Creating Multiple domains using 1 domain controller

Posted on 2004-08-18
Last Modified: 2010-04-11
Hey Gang:

I have a question concerning my network.  Currently I have one domain (XYZ).  I'm using SBS2000 and have approximately 20 users.  What I would like to do is the following:

1) Add a new Server to the domain

2) Create a new sub-domain (if possible - ABC)

3)  Have certain people set up in Domain ABC and the rest in the original Domain (XYZ).

The reason for this is we are adding a few people who will be sharing our resources (Internet access) and I would like them to be a mini network.

Please let me know how I can accomplish these tasks.  Right now I have some one who has access to the internet, but I have not added their computer to the domain, but I would like a cleaner way to do this.

Thanks for your help

Question by:Juan Ocasio
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2

Expert Comment

ID: 11834404
ok, here's the low down in order...

1.  feel free to add another server, just make sure to have a SBS CAL for it (see the MS website faq here:

2. no new domains.  Sorry SBS supports single domain created at installation, and is not allowed to participate in trees or forests.

3. see #2

For a resolution to your problem you can simply set up ICS on the server and route everyone through (or nix the default gateway on the clients to prevent their access as a crude block.  You should also be able to block their access via the the firewall on the server (ISA), though I've never bothered to set that up and play with it before.

Another alternative would be to dual home the server (install two netcards with seperate IP addresses) and a router.  include a default route for those you want to allow access to the net, and don't include one for the other subnet.  If you need more explanation, feel free to ask.  This is really not too difficult ot set up once you've done it a few times.  

LVL 15

Expert Comment

ID: 11834429
Hi jocasio123,

You can't create "subdomains" in this way.  Each domain needs it's own domain controller(s), although you can create "forests" of domains.

I would suggest that you use Organisational Units (OUs) for what you want to achieve.  This will allow you to control network policies for your guest users seperately from your main users.

I hope that this helps - let me know if you need any further help.
LVL 14

Author Comment

by:Juan Ocasio
ID: 11834589
Thanks for the reply:

The new server is a windows 2003 server.  Do I have to do anything to have the resources on this machine available to other users?  (We added another Server (Win 2K Server) about  6 months ago and I'm not sure if I added it right.  If I try to access it whenI VPN into my network, I can never get it to work right....

Getting back to our guests:

I want everybody in the office to be able to access the internet.  I guess my biggest problem is that I need to segregate these 4 people into their own separate workgroup (should I use this methodolgy) and at the same time prevent them from accessing the resources on our main server.  The new server will basically be for them so I would like to have the server and all of it's resources available to them.  FOr the Organizattional Units, will I still add them as users of the domain and then just segregate them?  Right now I have a couple of people who we are doing the same thing for set up as separate workgroups and have mapped networked Printers to their machines using a TCP port.  I definitely want to clean that up.

Also, if you can point me to any readings on this, I am willing to learn (as opposed to being stepped through the process - although I don't object to that).

Many, many thanks for your help!!!

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

LVL 15

Accepted Solution

scampgb earned 140 total points
ID: 11835795
Probably the simplest way of doing all this is as I described, using OUs.
You can control who has access to each server's resources (file shares, printers, databases etc) with reference to the Active Directory (AD)

It's important that you get your AD design right though.  It's a real pain if you have to completely rethink your plans after you've implemented it.

Essentially, you can do everything you want to achieve - but it'll take a bit of planning.

I agree with Serpent77's comments about licencing though - you'll need to ensure that this is done properly.

There are loads of resources available on the 'net about planning and implementing your AD infrastructure.  Probably a good place to start is

Things to bear in mind:
Try not to rush - it'll take a while to plan your AD design
Consider what will/may happen in the future and how this will affect your systems
Take a modular approach to building the system.  Make sure that each bit works before you move on.
Test it as you go along - this will help with troubleshooting.

Getting it right will require a lot of work, but it'll be worth it in the long run.

I suggest that you come up with an overall plan, and then post a question on here asking for comments.  If nothing else, you'll have a very clear understanding of how to implement it by the end of it!

Sorry that I can't give a "click this button and it works" type of reply, but what you want to achieve isn't as simple as that :-)

Good luck!


Assisted Solution

Serpent77 earned 60 total points
ID: 11837870
If your primary concern is just restricting access to one server, while allowing it to the other, then Scam's got the right anser, set up two Ou's for your users say "internal users" and "external users" or somethinf similiar, you might want to create a an Ou to create these in since you can't create an Ou under the Users folder in the Active directory users manager.  I usaully do that, calling the ou "User Accts"so you'd have:

Active directory....
  |-Other folders
  |-User Accts
    |-Internal Users
    |-External Users

Then move your users into their appropriate positions.  Right click the Internal Users Ou, go to the group policies page and create a new group policy.  

Another non-active directory method would be to simply put your users into two groups, and give groups access to the shares on the server (printer and file)  this alllows fairly easy to manage access.  If you'r not in the group, you don't get to connect, that simple.  With only 2-3 servers, that might be easier than trying to implement it in group policy until you've had more time to get up to speed on how the active directory works.  Using groups is more old school, much like NT and *nix would control access.

LVL 14

Author Comment

by:Juan Ocasio
ID: 11847460
Hey Guys:

I want to thank both of you for helping me with this.  I don't have all the answers, but I have a super starting point now.  I now know where to go and how to get there!!!!

Again, thanks for taking the time!

LVL 15

Expert Comment

ID: 11850892
Hi.  Glad I could help :)

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Internet Business Fax to Email Made Easy - With  eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Suggested Courses
Course of the Month8 days, 17 hours left to enroll

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question