Can A Domain Trust Another Domain With The Same ‘Root Domain’ Name?

KB ID 0001288 

Problem

About a month ago I was with a client to do some investigation/consultancy, they were a large company with their head office in the UK and a number of other offices around the world. They had a number of domains and sub domains and wanted to consolidate them all into a new domain.

Well that’s all OK, but the UK company has been purchased by a large American company, who were putting a lot of pressure on them to ‘get this done’.

So what was the problem? Well the American company had a domain called olduscomp.com, and were undergoing their own migration (not yet started) to newuscomp.com. The UK company wanted to use ukcomp.newuscomp.com 

Me: Thats OK once newuscomp.com is built, we will make ukcomp a child domain of that, that’s not a problem.

Client: Well that might not be built for quite some time, the guys in the states have problems of their own.

Me: OK we will build it here, then build our child domain, then we can then give them the root domain?

Client: That probably wont fly either, can we just build ukcomp.newuscomp.com here, them make it a child domain later?

Me: No, (the fist DC in a child domain needs to be a member of the parent domain).

Client: OK can we build ukcomp.newuscomp.com, and then when the US guys build newuscomp.com, can we get the domains to trust each other?

Me: I dont think so, (they have a similar namespace), I don’t think that will work? I would need to test it to see if it was possible.

The problem was dancing about on my mental ‘back-burner’ for the next few weeks, so in my free time, I thought I would investigate if it was possible.

Solution

Well I built both the domains, my usual procedure to creating a domain trust is;

  1. Create a conditional DNS forwarder in domain A for domain B
  2. Create a conditional DNS forwarder in domain B for domain A
  3. Go to Active Directory Domains and Trusts and setup the trust

As you can see from the diagram above I used subdomain.domain.com for the first domain, and I used domain.com for the second domain. So when I started, the only thing these domains shared is some namespace.

Creating a conditional forwarder in subdomain.domain.com for domain.com went without a hiccup.

However when I tried to create a conditional forwarder in domain.com for subdomain.domain.com this happened;

A problem occurred when trying to add the conditional forwarder. A zone configuration problem has occurred.

Oh dear, some investigation explained why;

Above from: Technet: Using Forwarders

However it does say I can delegate the namespace to another DNS server, would that work? If you don’t know what a delegation is read this article.

Then I setup the trust, and validated it.

So yes it does work, but you need to remember that these are two different domains that trust each other they just share a common piece of namespace. If it was a parent and child domain then when you were assigning permissions you would see something like this;

But instead, in our case when assigning permissions  you will see;

So yes it works and it looks like a sub domain, you can even call is a subdomain, but it isn’t, it’s just another domain that you can trust.

Related Articles, References, Credits, or External Links

NA

Locate your FSMO Role Servers

KB ID 0000221

Problem

You would like to know which servers are holding which roles. To move your FSMO Servers CLICK HERE

Solution

FSMO Servers

There are five FSMO (Flexible Single Master Operations) Roles that need to Exist in a Windows AD Forest.

  • PDC Emulator (One per domain)
  • RID Master (One per domain)
  • Schema Master (One per forest)
  • Domain Naming Master (One per forest)
  • Infrastructure Master (One per domain)

But I’ve Googled it, and it says there are Seven FSMO Roles?

To save arguments there are two further roles;

  • Domain DNS Zone Master role (One per domain)
  • Forest DNS Zone Master role (One per forest)

These two roles are not well documented, and there is no way to display or transfer them, (without using ADSIEdit.)

Locate FSMO Servers via Command

Option 1: PowerShell

Use the following commands;

[box]

Get-ADDomain | Select-Object DistinguishedName, SchemaMaster, DomainNamingMaster, InfrastructureMaster, PDCEmulator, RIDMaster

Get-ADForest | Select-Object Name,SchemaMaster, DomainNamingMaster, InfrastructureMaster, PDCEmulator, RIDMaster

[/box]

Option 2: Command Line

1. Start > Run cmd {enter}

2. Execute the following command. (Note: Older versions of Windows servers will need the support tools installing to run the netdom command).

In a Forest;

[box]netdom query /domain:YOURDOMAINNAME fsmo[/box]

In a Single Domain;

[box]netdom query fsmo[/box]

Locate FSMO Servers Graphically

To View RID MASTER, PDC EMULATOR and INFRASTRUCTURE MASTER

1. Go to a domain controller.

2. Start > run > dsa.msc {enter}

3. Right click domain name > Operations masters

Note: You can change the server holding these roles from this console.

To view the SCHEMA MASTER graphically do the following

1. Start > Run > regsvr32 schmmgmt.dll {enter} > OK

2. Start > run > mmc {enter}.

3. File > Add / Remove Snap-In > Add > Active Directory Schema > Add Close > OK

4. Right Click “Active Directory Schema” > Operations Master.

To View the DOMAIN NAMING MASTER

1. Start > Run > domain.msc {enter}

2. Right Click “Active Directory Domains and Trusts” > Operations Master.

General Rules for FSMO Placement

If you only have 1 domain in the forest everything goes in that one domain.

If not….

Forest Root Domain gets the Domain Naming Master, and the Schema Master roles

Each Domain gets The PDC Emulator, Infrastructure Master and RID Master roles.

Though not an FSMO role each logon location should have a Global Catalogue server

(Note: Yes you can cache logon requests and have Read only domain controllers now but in an ideal world I still place a GC at each site)

FSMO Placement

1. Do not put the Infrastructure Master on a Global Catalogue Server (see below for how to see if a domain controller is a global Catalogue server).

2. The PDC Emulator and RID Master should be on the same Server, If possible NOT on a Global Catalogue Server (though not essential).

3. The Schema Master and Domain Naming Master should be on the same machine that IS a Global Catalogue Server. (This is not true if your forest functional level is Windows Server 2003).

Locate Global Catalogue Servers

To check if a domain controller is also a global catalogue server:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

2. Double-click Sites in the left pane, and then browse to the appropriate site or click Default-first-site-name if no other sites are available.

3. Open the Servers folder, and then click the domain controller.

4. In the domain controller’s folder, double-click NTDS Settings.

5. On the Action menu, click Properties.

6. On the General tab, locate the Global Catalogue check box to see if it is selected.

Related Articles, References, Credits, or External Links

Windows Server – Locating, Transferring, and Seizing FSMO Roles

Transferring Your FSMO Roles