
 

Domain Name Convention: *.loc Vs. *.local

Started by offka, Jun 13, 2023, 06:47 AM


offka (Topic starter)

Good afternoon! I have a small Active Directory domain, with about 50 users/computers and 30 printers. Currently, there is only one controller running Windows Server 2008 R2. I did not set it up, though, and I am teaching myself AD slowly.

The previous sysadmins named the domain as <domain name>.loc. Recently, a new colleague with extensive experience was hired, who claims that this is categorically wrong and suggested that we change it to company.local. However, I didn't understand why *.loc is worse than *.local.

I researched on Google and found out that .local is already called non-hilfo and it's better to use .nn or similar. But since our domain is exclusively local, we do not have a public domain yet.

My apologies if my question seems stupid but my knowledge of AD is still minimal.

UPD: After talking to my partner, he told me that he has been using the *.local domain in his office for 20 years without any problems. However, I have decided that I probably won't use it in my practice.


simialone

While .loc may seem appealing, using a reserved domain like .local is a better choice. It's generally advised to register a domain, but keep in mind that this links your network to a public domain which increases the probability of domain name changes. In comparison, the .local domain has a lower probability of change.

keith.bowman

Choosing a purchased domain is recommended for obtaining a legitimate certificate, as opposed to using .local or .loc which do not allow for certification. It is important to note that operating under your own CA comes with limitations and longevity.

It is crucial to prioritize security measures when it comes to online domains and certificates. In order to ensure legitimacy, it is wise to invest in a purchased domain rather than opting for alternative options. Not only will this provide the opportunity for obtaining a legitimate certificate, but it allows for more long-term success. However, it is important to acknowledge the potential limitations and restrictions that may come with operating under your own CA.

croptech

Last month, the .local domain became unusable due to its inability to be resolved by Android 12 and higher. Recently, I encountered this issue and struggled to uncover its cause. It was puzzling why my previous Android 10 device could access home domain websites while the new one could not.

neropramrorne

It's great to hear that you're teaching yourself Active Directory (AD) and striving to improve your knowledge in that area. Regarding the domain naming, both ".loc" and ".local" were historically used as domain name suffixes for internal networks. However, in recent years, it has been recommended to avoid using these suffixes for various reasons.

One of the main reasons is that ".local" was designated by the Internet Engineering Task Force (IETF) as a reserved domain for Multicast DNS (mDNS). The use of ".local" as an Active Directory domain can potentially cause conflicts with mDNS, leading to network issues. Additionally, ".local" is not a valid top-level domain in the public DNS system, which means it could cause problems if you decide to integrate your internal domain with a public domain in the future.

As for using ".nn" or a similar suffix, it's a common practice to use a unique, non-reserved domain name that you have control over. This ensures that there won't be any conflicts with existing domain names and avoids potential future issues.

While some organizations have used ".local" for many years without problems, it's generally advisable to follow best practices and avoid using reserved or non-standard domain name suffixes. Choosing a more appropriate domain name, such as "company.local" or a unique variation, will ensure compatibility and reduce the risk of encountering issues down the line.

It's great that you're seeking to improve your AD knowledge and make informed decisions about your domain.
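The naming concerns raised in this thread (the mDNS reservation of .local, the made-up .loc suffix, and the certificate point from keith.bowman's reply) can be turned into a simple pre-check for a proposed AD DNS name. This is an added example, not code from the forum or from Microsoft; the owned public domain `example.com` and the candidate names are constructed placeholders.

```python
import re

# IETF special-use names an AD forest root should stay away from.
# .local is reserved for Multicast DNS by RFC 6762; the rest by RFC 6761 / RFC 8375.
RESERVED_SUFFIXES = {
    "local": "reserved for mDNS (RFC 6762); mDNS-aware clients such as Android 12+ "
             "may send queries to multicast instead of your DNS servers",
    "localhost": "reserved loopback name (RFC 6761)",
    "test": "reserved for testing (RFC 6761)",
    "example": "reserved for documentation (RFC 6761)",
    "invalid": "reserved as always-invalid (RFC 6761)",
    "home.arpa": "reserved for home networks (RFC 8375)",
}

# RFC 1035 label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_ad_domain_name(name: str, owned_public_domains=()) -> list[str]:
    """Return findings for a proposed AD DNS name; an empty list means no concerns."""
    findings = []
    name = name.strip().rstrip(".").lower()
    labels = name.split(".")
    if len(name) > 253 or not all(LABEL_RE.match(label) for label in labels):
        return [f"'{name}' is not a syntactically valid DNS name (RFC 1035 label rules)"]
    if len(labels) == 1:
        return ["single-label domain: not recommended for AD and poorly supported by clients"]
    for suffix, reason in RESERVED_SUFFIXES.items():
        if name == suffix or name.endswith("." + suffix):
            findings.append(f"ends in .{suffix}: {reason}")
    # Microsoft's guidance is a subdomain of a domain the organisation owns (e.g. corp.example.com).
    if not any(name == d or name.endswith("." + d) for d in owned_public_domains):
        findings.append("not under a domain the organisation owns: publicly trusted CAs will not "
                        "issue certificates for it, and a future name collision cannot be ruled out")
    return findings


if __name__ == "__main__":
    # Constructed candidates mirroring the thread: the current name, the proposed one, and
    # a subdomain of an owned public domain (example.com is a placeholder).
    for candidate in ("company.loc", "company.local", "corp.example.com"):
        print(candidate, "->", check_ad_domain_name(candidate, ("example.com",)) or ["no concerns"])
```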

Epittyblilk

Your domain name setup screams amateur hour with that .loc TLD - it's not even a legit top-level domain, more like a typo waiting to bite you in the DNS resolution. Switching to .local aligns with RFC specs for local AD environments, avoiding mDNS conflicts and future scalability woes.

Your colleague's push for company.local is spot-on for internal namespaces, preventing split-brain scenarios in multi-site forests. Ditch the .loc hackery, register a public TLD if needed, and embrace hierarchical DNS best practices to keep your AD forest healthy and your users' logins smooth. With 50 users and 30 printers, you're not running a Fortune 500 corp yet, but planning ahead with proper zone delegation and forwarders will save you from domain rename nightmares later.

Trust me, as a domainer who's parked thousands of domains, .local is your safe harbor for internal ops, not some bogus .loc experiment.

