Tuesday, September 15, 2015

Use the Local Suffix for Windows Domain DNS Names

When a Windows domain is created, two identifiers must be chosen for it: the NetBIOS name (the upper-case name that goes before the backslash in a user's SAM account name) and the DNS name (the name shown when you hover over the Ethernet icon). Neither can be changed after Active Directory Domain Services is set up. The DNS name not only looks like a DNS entry, it really is one: its subentries are stored in and served from the Windows DNS service, which is required on at least one domain controller in the domain. Pinging the root of the domain will most likely get you a domain controller.

The convention for Windows domain DNS names is to end them with ".local" rather than with a normal TLD. That is really important when the DNS name you pick is also a real website, say, your company's. If your website is "example.com" and you also name your Windows domain "example.com", people will reach your domain controller instead of your public web site when they type that URL into their browsers. That's because the DNS servers in your network answer for that name themselves and take priority over the ones on the Internet (to which your domain controller forwards only the requests it cannot answer locally). You should have used "example.local".

One might try to fix the problem by manually adding an entry for the root of the domain that points to the public web site. That will appear to fix the problem, but it will be very bad for name resolution inside your network. Looking up "localmachine.example.com" will fail because localmachine is not a subdomain of the public example.com. If you try this "fix", you'll only be able to use NetBIOS name lookup, which is severely suboptimal, and some programs will break anyway. Kerberos, the Windows network authentication/encryption protocol, requires a functional DNS infrastructure.

To recap: once you set up your domain, there's no going back on the name. Use a local suffix, or at least make sure you're not overriding a real Internet site.
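Since the name cannot be changed once the forest exists, a pre-flight check is worth running before Install-ADDSForest. The script below is an added example, not part of the original post; it assumes the DnsClient module (Resolve-DnsName) is available and that 8.8.8.8 is reachable as an Internet resolver, and it flags a proposed name that either lacks the .local suffix or already resolves on the public Internet.

```powershell
# Added example (not from the original post): pre-flight check for a proposed
# AD DS domain DNS name. Assumptions: Resolve-DnsName (DnsClient module) is
# available and 8.8.8.8 is reachable as a public resolver.
function Test-ProposedAdDnsName {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $PublicResolver = '8.8.8.8'   # assumption: any reachable Internet resolver works
    )

    $findings = @()

    # AD DS expects a multi-label DNS name; a single-label name is a known source of trouble.
    if ($Name -notmatch '\.') {
        $findings += "'$Name' is single-label; an AD DS domain DNS name should contain at least one dot."
    }

    # The post's convention: end the name in .local so it cannot collide with a public site.
    $suffix = ($Name -split '\.')[-1].ToLower()
    if ($suffix -ne 'local') {
        $findings += "'$Name' does not end in .local; an internal zone named after a public domain shadows that domain for every client on the network."
    }

    # Ask an Internet resolver directly (-DnsOnly skips the hosts file and the local cache) so the
    # answer reflects what the public sees, not what an internal DNS server may already serve.
    try {
        $public = Resolve-DnsName -Name $Name -Type A -Server $PublicResolver -DnsOnly -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'A' }
        if ($public) {
            $addrs = ($public | ForEach-Object { $_.IPAddress }) -join ', '
            $findings += "'$Name' already resolves on the Internet to $addrs; the domain controllers' root records would override it for internal clients."
        }
    } catch {
        # NXDOMAIN or no answer: this name does not override anything public.
    }

    [pscustomobject]@{
        Name     = $Name
        Safe     = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed examples: the public site's own name versus a .local name.
Test-ProposedAdDnsName -Name 'example.com'    # Safe = False; findings explain why
Test-ProposedAdDnsName -Name 'example.local'  # Safe = True unless something public answers for it
```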
