• Some users have recently had their accounts hijacked. It seems that the now defunct EVGA forums might have compromised your password there and seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
    Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.

Internal Domain Naming Convention

CrimsonKnight13

Lord Stabington of [H]ard|Fortress
2FA
Joined
Jan 8, 2008
Messages
9,599
I keep seeing a ton of sites that recommend using a certain set of TLDs for internal domains. I'm quite confused since nothing seems to be giving a completely direct & concise answer.

What is considered the best practices for naming an internal domain?
Should I utilize my "owned" personal domain name with a subdomain or make a unique one?
If I do use a registered domain name, does the subdomain need to be added to the internet nameservers I use?
Any other advice?
 
I generally use .local.

The other school of thought is that you should use your public DNS zone. I don't like this method because you can create conflicts for yourself, between the internal and external zones.

If you use .local, you can easily add an additional internal zone for your public TLD, where it won't affect anything you do with AD.
 
When Microsoft originally brought out Active Directory they took the phrase "domain name" and made it their own thing and recommended that you use your Internet Domain name as your Active Directory domain name.

With later versions of Active Directory Microsoft stopped recommending that you use your Internet Domain Name because it caused issues. The last I knew it was best practice to use .local for your Internal Active Directory domain.
 
For SMB I use ".local" that matches the clients public domain name.

Example....
Client has website and company e-mail that is "clientsname.com"....I'll make their AD "clientsname.local".
 
Microsoft does not recommend .local anymore and people shouldn't be using it. It conflicts with things such as Bonjour and Macs. MS now recommends either a domain or subdomain you own (important!) that will NOT be publicly accessible. They also say to not make up TLDs for it either.

Alternatively, if you really want you can use a domain that is publicly accessible and do split DNS, but that can be a pain, especially if you don't quite know what you're doing.
 
Microsoft does not recommend .local anymore and people shouldn't be using it. It conflicts with things such as Bonjour and Macs. MS now recommends either a domain or subdomain you own (important!) that will NOT be publicly accessible. They also say to not make up TLDs for it either.

Alternatively, if you really want you can use a domain that is publicly accessible and do split DNS, but that can be a pain, especially if you don't quite know what you're doing.

Let's say I own domain.com. What would I need to do with the public zone in order to make a private subdomain work properly (ex: internal.domain.com)?
 
A quite old IETF draft recommends .local: http://tools.ietf.org/html/draft-ietf-dnsind-local-names-07

I have always used .local when I couldn't use anything else. If they have a domain example.com, there's no problem using lan.example.com locally. It's easy to make it visible only locally so external clients see no lan.example.com.

Keeping the lan.example.com subdomain CNAME record off of a public nameserver will keep it invisible to the public? If so, going that route makes good sense.
 
Microsoft does not recommend .local anymore and people shouldn't be using it. It conflicts with things such as Bonjour and Macs..

Anything "CrApple MAC" conflicts with the bottom of my size 12 boot...I'll save the MAC network IT work for people wearing birkenstocks and wearing patchouli oil...which I do not.

The MAC issue, only causes them to fail to join the AD if they're using their native protocol...if you change them to using DNS (like you run in AD anyways with your Winders boxes)...works fine.

And Bonjour.....since it causes so many issues with CPU utilization spiking, soon as I see that on any Windows rigs it's yanked.

I only saw they stopped recommending it because .local is not officially reserved for private anymore. But we know it will not become an officially public TLD either...it's safe as remaining private.
 
Keeping the lan.example.com subdomain CNAME record off of a public nameserver will keep it invisible to the public? If so, going that route makes good sense.

Not CNAME, rather NS.

A zone lan.example.com is in no way connected to example.com. In example.com, the record for "lan" simply doesn't exist and the server returns NXDOMAIN. Internally, lan.example.com is a wholly separate zone which only gets queried for lan.example.com and anything beneath. Queries for anything else in example.com go to the default forwarder and should end up at the external DNS servers just like for everyone else.
 
Anything "CrApple MAC" conflicts with the bottom of my size 12 boot...I'll save the MAC network IT work for people wearing birkenstocks and wearing patchouli oil...which I do not.

The MAC issue, only causes them to fail to join the AD if they're using their native protocol...if you change them to using DNS (like you run in AD anyways with your Winders boxes)...works fine.

And Bonjour.....since it causes so many issues with CPU utilization spiking, soon as I see that on any Windows rigs it's yanked.

I only saw they stopped recommending it because .local is not officially reserved for private anymore. But we know it will not become an officially public TLD either...it's safe as remaining private.

Not CNAME, rather NS.

A zone lan.example.com is in no way connected to example.com. In example.com, the record for "lan" simply doesn't exist and the server returns NXDOMAIN. Internally, lan.example.com is a wholly separate zone which only gets queried for lan.example.com and anything beneath. Queries for anything else in example.com go to the default forwarder and should end up at the external DNS servers just like for everyone else.

The flowing of good advice. I appreciate all of it. :)
 
Subdomain of registered domain, ie: corp.foo.com or just the registered parent domain. Split DNS is trivial to deal with BTW.

