RE: Windows 2003 Active Directory

  • From: "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 7 Mar 2005 11:20:13 -0800

> You're right, but Microsoft often recommends .local.  They also are making
> push for it's reserved status.  Which leads to the question: who's
> procedures?  If IANA has an RFC that states one thing, and Microsoft has
> published whitepapers that dictate another, it can be very confusing for
> folks.

Personally and professionally, I would like to see IANA add .local to the
reserved private use list. That would clear the issue once and for all.

> Really? What problems?  While I've seen it used often, that in and of
> has never caused a problem that I've seen.  While I've seen many, many AD
> problems related to DNS, the use of the .local extension has never caused
> inherently related problem in my experience.

Certificates issued/used incorrectly (I was working on a problem where one
client with their own internal CA and using .local just happened to have a
client who also was using their own internal CA and using .local and was
causing extremely hard to diagnose secure website problems. I ended up
getting support from both MS and Thawte involved and after going through
changing the clients AD domain the problems went away) and RPC over HTTP
publishing are two examples that come to mind.

> So technically, you can use someone else's, and manage it much like you
> would a split DNS configuration.  It happens, it can be ugly, and it's not
> ideal.  Which is why using a reserved TLD is the best practice.  I suspect
> we're in agreement here and simply syntactic disagreement.  As an aside, I
> do wonder how many folk use "' as their internal domain name.
> than I few that I've seen.  When DNS problems pop up, they wonder why ;)

I have seen used more than once as well.

> There's no interrelationship between what you name your AD and what email
> domains you use for external email and MX records.  You can name one
> and the other and as long as you can enter a valid MX record for
> pointing to you, you can accept email and send email from that
> domain.  What you enter as your AD DNS name won't matter as far as this is
> concerned.

If your external domain name is publicexample.moc and the internal is
privateexample.moc, and your exchange server is not configured to accept
e-mail for publicexample.moc through either recipient policy or such,
Exchange will not accept them.

> The catch though is what you highlight - as with everything, it has to be
> properly configured to support what you want to accomplish.

What we in trying to help others must remember is that we can not assume
they will be able to understand and properly configure what is possible, and
should therefore first explain what is recommended.

John Tolmachoff
eServices For You

Other related posts: