.local namespace in mixed environments

Reading Time: 2 minutes

Some posts on ActiveDir.org mailing list reminds me about a topic I discussed some time ago with few peoples regarding using .local DNS suffix in AD domain environment. In fact there is nothing wrong with this particular suffix, it can be used and it is widely used in examples, and as far as I know it is default suffix proposed for SBS installation .. but, yes, there's always something :).

The problem starts when You have not pure Windows (server and clients) environment but when You have also Linux or MacOS X clients which You want to connect to Your domain or which have to use domain resources. It may happen with Linux and AFAIK (I'm not very familiar with MacOS) it is deafult for MacOS X that they support multicast DNS specification, which specifies what follows:

 This document proposes that the DNS top-level domain ".local." be
designated a special domain with special semantics, namely that any
fully-qualified name ending in ".local." is link-local, and names
within this domain are meaningful only on the link where they


 Any DNS query for a name ending with ".local." MUST be sent
to the mDNS multicast address ( or its IPv6 equivalent

So here we have our problem – how our non-Windows client can identify and locate AD domain which uses .local suffix if they will forward all queries to multicast address. This causes problem with authentication, locating resources etc. in the AD domain environment for non-Windows clients.
How we can solve this problem:

  1. First, if we are aware of this problem at the domain promotion stage, don't use .local suffix for your AD domain. Use .private or something like that instead.
  2. For MacOS X clients You can use this tip to configure them to use also unicast DNS queries. Here is another very good description how to fix this problem for Mac OS X. Probably there is also such configuration for Linux clients, I should check it in future.

And that's my .02USD about this issue, I think that this should be reflected in documents describing AD and DNS implementation for Windows platform and should be also corrected in any place when it is used by default (SBS world – am I right that this is default proposed suffix?), but this is far beyond my reach to make these changes.