Re: In domain.company.com "domain" is not technically a child in a single domain 1 DC AD?

Thanks Herb! Response inline:

Herb Martin wrote:
One area that seems unclear is the issue of their one and only single
root domain - which is patterned like this in their single AD DNS
forward lookup zone:

domain.company.com

Is the "domain" above technically a child? I say no since they have
only 1 domain controller, one domain. They do have two DC's but the
second is only for backup purposes.


They should have two (or more) DCs and DNS servers. For a single
domain forest they should both be GCs as well. If you have more than
one subnet, you almost certainly should have WINS Servers as well.

WINS? I thought that went out in the 80's. With excellent DNS and
LDAP/AD resolution, what is the benefit of WINS?





They felt this naming convention, adding the "domain" prefix, was
necessary and they also felt they had 2 domains in AD. Don't they only
have one, which is domain.company.com? I think the periods are
confusing... but this is their only and root domain.

Nothing wrong with that extra DNS label (prefix), but there is no
such thing as "feeling" they have two domains, they either do or they
do not.

Quite right.


Then the domain.company.com is NOT a child domain, just a three label
DNS name.

Ahhh. "Three label DNS name" does give clarity to the blurry bits.
Thanks for this term.


Question 1.) Does this mean that, although there are periods, there is
no AD child domain?

Yes (according to your description)

The entire domain, periods and all, is
domain.company.com. To have a child domain they would have to have a
child.domain.company.com, right?

Yes. (or that parent domain with the current one a child.)

They could also have had two sibling or unrelated domain
names for two AD domains and neither would be a child or parent.

Their name server/DC is named in DNS like this:
company1.domain.company.com

Odd name but you have altered it so maybe the real one isn't
so weird looking. DC1.domain.company.com or some such
would be more explanatory.

Yes, of course. I should have named it DC1.domain.company.com for
clarity. Sorry.


Question 2.) Couldn't they have simply used company.com?

Yes. They could have done that. It is a choice, not necessarily
better (and in some ways worse) than what they chose.

Is it okay to
use the exact same naming as one's public FQDN, e.g. company.com,
without adding a "child" domain to the front?

Ok? Yes, but there are several minor problems.

That's the pivotal decision I have to make. Keep them on a 3-label
domain name - domain.company.com - or revert them to company.com. What
are the "minor problems" with using the same AD name as one's FQDN DNS
name?



Of course it's only a child from the perspective of the FQDN. It's not
a child from the AD perspective because if they have only 1 domain
controller they can't possibly have a child domain, e.g. every domain,
child or not, must have a domain controller.

Yes.

On the other hand, I have seen many domain.company.com type naming
implementations at very small companies. Is this just best practice?

It's a choice. This is not even the most important thing to worry about
for a domain that needs maintenance.

I would be far more concerned to see all DCs pass a full DCDiag.exe
(frequently), have all of their service packs and hotfixes, and be checked
for other security issues.


Service packs, hotfixes and DCDiag check out. The design and which
AD/DNS naming scheme to choose is the tricky bit. They do use BIND for
everything; the exception is that AD uses its own DNS. Perhaps there
is no benefit to going to a company.com AD name when domain.company.com
is perhaps a better choice?


There is a pdf by John Dias called "A Guide to Microsoft Active
Directory (AD) Design" that has 5 DNS scenarios. It's quite informative
and well written.






--
Herb Martin, MCSE MVP
www.LearnQuick.Com
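The distinction Herb draws above (a "three label DNS name" versus an actual AD child domain) can be made mechanical: a domain is a child only when a proper DNS suffix of its name is itself an AD domain in the same forest, so the decision depends on the forest's domain list, not on how many periods the name contains. The following Python is an added example written for this page, not code from the thread or from Microsoft; the forest domain lists it uses are constructed inputs (in practice they would come from the forest's own domain list, e.g. Get-ADForest output or the forest's DNS/SRV data), and the names domain.company.com, child.domain.company.com and the sibling names are placeholders taken from or modelled on the thread.

```python
"""Decide, from the AD domain names that exist in a forest, which are
parent/child pairs and which are merely multi-label DNS names.

Added example for this thread, not Microsoft's code. The forest domain
lists passed in are constructed inputs; nothing here queries a real DC.
"""
from typing import Dict, List, Optional


def normalize(name: str) -> str:
    """Lower-case, strip whitespace and a trailing dot (FQDN form)."""
    return name.strip().rstrip(".").lower()


def label_count(name: str) -> int:
    """Number of DNS labels, e.g. domain.company.com -> 3."""
    return len(normalize(name).split("."))


def ad_parent(name: str, forest_domains: List[str]) -> Optional[str]:
    """Return the AD parent of `name`, or None if it is a tree root.

    A domain is a child only if some proper suffix of its DNS name is
    itself an AD domain in the same forest. Suffixes are tried longest
    first, so child.domain.company.com checks domain.company.com, then
    company.com, then com.
    """
    name = normalize(name)
    domains = {normalize(d) for d in forest_domains}
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in domains:
            return suffix
    return None


def forest_tree(forest_domains: List[str]) -> Dict[str, Optional[str]]:
    """Map every forest domain to its AD parent (None for tree roots)."""
    return {normalize(d): ad_parent(d, forest_domains) for d in forest_domains}


def describe(name: str, forest_domains: List[str]) -> str:
    """Human-readable verdict for one domain name in the given forest."""
    parent = ad_parent(name, forest_domains)
    n = label_count(name)
    if parent is None:
        return f"{normalize(name)}: {n}-label DNS name, AD tree root (not a child)"
    return f"{normalize(name)}: AD child domain of {parent}"


if __name__ == "__main__":
    # Constructed forests illustrating the cases discussed in the thread.
    single = ["domain.company.com"]                      # the poster's forest
    with_child = ["domain.company.com", "child.domain.company.com"]
    with_parent = ["company.com", "domain.company.com"]  # "that parent domain with the current one a child"
    siblings = ["sales.company.com", "eng.company.com"]  # two sibling names, neither a parent
    for forest in (single, with_child, with_parent, siblings):
        for d in forest:
            print(describe(d, forest))
        print()
```

Run as-is to print the verdict for each constructed forest. The single-domain case yields "3-label DNS name, AD tree root (not a child)", which is exactly the poster's situation; only the forests that actually contain a parent name produce a child verdict.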
