Solved

Child Domain

Posted on 2013-06-26
458 Views
Last Modified: 2013-11-20
I'm looking for some more clarity on the whole child domain setup. Typically my customers all have an external .com or .net domain that is hosted at an external registrar such as GoDaddy or Network Solutions. In the past, for internal network setups, I have just used the domain.local deployment and managed split DNS when necessary. Is this still the preferred setup? Or should I consider the child domain setup where my internal domain is corp.domain.com?

If it is the latter, how do I go about the setup, since my root/parent domain is hosted at an external resource that may or may not allow delegation?
Question by:mthsupport
6 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39278479
Do you plan on using Office 365? You could run into an issue there: http://markparris.co.uk/2011/03/08/active-directory-local-domain-design-and-office-365/

Try not splitting out to a child domain, because that just adds increasing complexity, extra DCs, etc.

Thanks

Mike
 

Author Comment

by:mthsupport
ID: 39278535
No plan to use Office 365. I'm trying to better understand how to set up the child domain on my internal LAN, especially when my parent domain is hosted externally.

For example, during DC Promo I get asked if this is a new forest or existing forest. How do I answer that if NS doesn't allow delegation?
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39278723
Split DNS with both an FQDN (external) and a private (internal) namespace is still best practice for this type of setup. However, it is strongly recommended by Microsoft and Apple not to use the domain.local namespace for your internal DNS, as this will cause problems with Bonjour, which also uses .local (now that Bonjour is no longer just a Mac package).

Then forward internal DNS queries for external DNS names to your external DNS.
 
LVL 26

Accepted Solution

by:
DrDave242 earned 300 total points
ID: 39278948
If you plan on hosting any externally-accessible resources in this domain, especially ones that will require a trusted SSL certificate, stay away from domain.local and go with the corp.domain.com scheme instead (where domain.com is your registered domain name). Public CAs (Verisign, GoDaddy, and the like) will soon stop issuing certificates that contain non-public domain names, in accordance with CA/Browser Forum guidelines that were adopted last year. Here's more info on that.

You don't actually have to do anything on the public side to make this work. There's no need to delegate the "child" domain corp.domain.com at all; you can treat them as two separate namespaces (so you'd treat the internal domain as a new domain during DC promotion). If and when you need to configure external access to an internal resource, the delegation should be easy to set up. If your domain host doesn't allow you to delegate, you should honestly start shopping for a new domain host.

Whatever you do, don't use identical names for your internal and external domains. That's a headache waiting to happen.
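The two-namespace layout DrDave242 describes, worked through as an added PowerShell example (this is not code from the thread or from any of the posters). It assumes the public zone is domain.com at the registrar, the internal AD namespace is corp.domain.com, the first DC is 10.0.0.10, and the upstream resolvers are 1.1.1.1 and 8.8.8.8; all of those names and addresses are placeholders. The cmdlets are the standard ADDSDeployment and DnsServer modules on Windows Server 2012 or later, run elevated.

```powershell
# Added example, not from the original thread. Assumed placeholders:
#   domain.com        public zone, hosted at the registrar (untouched here)
#   corp.domain.com   internal AD namespace, exists only on the LAN
#   10.0.0.10         first domain controller / internal DNS server
#   1.1.1.1, 8.8.8.8  public resolvers used as forwarders

Import-Module ADDSDeployment

# 1. First DC: in dcpromo terms this is "new forest". Nothing is delegated
#    from the registrar; corp.domain.com simply never exists in public DNS.
Install-ADDSForest `
    -DomainName 'corp.domain.com' `
    -DomainNetbiosName 'CORP' `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# --- after the reboot, on the new DC ---
Import-Module DnsServer

# 2. Forward everything the DC is not authoritative for (www.domain.com,
#    mail.domain.com, the rest of the Internet) to the public resolvers.
Set-DnsServerForwarder -IPAddress '1.1.1.1', '8.8.8.8' -UseRootHint $false

# 3. Do NOT host a zone named domain.com on the internal server. If one
#    exists, internal clients stop seeing the registrar's public records
#    and you are back to the identical-name headache.
if (Get-DnsServerZone -Name 'domain.com' -ErrorAction SilentlyContinue) {
    Write-Warning 'Zone domain.com exists on the internal DNS server; remove it unless split-brain for that exact name is intended.'
}

# 4. Sanity checks: the first two answer from the AD-integrated zone, the
#    third is answered through the forwarder.
Resolve-DnsName -Name 'dc1.corp.domain.com' -Server 10.0.0.10
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.domain.com' -Type SRV -Server 10.0.0.10
Resolve-DnsName -Name 'www.domain.com' -Server 10.0.0.10
```

The SRV lookup is the one worth keeping in a runbook: if `_ldap._tcp.dc._msdcs.corp.domain.com` does not resolve from a client, domain joins and logons fail regardless of how the public zone is set up.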
 

Author Comment

by:mthsupport
ID: 39290080
Okay that all makes sense. So when would I need delegation? Just to access internal resources using an external fqdn?
 
LVL 13

Assisted Solution

by:Ugo Mena
Ugo Mena earned 200 total points
ID: 39290244
Yes. You could technically set up as many child.externalDomain.com subdomains as you want and then point them (all/any/none) to your internalDomain.com by adding the appropriate records to your external host's DNS settings.

From there it is a firewall ruleset to allow the traffic into your LAN.

Similarly, you can then point a child.internalDomain.com subdomain to an internal or external resource.

Like DrDave says: "treat them as two separate namespaces". Very similar to an internal phone extension list and the associated external (direct inward dial) list.
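Publishing one internal host under the public name and then checking that the two namespaces stay separate, as an added PowerShell example (not code from the thread). It assumes a web server web01.corp.domain.com at 10.0.5.20 behind NAT, a public address 203.0.113.10, and that the record www.domain.com -> 203.0.113.10 has already been created in the registrar's portal; the registrar side is not scripted here. Everything else (zone, server and resolver addresses) is a placeholder.

```powershell
# Added example, not from the original thread. Assumed placeholders:
#   corp.domain.com / 10.0.0.10   internal AD zone and DNS server
#   web01.corp.domain.com         internal host, private address 10.0.5.20
#   203.0.113.10                  public address the firewall NATs to 10.0.5.20
#   www.domain.com                registrar A record -> 203.0.113.10 (created by hand)

Import-Module DnsServer

# Internal side: the host exists in the AD zone only, never in public DNS.
Add-DnsServerResourceRecordA -ZoneName 'corp.domain.com' -Name 'web01' -IPv4Address '10.0.5.20'

# Internal alias that points at the public name, so LAN users reach the
# published service exactly as outside users do (a child.internalDomain.com
# name pointing at an external resource, in Ugo's terms).
Add-DnsServerResourceRecordCName -ZoneName 'corp.domain.com' -Name 'www' -HostNameAlias 'www.domain.com'

# Verification: each name must answer from the expected side only, and no
# private (RFC 1918) address may ever come back from a public resolver.
$private = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
$checks = @(
    @{ Name = 'web01.corp.domain.com'; Internal = '10.0.5.20';    External = $null },
    @{ Name = 'www.domain.com';        Internal = '203.0.113.10'; External = '203.0.113.10' }
)
foreach ($c in $checks) {
    $int = (Resolve-DnsName -Name $c.Name -Type A -Server 10.0.0.10 -ErrorAction SilentlyContinue).IPAddress
    $ext = (Resolve-DnsName -Name $c.Name -Type A -Server 1.1.1.1  -ErrorAction SilentlyContinue).IPAddress

    $intOk = $int -contains $c.Internal
    $extOk = if ($null -eq $c.External) { -not $ext } else { $ext -contains $c.External }
    $leak  = @($ext) | Where-Object { $_ -match $private }

    "{0,-28} internal={1,-14} external={2,-14} ok={3}" -f $c.Name, ($int -join ','), ($ext -join ','), ($intOk -and $extOk)
    if ($leak) { Write-Warning "$($c.Name): private address $($leak -join ',') is visible in public DNS" }
}

# Firewall side: from a host outside the LAN, confirm the NAT/ACL actually
# admits the traffic on the published port.
Test-NetConnection -ComputerName 'www.domain.com' -Port 443
```

The leak check is the part worth running periodically: an internal name or private address that answers from a public resolver means someone created the record on the wrong side, which hands an attacker a map of the LAN for free.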