.local is meh but you can be successful using any of them.
 
Besides Apple's products, are there any other known applications (or protocols) that could give issue with ".local" AD domain names?
 
our company domain is
company.org

so our internal domain is
ad.company.org

thus our "domain" is called AD, which is awesome. because when you log in everything is AD\username

just makes sense.
 
I can see it both ways... I'm a big fan of .local domains. Apple can stick their bonjour service where the sun don't shine.

The job I just started is using a sub domain of our public domain.. It works but wouldn't have been my first choice...
 
Rule of thumb- if you don't understand any of this- use .local
If you do understand most of this, use local.yourdomain.com or similar
If you run SBS or Exchange, simplest config will assume you are using public-facing domain name, e.g. yourdomain.com. This can be remedied in the case of using local.yourdomain.com by adding a send connector for the public domain.
 
I can see it both ways... I'm a big fan of .local domains. Apple can stick their bonjour service where the sun don't shine.

The job I just started is using a sub domain of our public domain.. It works but wouldn't have been my first choice...

It's cute you think only Apple uses Bonjour :D

The IETF registered .local and willfully using a reserved name (and one that is shown to break things on both platforms) is quit idiotic.
 
Last edited:
Anything "CrApple MAC" conflicts with the bottom of my size 12 boot...I'll save the MAC network IT work for people wearing birkenstocks and wearing patchouli oil...which I do not.

The MAC issue, only causes them to fail to join the AD if they're using their native protocol...if you change them to using DNS (like you run in AD anyways with your Winders boxes)...works fine.

And Bonjour.....since it causes so many issues with CPU utilization spiking, soon as I see that on any Windows rigs it's yanked.

I only saw they stopped recommending it because .local is not officially reserved for private anymore. But we know it will not become an officially public TLD either...it's safe as remaining private.

You don't deal with Media Access Control in your network job? It's "Mac". It's not an acronym. If you learn that maybe in the future you'll stop looking like an idiot. It must really hurt to see Macs increasing in business every year, and that's not even counting iPads :D
 
Besides Apple's products, are there any other known applications (or protocols) that could give issue with ".local" AD domain names?

It's a reserved name, which means in the future problems can occur. HP and others use Bonjour for various things.
 
Microsoft does not recommend .local anymore and people shouldn't be using it.

True.

It conflicts with things such as Bonjour and Macs.

Besides the point, especially if you have zero intention of putting Macs or any Apple products on your LAN.

MS now recommends either a domain or subdomain you own (important!) that will NOT be publicly accessible. They also say to not make up TLDs for it either.

The practical and functional differences between subdomain.realdomain.com and fakedomain.local are negligible.
 
It's cute you think only Apple uses Bonjour :D

The IETF registered .local and willfully using a reserved name (and one that is shown to break things on both platforms) is quit idiotic.

I think it's funny how you think I give two shits about bonjour even if it's more than an apple protocol. I guess not everyone can be the network administrator you are
 
True.



Besides the point, especially if you have zero intention of putting Macs or any Apple products on your LAN.

Sure, YOU may not. But that doesn't mean your boss(es) or the executives may not. Or some new product by someone else. Or someone after you leave. Willfully using a reserved name because YOU don't think you need it when they're plenty of alternatives just isn't being a good administrator.


The practical and functional differences between subdomain.realdomain.com and fakedomain.local are negligible.

Until .local suddenly starts getting used for something else (because being reserved it definitely CAN, just like any reserved name). Your owned subdomain doesn't have that limitation.
 
Two customers I inherited from another consultant have .local
Customers I built from scratch I used .priv
At home I use .SMB
 
.local is common. I like .loc because it's shorter, that's what I use at home. I've seen .int used as well. As long as it's not a TLD that is common. I would avoid using .net etc or if you do register the domain name.
 
I committed to .local, which has been working quite well. Now for plenty of testing.
 
.local is common. I like .loc because it's shorter, that's what I use at home. I've seen .int used as well. As long as it's not a TLD that is common. I would avoid using .net etc or if you do register the domain name.
of all the TLDs to use .int is one of the worst because you absolutely cannot get a domain on it.
 
I use .local for mine. Habit I guess

Maybe I'll switch to something more creative.

.pornstarnamesIlike

Think customers would notice? Bah, probably not
 
of all the TLDs to use .int is one of the worst because you absolutely cannot get a domain on it.

That's kinda the idea, I prefer to use something that's not available, or at least, if it is, is not really popular. Though I don't hate the idea of using a subdomain as well. Like int.domain.com or something like that.
 
I use .local for mine. Habit I guess

Maybe I'll switch to something more creative.

.pornstarnamesIlike

Think customers would notice? Bah, probably not

I'd keep that for the server naming convention. Call each server after a porn star. :D
 
For those that despise the way of OS X, I was able to join my MacBook (w/ 10.7.4) to my domain (ex: domain.local) without any issues. No apparent chaos so far.
 
Back
Top