It's looking more and more like I'll have to rename my Active Directory domain.
There is a well-known process for making this change, including some very good answers on Server Fault already (like this one). I understand you may think I want to ask a duplicated question, but this includes the squishy topic of Not Triggering a Revolution.
I inherited an internal Active Directory domain from the dawn of Active Directory. We'll call it ACRO.TLD, with the NetBIOS name ACRO (short for "acronym").
This was great when everybody used a grandpa box behind the firewall. But this practice is now deprecated and could cause trouble down the line. There are a lot more mobile devices and it would probably be Very Bad if the domain leaked out into the Internet at large.
I need to

- sell the change to managers
- minimize disruption to users, especially the ones who like convenience (see requirement 1). (Changing the NetBIOS domain name from ACRO would be a deal breaker.)
There are bound to be decisions made in planning and presenting the change that increase the chance of success (i.e. users don't show up at my door with pitchforks and torches). This is clearly a subjective question and the best answers would come from people who had been through the change already.
Selling it to management probably consists of explaining the why behind the Very Bad Things, combined with "the change shouldn't be so bad".
So now the question is how to make the change not be so bad, in other words, minimize the disruption to users. I hate to sound open ended but I may be tripping over something basic.
We own domains that I'll call COMPANYNAME.COM and COMPANYNAME.NET. Our external web presence and email addresses (email is hosted externally, there is no Exchange) use COMPANYNAME.COM; we have COMPANYNAME.NET as a buffer against domain squatting.
So I think that my best alternatives are

- ACRO.COMPANYNAME.COM (subdomain)
- COMPANYNAME.NET

I prefer ACRO.COMPANYNAME.COM, because users are used to ACRO and COMPANYNAME.COM and we're just bringing the two together. No need to change the NetBIOS domain name, and of course the Windows 10 login screen by default uses the domain a computer is joined to.
Because of the existing practice I've already laid out, users are already trained to use separate user names and passwords for Windows login and email (probably a Good Thing with hosted email).
Some of the cons are

- ACRO.COMPANYNAME.COM is already a hostname registered in Internet DNS.
- There may be some confusion when both accounts contain companyname.
- A pain point of potentially tripling what people have to type in to enter login credentials.

But are these real barriers to going ahead with ACRO.COMPANYNAME.COM? Am I missing something?
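One of the cons above is that a candidate name already exists in public DNS. The following script is an added example, not part of the question, that checks each candidate AD DNS name against an external resolver: it counts ordinary public records (the ACRO.COMPANYNAME.COM case) and separately looks for the `_ldap._tcp.dc._msdcs` SRV record that would mean domain controller locator records are already visible on the Internet, which is the "domain leaked out" scenario. The candidate names and the resolver address (1.1.1.1) are placeholders.

```powershell
# Added example, not from the original post. Assumes RSAT / Windows 8+ DnsClient
# module (Resolve-DnsName) and outbound DNS to the chosen external resolver.
function Test-CandidateAdDnsName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [string]$Resolver = '1.1.1.1'   # assumption: any public resolver works here
    )

    foreach ($n in $Name) {
        # Ordinary public records: if any exist, the name is already in use on the Internet
        # and will collide with the split-brain DNS zone the DCs would host.
        $public = foreach ($type in 'A', 'AAAA', 'CNAME', 'MX', 'TXT') {
            Resolve-DnsName -Name $n -Type $type -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue
        }

        # DC locator record: if this resolves publicly, AD SRV records for that name have
        # leaked (or are being published) outside the internal network.
        $dcSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$n" -Type SRV -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Name          = $n
            PublicRecords = @($public).Count
            PublicTypes   = (@($public) | Select-Object -ExpandProperty Type -Unique) -join ','
            DcSrvExposed  = [bool]$dcSrv
        }
    }
}

# Placeholder candidates from the question; replace with the real names.
Test-CandidateAdDnsName -Name 'acro.tld', 'acro.companyname.com', 'companyname.net', 'ad.companyname.net' |
    Format-Table -AutoSize
```

A name with PublicRecords greater than zero is already taken on the public side; one with DcSrvExposed true is already leaking AD locator data and needs fixing regardless of any rename. Run it from a network that does not use the internal DNS servers, otherwise the internal zone answers instead of the Internet.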
If your organization changes and you need an entirely new directory structure, sure, take the opportunity to pick a best-practice DNS name. But you have not identified a problem, either technical or user experience, worth doing a rename project.

Adding a UPN of COMPANYNAME.COM, or perhaps COMPANYNAME, and doing a UserPrincipalName conversion is supposed to be easy. Describe this to users as logging in with (what looks like) their email address. Although, you trained them to separate email credentials from AD DS, so this may be confusing.

ACRO.TLD in an internal network security zone is fine; you can keep that. Register the name, just in case clients bypass internal DNS. Challenges come if users expect something else, or expect this to be the public presence (web server). I suggest avoiding the public presence names, even if you can design around the conflicts and confusion. Perhaps something like ACRO.COMPANYNAME.NET.

Consider looking into Active Directory Federation Services. It should allow multiple independent, unrelated domains to co-exist while allowing cross-domain trusts and co-existence. One of the things it does well is allow a company on an acquisition binge to get all of the acquired ADs talking nicely to each other.
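The UPN suffix approach in the answer above leaves the AD DNS name (ACRO.TLD) and NetBIOS name (ACRO) untouched; only the name users type changes, and ACRO\user keeps working. The following script is an added example, not code from the answer, showing the two steps: registering the suffix at the forest level, then rewriting each user's UserPrincipalName, with a rollback CSV, a forest-wide uniqueness check (a duplicate UPN is rejected by the DC and breaks logon for that user), and -WhatIf support so it can be dry-run before the real change. The suffix, OU path and file path are placeholders.

```powershell
# Added example, not from the original answer. Assumes the RSAT ActiveDirectory
# module, an account with rights to modify the forest (for the suffix) and the
# users in the target OU, and that UPN prefixes contain no single quotes.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$NewSuffix  = 'companyname.com',                 # placeholder suffix
    [string]$SearchBase = 'OU=Staff,DC=acro,DC=tld',         # placeholder OU
    [string]$BackupCsv  = ".\upn-backup-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
)

Import-Module ActiveDirectory

# Step 1: register the suffix on the forest (idempotent; skips if already present).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    if ($PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix $NewSuffix")) {
        Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $NewSuffix }
    }
}

# Step 2: collect the users and write a rollback record before touching anything.
$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
                    -Properties UserPrincipalName, mail
$users | Select-Object SamAccountName, DistinguishedName, UserPrincipalName, mail |
    Export-Csv -Path $BackupCsv -NoTypeInformation
Write-Verbose "Rollback data for $(@($users).Count) users written to $BackupCsv"

# Step 3: replace only the suffix; the left-hand part of the UPN is kept.
$changed = 0; $skipped = 0
foreach ($u in $users) {
    $prefix = if ($u.UserPrincipalName) { $u.UserPrincipalName.Split('@')[0] } else { $u.SamAccountName }
    $newUpn = "$prefix@$NewSuffix"
    if ($u.UserPrincipalName -eq $newUpn) { continue }

    # UPNs must be unique across the forest; the Filter is a PowerShell expression,
    # so the value is single-quoted (assumption: no quotes in the prefix).
    $clash = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'" -ErrorAction SilentlyContinue
    if ($clash -and $clash.DistinguishedName -ne $u.DistinguishedName) {
        Write-Warning "Skipping $($u.SamAccountName): $newUpn is already used by $($clash.DistinguishedName)"
        $skipped++
        continue
    }

    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Set UPN to $newUpn")) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
        $changed++
    }
}
Write-Output "UPNs changed: $changed, skipped (conflict): $skipped"

# Rollback, if needed (run separately):
#   Import-Csv $BackupCsv | ForEach-Object { Set-ADUser -Identity $_.DistinguishedName -UserPrincipalName $_.UserPrincipalName }
```

Run it first with `-WhatIf -Verbose` to see which suffix addition and which user changes would happen, then pilot on one OU before widening $SearchBase. Since the mail attribute is exported alongside the UPN, the CSV also shows where the new UPN will match the hosted email address, which is exactly the set of users the answer warns may find the change confusing.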