sohtnax

asked on

Adding a new domain

I currently have a Windows 2000 domain in my current building. A second building, connected via a dedicated T1, will be opened in the near future to accommodate the company's growth. The second building will be utilizing Windows 2003 Domain Controllers.

Employees in my current building will most likely be moved to the second building within the next 18-24 months, therefore the original AD structure can be phased out.  In addition,

I need to set up a new domain in the second building and allow users from either building to be able to access resources from either domain, regardless of the physical location. If the link between the two buildings drops, each office should still be fully operational. If the domain in my existing building ever goes away, as planned, the second building should not be affected.

How do I go about setting up the new domain for the second building based on what I've described?  
luv2smile

Set up the new domain as normal and then set up a two-way trust between the two domains. This will allow users from either domain to access resources in the other domain, but will keep the domains completely independent.
Because of this requirement, "If the link between the two buildings drops, each office should still be fully operational.", you may need to do some additional steps:

- Make sure that you have redundant services (WINS, DNS, DHCP, GC, DC, etc.) for each domain in each physical location. This will probably require additional domain controllers.

- In order to keep the office fully operational, you will probably have to replicate data between the two offices... e.g. if all file data is in office one, when the link breaks, you will lose access to this data. You may consider using DFS with FRS or some other means of replicating the data.

Another option is to make sure that you have a backup WAN link between these buildings... this is probably cheaper and easier to implement.

Just something to think about...

ASKER


Each office will pretty much be self-sufficient in terms of data. The primary reason for linking the two sites is to be able to print to each other's printers, connect to terminal servers in the other building, and access intranet sites.

OK...then you will have to make sure that you can replicate all of the intranet sites, (printers will fail because of location), and terminal services.  This way, even if the WAN link goes down, these services will be available :)


ASKER

These are not mission critical, so if the WAN link does go down, it won't severely impede business.

Knowing this, is it better to create a two-way trust or set up another domain in my existing forest?
If you are planning on totally phasing the original domain out, I would create a NEW domain. Then set up a trust.

If you want to continue to use the Windows 2000 domain (and maybe upgrade it to Windows 2003), I would install the new servers in the SAME domain.

The easiest thing for you to do would be to add the new server as a new domain controller of the existing domain. This way, you don't have to worry about trusts... and don't have to worry about migrating user accounts. Is there something wrong with your current domain? A domain can span two physical locations. You might consider upgrading your domain to Windows 2003 and then just add the new server to the existing domain. This strategy is least risky and is the easiest (in my opinion) to implement.


ASKER

If I do simply add my new 2003 domain controllers to the existing domain, and the link between the two sites goes down, I guess it won't really matter since each site will have a controller in its physical location. Does the fact that each building will be on its own subnet matter, even though communication between the two will be possible using my Cisco equipment?

To be quite honest, I don't have much trust in my existing domain. When I inherited it 3 years ago I found that the DNS was screwed up, which I did fix, but as time has passed I tend to notice little things that have caused me to lose trust in the people that configured it. I was hoping to start anew in this new site, especially since both buildings will most likely merge in the future. Unfortunately, I don't have any hands-on experience with trusts. What exactly would a trust between a 2000 domain and a separate 2003 domain entail?
If I were you I would still set up a new server in the same domain, since that would be less painful for your users, especially if they alternate between the buildings. It is true that if you feel you have problems in the original domain you would hesitate; still, problems on a domain level should always be ironed out, and they usually can be if you make careful checks of log files and configurations of services.
Therefore, if you do not have anything that gives you real trouble but you just have a hunch that you have a problem, I would go ahead and join the new building to your existing domain.
ASKER CERTIFIED SOLUTION
NJComputerNetworks

ASKER

NJComputerNetworks, thanks for the post!

One thing: why do I need to upgrade my existing 2000 DCs to 2003, and what if I don't? At this time, I cannot do so.
You cannot add a Windows 2003 Domain Controller to a Windows 2000 domain.

ASKER

I remember reading that it was possible.  Upon looking into this further, I found the following:

"Make sure all your 2000 DCs have SP4 on them. Don't be afraid of all the articles out there that talk about hotfixes and what not. Save yourself the anxiety and get the 2000 DCs on SP4.

Put the Windows 2003 Server CD in your Master Schema W2K domain controller and copy the I386 directory somewhere on a local drive.

* Run the following steps with minimal activity on the server.

Open a command prompt and switch to that I386 directory.

Type:
adprep /forestprep
It will prompt you to press C then ENTER to continue.
Let this run. It took about 10 minutes for me. You'll see several "command completed successfully" messages along with dots going across the screen.

Next, wait about 20 minutes and type:
adprep /domainprep
It won't prompt you for anything. It will just do its thing (it took 2 minutes for me).

You are now ready to add your 2003 domain controller to the 2000 domain. On your 2003 server, run the Active Directory wizard as needed for your domain."
As far as I understand, it should be possible to have both W2K and W2K3 DCs in the same domain. See this article: http://support.microsoft.com/?id=325379
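A read-only pre-check for the adprep procedure quoted above, added here as an example (it is not code from the thread, Microsoft, or the quoted article). Since adprep /forestprep is an irreversible schema change, it is worth confirming beforehand which DC holds the Schema Master role (where /forestprep runs), which holds the Infrastructure Master role (where /domainprep runs), whether either step has already been applied, and that every Windows 2000 DC carries the service pack the quoted advice requires. It assumes a domain-joined Windows machine with PowerShell and read access to AD; the schema objectVersion values it labels are the ones adprep from each release writes.

```powershell
# Added example: report the forest/domain state relevant to adprep, without changing anything.
function Get-AdprepReadiness {
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $root     = [ADSI]"LDAP://RootDSE"
    $domainDn = "$($root.defaultNamingContext)"
    $schema   = [ADSI]"LDAP://$($root.schemaNamingContext)"

    # adprep /forestprep raises objectVersion on the schema container; 13 is a plain
    # Windows 2000 schema, 30 is what the Windows Server 2003 adprep writes.
    $version = [int]"$($schema.objectVersion)"
    $known   = @{ 13 = "Windows 2000"; 30 = "Windows Server 2003"; 31 = "Windows Server 2003 R2";
                  44 = "Windows Server 2008"; 47 = "Windows Server 2008 R2" }

    # adprep /domainprep creates CN=DomainUpdates under the System container of the domain.
    $domainPrepDone = [System.DirectoryServices.DirectoryEntry]::Exists(
        "LDAP://CN=DomainUpdates,CN=System,$domainDn")

    # Enumerate DC computer accounts: userAccountControl bit 8192 (SERVER_TRUST_ACCOUNT),
    # matched with the LDAP bitwise-AND rule, and read OS and service pack for each.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    $searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
    [void]$searcher.PropertiesToLoad.AddRange(@("dNSHostName", "operatingSystem", "operatingSystemServicePack"))
    $dcs = foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Host        = [string]@($r.Properties["dnshostname"])[0]
            OS          = [string]@($r.Properties["operatingsystem"])[0]
            ServicePack = [string]@($r.Properties["operatingsystemservicepack"])[0]
        }
    }

    New-Object PSObject -Property @{
        SchemaVersion        = $version
        SchemaLabel          = $(if ($known.ContainsKey($version)) { $known[$version] } else { "unknown" })
        ForestPrepApplied    = ($version -ge 30)
        SchemaMaster         = $forest.SchemaRoleOwner.Name          # run adprep /forestprep here
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name  # run adprep /domainprep here
        DomainPrepApplied    = $domainPrepDone
        # The quoted procedure wants every Windows 2000 DC on SP4 before adprep runs.
        Win2000DCsNotOnSP4   = @($dcs | Where-Object { $_.OS -like "Windows 2000*" -and $_.ServicePack -ne "Service Pack 4" })
        DomainControllers    = $dcs
    }
}

Get-AdprepReadiness | Format-List
```

If ForestPrepApplied is already true, or Win2000DCsNotOnSP4 is non-empty, stop and investigate before running adprep rather than re-running the steps.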