Creating Multiple domains using 1 domain controller

Posted on 2004-08-18
Last Modified: 2010-04-11
Hey Gang:

I have a question concerning my network.  Currently I have one domain (XYZ).  I'm using SBS2000 and have approximately 20 users.  What I would like to do is the following:

1) Add a new Server to the domain

2) Create a new sub-domain (if possible - ABC)

3)  Have certain people set up in Domain ABC and the rest in the original Domain (XYZ).

The reason for this is we are adding a few people who will be sharing our resources (Internet access) and I would like them to be a mini network.

Please let me know how I can accomplish these tasks.  Right now I have someone who has access to the internet, but I have not added their computer to the domain, but I would like a cleaner way to do this.

Thanks for your help

jocasio
Question by:Juan Ocasio

Expert Comment

by:Serpent77
ID: 11834404
OK, here's the lowdown in order...

1.  Feel free to add another server, just make sure to have an SBS CAL for it (see the MS website FAQ here: http://www.microsoft.com/sbserver/community/sbs_faq.asp)

2. No new domains.  Sorry, SBS supports a single domain created at installation, and is not allowed to participate in trees or forests.

3. See #2

For a resolution to your problem you can simply set up ICS on the server and route everyone through (or nix the default gateway on the clients to prevent their access as a crude block).  You should also be able to block their access via the firewall on the server (ISA), though I've never bothered to set that up and play with it before.

Another alternative would be to dual home the server (install two netcards with separate IP addresses) and a router.  Include a default route for those you want to allow access to the net, and don't include one for the other subnet.  If you need more explanation, feel free to ask.  This is really not too difficult to set up once you've done it a few times.

--Serp

Expert Comment

by:scampgb
ID: 11834429
Hi jocasio123,

You can't create "subdomains" in this way.  Each domain needs its own domain controller(s), although you can create "forests" of domains.

I would suggest that you use Organisational Units (OUs) for what you want to achieve.  This will allow you to control network policies for your guest users separately from your main users.

I hope that this helps - let me know if you need any further help.

Author Comment

by:Juan Ocasio
ID: 11834589
Thanks for the reply:

The new server is a Windows 2003 server.  Do I have to do anything to have the resources on this machine available to other users?  (We added another server (Win 2K Server) about 6 months ago and I'm not sure if I added it right.  If I try to access it when I VPN into my network, I can never get it to work right....)

Getting back to our guests:

I want everybody in the office to be able to access the internet.  I guess my biggest problem is that I need to segregate these 4 people into their own separate workgroup (should I use this methodology) and at the same time prevent them from accessing the resources on our main server.  The new server will basically be for them so I would like to have the server and all of its resources available to them.  For the Organizational Units, will I still add them as users of the domain and then just segregate them?  Right now I have a couple of people who we are doing the same thing for set up as separate workgroups and have mapped networked printers to their machines using a TCP port.  I definitely want to clean that up.

Also, if you can point me to any readings on this, I am willing to learn (as opposed to being stepped through the process - although I don't object to that).

Many, many thanks for your help!!!

jocasio

Accepted Solution

by:
scampgb earned 140 total points
ID: 11835795
Probably the simplest way of doing all this is as I described, using OUs.
You can control who has access to each server's resources (file shares, printers, databases etc) with reference to the Active Directory (AD).

It's important that you get your AD design right though.  It's a real pain if you have to completely rethink your plans after you've implemented it.

Essentially, you can do everything you want to achieve - but it'll take a bit of planning.

I agree with Serpent77's comments about licensing though - you'll need to ensure that this is done properly.

There are loads of resources available on the 'net about planning and implementing your AD infrastructure.  Probably a good place to start is http://www.microsoft.com/technet/community/columns/profwin/pw0302.mspx

Things to bear in mind:
Try not to rush - it'll take a while to plan your AD design
Consider what will/may happen in the future and how this will affect your systems
Take a modular approach to building the system.  Make sure that each bit works before you move on.
Test it as you go along - this will help with troubleshooting.

Getting it right will require a lot of work, but it'll be worth it in the long run.

I suggest that you come up with an overall plan, and then post a question on here asking for comments.  If nothing else, you'll have a very clear understanding of how to implement it by the end of it!

Sorry that I can't give a "click this button and it works" type of reply, but what you want to achieve isn't as simple as that :-)

Good luck!


Assisted Solution

by:Serpent77
Serpent77 earned 60 total points
ID: 11837870
If your primary concern is just restricting access to one server, while allowing it to the other, then Scam's got the right answer: set up two OUs for your users, say "internal users" and "external users" or something similar. You might want to create an OU to create these in, since you can't create an OU under the Users folder in the Active Directory users manager.  I usually do that, calling the OU "User Accts", so you'd have:

Active directory....
|-Yourdomain.intranet
  |-Other folders
  |-<...>
  |-User Accts
    |-Internal Users
    |-External Users
  \-<...>

Then move your users into their appropriate positions.  Right click the Internal Users OU, go to the group policies page and create a new group policy.

Another non-Active Directory method would be to simply put your users into two groups, and give groups access to the shares on the server (printer and file).  This allows fairly easy to manage access.  If you're not in the group, you don't get to connect, that simple.  With only 2-3 servers, that might be easier than trying to implement it in group policy until you've had more time to get up to speed on how the Active Directory works.  Using groups is more old school, much like NT and *nix would control access.

--Serp
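
An added example, not part of Serpent77's post or the original thread: the OU layout and group-based share access described above, scripted with the ActiveDirectory and SmbShare PowerShell modules of current Windows Server releases (these modules do not exist on SBS 2000). The domain DN, NetBIOS name, server names (MAINSRV, NEWSRV), share names, group names and account names are hypothetical placeholders, and the script assumes `Everyone` currently holds access on the existing share.

```powershell
Import-Module ActiveDirectory

# Hypothetical names throughout; adjust to the real domain.
$domainDN = 'DC=yourdomain,DC=intranet'   # matches the "Yourdomain.intranet" tree above
$netbios  = 'YOURDOMAIN'
$parentOU = "OU=User Accts,$domainDN"

# 1. OU tree: User Accts -> Internal Users / External Users.
#    OUs scope Group Policy and delegation; they are not security principals.
New-ADOrganizationalUnit -Name 'User Accts' -Path $domainDN
foreach ($name in 'Internal Users', 'External Users') {
    New-ADOrganizationalUnit -Name $name -Path $parentOU
}

# 2. One security group per population. Share and file permissions are
#    granted to these groups, never to the OUs themselves.
New-ADGroup -Name 'GRP-Internal' -GroupScope Global -GroupCategory Security `
    -Path "OU=Internal Users,$parentOU"
New-ADGroup -Name 'GRP-External' -GroupScope Global -GroupCategory Security `
    -Path "OU=External Users,$parentOU"

# 3. Move the guest accounts (constructed sample names) into their OU and group.
$guests = 'guest1', 'guest2', 'guest3', 'guest4'
foreach ($sam in $guests) {
    Get-ADUser -Identity $sam |
        Move-ADObject -TargetPath "OU=External Users,$parentOU"
}
Add-ADGroupMember -Identity 'GRP-External' -Members $guests

# 4. New server: a share that only admins and the external group can reach.
#    Naming the access lists explicitly means no default Everyone entry is added.
New-SmbShare -CimSession 'NEWSRV' -Name 'GuestData' -Path 'D:\GuestData' `
    -FullAccess "$netbios\Domain Admins" -ChangeAccess "$netbios\GRP-External"

# 5. Main server: replace the broad grant on an existing share with the
#    internal group, so guests are excluded by omission rather than by a deny.
Revoke-SmbShareAccess -CimSession 'MAINSRV' -Name 'CompanyData' `
    -AccountName 'Everyone' -Force
Grant-SmbShareAccess -CimSession 'MAINSRV' -Name 'CompanyData' `
    -AccountName "$netbios\GRP-Internal" -AccessRight Change -Force

# 6. Review the resulting share ACLs. NTFS permissions on the folders must
#    be aligned separately; the effective right is the stricter of the two.
Get-SmbShareAccess -CimSession 'MAINSRV' -Name 'CompanyData'
Get-SmbShareAccess -CimSession 'NEWSRV'  -Name 'GuestData'
```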

Author Comment

by:Juan Ocasio
ID: 11847460
Hey Guys:

I want to thank both of you for helping me with this.  I don't have all the answers, but I have a super starting point now.  I now know where to go and how to get there!!!!

Again, thanks for taking the time!

jocasio

Expert Comment

by:scampgb
ID: 11850892
Hi.  Glad I could help :)