New AD DS Forest Questions.. Need help badly

Hey everyone,

I'm having a bit of a conundrum about the new forest domain name and what possible implications it can have if I chose the wrong name convention...

Current Setup

The current issue is that the company I work for was bought out by another company and atm, where using a 2-way forest trust.

The company also has another site in Africa which is using a different forest domain but doesn't have any forest trust to either of the other 2 domains.

The current forest domains are:-

1. Company1.local (my old company)

2. (main company)

3. (Africa site)

To make it worse, all three sites have their own Exchange environment and there's all types of file share/application authentication issues between sites.

Therefore, the company has decided that they want to get rid of all the exchange environments/file shares and so forth and move everything to Office365, including SharePoint and Lync

New Solution

They have also decided that they want a new forest with a single domain and that the locations and security will be delegated by using different OU structures/GPO's as it's all going to administered by 2 people at the main company site. This is non-negotiable as they don't want sub/child domains or different forests, just a single entity.

They're using a third party to do the Office365 design and implementation. However I have been assigned to setup the new initial ADDS server for the new forest.

After some reading I've found that we really shouldn't be using '.local' or '.internal' for the forest root domain. I suggested that we use '' and a NetBIOS of 'CNF' (but because its such a long name, Ifeel that if we have to use a FQDN for anything then it will cause an issue)

They want me use the following for the forest root domain 'au.cnf' with a NetBIOS of 'CNF'

Is that really such a good idea or is there any situation whereby using 'au.cnf' as the prefix.suffix could cause any issues?

I would of like to use '' however the domain name '' is already registered by another company..

Once the new forest is created, I'll be setting it up with the ADFS to Office365 and create 2way forest trusts from the new forest the 3 old ones and start migrating users to the new forest domain.

Thanks in advance for you help
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

At this point in time you should stop using an invalid TLD (Top Level Domain) names like .local, .int, .etc.  For one it is no longer possible to get SSL certificates from public CAs using domain names which cannot be verified as valid and owned by your company, so whether or not you think that is an issue now think about the future when the need for public certs for 'something' comes into play.

Also depending on if you have a need for Enterprise Voice in Lync then you may be looking at leveraging a Hybrid (Split-Domain) topology for some time.  Considering that you have a couple options for your AD namespace.  The nice thing is that the hybrid scenario leverages SMTP, SIP, etc domain names which do not have to match your actual AD namespace.

The simplest solution is to basically use the same name as your external, owned namespace.  So internal AD, external, SIP, SMTP are all the same (e.g.  The other option is to use separate namespace, but make sure whatever you use for the internal namespace is something you own on the Internet.  Even if you won't ever publish (and should not) this namespace on the Internet you'll need to prove ownership of the domain to get any public certs issued with CN or SAN entries containing that namespace.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
QuazzieMAuthor Commented:
Hi Jeff, thanks for you reply..

I'm more leaning towards using the '' and setting the new forest root domain as either '' or ''.

As were moving to more Azure cloud services like Office365/Sharepoint/Lync and I can only see us starting to utilise more IaaS sooner rather then later.

My only concern is that by using such a long winded forest root domain of '' is that if there's a scenerio whereby we need to use FQDN for some form on internal application or internal website, it can be annoying for staff to have to type that such a long winded address or login credential..

For example, if they needed to type.. '' for a sharepoint site in Office365 or if the app requires them to use as the log in credentials..

Is there something that can be configured in AD/DNS that could create some sort of shortened verisons for these types of situations?
QuazzieMAuthor Commented:
Would using a shorter UPN sort this issue out?? Sorry I'm dont know enough about UPN's and what they bring to the AD DS side of things
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.