mprachar
asked on
Help setting up new AD
I am setting up a new Domain controller (2008 R2) for our office.
I have successfully completed the process, but before I start adding users, etc. I want to make sure I am future-proofing the design.
We have a TLD that hits our website (currently hosted) and our email is currently also hosted. We'll call it xyz.com. I want to make sure my new AD structure allows for as many as possible options in the future.
We have a west office and an east office and maybe more in the future. I *think* we should have the following domains:
xyz.com
west.xyz.com
east.xyz.com
I setup my AD as xyz.com with a NETBIOS name of xyz. Should I start over from scratch as west.xyz.com (NETBIOS of west), or can I just add west.xyz.com to this DC?
Thank You!
You can add west.xyz.com to the DC. This would be a new domain in an existing forest, which technically speaking would be a Child Domain. So with your current design you have Parent/Child Domains. xyz.com is the parent domain and west.xyz.com and east.xyz.com are your Child Domains.
In this scenario, each Child Domain would have 3 FSMO roles which are domain wide - PDC Emulator Role, RID Master Role and the Infrastructure Master Role. You will have 2 FSMO Roles which are Forest wide - The Schema Master Role and the Domain Naming Master Role.
There are 2-way trusts automatically in place; this is how replication is done. A BridgeHead Server, which is a Domain Controller, is selected for the Replication of Domain Wide and Forest Wide traffic. Sites and Subnets: you have the sites configured and subnets in place.
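An added example, not from the thread, that inventories the design described in the answer above (forest-wide and domain-wide FSMO holders, the automatic parent/child trusts, and the sites, subnets and bridgehead servers) using the .NET System.DirectoryServices.ActiveDirectory classes available on Windows Server 2008 R2. It assumes it is run on a domain-joined machine by an account that can read the directory; the domain names it prints are whatever the forest actually contains.

```powershell
# Added example: read-only inventory of FSMO roles, trusts, sites and subnets.
# Uses .NET classes that ship with Windows Server 2008 R2; no AD module needed.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Forest-wide FSMO roles: exactly one holder each for the whole forest
Write-Host "Forest: $($forest.Name)"
Write-Host "  Schema Master        : $($forest.SchemaRoleOwner.Name)"
Write-Host "  Domain Naming Master : $($forest.NamingRoleOwner.Name)"

# Domain-wide FSMO roles: one holder per domain (xyz.com, west.xyz.com, ...)
foreach ($domain in $forest.Domains) {
    Write-Host "Domain: $($domain.Name)"
    Write-Host "  PDC Emulator         : $($domain.PdcRoleOwner.Name)"
    Write-Host "  RID Master           : $($domain.RidRoleOwner.Name)"
    Write-Host "  Infrastructure Master: $($domain.InfrastructureRoleOwner.Name)"

    # Parent/child trusts are created automatically; expect two-way, transitive
    foreach ($trust in $domain.GetAllTrustRelationships()) {
        Write-Host ("  Trust: {0} -> {1} [{2}, {3}]" -f `
            $trust.SourceName, $trust.TargetName, $trust.TrustType, $trust.TrustDirection)
    }
}

# Sites and subnets: inter-office replication depends on these being defined,
# and a site with no subnet never gets clients assigned to it.
foreach ($site in $forest.Sites) {
    $subnets     = ($site.Subnets | ForEach-Object { $_.Name }) -join ', '
    $bridgeheads = ($site.BridgeheadServers | ForEach-Object { $_.Name }) -join ', '
    Write-Host "Site: $($site.Name)  subnets=[$subnets]  bridgeheads=[$bridgeheads]"
    if ($site.Subnets.Count -eq 0) {
        Write-Warning "Site $($site.Name) has no subnets assigned."
    }
}
```

Running this once after each new child domain or site is added gives a quick check that the role holders, trusts and subnet assignments match the intended east/west design.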
The best practice is to point your domain as domain.local
if your hosted domain name (i.e. Exchange, web server ...) is domain.com,
to resolve DNS issues in future when you host an Exchange server and SSL, UCA/SAN.
all the best
Because it's related to the routable and non-routable domain name issue...
ASKER
Thanks everybody!
So, is it best to keep everything under one domain? FYI - I don't expect we will get over 500 users in the next 3-4 years; we are currently around 50. I am wondering if adding east/west at this time is overly complicated, especially if that could be done in the future anyway.
And, if so, should my domain in this office (where I will be adding users' PCs) be xyz.com or xyz.local?
If the answer is xyz.local, can I easily change the xyz.com DC or should I just remove the AD role and start over as xyz.local?
Sorry to over-noodle this, but I don't want to try and fix this down the road if I make bad decisions now :)
Because your Domain is very small there is no real need to use multiple domains. Also, some organisations choose to use multiple domains for scenarios where broadband in geographical regions is very poor, and with the replication of Active Directory this can have an impact. As I said in my previous comment, with Child domains there are 3 FSMO Roles which are domain wide and 2 which are Forest Wide.
ASKER
Anybody have a compelling reason why I should start over with xyz.local vs. keeping the xyz.com?
One reason to use xyz.local as opposed to xyz.com is to keep your internal network "DNS" separate from your external domain. For example, let's say your external domain name is domain.com and you are setting up your internal network - you should configure your Active Directory DNS name space as domain.local.
ASKER CERTIFIED SOLUTION
Usually it is recommended that internal and external domains have different namespaces, but it is not mandatory. Your plan is correct in domain and NetBIOS name for xyz.com.
If you want the 3 domains...
For west and east these should be the NetBIOS names, and the recommended setting is to set these two domains as subdomains of xyz.com.
You will have
xyz.com
west.xyz.com
east.xyz.com