To use a .Local or real internet DNS name for SBS (Small Business Server)

A while back I got into a debate with a good friend of mine – Mitch Garvis – President of the Montreal IT Pro user group. He’s a hands-on Small Business Server guy with plenty of practical real-world experience with the product and with various customer requirements. We were having a few drinks with a bunch of people after an event one night and I overheard him mention installing Small Business Server with the DNS namespace ending in a .local top-level domain. That is to say – if I owned the canitpro.ca public DNS namespace, the default SBS install suggests I install Active Directory with a canitpro.local DNS namespace.

This intrigued me – why do this? I’ve been designing AD and DNS namespaces for small, medium and enterprise organisations since the product was in Beta, and working with DNS and internet-connected systems well before then. It doesn’t make sense… a non-routable domain suffix? How could I let Mitch pass out this recommendation to someone without asking – WHY? So I asked, and opened the proverbial can of worms…

Mitch – Because it’s default… it’s simple… and it works… Why would I change it?

OK. I had to speak up. My main concern with recommending that someone use a .local is that it is not routable and never will be routable on the internet. This is both a good thing (security, some say) and a bad thing (what if I want to talk to someone on the internet directly without jumping through hoops?). If you have a server whose FQDN (Fully Qualified Domain Name) ends in a .local, someone who needs to get back to you cannot – without extra work. This isn’t a big deal for internet email (if you don’t mind the extra work), since you can edit the MX records to point to a properly formatted, internet-resolvable name that just happens to correspond to the IP where your firewall / router / ISA server will accept the incoming SMTP request, switch-er-oo the addressing info to the proper internal name and pass it on through. This isn’t the case for other technologies coming down the pipe… maybe they will work with the extra work, maybe they won’t… Here are the things that I foresee as being problems for you if you decide to use .local:

  • SPAM evaluation scores… if the FQDN your server announces when queried is different from your MX record or your SPF record, or if it’s non-resolvable, you will get higher SPAM ratings from the various systems and have a significantly higher chance of having your email flagged as SPAM.
  • Non-translatable services with the ISA firewall / router switch-er-oo… have you thought about your identity on the internet going forward? What if you want to start doing some e-commerce stuff or Active Directory Federation Services with someone – can you, or will you be able to, do it when you have a .local internal name? Maybe, but it sure will require a LOT more extra work.
  • Self-issued certificates for SSL – way more complicated to get trusted outside of your environment without directly importing your issuing root certificate, resulting in extra work for EVERY device and EVERY customer you need to work with. Why is this important? Do you ever want to use a Mobile 5 device with your SBS Exchange SP2 based system for Push email? Do you have an SSL-protected HTTPS page on the internet that prompts you? If you get prompted by an SSL-protected OWA or Exchange ActiveSync page, Mobile 5 with Push technology will cause you additional setup grief for each device, resulting in extra work.
  • Macintosh machines really hate it – they just can’t cope.
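The first bullet above is something you can check for yourself before a receiving mail system does it for you. The PowerShell below is an added example, not code from the original post: it takes the name a server announces (its EHLO/HELO name or reverse DNS), the MX hostnames for the domain and the SPF TXT record, and reports the mismatches that push spam scores up. The hostnames and records in it are constructed for illustration, and the list of non-routable suffixes beyond .local is an assumption (.local itself is reserved for multicast DNS by RFC 6762 and will never resolve on the public internet). Only name-based SPF mechanisms (`mx`, `a:<host>`) are evaluated; `ip4`/`ip6` entries would need the server’s address, which this offline check does not have.

```powershell
# Added example (not from the original post): sanity-check the names a mail server
# presents to the internet. All inputs are constructed for illustration.

# Suffixes that will never resolve on the public internet. '.local' is the one the
# post discusses (reserved for multicast DNS by RFC 6762); the others are assumed
# here as commonly used private suffixes.
$NonRoutableSuffixes = @('.local', '.lan', '.internal')

function Test-NonRoutableName {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($suffix in $NonRoutableSuffixes) {
        if ($Name.ToLowerInvariant().EndsWith($suffix)) { return $true }
    }
    return $false
}

function Test-MailIdentity {
    <#
      Compares the FQDN a server announces with the domain's MX hosts and SPF record
      and returns one finding per inconsistency (an empty array means all consistent).
    #>
    param(
        [Parameter(Mandatory)][string]$AnnouncedFqdn,   # EHLO/HELO or reverse-DNS name
        [Parameter(Mandatory)][string[]]$MxHosts,       # hostnames from the MX records
        [Parameter(Mandatory)][string]$SpfRecord        # text of the SPF TXT record
    )
    $findings = @()
    $fqdn    = $AnnouncedFqdn.ToLowerInvariant()
    $mxLower = @($MxHosts | ForEach-Object { $_.ToLowerInvariant() })

    if (Test-NonRoutableName -Name $fqdn) {
        $findings += "Announced name '$fqdn' uses a non-routable suffix; receivers cannot resolve it."
    }
    if ($mxLower -notcontains $fqdn) {
        $findings += "Announced name '$fqdn' is not one of the MX hosts ($($MxHosts -join ', '))."
    }
    # A receiver evaluating SPF needs a mechanism that can match this host: 'mx'
    # (only if the host really is an MX) or an explicit 'a:<host>' entry.
    $spfTerms    = $SpfRecord.ToLowerInvariant() -split '\s+'
    $coveredByMx = ($spfTerms -contains 'mx') -and ($mxLower -contains $fqdn)
    $coveredByA  = $spfTerms -contains "a:$fqdn"
    if (-not ($coveredByMx -or $coveredByA)) {
        $findings += "SPF record '$SpfRecord' has no name-based mechanism covering '$fqdn'."
    }
    return ,$findings
}

# Constructed sample 1: a server left on the default .local namespace.
$bad = Test-MailIdentity -AnnouncedFqdn 'sbs.canitpro.local' `
                         -MxHosts @('mail.canitpro.ca') `
                         -SpfRecord 'v=spf1 mx -all'
# Constructed sample 2: the same server announcing a routable name that matches its MX record.
$good = Test-MailIdentity -AnnouncedFqdn 'mail.canitpro.ca' `
                          -MxHosts @('mail.canitpro.ca') `
                          -SpfRecord 'v=spf1 mx -all'

"Findings for the .local setup: $($bad.Count)"
$bad | ForEach-Object { " - $_" }
"Findings for the routable setup: $($good.Count)"
```

Running it, the .local setup produces three findings (non-routable suffix, not an MX host, not covered by SPF) and the routable setup produces none. The same three checks are what a receiving server effectively performs when it scores your connection, which is why the post’s advice to announce a name you own and publish pays off in delivery rates.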

My question back to him (and you) is – do you own your own internet-based DNS namespace that ends in a properly resolvable top-level domain (like canitpro.ca or canitpro.com)? Why not save yourself all that extra work and set up your SBS server environment in such a way as to future-proof yourself against DNS namespace and FQDN name resolution headaches? What could you use? Following the K.I.S.S. (Keep It Simple S{fill in here}) principle – if you own canitpro.ca, name your internal AD namespace ad.canitpro.ca or corp.canitpro.ca or whateveryoulike.canitpro.ca… You control the namespace, you call it whatever you like. Sure it will make your user names slightly longer (rick@ad.canitpro.ca) – but you can fix that with a couple of simple post-install steps.

  • When you create your AD and make your first users – run the administrative tool called Active Directory Domains and Trusts. Choose the properties of the top-level object in the details pane (left side of the MMC console) and type in a shortened UPN suffix of canitpro.ca… All new users can then be created with this shorter logon name, which will match their email address.
  • You will want to create a Recipient Policy in Exchange that sets the default SMTP address to the external routable DNS name… i.e. my internal DNS namespace is ad.canitpro.ca and my default email address in Exchange is rick@ad.canitpro.ca… you will want to update this recipient policy so that it uses rick@canitpro.ca as the default…
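Those two post-install steps, scripted, as an added example that is not from the original post. The post walks through the GUI on SBS 2003 (Active Directory Domains and Trusts and the Exchange System Manager recipient policy); the cmdlets here assume a later environment – the ActiveDirectory PowerShell module (Windows Server 2008 R2 and up) and the Exchange Management Shell (Exchange 2007 and up, where recipient policies are called email address policies). The domain names are the post’s own examples, and the policy name `Default Policy` is the name Exchange gives the policy it creates at install.

```powershell
# Added example (not from the original post): the two post-install steps scripted.
# Assumes the ActiveDirectory module and the Exchange Management Shell are loaded,
# which means a newer environment than the SBS 2003 the post describes.
Import-Module ActiveDirectory

$InternalDomain = 'ad.canitpro.ca'   # the AD DNS namespace chosen at install
$PublicDomain   = 'canitpro.ca'      # the routable namespace you own

# Step 1: register the short UPN suffix at the forest level (what the post does in
# Active Directory Domains and Trusts), then move existing users over to it so
# rick@ad.canitpro.ca logs on as rick@canitpro.ca.
Set-ADForest -Identity $InternalDomain -UPNSuffixes @{ Add = $PublicDomain }

Get-ADUser -Filter "UserPrincipalName -like '*@$InternalDomain'" |
    ForEach-Object {
        $newUpn = '{0}@{1}' -f $_.SamAccountName, $PublicDomain
        Set-ADUser -Identity $_ -UserPrincipalName $newUpn
    }

# Step 2: make the public domain the default (primary) SMTP address, which is the
# recipient policy change in the post. The upper-case 'SMTP:' prefix marks the
# primary address; the lower-case 'smtp:' entry keeps the internal address as a
# secondary so nothing addressed to the old name bounces. %m expands to the alias.
Set-EmailAddressPolicy -Identity 'Default Policy' `
    -EnabledEmailAddressTemplates "SMTP:%m@$PublicDomain", "smtp:%m@$InternalDomain"
Update-EmailAddressPolicy -Identity 'Default Policy'

# Verify: every user should now show a logon name under the public domain.
Get-ADUser -Filter * -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName
```

Run the AD part from an account with Enterprise Admin rights (the forest-level UPN suffix needs it) and the Exchange part from the Exchange Management Shell. Keeping the internal address as a secondary proxy is the safe order of operations: users pick up the new primary address on the next policy update while mail to the old one still lands in the same mailbox.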

After some back and forth amongst Mitch, myself and the other table participants – we all came to the agreement that it made sense to use proper DNS naming conventions that are routable and controlled by yourself, in an effort to reduce the extra work that would be coming down the pipe as the company grows. I mean hey – what small business wants to stay small forever, right? Does this mean you should run out and re-install all your SBS installations, or reinstall your personal one? You would have to evaluate the pros and cons for that one, since it would take a big chunk of planning to determine the impact. Don’t worry – you can continue to live just fine with a .local implementation, provided you are ready for the extra work that lies ahead.

Please don’t take this post as a slight to the SBS community or development team for using a .local DNS name as the default install choice. IT IS NOT. Likewise – Small Business Server is a true, real server OS that is an extremely integrated and powerful solution that grows to accommodate up to 75 users. It is not a “lite” version of Windows Server 2003. Trust me – I respect SBS and the user community that supports it – they know their stuff.

Disclaimer: This discussion was over beer, amongst friends, peers and fellow geeks.  It was around DNS naming conventions and best practices for DNS namespace with debates on both sides of the house in good faith. Who won and who lost? I think I picked up the tab, but Mitch and others in attendance now use a different approach to namespace design. You make the call.