Windows Vista Tips

Windows Vista Tips > Newsgroups > Windows Server > DNS Server > Private address space top level domain (.local or .net)


Private address space top level domain (.local or .net)

 
 
Steve Buckley, 08-12-2009

When I first set up Active Directory in 2000 I quickly came to the
conclusion it was better to use a non-existent TLD (like .local).
Later in the 2003 literature it seemed Microsoft were following suit.
I've been working through the Server 2008 Training Kit and am noticing that
MS now seem to recommend using .net, .org etc. for private DNS
schemes.
Is there any reason for this; you don't really want anyone to be able to
resolve these names from "The Internet"... or do you?
Can anyone shed any light on this?

 
Meinolf Weber [MVP-DS], 08-12-2009

Hello Steve,

In the private range basically you can choose what you like. .local has problems
when Mac OS machines are in the domain, so I think that's one of the reasons
they changed. If you have a web site name like company.org I suggest using another
TLD in the private network like .loc, so you have no problems with split
DNS configuration when both names are the same.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
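An added illustration of the split-DNS problem Meinolf is referring to (editor-supplied Python, not code from the thread or from Microsoft). A DNS server that is authoritative for a zone answers NXDOMAIN for any name it does not hold in that zone; it never forwards such a query. So when the AD domain name is the same as the public web-site name, the internal DNS servers shadow the public zone and every public record (www, mail, autodiscover and so on) has to be copied into the internal zone by hand and kept in sync. The toy resolver below models only that rule, with no caching or delegation chasing; the zone names, hosts and addresses are constructed sample data.

```python
"""Model of the split-DNS problem: AD domain name == public web-site name.

Editor-added example, not code from the thread. A DNS server that is
authoritative for a zone answers NXDOMAIN for unknown names in that zone
and never forwards them; this toy resolver models only that rule (no
caching, no delegation chasing). Zone names, hosts and IPs are constructed.
"""

NXDOMAIN = None  # stand-in for a negative answer


class InternalDnsServer:
    """Authoritative for the zones it hosts, forwards everything else."""

    def __init__(self, zones, forwarder):
        # zones: {"zone.name": {"host.zone.name": "ip", ...}}
        self.zones = {
            z.lower().strip("."): {n.lower().strip("."): ip for n, ip in rr.items()}
            for z, rr in zones.items()
        }
        self.forwarder = forwarder  # callable(fqdn) -> ip or NXDOMAIN

    def authoritative_zone(self, fqdn):
        """Longest-suffix match: the most specific hosted zone wins."""
        labels = fqdn.lower().strip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def resolve(self, fqdn):
        zone = self.authoritative_zone(fqdn)
        if zone is not None:
            # Authoritative answer: a name missing from our copy of the zone is
            # NXDOMAIN even if the public Internet has a record for it.
            return self.zones[zone].get(fqdn.lower().strip("."), NXDOMAIN)
        return self.forwarder(fqdn)


# Constructed view of the public Internet (what the ISP's resolver would say).
PUBLIC_RECORDS = {
    "www.company.org": "203.0.113.10",
    "mail.company.org": "203.0.113.25",
}


def public_forwarder(fqdn):
    return PUBLIC_RECORDS.get(fqdn.lower().strip("."), NXDOMAIN)


def same_name_design():
    """AD forest named company.org: the internal zone shadows the public one."""
    return InternalDnsServer({"company.org": {"dc1.company.org": "10.0.0.5"}},
                             public_forwarder)


def separate_name_design():
    """AD forest named company.loc (Meinolf's suggestion): nothing is shadowed."""
    return InternalDnsServer({"company.loc": {"dc1.company.loc": "10.0.0.5"}},
                             public_forwarder)


def demo():
    """Resolve public and internal names from an internal client under both designs."""
    shadow, split = same_name_design(), separate_name_design()
    results = {
        "same-name: www.company.org": shadow.resolve("www.company.org"),      # NXDOMAIN
        "same-name: mail.company.org": shadow.resolve("mail.company.org"),    # NXDOMAIN
        "separate-name: www.company.org": split.resolve("www.company.org"),   # 203.0.113.10
        "separate-name: dc1.company.loc": split.resolve("dc1.company.loc"),   # 10.0.0.5
    }
    # The split-DNS chore: every public record must be mirrored into the internal
    # zone by hand and kept in step with the public zone for the life of the domain.
    shadow.zones["company.org"]["www.company.org"] = PUBLIC_RECORDS["www.company.org"]
    results["same-name after mirroring: www.company.org"] = shadow.resolve("www.company.org")
    return results


if __name__ == "__main__":
    for query, answer in demo().items():
        print(f"{query:48} -> {answer if answer is not None else 'NXDOMAIN'}")
```

The "after mirroring" line is the maintenance Meinolf is warning about: with a distinct internal name (company.loc here) the public names simply fall through to the forwarder and nothing has to be mirrored.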


 
Chris Dent, 08-12-2009


The current suggestions are documented here:

http://support.microsoft.com/kb/909264

It tends to focus more on a private sub-domain of a public domain rather
than something like .local. An example of that would be corp.domain.com.

Even if you use a public name for AD there's no reason that the names
within that zone should be available on the Internet. For that to happen
you would have to expose your internal DNS servers to the public (and
register them as the DNS servers for the public domain).

Using a sub-domain of the public domain side-steps any disadvantages
associated with using a public domain name (split brain, inability to
reclaim "http://domain.com" from AD, etc).

So why not .local? We can only guess. Perhaps there are concerns about
compatibility. Or perhaps they worry that suggesting everyone use a TLD
that isn't reserved in any way is a bad plan in the longer term, even if
it's very unlikely that anything will happen with .local.

Whatever you do, you should avoid the TLD names here:

http://www.iana.org/domains/root/db/

Especially anything like .int. That one is always fun if you ever need
to get a certificate for the domain (unless you really do actually work
for an organisation like the UN).

Chris

 
Ace Fekay [MCT], 08-12-2009

I'm leaning towards, and have been using, the .net version of a company name,
if available for purchase, for internal names. I mean you can still go with
a .local, or a subdomain of the company name, if you like, but
experience with one company a couple of years ago with an Exchange 2007
implementation and purchasing a cert has made me rethink and use the .net
version.

The reason is the Exchange 2007 cert type required should be a UCC/SAN cert.
They contain multiple names, including the internal FQDN and the NetBIOS name
of the machine:

mail.domain.com
autodiscover.domain.com
servername.internaldomain.com
servername

I know some folks will say or even respond to this post that these names are
not needed and you can get away with a single-name cert, but a single name
doesn't cover Outlook Anywhere connection methods.

When purchasing the cert, the registered names of the domains in
question are all checked. So if you have a public name of American Ball
Club, and the external name is ameriball.com (or whatever), but at one point
you've decided to use abc.net for the internal, well, that name will be
checked. In this case, if abc.net (unknowingly) belongs to someone else, it
will get denied.

If it is a .local name, it won't be checked, and will be approved, since it
doesn't exist.

Don't get me wrong, you can call it any internal name you want, but just for
consistency's sake, many are starting to lean towards the .net version of the
name, as long as it's not registered, and if it isn't, make sure you
register it.

I like those articles Chris posted, too. They're good to know for DNS name
limitations and other recommendations, including for this type of thing. I
have a blog I'm putting together regarding AD naming conventions, including
pros, cons, Exchange 2007 UCC/SAN considerations, etc., but I haven't quite
completed and proofed it yet. It pretty much includes what I discussed here.
I'll let you know if I complete it any time soon.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum to benefit from collaboration
among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.



 
 
Steve Buckley, 08-12-2009

Yes, certificates are something that may be propelling this, especially with
the move towards IPv6.
With the use of a valid Internet domain name I guess you keep your options
open for the possibility that going forward all networks will be
homogeneously connected with one big IPv6 Internet.
IPv6 addresses can roam and will use the same certificate when connected
to any network (just the network address changes and the home router
redirects connections to the current host network).
This also allows you to authenticate and connect directly to your LAN from
anywhere as long as the firewall rules permit (no VPN required).
Guess I'd better start using .biz addresses internally now.
 
Ace Fekay [MCT], 08-12-2009

Good point about certificate portability.

The .biz namespace seems to be a good alternative, too!

Ace


 
 
Kerry Brown, 08-12-2009

Great thread.

Another problem that will be coming up is that ICANN is looking at allowing many
new gTLDs. Some being considered are .green, .horse, .eco, .nyc, .quebec and
thousands more. Combine this with IDNs, also upcoming, and it's all too
likely that sometime in the future whatever non-standard TLD you pick may
suddenly be public. It's unlikely .local or .internal would ever be approved
as a gTLD but who knows what the future holds. I think using a subdomain of
an existing public domain or buying a gTLD name like .net is the best
practice for now.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
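The following Python is added by the editor and is not part of the thread; it turns the naming advice in Chris's, Ace's and Kerry's posts into an offline check. It classifies a candidate AD DNS name by its top-level label (a delegated public TLD, an IANA special-use name, or an undelegated TLD that a later gTLD round could claim) and then runs the same classifier over a UCC/SAN name list like the one in Ace's Exchange 2007 example. DELEGATED_TLDS is a small constructed subset of the IANA root database Chris linked to, not the full list, and should be refreshed from IANA before being relied on; the .local entry in SPECIAL_USE reflects RFC 6762 (multicast DNS, the Bonjour behaviour behind the Mac OS problems Meinolf mentions). One caveat from after the thread was written: since November 2015 the CA/Browser Forum Baseline Requirements forbid public CAs from issuing certificates that contain internal names at all, so the "not checked, therefore approved" path Ace describes for a .local SAN entry no longer exists, and the audit below treats such entries as internal-only.

```python
"""Offline sanity check for an AD DNS name and a UCC/SAN certificate name list.

Editor-added example, not code from the thread. DELEGATED_TLDS is a small
constructed subset of the IANA root zone database
(http://www.iana.org/domains/root/db/), not the full list; refresh it before
relying on the result. SPECIAL_USE follows RFC 2606/6761 and, for .local,
RFC 6762 (mDNS, which is why Macs misbehave in a .local AD domain).
"""

# Constructed subset of delegated TLDs; the real root zone has many more.
DELEGATED_TLDS = {"com", "net", "org", "biz", "info", "int", "edu", "gov", "mil",
                  "uk", "de", "ca"}

# Reserved names: the root answers NXDOMAIN and a public CA will not validate them.
SPECIAL_USE = {"local", "localhost", "invalid", "example", "test"}

# Delegated, but with eligibility rules (.int: intergovernmental treaty organisations).
RESTRICTED = {"int", "gov", "mil", "edu"}


def classify(name):
    """Return (kind, note) for a DNS name judged as an AD forest-root candidate."""
    labels = [lbl for lbl in name.lower().strip(".").split(".") if lbl]
    if not labels:
        return "empty", "no labels"
    if len(labels) == 1:
        return "single-label", "single-label name: no TLD at all; avoid"
    tld = labels[-1]
    if tld in SPECIAL_USE:
        return "special-use", f".{tld} is reserved by RFC 2606/6761/6762; not issuable"
    if tld in DELEGATED_TLDS:
        registrable = f"{labels[-2]}.{tld}"
        if tld in RESTRICTED:
            return "restricted-public", (f".{tld} is delegated but eligibility-restricted; "
                                         "a cert needs proof you qualify")
        if len(labels) >= 3:
            return "public-subdomain", f"subdomain of {registrable}: fine if you hold that registration"
        return "public-apex", f"{registrable} is a public name: register it and plan for split DNS"
    return "undelegated", f".{tld} is not in the root today but a later gTLD round could delegate it"


ISSUABLE_KINDS = {"public-subdomain", "public-apex", "restricted-public"}


def audit_san_list(names):
    """Split a UCC/SAN name list into names a public CA can validate and internal names."""
    issuable, internal = [], []
    for n in names:
        kind, _ = classify(n)
        (issuable if kind in ISSUABLE_KINDS else internal).append(n)
    return issuable, internal


if __name__ == "__main__":
    for candidate in ("corp.domain.com", "company.org", "company.loc",
                      "company.local", "company.int", "corp"):
        kind, note = classify(candidate)
        print(f"{candidate:18} {kind:18} {note}")
    # Ace's Exchange 2007 list, with the internal domain assumed to be company.local
    ok, bad = audit_san_list(["mail.domain.com", "autodiscover.domain.com",
                              "servername.company.local", "servername"])
    print("issuable:", ok)
    print("internal (cannot be validated by a public CA):", bad)
```

Run against Ace's list with a .local internal domain, the two public names come back as issuable and the internal FQDN plus the bare NetBIOS name do not; with a corp.domain.com style internal name, the internal FQDN moves into the issuable set, which is exactly the advantage the KB 909264 sub-domain recommendation buys you.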