Solved

Child Domain, Domain Root, and DNS Name Space

Posted on 2009-07-08
Last Modified: 2012-05-07
I currently have a domain abc.com. This domain is also the forest root. I need to add a second domain. I assume the DNS namespace will be the same regardless of whether I choose "new domain in existing forest" or "new domain tree root instead of new child domain"? Either way, will the new namespace be xyz.abc.com? Furthermore, is there any reason to choose one over the other? Currently both domain and forest are operating at the 2008 functional level.
Question by: damien1234
Assisted Solution by: willettmeister (ID: 24804900, earned 100 total points)
Unless you have reasons for not doing so, you should add the new domain as a child domain in this scenario. It logically makes the most sense and will provide for the most straightforward troubleshooting in the future, especially for those that are not intimately familiar with the domain setup.

Expert Comment by: Americom (ID: 24805150)
The DNS namespace does not have to be the same; it really depends on how you add the domain to the existing forest. If you add a child domain to the existing forest's root domain such as abc.com, then your child domain would be xyz.abc.com. When adding another tree to an existing forest, it can be a totally different name. Here's a link showing the different models: http://technet.microsoft.com/en-us/library/dd441359(office.13).aspx

The real question is why do you need to add another domain and for what reason etc. So, whether you should have a child domain, or separate tree etc., it really depends on the company requirements as well as how your IT is going to manage the resources between domains or forests. In general, you don't need another domain. The more domains you have, the more complicated your DNS and AD structure will be, and it will add more administrative overhead. So, the best way is to identify if an additional domain is required or not.
Author Comment by: damien1234 (ID: 24805226)
I'm not sure if I have any reasons to do it one way or the other, since the major difference seems to be the namespace... which will be the same either way. Basically we have a new semi-business partner and we need to deploy resources for this joint venture. Both of us need full control over the AD structure in order to create/change group policy, create OUs, delegate AD control, and manage server resources. BUT the new domain isn't really trusted even though it needs to be under our forest umbrella.... Sooo it has its own subnet firewalled from the main network, only the AD controller will be able to talk to the main network, and the new "partners" will not be allowed direct access to that server.. instead the MMC Active Directory management icons will be installed on some other server...

That's the plan anyway.
Expert Comment by: Americom (ID: 24806547)
It sounded like you already have two domains in totally separate forests with totally different domain names and not trusted. But you both need to manage the AD, if I heard you correctly. You can open the firewall and let IT admins manage both domains as long as the trust is created between the two existing domains.
Maybe do this for now and decide what to do later when you find out more on what the company goal is and how IT roles will play in these two domains, and later create a new domain then migrate the two existing domains to a single domain structure. I'm just assuming based on how I interpreted your environment, as I'm still a bit unclear of what exactly you have and what you need to accomplish....
Author Comment by: damien1234 (ID: 24807627)
Currently there is only one domain/forest - abc.com. The new domain does not exist yet. IT personnel in the root domain will need to manage BOTH the root domain and the brand new child domain. However, the business partners will only manage the new child domain. Long term I don't know where this will lead, but I don't want a new separate forest. This would greatly complicate security issues if I ever started to tap into the resources of the root domain, like Exchange for example. So basically I can do whatever I want since the new domain doesn't even exist; I have a clean slate. The goal of course is to make the right decisions now to maximize security and flexibility in the future.

I haven't had the time yet to read your link thoroughly, but from what I've read so far I can have a new child domain with a completely different namespace like "xyz.local" but still be in my existing forest abc.com. This might be ideal, but I really need to finish reading.
Accepted Solution by: Americom (ID: 24808038, earned 400 total points)
In your scenario, creating a child domain would make the most sense. Just exactly the reason you want the IT personnel to manage both domains but only allow the business partners to manage the child domain.
Also, having the child domain is appropriate to live with the root namespace and will give you the most flexibility in the future. Just to clarify, in your case, if you have abc.com and you add a child domain, it means you will have xyz.abc.com and not xyz.local. You get xyz.local only when you add a completely separate forest root domain separate from your existing domain, or when you add a separate domain tree to your existing forest root domain. This latter scenario would complicate your design and make it tougher to manage both domains, and a lot of extra administrative tasks will be created. The only reason I can think of that you may need this is if your business partner wants to have a completely separate namespace and wants to have complete control of the new domain and does not want your IT personnel to receive default admin permissions in terms of the default trust from parent to child relationship etc. But if your IT personnel are going to have complete administration on both domains, then I don't see why you would want to create a completely separate domain or domain tree unless there is a legal issue with the domain name...
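The two placements Americom contrasts above, as an added example that is not part of this thread: the ADDSDeployment cmdlets (Windows Server 2012 and later, rather than the dcpromo answer file of the Server 2008 era the question describes) that would create each option, followed by a check that the new domain landed where intended. The credential and DNS names, and the assumption that a tree domain is given the forest root as its -ParentDomainName, are mine.

```powershell
# Added example, not from the thread. Run on the member server that will become
# the first DC of the new domain. Domain names (abc.com, xyz, xyz.local) are the
# constructed names used in the discussion.
Import-Module ADDSDeployment

$cred = Get-Credential "ABC\EnterpriseAdmin"          # must be Enterprise Admins in the forest root
$dsrm = Read-Host -AsSecureString "DSRM password for the new DC"

# Option A: child domain. Namespace stays contiguous with the root (xyz.abc.com)
# and abc.com gets a DNS delegation for the child zone. -WhatIf only validates
# prerequisites and prints the plan; remove it to actually promote.
Install-ADDSDomain -DomainType ChildDomain `
    -NewDomainName "xyz" -ParentDomainName "abc.com" `
    -NewDomainNetbiosName "XYZ" `
    -InstallDns -CreateDnsDelegation `
    -Credential $cred -SafeModeAdministratorPassword $dsrm `
    -WhatIf

# Option B: new domain tree in the same forest. Disjoint namespace (xyz.local),
# still one forest with an automatic two-way transitive trust to abc.com, but
# no delegation from abc.com: xyz.local needs its own zone and forwarders.
# Assumption: the forest root is passed as the parent name for a tree domain.
Install-ADDSDomain -DomainType TreeDomain `
    -NewDomainName "xyz.local" -ParentDomainName "abc.com" `
    -NewDomainNetbiosName "XYZ" `
    -InstallDns `
    -Credential $cred -SafeModeAdministratorPassword $dsrm `
    -WhatIf

# After a real promotion: confirm the forest lists the new domain and, for a
# child domain, that the root DNS server answers the NS delegation for it.
function Test-NewDomainPlacement {
    param([string]$ForestRoot = "abc.com", [string]$NewDomain = "xyz.abc.com")
    $forest    = Get-ADForest -Identity $ForestRoot
    $inForest  = $forest.Domains -contains $NewDomain
    $delegated = $false
    if ($NewDomain.EndsWith(".$ForestRoot")) {
        $ns = Resolve-DnsName -Name $NewDomain -Type NS -Server $ForestRoot -ErrorAction SilentlyContinue
        $delegated = [bool]($ns | Where-Object Type -eq "NS")
    }
    [pscustomobject]@{ Domain = $NewDomain; InForest = $inForest; DnsDelegated = $delegated }
}
Test-NewDomainPlacement
```

A tree domain reports InForest but never DnsDelegated, which is exactly the difference the accepted answer describes: same forest and trust, separate DNS namespace to operate.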
Author Closing Comment by: damien1234 (ID: 31601170)
Done.  A child domain it is.  I have no compelling reason for a new tree whether legal or use of namespace.  The added complexity of a new tree also helps make that option a lesser choice.  Simpler is better.  Thank you.