There are times when you need to separate or delegate some parts of your Active Directory infrastructure, and the simplest way to do that is to create a new child domain in the existing AD forest. This way you don't have to create trusts between the two domains yourself: a parent/child trust is created automatically and is two-way, meaning domain A trusts domain B and vice versa. Now I don't want to bore you with a lot of theory here, so I will get to work. In this lab I have a Domain Controller in site A and a Windows Server 2008 R2 server in site B. Sites A and B are connected through a VPN. The server in site B will hold the child domain "amsterdam.vkernel.local".
Before we go to Amsterdam (I don’t know, I just like the name) we need to create and configure sites by opening Active Directory Sites and Services from Administrative Tools. Right-click the Sites folder and choose New Site.
In the Name box type the name of the new site, which is Amsterdam in this example, then select the DEFAULTIPSITELINK and click OK.
An information screen pops up telling us that we need to add a subnet to the site we just created. Click OK, because this was my next step anyway.
Right-click the Subnets folder and choose New Subnet.
In the Prefix box type the subnet for the branch office then select a site object for this prefix. In this case the subnet for the branch office is 192.168.100.0/24 and the site object is Amsterdam.
Now let's take care of the main office site too. Right-click Default-First-Site-Name and choose Rename. Give it a name that represents the main office location, which in this case is Cluj-Napoca.
Go to the Subnets folder again, right-click the folder and choose New Subnet. In the Prefix box type the subnet for the main office, then select the site object.
Now your Active Directory Sites and Services should look like this.
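The site and subnet work from the steps above, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module from Windows Server 2012 or the matching RSAT (2008 R2 has no replication-site cmdlets), and the main office subnet 192.168.1.0/24 is an assumed value.

```powershell
Import-Module ActiveDirectory

# Subnet-to-site mapping for this lab. 192.168.100.0/24 is from the post;
# 192.168.1.0/24 for the main office is an assumed value.
$SiteMap = @{
    'Amsterdam'   = '192.168.100.0/24'
    'Cluj-Napoca' = '192.168.1.0/24'
}

# Rename Default-First-Site-Name so it reflects the main office location.
# -Filter returns nothing (no error) if the site was already renamed.
$default = Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'"
if ($default) {
    Rename-ADObject -Identity $default.DistinguishedName -NewName 'Cluj-Napoca'
}

foreach ($siteName in $SiteMap.Keys) {
    # Create the site if it does not exist yet and put it on DEFAULTIPSITELINK,
    # which is what the New Site dialog does.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName
        Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $siteName }
    }

    # Attach the subnet to the site. Without this mapping the dcpromo wizard
    # cannot pick the right site for the new domain controller.
    $prefix = $SiteMap[$siteName]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $siteName
    }
}

# Same information as the Subnets folder in Active Directory Sites and Services.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```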
On the branch office server configure the IP settings. In the DNS box you need to put the IP address of the Domain Controller in the main office so the server can find the domain.
I assume you have a proper VPN connection between the two locations, and both servers can communicate. Now we can start creating the child domain in the branch office. Do a Start > Run > dcpromo and click OK.
After the binaries are installed the Active Directory Domain Services Installation Wizard appears. Check the Use Advanced mode installation box and click Next.
In Windows Server 2008 and 2008 R2 a new security setting was implemented and older clients may be affected. This is what the Operating System Compatibility page is telling us, but that is not our case since we have only 2008 R2 operating systems. Click Next to continue.
On the Deployment Configuration page choose Existing Forest > Create a new domain in an existing forest. Do NOT check the box Create a new domain tree instead of a new child domain, because we are not creating the child domain in a separate tree.
Type the domain name in the main office, then provide the proper credentials to connect to the domain. The user account must be a member of the Domain Admins group or the Enterprise Admins group.
In the first box click the Browse button to select the parent domain. In the second box type the name of your child domain, which in this example is Amsterdam.
Leave the defaults here and click Next to continue.
If you have the intention of creating additional domain controllers in this domain (amsterdam.vkernel.local) with older operating systems (2000-2003), leave the domain functional level at 2000 or 2003. Since we have only Windows 2008 R2 we can set the domain functional level at Windows Server 2008 R2.
As you can see, the correct site was automatically selected based on the subnet we created earlier. If the wizard selected the wrong site, uncheck the box Use the site that corresponds to the IP address of this computer and select the proper site from the list. I never had to do that; you will only have to if Active Directory Sites and Services is not configured correctly.
Check the Global Catalog box here, so we have faster searches for objects in AD. More information about Global Catalog servers can be found here.
Select the replication partner in the other domain. If you have multiple Domain Controllers in the main office you should set only one of them to be the replication partner with the one in the branch office.
Here you can change the Active Directory database and logs location, if you don’t like the default one.
Type a password for the Active Directory Restore Mode then click Next.
Review your selections on the Summary screen, and if everything is OK click the Next button to start creating the child domain.
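The wizard choices from the dcpromo steps above as an unattended run, added here as an example and not taken from the original post. The replication partner name dc01.vkernel.local, the Administrator account and the C:\Windows paths are assumed values; dcpromo on 2008 R2 accepts both the answer file and command-line overrides shown.

```powershell
# Answer file for dcpromo /unattend, mirroring the wizard pages in the post.
$Answer = @"
[DCINSTALL]
ReplicaOrNewDomain=Domain
NewDomain=Child
ParentDomainDNSName=vkernel.local
ChildName=amsterdam
DomainNetbiosName=AMSTERDAM
; replication partner in the parent domain (assumed host name)
ReplicationSourceDC=dc01.vkernel.local
; site created earlier, set explicitly instead of relying on the subnet lookup
SiteName=Amsterdam
InstallDNS=Yes
CreateDNSDelegation=Yes
ConfirmGc=Yes
; 4 = Windows Server 2008 R2 domain functional level
DomainLevel=4
; wizard defaults on a standard install (assumed system drive)
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Domain Admins / Enterprise Admins account in the parent; * prompts for the password
UserDomain=vkernel.local
UserName=Administrator
Password=*
; reboot by hand after reviewing %SYSTEMROOT%\debug\dcpromo.log
RebootOnCompletion=No
"@
$AnswerFile = Join-Path $env:TEMP 'child-domain.txt'
Set-Content -Path $AnswerFile -Value $Answer -Encoding Ascii

# The Directory Services Restore Mode password is passed on the command line
# (it overrides the file), so it is never written to disk with the settings.
$secure = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
try {
    & dcpromo.exe "/unattend:$AnswerFile" "/SafeModeAdminPassword:$dsrm"
    # dcpromo exit codes 1-4 mean success (2 and 4: reboot required); anything else failed
    if (-not (1..4 -contains $LASTEXITCODE)) {
        throw "dcpromo failed with exit code $LASTEXITCODE, see %SYSTEMROOT%\debug\dcpromoui.log"
    }
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Item $AnswerFile -ErrorAction SilentlyContinue
}
```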
If during the Active Directory Domain Services installation process you get the error The operation failed because: Active Directory Domain Services could not replicate the directory partition… "Could not find the domain controller for this domain", join the server to the domain, reboot, then resume the dcpromo operation.
After the domain controller reboots, login using the Administrator account. You will be asked to change the password, and you will need to provide a complex password to be able to continue.
Now if you open Active Directory Sites and Services you can see the new domain controller created in the Amsterdam site.
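A few checks to run on the new child domain controller after the reboot, added here as an example rather than taken from the original post. It relies only on nltest, repadmin and dcdiag, which are installed with AD DS on Windows Server 2008 R2.

```powershell
# 1. Site placement: the first output line of nltest /dsgetsite is the site name,
#    which should be the Amsterdam site created earlier.
$site = (nltest /dsgetsite | Select-Object -First 1).Trim()
if ($site -ne 'Amsterdam') {
    Write-Warning "DC is in site '$site', expected Amsterdam; check the subnet-to-site mapping"
}

# 2. The parent/child trust is created automatically and should be listed
#    with both inbound and outbound directions.
nltest /domain_trusts /all_trusts

# 3. Replication with the partner in the parent domain, and whether the new DC
#    is advertising itself as a DC and Global Catalog.
repadmin /replsummary
dcdiag /test:replications /test:advertising
```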