PC Review



Multiple dns domains in one AD domain?

 
 
mjcsfmail-google@yahoo.com
      5th Jan 2005
I have a small multi-site company which has not been using active
directory to date due to lack of time to set this up prior to now. I've
finally got some time to try my hand at this, but am new to it.

Based on a lot of reading, it seems like the best AD configuration is a
single forest with a single domain, and multiple sites. But currently,
we use site qualifiers in the domain names for existing computers and
would like to keep them that way - for example, joe's workstation in
San Francisco might be joe.sfo.domain.com and jane's in New York might
be jane.nyc.domain.com from a DNS perspective, but both users and both
computers would be in the single domain.com AD domain.

By default though, AD will set the dns suffix of each computer to the
AD domain of domain.com, not knowing about the sfo and nyc third-level
domain names.

It seems like I can create an OU for each site, and there is a group
policy setting called "primary DNS suffix" which can be set at the OU
level to set the correct dns domain suffixes for computers placed into
each OU. So by creating a different group policy applied to the "sfo"
and "nyc" OUs with the appropriate primary DNS suffix settings, I could
keep the existing FQDNs while still maintaining a single AD domain.

Has anyone out there done this?
Is this the right way to do this?
Is this a good idea?
Does anyone know where I can find more documentation on this?

I'd rather not change all our existing computer names if possible...

Thanks in advance!

Mike

P.S. I was also looking into an empty forest root domain of
domain.com with child domains named after the sites, such as
sfo.domain.com, so the dns domain structure would match the AD domain
structure, but that seems too complicated for a small company of maybe
100 users across 4 sites. We also have a few sites which are basically
cities with one or two telecommuting workers, and I'm not sure how I'd
handle that situation in a multi-AD-domain setup.

 
ptwilliams
      5th Jan 2005
I've read that you can do this, but it's tough to do it well and without
breaking Kerberos.

Personally, I'd either rename or take the empty root option.

In your case, the empty root does indeed seem like overkill. Is a rename
*that* bad?

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

Herb Martin
      5th Jan 2005


--
Herb Martin


<mjcsfmail-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I have a small multi-site company which has not been using active
> directory to date due to lack of time to set this up prior to now. I've
> finally got some time to try my hand at this, but am new to it.
>
> Based on a lot of reading, it seems like the best AD configuration is a
> single forest with a single domain, and multiple sites. But currently,
> we use site qualifiers in the domain names for existing computers and
> would like to keep them that way - for example, joe's workstation in
> San Francisco might be joe.sfo.domain.com and jane's in New York might
> be jane.nyc.domain.com from a DNS perspective, but both users and both
> computers would be in the single domain.com AD domain.
>
> By default though, AD will set the dns suffix of each computer to the
> AD domain of domain.com, not knowing about the sfo and nyc third-level
> domain names.


Why not just manually configure each DNS with
the site specific name and then let them all belong
to the REAL Domain/Zone automatically?

The computer doesn't really care what you call it
except as pertains to AD.

You can also add additional search suffixes so all
the machines can easily find their siblings with
unqualified names.

> Has anyone out there done this?
> Is this the right way to do this?
> Is this a good idea?


I think you are buying yourself a bunch of unwanted
trouble.

With the idea I proposed above you can maintain it or
just stop if it ever becomes a nuisance (it will.)
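
One way to check the single-domain, per-OU "primary DNS suffix" setup discussed in this thread for the Kerberos problem raised above; this is an added example, not part of any poster's message. It assumes the ActiveDirectory PowerShell module is available and relies on the `msDS-AllowedDNSSuffixes` attribute of the domain object (not mentioned in the thread), which lists the extra suffixes members are permitted to write into their `dNSHostName` and SPNs. The script is read-only.

```powershell
# Added example: audit computers whose primary DNS suffix differs from the AD domain name.
# Assumes the ActiveDirectory module (RSAT). Reads the directory only; changes nothing.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainObj = Get-ADObject -Identity $domain.DistinguishedName `
                          -Properties 'msDS-AllowedDNSSuffixes'

# Suffixes a member may register: the AD domain's own DNS name plus any
# value listed in msDS-AllowedDNSSuffixes on the domain object.
$allowed = @($domain.DNSRoot) + @($domainObj.'msDS-AllowedDNSSuffixes') |
    Where-Object { $_ }

$report = Get-ADComputer -Filter * -Properties dNSHostName, servicePrincipalName |
    ForEach-Object {
        $computer = $_
        $fqdn     = $computer.dNSHostName
        if (-not $fqdn) { return }   # account exists but never registered a host name

        # Everything after the first label is the primary DNS suffix in use.
        $suffix = $fqdn.Substring($fqdn.IndexOf('.') + 1)
        $spns   = @($computer.servicePrincipalName) | Where-Object { $_ }

        [pscustomobject]@{
            Computer       = $computer.Name
            DnsHostName    = $fqdn
            Suffix         = $suffix
            # False: the suffix is neither the domain name nor an allowed one,
            # so the member cannot keep dNSHostName and its SPNs up to date.
            SuffixAllowed  = $allowed -contains $suffix
            # False: no HOST SPN for the FQDN clients will use, so Kerberos
            # service tickets for that name cannot be issued.
            HostSpnForFqdn = $spns -contains "HOST/$fqdn"
        }
    }

# Show only the machines that need attention, grouped by site suffix.
$report |
    Where-Object { -not $_.SuffixAllowed -or -not $_.HostSpnForFqdn } |
    Sort-Object Suffix, Computer |
    Format-Table -AutoSize
```

An empty result means every computer's suffix is permitted and has a matching HOST SPN; rows with `SuffixAllowed` false point at suffixes such as `sfo.domain.com` that have not been added to the domain object's allowed list.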


 