I just created my first... forest?

D3K

Soldato, joined 13 Nov 2014, 3,735 posts
Decided to upgrade my home server to a DC so I could tinker with AD and learn a few bits. Couldn't create a domain because there was no "forest".

I've never once in my entire career heard of the term "forest". As far as I knew, domains were the top level and could be connected to each other. I thought I was fairly savvy with IT, and if I hadn't at least heard of the name then it was because it was niche or pretty deep down the rabbit hole.

Is the term new or is there a reason no one verbalises the word?

Since choosing a *.local forest I have access to AD. Does the forest act like a domain in my network?
 
Soldato, joined 18 Oct 2002, 4,898 posts
A domain has to exist inside a forest. A forest can consist of one or many domains.

The domain and forest both have functional levels.

If you're only going to have one domain you don't really need to concern yourself with the forest, but it has to exist.
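As an added example (not from any post in this thread), here is the PowerShell that creates a single-domain forest and then shows that the forest and its root domain are separate objects with separate functional levels. The name corp.example.com, the NetBIOS name CORP and the 2016 levels are lab assumptions; the cmdlets are the standard ones from the ADDSDeployment and ActiveDirectory modules.

```powershell
# Added example, not from the thread. Run as a local administrator on a
# Windows Server box that has the AD DS role installed and will become the
# first DC. Names and functional levels below are lab assumptions.
Import-Module ADDSDeployment

# Creating the forest and its root domain is one operation: a domain cannot
# exist outside a forest, and the first domain you create IS the forest root.
# Functional levels can be raised later but never lowered, so pick the
# lowest level every DC you intend to add can support.
$newForest = @{
    DomainName                    = 'corp.example.com'   # assumed: a subdomain of a zone you own
    DomainNetbiosName             = 'CORP'
    ForestMode                    = 'WinThreshold'       # Windows Server 2016 forest level
    DomainMode                    = 'WinThreshold'       # Windows Server 2016 domain level
    InstallDns                    = $true
    SafeModeAdministratorPassword = (Read-Host -AsSecureString 'DSRM password')
    Force                         = $true                # suppress the confirmation prompt
}
Install-ADDSForest @newForest
# The server reboots here. Everything below runs after the reboot.

Import-Module ActiveDirectory

# Forest and domain are distinct objects, each with its own functional level.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    ForestRoot      = $forest.RootDomain
    ForestMode      = $forest.ForestMode          # e.g. Windows2016Forest
    DomainsInForest = $forest.Domains -join ', '  # one entry for a single-domain forest
    Domain          = $domain.DNSRoot
    DomainMode      = $domain.DomainMode          # e.g. Windows2016Domain
    ParentDomain    = $domain.ParentDomain        # empty: the forest root has no parent
} | Format-List

# Before raising either level, confirm every DC runs an OS that supports it.
Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem
# Set-ADDomainMode -Identity $domain -DomainMode Windows2016Domain
# Set-ADForestMode -Identity $forest -ForestMode Windows2016Forest

# A second domain in the same forest (a child under the root) is added from
# another server with Install-ADDSDomain, for example:
# Install-ADDSDomain -NewDomainName 'lab' -ParentDomainName 'corp.example.com' `
#     -DomainType ChildDomain -InstallDns `
#     -Credential (Get-Credential 'CORP\Administrator') `
#     -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
```

The level-raising lines are commented out on purpose: raising a functional level is one-way, so check the DC list first and only then run them.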
 

D3K (OP)
Soldato, joined 13 Nov 2014, 3,735 posts
> You've never heard of an AD forest? But you work in IT?
>
> Scary stuff.
>
> Get learning about forest roots, trees, child domains...
I'm more engineering than IT and have no need to learn such stuff. My interaction with servers is to put data management software on and configure, so everything has always been set up by the IT dept. I've been to a lot of companies and never once heard it being mentioned. Clearly above my security level :p

I only first touched AD last week when the IT guy disappeared and we needed a user added to a group. Hence my intrigue at home.
 
Caporegime, joined 18 Oct 2002, 26,102 posts
> What's wrong with .local for home use?

There's literally no reason to use it. You can get a real domain for a few pounds to make your deployment a subdomain of, and if you're the sort of person wanting to run up AD in a home lab then you probably already have one. There's little point in running a home lab if it's not going to reflect how you'd do it for real.
 

Bry

Associate, joined 24 Jul 2005, 1,374 posts
.local is also reserved for mDNS under IPv6. It's really not recommended anymore. Best practice is (and has been for many years now) to use a subdomain of a domain you own that is only available internally.
 

Deleted member 138126

Man, I just really don't buy it. The single argument I've been able to find that is mildly convincing is that using a TLD is the only way of guaranteeing global uniqueness. Why does that matter when .local is never going to resolve on the Internet (so who cares if it isn't globally unique), and when the chances of my company merging with another that both share the same xyz.local name are so stupidly close to zero? Not to mention that merging two companies rarely, if ever, results in the two domains being joined?

Having 3 and 4 deep DNS also seems, I don't know... Annoying?

root.company.com
subdomain.root.company.com

vs

company.local
subdomain.company.local

And DNS delegation can be such a hassle -- why marry the two, and worry about issues with delegation, split horizon, etc?

Some page I just found mentioned that commercial SSL providers refuse to issue certs to .local domains. Again, who is using commercial SSL providers for internal URLs? That's what AD-Integrated CAs are for.

I honestly don't get it.

I would love to be seriously convinced why .local is so bad (let alone for a home lab). I've worked with companies with over 100,000 employees, and there are far more companies using local variations (.local, .int, .internal, or other made-up ones) than there are using TLDs.
 
Associate, joined 6 Dec 2008, 2,341 posts, Scotland
It's just more silly money spin. Why pay someone else so you can stake a claim in who.cares.local when you are never going to expose that domain externally, ever? You have more chance of grabbing a memorable IPv6 address.

Wait till the OP discovers Forest Trusts!
 
Soldato, joined 18 Oct 2002, 8,124 posts, The Land of Roundabouts
Nothing wrong with a .local or similar, until you want to migrate to 365 or run a hybrid environment (and let's be realistic here, at some point any MS house is going to be using 365/Azure etc. in some form or another in the future!). Then it just becomes a ball ache.

For the sake of future-proofing I wouldn't consider using a .local these days for anything other than perhaps an air-gapped network.
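Two posts raise the naming point: Bry's, that .local is reserved for mDNS, and the one just above, that a .local forest turns into a problem once 365 or hybrid comes along. As an added example that is not from either poster, the PowerShell below checks the forest root and its UPN suffixes against the RFC 6761/6762 special-use names, then shows the usual remedy for the hybrid case: Azure AD Connect matches each user's UPN suffix against a domain verified in the tenant, a .local suffix can never be verified (those users land on the tenant's *.onmicrosoft.com name), so you add a routable suffix to the forest and move the users onto it. The forest name company.local and the public domain example.com are assumptions; every command that would change something carries -WhatIf.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module,
# a forest built as company.local (assumed) and example.com (assumed) as
# the public domain that is verified in the Microsoft 365 tenant.
Import-Module ActiveDirectory

# Special-use TLDs a forest should not be rooted in: .local is reserved for
# multicast DNS by RFC 6762; the others are RFC 6761 reserved names.
$reservedTlds = 'local', 'localhost', 'invalid', 'example', 'test'

function Test-AdDnsName {
    param([Parameter(Mandatory)][string]$Name)
    $labels   = $Name.ToLowerInvariant().TrimEnd('.').Split('.')
    $problems = @()
    if ($labels.Count -lt 2) {
        $problems += 'single-label name'
    }
    if ($labels[-1] -in $reservedTlds) {
        $problems += ".$($labels[-1]) is a reserved special-use TLD"
    }
    [pscustomobject]@{
        Name     = $Name
        Routable = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# 1. Audit: the forest root plus every UPN suffix the forest currently offers.
$forest   = Get-ADForest
$suffixes = @($forest.RootDomain) + @($forest.UPNSuffixes)
$suffixes | ForEach-Object { Test-AdDnsName -Name $_ } | Format-Table -AutoSize

# 2. Remedy for hybrid: add a routable suffix, then re-home users whose UPN
#    still ends in .local. Remove -WhatIf once the output looks right.
$publicSuffix = 'example.com'    # assumed; must be a verified domain in the tenant
if (-not (Test-AdDnsName -Name $publicSuffix).Routable) {
    throw "$publicSuffix is not a usable public suffix"
}
if ($publicSuffix -notin @($forest.UPNSuffixes)) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $publicSuffix } -WhatIf
}
Get-ADUser -Filter 'UserPrincipalName -like "*.local"' -Properties UserPrincipalName |
    ForEach-Object {
        $newUpn = '{0}@{1}' -f $_.SamAccountName, $publicSuffix
        Set-ADUser -Identity $_ -UserPrincipalName $newUpn -WhatIf
    }
```

Note that the forest's DNS name itself stays company.local; the UPN suffix is the part that has to be routable for sync, and that is what makes the .local choice survivable rather than fatal. Changing UPNs is still user-visible (anything that signs in with the old UPN, saved credentials, some Kerberos clients), so do it in batches with -WhatIf removed only after checking the list.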
 
Soldato, joined 25 Nov 2004, 3,792 posts
> I'm more engineering than IT and have no need to learn such stuff. My interaction with servers is to put data management software on and configure, so everything has always been set up by the IT dept. I've been to a lot of companies and never once heard it being mentioned. Clearly above my security level :p
>
> I only first touched AD last week when the IT guy disappeared and we needed a user added to a group. Hence my intrigue at home.

Then don't make statements like this:

> I thought I was fairly savvy with IT and if I hadn't at least heard of the name then it was because it was niche or pretty deep down the rabbit hole.

AD is hardly "deep down the rabbit hole".
 
Associate, joined 6 Dec 2008, 2,341 posts, Scotland
> Tell that to the consultant I worked with last week. He only deals with AD and after 8 years still confesses to not knowing everything about it.

That might be so; however, M$ has changed the field a few times, so unless he claims to be certified up to date with the courses that actually address AD (Server 2012 doesn't count, although it would certainly help the OP), I wouldn't shoot him down for not knowing some of the changes made, like service accounts etc. (just why? it's a normal account for the lazy admin).
 
Caporegime, joined 18 Oct 2002, 26,102 posts

What do you gain by using a .local?

Using a subdomain of a domain you own is as easy as using a .local, you never have to type the entire thing anyway if your DNS and DHCP offers are configured correctly, and it's considered current best practice.

Will using company.local cause you a ton of headaches right now? No, probably not. Neither will doing it with a subdomain.
 