RE: Windows 2003 Active Directory

  • From: Rick Boza <rickb@xxxxxxxxxxxxxxx>
  • To: Exchange List <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 07 Mar 2005 13:54:27 -0500

Some decent points, John, but I think you're missing some of mine.

Rather than not using .local (or .lan for that matter, which I have also
seen) I'm for endorsing a change to include .local as a reserved TLD not for
external use.  That seems like a large task, but it would certainly avoid
the pain that could or would happen should it become a publicly available
TLD and people start buying them up.

A few other comments inline-

On 3/7/05 12:10 PM, "John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx>

>> Actually it is valid - it just isn't reserved.  People use it all the time
>> with no ill effects - the only way a Bad Thing is likely to happen following
>> the use of .local internally is if suddenly .local were a valid,
>> registerable TLD on the Internet.
> Sure, people and companies can get along fine for years with a mistake in
> place, and then one day wake up and Gotcha.
> It is always recommended to follow proper procedures, not make up the rules
> as you go. Anything less is unprofessional and can lead to consequences down
> the road.

You're right, but Microsoft often recommends .local.  They also are making a
push for its reserved status.  Which leads to the question: whose
procedures?  If IANA has an RFC that states one thing, and Microsoft has
published whitepapers that dictate another, it can be very confusing for

>> That seems extremely unlikely - you should probably worry about a satellite
>> dropping on your head as a more likely occurrence.
> Well, I personally have not heard of any satellites dropping on anyone's
> head; I have indeed heard of problems using .local as a TLD.

Really? What problems?  While I've seen it used often, that in and of itself
has never caused a problem that I've seen.  While I've seen many, many AD
problems related to DNS, the use of the .local extension has never caused an
inherently related problem in my experience.

If you can share some examples though that would be great - I'm always on
the lookout for interesting stuff.

On another note, my point was it's more likely that you'll get hit by a
falling satellite than .local becomes a valid public TLD.  For this reason,
using .local is not all that risky, but it isn't reserved.

>> The important point isn't so much what you use as your internal - rather
>> that you avoid using your external domain presence.  Ideally you also want
>> to avoid using someone else's external domain name.
> No one said to avoid, only not recommended unless you know what you are
> doing. Using Split DNS can help things and can also cause big problems. It
> all depends on who is administering it.
> Oh, BTW. Ideally has nothing to do with not using someone else's domain
> name, you cannot do so, period. It WILL cause problems.

So technically, you can use someone else's, and manage it much like you
would a split DNS configuration.  It happens, it can be ugly, and it's not
ideal.  Which is why using a reserved TLD is the best practice.  I suspect
we're in agreement here and simply syntactic disagreement.  As an aside, I
do wonder how many folk use "' as their internal domain name.  More
than a few that I've seen.  When DNS problems pop up, they wonder why ;)

>> As for your email domain, which I suspect is the root of the question for
>> you, using a private internal name versus a different public domain has no
>> impact on your ability to receive and send mail as name@xxxxxxxxxxxxxxxxxx
>> The two are not related.
> Sure they are, and if not configured correctly can cause problems, such as if
> you do not configure your Exchange server (or whatever flavor of e-mail
> server you have on the internal LAN) to accept e-mail destined for users
> using the external public domain, they will not get the e-mail.

There's no interrelationship between what you name your AD and what email
domains you use for external email and MX records.  You can name one
and the other, and as long as you can enter a valid MX record pointing to
you, you can accept email and send email from that domain.  What you enter
as your AD DNS name won't matter as far as this is

The catch though is what you highlight - as with everything, it has to be
properly configured to support what you want to accomplish.

> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
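As an added example (not from the thread, and not Microsoft's or IANA's tooling), the audit below classifies candidate AD DNS names by the pitfalls the thread argues over: reusing the public domain, borrowing someone else's, or relying on an unreserved TLD. It treats .local as special-use per RFC 6762 (which later assigned it to mDNS), and the sample names are constructed.

```python
"""Classify proposed Active Directory DNS names against the naming pitfalls
discussed in the thread.  Added example with constructed sample data."""
import re

# Names that will never be delegated publicly: RFC 6761 (test, example,
# invalid, localhost), RFC 6762 (.local, claimed by mDNS), RFC 8375 (home.arpa).
SPECIAL_USE = {"test", "example", "invalid", "localhost", "local", "home.arpa"}
# One DNS label: 1-63 chars of letters/digits/hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _labels(name):
    return name.strip().rstrip(".").lower().split(".")


def is_valid_dns_name(name):
    labels = _labels(name)
    return len(name) <= 253 and all(LABEL_RE.match(l) for l in labels)


def classify(ad_name, external_domains):
    """Return (category, reason) for a proposed AD forest/domain DNS name."""
    if not is_valid_dns_name(ad_name):
        return "invalid", "not a syntactically valid DNS name"
    labels = _labels(ad_name)
    if len(labels) == 1:
        return "single-label", "single-label AD names are discouraged; use a suffix"
    for ext in external_domains:
        ext_labels = _labels(ext)
        if labels == ext_labels:
            return "split-dns", "same as public domain %s; internal zone must mirror public records" % ext
        if labels[-len(ext_labels):] == ext_labels:
            return "subdomain", "subzone of public domain %s; delegate it or host it internally only" % ext
    if labels[-1] in SPECIAL_USE or ".".join(labels[-2:]) in SPECIAL_USE:
        return "special-use", ".%s cannot be delegated on the public Internet" % labels[-1]
    return "unverified", "public TLD; confirm you hold the registration or it may collide"


def audit(candidates, external_domains):
    """Map each candidate name to its category; handy for a forest review."""
    return {name: classify(name, external_domains)[0] for name in candidates}


if __name__ == "__main__":
    # Constructed sample: one public mail domain, several internal AD names.
    public = ["contoso.example"]
    for name in ["corp.local", "contoso.example", "ad.contoso.example", "corp.lan", "corp"]:
        print(name, "->", classify(name, public))
```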
