Child Domain, Domain Root, and DNS Name Space

damien1234 asked
Last Modified: 2012-05-07
I currently have a domain abc.com.  This domain is also the root forest.  I need to add a second domain. I assume the DNS namespace will be the same regardless if I choose "new domain in existing forest" or "new domain tree root instead of new child domain"?  Either way will the new namespace be xyz.abc.com?  Furthermore is there any reason to choose one over the other?  Currently both domain and forest are operating on 2008 functional level.
Commented:
The DNS namespace does not have to be the same, and it really depends on how you add the domain to the existing forest. If you add a child domain to the existing forest's root domain such as abc.com, then your child domain would be xyz.abc.com. When adding another tree to an existing forest, it can be a totally different name. Here's a link showing the different models: http://technet.microsoft.com/en-us/library/dd441359(office.13).aspx

The real question is why do you need to add another domain and for what reason etc. So, whether you should have a child domain, or separate tree etc., it really depends on the company requirements as well as how your IT is going to manage the resources between domains or forests. In general, you don't need another domain. The more domains you have, the more complicated your DNS and AD structure, and they will add more administrative overhead. So, the best way is to identify if an additional domain is required or not.

Author

Commented:
I'm not sure if I have any reasons to do it one way or the other since the major difference seems to be the namespace... which will be the same either way.  Basically we have a new semi-business partner and we need to deploy resources for this joint venture.  Both of us need full control over the AD structure in order to create/change group policy, create OUs, delegate AD control, and manage server resources.  BUT the new domain isn't really trusted even though it needs to be under our forest umbrella.... Sooo it has its own subnet firewalled from the main network, only the AD controller will be able to talk to the main network, and the new "partners" will not be allowed direct access to that server.. instead the MMC Active Directory management icons will be installed on some other server...

That's the plan anyway.

Commented:
Sounded like you already have two domains in totally separate forests with totally different domain names and not trusted. But you both need to manage the AD if I heard you correctly. You can open the firewall and let IT admins manage both domains as long as the trust is created between the two existing domains.
Maybe do this for now and decide what to do later when you find out more on what the company goal is and how IT roles will play in these two domains, and later create a new domain, then migrate the two existing domains to a single domain structure. I'm just assuming based on how I interpreted your environment as I'm still a bit unclear of what exactly you have and what you need to accomplish....

Author

Commented:
Currently there is only one domain/forest - abc.com.  The new domain does not exist yet.  IT personnel in the root domain will need to manage BOTH the root domain and the brand new child domain.  However the business partners will only manage the new child domain.  Long term I don't know where this will lead but I don't want a new separate forest.  This would greatly complicate security issues if I ever started to tap into the resources of the root domain, like Exchange for example.  So basically I can do whatever I want since the new domain doesn't even exist, I have a clean slate.  The goal of course is to make the right decisions now to maximize security and flexibility in the future.

I haven't had the time yet to read your link thoroughly but from what I've read so far I can have a new child domain with a completely different namespace like "xyz.local" but still be in my existing forest abc.com.  This might be ideal but I really need to finish reading.

Author

Commented:
Done.  A child domain it is.  I have no compelling reason for a new tree whether legal or use of namespace.  The added complexity of a new tree also helps make that option a lesser choice.  Simpler is better.  Thank you.