
Adding a Regional (Child) Domain

After the root domain has been created, any number of child domains can be added to the domain tree. Windows Server 2008 puts a slightly different spin on the child domain than Windows 2000 Server and Windows Server 2003 did. Because a single domain can accommodate a very large organization, there is no need to build a tree of domains that mimics the corporate org chart; the engineering and marketing departments do not need domains of their own, whatever they may say. Within a single domain, groups and organizational units handle access control and delegated administration for related sets of users (such as the engineers or the marketing staff). Every additional domain adds domain controllers that must be secured and kept replicating, so create one only when there is a real reason to.

Child domains, or regional domains (the term Microsoft now prefers), are best used where regional offices should be outfitted with their own domain controllers that control a domain of their own. The organization's domain structure then consists of the root domain at the top of the tree and regional domains (subdomains, if you will) that branch off it.

Each regional domain controller pulls its initial copy of the forest-wide directory partitions (the schema and configuration partitions) from an existing domain controller in the forest, typically the first domain controller you brought online when you created the root domain, and thereafter replicates those partitions with other domain controllers in the forest according to the site topology. The regional domain's own domain partition is replicated only among the domain controllers of that regional domain. Each regional domain controller resides in a site that defines its geographic location and lets you control the intersite replication that takes place between the various sites in the domain hierarchy (we talk more about sites in Hour 9).

To create the regional (child) domain and bring the first domain controller online in that new domain, you use the Add Roles Wizard to install the Active Directory Domain Services (as we did when we created the forest and root domain and brought the first domain controller online in the root domain).

The process of creating the child domain also configures a domain controller for the new domain and can bring a DNS server online for the new regional domain (by adding the DNS Server role to the new domain controller).

To create the new regional (child) domain and bring its first domain controller online, you need a server at that location with Windows Server 2008 already installed that can reach an existing domain controller and DNS server in the forest over the network. The steps to create the domain and bring the domain controller online are very similar to the steps for creating the root domain (as discussed in the previous section).

Follow these steps:

1. Open the Add Roles Wizard (click the appropriate icon) in either the Initial Configuration Tasks window or the Server Manager (with the Roles node selected).

2. Click Next to bypass the initial Wizard screen.

3. On the next screen, select the Active Directory Domain Services role. Then click Next.

4. The next screen provides a list of things to note as you proceed with the installation (as discussed in the previous section). Click Install to add the AD DS role.

5. On the final Add Roles Wizard screen, click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe), as shown in Figure 8.5.

Figure 8.5. Specify the location for the database folder, log file, and SYSVOL folder.


By the Way

Adding an additional domain controller to an existing domain is also handled with the dcpromo.exe utility. dcpromo.exe can also run without the wizard pages by reading its settings from an answer file (dcpromo /unattend:answerfile), which is how promotions are scripted.

6. On the Active Directory Domain Services Installation Wizard’s welcome screen click Next.

7. On the next page (the Deployment Configuration page) click Existing Forest and then click Create a New Domain in an Existing Forest (see Figure 8.6). Then click Next to continue.

Figure 8.6. Select the options that enable you to create a new domain in an existing forest.


8. On the next page (the Network Credentials page), type the DNS name of an existing domain in the forest that will contain the new domain. For example, if you are creating a regional domain beneath the forest root domain, type the name of the root domain (spinach.com in the examples in this hour).

9. You also have to provide credentials with the right to add a new domain to the forest. Creating a child domain requires membership in the forest's Enterprise Admins group (the account that created the forest is a member). Click either My Current Logged On Credentials or Alternate Credentials; your current credentials work only if that account has the rights to add the domain to the forest. If you click Alternate Credentials, click Set and provide the user name and password of an account with administrative rights in the forest (see Figure 8.7). Click OK and then click Next to continue.

Figure 8.7. Provide the password for the Administrator account that has administrative rights in the forest.

10. On the next wizard screen, type the FQDN of the domain that will serve as the parent of the new child domain. If you are creating a nested regional domain, this is your root domain. Then type the single-label DNS name of the child domain, meaning the new label only, without the parent's DNS suffix (for example, popeye rather than popeye.spinach.com). The wizard derives the NetBIOS name from this label, so the two are the same as long as the label does not exceed 15 characters. Then click Next.

11. On the next screen, the new domain’s NetBIOS name is listed (as generated by the wizard based on the single-label DNS name you entered in the previous step). You can edit it if you choose. Click Next.

12. The next screen asks you to select a site for the new domain controller. The sites you have created for your forest are listed on this screen (see Figure 8.8). The wizard can also pick the site whose subnet contains this server's IP address, if such a site and subnet already exist. Select a site and then click Next.

Figure 8.8. Select the site for the new domain.


Did you Know?

It may make sense to create your site hierarchy before you begin to deploy your regional domain controllers (and create the regional domains). Sites matter because the site links between them control how and when the domain controllers in different sites replicate with one another. You can even pause at step 11, create your sites, and then continue with step 12. Or you can create the sites later if you prefer. For more about sites, see Hour 9.

13. On the next screen, select the additional options for this domain controller: DNS Server and Global Catalog. In some cases (for example, when the DNS Server role is already installed on this server) the DNS Server option cannot be changed. The Read-only domain controller option is not available here, because the first domain controller in a new domain must be writable. Select the Global Catalog option if this will be the only domain controller in the regional (child) domain: without a global catalog in the site, user logons in that domain depend on reaching a global catalog elsewhere in the forest over the WAN link. Click Next.

14. The next screen lists the domain controllers in the forest from which the initial replication can be sourced. You can let the wizard choose a replication partner for the domain controller you are creating, or you can pick one from the list (for a regional site, choose a domain controller with a good network connection to it). Then click Next.

15. On the next screen, select the location for the database folder, log file folder, and SYSVOL folder (you can go with the defaults); then click Next to continue.

16. On the next wizard page, you must set the Directory Services Restore Mode Administrator password. This is the local Administrator password used to log on to the domain controller when it is started in Directory Services Restore Mode, so choose a strong password and record it somewhere secure; it can be changed later with ntdsutil. Then click Next.

17. A summary screen shows all the selections that you have made during the process. Review them here; the Export Settings button on this page saves those selections as an answer file that dcpromo.exe can reuse for an unattended installation. Click Next.

18. The wizard configures Active Directory Domain Services and your new domain controller. When the process is complete, click Finish. The server must then be restarted.
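The same promotion can be scripted instead of clicked through. The following PowerShell script is an added example, not code from the book or from Microsoft; it builds a dcpromo answer file for the regional domain and runs dcpromo.exe in unattended mode. Everything not on this page is an assumption: the parent domain spinach.com, the child label popeye, a replication source named dc1.spinach.com, a site named Seattle that already exists, and the Administrator account of the root domain as the Enterprise Admins account. Run it in an elevated PowerShell prompt on the Windows Server 2008 server that will become the first domain controller of the new domain, after the AD DS role has been added (step 4).

```powershell
# Added example (not from the book): unattended dcpromo for a regional (child) domain.
# Assumed names: parent domain spinach.com, child label popeye, source DC dc1.spinach.com,
# existing site Seattle, Enterprise Admins account spinach.com\Administrator.
param(
    [string]$ParentDomain = 'spinach.com',       # assumed root domain
    [string]$ChildLabel   = 'popeye',            # assumed single-label child name
    [string]$SiteName     = 'Seattle',           # assumed existing site (see Hour 9)
    [string]$SourceDC     = 'dc1.spinach.com',   # assumed DC to replicate from
    [string]$AdminUser    = 'Administrator',     # assumed Enterprise Admins account
    [string]$AnswerFile   = (Join-Path $env:TEMP 'new-child-domain.txt')
)

# Steps 10 and 11: the child name must be one DNS label (no dots, no suffix);
# the NetBIOS name is the upper-cased label, cut to the 15-character limit.
if ($ChildLabel -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$') {
    throw "'$ChildLabel' is not a valid single-label DNS name"
}
$netbios = $ChildLabel.ToUpper()
if ($netbios.Length -gt 15) { $netbios = $netbios.Substring(0, 15) }

# Step 16: the DSRM password has no prompt-at-run-time form in the answer
# file, so it is written to the file, which is removed once dcpromo exits.
$dsrm  = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Steps 7 through 15 as [DCInstall] keys. Password=* makes dcpromo prompt for
# the Enterprise Admins password at run time, so that secret never touches disk.
# RebootOnCompletion=No lets the script delete the answer file before restarting.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Child
ParentDomainDNSName=$ParentDomain
ChildName=$ChildLabel
DomainNetBiosName=$netbios
DomainLevel=3
SiteName=$SiteName
ReplicationSourceDC=$SourceDC
InstallDNS=Yes
CreateDNSDelegation=Yes
ConfirmGc=Yes
DatabasePath="$env:SystemRoot\NTDS"
LogPath="$env:SystemRoot\NTDS"
SYSVOLPath="$env:SystemRoot\SYSVOL"
UserDomain=$ParentDomain
UserName=$AdminUser
Password=*
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=No
"@
Set-Content -Path $AnswerFile -Value $answer -Encoding ASCII

& "$env:SystemRoot\System32\dcpromo.exe" "/unattend:$AnswerFile"
$rc = $LASTEXITCODE

# Do not leave the DSRM password on disk, whether or not dcpromo succeeded.
Remove-Item $AnswerFile -Force -ErrorAction SilentlyContinue
$dsrmPlain = $null

# dcpromo reports 1 through 4 for success (2 and 4 mean a restart is still needed).
if ($rc -ge 1 -and $rc -le 4) {
    Write-Host "Promotion succeeded (exit code $rc); restarting in 30 seconds."
    & "$env:SystemRoot\System32\shutdown.exe" /r /t 30 /c "AD DS promotion complete"
} else {
    Write-Warning "dcpromo failed with exit code $rc; see $env:SystemRoot\debug\dcpromo.log"
}
```

DomainLevel=3 sets the new domain's functional level to Windows Server 2008; a new domain's level may be higher than the forest's but not lower, so 3 is always accepted from a 2008 domain controller. CreateDNSDelegation=Yes writes the delegation for the child zone into the parent zone using the same credentials, which is what makes the new domain resolvable from the rest of the forest.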

When the server reboots, the Initial Configuration Tasks window appears; it now lists the new role, Active Directory Domain Services, and any other roles (such as DNS Server) that you added during the domain and domain controller configuration.

Once you have the root domain and regional domain in place, you can view your domain hierarchy. Figure 8.9 shows a domain root (spinach.com) and a regional (child) domain (popeye.spinach.com) in the Active Directory Domains and Trusts snap-in (discussed later in this hour). The wizard also created the two-way transitive parent-child trust between spinach.com and popeye.spinach.com automatically; it appears on the Trusts tab of either domain's Properties dialog in that snap-in.
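Looking at the tree in the snap-in confirms that the domain exists; it does not confirm that the new domain controller is locatable, that the parent-child trust works in both directions, that replication from the forest is succeeding, or that the parent zone delegates the child's DNS zone. The following PowerShell script is an added example, not code from the book; it runs those checks with tools that ship on a Windows Server 2008 domain controller (nltest, repadmin, nslookup and dcdiag) and assumes the same names as above: child domain popeye.spinach.com, parent spinach.com, and a parent domain controller dc1.spinach.com that hosts the spinach.com zone. Run it in an elevated PowerShell prompt on the new regional domain controller after the restart.

```powershell
# Added example (not from the book): post-promotion checks for a regional domain.
# Assumed names: child popeye.spinach.com, parent spinach.com, parent DC dc1.spinach.com.
$child    = 'popeye.spinach.com'
$parent   = 'spinach.com'
$parentDC = 'dc1.spinach.com'
$failed   = @()

# 1. The DC locator must return a domain controller for the child domain.
$out = nltest /dsgetdc:$child 2>&1 | Out-String
if ($out -notmatch 'completed successfully') { $failed += "locator: no DC found for $child" }

# 2. The parent-child trust created by dcpromo must be listed in both directions.
#    The parent's line in nltest output is "N: SPINACH spinach.com (NT 5) ... (Direct Outbound) (Direct Inbound)";
#    the \s anchors keep the child's own line (popeye.spinach.com) from matching.
$trusts = nltest /domain_trusts 2>&1 | Out-String
$parentLine = ($trusts.Split("`n") | Where-Object { $_ -match ('\s' + [regex]::Escape($parent) + '\s') }) | Out-String
if (-not ($parentLine -match 'Direct Inbound' -and $parentLine -match 'Direct Outbound')) {
    $failed += "trust: two-way trust with $parent not reported by nltest"
}

# 3. Inbound replication of the schema and configuration partitions must be succeeding.
$repl = repadmin /showrepl 2>&1 | Out-String
if ($repl -match 'Last attempt .* failed') { $failed += 'replication: a partner reports failed attempts' }

# 4. The parent zone must hold NS records delegating the child zone.
$ns = nslookup -type=NS $child $parentDC 2>&1 | Out-String
if ($ns -notmatch 'nameserver') { $failed += "dns: no delegation for $child on $parentDC" }

# 5. dcdiag's own advertising, replication and DNS delegation tests.
$diag = (dcdiag /test:Advertising /test:Replications 2>&1 | Out-String) +
        (dcdiag /test:DNS /DnsDelegation 2>&1 | Out-String)
if ($diag -match 'failed test') { $failed += 'dcdiag: one or more tests failed (see its output)' }

if ($failed.Count -eq 0) { Write-Host "All checks passed for $child" }
else { $failed | ForEach-Object { Write-Warning $_ } }
```

The Advertising test also reports whether the domain controller is advertising as a global catalog; on a freshly promoted domain controller that does not happen until the partial replicas of the other domains have finished replicating in, so a global catalog warning in the first minutes after the restart is expected rather than a fault.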

Figure 8.9. The domain tree can be viewed in the Active Directory Domains and Trusts snap-in.
