
I have noticed that there is a lot of confusion around how to name an Active Directory domain, primarily because the best practices have changed. Picking a name for your Active Directory domain should be planned carefully, because it is very hard to change, although it can be done.

Before I go into the current best practices, here are two popular practices that I have seen that are no longer recommended:

• Generic top-level domains like .local, .loc, .corp, etc. are now being sold by ICANN, so the domain you could be using internally today, “pixelrobots.local”, could be bought by another company. Also, no major certificate vendor will issue an SSL certificate for an address ending in .local, .loc, .corp, etc.

• Split DNS is when your internal domain name is the same as your external domain name, so company.co.uk for both. This can cause issues for your users when trying to access your company website, as they will always have to use www. It also increases the administrative workload, as you will have to administer both DNS zones.

For the time being, until things change again, I have listed two domain naming options for you.

The first one, which I prefer, is to use an inactive sub-domain of your public company domain. So in my case, I would name my Active Directory domain ad.pixelrobots.co.uk. You can use anything.pixelrobots.co.uk. The advantages of this method are:

• Only one domain name needs to be registered, even if you are going to make part of your internal name publicly accessible.
• Enables you to manage internal and external domains simply and separately.
• All internal domain names will be globally unique.

The only drawback of this method is that you have more to type when entering FQDNs on your network, so keep your subdomain as short as possible.

The second option, which I do not like, is to use another domain you own which isn’t used elsewhere. For instance, I could use pixelrobots.net, but I would have to buy this domain name, which costs me more money. It can also make things more complicated for users when you make part of your domain publicly available.

For both options, you can set the NetBIOS name of the domain (the part before the backslash) to whatever you want during domain creation. You can also set the UPN suffix (the @ad.pixelrobots.co.uk part) to anything that you want. This allows your AD’s FQDN to be something like ad.pixelrobots.co.uk, while your users log in with pixelrobots\User or user@pixelrobots.co.uk. The FQDN of the domain has little to do with the format of a user’s login name, other than that it picks a reasonable default.
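As an added example that is not from the original post, here is how those three names (DNS name, NetBIOS name and UPN suffix) are set independently with the ADDSDeployment and ActiveDirectory PowerShell modules, using the post's own example names; the user account jsmith is an assumption.

```powershell
# Added example (not the post's own code): build a forest named after the inactive
# sub-domain ad.pixelrobots.co.uk, give it the shorter NetBIOS name PIXELROBOTS, then
# register the public domain pixelrobots.co.uk as an alternative UPN suffix so users
# sign in as PIXELROBOTS\jsmith or jsmith@pixelrobots.co.uk.
# Run elevated on the server that will become the first domain controller.
# The account name 'jsmith' is assumed to exist already.

# 1. Promote the first domain controller. The DNS name and the NetBIOS name are
#    separate parameters; the NetBIOS name is not derived from the FQDN.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest `
    -DomainName 'ad.pixelrobots.co.uk' `
    -DomainNetbiosName 'PIXELROBOTS' `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
    -Force

# --- the server reboots here; continue on the new domain controller ---

# 2. Register the public domain as an alternative UPN suffix at forest level.
Set-ADForest -Identity 'ad.pixelrobots.co.uk' -UPNSuffixes @{ Add = 'pixelrobots.co.uk' }

# 3. Give a user the shorter UPN. The sAMAccountName (used as PIXELROBOTS\jsmith)
#    and the UserPrincipalName are independent attributes on the same account.
Set-ADUser -Identity 'jsmith' -UserPrincipalName 'jsmith@pixelrobots.co.uk'

# 4. Verify that the three names ended up as intended.
Get-ADDomain | Select-Object DNSRoot, NetBIOSName
Get-ADForest  | Select-Object RootDomain, UPNSuffixes
Get-ADUser -Identity 'jsmith' | Select-Object SamAccountName, UserPrincipalName
```

Decide on all three names before running step 1; the DNS and NetBIOS names are the ones the post warns are hard to change later, whereas UPN suffixes can be added or changed at any time.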


Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.
