Solved

Child Domain, Domain Root, and DNS Name Space

Posted on 2009-07-08
675 Views
Last Modified: 2012-05-07
I currently have a domain abc.com.  This domain is also the forest root.  I need to add a second domain. I assume the DNS namespace will be the same regardless of whether I choose "new domain in existing forest" or "new domain tree root instead of new child domain"?  Either way, will the new namespace be xyz.abc.com?  Furthermore, is there any reason to choose one over the other?  Currently both domain and forest are operating at the 2008 functional level.
0
Comment
Question by:damien1234
7 Comments
 
LVL 11

Assisted Solution

by:willettmeister
willettmeister earned 100 total points
ID: 24804900
Unless you have reasons for not doing so, you should add the new domain as a child domain in this scenario.  It logically makes the most sense and will provide for the most straightforward troubleshooting in the future, especially for those who are not intimately familiar with the domain setup.

0
 
LVL 18

Expert Comment

by:Americom
ID: 24805150
The DNS namespace does not have to be the same; it really depends on how you add the domain to the existing forest. If you add a child domain to the existing forest's root domain, such as abc.com, then your child domain would be xyz.abc.com. When adding another tree to an existing forest, it can be a totally different name. Here's a link showing the different models: http://technet.microsoft.com/en-us/library/dd441359(office.13).aspx

The real question is why you need to add another domain and for what reason, etc. So, whether you should have a child domain or a separate tree, etc., really depends on the company requirements as well as how your IT is going to manage the resources between domains or forests. In general, you don't need another domain. The more domains you have, the more complicated your DNS and AD structure, and it will add more administrative overhead. So, the best way is to identify whether an additional domain is required or not.
0
 
LVL 1

Author Comment

by:damien1234
ID: 24805226
I'm not sure if I have any reasons to do it one way or the other, since the major difference seems to be the namespace... which will be the same either way.  Basically we have a new semi-business partner and we need to deploy resources for this joint venture.  Both of us need full control over the AD structure in order to create/change group policy, create OUs, delegate AD control, and manage server resources.  BUT the new domain isn't really trusted even though it needs to be under our forest umbrella.... Sooo it has its own subnet firewalled from the main network, only the AD controller will be able to talk to the main network, and the new "partners" will not be allowed direct access to that server.. instead the MMC Active Directory management icons will be installed on some other server...

That's the plan anyway.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24806547
It sounded like you already have two domains in totally separate forests with totally different domain names and no trust. But you both need to manage the AD, if I heard you correctly. You can open the firewall and let IT admins manage both domains as long as the trust is created between the two existing domains.
Maybe do this for now and decide what to do later when you find out more on what the company goal is and how IT roles will play in these two domains, and later create a new domain and then migrate the two existing domains to a single domain structure. I'm just assuming based on how I interpreted your environment, as I'm still a bit unclear on what exactly you have and what you need to accomplish....
0
 
LVL 1

Author Comment

by:damien1234
ID: 24807627
Currently there is only one domain/forest - abc.com.  The new domain does not exist yet.  IT personnel in the root domain will need to manage BOTH the root domain and the brand new child domain.  However, the business partners will only manage the new child domain.  Long term I don't know where this will lead, but I don't want a new separate forest.  This would greatly complicate security issues if I ever started to tap into the resources of the root domain, like Exchange for example.  So basically I can do whatever I want since the new domain doesn't even exist; I have a clean slate.  The goal of course is to make the right decisions now to maximize security and flexibility in the future.

I haven't had the time yet to read your link thoroughly, but from what I've read so far I can have a new child domain with a completely different namespace like "xyz.local" but still be in my existing forest abc.com.  This might be ideal but I really need to finish reading.
0
 
LVL 18

Accepted Solution

by:Americom
Americom earned 400 total points
ID: 24808038
In your scenario, creating a child domain would make the most sense, for exactly the reason that you want the IT personnel to manage both domains but only allow the business partners to manage the child domain.
Also, having the child domain live within the root name space is appropriate and will give you the most flexibility in the future. Just to clarify, in your case, if you have abc.com and you add a child domain, it means you will have xyz.abc.com and not xyz.local. You get xyz.local only when you add a completely separate forest root domain, separate from your existing domain, or when you add a separate domain tree to your existing forest root domain. This latter scenario would complicate your design and make it tougher to manage both domains, and a lot of extra administrative tasks will be created. The only reason I can think of that you may need this is if your business partner wants to have a completely separate name space and wants to have complete control of the new domain, not wanting your IT personnel to receive default admin permissions in terms of the default trust from the parent-to-child relationship, etc. But if your IT personnel are going to have complete administration over both domains, then I don't see why you would want to create a completely separate domain or domain tree unless there is a legal issue with the domain name...
0
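As an added illustration of the two choices the accepted answer contrasts (not code from the thread or from any of its posters), the following PowerShell shows how a child domain and a new domain tree are created from the same forest root and how to confirm afterwards which name space and which default administrative rights resulted. It uses the ADDSDeployment and ActiveDirectory modules from Windows Server 2012 and later, which replaced the dcpromo wizard in use when the thread was written; the domain names abc.com, xyz and xyz.local come from the thread, while the credential prompts, NetBIOS name and the use of -WhatIf to preview rather than run the promotion are assumptions made for this example.

```powershell
# Added example, not part of the original thread. Assumes a member server that will
# become the first DC of the new domain, and an Enterprise Admins account in abc.com.
Import-Module ADDSDeployment

$forestRoot = 'abc.com'                                   # existing forest root from the thread
$ea   = Get-Credential -Message "Enterprise Admins account in $forestRoot"
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'

# Option 1 - child domain. NewDomainName is a single label that is appended to the
# parent, so the new domain becomes xyz.abc.com and stays inside the root name space.
$childDomain = @{
    DomainType                    = 'ChildDomain'
    ParentDomainName              = $forestRoot
    NewDomainName                 = 'xyz'                 # single label for a child domain
    NewDomainNetbiosName          = 'XYZ'                 # assumed NetBIOS name
    InstallDns                    = $true
    CreateDnsDelegation           = $true                 # delegate xyz.abc.com from the parent zone
    Credential                    = $ea
    SafeModeAdministratorPassword = $dsrm
}

# Option 2 - new domain tree in the same forest. NewDomainName is a full FQDN that is
# not under abc.com (the "xyz.local" case from the thread): same forest and same
# Enterprise Admins, but a separate DNS zone to host and maintain.
$treeDomain = @{
    DomainType                    = 'TreeDomain'
    ParentDomainName              = $forestRoot           # forest root domain for a tree
    NewDomainName                 = 'xyz.local'           # full FQDN for a tree domain
    NewDomainNetbiosName          = 'XYZ'
    InstallDns                    = $true
    Credential                    = $ea
    SafeModeAdministratorPassword = $dsrm
}

# Preview both without changing anything; drop -WhatIf on the one you actually choose.
Install-ADDSDomain @childDomain -WhatIf
Install-ADDSDomain @treeDomain  -WhatIf

# ---- Run after the promotion has completed and the server has rebooted ----
Import-Module ActiveDirectory
$newDomainDns = 'xyz.abc.com'                             # or 'xyz.local' if the tree option was used

# Confirm the name space that was actually created and which forest it belongs to.
Get-ADDomain -Identity $newDomainDns |
    Select-Object DNSRoot, ParentDomain, Forest, DomainMode

# The trust to the parent (or forest root) is created automatically as a two-way,
# transitive, intra-forest trust; this is what lets root-domain IT reach the child.
Get-ADTrust -Filter * -Server $newDomainDns |
    Select-Object Name, Direction, IntraForest, TrustType

# The forest root's Enterprise Admins group is placed in the new domain's built-in
# Administrators group by default in either option. This is the "default admin
# permissions" the accepted answer mentions: the partner's Domain Admins cannot lock
# forest-root IT out, because the security boundary is the forest, not the domain.
Get-ADGroupMember -Identity 'Administrators' -Server $newDomainDns |
    Select-Object Name, objectClass, distinguishedName
```

The two splats differ only in DomainType and in whether NewDomainName is a label or an FQDN; that single difference is what decides whether the result is xyz.abc.com or xyz.local. The verification section at the end is the part worth keeping in a runbook for the scenario in the thread: it shows the partner-managed domain's trust relationships and the forest-root groups that retain control of it, so both sides can see what the child domain does and does not isolate.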
 
LVL 1

Author Closing Comment

by:damien1234
ID: 31601170
Done.  A child domain it is.  I have no compelling reason for a new tree, whether legal or use of namespace.  The added complexity of a new tree also helps make that option a lesser choice.  Simpler is better.  Thank you.
0