  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 447

Help setting up new AD

I am setting up a new Domain controller (2008 R2) for our office.

I have successfully completed the process, but before I start adding users, etc. I want to make sure I am future-proofing the design.

We have a TLD that hits our website (currently hosted) and our email is currently also hosted. We'll call it xyz.com. I want to make sure my new AD structure allows for as many as possible options in the future.

We have a west office and an east office and maybe more in the future. I *think* we should have the following domains:

xyz.com
west.xyz.com
east.xyz.com

I set up my AD as xyz.com with a NETBIOS name of xyz. Should I start over from scratch as west.xyz.com (NETBIOS of west), or can I just add west.xyz.com to this DC?

Thank You!
Asked by: mprachar
1 Solution
serchlop commented:
The best design, as MS suggests, is to have the minimum number of domains needed. Only a special requirement like a password policy in Win2003, or different support teams, or something like this could justify another domain. xyz is the best name for the NetBIOS name and xyz.com is a good domain name. You can put a domain controller in the west and east offices and configure sites and replication between sites to make network traffic efficient, and continue with only one domain. West and East can be OUs if you need to set up permissions for a support team to reset passwords and give support to users in these offices.

Usually it is recommended that the internal and external domains have different namespaces, but it is not mandatory. Your plan is correct in domain and NetBIOS name for xyz.com.

If you want the 3 domains...
For west and east these should be the NetBIOS names, and the recommended setting is to set these two domains as subdomains of xyz.com.

You will have
xyz.com
west.xyz.com
east.xyz.com
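The single-domain layout serchlop describes (one domain, a DC per office, AD sites with subnets so clients find their local DC, and per-office OUs with delegated password reset) as an added PowerShell example; this is not code from the thread. It assumes the ActiveDirectory module from Windows Server 2012 or later RSAT (which can manage a 2008 R2 domain through Active Directory Web Services), a domain named xyz.com, and constructed subnet ranges and a constructed helpdesk group name.

```powershell
# Added example (not from the thread): one domain xyz.com, two AD sites with one
# subnet each, a site link between them, and one OU per office.
# Assumes the ActiveDirectory module (RSAT 2012+); subnets and group names are placeholders.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=xyz,DC=com

# Office -> subnet mapping (constructed private ranges; replace with the real ones)
$offices = @{
    'West' = '10.1.0.0/16'
    'East' = '10.2.0.0/16'
}

foreach ($office in $offices.Keys) {
    # A site object scopes replication and lets clients locate their nearest DC
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$office'")) {
        New-ADReplicationSite -Name $office
    }
    # The subnet-to-site mapping is what actually sends a client to its local DC
    $subnet = $offices[$office]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $office
    }
    # One OU per office so support rights can be delegated per office instead of per domain
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$office'" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $office -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# Site link between the offices: replicate every 30 minutes over the WAN.
# Lower cost means the preferred path; the first DC stays in Default-First-Site-Name.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'West-East'")) {
    New-ADReplicationSiteLink -Name 'West-East' -SitesIncluded 'West','East' `
        -Cost 100 -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP
}

# Least-privilege delegation: the West helpdesk group (constructed name) may reset
# passwords and force a change at next logon for user objects under OU=West only.
# dsacls ships with the AD DS tools on 2008 R2 and later; /I:S applies to sub-objects.
$westOU = "OU=West,$domainDN"
dsacls $westOU /I:S /G 'XYZ\West-Helpdesk:CA;Reset Password;user'
dsacls $westOU /I:S /G 'XYZ\West-Helpdesk:WP;pwdLastSet;user'
```

Moving the office DCs into their sites afterwards (Move-ADDirectoryServer) is what makes the site link take effect; until then both DCs still sit in Default-First-Site-Name.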
JBond2010 commented:
You can add west.xyz.com to the DC. This would be a new domain in an existing forest, which technically speaking would be a Child Domain. So with your current design you have Parent/Child Domains. xyz.com is the parent domain and west.xyz.com and east.xyz.com are your Child Domains.

In this scenario, each Child Domain would have 3 FSMO roles which are domain-wide: the PDC Emulator Role, the RID Master Role and the Infrastructure Master Role. You will have 2 FSMO Roles which are forest-wide: the Schema Master Role and the Domain Naming Master Role.

Two-way trusts are automatically in place; this is how replication is done. A Bridgehead Server, which is a Domain Controller, is selected for the replication of domain-wide and forest-wide traffic. For Sites and Subnets, you have the sites configured and the subnets in place.
Sajid Shaik M, Sr. System Admin commented:
The best practice is to point your domain as domain.local,

if your hosted domain name, i.e. Exchange, web server ..., is domain.com,

to resolve DNS issues in future when you host an Exchange server and SSL, UCC/SAN.

All the best.

Sajid Shaik M, Sr. System Admin commented:
Because it's related to the routable and non-routable domain name issue...
mprachar (Author) commented:
Thanks everybody!

So, is it best to keep everything under one domain? FYI - I don't expect we will get over 500 users in the next 3-4 years; we are currently around 50. I am wondering if adding east/west at this time is overly complicated, especially if that could be done in the future anyway.

And, if so, should my domain in this office (where I will be adding users' PC's) be xyz.com or xyz.local?

If the answer is xyz.local, can I easily change the xyz.com DC or should I just remove the AD role and start over as xyz.local?

Sorry to over-noodle this, but I don't want to try and fix this down the road if I make bad decisions now :)
JBond2010 commented:
Because your Domain is very small there is no real need to use multiple domains. Also, some organisations choose to use multiple domains for scenarios where broadband in geographical regions is very poor, and with the replication of Active Directory this can have an impact. As I said in my previous comment, with Child domains there are 3 FSMO Roles which are domain-wide and 2 which are forest-wide.
mprachar (Author) commented:
Anybody have a compelling reason why I should start over with xyz.local vs. keeping the xyz.com?
JBond2010 commented:
One reason to use xyz.local as opposed to xyz.com is to keep your internal network "DNS" separate from your external domain. For example, let's say your external domain name is domain.com and you are setting up your internal network - you should configure your Active Directory DNS namespace as domain.local.
JBond2010 commented:
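The "DNS issues" behind the xyz.local advice, shown as an added PowerShell example that is not from the thread: once AD owns the xyz.com zone, the domain controller is authoritative for xyz.com on the inside, so every externally hosted name in that zone (the website, the hosted mail server) has to be created by hand or internal clients cannot reach it. It assumes the DnsServer module from Windows Server 2012 or later RSAT run against the DC, and the public addresses are constructed placeholders.

```powershell
# Added example (not from the thread): keep the hosted website and mail server
# reachable from inside when the AD DNS zone is the public name xyz.com.
# Assumes the DnsServer module (RSAT 2012+); on 2008 R2 itself the same record is
# added with:  dnscmd . /RecordAdd xyz.com www A 203.0.113.10
Import-Module DnsServer

$zone = 'xyz.com'

# Externally hosted names internal users still need (constructed addresses)
$external = @{
    'www'  = '203.0.113.10'
    'mail' = '203.0.113.20'
}

foreach ($name in $external.Keys) {
    # Internal DNS never forwards a query for xyz.com to the public servers,
    # so a missing record here means "name does not exist" for every domain client.
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A `
        -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $external[$name]
    }
    elseif ($existing.RecordData.IPv4Address.IPAddressToString -ne $external[$name]) {
        Write-Warning "$name.$zone points to $($existing.RecordData.IPv4Address); expected $($external[$name])"
    }
}

# What cannot be fixed this way: each DC registers the bare zone name xyz.com with its
# own IP (the "(same as parent folder)" A records), so http://xyz.com from inside lands
# on a domain controller. That split is the reason to prefer an internal name such as
# xyz.local, as the thread recommends, rather than maintaining a copy of the public zone.
Get-DnsServerResourceRecord -ZoneName $zone -RRType A |
    Where-Object { $_.HostName -eq '@' } |
    Select-Object HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }
```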
Also, have a look at this article from Microsoft and this should help to explain things more clearly.

http://support.microsoft.com/kb/254680