
Active Directory: What should the new Active Directory be called?

My last posts on the subject of Active Directory have brought an important question to light:

What should the new Active Directory be called?

In this article I have made the following statement:

If you are starting on a greenfield site, you can choose the name of the Active Directory freely. Names such as firma.local are no longer used in new environments; a name like ad.firma.de is the better choice. Nevertheless, names such as firma.local or firma.intern can still be used. The root domain name must not be a single label, however: "firma" or "intern" on its own is therefore not possible.

After various emails and a comment, I realized that I should justify this statement, hence this article. One thing in advance: nobody has to rename or reinstall an existing Active Directory.

If you install a brand new Active Directory, however, you should give the name as much thought as the design.

To be precise, you need to think about two names: the NetBIOS name and the DNS name (FQDN) of the new environment. That a domain has two names within the Active Directory becomes obvious during installation: the setup wizard asks for the FQDN first, and the NetBIOS name follows in one of the later dialogs.

When choosing the name, you must first of all follow the naming conventions. The FQDN is subject to the DNS rules: each label may contain letters, digits and hyphens, must not begin or end with a hyphen, and must not exceed 63 characters.

The NetBIOS name is limited to 15 characters. Although a few special characters are allowed, they should be avoided; use only letters and digits.

The NetBIOS name and the FQDN are independent of each other and may differ. Furthermore, the FQDN must not be a single label: a bare "frankysweb", "local" or "de" is not permitted. The FQDN must consist of at least two labels (frankysweb.local or frankysweb.de). Single-label domain names are no longer supported by various services, the best-known example being Exchange.
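The rules above, and the reasons given later in this article for avoiding private suffixes and for not reusing the registered domain itself, can be checked before the forest is installed. The following PowerShell function is an added example and not code from the original article; the candidate names (frankysweb.de as the registered domain, the list of private suffixes) are assumptions for illustration, and the character set it enforces is the conservative hostname set rather than everything Windows DNS would technically accept.

```powershell
# Added example (not from the original article): validate a planned AD name pair
# against the naming rules and recommendations discussed in the text.
function Test-AdDomainName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [Parameter(Mandatory)] [string] $NetbiosName,
        # Publicly registered domain the company owns (assumption: frankysweb.de)
        [string] $RegisteredDomain
    )
    $problems = @()

    # DNS rules: at least two labels, each 1-63 characters of letters, digits and
    # inner hyphens; the whole name must not exceed 255 characters.
    $labels = $Fqdn.ToLower().Split('.')
    if ($labels.Count -lt 2) {
        $problems += "FQDN '$Fqdn' is a single-label name; at least two labels are required."
    }
    if ($Fqdn.Length -gt 255) { $problems += "FQDN exceeds 255 characters." }
    foreach ($label in $labels) {
        if ($label -notmatch '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$') {
            $problems += "Label '$label' violates DNS hostname rules (letters, digits, inner hyphens, 1-63 chars)."
        }
    }

    # Suffixes that are not registrable public TLDs (.local is additionally reserved
    # for multicast DNS by RFC 6762): not globally unique, no public CA certificates.
    $privateTlds = 'local', 'lan', 'intern', 'internal', 'corp', 'home'
    $tld = $labels[-1]
    if ($tld -in $privateTlds) {
        $problems += "TLD '.$tld' is not a registrable public TLD; use a subdomain of a registered name instead."
    }

    if ($RegisteredDomain) {
        # Using the registered domain itself as the AD name forces split-brain DNS.
        if ($Fqdn -ieq $RegisteredDomain) {
            $problems += "FQDN equals the registered domain '$RegisteredDomain'; use a dedicated subdomain such as 'ad.$RegisteredDomain'."
        }
        # Recommended layout: the AD namespace sits below the registered domain.
        elseif ($Fqdn -notlike "*.$RegisteredDomain") {
            $problems += "FQDN is not a subdomain of the registered domain '$RegisteredDomain'."
        }
    }

    # NetBIOS rules: 1-15 characters; special characters are allowed but discouraged,
    # so only letters and digits are accepted here; all-digit names are rejected.
    if ($NetbiosName.Length -lt 1 -or $NetbiosName.Length -gt 15) {
        $problems += "NetBIOS name '$NetbiosName' must be 1-15 characters long."
    }
    if ($NetbiosName -notmatch '^[A-Za-z0-9]+$') {
        $problems += "NetBIOS name '$NetbiosName' should contain only letters and digits."
    }
    if ($NetbiosName -match '^\d+$') { $problems += "NetBIOS name must not consist of digits only." }

    [pscustomobject]@{
        Fqdn        = $Fqdn
        NetbiosName = $NetbiosName
        Ok          = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

# Constructed candidates, mirroring the examples used in this article
$candidates = @(
    @{ Fqdn = 'ad.frankysweb.de'; NetbiosName = 'FRANKYSWEB' },        # recommended layout
    @{ Fqdn = 'frankysweb.local'; NetbiosName = 'FRANKYSWEB' },        # private suffix
    @{ Fqdn = 'frankysweb';       NetbiosName = 'FRANKYSWEB' },        # single label
    @{ Fqdn = 'frankysweb.de';    NetbiosName = 'FRANKYSWEB' },        # equals registered domain
    @{ Fqdn = 'ad.frankysweb.de'; NetbiosName = 'FRANKYS-WEB-INTERN' } # NetBIOS too long, hyphens
)
foreach ($c in $candidates) {
    Test-AdDomainName @c -RegisteredDomain 'frankysweb.de' |
        Format-List Fqdn, NetbiosName, Ok, Problems
}
```

Only the first candidate comes back with `Ok = True`; each of the others lists the rule it breaks, which makes the function a useful gate in a build script before `Install-ADDSForest` is ever run.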

So much for the technical requirements. Back to the actual question, why shouldn't a new Active Directory simply be called firma.local, firma.intern or firma.lan?

  1. Top-level domains (TLDs) have been sold in every conceivable variation for some time now. The classic TLDs such as .de and .com have been joined by ever more exotic ones, so it is conceivable that at some point .intern or .lan will also be sold and listed as an official TLD. This would inevitably lead to problems with name resolution. The suffix .local is a special case: it is reserved for multicast DNS (RFC 6762), so macOS and Linux clients may try to resolve such names via mDNS instead of asking the domain controllers.
  2. Public certification authorities do not issue SSL certificates for non-official TLDs; since November 2015 the CA/Browser Forum Baseline Requirements have prohibited certificates for internal names altogether. If you want to equip internal servers with a certificate from a public CA, you will inevitably have to use a valid, publicly resolvable name. No public CA will issue a certificate for intranet.firma.local.
  3. The Active Directory name should be unique. A merger of two companies with the same AD name (e.g. ad.local) will cause pain, even if only a VPN connection between the two is to be implemented.


Considering that an Active Directory is used for a very long time and that renaming it (if possible at all) or reinstalling it is only possible with great effort, these points should not be neglected. After all, who can say which TLDs will be registered in the next 5 or 10 years?

Most companies already have a domain registered anyway, so it makes sense to build on this domain. FrankysWeb serves as an example. I have registered the domain frankysweb.de, which ensures that there is no second domain that is also called frankysweb.de. Obtaining certificates for this public domain is also no problem, as it is officially registered.

The FQDN for the Active Directory could therefore be ad.frankysweb.de, for example, with "FRANKYSWEB" as the NetBIOS name. Users could log in as "frankysweb\username" or as "username@ad.frankysweb.de"; if the shorter "username@frankysweb.de" is preferred, the registered domain can be added to the forest as an alternative UPN suffix. Computer names then look like server1.ad.frankysweb.de. This looks quite tidy and avoids the problems mentioned above.

By the way, the FQDN of the Active Directory should not be identical to the registered domain name. In my case, the AD should not be called frankysweb.de: the domain controllers would then have to be authoritative for frankysweb.de internally, every public record (www, mail and so on) would have to be maintained a second time in the internal zone, and the zone apex would point at the domain controllers instead of the public web server. This split-brain DNS causes more problems than it solves.
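Putting the recommended layout into practice: the following PowerShell sequence is an added example and not part of the original article. It promotes the first domain controller of a new forest named ad.frankysweb.de with the NetBIOS name FRANKYSWEB, leaves the public zone frankysweb.de to the upstream resolver so that no split-brain DNS is needed, and registers frankysweb.de as an alternative UPN suffix. The forwarder address, the DSRM password prompt and the functional level are assumptions.

```powershell
# Added example (not from the original article): build a forest with the names
# recommended above. Addresses and the password prompt are assumptions.

# 1. Promote the first domain controller. FQDN and NetBIOS name are passed
#    separately; the NetBIOS name is not derived from the DNS name.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest `
    -DomainName 'ad.frankysweb.de' `
    -DomainNetbiosName 'FRANKYSWEB' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force
# The server reboots automatically once promotion completes.

# --- after the reboot, on the new domain controller ---

# 2. The internal DNS server hosts only the ad.frankysweb.de zone. Names in the
#    public zone frankysweb.de (www, mail, ...) are resolved via the forwarder,
#    so nothing has to be duplicated internally: no split-brain DNS.
Add-DnsServerForwarder -IPAddress 192.0.2.53   # assumption: upstream resolver

# 3. Allow logins as user@frankysweb.de instead of user@ad.frankysweb.de:
#    register the public name as an alternative UPN suffix and assign it to
#    every user that still carries the default suffix.
Set-ADForest -Identity 'ad.frankysweb.de' -UPNSuffixes @{ Add = 'frankysweb.de' }
Get-ADUser -Filter 'UserPrincipalName -like "*@ad.frankysweb.de"' |
    ForEach-Object {
        Set-ADUser -Identity $_ -UserPrincipalName ('{0}@frankysweb.de' -f $_.SamAccountName)
    }

# 4. Sanity check: DNS root, NetBIOS name and forest must match the plan
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, Forest
Get-ADForest | Select-Object -ExpandProperty UPNSuffixes
```

The UPN suffix step is what makes the short public name usable for logins (and for matching cloud identities) without the directory itself being named frankysweb.de; the DNS name of the forest stays ad.frankysweb.de, exactly as the Microsoft guidance quoted below recommends.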

Here is a very old Microsoft article on this topic, which is still valid:

Best Practice Active Directory Design for Managing Windows Networks

It states:

As a best practice use DNS names registered with an Internet authority in the Active Directory namespace. Only registered names are guaranteed to be globally unique. If another organization later registers the same DNS domain name, or if your organization merges with, acquires, or is acquired by another company that uses the same DNS names then the two infrastructures can never interact with one another.

Add a prefix that is not currently in use to the registered DNS name to create a new subordinate name. For example, if your DNS root name were contoso.com then you should create an Active Directory forest root domain name such as concorp.contoso.com, where the namespace concorp.contoso.com is not already in use on the network. This new branch of the namespace will be dedicated to Active Directory and Windows 2000 and can easily be integrated with the existing DNS implementation.

So the recommendations are by no means new.
