Child Domain

Posted on 2013-06-26
Last Modified: 2013-11-20
I'm looking for some more clarity on the whole child domain setup. Typically my customers all have an external .com or .net domain that is hosted at an external registrar such as GoDaddy or Network Solutions. In the past for internal network setups I have just used the domain.local deployment and managed split DNS when necessary. Is this still the preferred setup? Or should I consider the child domain setup where my internal domain is corp.domain.com?

If it is the latter, how do I go about the setup since my root/parent domain is hosted at an external resource that may or may not allow delegation.
Question by:mthsupport
6 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39278479
Do you plan on using Office 365? You could run into an issue there: http://markparris.co.uk/2011/03/08/active-directory-local-domain-design-and-office-365/

Try not splitting out to a child domain, because that just adds complexity, extra DCs, etc.

Thanks

Mike
 

Author Comment

by:mthsupport
ID: 39278535
No plan to use Office 365. I'm trying to better understand how to set up the child domain on my internal LAN, especially when my parent domain is hosted externally.

For example, during DC Promo I get asked if this is a new forest or an existing forest. How do I answer that if NS doesn't allow delegation?
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39278723
Split DNS with both FQDN (external) and a private (internal) is still best practice for this type of setup. However, it is strongly recommended by Microsoft & Apple to not use the domain.local namespace for your internal DNS as this will cause problems with Bonjour which also uses .local (now that Bonjour is no longer just a Mac package).

Then forward internal DNS queries for external DNS names to your external DNS.
LVL 27

Accepted Solution

by:DrDave242 (earned 1200 total points)
ID: 39278948
If you plan on hosting any externally-accessible resources in this domain, especially ones that will require a trusted SSL certificate, stay away from domain.local and go with the corp.domain.com scheme instead (where domain.com is your registered domain name). Public CAs (Verisign, GoDaddy, and the like) will soon stop issuing certificates that contain non-public domain names, in accordance with CA/Browser Forum guidelines that were adopted last year. Here's more info on that.

You don't actually have to do anything on the public side to make this work. There's no need to delegate the "child" domain corp.domain.com at all; you can treat them as two separate namespaces (so you'd treat the internal domain as a new domain during DC promotion). If and when you need to configure external access to an internal resource, the delegation should be easy to set up. If your domain host doesn't allow you to delegate, you should honestly start shopping for a new domain host.

Whatever you do, don't use identical names for your internal and external domains. That's a headache waiting to happen.
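The setup the two answers above describe (an internal corp.domain.com zone on the DC, external names forwarded out, nothing delegated at the registrar) as an added PowerShell example that is not from the original thread. It assumes a DC with the DnsServer module, a placeholder registered name domain.com, and a constructed upstream resolver address 203.0.113.53.

```powershell
# Added example, not code from the thread. Run on a domain controller that holds the DNS role.
# Assumptions: domain.com is the registered public name (placeholder), 203.0.113.53 is the
# upstream resolver (constructed documentation address), 10.0.0.20 is a constructed RFC 1918 host.
Import-Module DnsServer

$publicDomain = 'domain.com'           # registered name, hosted at the external registrar
$internalZone = "corp.$publicDomain"   # the AD namespace, per the accepted solution
$upstream     = '203.0.113.53'         # external resolver the DC forwards to (constructed)

# 1. Authoritative, AD-integrated zone for the internal namespace only. The public
#    registrar never sees this zone, so no delegation is required to make it work.
#    Secure dynamic updates keep unauthenticated hosts from registering records.
if (-not (Get-DnsServerZone -Name $internalZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $internalZone -ReplicationScope 'Forest' -DynamicUpdate 'Secure'
}

# 2. Every name outside corp.domain.com (www.domain.com, mail.domain.com, the wider
#    Internet) goes to the upstream resolver. No copy of the public domain.com zone is
#    kept internally, which is what keeps the two namespaces separate.
Set-DnsServerForwarder -IPAddress $upstream -UseRootHint $false

# 3. An internal-only host. Because the DC is authoritative for corp.domain.com, a
#    query from the Internet for this name simply fails unless the registrar later
#    delegates the subdomain (the "if and when" case in the accepted solution).
Add-DnsServerResourceRecordA -ZoneName $internalZone -Name 'fileserver' -IPv4Address '10.0.0.20'

# 4. Check split resolution from the DC: the first answer is local, the second comes
#    back through the forwarder.
Resolve-DnsName -Name "fileserver.$internalZone" -Type A
Resolve-DnsName -Name "www.$publicDomain" -Type A
```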
 

Author Comment

by:mthsupport
ID: 39290080
Okay that all makes sense. So when would I need delegation? Just to access internal resources using an external fqdn?
 
LVL 13

Assisted Solution

by:Ugo Mena
Ugo Mena earned 800 total points
ID: 39290244
Yes. You could technically set up as many child.externalDomain.com subdomains as you want and then point them (all, any or none) to your internalDomain.com by adding the appropriate records to your external host's DNS settings.

From there it is a firewall ruleset to allow the traffic into your LAN.

Similarly, you can then point a child.internalDomain.com subdomain to an internal or external resource.

Like DrDave says: "treat them as two separate namespaces". Very similar to an internal phone extension list and the associated external (direct inward dial) list.