Solved

Creating Multiple domains using 1 domain controller

Posted on 2004-08-18
7
328 Views
Last Modified: 2010-04-11
Hey Gang:

I have a question concerning my network.  Currently I have one domain (XYZ).  I'm using SBS2000 and have approximately 20 users.  What I would like to do is the following:

1) Add a new Server to the domain

2) Create a new sub-domain (if possible - ABC)

3)  Have certain people set up in Domain ABC and the rest in the original Domain (XYZ).

The reason for this is we are adding a few people who will be sharing our resources (Internet access) and I would like them to be a mini network.

Please let me know how I can accomplish these tasks.  Right now I have some one who has access to the internet, but I have not added their computer to the domain, but I would like a cleaner way to do this.

Thanks for your help

jocasio
0
Question by:Juan Ocasio
7 Comments
 
LVL 1

Expert Comment

by:Serpent77
ID: 11834404
ok, here's the low down in order...

1.  Feel free to add another server, just make sure to have an SBS CAL for it (see the MS website FAQ here: http://www.microsoft.com/sbserver/community/sbs_faq.asp)

2. No new domains.  Sorry, SBS supports a single domain created at installation, and is not allowed to participate in trees or forests.

3. See #2

For a resolution to your problem you can simply set up ICS on the server and route everyone through (or nix the default gateway on the clients to prevent their access as a crude block).  You should also be able to block their access via the firewall on the server (ISA), though I've never bothered to set that up and play with it before.

Another alternative would be to dual home the server (install two netcards with separate IP addresses) and a router.  Include a default route for those you want to allow access to the net, and don't include one for the other subnet.  If you need more explanation, feel free to ask.  This is really not too difficult to set up once you've done it a few times.

--Serp
0
 
LVL 15

Expert Comment

by:scampgb
ID: 11834429
Hi jocasio123,

You can't create "subdomains" in this way.  Each domain needs its own domain controller(s), although you can create "forests" of domains.

I would suggest that you use Organisational Units (OUs) for what you want to achieve.  This will allow you to control network policies for your guest users separately from your main users.

I hope that this helps - let me know if you need any further help.
0
 
LVL 14

Author Comment

by:Juan Ocasio
ID: 11834589
Thanks for the reply:

The new server is a Windows 2003 server.  Do I have to do anything to have the resources on this machine available to other users?  (We added another server (Win 2K Server) about 6 months ago and I'm not sure if I added it right.  If I try to access it when I VPN into my network, I can never get it to work right....)

Getting back to our guests:

I want everybody in the office to be able to access the internet.  I guess my biggest problem is that I need to segregate these 4 people into their own separate workgroup (should I use this methodology?) and at the same time prevent them from accessing the resources on our main server.  The new server will basically be for them so I would like to have the server and all of its resources available to them.  For the Organizational Units, will I still add them as users of the domain and then just segregate them?  Right now I have a couple of people who we are doing the same thing for set up as separate workgroups and have mapped networked printers to their machines using a TCP port.  I definitely want to clean that up.

Also, if you can point me to any readings on this, I am willing to learn (as opposed to being stepped through the process - although I don't object to that).

Many, many thanks for your help!!!

jocasio
0
 
LVL 15

Accepted Solution

by:scampgb (earned 140 total points)
ID: 11835795
Probably the simplest way of doing all this is as I described, using OUs.
You can control who has access to each server's resources (file shares, printers, databases etc) with reference to the Active Directory (AD).

It's important that you get your AD design right though.  It's a real pain if you have to completely rethink your plans after you've implemented it.

Essentially, you can do everything you want to achieve - but it'll take a bit of planning.

I agree with Serpent77's comments about licencing though - you'll need to ensure that this is done properly.

There are loads of resources available on the 'net about planning and implementing your AD infrastructure.  Probably a good place to start is http://www.microsoft.com/technet/community/columns/profwin/pw0302.mspx

Things to bear in mind:
Try not to rush - it'll take a while to plan your AD design
Consider what will/may happen in the future and how this will affect your systems
Take a modular approach to building the system.  Make sure that each bit works before you move on.
Test it as you go along - this will help with troubleshooting.

Getting it right will require a lot of work, but it'll be worth it in the long run.

I suggest that you come up with an overall plan, and then post a question on here asking for comments.  If nothing else, you'll have a very clear understanding of how to implement it by the end of it!

Sorry that I can't give a "click this button and it works" type of reply, but what you want to achieve isn't as simple as that :-)

Good luck!

0
 
LVL 1

Assisted Solution

by:Serpent77
(earned 60 total points)
ID: 11837870
If your primary concern is just restricting access to one server, while allowing it to the other, then Scam's got the right answer: set up two OUs for your users, say "Internal Users" and "External Users" or something similar.  You might want to create an OU to create these in, since you can't create an OU under the Users folder in the Active Directory Users manager.  I usually do that, calling the OU "User Accts", so you'd have:

Active directory....
|-Yourdomain.intranet
  |-Other folders
  |-<...>
  |-User Accts
    |-Internal Users
    |-External Users
  \-<...>

Then move your users into their appropriate positions.  Right-click the Internal Users OU, go to the group policies page and create a new group policy.

Another non-Active Directory method would be to simply put your users into two groups, and give the groups access to the shares on the server (printer and file).  This allows fairly easy-to-manage access.  If you're not in the group, you don't get to connect, that simple.  With only 2-3 servers, that might be easier than trying to implement it in group policy until you've had more time to get up to speed on how the Active Directory works.  Using groups is more old school, much like NT and *nix would control access.

--Serp
0
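The OU layout and the group-based share permissions described in the two solutions above, written out as an added PowerShell example. This is not code from the thread: the original discussion is about SBS 2000 / Windows Server 2003 administered through the GUI, whereas this assumes a current domain controller with the ActiveDirectory, GroupPolicy and SmbShare modules. The domain yourdomain.intranet, the guest account names and the share name "Projects" are hypothetical placeholders; the well-known accounts that are skipped when moving users are the standard built-ins.

```powershell
# Added example, not code from the thread. Builds the "User Accts" OU tree,
# puts each user into one of two security groups, and restricts a share on the
# internal server to the internal group only.
# Assumptions: ActiveDirectory, GroupPolicy and SmbShare modules are present;
# the domain is the hypothetical yourdomain.intranet; run with domain admin rights.
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module SmbShare

$domainDN   = 'DC=yourdomain,DC=intranet'          # hypothetical domain
$accountsOU = "OU=User Accts,$domainDN"
$internalOU = "OU=Internal Users,$accountsOU"
$externalOU = "OU=External Users,$accountsOU"

# 1. OU tree exactly as sketched in the thread:
#    yourdomain.intranet -> User Accts -> Internal Users / External Users
New-ADOrganizationalUnit -Name 'User Accts'     -Path $domainDN
New-ADOrganizationalUnit -Name 'Internal Users' -Path $accountsOU
New-ADOrganizationalUnit -Name 'External Users' -Path $accountsOU

# 2. One security group per OU. Resources are granted to the group, never to
#    individual accounts, so onboarding or removing a guest is a single change.
New-ADGroup -Name 'Internal Users' -GroupScope Global -GroupCategory Security -Path $internalOU
New-ADGroup -Name 'External Users' -GroupScope Global -GroupCategory Security -Path $externalOU

# 3. Sort existing accounts out of the default Users container.
#    The guest list is a constructed sample; built-in accounts are left alone.
$guests  = @('guest1', 'guest2', 'guest3', 'guest4')    # constructed sample names
$builtin = @('Administrator', 'Guest', 'krbtgt')

# Collect first, then move, so the move does not disturb the running query.
$users = Get-ADUser -SearchBase "CN=Users,$domainDN" -SearchScope OneLevel -Filter * |
         Where-Object { $builtin -notcontains $_.SamAccountName }

foreach ($u in $users) {
    if ($guests -contains $u.SamAccountName) {
        Move-ADObject -Identity $u.DistinguishedName -TargetPath $externalOU
        Add-ADGroupMember -Identity 'External Users' -Members $u.SamAccountName
    } else {
        Move-ADObject -Identity $u.DistinguishedName -TargetPath $internalOU
        Add-ADGroupMember -Identity 'Internal Users' -Members $u.SamAccountName
    }
}

# 4. The "create a new group policy on the OU" step from the thread: an empty
#    GPO linked to each OU, ready for the settings each population needs.
New-GPO -Name 'Internal Users Policy' | New-GPLink -Target $internalOU
New-GPO -Name 'External Users Policy' | New-GPLink -Target $externalOU

# 5. Share-level ACL on the internal server (run this part on that server).
#    Remove the default "Everyone" entry so accounts in External Users cannot
#    connect, then grant the internal group. The NTFS ACL on the folder should
#    mirror this; the share ACL alone is not the only gate.
$share = 'Projects'                                      # hypothetical share name
Revoke-SmbShareAccess -Name $share -AccountName 'Everyone' -Force
Grant-SmbShareAccess  -Name $share -AccountName 'YOURDOMAIN\Internal Users' -AccessRight Change -Force

# Verify: the only remaining entry should be the internal group.
Get-SmbShareAccess -Name $share
```

Steps 1 to 4 follow the OU approach scampgb and Serp recommend; step 5 is Serp's "old school" group method applied to the share, and the two combine cleanly because the group membership is maintained alongside the OU move. Run step 5 on the server that hosts the share, and repeat the `Get-SmbShareAccess` check after any later change so a stray "Everyone" entry cannot creep back in.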
 
LVL 14

Author Comment

by:Juan Ocasio
ID: 11847460
Hey Guys:

I want to thank both of you for helping me with this.  I don't have all the answers, but I have a super starting point now.  I now know where to go and how to get there!!!!

Again, thanks for taking the time!

jocasio
0
 
LVL 15

Expert Comment

by:scampgb
ID: 11850892
Hi.  Glad I could help :)
0
