    Hairpin routing

    IT Discussion
    Tags: router, routing, hairpin
    45 Posts 6 Posters 10.2k Views
      stacksofplates @scottalanmiller
      last edited by stacksofplates

      @scottalanmiller said:

      @Dashrender said:

      In the Windows 2000 days the suggestion was to use your domain name (where Split brain/Split horizon came from). Then in Windows 2003 days MS changed and suggested that companies use company.local. This of course wouldn't route over the internet, yet, so I heard, caused all kinds of other problems. In either 2008 or 2012, don't recall which, MS stopped suggesting the use of company.local. I have no idea what the current recommendation is.

      .local had no problems and routes fine. It can't be looked up by public DNS servers, which is a good thing, not a bad one. Yes, MS made the split horizon mistake in 2000, but that was a decade and a half ago and they have long since stopped doing that. It's a horrible practice with endless problems.

      Any problems with .local I'm confident were myths. Like that it could not route. It works flawlessly until you have Macs, which use .local specifically to break AD as part of an MS / Apple feud from long ago.

      The recommendation since .local is to have a unique domain that you own but is not .local.

      Split horizon has not been considered remotely acceptable since 2003 era or earlier. There's really no upside. And as there is everything warning against it and nothing recommending it, it's quite shocking that it happens. It's the most basic thing that they have always warned about in AD training.

      There are still people touting this stuff all over the place.

      http://www.mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html

      This site says ICANN is selling .local, but I can't find anything on that at all.

      http://blog.varonis.com/active-directory-domain-naming-best-practices/

        Jason Banned

        We use .local but also have a lot of macs and it sucks.

        Recommendation from MS anymore is internal.domain.com or something similar

          scottalanmiller @stacksofplates

          @johnhooks said:

          @scottalanmiller said:

          @Dashrender said:

          In the Windows 2000 days the suggestion was to use your domain name (where Split brain/Split horizon came from). Then in Windows 2003 days MS changed and suggested that companies use company.local. This of course wouldn't route over the internet, yet, so I heard, caused all kinds of other problems. In either 2008 or 2012, don't recall which, MS stopped suggesting the use of company.local. I have no idea what the current recommendation is.

          .local had no problems and routes fine. It can't be looked up by public DNS servers, which is a good thing, not a bad one. Yes, MS made the split horizon mistake in 2000, but that was a decade and a half ago and they have long since stopped doing that. It's a horrible practice with endless problems.

          Any problems with .local I'm confident were myths. Like that it could not route. It works flawlessly until you have Macs, which use .local specifically to break AD as part of an MS / Apple feud from long ago.

          The recommendation since .local is to have a unique domain that you own but is not .local.

          Split horizon has not been considered remotely acceptable since 2003 era or earlier. There's really no upside. And as there is everything warning against it and nothing recommending it, it's quite shocking that it happens. It's the most basic thing that they have always warned about in AD training.

          There are still people touting this stuff all over the place.

          http://www.mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html

          This site says ICANN is selling .local, but I can't find anything on that at all.

          http://blog.varonis.com/active-directory-domain-naming-best-practices/

          You have not been supposed to use .local for some time now, but no one is selling it; it is just a preventative measure to not have .local from that perspective. Apple trying to break AD is why it should be avoided. If you don't run Macs, .local works flawlessly on Windows networks.

            scottalanmiller @Jason

            @Jason said:

            We use .local but also have a lot of macs and it sucks.

            Recommendation from MS anymore is internal.domain.com or something similar

            A lot of people use ad.domain.com mostly because it is short.

              JaredBusch @scottalanmiller

              @scottalanmiller said:

              @Jason said:

              We use .local but also have a lot of macs and it sucks.

              Recommendation from MS anymore is internal.domain.com or something similar

              A lot of people use ad.domain.com mostly because it is short.

              That is what I use on new stuff, for exactly that reason, it is short.

                Dashrender @JaredBusch

                @JaredBusch said:

                @scottalanmiller said:

                @Jason said:

                We use .local but also have a lot of macs and it sucks.

                Recommendation from MS anymore is internal.domain.com or something similar

                A lot of people use ad.domain.com mostly because it is short.

                That is what I use on new stuff, for exactly that reason, it is short.

                literally ad.domain.com?

                  Jason Banned @Dashrender

                  This post is deleted!

                    scottalanmiller @Dashrender

                    @Dashrender said:

                    @JaredBusch said:

                    @scottalanmiller said:

                    @Jason said:

                    We use .local but also have a lot of macs and it sucks.

                    Recommendation from MS anymore is internal.domain.com or something similar

                    A lot of people use ad.domain.com mostly because it is short.

                    That is what I use on new stuff, for exactly that reason, it is short.

                    literally ad.domain.com?

                    Where "domain.com" is your domain, yes.

                      JaredBusch @scottalanmiller

                      @scottalanmiller said:

                      @Dashrender said:

                      @JaredBusch said:

                      @scottalanmiller said:

                      @Jason said:

                      We use .local but also have a lot of macs and it sucks.

                      Recommendation from MS anymore is internal.domain.com or something similar

                      A lot of people use ad.domain.com mostly because it is short.

                      That is what I use on new stuff, for exactly that reason, it is short.

                      literally ad.domain.com?

                      Where "domain.com" is your domain, yes.

                      Yes.

                        Dashrender

                        So those of you that have had a domain for over a decade, have you all moved to new domains to follow this newish domain naming?

                          scottalanmiller @Dashrender

                          @Dashrender said:

                          So those of you that have had a domain for over a decade, have you all moved to new domains to follow this newish domain naming?

                          We've had ours well over a decade, and it was already very much warned by MS not to do split horizon; they had been telling us .local was the way to go. I actually don't remember there ever being a time that they didn't warn against using your domain name. I started working with AD in beta in 1999 and by then I believe we were already warned. I've been on AD since Windows 2000, and in the very first materials I saw from MS, the number one thing that they trained you on when you did your first research was not to do that. We've been on AD for thirteen or more years on the same domain at NTG and have always been on .local.

                            JaredBusch @Dashrender

                            @Dashrender said:

                            So those of you that have had a domain for over a decade, have you all moved to new domains to follow this newish domain naming?

                            Why would you spend the money to move to a new domain structure? Sure, if you are going to be redoing things for other reasons, but there is no technical reason to move an existing domain that I am aware of.

                              scottalanmiller

                              I agree with Jared, best practice is to do one thing, but once the wrong thing is done, you pretty much just live with it. The negatives are there, but aren't generally dramatic. Just make sure new domains don't have overlapping domains with existing ones.

                                JaredBusch @scottalanmiller
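The naming advice that runs through this thread (avoid .local because Macs claim it for multicast DNS, avoid split horizon, pick a child of a domain you own such as ad.domain.com, and, as the post above says, keep new domains from overlapping existing ones) can be turned into a small audit of AD DNS root names. This is an added example, not code from the thread or from any of its posters; the domain names in it are constructed, and reading "overlapping" as one name being equal to, above, or beneath another name is my interpretation of the post above.

```python
"""Audit Active Directory DNS root names against the naming advice in this
thread.  Added example; domain values are constructed, not real inventory."""
from __future__ import annotations

MDNS_TLD = "local"  # the suffix Macs use for multicast DNS, which collides with AD


def labels(name: str) -> tuple[str, ...]:
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return tuple(part for part in name.strip().lower().rstrip(".").split(".") if part)


def is_subdomain_or_equal(name: str, parent: str) -> bool:
    """True when name equals parent or lies beneath it, compared label by
    label (so notexample.com is NOT treated as being under example.com)."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p


def audit_ad_name(ad_root: str, owned_zones: list[str], other_forests: list[str]) -> list[str]:
    """Return finding codes for one AD DNS root name.  An empty list means the
    name follows the thread's advice: a child of a zone you own, no overlaps."""
    findings: list[str] = []
    n = labels(ad_root)

    # 1. .local: fine on a pure Windows network, breaks once Macs appear.
    if n and n[-1] == MDNS_TLD:
        findings.append("mdns-local")

    # 2. Split horizon: the AD zone is exactly a zone you publish on the internet.
    if any(n == labels(z) for z in owned_zones):
        findings.append("split-horizon")

    # 3. Recommended shape: strictly beneath a zone you own (ad.example.com).
    under_owned = any(is_subdomain_or_equal(ad_root, z) and n != labels(z) for z in owned_zones)
    if not under_owned and "mdns-local" not in findings and "split-horizon" not in findings:
        findings.append("unowned-zone")

    # 4. Overlap with existing forests: equal to, above, or below another name.
    for forest in other_forests:
        if is_subdomain_or_equal(ad_root, forest) or is_subdomain_or_equal(forest, ad_root):
            findings.append("overlap:" + ".".join(labels(forest)))

    return findings


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical zones and forests).
    owned = ["example.com"]
    forests = ["corp.local", "eu.ad.example.com"]
    for candidate in ["corp.local", "example.com", "ad.example.com", "notexample.com"]:
        print(f"{candidate:20} -> {audit_ad_name(candidate, owned, forests) or ['ok']}")
```

Comparison is done label by label rather than by string suffix, so a name like notexample.com is not mistaken for a child of example.com; names are also normalised for case and a trailing dot before they are compared.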

                                @scottalanmiller said:

                                I agree with Jared, best practice is to do one thing, but once the wrong thing is done, you pretty much just live with it. The negatives are there, but aren't generally dramatic. Just make sure new domains don't have overlapping domains with existing ones.

                                Almost all of my clients are on .local for example. They are because they used to be on SBS and that is how SBS set it up by default. The #1 rule of SBS was to always follow the wizards unless you wanted to spend a lot of time doing shit manually.

                                  scottalanmiller

                                  Definitely most everyone that I have seen is on .local. It was the advised standard for so long and it was so during the era when the majority of companies moved to AD. Even though the new standard has been around for a little bit now, nearly every company I deal with moved to AD prior to that time period. New companies get new AD, obviously, but as a market percentage they aren't so much yet, that I've seen.
