Solved

Child Domain

Posted on 2013-06-26
455 Views
Last Modified: 2013-11-20
I'm looking for some more clarity on the whole child domain setup. Typically my customers all have an external .com or .net domain that is hosted at an external registrar such as GoDaddy or Network Solutions. In the past for internal network setups I have just used the domain.local deployment and managed split DNS when necessary. Is this still the preferred setup? Or should I consider the child domain setup where my internal domain is corp.domain.com?

If it is the latter, how do I go about the setup, since my root/parent domain is hosted at an external resource that may or may not allow delegation?
Question by:mthsupport
6 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39278479
Do you plan on using Office 365? You could run into an issue there: http://markparris.co.uk/2011/03/08/active-directory-local-domain-design-and-office-365/

Try not splitting out to a child domain, because that just adds increasing complexity, extra DCs, etc.

Thanks

Mike
 

Author Comment

by:mthsupport
ID: 39278535
No plan to use Office 365. I'm trying to better understand how to set up the child domain on my internal LAN, especially when my parent domain is hosted externally.

For example, during DC Promo I get asked if this is a new forest or existing forest. How do I answer that if NS doesn't allow delegation?
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39278723
Split DNS, with both an FQDN (external) and a private (internal) namespace, is still best practice for this type of setup. However, it is strongly recommended by Microsoft & Apple not to use the domain.local namespace for your internal DNS, as this will cause problems with Bonjour, which also uses .local (now that Bonjour is no longer just a Mac package).

Then forward internal DNS queries for external DNS names to your external DNS.
 
LVL 25

Accepted Solution

by: DrDave242 (earned 300 total points)
ID: 39278948
If you plan on hosting any externally-accessible resources in this domain, especially ones that will require a trusted SSL certificate, stay away from domain.local and go with the corp.domain.com scheme instead (where domain.com is your registered domain name). Public CAs (Verisign, GoDaddy, and the like) will soon stop issuing certificates that contain non-public domain names, in accordance with CA/Browser Forum guidelines that were adopted last year. Here's more info on that.

You don't actually have to do anything on the public side to make this work. There's no need to delegate the "child" domain corp.domain.com at all; you can treat them as two separate namespaces (so you'd treat the internal domain as a new domain during DC promotion). If and when you need to configure external access to an internal resource, the delegation should be easy to set up. If your domain host doesn't allow you to delegate, you should honestly start shopping for a new domain host.

Whatever you do, don't use identical names for your internal and external domains. That's a headache waiting to happen.
 

Author Comment

by:mthsupport
ID: 39290080
Okay that all makes sense. So when would I need delegation? Just to access internal resources using an external fqdn?
 
LVL 13

Assisted Solution

by: Ugo Mena (earned 200 total points)
ID: 39290244
Yes. You could technically set up as many child.externalDomain.com subdomains as you want and then point them (all/any/none) to your internalDomain.com by adding the appropriate records to your external host's DNS settings.

From there it is a firewall ruleset to allow the traffic into your LAN.

Similarly, you can then point a child.internalDomain.com subdomain to an internal or external resource.

Like DrDave says: "treat them as two separate namespaces". Very similar to an internal phone extension list and the associated external (direct inward dial) list.
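The setup DrDave242 and Ugo Mena describe (corp.domain.com as a brand-new forest with nothing delegated at the registrar, the public zone kept out of the internal DNS, and everything outside the AD zone forwarded to an external resolver), written out as a PowerShell script. This is an added example, not code from the thread or from any of the posters. The names and addresses are assumptions for illustration: domain.com as the registered zone, corp.domain.com / CORP as the AD name, 10.0.0.20 as an internal intranet host, and 203.0.113.53/.54 as the external resolvers you would forward to. It targets Server 2012 or later, where the ADDSDeployment and DnsServer modules ship with the roles.

```powershell
# Added example (not from the original thread): stand up corp.domain.com as a NEW forest
# with no public delegation, keep the public zone domain.com off the internal DNS server,
# and forward everything else to an external resolver.
# Assumed names/addresses: domain.com (registered zone), corp.domain.com (AD DNS name),
# CORP (NetBIOS name), intranet server 10.0.0.20, forwarders 203.0.113.53 and 203.0.113.54.
# Run on the future first DC as a local administrator.

$AdDnsName  = 'corp.domain.com'
$NetBios    = 'CORP'
$PublicZone = 'domain.com'
$Forwarders = '203.0.113.53', '203.0.113.54'   # assumed: your ISP's or a public resolver

# --- Phase 0: sanity checks on the chosen name --------------------------------------
if ($AdDnsName -like '*.local') {
    throw 'Do not use .local: it collides with mDNS/Bonjour and public CAs will not issue certs for it.'
}
if ($AdDnsName -eq $PublicZone) {
    throw 'Internal and external zone names must differ; identical names force a manual internal copy of every public record.'
}
if ($AdDnsName -notlike "*.$PublicZone") {
    Write-Warning "$AdDnsName is not under $PublicZone, so you will not own its public parent."
}

# --- Phase 1: promote the first DC (the server reboots when this completes) ---------
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
# "New forest": nothing at the registrar is consulted or changed, so whether the
# external host supports delegation does not matter at this step.
Install-ADDSForest -DomainName $AdDnsName -DomainNetbiosName $NetBios `
    -ForestMode Win2012 -DomainMode Win2012 -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Force

# --- Phase 2 (run again after the reboot): forwarders, records, verification --------
Add-DnsServerForwarder -IPAddress $Forwarders -PassThru

# The parent zone must NOT be hosted here. If it is, www/mail/etc. under domain.com
# stop resolving internally unless every public record is copied by hand.
if (Get-DnsServerZone -Name $PublicZone -ErrorAction SilentlyContinue) {
    Write-Warning "$PublicZone is hosted on this server; remove it unless you intend full split-brain DNS."
}

# An internal-only host: exists only in the AD zone, never published at the registrar.
Add-DnsServerResourceRecordA -ZoneName $AdDnsName -Name 'intranet' -IPv4Address '10.0.0.20'

# Verification from the DC itself.
Resolve-DnsName -Name "intranet.$AdDnsName" -Type A -Server 127.0.0.1   # authoritative answer from the AD zone
Resolve-DnsName -Name "www.$PublicZone"    -Type A -Server 127.0.0.1   # answered via the forwarders, not locally

# The only non-automatic zones should be corp.domain.com, _msdcs.corp.domain.com and any reverse zones.
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated
```

Publishing an internal resource externally, as in Ugo Mena's follow-up, happens entirely outside this script: an A record for something like vpn.domain.com at the registrar pointing at your public IP, plus the matching firewall rule. Nothing under corp.domain.com needs to appear in public DNS for that to work, which is why the registrar's delegation support never comes into play.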
