-optimal performance
  • network issues
  • complex configuration
  • less or no automated DNS operations, more manual operations
  • keeping DNS under control is less obvious

Plus, you'll face some consequences regarding network security, by the lack of segregation of (DNS) duties.
So: Single DNS domain is absolutely not advised when you need to manage internal and external resources.
0
Soho_DanAuthor Commented:
Cliff, so back to your initial recommendation.  E.g. internal.mydomain.ca ?
0
Cliff GaliherCommented:
That's mine, yes.  That aligns with Microsoft best practices, as demonstrated here.  It isn't an absolute must. But unless you have a reason to go another way, it is the path many people, including myself, would recommend.  As demonstrated though, there are always exceptions, and other opinions.  I may not agree with them, but it'd be unfair to not acknowledge that they exist.
0
Shaun VermaakTechnical Specialist IVCommented:
As mentioned before, those articles were written by an individual, are very old and link to dated/missing sources. And I won't call it a Microsoft best practice; a lot has changed since those recommendations.
0
Cliff GaliherCommented:
Where I copied my text from:

https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx

The title is "best practices."  One could argue that EVERYTHING is written by an individual. The question becomes how authoritative the individual is.

The history of that on the right tells the story. Written by an MVP and Microsoft contingent staff (which Microsoft often leans on to create official documentation and training.) Written in 2016. Last revised in 2017.

While his source material may date back to 2003, that wiki page is new. If you've read different guidance from Microsoft that you can link to, I'd love to read it.
1
Shaun VermaakTechnical Specialist IVCommented:
That is a wiki source, I do not put much value on that. MVPs do not represent MS
0
Seth SimmonsSr. Systems AdministratorCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Cliff Galiher (https:#a42501972)
-- Mahesh (https:#a42502193)
-- Cliff Galiher (https:#a42502248)
-- Cliff Galiher (https:#a42502253)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0
Soho_DanAuthor Commented:
Case can be closed.  Thank you all.
0
Windows Server 2016