Solved

Child Domain, Domain Root, and DNS Name Space

Posted on 2009-07-08
Last Modified: 2012-05-07
I currently have a domain abc.com.  This domain is also the root forest.  I need to add a second domain. I assume the DNS namespace will be the same regardless if I choose "new domain in existing forest" or "new domain tree root instead of new child domain"?  Either way will the new namespace be xyz.abc.com?  Furthermore is there any reason to choose one over the other?  Currently both domain and forest are operating on 2008 functional level.
Question by:damien1234
 
LVL 11

Assisted Solution

by:willettmeister
willettmeister earned 100 total points
ID: 24804900
Unless you have reasons for not doing so, you should add the new domain as a child domain in this scenario.  It logically makes the most sense and will provide for the most straightforward troubleshooting in the future, especially for those that are not intimately familiar with the domain setup.

0
 
LVL 18

Expert Comment

by:Americom
ID: 24805150
The DNS namespace does not have to be the same; it really depends on how you add the domain to the existing forest. If you add a child domain to the existing forest's root domain such as abc.com, then your child domain would be xyz.abc.com. When adding another tree to an existing forest, it can be a totally different name. Here's a link showing the different models: http://technet.microsoft.com/en-us/library/dd441359(office.13).aspx

The real question is why you need to add another domain, and for what reason, etc. So, whether you should have a child domain or a separate tree, etc., really depends on the company requirements as well as how your IT is going to manage the resources between domains or forests. In general, you don't need another domain. The more domains you have, the more complicated your DNS and AD structure, and the more administrative overhead it will add. So, the best way is to identify whether an additional domain is required or not.
0
 
LVL 1

Author Comment

by:damien1234
ID: 24805226
I'm not sure if I have any reasons to do it one way or the other since the major difference seems to be the namespace... which will be the same either way.  Basically we have a new semi-business partner and we need to deploy resources for this joint venture.  Both of us need full control over the AD structure in order to create/change group policy, create OUs, delegate AD control, and manage server resources.  BUT the new domain isn't really trusted even though it needs to be under our forest umbrella.... Sooo it has its own subnet firewalled from the main network, only the AD controller will be able to talk to the main network, and the new "partners" will not be allowed direct access to that server.. instead the MMC Active Directory management icons will be installed on some other server...

That's the plan anyway.
0

 
LVL 18

Expert Comment

by:Americom
ID: 24806547
Sounded like you already have two domains in totally separate forests with totally different domain names and not trusted. But you both need to manage the AD, if I heard you correctly. You can open the firewall and let IT admins manage both domains as long as the trust is created between the two existing domains.
Maybe do this for now and decide what to do later when you find out more on what the company goal is and how IT roles will play in these two domains, and later create a new domain, then migrate the two existing domains to a single domain structure. I'm just assuming based on how I interpreted your environment, as I'm still a bit unclear about what exactly you have and what you need to accomplish....
0
 
LVL 1

Author Comment

by:damien1234
ID: 24807627
Currently there is only one domain/forest - abc.com.  The new domain does not exist yet.  IT personnel in the root domain will need to manage BOTH the root domain and the brand new child domain.  However the business partners will only manage the new child domain.  Long term I don't know where this will lead but I don't want a new separate forest.  This would greatly complicate security issues if I ever started to tap into the resources of the root domain, like Exchange for example.  So basically I can do whatever I want since the new domain doesn't even exist, I have a clean slate.  The goal of course is to make the right decisions now to maximize security and flexibility in the future.  

I haven't had the time yet to read your link thoroughly but from what I've read so far I can have a new child domain with a completely different namespace like "xyz.local" but still be in my existing forest abc.com.  This might be ideal but I really need to finish reading.
0
 
LVL 18

Accepted Solution

by:
Americom earned 400 total points
ID: 24808038
In your scenario, creating a child domain would make the most sense. That is exactly the reason: you want the IT personnel to manage both domains but only allow the business partners to manage the child domain.
Also, having the child domain live within the root name space is appropriate and will give you the most flexibility in the future. Just to clarify, in your case, if you have abc.com and you add a child domain, it means you will have xyz.abc.com and not xyz.local. You get xyz.local only when you add a completely separate forest root domain separate from your existing domain, or when you add a separate domain tree to your existing forest root domain. This latter scenario would complicate your design and make it tougher to manage both domains, and a lot of extra administrative tasks will be created. The only reason I can think of that you may need this is if your business partner wants to have a completely separate name space and wants to have complete control of the new domain, not wanting your IT personnel to receive default admin permissions in terms of the default trust from the parent-to-child relationship, etc. But if your IT personnel are going to have complete administration of both domains, then I don't see why you would want to create a completely separate domain or domain tree unless there is a legal issue with the domain name...
0
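
The naming rule from the accepted answer, as an added example that is not part of the original thread and is not Microsoft tooling: a name that is one label prepended to an existing domain is a child domain, and a name outside every existing namespace starts a new tree. The function names `placement` and `forest_trees` are hypothetical, and the domain names are the thread's own placeholders.

```python
# Added example: how a proposed domain name fits into an existing AD forest.
# Domain names are the placeholder values used in the thread.

def _norm(name):
    """Lower-case a DNS name and drop any trailing dot."""
    return name.lower().rstrip(".")

def placement(existing_domains, proposed):
    """Return (kind, parent) for a proposed domain DNS name.

    'child'          - one label prepended to an existing domain
    'missing-parent' - inside an existing namespace, but the immediate
                       parent domain does not exist
    'tree-root'      - outside every existing namespace (new domain tree)
    'duplicate'      - the name is already a domain in the forest
    """
    existing = {_norm(d) for d in existing_domains}
    name = _norm(proposed)
    if name in existing:
        return ("duplicate", None)
    parent = name.partition(".")[2]          # everything after the first label
    if parent in existing:
        return ("child", parent)
    # Compare on a label boundary so "notabc.com" is not taken as under "abc.com".
    if any(name.endswith("." + d) for d in existing):
        return ("missing-parent", parent)
    return ("tree-root", None)

def forest_trees(domains):
    """Group a forest's domains into trees keyed by each tree's root domain."""
    names = {_norm(d) for d in domains}
    trees = {}
    for n in sorted(names):
        top = n
        # Walk up through parents that are themselves domains in the forest.
        while top.partition(".")[2] in names:
            top = top.partition(".")[2]
        trees.setdefault(top, []).append(n)
    return trees

if __name__ == "__main__":
    forest = ["abc.com"]
    for candidate in ("xyz.abc.com", "xyz.local"):
        print(candidate, placement(forest, candidate))
    print(forest_trees(["abc.com", "xyz.abc.com", "xyz.local"]))
```
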
 
LVL 1

Author Closing Comment

by:damien1234
ID: 31601170
Done.  A child domain it is.  I have no compelling reason for a new tree whether legal or use of namespace.  The added complexity of a new tree also helps make that option a lesser choice.  Simpler is better.  Thank you.
0
