[Samba] Samba 4 DNS name Planing

James Cort james.cort at bediwin.co.uk
Wed Dec 4 03:48:26 MST 2013


Replying to myself, but it’s interesting to note that Microsoft have offered contradictory advice on this very issue in the past:

http://en.wikipedia.org/wiki/.local#Microsoft_recommendations


-- 
Eckland-Cort Ltd T/A Bediwin Information Services
Registered in England and Wales, no. 02598654
Registered office:  3 Southleigh Road, Taunton, Somerset  TA1 2XZ

Our Managed Workstation service deals with antivirus, backup and updates for just £5.00/month!
http://www.bediwin.co.uk/services/managed-workstations

On 4 Dec 2013, at 10:45, James Cort <james.cort at bediwin.co.uk> wrote:

> That refers to Server 2003 - ISTR Autodiscover (introduced with Exchange 2007) breaks much of that advice because it relies on valid SSL certificates.
> 
> This is from Microsoft’s own external wiki, but more-or-less tallies with my understanding:
> 
> http://social.technet.microsoft.com/wiki/contents/articles/17974.active-directory-domain-naming-considerations.aspx
> 
> 
> 
> 
> On 4 Dec 2013, at 10:26, L.P.H. van Belle <belle at bazuin.nl> wrote:
> 
>> Sure, if you know what you're doing with DNS and domain names, yes, I also prefer using the correct domain and yes, MS also prefers that,
>> but because of misuse of domain names MS also uses .local.
>>  
>> As MS states:
>> If you want to use a full DNS name for the internal domain other than the default, it is strongly recommended that you use the .local label for the extension.
>> Using an internal domain name different from your registered Internet domain name is a more secure configuration.
>> Using a publicly registered Internet domain name can result in name resolution issues.
>>  
>>  
>> Much to read about it:
>>  
>> here: http://technet.microsoft.com/en-us/library/cc708159(v=ws.10).aspx 
>> must read: DNS namespace planning: http://support.microsoft.com/kb/254680/en-us 
>>  
>>  
>> But, if you want to use official certificates, yes, you'd better use the correct domain name.
>> And when you're doing that, then you know what you're doing..  ;-) 
>>  
>> I myself prefer the following. (I know how DNS works, that helps.)
>>  
>> INTERNET DNS setup.
>>  
>> company.tld.     main internet address, and NO IP assigned; yes, lots of people do that, but I don't like it.
>> www.company.tld.        points to my webserver. (external IP numbers)
>> mail.company.tld.        points to my mail server. (external IP numbers)
>> proxy.company.tld       points to my proxy IP. (external IP numbers)
>>  
>> location1.company.tld.   is externally resolvable.  (for use of mail server1)
>> location2.company.tld.   is externally resolvable.  (for use of mail server2) 
>> location3.company.tld.   is externally resolvable.  (for use of mail server3) 
>> Why resolvable? Because of all of the spam traps and mail rules etc. etc.
>> I'm also into anti-spam setups, so this is a must.
>>  
>>  
>> AD and INTERNAL !! DNS setup.
>> headoffice.location1.company.tld.    the AD server INTERNAL domain.
>>     =>  servername in FQDN :   samba4-1.headoffice.location1.company.tld.
>>     NETBIOS NAME: HEADOFFICE
>>  
>> mail.headoffice.company.tld.    points to the internal IP address
>> mail.location1.company.tld is a CNAME to mail.headoffice.company.tld.
>> mail.location2.company.tld is a CNAME to mail.headoffice.company.tld.
>> etc
>>  
>> So the big thing here is:
>> hostname = samba4-1.headoffice.company.tld
>> AD = headoffice.company.tld 
>> REALM = HEADOFFICE.COMPANY.TLD
>> DOMAINNAME ( NT Style )  COMPANY
>>  
>>  
>> Yes, long names, but scalable to anything and anywhere. 
>>  
>> But.. it's just what you prefer or understand.
>>  
>> So think about your DNS setup before you install anything, is my advice.
>>  
>> Louis
>>  
>> 
>> From: James Cort [mailto:james.cort at bediwin.co.uk] 
>> Sent: Wednesday 4 December 2013 10:47
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4 DNS name Planing
>> 
>> Pretty sure use of .local is deprecated in recent versions of Windows Server - ISTR it's something to do with some Windows client devices requiring a certificate signed by a recognised CA, and of course none of them will sign a certificate ending in .local.
>> 
>> Personally, I’d set up a subdomain of a registered domain - eg. ad.mydomain.com - and that’d be the AD domain. But I haven’t checked to see if that represents recommended practice so take it with all the salt you think it needs.
>> 
>> 
>> James.
>> 
>> 
>> On 4 Dec 2013, at 08:29, L.P.H. van Belle <belle at bazuin.nl> wrote:
>> 
>>> 
>>> I suggest you always use .local if for internal use only.. 
>>> 
>>> See RFC 6762, which was approved and officially published on February 20, 2013, 
>>> and essentially reserves the use of .local as a pseudo-TLD for link-local hostnames 
>>> that can be resolved via the Multicast DNS name resolution protocol.
>>> 
>>> http://tools.ietf.org/html/rfc6762 
>>> 
>>> 
>>> Louis
>>> 
>>> 
>>>> -----Original message-----
>>>> From: abartlet at samba.org [mailto:samba-bounces at lists.samba.org] 
>>>> On behalf of Andrew Bartlett
>>>> Sent: Wednesday 4 December 2013 9:15
>>>> To: Chan Min Wai
>>>> CC: samba at lists.samba.org
>>>> Subject: Re: [Samba] Samba 4 DNS name Planing
>>>> 
>>>> On Tue, 2013-12-03 at 18:48 +0800, Chan Min Wai wrote:
>>>>> Dear All,
>>>>> 
>>>>> Can you help advise if there is any name planning for DNS?
>>>>> 
>>>>> e.g. I have a domain amtb-m.org
>>>>> 
>>>>> should my samba4 server be
>>>>> ad.amtb-m.org?
>>>>> 
>>>>> OR should I create another non-reachable internal domain
>>>>> e.g: ad.amtb-m.lan
>>>>> 
>>>>> For them?
>>>>> 
>>>>> What is the benefit on this or that?
>>>>> Any documentation about that?
>>>> 
>>>> Use a proper subdomain of your registered DNS domain for your new AD
>>>> domain.  Don't use .lan, .local, .corp as you have no idea what suffixes
>>>> ICANN might sell off next; use the domain you already own as the base. 
>>>> 
>>>> Andrew Bartlett
>>>> 
>>>> -- 
>>>> Andrew Bartlett                       http://samba.org/~abartlet/
>>>> Authentication Developer, Samba Team  http://samba.org
>>>> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>>>> 
>>>> 
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>> 
>>>> 
>>> 
>> 
> 
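An added example (not code from this thread or from the Samba project) that applies the naming advice above to a proposed Samba AD plan: it rejects the .local/.lan/.corp suffixes Andrew and RFC 6762 warn about, requires the AD domain to be a proper subdomain of a registered domain you pass in, and derives the realm, default NetBIOS name and DC FQDN the way Louis's example lays them out. The `registered_domain` argument and the choice to derive the NetBIOS name from the first label are assumptions of this example.

```python
"""Check a proposed Samba AD naming plan against the advice given in this thread.
Added example, not code from the thread or from Samba itself."""
import re

# Suffixes the thread advises against: .local is reserved for mDNS by RFC 6762,
# .lan and .corp are unregistered and could be delegated by ICANN later.
UNSAFE_SUFFIXES = {"local", "lan", "corp"}
# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _labels(name):
    return name.lower().rstrip(".").split(".")


def plan_ad_names(ad_domain, registered_domain, host):
    """Return the derived names for the plan, or raise ValueError with the reason.

    ad_domain          proposed AD DNS domain, e.g. 'headoffice.company.tld'
    registered_domain  the Internet domain you actually own, e.g. 'company.tld'
    host               short hostname of the DC, e.g. 'samba4-1'
    """
    ad, reg = _labels(ad_domain), _labels(registered_domain)
    for label in ad + reg + [host.lower()]:
        if not LABEL_RE.match(label):
            raise ValueError(f"invalid DNS label {label!r}")
    if ad[-1] in UNSAFE_SUFFIXES:
        raise ValueError(f".{ad[-1]} is reserved or unregistered; use a subdomain of a domain you own")
    if ad[-len(reg):] != reg or len(ad) == len(reg):
        raise ValueError(f"{ad_domain} must be a proper subdomain of {registered_domain}")
    # Samba's default NetBIOS name is the first label upper-cased; a different
    # name of at most 15 characters may be chosen instead (assumption: we keep the default).
    netbios = ad[0].upper()
    if len(netbios) > 15:
        raise ValueError(f"default NetBIOS name {netbios} exceeds 15 characters; pick a shorter one")
    ad_fqdn = ".".join(ad)
    return {
        "ad_domain": ad_fqdn,
        "realm": ad_fqdn.upper(),  # Kerberos realm is the AD domain in upper case
        "netbios": netbios,
        "dc_fqdn": f"{host.lower()}.{ad_fqdn}",
    }


def check_plan(ad_domain, registered_domain, host):
    """Convenience wrapper: (True, names) on success, (False, reason) otherwise."""
    try:
        return True, plan_ad_names(ad_domain, registered_domain, host)
    except ValueError as exc:
        return False, str(exc)
```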