AD Domain Name - Best Practices


We are in the process of designing a brand new AD implementation, and are running into differences of opinion in regards to what the AD domain name should be.

Our company "Contoso" plans to use contoso.com for the public website, and for hosted Exchange email using O365. The AD infrastructure is expected to synchronize with O365 and Azure and to use SSO whenever possible.
Additionally, AD FS and LDAP over SSL (using 3rd-party certificates) might be in our future; no formal requirements are defined yet.

The options on the table are:

  1. contoso.com
  2. ad.contoso.com
  3. contoso.local
  4. adcontoso.com

The majority of our team is split between options 1 and 2. What do you think the ideal name should be?

Generally the recommendation is to use a delegated subdomain such as example 2. Both 1 and 2 can (and do) work in such scenarios. .local and other non-registerable TLD suffixes are not recommended anymore (people suggesting them remember Windows 2000, when the AD documentation used such names as the suggested name). Option 4 would require (well, recommend) public registration [1], and would make AD FS SSO more difficult, if that's how you're planning to accomplish SSO.

Option 1 would require "split-brain DNS" [2] while option 2 would not, so from that aspect, option 2 is the best choice. You can set UPNs to use contoso.com with option 2, of course.

Best regards,

Rich Milburn

[1] This prevents someone else registering the name in the future and causing havoc with name resolution, and you'd want to register it with your Office 365 tenant if it's not your email suffix, which, again, would require public registration.

[2] Some admins don't like split-brain DNS (where you have an internally-hosted DNS zone named the same as a publicly-facing zone hosted externally, and the internal one has a subset of the records), because it requires coordination of external DNS records. If someone publishes a site to, say, fred.contoso.com, and hasn't entered it in the internal contoso.com zone, internal users will be unable to resolve the name. On the other hand, it facilitates using internal IPs for internal users and external ones for Internet users, and others believe that is a benefit justifying split-brain DNS.
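As an added example (not part of the original thread or Rich's post), the UPN step for option 2: the forest is named ad.contoso.com, contoso.com is registered as an alternative UPN suffix, and users whose UPN still ends in the internal suffix are rewritten to user@contoso.com so the on-premises UPN matches the O365 sign-in name. It assumes the RSAT ActiveDirectory module; the OU search base is a placeholder.

```powershell
# Added example: option 2 (forest ad.contoso.com) with user UPNs on contoso.com.
# Assumes the RSAT ActiveDirectory module; the OU path is a placeholder.
Import-Module ActiveDirectory

$PublicUpnSuffix = 'contoso.com'                        # public / O365 suffix
$InternalSuffix  = (Get-ADForest).RootDomain            # e.g. ad.contoso.com
$SearchBase      = 'OU=Users,DC=ad,DC=contoso,DC=com'   # placeholder OU

# 1. Register contoso.com as an alternative UPN suffix in the forest (idempotent).
if ((Get-ADForest).UPNSuffixes -notcontains $PublicUpnSuffix) {
    Set-ADForest -Identity (Get-ADForest) -UPNSuffixes @{ Add = $PublicUpnSuffix }
}

# 2. Find users whose UPN still carries the internal AD suffix.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$InternalSuffix'" `
                    -SearchBase $SearchBase -Properties UserPrincipalName, mail

foreach ($u in $users) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $PublicUpnSuffix

    # Guard: the new UPN must be unique, otherwise directory sync to O365 reports a conflict.
    if (Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'") {
        Write-Warning "Skipping $($u.SamAccountName): $newUpn is already in use"
        continue
    }

    # Guard: flag users whose mail attribute will not match the sign-in name.
    if ($u.mail -and $u.mail -ne $newUpn) {
        Write-Warning "$($u.SamAccountName): mail=$($u.mail) differs from new UPN $newUpn"
    }

    # -WhatIf previews the change; remove it to apply.
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```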
