Child Domain, Domain Root, and DNS Name Space

I currently have a domain abc.com.  This domain is also the root forest.  I need to add a second domain. I assume the DNS namespace will be the same regardless if I choose "new domain in existing forest" or "new domain tree root instead of new child domain"?  Either way will the new namespace be xyz.abc.com?  Furthermore is there any reason to choose one over the other?  Currently both domain and forest are operating on 2008 functional level.
damien1234 Asked:

willettmeister Commented:
Unless you have reasons for not doing so, you should add the new domain as a child domain in this scenario.  It logically makes the most sense and will provide for the most straightforward troubleshooting in the future, especially for those that are not intimately familiar with the domain setup.

0
Americom Commented:
The DNS namespace does not have to be the same; it really depends on how you add the domain to the existing forest. If you add a child domain to the existing forest's root domain such as abc.com, then your child domain would be xyz.abc.com. When adding another tree to an existing forest, it can be a totally different name. Here's a link showing the different models: http://technet.microsoft.com/en-us/library/dd441359(office.13).aspx

The real question is why you need to add another domain and for what reason. So, whether you should have a child domain or a separate tree really depends on the company requirements as well as how your IT is going to manage the resources between domains or forests. In general, you don't need another domain. The more domains you have, the more complicated your DNS and AD structure, and the more administrative overhead it will add. So, the best way is to identify whether an additional domain is required or not.
0
damien1234 Author Commented:
I'm not sure if I have any reasons to do it one way or the other since the major difference seems to be the namespace... which will be the same either way.  Basically we have a new semi-business partner and we need to deploy resources for this joint venture.  Both of us need full control over the AD structure in order to create/change group policy, create OUs, delegate AD control, and manage server resources.  BUT the new domain isn't really trusted even though it needs to be under our forest umbrella.... Sooo it has its own subnet firewalled from the main network, only the AD controller will be able to talk to the main network, and the new "partners" will not be allowed direct access to that server.. instead the MMC Active Directory management icons will be installed on some other server...

That's the plan anyway.
0
Americom Commented:
Sounded like you already have two domains in totally separate forests with totally different domain names and not trusted. But you both need to manage the AD, if I heard you correctly. You can open the firewall and let IT admins manage both domains as long as the trust is created between the two existing domains.
Maybe do this for now and decide what to do later when you find out more on what the company goal is and how IT roles will play in these two domains, and later create a new domain, then migrate the two existing domains to a single domain structure. I'm just assuming based on how I interpreted your environment, as I'm still a bit unclear on what exactly you have and what you need to accomplish....
0
damien1234 Author Commented:
Currently there is only one domain/forest - abc.com.  The new domain does not exist yet.  IT personnel in the root domain will need to manage BOTH the root domain and the brand new child domain.  However the business partners will only manage the new child domain.  Long term I don't know where this will lead but I don't want a new separate forest.  This would greatly complicate security issues if I ever started to tap into the resources of the root domain, like Exchange for example.  So basically I can do whatever I want since the new domain doesn't even exist, I have a clean slate.  The goal of course is to make the right decisions now to maximize security and flexibility in the future.

I haven't had the time yet to read your link thoroughly but from what I've read so far I can have a new child domain with a completely different namespace like "xyz.local" but still be in my existing forest abc.com.  This might be ideal but I really need to finish reading.
0
Americom Commented:
In your scenario, creating a child domain would make the most sense, exactly for the reason that you want the IT personnel to manage both domains but only allow the business partners to manage the child domain.
Also, having the child domain live within the root name space is appropriate and will give you the most flexibility in the future. Just to clarify, in your case, if you have abc.com and you add a child domain, it means you will have xyz.abc.com and not xyz.local. You get xyz.local only when you add a completely separate forest root domain separate from your existing domain or when you add a separate domain tree to your existing forest root domain. This latter scenario would complicate your design and make it tougher to manage both domains, and a lot of extra administrative tasks will be created. The only reason I can think of that you may need this is if your business partner wants to have a completely separate name space and wants to have complete control of the new domain, not wanting your IT personnel to receive default admin permissions in terms of the default trust from the parent-to-child relationship etc. But if your IT personnel are going to have complete administration of both domains, then I don't see why you would want to create a completely separate domain or domain tree unless there is a legal issue with the domain name...
0
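The naming rule discussed in the answers above (a child domain is one new label under an existing parent, a tree root is any name that is not contiguous with an existing domain) can be checked before promotion. This is an added example, not part of the original thread; the function name `Get-NewDomainPlacement` is hypothetical, the sample names are constructed, and the returned property names are chosen to match the `-DomainType`, `-NewDomainName` and `-ParentDomainName` parameters of `Install-ADDSDomain` (ADDSDeployment module, assumed Windows Server 2012 or later on the new domain controller).

```powershell
# Added example: decide how a proposed DNS name fits into an existing forest.
function Get-NewDomainPlacement {
    param(
        [Parameter(Mandatory)][string[]]$ForestDomains,   # existing domains, forest root first
        [Parameter(Mandatory)][string]$NewDomainFqdn      # proposed DNS name of the new domain
    )
    $new      = $NewDomainFqdn.Trim('.').ToLowerInvariant()
    $existing = @($ForestDomains | ForEach-Object { $_.Trim('.').ToLowerInvariant() })
    if ($existing -contains $new) { throw "Domain '$new' already exists in the forest." }

    # Split off the leftmost label; what remains is the only possible direct parent.
    $label, $parent = $new -split '\.', 2
    if ($parent -and ($existing -contains $parent)) {
        return [pscustomobject]@{
            DomainType       = 'ChildDomain'
            NewDomainName    = $label      # single label for a child domain
            ParentDomainName = $parent
            ResultingDnsName = $new
        }
    }

    # Contiguous with an existing domain but with a gap in between: a child
    # install needs the immediate parent to exist first. The leading dot keeps
    # 'notabc.com' from being mistaken for something under 'abc.com'.
    $ancestor = $existing |
        Where-Object { $new.EndsWith(".$_", [StringComparison]::Ordinal) } |
        Select-Object -First 1
    if ($ancestor) { throw "'$new' sits under '$ancestor' but '$parent' does not exist yet." }

    # Not contiguous with anything in the forest: a new tree in the same forest.
    return [pscustomobject]@{
        DomainType       = 'TreeDomain'
        NewDomainName    = $new            # full DNS name for a tree root
        ParentDomainName = $existing[0]    # forest root domain
        ResultingDnsName = $new
    }
}

# Constructed sample input: the single-domain forest from the question.
$forest = @('abc.com')
'xyz.abc.com', 'xyz.local', 'notabc.com' | ForEach-Object {
    Get-NewDomainPlacement -ForestDomains $forest -NewDomainFqdn $_
} | Format-Table -AutoSize
```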
damien1234 Author Commented:
Done.  A child domain it is.  I have no compelling reason for a new tree whether legal or use of namespace.  The added complexity of a new tree also helps make that option a lesser choice.  Simpler is better.  Thank you.
0