Channel: Directory Services forum

Creating new resource forest for Lync / Exchange / SharePoint 2013 - DNS and naming questions


Hi,

I'm standing up a new resource forest. This will host services (Lync, Exchange and SharePoint) for several other organizations, and we plan on using two-way forest trusts and disabled associated accounts for authentication. We will be supporting external access of all three technologies at servernames.domain.com.

I have a few questions, though. I wanted to go with domain.com for the root and then any child organizations could be child1.domain.com, child2.domain.com, etc. Domain.com is a 'real' DNS domain. The thought was that it would be simpler than splitting out ad.domain.com for the actual AD and then creating another zone for dns.com. Plus, it could get messy with child domains and the extra 'ad' hop in the names. Cert creation would be less cumbersome as well.

The issue with this approach seems to be DNS name publication. Since it's a real domain and will have several external resources, we need to expose some of the zone to the Internet. We don't necessarily want to publish all of our AD information to the Internet. We were thinking of performing a zone transfer with our external DNS advertisers for hosts that need to be seen by the outside world, and any organizations that we plan on trusting would use conditional forwarders and firewall rules to go directly to our DCs.

However, under the above scenario I'm not aware of any way to only allow certain hosts in a zone transfer. We could hand-crank a zone manually, but that's incredibly messy and cumbersome, especially with all the Lync _sipinternaltls entries and the like.

So, what's the best approach? I'm leaning towards an ad.domain.com root and then running a split-brain DNS scenario. If that's the best way to go I'll do it, but for the sake of simplicity (and the chaos of certificates) I would much rather run a domain.com root. I'm wondering if there are some DNS and/or AD technologies that I'm not thinking of, and would love to hear some other ideas. Thanks in advance.
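As an added illustration, not part of the original post or of any reply to it, of the "hand-cranked" external zone the question wants to avoid: a Python filter that takes a BIND-style text export of the internal domain.com zone (the kind `dnscmd /zoneexport` or `Export-DnsServerZone` write) and keeps only an allowlisted set of public records. It drops the AD subtrees (_msdcs, _sites, DomainDnsZones, ForestDnsZones), the _ldap/_kerberos/_gc/_kpasswd and _sipinternaltls SRV records, any A/AAAA record that points at an RFC 1918 or link-local address (which catches the apex A records Netlogon registers for the DCs), and the internal SOA/NS records that name the DCs. The zone contents, host names and addresses below are constructed, and the allowlist is an assumption to be adapted; the point is that the publication rule is written once and re-run after every change instead of being maintained by hand.

```python
"""Filter an AD-integrated zone export down to the records safe to publish externally.

Added example; not code from the original post.  Input format is BIND-style zone
text with the blank-owner continuation form that Windows DNS exports use.
"""
import ipaddress

ORIGIN = "domain.com."          # zone being published (assumed from the post)

# Labels that only exist because the zone is AD-integrated: never publish them.
AD_SUBTREES = {"_msdcs", "_sites", "domaindnszones", "forestdnszones"}
AD_SERVICES = {"_ldap", "_kerberos", "_kpasswd", "_gc", "_sipinternaltls", "_sipinternal"}

# Hypothetical allowlist of what the outside world needs (adapt to your deployment).
PUBLIC_HOSTS = {"sip", "lyncdiscover", "webconf", "av", "mail", "autodiscover", "sharepoint", "www"}
PUBLIC_SRV = {"_sip._tls", "_sipfederationtls._tcp"}
APEX_TYPES = {"MX", "TXT"}       # apex A records are DC addresses, so they are not here

# Explicit internal ranges (RFC 1918, loopback, link-local, ULA).  Listed by hand so
# the rule is visible; the 203.0.113.0/24 documentation range stands in for public IPs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]


def is_internal(addr):
    """True if addr parses as an address inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_zone(text):
    """Parse zone text into (owner, ttl, type, rdata) tuples; TTL and class are optional."""
    records, owner = [], "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip() or line.startswith("$"):  # blank lines and $ORIGIN/$TTL
            continue
        if raw[0].isspace():                          # continuation: same owner as before
            rest = line.strip()
        else:
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            owner, rest = parts
        tokens = rest.split()
        ttl = int(tokens.pop(0)) if tokens and tokens[0].isdigit() else None
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        records.append((owner, ttl, tokens[0].upper(), " ".join(tokens[1:])))
    return records


def relative(owner):
    """Owner name relative to ORIGIN ('@' for the apex); out-of-zone names are left alone."""
    low = owner.lower()
    if low in ("@", ORIGIN):
        return "@"
    if low.endswith("." + ORIGIN):
        return owner[: -len(ORIGIN) - 1]
    return owner


def classify(owner, rtype, rdata):
    """Return None if the record may be published, otherwise the reason it is withheld."""
    rel = relative(owner).lower()
    labels = rel.split(".")
    if any(label in AD_SUBTREES for label in labels):
        return "AD subtree"
    if labels[0] in AD_SERVICES:
        return "AD or Lync-internal service record"
    if rtype in ("SOA", "NS"):
        return "internal SOA/NS names a DC; the external provider supplies its own"
    if rtype in ("A", "AAAA"):
        try:
            if is_internal(rdata):
                return "private address"
        except ValueError:
            return "unparseable address"
    if rel == "@":
        return None if rtype in APEX_TYPES else "apex record not in allowlist"
    if rtype == "SRV":
        return None if rel in PUBLIC_SRV else "SRV not in allowlist"
    return None if rel in PUBLIC_HOSTS else "host not in allowlist"


def filter_zone(text):
    """Split a zone export into (kept, dropped); dropped entries carry the reason."""
    kept, dropped = [], []
    for owner, ttl, rtype, rdata in parse_zone(text):
        reason = classify(owner, rtype, rdata)
        if reason is None:
            kept.append((relative(owner), ttl, rtype, rdata))
        else:
            dropped.append((relative(owner), rtype, reason))
    return kept, dropped


def render(kept, default_ttl=3600):
    """Emit the kept records as a zone fragment for the external provider."""
    lines = [f"$ORIGIN {ORIGIN}", f"$TTL {default_ttl}"]
    for owner, ttl, rtype, rdata in kept:
        lines.append(f"{owner:<26}{(ttl or default_ttl):>6} IN {rtype:<5} {rdata}")
    return "\n".join(lines) + "\n"


# Constructed sample export: what an AD-integrated domain.com zone might contain.
SAMPLE_ZONE = """\
$ORIGIN domain.com.
$TTL 3600
@                        3600 SOA  dc1.domain.com. hostmaster.domain.com. 2024010101 900 600 86400 3600
                         3600 NS   dc1.domain.com.
                          600 A    10.0.0.10
                         3600 MX   10 mail.domain.com.
                         3600 TXT  "v=spf1 mx -all"
dc1                      3600 A    10.0.0.10
_ldap._tcp                600 SRV  0 100 389 dc1.domain.com.
_kerberos._tcp.dc._msdcs  600 SRV  0 100 88 dc1.domain.com.
_sipinternaltls._tcp     3600 SRV  0 0 5061 lyncfe01.domain.com.
lyncfe01                 3600 A    10.0.0.20
sip                      3600 A    203.0.113.10
lyncdiscover             3600 CNAME sip.domain.com.
_sip._tls                3600 SRV  0 0 443 sip.domain.com.
_sipfederationtls._tcp   3600 SRV  0 0 5061 sip.domain.com.
mail                     3600 A    203.0.113.25
autodiscover             3600 CNAME mail.domain.com.
sharepoint               3600 A    203.0.113.30
"""

if __name__ == "__main__":
    kept, dropped = filter_zone(SAMPLE_ZONE)
    print(render(kept))
    for owner, rtype, reason in dropped:
        print(f"withheld {owner} {rtype}: {reason}")
```

The allowlist is deliberately the only thing that lets a record out: a new DC, a new Lync front end or a new _tcp service record added by AD is withheld by default, and a private address is refused even if someone adds its host to the allowlist by mistake. Zone transfer (AXFR) has no per-record filtering, so this is the kind of step that has to sit between the internal zone and the external DNS advertiser if the AD domain and the public domain share a name.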

