
Help setting up new AD

461 Views
Last Modified: 2012-05-11
I am setting up a new Domain controller (2008 R2) for our office.

I have successfully completed the process, but before I start adding users, etc. I want to make sure I am future-proofing the design.

We have a TLD that hits our website (currently hosted) and our email is currently also hosted. We'll call it xyz.com. I want to make sure my new AD structure allows for as many as possible options in the future.

We have a west office and an east office and maybe more in the future. I *think* we should have the following domains:

xyz.com
west.xyz.com
east.xyz.com

I set up my AD as xyz.com with a NETBIOS name of xyz. Should I start over from scratch as west.xyz.com (NETBIOS of west), or can I just add west.xyz.com to this DC?

Thank You!

Commented:
The best design, as MS suggests, is to have the minimum number of domains needed. Only a special requirement like a password policy in Win2003, different support teams, or something like this could justify another domain. xyz is the best NetBIOS name and xyz.com is a good domain name. You can put a domain controller in the west and east offices and configure sites and replication between sites to make network traffic efficient, and continue with only one domain. West and East can be OUs if you need to set up permissions for a support team to reset passwords and give support to users in these offices.

It is usually recommended that the internal and external domains have different namespaces, but it is not mandatory. Your plan is correct in domain and NetBIOS name for xyz.com.

If you want the 3 domains...
For west and east these should be the NetBIOS names, and the recommended setting is to set these two domains as subdomains of xyz.com.

You will have
xyz.com
west.xyz.com
east.xyz.com
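The single-domain design described in the comment above (one domain, a site per office, OUs for delegation) can be built and checked from PowerShell. This is an added example and not code from the thread or from any of the commenters. It assumes the xyz.com domain from the question, site names West and East, two constructed subnets (10.1.0.0/16 and 10.2.0.0/16), a hypothetical helpdesk group XYZ\West-Helpdesk, and the ActiveDirectory module shipped with Server 2012 or RSAT 2012 and later; the 2008 R2 module has no *-ADReplication* cmdlets, so on a 2008 R2-only network the site and subnet steps are done in Active Directory Sites and Services instead.

```powershell
# Added example: one domain (xyz.com) with two AD sites instead of two child domains.
# Assumptions (not from the thread): the subnets are constructed values, the group
# XYZ\West-Helpdesk is hypothetical, and the ActiveDirectory module is the 2012+ version.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=xyz,DC=com

# 1. Sites and subnets: the KCC uses these to keep replication and client logon traffic local.
foreach ($site in @(
    @{ Name = 'West'; Subnet = '10.1.0.0/16' },
    @{ Name = 'East'; Subnet = '10.2.0.0/16' }
)) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($site.Name)'")) {
        New-ADReplicationSite -Name $site.Name
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($site.Subnet)'")) {
        New-ADReplicationSubnet -Name $site.Subnet -Site $site.Name
    }
}

# 2. Site link between the offices: replicate every 15 minutes over the WAN
#    instead of the default 180, with an explicit cost.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'West-East'")) {
    New-ADReplicationSiteLink -Name 'West-East' -SitesIncluded 'West','East' `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# 3. One OU per office; delegation is scoped to the OU rather than to a separate domain.
foreach ($ou in 'West','East') {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# 4. Delegate only the "Reset Password" control-access right on user objects under OU=West
#    to the West helpdesk group (least privilege: no full control, no other object classes).
#    dsacls ships with the AD DS tools; /I:S applies the grant to child objects of the named class.
dsacls "OU=West,$domainDN" /I:S /G "XYZ\West-Helpdesk:CA;Reset Password;user"

# 5. Verify that each domain controller landed in the intended site.
Get-ADDomainController -Filter * | Select-Object HostName, Site
```

The checks before each New-* call make the script safe to re-run; the last line is the quick confirmation that the DC in each office is actually associated with that office's site, which is what makes the site-based replication and logon locality work.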
James, Senior Cloud Infrastructure Engineer
CERTIFIED EXPERT

Commented:
You can add west.xyz.com to the DC. This would be a new domain in an existing forest, which technically speaking would be a Child Domain. So with your current design you have Parent/Child Domains: xyz.com is the parent domain and west.xyz.com and east.xyz.com are your Child Domains.

In this scenario, each Child Domain would have 3 FSMO roles which are domain wide: the PDC Emulator Role, the RID Master Role and the Infrastructure Master Role. You will have 2 FSMO Roles which are Forest wide: the Schema Master Role and the Domain Naming Master Role.

There are 2-way trusts automatically in place; this is how replication is done. A Bridgehead Server, which is a Domain Controller, is selected for the replication of Domain Wide and Forest Wide traffic. For Sites and Subnets, you have the sites configured and subnets in place.
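Whichever layout is chosen, the FSMO role holders, the automatic intra-forest trusts and the site each DC sits in should be inventoried before users are added, because a role holder that is offline or misplaced is much harder to sort out later. The following is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module (Server 2012 / RSAT 2012 and later for Get-ADTrust) and the xyz.com forest from the question.

```powershell
# Added example: inventory the FSMO roles, trusts and DC/site layout for the forest.
# Assumes the ActiveDirectory module and a domain-joined machine in the xyz.com forest.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Forest-wide roles: exactly one holder each for the whole forest, however many domains exist.
$forest | Select-Object Name, SchemaMaster, DomainNamingMaster, Domains

# Domain-wide roles: every domain in the forest (xyz.com and any child such as
# west.xyz.com) has its own PDC Emulator, RID Master and Infrastructure Master.
foreach ($d in $forest.Domains) {
    Get-ADDomain -Identity $d |
        Select-Object DNSRoot, PDCEmulator, RIDMaster, InfrastructureMaster
}

# Parent/child trusts are created automatically when a child domain is added.
# Direction and IntraForest tell you whether a trust is the expected transitive one.
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, IntraForest

# Which DC holds which role, whether it is a Global Catalog, and which site it is in
# (bridgehead servers for inter-site replication are chosen per site).
Get-ADDomainController -Filter * |
    Select-Object HostName, Domain, Site, IsGlobalCatalog, OperationMasterRoles

# Replication health across the sites; non-zero failure counts need attention.
Get-ADReplicationPartnerMetadata -Target $forest.Name -Scope Forest |
    Select-Object Server, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures
```

In a single-domain forest the two listings collapse to five roles on one or two servers; in the parent/child design each child domain adds three more holders to keep track of, which is part of the operational cost the other answers weigh against the benefit of separate domains.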
Sajid Shaik M, System Admin
CERTIFIED EXPERT

Commented:
The best practice is to point your domain as domain.local

if your hosted domain name, i.e. Exchange, web server ... is domain.com

to resolve DNS issues in future when you host an Exchange server and SSL, UCA/SAN

all the best
Sajid Shaik M, System Admin
CERTIFIED EXPERT

Commented:
because it's related to the routable and non-routable domain name issue...

Author

Commented:
Thanks everybody!

So, is it best to keep everything under one domain? FYI - I don't expect we will get over 500 users in the next 3-4 years; we are currently around 50. I am wondering if adding east/west at this time is overly complicated, especially if that could be done in the future anyway.

And, if so, should my domain in this office (where I will be adding users' PCs) be xyz.com or xyz.local?

If the answer is xyz.local, can I easily change the xyz.com DC, or should I just remove the AD role and start over as xyz.local?

Sorry to over-noodle this, but I don't want to try and fix this down the road if I make bad decisions now :)
James, Senior Cloud Infrastructure Engineer
CERTIFIED EXPERT

Commented:
Because your Domain is very small there is no real need to use multiple domains. Also, some organisations choose to use multiple domains for scenarios where broadband in geographical regions is very poor, and with the replication of Active Directory this can have an impact. As I said in my previous comment, with Child domains there are 3 FSMO Roles which are domain wide and 2 which are Forest Wide.

Author

Commented:
Anybody have a compelling reason why I should start over with xyz.local vs. keeping the xyz.com?
James, Senior Cloud Infrastructure Engineer
CERTIFIED EXPERT

Commented:
One reason to use xyz.local as opposed to xyz.com is to keep your internal network "DNS" separate from your external domain. For example, let's say your external domain name is domain.com and you are setting up your internal network - you should configure your Active Directory DNS namespace as domain.local.