KB ID 0001288
Problem
About a month ago I was with a client to do some investigation/consultancy, they were a large company with their head office in the UK and a number of other offices around the world. They had a number of domains and sub domains and wanted to consolidate them all into a new domain.
Well that’s all OK, but the UK company has been purchased by a large American company, who were putting a lot of pressure on them to ‘get this done’.
So what was the problem? Well the American company had a domain called olduscomp.com, and were undergoing their own migration (not yet started) to newuscomp.com. The UK company wanted to use ukcomp.newuscomp.com
Me: Thats OK once newuscomp.com is built, we will make ukcomp a child domain of that, that’s not a problem.
Client: Well that might not be built for quite some time, the guys in the states have problems of their own.
Me: OK we will build it here, then build our child domain, then we can then give them the root domain?
Client: That probably wont fly either, can we just build ukcomp.newuscomp.com here, them make it a child domain later?
Me: No, (the fist DC in a child domain needs to be a member of the parent domain).
Client: OK can we build ukcomp.newuscomp.com, and then when the US guys build newuscomp.com, can we get the domains to trust each other?
Me: I dont think so, (they have a similar namespace), I don’t think that will work? I would need to test it to see if it was possible.
The problem was dancing about on my mental ‘back-burner’ for the next few weeks, so in my free time, I thought I would investigate if it was possible.
Solution
Well I built both the domains, my usual procedure to creating a domain trust is;
- Create a conditional DNS forwarder in domain A for domain B
- Create a conditional DNS forwarder in domain B for domain A
- Go to Active Directory Domains and Trusts and setup the trust
As you can see from the diagram above I used subdomain.domain.com for the first domain, and I used domain.com for the second domain. So when I started, the only thing these domains shared is some namespace.
Creating a conditional forwarder in subdomain.domain.com for domain.com went without a hiccup.
However when I tried to create a conditional forwarder in domain.com for subdomain.domain.com this happened;
A problem occurred when trying to add the conditional forwarder. A zone configuration problem has occurred.
Oh dear, some investigation explained why;
Above from: Technet: Using Forwarders
However it does say I can delegate the namespace to another DNS server, would that work? If you don’t know what a delegation is read this article.
Then I setup the trust, and validated it.
So yes it does work, but you need to remember that these are two different domains that trust each other they just share a common piece of namespace. If it was a parent and child domain then when you were assigning permissions you would see something like this;
But instead, in our case when assigning permissions you will see;
So yes it works and it looks like a sub domain, you can even call is a subdomain, but it isn’t, it’s just another domain that you can trust.
Related Articles, References, Credits, or External Links
NA