Can A Domain Trust Another Domain With The Same ‘Root Domain’ Name?

KB ID 0001288 Dtd 07/03/17

Problem

About a month ago I was with a client doing some investigation/consultancy work. They were a large company with their head office in the UK and a number of other offices around the world. They had a number of domains and sub domains and wanted to consolidate them all into a new domain.

Well that’s all OK, but the UK company had been purchased by a large American company, who were putting a lot of pressure on them to ‘get this done’.

So what was the problem? Well, the American company had a domain called olduscomp.com, and were undergoing their own migration (not yet started) to newuscomp.com. The UK company wanted to use ukcomp.newuscomp.com.

Me: That’s OK, once newuscomp.com is built we will make ukcomp a child domain of that, that’s not a problem.

Client: Well that might not be built for quite some time, the guys in the states have problems of their own.

Me: OK, we will build it here, then build our child domain, then we can give them the root domain?

Client: That probably won’t fly either, can we just build ukcomp.newuscomp.com here, then make it a child domain later?

Me: No, (the first DC in a child domain needs to be a member of the parent domain).

Client: OK can we build ukcomp.newuscomp.com, and then when the US guys build newuscomp.com, can we get the domains to trust each other?

Me: I don’t think so, (they have a similar namespace), I don’t think that will work. I would need to test it to see if it was possible.

The problem was dancing about on my mental ‘back-burner’ for the next few weeks, so in my free time I thought I would investigate whether it was possible.

Root Domains same name

Solution

Well, I built both domains. My usual procedure for creating a domain trust is:

  1. Create a conditional DNS forwarder in domain A for domain B
  2. Create a conditional DNS forwarder in domain B for domain A
  3. Go to Active Directory Domains and Trusts and setup the trust

As you can see from the diagram above, I used subdomain.domain.com for the first domain and domain.com for the second domain. So when I started, the only thing these domains shared was some namespace.

Creating a conditional forwarder in subdomain.domain.com for domain.com went without a hiccup.

Setup Domain Conditional Forwarding

However, when I tried to create a conditional forwarder in domain.com for subdomain.domain.com, this happened:

A problem occurred when creating a conditional forwarder

A problem occurred when trying to add the conditional forwarder. A zone configuration problem has occurred.

Oh dear. Some investigation explained why:

DNS server cannot forward for its own domain

Above from: Technet: Using Forwarders

However, it does say I can delegate the namespace to another DNS server. Would that work? If you don’t know what a delegation is, read this article.

Create a Delegated Domain

Then I set up the trust and validated it.

Validate a domain trust / Validate an incoming domain trust
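The same three steps, with the delegation used in place of the forwarder that domain.com refuses to create, as an added PowerShell example (this is not from the original article, and the server names and IP addresses in it are assumed for illustration):

```powershell
# Added example, not the article's own commands. Uses the DnsServer and
# ActiveDirectory modules plus netdom. Names/addresses below are assumptions.

# --- Step 1: run on a DC/DNS server in subdomain.domain.com -------------------
# A conditional forwarder for domain.com works here, because this server is
# not authoritative for the domain.com zone.
# 10.0.1.10 = assumed DNS server in domain.com
Add-DnsServerConditionalForwarderZone -Name 'domain.com' `
    -MasterServers 10.0.1.10 `
    -ReplicationScope 'Forest'

# --- Step 2: run on a DC/DNS server in domain.com -----------------------------
# A conditional forwarder for subdomain.domain.com fails here ("A zone
# configuration problem has occurred") because subdomain.domain.com sits
# inside the domain.com zone this server already hosts. Delegate the
# sub-namespace to the subdomain's own DNS server instead.
# dc1.subdomain.domain.com / 10.0.2.10 = assumed DC+DNS in the subdomain
Add-DnsServerZoneDelegation -Name 'domain.com' `
    -ChildZoneName 'subdomain' `
    -NameServer 'dc1.subdomain.domain.com' `
    -IPAddress 10.0.2.10

# Before touching the trust, confirm the domain.com side can now locate the
# subdomain's domain controllers; the trust wizard relies on this lookup.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.subdomain.domain.com' -Type SRV

# --- Step 3: create and validate the trust (run on a DC in domain.com) --------
# /PasswordD:* prompts for the password of the subdomain account.
netdom trust domain.com /Domain:subdomain.domain.com /Add /TwoWay `
    /UserD:subdomain\Administrator /PasswordD:*

# Same check as "Validate" in Active Directory Domains and Trusts.
netdom trust domain.com /Domain:subdomain.domain.com /Verify

# Show how AD records it: Direction, and IntraForest=False because it is an
# external trust to a separate domain, not a parent/child link.
Get-ADTrust -Filter "Target -eq 'subdomain.domain.com'" |
    Select-Object Name, Target, Direction, TrustType, IntraForest, ForestTransitive
```

The delegation in step 2 only makes sense if the DNS server in domain.com is authoritative for the domain.com zone; if the parent zone lived somewhere else (say an external DNS provider), the conditional forwarder would have been accepted and no delegation would be needed.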

So yes, it does work, but you need to remember that these are two different domains that trust each other; they just share a common piece of namespace. If it was a parent and child domain, then when you were assigning permissions you would see something like this:

Child Domain Permissions

But instead, in our case, when assigning permissions you will see:

Trusted domain permissions

So yes, it works and it looks like a sub domain, you can even call it a subdomain, but it isn’t, it’s just another domain that you can trust.
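A quick way to tell the two cases apart without opening the permissions dialog, as an added PowerShell example (not part of the original article; the function name is made up here). Run it from a DC in the domain you are checking from, giving it the name that "looks like" a subdomain:

```powershell
# Added example, not the article's own code. Requires the ActiveDirectory
# module. The function name Get-DomainRelationship is an assumption.
function Get-DomainRelationship {
    param([Parameter(Mandatory)][string]$Name)

    $me = Get-ADDomain   # the domain this DC belongs to

    # A real parent/child relationship shows up on the domain object itself:
    # the child is listed in ChildDomains, or the parent is our ParentDomain.
    if (($me.ChildDomains -contains $Name) -or ($me.ParentDomain -eq $Name)) {
        return [pscustomobject]@{
            Name         = $Name
            Relationship = 'Parent/child in the same forest'
            Direction    = 'BiDirectional'
            IntraForest  = $true
        }
    }

    # Otherwise look for a trust object pointing at that name. A domain that
    # merely shares namespace (the article's subdomain.domain.com) appears
    # here, with IntraForest = False.
    $trust = Get-ADTrust -Filter "Target -eq '$Name'" -ErrorAction SilentlyContinue
    if ($trust) {
        return [pscustomobject]@{
            Name         = $Name
            Relationship = 'Separate domain, trusted'
            Direction    = $trust.Direction
            IntraForest  = $trust.IntraForest
        }
    }

    return [pscustomobject]@{
        Name         = $Name
        Relationship = 'No trust and not in this forest tree'
        Direction    = 'None'
        IntraForest  = $false
    }
}

# Usage, from a DC in domain.com:
Get-DomainRelationship -Name 'subdomain.domain.com'
```

If the result says "Separate domain, trusted" with IntraForest False, then group nesting, SID filtering and permission assignment all behave as they would for any external trust, regardless of how similar the DNS names look.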

Related Articles, References, Credits, or External Links

NA

Author: PeteLong
