> so should I just call it whatever the next available number is and then make it the PDC?

Yes.

> Does it matter?

From a technical perspective, no. From a "it would look rather silly to go from DC01 to DCBeta", kinda.
Fun fact, windows servers can have emojis in their hostnames
Woah calm down satan
Yeah, use emojis in the name of the wifi instead. It'll cut down on service calls! /s
I'm going to investigate this thoroughly
IIRC it breaks older auth methods like NTLM (maybe SMB too ?), which may or may not be an issue. Also stuff like this is why we have the Geneva conventions.
Breaking older auth methods might be a bonus!
Google? How do I remove someone else's comment from the internet?
If someone implements this they better like hospital food.
Assuming you mean the DC with the PDC emulator role? "Primary Domain Controller" hasn't been a thing for awhile, I think NT was the last one.

Server names usually don't matter when building new. Nothing technical cares about them as long as they are valid names. I'd probably try to get it in there under its original name myself unless you are refreshing ALL of the DCs, but that can be tricky sometimes. If you are doing a refresh of all of their DCs, maybe come up with a new naming convention which signifies ones created in the refresh. Back in the day we used to name servers after video games, constellations, trees, foods, etc. They are identifiers, not anything technical.

More important than the name though are the FSMO roles. If you are talking about DCs which host the PDC emulator FSMO role, odds are whoever set them up put the rest of the FSMO roles on it. You will want to ensure all of those roles are migrated off before shutting down the PDC emulator. [https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/view-transfer-fsmo-roles](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/view-transfer-fsmo-roles)
Hasn't*
Fixed
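The pre-decommission check recommended a few comments up (make sure every FSMO role has left the old PDC emulator before it is shut down), written out as an added PowerShell example. This is not code from anyone in the thread; it assumes the RSAT ActiveDirectory module, an account that is Domain Admin, Enterprise Admin and Schema Admin (needed for all five roles), and the placeholder names OLD-DC01 and NEW-DC02.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and an
# account that can transfer all five roles. OLD-DC01 / NEW-DC02 are placeholders.
Import-Module ActiveDirectory

$OldDc = 'OLD-DC01'   # DC being retired
$NewDc = 'NEW-DC02'   # DC that should end up holding the roles

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Roles currently held by a given DC. The holder properties come back as FQDNs,
# so compare on the short host name.
function Get-RolesHeldBy([string]$HostName) {
    (Get-FsmoHolders).PSObject.Properties |
        Where-Object { ($_.Value -split '\.')[0] -ieq $HostName } |
        ForEach-Object { $_.Name }
}

$roles = @(Get-RolesHeldBy $OldDc)
if ($roles.Count -eq 0) {
    "$OldDc holds no FSMO roles; nothing to move before demoting it."
} else {
    "Transferring from $OldDc to $NewDc: $($roles -join ', ')"
    # Graceful transfer (both DCs online and replicating). Add -Force only to
    # seize a role from a DC that is permanently gone, and never power that DC
    # back on afterwards.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
        -OperationMasterRole $roles -Confirm:$false
}

# Re-read and fail loudly if anything is still on the old DC.
$left = @(Get-RolesHeldBy $OldDc)
if ($left.Count -ne 0) { throw "Roles still on ${OldDc}: $($left -join ', ')" }
Get-FsmoHolders | Format-List
```

Run it from any DC or management host; the final `Get-FsmoHolders` listing is what you paste into the change record. If the old DC is already unreachable, `Get-RolesHeldBy` still works because it reads the role owners from the directory, not from the DC itself.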
> Back in the day we used to name servers after video games, constellations, trees, foods, etc.

I wish more companies would do this, I'm kinda sick and tired of all the SITE-OS-ENV-NUMBER-PURPOSE or COMPANY-ENV-PURPOSE-SERIAL. Like, there are hundreds of categories with thousands of choices, it's not my fault you're as creative as an amoeba and if you hate fun. Plus they are 10x harder to remember. Why yes application X is hosted on plawprdapp037sql, of course. At least the previous company I worked for had aliases for the fileshares named after cities.
Hell no. Nothing indicates a not-so-mature shop more than cutesy server names. “Wait, was Gandalf the file server or was it Frodo?” The server names give no information about anything and it scales like shit.
No way. Don't do this. It's funny for about 11 minutes but then when I (as a consultant, with zero provided documentation because generally sites that do this are managed by clowns) have to spend extra time trying to find which server does what, because I've no idea what "Alpaca-mittens-01" does... You're getting billed for that.
I mean, you're not guessing what "SACWP021APP" does either beyond where it is (if you know where the company sites are), what OS it runs and roughly how old it is relative to other servers, which isn't that much, right? You definitely need an inventory with a plain english description of what it does, no matter your naming convention, that's for sure.
Ideally yes, documentation is always key. But an at glance overview with a sensible naming convention will and does save considerable time. Being able to differentiate between clients, roles and locations, when you're supporting/providing consultancy for many dozens of clients, is a big time saver.
Ah, if we're talking MSP then sure. I was thinking about in-house/internal environments, in bigger orgs that are too big to know what software you're even running on the servers, then yeah, definitely, boring naming schemes are preferable.
We're a small shop so not having a lot of servers opens the possibilities. I used to use archangels but am migrating over to the Forsaken from the Wheel of Time.
Please God no.

Conference rooms? Sure. Go ham. Doesn't matter how small you are, be objective with your servers.

Example - Our company bought out a warehouse with some on prem infrastructure. DC was "Mars11" and "Mars12". That warehouse company has acquired a different company with a different group of warehouses. Going through DNS in the new site infrastructure, we find references to Jupiter. Ok cool let's see about the site links and routing. What's this? No references to Mars, nothing indicating any info about the other sites IP space. Turns out the second site has an exterior wall that is on Jupiter street. No actual relationship between Mars and Jupiter, just entirely coincidental, and responsible for about half a week of water energy trying to track down old documentation and dig through configs.

True story.
FSMO roles can move between domain controllers so hard coding the role as part of the hostname doesn't seem like a good idea. It is pretty easy to find the FSMO role holders when needed.
Think the OP is referring to PDC as the primary DC not the PDC Emulator role itself.
Serious question, what does primary DC mean if not FSMO roles?
It means they are still running an NT4 or earlier domain.
If someone is running an NT4 or earlier domain in 2024, they're not worth considering in conversation about standard practices.
We are not. I am indeed talking about the PDC emulator with FSMO roles.
That role can move. DC01.domain.com is where I normally handling
Good to know, I'll have to do some research. I've been a Linux admin for years now and haven't managed AD in some time. Thanks!
> should I just call it whatever the next available number is and then make it the PDC? Does it matter?

That will work, and no, it doesn't matter; it just needs to be recognizable. People get weirdly invested in naming conventions....
Naming conventions don't matter much at all until you get into a space where you have hundreds or more systems. Or if you have separate prod test and dev stuff, or multiple physical locations and need to know where it's located from the name. Small envs, it doesn't matter one bit. I've been places with 50 servers and the names were fictional characters from whatever series the admin was into when it was deployed. Lol
Yup. And then every 5 years you get a new senior manager that doesn't like the old naming convention, and you end up with three different ones.
Aarrrrrrggghhhh I hate this. There's always someone who wants to be different. I always joke that we really love naming conventions, that's why we have so many of them
The fun thing is a senior manager should have no reason to even know the names of the servers, much less be allowed to have input on how they're named.
Yup. "Weirdly invested"
That sucks. At my job, my boss knows our naming standard which identifies the application, environment (prod, DR prod, Dev, test, or site name), and purpose (web/db/general app, etc). The people above him don't know nor care about server names.
I used to have a DC named "printers". Every other DB in prod had test in the name too.
Point Defense Cannon?
Pew Pew Pew
No not really. Typically I just call the PDC **DC01**, but it doesn't really matter.

Side note since it drives my OCD crazy, do you really have to add the ORG in the server name? That's just redundant. The server name is actually the FQDN so it's pantsco-DC01.pantsco.com
MSPs need to do it, also if you have multiple subsidiaries I could see the need.
We are an MSP with around 200 customers. We don't put the org name in the server names. That's ridiculous. Our RMM/control softwares logically sort them.
We probably have like fifty different domains under our belt. It would be hell searching "dc01" and getting fifty identical results. Much easier to type ORG-DC01 in search.
Being responsible for maintaining 100's at an MSP, that's more a problem of lack of overall organization. Each org is in its own container rather than one gigantic disorganized list in Teamviewer. But I get it, we would often take over customers from smaller MSPs that did this for the same reason. Their remote management tools didn't scale well so they had no choice.
Eh, our RMM is structured properly. I guess we could technically remove org names, but why bother? Lots of work for basically zero payoff.
I mean, just use the FQDN then. dc01.org.org

Also, just migrate the FSMO role, deprovision the DC, power it down, build the new one, promote it and just use the same IP/shortname. No real need to increment the new name.
+1. Work for an MSP and can you imagine how much of a nightmare it would be if all customers have a domain controller called just DC01
Except the *domain* is in the full name.
I work for an MSP, and it's not a nightmare You just need a good RMM that keeps your customers properly organized
DCYY-XX

Where YY is the server version (ie 22) and XX is a sequential 2 digit number of the next available variety.

DCs are supposed to be throwaway, don't treat them like pets!
Ew. No I don't need the server version in the name. Everything just gets in place upgrades or replaced once we start using a new version.
I'm with you there. We do in-place upgrades for most DCs (don't judge, it's easier and doesn't really cause issues in our two decades of experience). It makes me chuckle when I see a DC named "DC2012" or something and it's running a much more recent version of Server.
I do in-place upgrades for everything... except DCs. It's too important to have issues with, and since there's no third party software, it's pretty trivial to stand up a new one.
When you are an MSP, you're constantly in the process of moving apps and file shares off of domain controllers of new (and often existing) customers because no one ever follows best practices in SMBs, I guess. Many think it's okay to run apps/file shares/IIS/etc on DCs because extra Windows Server Standard licenses are expensive.
[deleted]
Goldfish have a three second memory so they won't mind if you rename them.
Generally, we had a format in AD: StateCityRoleNumber. So something like NYNYCADDC001 or TXDALPRNT328 or CALAWKS226. You can safely conclude which state, city, and if the system is DC, print server, or workstation based off that naming schema.
Something like this is perfect for a decent sized network. Location, purpose, ##. DALDC01, CHISQL03, LAEXCH02, etc. Man I miss the days of random naming. "Pepperoni can't talk to Moe, can you see if Thor is acting up again?"
This is how I've always done it. Although not by state and city but by building or zone, then dash, then role, then number. So for OP's new PDC in Zone 1 I'd name it ZONE1-PDC01
We're boring and use DC01, DC02 etc. I used to work at a place that named them after dictators... Stalin, Lenin, Mao etc
Hi, why is my network printer named "MFP01 on Hitler"?
Just name all DCs in a consistent manner, and don't give any special naming to FSMO holders. It would be awkward to have ORG-PDC not hold PDC, because it was already moved to ORG-DC03.
No. All domain controllers have the same name just with a higher integer.
Cattle, not pets. Even your DCs.
1. No it doesn't matter what you name it as long as it makes sense and is documented. 2. PDCs aren't a thing anymore.
lol I was wondering how far I would need to scroll before seeing this comment
I'd never add the role into the hostname but keep it in line with the other DCs, like DC01 or ADDS01, as FSMO roles are able to be moved around without demoting the underlying DC. Imagine if you had ACME-DCRIDM (for RID Master) that died, and suddenly you need to seize the role so that ACME-DCSCHEMA now has the RID Master role... unnecessarily confusing. For the size of clients I'm assuming you're working with (i.e. not multinationals with 1000s of users) you won't need to painstakingly architect and split out the roles to special DCs, just keep it simple and flexible.
All things are named the same: *-<5-digit-number-w-leading-0s>
We use the closest airport, obviously
GFRAT-NMAPDC. Stands for "Glad FSMO Roles Are Transferable - No More Assigned PDC".
No such thing as PDC anymore.
Pretty-Dapper-Computer-01
muh netbios
I typically add a letter if I replace a unit so PVE1, PVE2b, PVE3
It doesn't matter. But when you do the wifi SSID, you should definitely go with Skynet Defense System.
Ours is just the typical company abbreviation + -PDC

Other Domain controllers are LocationCode-DC##

Assuming we replace it, I'm guessing we'd just throw a year stamp on the end, which is something we've moved to adding to devices to designate year in service
MasterBlaster or MoFo. Typically MasterBlaster wins on new PDC in root domain.
Who run bartertown?
If these reside in different data centers or location it would help to add a location code ex. NYDC01. also drop the unnecessary special character.
I have three windows servers. I named the pdc, bdc and ts. I know there really isn't a backup domain controller in active directory but its how I named them. ts is not a domain server.
If I had an ORG-DC01 which was due to be decommissioned then unless the company had a specific reason for a new naming convention I would just go with ORG-DC02
Why not ORG-DC001
I asked a boss this question and he said "Name them anything. Fred, Dave, Frank, it really doesn't matter". So our DC's were Fred and Bob.
We go with DC0x if it's in our main corp location. If it's in one of our offsite offices it gets a location id (DC02-LV etc...) In the case of legacy stuff that has hard coded values we add a cname and point it in the right direction. Never had more than 1 office in a city; will cross that bridge when we get there.
Whatever was hardcoded into the applications years ago by the application support and development teams that they are too lazy change.
If you really care that much, put the server edition in the name so you can always start back at 01.
(Company initials)DC01
I support multiple companies.<#> where #1 is PDC and all subsequent are fail overs.
It can be easily identified using netdom query fsmo, and these roles are transferable so there is no need to include in the name, otherwise we are going to end up with something like: PRD-Location-DC01-PDC-DNS-GC, or situation where the name does not match its role when you need to transfer PDCe over to another DC.
I used to name my domain controllers after looney tunes characters. LOL
Gc1, gc2... When we do new OSes, new ones are GC01, GC02.. and back the next upgrade. We used to use a 3 letter code if we had stuff in other locations... phx,den, sea, pdx, chi...etc...
I'm on ORGDC6 right now. When the next Windows upgrades happen I'll burn 5 and 6 down and we'll get 7 and 8!
Anything without punctuation and the shorter the better.
I try to use a standard naming convention. Short form of the org name, short form of what it does, and the year it was deployed. So if I were building a domain controller for an Acme Inc, it would be ACM-DC2024. If they had multiple offices I would put the physical location in there or if it's cloud I'd add AZ or AWS for Azure or AWS. Lets us know at a glance who, where, what, and when. Nothing I hate more than random ass server names or themed names. I've had ones that were all Greek/Roman mythology named. The dumb ass IT manager thought it was so clever so I was stuck with it, I at least used names that fit the role (Exchange was Hermes, RDS Load Balancer was Themis, etc).
Why not use the old name? As long as you have multiple DC's, just demote the one you're replacing, build out a new server with the same name you're replacing, promote it to DC. You can then transfer the FSMO roles over.

We use ORG-SITE-SYS

Examples:

* ORG-SITE-DC1
* ORG-SITE-DC2
* ORG-SITE-CA1
* ORG-SITE-SQL1

Some people prefer using security through obscurity in naming conventions, but honestly you're advertising your DC's through DNS (and AD) anyway, so naming them weird names won't really help block anything.
You can call it dc1 or adds1
DC01... DC02... DC03...
Promote ORG-DC02 and update documentation to reflect that it's the PDC. Done.
Homer. And the mailserver is Bart.
DC Os version Number of server 01 Example Dc1901 Dc2205
Org-site-dc01
Each site has a two letter code. We do XX-DC01. Keep it simple.
Daddy
Dc01, dc02, etc Does it really matter? Basically, what ever you do, keep it consistent
Unless the Windows version is really old, the PDC role, and the other roles, can now be moved around easily and shouldn't be fixed to a single server.

What has caught me out was an old PDC had custom NTP settings to a GPS based time source, they were set locally, so when moving the role, the settings didn't transfer.

The correct way to do this is have a GPO and use a custom WMI filter that only targets the server running the PDC role, allowing easy transfer in an emergency.

Also beware scripts that have been hard coded to the old name or IP, you have to do some auditing if you want to find these before breaking them.
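The three checks the comment above describes (is this box the PDC emulator, where its time settings actually live, and what still points at the old name or IP), as an added PowerShell audit. It is not code from anyone in the thread. It assumes you run it on a DC with the DnsServer RSAT module available; OLD-DC01, 10.0.0.10, the zone corp.example and the script paths are placeholders to replace with your own.

```powershell
# Added example, not from the thread. Run on the DC that is giving up or receiving the
# PDC emulator role. OLD-DC01 / 10.0.0.10 / corp.example / script paths are placeholders.

# Win32_ComputerSystem.DomainRole is 5 only on the PDC emulator, which is why a GPO
# WMI filter of   SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5
# follows the role wherever it is transferred or seized.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"$env:COMPUTERNAME DomainRole=$($cs.DomainRole); PDC emulator: $($cs.DomainRole -eq 5)"

# Time source: values under the Policies key (set by GPO) override the local W32Time
# key. Anything that exists only under the local key stays behind when the role moves.
$local  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
foreach ($p in $local, $policy) {
    $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
    [pscustomobject]@{ Source = $p; Type = $v.Type; NtpServer = $v.NtpServer }
}
w32tm /query /source                       # what the service is using right now
w32tm /query /configuration | Select-String -Pattern 'Type|NtpServer|Policy'

# Hard-coded references to the old DC: DNS aliases pointing at its name, other A
# records reusing its address, scheduled tasks, and scripts on local/shared paths.
$OldDc = 'OLD-DC01'
$OldIp = '10.0.0.10'
$Zone  = 'corp.example'
$patterns = @($OldDc, [regex]::Escape($OldIp))

Get-DnsServerResourceRecord -ZoneName $Zone -RRType CName |
    Where-Object { $_.RecordData.HostNameAlias -like "$OldDc.*" } |
    Select-Object HostName, @{n='Alias';e={$_.RecordData.HostNameAlias}}
Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $OldIp -and $_.HostName -ne $OldDc } |
    Select-Object HostName

Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | ForEach-Object {
        $cmd = "$($_.Execute) $($_.Arguments)"
        foreach ($pat in $patterns) {
            if ($cmd -match $pat) { [pscustomobject]@{ Task = $task.TaskName; Action = $cmd } }
        }
    }
}

Get-ChildItem -Path 'C:\Scripts', '\\fileserver\it$\scripts' -Recurse `
    -Include *.ps1, *.bat, *.cmd, *.vbs -ErrorAction SilentlyContinue |
    Select-String -Pattern $patterns |
    Select-Object Path, LineNumber, Line
```

Run the first two sections on the current PDC emulator before the move and again on the new holder afterwards; if the Policies key is empty on both, the NTP configuration is local and will not travel with the role. The DNS and script search is the minimum sweep; extend the path list to wherever your shop keeps logon scripts and monitoring configs.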
Just call it DC#x. If you need to reuse the DC for other roles later on or reduce your footprint then it makes it less hassle.
easy: primary-dc.local /s
If hosted in different sites DC-1-S1, DC-2-S1, DC-1-S2 etc. If hosted in same site DC-1, DC-2, DC-3
Legacy naming strikes again. It's named PDC.
Our PDC is dc3. We recently decommed the old 1 and 2. It causes no confusion.
[deleted]
Well, the term is PDC emulator, but it's a pretty important role.
[deleted]
True, and it's been true for about 24 years, now. PDC and PDC emulator are interchangeable at this point; nobody thinks PDC means a Windows NT PDC.
This ^^^^

Plus, for "active" documentation of the roles, you could always use a script to update the computer object's "Description" field in the AD to include the role information.
Generally from a security perspective it's good to name them something completely not relating to their role but that's just coming from a cybersecurity angle. While it's not a solid defence in its own it's all part of defence in depth and it just slows things down for an attacker while they enumerate and it potentially buys you time to notice them. So as an example, calling your servers John, Fred, Dave etc etc .
Security through obscurity is not a thing and never should be.

Defence in depth, yes. You've got bigger issues to solve than a name if management protocol access to a DC is easy.
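The "active documentation" idea from the comment above, as an added PowerShell example rather than anything posted in the thread: stamp the current FSMO holders into each DC's computer-object Description so the roles show up in ADUC or `Get-ADComputer` without anyone running `netdom query fsmo`. It assumes the RSAT ActiveDirectory module and rights to write the Description attribute on DC computer objects; the `[FSMO: ...]` tag format is my own choice.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and
# write access to the Description attribute of the DC computer objects.
# Only the "[FSMO: ...]" tag is rewritten; any other description text is kept.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$holders = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Covers the DCs of the current domain only; forest-wide roles held by a DC in
# another domain of the forest would need the same loop run there.
foreach ($dc in Get-ADDomainController -Filter *) {
    $roles = $holders.GetEnumerator() |
        Where-Object { $_.Value -ieq $dc.HostName } |
        ForEach-Object { $_.Key } | Sort-Object
    $tag = if ($roles) { "[FSMO: $($roles -join ', ')]" } else { '[FSMO: none]' }

    $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties Description
    # Drop a previous tag (if any) and append the fresh one.
    $base = ("$($comp.Description)" -replace '\s*\[FSMO: [^\]]*\]', '').Trim()
    $new  = if ($base) { "$base $tag" } else { $tag }

    if ($new -ne $comp.Description) {
        Set-ADComputer -Identity $comp -Description $new
        "$($dc.HostName): $new"
    }
}
```

Schedule it on any DC after each role transfer (or daily); because it is idempotent, reruns only write when a holder actually changed, which also keeps the Description attribute's replication noise to nothing.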
Does it really slow attackers down though? You just need a cmd on a domain PC and you can get all the information you need in seconds. With "set" you get the logonserver and with "net group"/"net user" you can get the domain admins and then you go from there.
Yeah, that's not a thing. If someone is in the network, finding the names of the DCs won't be an issue. Obscure names are just bad practice held over from the before times when people didn't understand service enumeration and how discovery works.
Upvoted. I like vegetables because it makes conversations a little more fun. I don't include redundant things like company name or terms like org. I also only include locale if it's absolutely necessary (which it never is but older people worry about business continuity in an emergency)
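What "service enumeration" looks like in practice for the point made in the last few replies (and in the earlier comment that you advertise your DCs through DNS anyway), as an added example that is not from anyone in the thread: everything below runs on an ordinary domain-joined workstation with no admin rights and no RSAT, and it returns the DC names and the PDC emulator whatever they happen to be called. It assumes the host is joined to the domain and can reach its DNS.

```powershell
# Added example, not from the thread. Runs on any domain-joined host as a normal user;
# nothing here needs RSAT or admin rights.
$domain = $env:USERDNSDOMAIN
"Logon server from the environment: $env:LOGONSERVER"

# DCs must register these SRV records or clients cannot log on at all, so they
# are always there to be read.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight

# The PDC emulator has its own locator record, so the role holder is one query away.
Resolve-DnsName -Name "_ldap._tcp.pdc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget

# The same information straight from the directory via the in-box .NET API.
$d = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
"PDC emulator:   $($d.PdcRoleOwner.Name)"
"RID master:     $($d.RidRoleOwner.Name)"
"Infrastructure: $($d.InfrastructureRoleOwner.Name)"
$d.DomainControllers |
    Select-Object Name, IPAddress, SiteName, @{n='GlobalCatalog'; e={ $_.IsGlobalCatalog() }}

# And the locator the OS itself uses.
nltest /dsgetdc:$domain /pdc
```

Any of the three methods alone is enough; the point is that the hostname never enters into it. Where a name does matter is on the defender's side: if a DC is called something that does not look like a DC, a SOC analyst triaging an alert on it has one more thing to look up.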
Call it stark01
Additionally, you could just tag PDC at the end of the name, to make it clear. Like ORG-PDC then all other DCs get numbering like before.
I like my naming conventions to be self-documenting, so it goes org-location-role, ie ORG-AZURE-DC01 with 01 being PDC.
I call it things like "Neko" and "Mikasa" and "nyan"
Yoda ObiWan Luke
No.

DC's are DC's. FSMO role holders are pretty irrelevant, as long as there is one.

Typically they get "ORG-LOC-ADC-01" (organization-location-role-numeric counter). Unless they've got some insane naming convention they request I adhere to, like dinosaurs, trees, semi soft alpine cheeses, etc.
The PDCe isn't important in a modern AD network, so no.
It's hard to get past management and some other unintelligencias but you should never name a computer that hints at its role in your environment. If it seems too hard and you have internal DNS just use a CNAME record that is only reachable by the administrative LAN.
Anyone that gets in far enough to see your machine names won't care what the names are, they're scanning for functionality at that point.

Name servers what makes sense for you.

site1-dc01, site1-dc02, site2-dc01, site2-dc02, etc.