11

I'm attempting to determine whether it is possible to have two Active Directory domain controllers running on the same network, within the same subnet, with two separate domains. I do not want these two domain controllers to be linked in any way (accounts, etc.), except by the switch I have connecting them.

My current concern is in regards to DNS -- as far as I am concerned, this is the main problem. Since I have one single DHCP server handling the entire network, I want to have one set of DNS server IP addresses handed out to all clients. However, the DNS server of DomainA won't be able to answer queries for DomainB, and so on.

I imagine this could be resolved via forwarders -- i.e., I could set the IP addresses of both DNS servers in my DHCP config and then tell DomainA to forward requests for *.DomainB to DomainB's DNS, and vice versa. I could also use a single aggregation which properly forwards the requests to the individual servers.

However, I don't know if this will work, or if there is a better option. If this was a business network, I would go ahead and set up VLANs, multiple DHCP servers, etc. However, I'm looking for simplicity (as much simplicity as you can achieve with a domain controller in your house...)

The reason for running two domain controllers on the same network? I run a lab at my home and I've now convinced the person I live with to run a domain controller of their own. However, I want to keep everything segregated for security reasons.

Any assistance is appreciated.

BSchlinker

4 Answers

8

The two domains will not interfere with each other on the same network. There will be no trust established between them unless you manually establish one.

The DHCP issue is a valid point, and your potential fix is correct - you can hand out the DNS address of one domain via DHCP, and use a forwarder to resolve the other domain's namespace. An alternative fix would be to manually configure networking for the clients on one of the domains, and point their DNS manually at the correct domain controller. You can leave the other domain's clients working from DHCP.

We have a few subnets that are used for internal testing and have 5+ different domains running on them, no real issues to speak of.

Chris Thorpe
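The forwarder setup described in this answer and the next one, as an added example that is not part of any answer or the question: run on DomainA's domain controller, it makes DomainA's Windows DNS server able to resolve DomainB's namespace, and shows the check a practitioner would run afterwards. The domain names, the scope of replication and the address of DomainB's DNS server are assumptions; the same script with the names swapped is run on DomainB's DC so resolution works both ways.

```powershell
# Added example, not code from the question or the answers.
# Assumptions: DomainA = corp-a.lab (the DNS server this runs on),
# DomainB = corp-b.lab, DomainB's DNS server at 192.168.1.20.
# Run in an elevated PowerShell session on DomainA's domain controller.
Import-Module DnsServer

$otherDomain   = 'corp-b.lab'       # assumed name of DomainB
$otherDnsHosts = @('192.168.1.20')  # assumed address(es) of DomainB's DNS server

# Option 1: conditional forwarder. Queries for *.corp-b.lab are sent straight
# to DomainB's DNS server; nothing from DomainB is copied into DomainA's DNS.
# ReplicationScope 'Domain' stores it in AD so every DomainA DC gets it.
if (-not (Get-DnsServerZone -Name $otherDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $otherDomain `
        -MasterServers $otherDnsHosts `
        -ReplicationScope 'Domain'
}

# Option 2 (alternative; do not create both for the same name): a stub zone.
# Only the NS, SOA and glue records are copied, so DomainA's server looks up
# DomainB's authoritative servers itself and the list follows DomainB's DCs.
# Add-DnsServerStubZone -Name $otherDomain -MasterServers $otherDnsHosts -ReplicationScope 'Domain'

# Check: a DomainB-joined client that gets DomainA's DNS from DHCP needs this
# SRV record to find DomainB's DCs, so it must resolve through DomainA's server.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$otherDomain" -Type SRV -Server 'localhost'
```

If the `Resolve-DnsName` call returns the SRV record for DomainB's DC, clients handed only DomainA's DNS address can still locate and log on to DomainB. Reverse lookup zones are not covered by this; if you want reverse resolution for DomainB's addresses as well, the in-addr.arpa zone needs a forwarder or stub zone of its own.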
3

I had a fairly long answer all typed up on why you shouldn't go down this road, and then I reread your question and saw the part where you said that this is in your house, so here's my revised answer:

Assign only one domain's DNS servers via DHCP. On those DNS servers either set up conditional forwarders for the other domain or create a stub zone for the other domain.

I haven't done this so I'm not 100% positive that it would work, but I can't think of any reason it wouldn't.

joeqwerty
3

I just finished doing this for a migration scenario. It worked... kinda.

The caveat to watch out for is the domain name suffix. If you specify one, the clients will have a difficult time resolving some hostnames. So don't specify one. That way, the clients will resolve hostnames based upon the domain they're joined to.

Aside from that, just set up your DNS conditional forwarders correctly and you should be fine.

Jason Berg
  • You don't have to configure the DNS suffix option for the DHCP scope. Left unconfigured via DHCP, the DHCP clients should use the primary DNS suffix from their domain membership. In fact, in an AD domain there's no reason to configure a DNS suffix option in the DHCP scope. I only configure this option when I'm dealing with non-domain joined clients that I want to have common DNS name resolution and DNS name registration. – joeqwerty Aug 27 '11 at 14:51
  • @joe - I don't seem to be able to -1 my own post, so I've just corrected it. Thank you for your knowledge and input. – Jason Berg Aug 27 '11 at 16:03
  • Glad to help. +1 for the updated answer. – joeqwerty Aug 27 '11 at 17:21
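The DHCP side of this answer and its comments, as an added example that is not part of the answer or the comments: the single DHCP scope hands out only DomainA's DNS server (option 6) and carries no DNS domain name option (option 15), so a client keeps the primary DNS suffix of whichever domain it is joined to. The scope ID and the DNS server address are assumptions; run it in an elevated session on the DHCP server.

```powershell
# Added example, not code from the answer or the comments.
# Assumptions: one scope 192.168.1.0/24, DomainA's DNS server at 192.168.1.10.
Import-Module DhcpServer

$scope       = '192.168.1.0'      # assumed DHCP scope ID
$dnsForScope = @('192.168.1.10')  # assumed address of DomainA's DNS server

# Option 6: the DNS server list every client in the scope receives.
Set-DhcpServerv4OptionValue -ScopeId $scope -DnsServer $dnsForScope

# Option 15 (DNS domain name): remove it at scope level and at server level if
# it is set anywhere, so clients are not given a suffix that overrides the one
# from their domain membership.
foreach ($level in @(@{ ScopeId = $scope }, @{})) {
    $opt = Get-DhcpServerv4OptionValue -OptionId 15 @level -ErrorAction SilentlyContinue
    if ($opt) { Remove-DhcpServerv4OptionValue -OptionId 15 @level }
}

# Check: the scope should now show option 6 and no option 15.
Get-DhcpServerv4OptionValue -ScopeId $scope | Where-Object { $_.OptionId -in 6, 15 }

# On a DomainB-joined client after 'ipconfig /renew', the primary suffix should
# still be DomainB's name and the connection-specific suffix should be empty:
#   (Get-CimInstance Win32_ComputerSystem).Domain
#   Get-DnsClientGlobalSetting | Select-Object SuffixSearchList
```

The second `@{}` entry in the loop is the server-level option set, which scopes inherit from, so clearing only the scope is not enough if the suffix was set globally. The two client-side commands at the end are there to confirm the point made in the comments: with no suffix from DHCP, a DomainB machine keeps DomainB's primary suffix and single-label names still resolve within its own domain.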
0

I recommend moving DNS services to a Linux system. Windows Domains are not the same thing as Internet domains, but I see clients confuse this all the time.

And, the less your Windows environment is exposed to the Internet, the happier you'll be.

Ralph H