Child Domain

Posted on 2013-06-26
Last Modified: 2013-11-20
I'm looking for some more clarity on the whole child domain setup. Typically my customers all have an external .com or .net domain that is hosted at an external registrar such as GoDaddy or Network Solutions. In the past for internal network setups I have just used the domain.local deployment and managed split DNS when necessary. Is this still the preferred setup? Or should I consider the child domain setup where my internal domain is corp.domain.com?

If it is the latter, how do I go about the setup, since my root/parent domain is hosted at an external resource that may or may not allow delegation?
Question by:mthsupport
6 Comments
 

Expert Comment

by:Mike Kline
ID: 39278479
Do you plan on using Office 365? You could run into an issue there: http://markparris.co.uk/2011/03/08/active-directory-local-domain-design-and-office-365/

Try not splitting out to a child domain, because that just adds complexity, extra DCs, etc.

Thanks

Mike
 

Author Comment

by:mthsupport
ID: 39278535
No plan to use Office 365. I'm trying to better understand how to set up the child domain on my internal LAN, especially when my parent domain is hosted externally.

For example, during DC Promo I get asked if this is a new forest or existing forest. How do I answer that if NS doesn't allow delegation?
 

Expert Comment

by:Ugo Mena
ID: 39278723
Split DNS, with both a public (external) FQDN and a private (internal) one, is still best practice for this type of setup. However, it is strongly recommended by Microsoft and Apple not to use the domain.local namespace for your internal DNS, as this will cause problems with Bonjour, which also uses .local (now that Bonjour is no longer just a Mac package).

Then forward internal DNS queries for external DNS names to your external DNS.
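The forwarding step described above, as an added example that is not part of the original thread. It assumes a Windows Server domain controller running the DNS Server role with the DnsServer PowerShell module (Server 2012 or later), an internal zone named corp.domain.com, and that 203.0.113.53 and 203.0.113.54 are placeholders for the ISP's or external host's resolvers. The global forwarder and the conditional forwarder are alternatives; use the conditional one when only domain.com names should go to the external host's servers.

```powershell
# Added example, not code from the thread. Placeholders: corp.domain.com is the
# internal AD zone, 203.0.113.53/54 stand in for the external resolvers.
# Run on the DC in an elevated PowerShell session.

# 1. Send every query the DC is not authoritative for (everything outside
#    corp.domain.com) to the external resolvers instead of walking root hints.
Set-DnsServerForwarder -IPAddress 203.0.113.53, 203.0.113.54 -UseRootHint $false

# 2. Alternative to step 1: forward only the public domain.com namespace to the
#    external host's servers and leave everything else on the DC's default path.
Add-DnsServerConditionalForwarderZone -Name 'domain.com' `
    -MasterServers 203.0.113.53, 203.0.113.54 -ReplicationScope 'Forest'

# 3. Check what the DC now does with an internal and an external name.
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout
Resolve-DnsName -Name 'dc1.corp.domain.com' -Server 127.0.0.1 -Type A
Resolve-DnsName -Name 'www.domain.com'      -Server 127.0.0.1 -Type A

# 4. Guard rail: the DC's DNS answers LAN clients only. Confirm it listens on
#    internal addresses so it cannot be reached from the Internet as an open
#    resolver, and so corp.domain.com names never leave the network.
Get-DnsServerSetting -All | Select-Object -ExpandProperty ListeningIPAddress
```

With the global forwarder in place, a query for www.domain.com is answered from the outside resolvers, while dc1.corp.domain.com is answered from the AD-integrated zone; no record for the public name has to be copied into the internal zone.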

 

Accepted Solution

by: DrDave242 (earned 300 total points)
ID: 39278948
If you plan on hosting any externally-accessible resources in this domain, especially ones that will require a trusted SSL certificate, stay away from domain.local and go with the corp.domain.com scheme instead (where domain.com is your registered domain name). Public CAs (Verisign, GoDaddy, and the like) will soon stop issuing certificates that contain non-public domain names, in accordance with CA/Browser Forum guidelines that were adopted last year. Here's more info on that.

You don't actually have to do anything on the public side to make this work. There's no need to delegate the "child" domain corp.domain.com at all; you can treat them as two separate namespaces (so you'd treat the internal domain as a new domain during DC promotion). If and when you need to configure external access to an internal resource, the delegation should be easy to set up. If your domain host doesn't allow you to delegate, you should honestly start shopping for a new domain host.

Whatever you do, don't use identical names for your internal and external domains. That's a headache waiting to happen.
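The "new forest, no delegation" deployment from the accepted solution, as an added example that is not part of the original thread. It assumes Windows Server 2012 R2 or later with a static IP, that domain.com is the registered public domain, and that the corp label is not delegated anywhere on the public side; the DSRM password prompt and forest/domain modes are placeholders. One practitioner caveat: if a public name is needed later, the usual route is a record in the public domain.com zone at the registrar rather than delegating corp.domain.com to the DC, since delegating it would make the DC's DNS (and every internal hostname in it) reachable from the Internet.

```powershell
# Added example, not code from the thread. Placeholders: corp.domain.com,
# NetBIOS name CORP, forest/domain mode Win2012R2.

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Answer to the dcpromo question: this is a NEW FOREST, not a child domain in
# an existing forest. There is no AD domain called domain.com, only a public
# DNS zone that someone else hosts, so there is nothing to join or delegate.
Install-ADDSForest `
    -DomainName 'corp.domain.com' `
    -DomainNetbiosName 'CORP' `
    -ForestMode 'Win2012R2' `
    -DomainMode 'Win2012R2' `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force:$true

# After the reboot, confirm the DC is authoritative for corp.domain.com only.
Get-DnsServerZone -Name 'corp.domain.com' |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate

# There must be no local zone for the parent: *.domain.com queries leave via
# forwarders and get the public answers from the registrar's DNS.
if (-not (Get-DnsServerZone -Name 'domain.com' -ErrorAction SilentlyContinue)) {
    'domain.com is not hosted here; public names resolve through forwarders.'
}

# Secure-only dynamic updates: only authenticated domain members can register
# or overwrite names in the internal zone.
Set-DnsServerPrimaryZone -Name 'corp.domain.com' -DynamicUpdate 'Secure'
```

Because the parent zone is never hosted internally, nothing has to be configured at the registrar for AD to work, which is the point of the accepted answer: the two names share a suffix but are run as separate namespaces.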
 

Author Comment

by:mthsupport
ID: 39290080
Okay, that all makes sense. So when would I need delegation? Just to access internal resources using an external FQDN?
 

Assisted Solution

by: Ugo Mena (earned 200 total points)
ID: 39290244
Yes. You could technically set up as many child.externalDomain.com subdomains as you want and then point them (all/any/none) to your internalDomain.com by adding the appropriate records to your external host's DNS settings.

From there it is a firewall ruleset to allow the traffic into your LAN.

Similarly, you can then point a child.internalDomain.com subdomain to an internal or external resource.

Like DrDave says: "treat them as two separate namespaces". Very similar to an internal phone extension list and the associated external (direct inward dial) list.
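Publishing one internal resource under the external name while keeping the two namespaces separate (the "extension list" and the "DID list" in the analogy above), as an added example that is not part of the original thread. It assumes the corp.domain.com forest with its DC's DNS at 10.0.0.5, an internal web server at 10.0.0.20, a firewall holding public address 198.51.100.10, and 203.0.113.53 as a public resolver; all addresses are placeholders from the documentation ranges, and the `Test-SplitNamespace` function is an assumed name for the check.

```powershell
# Added example, not code from the thread. Placeholders: 10.0.0.5 (DC DNS),
# 10.0.0.20 (intranet server), 198.51.100.10 (firewall public IP),
# 203.0.113.53 (public resolver).

# Internal namespace: domain members know the host by its AD name.
Add-DnsServerResourceRecordA -ZoneName 'corp.domain.com' -Name 'intranet' `
    -IPv4Address '10.0.0.20' -TimeToLive 01:00:00

# External namespace: at the registrar (GoDaddy, Network Solutions, ...) add a
# record in the PUBLIC domain.com zone that points at the firewall, e.g.
#     intranet.domain.com.   A   198.51.100.10
# The firewall then forwards 198.51.100.10:443 to 10.0.0.20:443 and the
# ruleset allows only that port. Nothing in corp.domain.com is delegated.

# Verify each side answers as intended, and that the internal name is not
# visible from the public resolver.
function Test-SplitNamespace {
    param(
        [string]$InternalName = 'intranet.corp.domain.com',
        [string]$ExternalName = 'intranet.domain.com',
        [string]$InternalDns  = '10.0.0.5',
        [string]$PublicDns    = '203.0.113.53'
    )
    $in   = Resolve-DnsName -Name $InternalName -Server $InternalDns -Type A -ErrorAction SilentlyContinue
    $out  = Resolve-DnsName -Name $ExternalName -Server $PublicDns   -Type A -ErrorAction SilentlyContinue
    $leak = Resolve-DnsName -Name $InternalName -Server $PublicDns   -Type A -ErrorAction SilentlyContinue
    [pscustomobject]@{
        InternalAnswer = ($in  | Where-Object Type -eq 'A').IPAddress   # expect 10.0.0.20
        ExternalAnswer = ($out | Where-Object Type -eq 'A').IPAddress   # expect 198.51.100.10
        InternalLeaked = [bool]$leak                                     # expect False
    }
}
Test-SplitNamespace
```

If InternalLeaked ever comes back True, the internal zone has been delegated or copied to a public server, which is exactly the exposure the "two separate namespaces" approach is meant to avoid.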