• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 314

Adding a new domain

I currently have a Windows 2000 domain in my current building. A second building, connected via a dedicated T1, will be opened in the near future to accommodate the company's growth. The second building will be utilizing Windows 2003 Domain Controllers.

Employees in my current building will most likely be moved to the second building within the next 18-24 months, therefore the original AD structure can be phased out. In addition, I need to set up a new domain in the second building and allow users from either building to be able to access resources from either domain, regardless of physical location. If the link between the two buildings drops, each office should still be fully operational. If the domain in my existing building ever goes away, as planned, the second building should not be affected.

How do I go about setting up the new domain for the second building based on what I've described?  
Asked by sohtnax
1 Solution
 
luv2smile commented:
Set up the new domain as normal and then set up a two-way trust between the two domains. This will allow users from either domain to access resources in the other domain, but will keep the domains completely independent.

NJComputerNetworks commented:
Because of this requirement, "If the link between the two buildings drops, each office should still be fully operational", you may need to do some additional steps:

- Make sure that you have redundant services (WINS, DNS, DHCP, GC, DC, etc.) for each domain in each physical location. This will probably require additional domain controllers.

- In order to keep the office fully operational, you will probably have to replicate data between the two offices. For example, if all file data is in office one, when the link breaks you will lose access to this data. You may consider using DFS with FRS or some other means of replicating the data.

Another option is to make sure that you have a backup WAN link between these buildings. This is probably cheaper and easier to implement.

Just something to think about...

sohtnax (author) commented:
Each office will pretty much be self-sufficient in terms of data. The primary reason for linking the two sites is to be able to print to each other's printers, connect to terminal servers in the other building, and access intranet sites.

NJComputerNetworks commented:
OK... then you will have to make sure that you can replicate all of the intranet sites (printers will fail because of location) and terminal services. This way, even if the WAN link goes down, these services will be available :)

sohtnax (author) commented:
These are not mission critical, so if the WAN link does go down, it won't severely impede business.

Knowing this, is it better to create a two-way trust or set up another domain in my existing forest?

NJComputerNetworks commented:
If you are planning on totally phasing the original domain out, I would create a NEW domain. Then set up a trust.

If you want to continue to use the Windows 2000 domain (and maybe upgrade it to Windows 2003), I would install the new servers in the SAME domain.

The easiest thing for you to do would be to add the new server as a new domain controller of the existing domain. This way, you don't have to worry about trusts, and you don't have to worry about migrating user accounts. Is there something wrong with your current domain? A domain can span two physical locations. You might consider upgrading your domain to Windows 2003 and then just add the new server to the existing domain. This strategy is least risky and is the easiest (in my opinion) to implement.

sohtnax (author) commented:
If I do simply add my new 2003 domain controllers to the existing domain, and the link between the two sites goes down, I guess it won't really matter since each site will have a controller in its physical location. Does the fact that each building will be on its own subnet matter, even though communication between the two will be possible using my Cisco equipment?

To be quite honest, I don't have much trust in my existing domain. When I inherited it 3 years ago I found that the DNS was screwed up, which I did fix, but as time has passed I tend to notice little things that have caused me to lose trust in the people that configured it. I was hoping to start anew in this new site, especially since both buildings will most likely merge in the future. Unfortunately, I don't have any hands-on experience with trusts. What exactly would a trust between a 2000 domain and a separate 2003 domain entail?

joedoe58 commented:
If I were you I would still set up a new server in the same domain, since that would be less painful for your users, especially if they alternate between the buildings. It is true that if you feel you have problems in the original domain you would hesitate; still, problems on a domain level should always be ironed out, and they usually can be if you make careful checks of log files and configurations of services.
Therefore, if you do not have anything that gives you real trouble but you just have a hunch that you have a problem, I would go ahead and join the new building to your existing domain.

NJComputerNetworks commented:
" Does the fact that each building will be on its own subnet matter, even though communication between the two will be possible using my cisco equipment?"

No, it does not matter.  Active Directory is designed to handle this situation.  In fact, if you set everything up properly, the clients in each site will utilize the local DC first.

You will have to perform the following steps (This is for joining the Windows 2003 server as a domain controller in the existing domain)

- Upgrade your existing Windows 2000 to Windows 2003
- Build and install your Windows 2003 new server as a member server of the existing domain.
- Run DCPROMO on the new Windows 2003 server and choose the option in the DCPROMO wizard to make this an ADDITIONAL domain controller in the existing domain.
- Wait for replication to complete....
- Install the DNS service on the new Windows 2003 server
- Create a NEW SITE and NEW SUBNET in AD Sites and Services
- Move the new Windows 2003 server (that exists on the new subnet) to the NEW SITE created in AD Sites and Services (this is a simple drag and drop)
- Make the new Windows 2003 server a GLOBAL CATALOG SERVER (performed in AD Sites and Services)
- Change the TCP/IP settings of your domain controllers. From the Microsoft KB article linked below:

Question: How do I set up DNS for other domain controllers in the domain that are running DNS?

Answer: For each additional domain controller that is running DNS, the preferred DNS setting is the parent DNS server (first domain controller in the domain), and the alternate DNS setting is the actual IP address of network interface.

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382
- If you are using DNS forwarding, configure the new Windows 2003 DNS server to forward
   - Go into the DNS console
   - Right click the DNS server name and choose properties
   - click the FORWARDERS tab and enter the ISP DNS server IP's here then click OK
- Add the DHCP service to your new Windows 2003 DC
- Change your DHCP scope options to include this new DNS server.

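The claim above that clients in each site will use the local DC first holds only when a subnet object in AD Sites and Services actually covers the client's address: a client on a range with no subnet object is "siteless" and may bind to whichever DC answers first, including one across the T1. The following is an added example, not code from this thread or from Microsoft, that models the subnet-to-site mapping the DC locator applies (the most specific matching subnet object wins) and provides a check for client addresses that no subnet object covers. The site names, subnet ranges and DC names are constructed for illustration; the example models only the subnet mapping, not the DNS SRV and netlogon exchange the real locator uses.

```python
import ipaddress

# Constructed sample data (an assumption for this example, not from the
# thread): one site per building, the subnet object created for each in
# AD Sites and Services, and one DC per site. The /16 deliberately
# overlaps the /24 so the most-specific-match rule is exercised.
SUBNETS = {
    "192.168.0.0/16": "Building1",
    "192.168.2.0/24": "Building2",
}
DOMAIN_CONTROLLERS = [
    {"name": "dc1", "site": "Building1"},
    {"name": "dc2", "site": "Building2"},
]


def site_for_ip(ip, subnets=SUBNETS):
    """Map a client address to an AD site.

    The DC locator assigns a client to the site of the subnet object that
    contains its address; when several do, the most specific (longest
    prefix) wins. Returns None for an address no subnet object covers,
    i.e. a "siteless" client.
    """
    addr = ipaddress.ip_address(ip)
    best_site, best_len = None, -1
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best_site, best_len = site, net.prefixlen
    return best_site


def preferred_dcs(ip, dcs=DOMAIN_CONTROLLERS, subnets=SUBNETS):
    """Order DCs the way a site-aware client would try them.

    DCs in the client's own site come first; DCs elsewhere are fallbacks.
    A siteless client has no preference and gets the list unchanged, so it
    may bind to a DC on the far side of the WAN even when a local one exists.
    """
    site = site_for_ip(ip, subnets)
    if site is None:
        return [dc["name"] for dc in dcs]
    local = [dc["name"] for dc in dcs if dc["site"] == site]
    remote = [dc["name"] for dc in dcs if dc["site"] != site]
    return local + remote


def uncovered_clients(client_ips, subnets=SUBNETS):
    """Check to run over a DHCP scope: addresses no subnet object covers."""
    return [ip for ip in client_ips if site_for_ip(ip, subnets) is None]


if __name__ == "__main__":
    # Constructed client addresses: one per building plus one from a range
    # that was never added as a subnet object.
    for ip in ("192.168.1.25", "192.168.2.40", "10.0.5.7"):
        print(ip, site_for_ip(ip), preferred_dcs(ip))
    print("uncovered:", uncovered_clients(["192.168.1.25", "10.0.5.7"]))
```

Feed `uncovered_clients` the address ranges of both DHCP scopes; anything it returns is a range that still needs a subnet object in AD Sites and Services. On a real client, `nltest /dsgetsite` shows which site the locator actually assigned it, which is the quickest way to confirm the objects were created correctly.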
sohtnax (author) commented:
NJComputerNetworks, thanks for the post!

One thing: why do I need to upgrade my existing 2000 DCs to 2003, and what if I don't? At this time, I cannot do so.

NJComputerNetworks commented:
You cannot add a Windows 2003 Domain Controller to a Windows 2000 domain.

sohtnax (author) commented:
I remember reading that it was possible.  Upon looking into this further, I found the following:

"Make sure all your 2000 DC's have SP4 on them. Don't be afraid of all the articles out there that talk about hotfixes and what not. Save yourself the anxiety and get the 2000 DC's on SP4.

Put the Windows 2003 Server CD in your Master Schema W2K domain controller and copy the I386 directory somewhere on a local drive.

* Run the following steps with minimal activity on the server.

Open a command prompt and switch to that I386 directory.

Type:
adprep /forestprep
It will prompt you to press C then ENTER to continue.
Let this run. It took about 10 minutes for me. You'll see several "command completed successfully" messages along with dots going across the screen.

Next, wait about 20 minutes and type:
adprep /domainprep
It won't prompt you for anything. It will just do its thing (It took 2 minutes for me)

You are now ready to add your 2003 domain controller to the 2000 domain. On your 2003 server, run the Active Directory wizard as needed for your domain. "
joedoe58 commented:
As far as I understand it should be possible to have both w2k and w2k3 DC's in the same domain. See this article: http://support.microsoft.com/?id=325379