So I work for a reasonable-size IT and telecoms company which in the last few years has absorbed several other ‘IT’ companies, ranging from desktop and server support to ‘cloud’ offerings to software development and so on, which has resulted in my getting to see a lot of different sides of this wonderful industry.
It also highlighted that IT people could not agree on the ‘best’ or ‘right’ way to do something if they tried.
One thing I have noticed a lot of division on is how to set up AD forests, specifically the domain name. Some use .local, which is obviously not a real external domain and can only exist internally, as it were, but gets around any potential DNS issues you might have with your external domain if the two matched, whilst others have the internal and external domain names the same, and I know that as long as you set up DNS correctly this is also a perfectly valid way to do things.
I also know some have mentioned using a subdomain of your external domain for your AD, though I’ve yet to see that implemented where I work.
My question is thus - what would you do? What is your preferred way to configure AD? What are the pros and cons you’ve found doing it one way over another?
I have only been working in the industry about 4 years now and have seen a lot of different viewpoints, some of which seem to boil down to “using an external domain for AD is madness, everything breaks!”, which I know not to be the case, but that doesn’t mean that camp would back down or give any better an answer, hence my curiosity. I haven’t found my own preferred way of doing things yet, but I am finding a lot of IT technicians seem to be very set in their ways, especially where stuff like this is concerned.
TL;DR: How would you set up your AD domain and why would you do it that way?
If you’re mainly asking about .local, that’s generally not considered a good practice any longer. There is a lot of back and forth when you get into it with people, but recent best practices point to using (and actually registering) the actual domain. This allows you to use things like actual certificates. Yes, you’ll probably have split DNS. There are a lot of workarounds, including networking devices that will point you appropriately depending on whether you’re on or off network, though especially depending on split tunnel you get into a fun area with VPNs…
Now, where I’ve seen a lot of frustration between engineers has been more when you want to split your domains (especially if you work for a holding company and/or SaaS company), when you might not even want something in the same forest, and where you do/don’t allow trusts. That sure gets fun.
I have used a subdomain of the company domain since back in 2000 with Windows 2000. I run/ran BIND for external DNS and AD DNS internally (before Windows split-brain DNS was a thing, if I’m not mistaken; I’d never put AD DNS servers on the internet, so it was always going to be physically separate boxes for inside and outside DNS).
I always thought .local was a bit of a broken hack; glad to see it become deprecated.
“Everything breaks!” with an external domain only if you don’t use a subdomain or at least split-brain DNS. If I recall, dcpromo even checks and tries to help you with a subdomain delegation for AD DNS, at least since Windows 2012 R2 and probably with Windows 2008 R2 from memory, possibly earlier.
Unfortunately when AD first appeared, so many Windows admins who had no clue about DNS (or, well… no clue in general) started getting involved in Active Directory DNS all of a sudden. Hence the proliferation of crap like .local for internal domains.
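To make the split-brain and subdomain-delegation arrangement described in the two replies above concrete, here is a constructed BIND configuration (added example, not any poster's actual config): one BIND host serves an internal and an external view of example.com, and only the internal view delegates the AD forest root ad.example.com to the domain controllers. All names and addresses (example.com, ns1, dc1/dc2, the 10.0.0.0/8 and 203.0.113.0/24 ranges) are assumptions chosen for illustration.

```dns
// ---- named.conf excerpt: two views of the same public name ----
view "internal" {
    match-clients { 10.0.0.0/8; 192.168.0.0/16; localhost; };
    recursion yes;                       // LAN clients may recurse here
    zone "example.com" { type master; file "internal/example.com.zone"; };
};
view "external" {
    match-clients { any; };
    recursion no;                        // Internet sees an authoritative-only server
    zone "example.com" { type master; file "external/example.com.zone"; };
};

; ---- internal/example.com.zone (answers given to LAN clients) ----
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2024010101 3600 900 1209600 300 )
        IN NS   ns1.example.com.
ns1     IN A    10.0.0.53
www     IN A    10.0.0.80        ; internal address, not the public one
mail    IN A    10.0.0.25
; Delegate the AD forest root to the domain controllers. Windows clients
; normally point at the DCs directly; this delegation lets non-domain hosts
; that use ns1 still resolve _ldap._tcp.ad.example.com and friends.
ad      IN NS   dc1.ad.example.com.
ad      IN NS   dc2.ad.example.com.
dc1.ad  IN A    10.0.1.10        ; glue so the delegation is resolvable
dc2.ad  IN A    10.0.1.11
; The DCs are authoritative for ad.example.com (AD-integrated zone) and
; forward every other query to ns1, so they see this internal view too.

; ---- external/example.com.zone (answers given to the Internet) ----
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2024010101 3600 900 1209600 300 )
        IN NS   ns1.example.com.
ns1     IN A    203.0.113.53
www     IN A    203.0.113.80
mail    IN A    203.0.113.25
@       IN MX   10 mail.example.com.
; Deliberately no ad.example.com delegation here: the DCs are not reachable
; from the Internet, and publishing their names would only expose the
; internal layout (the "never put AD DNS servers on the internet" point).
```

With a subdomain, the internal view is optional: if every internal host name lives under ad.example.com, the DCs can simply forward to the public example.com zone and nothing on the apex needs a second copy.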