[Samba] Samba 4 DNS name Planing

James Cort james.cort at bediwin.co.uk
Wed Dec 4 03:45:51 MST 2013


That refers to Server 2003 - ISTR Autodiscover (introduced with Exchange 2007) breaks much of that advice because it relies on valid SSL certificates.

This is from Microsoft’s own external wiki, but more-or-less tallies with my understanding:

http://social.technet.microsoft.com/wiki/contents/articles/17974.active-directory-domain-naming-considerations.aspx



-- 
Eckland-Cort Ltd T/A Bediwin Information Services
Registered in England and Wales, no. 02598654
Registered office:  3 Southleigh Road, Taunton, Somerset  TA1 2XZ

Our Managed Workstation service deals with antivirus, backup and updates for just £5.00/month!
http://www.bediwin.co.uk/services/managed-workstations

On 4 Dec 2013, at 10:26, L.P.H. van Belle <belle at bazuin.nl> wrote:

> Sure, if you know what you're doing with DNS and domain names, yes, I also prefer the correct domain and yes, MS also prefers that,
> but because of misuse of domain names MS also uses .local 
>  
> As MS states:
> If you want to use a full DNS name for the internal domain other than the default, it is strongly recommended that you use the .local label for the extension.
> Using an internal domain name different from your registered Internet domain name is a more secure configuration.
> Using a publicly registered Internet domain name can result in name resolution issues.
>  
>  
> Much to read about it:
>  
> here: http://technet.microsoft.com/en-us/library/cc708159(v=ws.10).aspx 
> must read: DNS namespace planning: http://support.microsoft.com/kb/254680/en-us 
>  
>  
> But, if you want to use official certificates, yes, better you use the correct domain name.
> And when you're doing that, then you know what you're doing..  ;-) 
>  
> I myself prefer the following. (I know how DNS works, that helps.)
>  
> INTERNET DNS setup.
>  
> company.tld.     main internet address, and NO IP assigned; yes, lots of people do that, but I don't like it.
> www.company.tld.        points to my webserver. (external IP numbers)
> mail.company.tld.        points to my mail server. (external IP numbers)
> proxy.company.tld       points to my proxy IP (external IP numbers)
>  
> location1.company.tld.   is externally resolvable.  (for use of mail server1)
> location2.company.tld.   is externally resolvable.  (for use of mail server2) 
> location3.company.tld.   is externally resolvable.  (for use of mail server3) 
> Why resolvable? Because of all of the spam traps and mail rules etc. etc.
> I'm also into anti-spam setups, so this is a must.
>  
>  
> AD and INTERNAL !! dns setup.
> headoffice.location1.company.tld.    the AD server INTERNAL domain.
>     =>  servername in FQDN :   samba4-1.headoffice.location1.company.tld.
>     NETBIOS NAME: HEADOFFICE
>  
> mail.headoffice.company.tld.    points to the internal IP address
> mail.location1.company.tld is a CNAME to mail.headoffice.company.tld.
> mail.location2.company.tld is a CNAME to mail.headoffice.company.tld.
> etc
>  
> So the big thing here is 
> hostname = samba4-1.headoffice.company.tld
> AD = headoffice.company.tld 
> REALM = HEADOFFICE.COMPANY.TLD
> DOMAINNAME (NT style)  COMPANY
>  
>  
> Yes, long names, but scalable to anything and anywhere. 
>  
> But.. it's just what you prefer or understand.
>  
> So think about your DNS setup before you install anything, is my advice.
>  
> Louis
>  
> 
> From: James Cort [mailto:james.cort at bediwin.co.uk] 
> Sent: Wednesday 4 December 2013 10:47
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4 DNS name Planing
> 
> Pretty sure use of .local is deprecated in recent versions of Windows Server - ISTR it's something to do with some Windows client devices requiring a certificate signed by a recognised CA, and of course none of them will sign a certificate ending in .local.
> 
> Personally, I’d set up a subdomain of a registered domain - e.g. ad.mydomain.com - and that’d be the AD domain. But I haven’t checked to see if that represents recommended practice, so take it with all the salt you think it needs.
> 
> 
> James.
> 
> On 4 Dec 2013, at 08:29, L.P.H. van Belle <belle at bazuin.nl> wrote:
> 
>> 
>> I suggest you always use .local if for internal use only.. 
>> 
>> See RFC 6762, which was approved and officially published on February 20, 2013, 
>> and essentially reserves the use of .local as a pseudo-TLD for link-local hostnames 
>> that can be resolved via the Multicast DNS name resolution protocol.
>> 
>> http://tools.ietf.org/html/rfc6762 
>> 
>> 
>> Louis
>> 
>> 
>>> -----Original Message-----
>>> From: abartlet at samba.org [mailto:samba-bounces at lists.samba.org] 
>>> On behalf of Andrew Bartlett
>>> Sent: Wednesday 4 December 2013 9:15
>>> To: Chan Min Wai
>>> CC: samba at lists.samba.org
>>> Subject: Re: [Samba] Samba 4 DNS name Planing
>>> 
>>> On Tue, 2013-12-03 at 18:48 +0800, Chan Min Wai wrote:
>>>> Dear All,
>>>> 
>>>> Can you help to advise if there is any name planning for DNS?
>>>> 
>>>> e.g: I've a domain amtb-m.org
>>>> 
>>>> should my samba4 server be
>>>> ad.amtb-m.org?
>>>> 
>>>> OR should I create another non-reachable internal domain
>>>> e.g: ad.amtb-m.lan
>>>> 
>>>> For them?
>>>> 
>>>> What is the benefit on this or that?
>>>> Any documentation about that?
>>> 
>>> Use a proper subdomain of your registered DNS domain for your new AD
>>> domain.  Don't use .lan, .local, .corp as you have no idea what suffixes
>>> ICANN might sell off next; use the domain you already own as the base. 
>>> 
>>> Andrew Bartlett
>>> 
>>> -- 
>>> Andrew Bartlett                       http://samba.org/~abartlet/
>>> Authentication Developer, Samba Team  http://samba.org
>>> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>>> 
>> 
> 
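The thread above argues two things: pick the AD domain as a subdomain of a DNS domain you already control (rejecting .local, .lan and .corp, since .local is claimed by mDNS under RFC 6762 and the others are not yours), and be clear about how the host FQDN, AD domain, Kerberos realm and NetBIOS name relate. The following Python script is an added example that applies those checks to candidate names and derives the related names; it is not code from this thread or from the Samba project. The domain names it tests are the ones used in the thread, and the rule that the default NetBIOS domain is the first DNS label upper-cased and cut to 15 characters is an assumption about the usual provisioning default, not something the thread states.

```python
"""Added example, not code from this thread or from the Samba project: a small
checker for a proposed AD DNS domain name, following the advice in the thread
(use a subdomain of a domain you control; avoid .local, .lan and .corp), plus a
helper that derives realm, NetBIOS domain and DC FQDN from the chosen names."""
import re

# Suffixes the thread argues against: .local is reserved for Multicast DNS
# (RFC 6762); .lan and .corp are not registered, so nobody controls them.
DISCOURAGED_TLDS = {"local", "lan", "corp"}

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending
# with a hyphen (hostname rules; names are lower-cased before matching).
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(name):
    """Lower-case and strip a trailing dot so 'AD.Example.ORG.' == 'ad.example.org'."""
    return name.strip().rstrip(".").lower()


def is_valid_dns_name(name):
    """Syntactic check: non-empty, at most 253 chars, every label well formed."""
    name = normalise(name)
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def check_ad_domain(ad_domain, registered_domain):
    """Return a list of findings; an empty list means no objections."""
    findings = []
    ad = normalise(ad_domain)
    reg = normalise(registered_domain)
    if not is_valid_dns_name(ad):
        return ["not a syntactically valid DNS name"]
    labels = ad.split(".")
    if labels[-1] in DISCOURAGED_TLDS:
        findings.append(f".{labels[-1]} is not a TLD you control (mDNS or unregistered)")
    if len(labels) < 2:
        findings.append("single-label domain: no parent zone, problematic for DNS and Kerberos")
    if ad == reg:
        findings.append("AD domain equals the public domain: internal and external zones collide (split DNS)")
    elif not ad.endswith("." + reg):
        findings.append(f"not a subdomain of the registered domain {reg}")
    return findings


def derive_names(ad_domain, host):
    """Realm, NetBIOS domain and DC FQDN for an AD domain and a DC hostname.

    Assumption: the NetBIOS domain is the first DNS label upper-cased and cut to
    the 15-character NetBIOS limit, which is the usual provisioning default;
    choose your own if that collides with another domain on the network."""
    ad = normalise(ad_domain)
    first_label = ad.split(".")[0]
    return {
        "realm": ad.upper(),
        "netbios_domain": first_label.upper()[:15],
        "dc_fqdn": f"{normalise(host)}.{ad}",
    }


if __name__ == "__main__":
    # Constructed candidates, based on the names used in the thread.
    for candidate in ("ad.amtb-m.org", "ad.amtb-m.lan", "amtb-m.org", "headoffice.local"):
        problems = check_ad_domain(candidate, "amtb-m.org")
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
    print(derive_names("headoffice.location1.company.tld", "samba4-1"))
```

Run it without arguments to see the four constructed candidates judged against the registered domain amtb-m.org; only ad.amtb-m.org passes, which matches Andrew's recommendation, while the .lan and .local variants and the bare public domain each get a specific finding.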