8

It's looking more and more like I'll have to rename my Active Directory domain.

There is a well-known process for making this change, including some very good answers on Server Fault already (like this one). I understand you may think I want to ask a duplicate question, but this includes the squishy topic of Not Triggering a Revolution.

I inherited an internal Active Directory domain from the dawn of Active Directory. We'll call it ACRO.TLD with the NetBIOS name ACRO (short for "acronym").

This was great when everybody used a grandpa box behind the firewall. But this practice is now deprecated and could cause trouble down the line. There are a lot more mobile devices and it would probably be Very Bad if the domain leaked out into the Internet at large.

I need to

  1. sell the change to managers
  2. minimize disruption to users, especially the ones who like convenience (see requirement 1). (Changing the NetBIOS domain name from ACRO would be a deal breaker).

There are bound to be decisions made in planning and presenting the change that increase the chance of success (i.e. users don't show up at my door with pitchforks and torches). This is clearly a subjective question and the best answers would come from people who had been through the change already.

Selling it to management probably consists of explaining the why behind the Very Bad Things, combined with "the change shouldn't be so bad".

So now the question is how to make the change not be so bad, in other words, minimize the disruption to users. I hate to sound open ended but I may be tripping over something basic.

We own domains that I'll call COMPANYNAME.COM and COMPANYNAME.NET. Our external web presence and email addresses (email is hosted externally, there is no Exchange) use COMPANYNAME.COM; we have COMPANYNAME.NET as a buffer against domain squatting.

So I think that my best alternatives are

ACRO.COMPANYNAME.COM (subdomain)
COMPANYNAME.NET

I prefer ACRO.COMPANYNAME.COM, because users are used to ACRO and COMPANYNAME.COM and we're just bringing the two together. No need to change the NetBIOS domain name, and of course the Windows 10 login screen by default uses the domain a computer is joined to.

Because of the existing practice I've already laid out, users are already trained to use separate user names and passwords for Windows login and email (probably a Good Thing with hosted email).

Some of the cons are

  • ACRO.COMPANYNAME.COM is already a hostname registered in Internet DNS.
  • there may be some confusion when both accounts contain companyname.
  • a pain point of potentially tripling what people have to type in to enter login credentials.

But are these real barriers to going ahead with ACRO.COMPANYNAME.COM? Am I missing something?

Spencer
    I don't think you've outlined the actual business or technical case for changing the name of your domain. It's significant work with very real risk and is disruptive to end users. Can you please elaborate on *why* you actually want to go through with this? "It's not named to best practices" isn't a big enough reason to subject the organization to this risk and disruption, in my opinion. – MDMarra Dec 14 '18 at 15:37
  • 1
    I think he's saying that the internal domain name is actually someone else's registered domain. It works when it's only internal, but guaranteed to cause conflicts when you want to use the name on the internet. – Randy Orrison Dec 23 '18 at 13:29

2 Answers

6

If your organization changes and you need an entirely new directory structure, sure take the opportunity to pick a best practice DNS name. But you have not identified a problem, either technical or user experience, worth doing a rename project.


Adding a UPN of COMPANYNAME.COM, or perhaps COMPANYNAME, and doing a UserPrincipalName conversion is supposed to be easy. Describe this to users as logging in with (what looks like) their email address. Although, you trained them to separate email credentials from AD DS, so this may be confusing.


ACRO.TLD in an internal network security zone is fine, you can keep that. Register the name, just in case clients bypass internal DNS. Challenges come if users expect something else, or expect this to be the public presence (web server).

ACRO.COMPANYNAME.COM is already a hostname registered in Internet DNS.

I suggest avoiding the public presence names, even if you can design around the conflicts and confusion. Perhaps something like ACRO.COMPANYNAME.NET.

John Mahowald
  • I just realized this was still open. I wonder if the subdomain is strictly necessary: Perhaps just `COMPANYNAME.NET` would work, although there might be confusion because of the NetBIOS name `ACRO`. – Spencer Jan 07 '19 at 14:06
  • If a short name is all you want, set a UPN. You will have the least conflicts and confusion if the subdomain is only for AD use. `COMPANYNAME.NET` is great, you have your name on internal stuff, .net TLD implies network. Until marketing asks for it to be redirected to the public web site. – John Mahowald Jan 07 '19 at 15:02
  • A UPN won't affect the NetBIOS domain name AFAICT. – Spencer Apr 24 '19 at 15:20
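The UPN-suffix route the answer above recommends, as an added example that is not code from the answer or its author: it registers COMPANYNAME.COM as an alternate UPN suffix on the forest and rewrites the UserPrincipalName of users still carrying ACRO.TLD, so they can sign in as user@companyname.com while the DNS domain stays ACRO.TLD and the NetBIOS name stays ACRO. It assumes the RSAT ActiveDirectory module, rights to modify the forest and the user objects, and an OU of OU=Staff,DC=acro,DC=tld, all of which are placeholders from the question rather than anything the page specifies.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the answer). Assumed: ActiveDirectory module is
# installed, the caller can modify the forest and user objects, and the OU
# OU=Staff,DC=acro,DC=tld exists. Names are the question's placeholders.

function Convert-UpnSuffix {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $OldSuffix,   # e.g. 'acro.tld'
        [Parameter(Mandatory)] [string] $NewSuffix,   # e.g. 'companyname.com'
        [string] $SearchBase                          # assumed OU; omit for the whole domain
    )

    # 1. UPN suffixes are a forest-level attribute; add it once if missing.
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -notcontains $NewSuffix) {
        if ($PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix $NewSuffix")) {
            Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
        }
    }

    # 2. Find users whose UPN still ends in the old suffix.
    $query = @{ Filter = "UserPrincipalName -like '*@$OldSuffix'" }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    $users = Get-ADUser @query

    foreach ($u in $users) {
        # Only the suffix changes; sAMAccountName (ACRO\user) is untouched,
        # so existing DOMAIN\user logons keep working.
        $prefix = $u.UserPrincipalName.Split('@')[0]
        $newUpn = "$prefix@$NewSuffix"

        # 3. UPNs must be unique forest-wide. Refuse a collision up front
        #    instead of letting Set-ADUser fail partway through the batch.
        $clash = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'"
        if ($clash -and $clash.DistinguishedName -ne $u.DistinguishedName) {
            Write-Warning "Skipping $($u.SamAccountName): $newUpn is already used by $($clash.SamAccountName)"
            continue
        }

        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Set UPN to $newUpn")) {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn
        }
    }
}

# Dry run first; drop -WhatIf once the planned changes look right.
Convert-UpnSuffix -OldSuffix 'acro.tld' -NewSuffix 'companyname.com' `
    -SearchBase 'OU=Staff,DC=acro,DC=tld' -WhatIf
```

Two things to check before running it without -WhatIf: anything that keys identities on the UPN (a directory sync to a cloud tenant, certificate mapping, applications that stored the UPN as the user identifier) will see these as changed users, and a UPN suffix that is also a public DNS name is fine for sign-in because the suffix is resolved against the forest, not against Internet DNS.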
-1

Consider looking into Active Directory Federation Services. It should allow multiple independent unrelated domains to co-exist while allowing cross domain trusts and co-existence. One of the things it does well is allow a company on an acquisition binge to get all of the acquired ADs talking nicely to each other.

Tech Geek
    You’re misrepresenting the role of AD FS. It will only work for web-based applications and has nothing to do with domain membership of devices. – MDMarra Dec 15 '18 at 21:08