Creating Multiple domains using 1 domain controller

Hey Gang:

I have a question concerning my network.  Currently I have one domain (XYZ).  I'm using SBS2000 and have approximately 20 users.  What I would like to do is the following:

1) Add a new Server to the domain

2) Create a new sub-domain (if possible - ABC)

3)  Have certain people set up in Domain ABC and the rest in the original Domain (XYZ).

The reason for this is we are adding a few people who will be sharing our resources (Internet access) and I would like them to be a mini network.

Please let me know how I can accomplish these tasks.  Right now I have some one who has access to the internet, but I have not added their computer to the domain, but I would like a cleaner way to do this.

Thanks for your help

LVL 15
Juan OcasioApplication DeveloperAsked:
Who is Participating?
scampgbConnect With a Mentor Commented:
Probably the simplest way of doing all this is as I described, using OUs.
You can control who has access to each server's resources (file shares, printers, databases etc) with reference to the Active Directory (AD)

It's important that you get your AD design right though.  It's a real pain if you have to completely rethink your plans after you've implemented it.

Essentially, you can do everything you want to achieve - but it'll take a bit of planning.

I agree with Serpent77's comments about licencing though - you'll need to ensure that this is done properly.

There are loads of resources available on the 'net about planning and implementing your AD infrastructure.  Probably a good place to start is

Things to bear in mind:
Try not to rush - it'll take a while to plan your AD design
Consider what will/may happen in the future and how this will affect your systems
Take a modular approach to building the system.  Make sure that each bit works before you move on.
Test it as you go along - this will help with troubleshooting.

Getting it right will require a lot of work, but it'll be worth it in the long run.

I suggest that you come up with an overall plan, and then post a question on here asking for comments.  If nothing else, you'll have a very clear understanding of how to implement it by the end of it!

Sorry that I can't give a "click this button and it works" type of reply, but what you want to achieve isn't as simple as that :-)

Good luck!

ok, here's the low down in order...

1.  feel free to add another server, just make sure to have a SBS CAL for it (see the MS website faq here:

2. no new domains.  Sorry SBS supports single domain created at installation, and is not allowed to participate in trees or forests.

3. see #2

For a resolution to your problem you can simply set up ICS on the server and route everyone through (or nix the default gateway on the clients to prevent their access as a crude block.  You should also be able to block their access via the the firewall on the server (ISA), though I've never bothered to set that up and play with it before.

Another alternative would be to dual home the server (install two netcards with seperate IP addresses) and a router.  include a default route for those you want to allow access to the net, and don't include one for the other subnet.  If you need more explanation, feel free to ask.  This is really not too difficult ot set up once you've done it a few times.  

Hi jocasio123,

You can't create "subdomains" in this way.  Each domain needs it's own domain controller(s), although you can create "forests" of domains.

I would suggest that you use Organisational Units (OUs) for what you want to achieve.  This will allow you to control network policies for your guest users seperately from your main users.

I hope that this helps - let me know if you need any further help.
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

Juan OcasioApplication DeveloperAuthor Commented:
Thanks for the reply:

The new server is a windows 2003 server.  Do I have to do anything to have the resources on this machine available to other users?  (We added another Server (Win 2K Server) about  6 months ago and I'm not sure if I added it right.  If I try to access it whenI VPN into my network, I can never get it to work right....

Getting back to our guests:

I want everybody in the office to be able to access the internet.  I guess my biggest problem is that I need to segregate these 4 people into their own separate workgroup (should I use this methodolgy) and at the same time prevent them from accessing the resources on our main server.  The new server will basically be for them so I would like to have the server and all of it's resources available to them.  FOr the Organizattional Units, will I still add them as users of the domain and then just segregate them?  Right now I have a couple of people who we are doing the same thing for set up as separate workgroups and have mapped networked Printers to their machines using a TCP port.  I definitely want to clean that up.

Also, if you can point me to any readings on this, I am willing to learn (as opposed to being stepped through the process - although I don't object to that).

Many, many thanks for your help!!!

Serpent77Connect With a Mentor Commented:
If your primary concern is just restricting access to one server, while allowing it to the other, then Scam's got the right anser, set up two Ou's for your users say "internal users" and "external users" or somethinf similiar, you might want to create a an Ou to create these in since you can't create an Ou under the Users folder in the Active directory users manager.  I usaully do that, calling the ou "User Accts"so you'd have:

Active directory....
  |-Other folders
  |-User Accts
    |-Internal Users
    |-External Users

Then move your users into their appropriate positions.  Right click the Internal Users Ou, go to the group policies page and create a new group policy.  

Another non-active directory method would be to simply put your users into two groups, and give groups access to the shares on the server (printer and file)  this alllows fairly easy to manage access.  If you'r not in the group, you don't get to connect, that simple.  With only 2-3 servers, that might be easier than trying to implement it in group policy until you've had more time to get up to speed on how the active directory works.  Using groups is more old school, much like NT and *nix would control access.

Juan OcasioApplication DeveloperAuthor Commented:
Hey Guys:

I want to thank both of you for helping me with this.  I don't have all the answers, but I have a super starting point now.  I now know where to go and how to get there!!!!

Again, thanks for taking the time!

Hi.  Glad I could help :)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.