I have noticed that there is a lot of confusion around how to name an Active Directory domain, mainly because the best practices have changed. Pick the name for your Active Directory domain carefully, as it is very hard to change later, although it can be done.
Before I go into the current best practices, here are two popular practices I have seen that are no longer recommended:
• Made-up top-level domains like .local, .loc, .corp, etc. are now being sold by ICANN, so the domain you are using internally today, such as “pixelrobots.local”, could be bought by another company. Also, no major certificate vendor will issue an SSL certificate for a name ending in .local, .loc, .corp, etc.
• Split DNS is when your internal domain name is the same as your external domain name, for example company.co.uk for both. This causes problems for your users when they try to reach the company website, as they will always have to type www. It also increases the administrative workload, as you have to administer both DNS zones.
For the time being, until things change again, I have listed two domain naming options for you.
The first option, which I prefer, is to use an inactive sub-domain of your public company domain. In my case, I would name my Active Directory domain ad.pixelrobots.co.uk, but you can use anything.pixelrobots.co.uk. The advantages of this method are:
• Only one domain name needs to be registered, even if you are going to make part of your internal name publicly accessible.
• Enables you to manage internal and external domains simply and separately.
• All internal domain names will be globally unique.
The only drawback of this method is that you have more to type when entering FQDNs on your network, so keep your sub-domain as short as possible.
The second option, which I do not like, is to use another domain you own that isn’t used anywhere else. For instance, I could use pixelrobots.net, but I would have to buy that domain name, which costs me more money. It can also make things more complicated for users when you later make part of your domain publicly available.
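To turn the guidance above into something you can run before promoting the first domain controller, here is an added PowerShell pre-flight check (example code, not from the original post). It flags made-up TLDs, the split-DNS case, and a sub-domain label that is already in public use. The function name, the list of rejected TLDs, and the sample public host labels are my own assumptions, not anything the post prescribes.

```powershell
# Added example: sanity-check a proposed AD domain name against the naming guidance.
# Function name, rejected-TLD list and the public-label list are assumptions.
function Test-AdDomainNameChoice {
    param(
        [Parameter(Mandatory)] [string] $ProposedDomain,  # e.g. ad.pixelrobots.co.uk
        [Parameter(Mandatory)] [string] $PublicDomain,    # the registered public domain, e.g. pixelrobots.co.uk
        [string[]] $PublicHostLabels = @('www', 'mail', 'remote')  # constructed list of labels already used publicly
    )

    $proposed = $ProposedDomain.Trim().TrimEnd('.').ToLowerInvariant()
    $public   = $PublicDomain.Trim().TrimEnd('.').ToLowerInvariant()
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Made-up TLDs: not guaranteed unique, and public CAs will not issue certificates for them.
    $tld = $proposed.Split('.')[-1]
    if ($tld -in @('local', 'loc', 'corp', 'lan', 'internal')) {
        $findings.Add("FAIL: '.$tld' is not a domain you control; it may be registered by someone else and public CAs will not issue certificates for it.")
    }

    # 2. Split DNS: internal name identical to the public name.
    if ($proposed -eq $public) {
        $findings.Add("WARN: internal name equals the public domain (split DNS); users must type www. for the website and both zones need separate administration.")
    }

    # 3. Preferred pattern: an otherwise unused sub-domain of the registered public domain.
    if ($proposed -ne $public -and $proposed.EndsWith(".$public")) {
        $sub = $proposed.Substring(0, $proposed.Length - $public.Length - 1)
        if ($sub -in $PublicHostLabels) {
            $findings.Add("FAIL: '$sub.$public' is already used publicly; choose an inactive sub-domain.")
        }
        elseif ($sub.Length -gt 8) {
            $findings.Add("INFO: sub-domain label '$sub' is long; a shorter label means less typing in FQDNs.")
        }
    }
    elseif ($proposed -ne $public -and $findings.Count -eq 0) {
        # Second option from the post: a separate domain, acceptable only if you really own it.
        $findings.Add("INFO: '$proposed' is a separate domain; confirm it is registered to you before using it.")
    }

    # 4. Basic DNS label limits (63 characters per label, 255 total) apply to AD names as well.
    if ($proposed.Length -gt 255 -or ($proposed.Split('.') | Where-Object { $_.Length -gt 63 })) {
        $findings.Add("FAIL: a DNS label exceeds 63 characters or the name exceeds 255 characters.")
    }

    $verdict = if ($findings -match '^FAIL') { 'Reject' }
               elseif ($findings -match '^WARN') { 'Reconsider' }
               else { 'OK' }

    [pscustomobject]@{
        Domain   = $proposed
        Verdict  = $verdict
        Findings = if ($findings.Count) { $findings } else { @('OK: inactive sub-domain of a domain you own') }
    }
}

# Constructed sample inputs covering the cases discussed in the post.
'pixelrobots.local', 'pixelrobots.co.uk', 'www.pixelrobots.co.uk', 'ad.pixelrobots.co.uk' |
    ForEach-Object { Test-AdDomainNameChoice -ProposedDomain $_ -PublicDomain 'pixelrobots.co.uk' } |
    Format-List
```

Expected verdicts for the four sample names are Reject, Reconsider, Reject and OK respectively. The check is deliberately offline; it does not query DNS or WHOIS, so ownership of a separate domain (the second option) still has to be confirmed by hand.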
For both options, you can set the NetBIOS name of the domain (the part before the backslash) to whatever you want during domain creation. You can also set the UPN suffix (the part after the @, such as @ad.pixelrobots.co.uk) to anything you want. This lets your AD’s FQDN be something like ad.pixelrobots.co.uk while your users log in as pixelrobots\User or user@pixelrobots.co.uk. The FQDN of the domain has little to do with the format of a user’s login name, other than supplying a reasonable default.
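The following is an added PowerShell walkthrough (not code from the original post) showing the three names being set independently: the forest FQDN, the NetBIOS name, and an alternative UPN suffix. The domain, NetBIOS name and UPN suffix are the post's illustrative values; the user account jsmith is constructed, and the script assumes a fresh Windows Server on which you are local Administrator and, after the reboot, a domain administrator.

```powershell
# Added example: forest FQDN, NetBIOS name and UPN suffix are chosen separately.
# Domain values follow the post; the jsmith account is constructed for illustration.

# 1. Install the role, then create the forest. The FQDN is an inactive sub-domain of the
#    public domain; the NetBIOS name (the part before the backslash) is chosen independently.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Install-ADDSForest `
    -DomainName 'ad.pixelrobots.co.uk' `
    -DomainNetbiosName 'PIXELROBOTS' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force
# The server reboots here. Continue as a domain administrator.

# 2. Register the public domain as an alternative UPN suffix so users can sign in as
#    user@pixelrobots.co.uk although the AD FQDN is ad.pixelrobots.co.uk.
Set-ADForest -Identity 'ad.pixelrobots.co.uk' -UPNSuffixes @{ Add = 'pixelrobots.co.uk' }

# 3. Create a user whose UPN uses the public suffix. SamAccountName serves the
#    PIXELROBOTS\jsmith form; UserPrincipalName serves jsmith@pixelrobots.co.uk.
$initial = Read-Host -AsSecureString -Prompt 'Initial password for jsmith'
New-ADUser -Name 'Jane Smith' -SamAccountName 'jsmith' `
    -UserPrincipalName 'jsmith@pixelrobots.co.uk' `
    -AccountPassword $initial -Enabled $true

# 4. Existing accounts keep the default @ad.pixelrobots.co.uk suffix until changed.
Get-ADUser -Filter { UserPrincipalName -like '*@ad.pixelrobots.co.uk' } |
    ForEach-Object {
        Set-ADUser -Identity $_ -UserPrincipalName "$($_.SamAccountName)@pixelrobots.co.uk"
    }

# 5. Verify that the three names are independent of one another.
Get-ADDomain | Select-Object DNSRoot, NetBIOSName
Get-ADForest | Select-Object -ExpandProperty UPNSuffixes
Get-ADUser -Identity 'jsmith' | Select-Object SamAccountName, UserPrincipalName
```

Step 4 is optional and rewrites every UPN in the domain, so run it only once you are sure no application depends on the old suffix. Choosing a UPN suffix that matches a domain you own and control also matters later if you federate or synchronise identities, since those services verify that the suffix belongs to you.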