Solved

Child Domain

Posted on 2013-06-26
Last Modified: 2013-11-20
I'm looking for some more clarity on the whole child domain setup. Typically my customers all have an external .com or .net domain that is hosted at an external registrar such as GoDaddy or Network Solutions. In the past for internal network setups I have just used the domain.local deployment and managed split DNS when necessary. Is this still the preferred setup? Or should I consider the child domain setup where my internal domain is corp.domain.com?

If it is the latter, how do I go about the setup, since my root/parent domain is hosted at an external resource that may or may not allow delegation?
0
Question by:mthsupport
6 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39278479
Do you plan on using Office 365? You could run into an issue there: http://markparris.co.uk/2011/03/08/active-directory-local-domain-design-and-office-365/

Try not splitting out to a child domain, because that just adds increasing complexity, extra DCs, etc.

Thanks

Mike
0
 

Author Comment

by:mthsupport
ID: 39278535
No plan to use Office 365. I'm trying to better understand how to set up the child domain on my internal LAN, especially when my parent domain is hosted externally.

For example, during DC Promo I get asked if this is a new forest or existing forest. How do I answer that if NS doesn't allow delegation?
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39278723
Split DNS, with both an external FQDN and a private (internal) one, is still best practice for this type of setup. However, it is strongly recommended by Microsoft & Apple to not use the domain.local namespace for your internal DNS, as this will cause problems with Bonjour, which also uses .local (now that Bonjour is no longer just a Mac package).

Then forward internal DNS queries for external DNS names to your external DNS.
0
 
LVL 26

Accepted Solution

by:
DrDave242 earned 300 total points
ID: 39278948
If you plan on hosting any externally-accessible resources in this domain, especially ones that will require a trusted SSL certificate, stay away from domain.local and go with the corp.domain.com scheme instead (where domain.com is your registered domain name). Public CAs (Verisign, GoDaddy, and the like) will soon stop issuing certificates that contain non-public domain names, in accordance with CA/Browser Forum guidelines that were adopted last year. Here's more info on that.

You don't actually have to do anything on the public side to make this work. There's no need to delegate the "child" domain corp.domain.com at all; you can treat them as two separate namespaces (so you'd treat the internal domain as a new domain during DC promotion). If and when you need to configure external access to an internal resource, the delegation should be easy to set up. If your domain host doesn't allow you to delegate, you should honestly start shopping for a new domain host.

Whatever you do, don't use identical names for your internal and external domains. That's a headache waiting to happen.
0
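The naming advice in the accepted answer (and Ugo Mena's warning about .local) boils down to a few checks on the proposed internal name. The following is an added example, written for this page and not code from any of the posters, that applies those checks to a candidate name; the candidate names and the registered domain `domain.com` are constructed inputs.

```python
"""Sanity check for a proposed internal AD DNS name, following the advice in
this thread (constructed example, not code from any of the posters):
  - don't reuse the registered public name as the internal AD name;
  - avoid .local, which Bonjour/mDNS also uses and which public CAs will no
    longer put in certificates;
  - prefer a subdomain of the registered public name, e.g. corp.domain.com.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    name: str
    ok: bool
    reason: str


def _labels(name: str) -> list[str]:
    """Normalise 'Corp.Domain.COM.' -> ['corp', 'domain', 'com']."""
    return [label for label in name.strip().lower().rstrip(".").split(".") if label]


def assess_internal_namespace(internal: str, registered: str) -> Verdict:
    """Classify the proposed internal name relative to the registered public one."""
    internal_labels = _labels(internal)
    registered_labels = _labels(registered)
    if not internal_labels or not registered_labels:
        return Verdict(internal, False, "empty name")
    if internal_labels == registered_labels:
        return Verdict(internal, False,
                       "identical to the public domain: internal clients resolve "
                       "www/mail against the internal zone, so every public record "
                       "must be duplicated by hand")
    if internal_labels[-1] == "local":
        return Verdict(internal, False,
                       ".local collides with Bonjour/mDNS, and public CAs are "
                       "dropping non-public names from certificates")
    if internal_labels[-len(registered_labels):] == registered_labels:
        return Verdict(internal, True,
                       "subdomain of the registered domain: certifiable by a public "
                       "CA, and no delegation is needed until you expose something")
    return Verdict(internal, False,
                   "not under the registered domain: only use a name you actually "
                   "control, otherwise a public CA will not validate it for you")


if __name__ == "__main__":
    # constructed candidates; "domain.com" stands in for the customer's registered name
    for candidate in ("domain.local", "domain.com", "corp.domain.com", "ad.other.net"):
        v = assess_internal_namespace(candidate, "domain.com")
        print(f"{v.name:18} {'OK ' if v.ok else 'BAD'} {v.reason}")
```

Run it as a script to see each candidate classified; only `corp.domain.com` passes, for the reasons DrDave242 gives above.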
 

Author Comment

by:mthsupport
ID: 39290080
Okay, that all makes sense. So when would I need delegation? Just to access internal resources using an external FQDN?
0
 
LVL 13

Assisted Solution

by:Ugo Mena
Ugo Mena earned 200 total points
ID: 39290244
Yes. You could technically set up as many child.externalDomain.com subdomains as you want and then point them (all/any/none) to your internalDomain.com by adding the appropriate records to your external host's DNS settings.

From there it is a firewall ruleset to allow the traffic into your LAN.

Similarly, you can then point a child.internalDomain.com subdomain to an internal or external resource.

Like DrDave says: "treat them as two separate namespaces". Very similar to an internal phone extension list and the associated external (direct inward dial) list.
0
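To make the "two separate namespaces" model concrete, here is an added example (my own toy model, not code from the thread or from any DNS product) of how the internal resolver described by Ugo Mena and DrDave242 behaves: it answers from its own `corp.domain.com` zone, forwards everything else to the external host, and the external host, which carries the public records such as the `vpn.domain.com` entry that Ugo describes, never sees internal names. It also reproduces the "identical names" headache from the accepted answer. All zones, names and addresses (RFC 5737 documentation range and RFC 1918 private space) are constructed.

```python
"""Toy model of the split-DNS design discussed in this thread (constructed
example). Two tiny authoritative servers, internal and external, plus the
rule that makes split DNS work or fail: a server authoritative for a name
answers it itself and never forwards, even when it has no such record."""
from __future__ import annotations


class Zone:
    def __init__(self, origin: str, records: dict[str, str]):
        self.origin = origin.lower().rstrip(".")
        self.records = {k.lower().rstrip("."): v for k, v in records.items()}

    def contains(self, name: str) -> bool:
        name = name.lower().rstrip(".")
        return name == self.origin or name.endswith("." + self.origin)

    def lookup(self, name: str) -> str | None:
        # None models NXDOMAIN
        return self.records.get(name.lower().rstrip("."))


class Server:
    def __init__(self, zones: list[Zone], forwarder: Server | None = None):
        self.zones = zones
        self.forwarder = forwarder

    def resolve(self, name: str) -> str | None:
        matching = [z for z in self.zones if z.contains(name)]
        if matching:
            # most specific zone wins; authoritative answer, no forwarding
            return max(matching, key=lambda z: len(z.origin)).lookup(name)
        if self.forwarder is not None:
            return self.forwarder.resolve(name)
        return None


# External host (GoDaddy, Network Solutions, ...): public records only.
# vpn.domain.com is the firewall's public address, passed inward by a
# firewall rule, which is the "point a subdomain at an internal resource" case.
EXTERNAL = Server([Zone("domain.com", {
    "www.domain.com": "203.0.113.10",
    "mail.domain.com": "203.0.113.25",
    "vpn.domain.com": "203.0.113.1",
})])


def recommended_internal() -> Server:
    """corp.domain.com as its own namespace; public names are forwarded out."""
    return Server([Zone("corp.domain.com", {
        "dc1.corp.domain.com": "10.0.0.10",
        "files.corp.domain.com": "10.0.0.20",
    })], forwarder=EXTERNAL)


def identical_name_internal() -> Server:
    """The headache: internal zone named domain.com, same as the public one."""
    return Server([Zone("domain.com", {
        "dc1.domain.com": "10.0.0.10",
    })], forwarder=EXTERNAL)


def resolve_all(server: Server, names: list[str]) -> dict[str, str | None]:
    return {n: server.resolve(n) for n in names}


if __name__ == "__main__":
    probes = ["dc1.corp.domain.com", "www.domain.com", "vpn.domain.com"]
    print("corp.domain.com internal:", resolve_all(recommended_internal(), probes))
    print("domain.com internal:     ", resolve_all(identical_name_internal(), probes))
    print("external view of a DC:   ", EXTERNAL.resolve("dc1.corp.domain.com"))
```

With the recommended layout every probe resolves; with the identical-name layout `www.domain.com` and `vpn.domain.com` come back NXDOMAIN on the LAN because the internal server is authoritative for `domain.com` and will not forward, which is exactly why each public record would have to be copied into the internal zone by hand.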
