
Windows 2003 AD domain and plans to (rename the domain and) expand it with a branch office/child domain

Posted on 2006-11-30
415 Views
Last Modified: 2008-02-01
Hi,

Currently we have a Windows 2003 domain and are planning to rename our domain and expand it with a branch office/child domain.

The name of the AD domain we have is hm.nl and will be hm.net (or hm.local); it is hosted on one DC server in the Netherlands at our main office.
Our branch office in China is ready to deploy a new server and needs to be connected with the domain in the Netherlands...

The China domain should have the DNS name cn.hm.net
and the workstations/clients there should have wrkstn55.cn.hm.net
As for our workstations in the Netherlands, I would like them to have a DNS name such as wrkstn99.nl.hm.net

Since we only have one DC in the Netherlands, is this possible and wise to design/make, or should it just be wrkstn99.hm.net?
Can it also be done on 1 DC in the Netherlands or do we need to have more? (we have servers available..)

I hope someone can help me.
Thanks in advance

Rick
Question by:Rick

Assisted Solution

by:Drizzt420
Drizzt420 earned 100 total points
If you set things up the way you would like, that would be 3 domains: hm.net and 2 child domains, cn.hm.net and nl.hm.net.
It wouldn't be a bad way to set things up, but you would need another server; 3 domains require at least 3 domain controllers.

If you do it this way, I would suggest just keeping the parent domain (hm.net) empty and using the child domains to hold your infrastructure.

The difficult part of doing it this way is that if you want the current domain to be nl.hm.net, it will have to become a child domain of an as-yet non-existent domain. Server 2003 allows you to rename domains, but I am not sure if it would be possible to rename it into the position of a child of another domain. You could change the name to hm.net, create the child domain nl.hm.net, and then migrate everything to that new child domain, but it would be a lot of work compared to just renaming the domain and making China the first child. I think the 3-domain option is a better design, but it may not be worth the hoops that you would have to jump through; it all depends on how good your implementation team is at these things.
Expert Comment

by:MATTHEW_L
Before you go migrating to multiple domains etc., is there a specific reason that you want more than one domain? Is there a specific schema difference between the domains, password policies etc. that has prompted you to have more than one domain instead of a site/OU structure that will fit your needs? If it is external domain presence such as email, you can maintain multiple external domains for web/email and a single internal domain.

Author Comment

by:Rick
Our Chinese branch office needs a separate domain controller because we don't trust our VPN site-to-site connection and don't want the clients to log in through the VPN connection.
The Chinese site has an 8-hour time difference and we have a system administrator there also..

If you can name your domain hm.net, you can also name it nl.hm.net in my opinion (the .net domain is also not hosted internally and made up..)

I think it's not worth it yet, using three domain controllers for the purpose of having hm.net, nl.hm.net and cn.hm.net.
It's still only for the looks and might take a while when we add another branch office in another country..

I am planning to use our old DC (after a format and a clean Windows 2003 installation) as a secondary DNS server.
Is it wise to make this a backup domain controller also?


Expert Comment

by:MATTHEW_L
From what you said: if you keep one domain and deploy a DC in China, clients will authenticate to the local DC, not over the VPN. The time difference will not cause a problem. The administrator there can be delegated authority over the OUs that he manages corresponding to China.

Expert Comment

by:eric_bender
Agree with Matthew L. The only distinction you would really get out of it is the unique domain names. Use the OUs to manage the organization. KISS methodology (Keep It Simple, Stupid)... I am not calling you that, 'tis just what it stands for.

Also, do you have a NEW DC that you are planning on installing at your side? I kinda got lost with the clean install and secondary DNS comment... If you don't already have a DC in place to perform the primary FSMO roles, you would need to recreate your entire directory anyway... Also, when you do create your China DC, ensure that you make it a Global Catalog server.

Author Comment

by:Rick
Recently we migrated from a Windows 2000 DC server to a new Windows 2003 DC server and now we have a native Windows 2003 AD.
Until the China DC is added, it's the only DC we have.

The demoted DC will get a hardware upgrade and then will be reinstalled with a clean installation of Windows 2003 R2.
Many times I have heard it's best to have a secondary DNS server for an AD environment..
So that's what I want to do.

Maybe, if advised, I can make it a (backup) domain controller for our main DC that now has the FSMO roles...
Also, in 2007 we want to deploy a new Exchange 2007 server at our main office; currently we don't use Exchange in our main or branch office.
Mostly I want to have a good AD structure to build on in the future...

Any ideas or tips on that?

Regards,
Rick




Expert Comment

by:eric_bender
When you say demoted... is that a separate physical box (I assume the 2000 DC) and not just an upgrade?
If that is the case, there really isn't a "PDC/BDC" role anymore (unless you were still in mixed mode, which you aren't). And yes, I would have at least 2 DCs available at your location, if for nothing more than failover.
We have a 2000 architecture that I have been trying to get them to move from, but money, money, money....
In the DC example we were fortunate to have a second DC, as we lost our primary to a hardware failure. It took a little work to get the FSMO roles to the secondary, but after all was said and done it was much, much, much better than having to rebuild the system and hope that our backup scheme was solid. I had been complaining about that as well.....

Accepted Solution

by:MATTHEW_L
MATTHEW_L earned 200 total points
Yes. Having two DCs, both with integrated DNS zones, is a good idea for failover and redundancy. Still, creating a single AD forest with one domain sounds like the best move for you. Creating an OU structure will help with administration and organizing resources based on office etc.

Author Comment

by:Rick
Yes, the demoted DC is the Windows 2000 server (2 x 1.4 GHz Dell PowerEdge :-))

I will suggest giving the old Dell server the role of secondary DNS/domain server; this also seems best to me.

Matthew, I do understand the advantages of making a single AD forest with one domain, but we have a sysadmin at the company there and the VPN connection isn't that reliable.
The Chinese government also seems to enjoy itself and blocks some IPs once in a while..
If you call them and ask why they blocked it, they don't say anything about that, what was wrong or so. It's also fun to surf from a Chinese server (remote desktop) and then visit American or European sites. If you try to visit those sites you're breaking the law, if I remember correctly (there are some nice reports about the internet regime).

Many of them are DNS/IP blocked (most of them political, sex, ..). Also, ICMP was blocked on the Chinese network a year ago; there is one big firewall surrounding China.
There's nothing like freedom of speech there, but the paychecks are low :-) so who gives a damn!
Our company sells machines to Asia and is not yet focused on export from China.

In Holland we have a 2Mbit up/down SDSL connection and in China we have a 10Mbit fiber connection from the China province network.
All ISPs and other media sources are owned by the government :-)

Thanks for the response, and I always thought the KISS methodology was something like -> Keep It Simple Sir... :-Þ

Regards,
Rick






Assisted Solution

by:eric_bender
eric_bender earned 200 total points
The only reason that I can think of to need a separate "domain" in your scenario is for public presence. Do you need to have a public site in China? If not, you would just configure the single forest/domain. All 3 DCs would provide DNS (new, rebuilt, China). The only difference in the DNS routing is that in China you can configure that DNS server to be the first and/or only one for the clients. The option of creating an OU within the domain allows you to place all of the China resources into that object, then allows you to assign administrative authority via delegation, i.e. using the model Matthew refers to.

Expert Comment

by:MATTHEW_L
And if you do need external presence, you can maintain multiple external domain names and Exchange email addresses with one domain. You can even change the user principal name to reference user@china.com or user@us.com and still be in one domain.

Author Comment

by:Rick
Hey guys,

I've done some research of my own and came to the same conclusion as you did!
Why use a child domain? In my research I couldn't really find the advantages/answer!

I don't know why I wanted this; I've seen it in whitepapers and so on, but then again, why use a child domain?
Because I get a kick out of a nice DNS structure? I don't know anymore :D

You talk about public presence, what do you mean by that?



Expert Comment

by:MATTHEW_L
I mean public presence such as a web site at www.company.com and www.company2.com, or email addresses @company.com and email addresses @company2.com.

You can maintain separate external domain names for two company names and still have only one internal domain name. You can have employees at your company who have @company.com and some that have @company2.com for their email addresses, and all co-exist under one nicely managed domain.

There are reasons to use child domains, and also an empty parent with a child, but your situation seems to be best solved by a single domain. Anyway, it decreases the complexity of management.
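The "several public names, one internal domain" point that MATTHEW_L makes in his two comments above (the user@china.com / user@us.com UPNs and the @company.com / @company2.com mailboxes) comes down to registering extra UPN suffixes on the forest and stamping them onto users per OU. The script below is an added example, not code from the thread or from any of the posters. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later; on a Windows Server 2003 DC the same suffix is added through AD Domains and Trusts instead), an OU named OU=China,DC=hm,DC=net holding the Chinese users, and the placeholder suffixes china.com and us.com.

```powershell
# Added example, not from the thread: one internal domain (hm.net), several public
# e-mail/logon suffixes. Assumptions: ActiveDirectory module available; the OU
# OU=China,DC=hm,DC=net exists; china.com and us.com are placeholder suffixes that
# the company owns.

Import-Module ActiveDirectory

# 1. Register the suffixes once for the forest. Only add names the company really
#    owns: the UPN is what users type at logon and, once mail arrives, it is easiest
#    when it matches the mailbox address.
Set-ADForest -Identity 'hm.net' -UPNSuffixes @{ Add = 'china.com', 'us.com' }

# 2. Give every user in the China OU the china.com suffix, keeping the existing
#    logon prefix. sAMAccountName and the domain do not change, so nothing about
#    the single-domain design changes; only the name the user types does.
$chinaOu = 'OU=China,DC=hm,DC=net'
Get-ADUser -SearchBase $chinaOu -Filter * -Properties UserPrincipalName |
    ForEach-Object {
        $wanted = '{0}@china.com' -f $_.SamAccountName
        if ($_.UserPrincipalName -ne $wanted) {
            Set-ADUser -Identity $_ -UserPrincipalName $wanted
        }
    }

# 3. Check for collisions before anyone relies on the new names: a UPN has to be
#    unique in the forest and older domain controllers do not reject a duplicate
#    on write, so list any UPN that now appears more than once.
Get-ADUser -Filter * -Properties UserPrincipalName |
    Group-Object UserPrincipalName |
    Where-Object { $_.Count -gt 1 } |
    Select-Object Name, Count
```

The UPN is only the logon name; the actual mail addresses (@company.com, @company2.com) are set separately on the mailbox or in proxyAddresses when Exchange is deployed. Keeping the two equal is a convenience, not a requirement, which is why one internal domain can serve any number of public names.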

Author Comment

by:Rick
Oh, and sorry, I almost closed this thread and tried to write a closing argument/comment! :D

Author Comment

by:Rick
Yeah, ok,

I do imagine that with several large subnets/departments one would like to have different DNS (prefix) names and so on..
easily tracking down which user uses a certain service and so on.. that's why I wanted it in the first place, I guess,
but it didn't come to mind that it would make things so much more difficult.

I understand that DNS records can point to a mail server on the internet, but would companies normally base their AD structure on this? (with the child domains)
It's a nice thought, but sysadmins should know web/mail servers can run multiple virtual domains :-)


Author Comment

by:Rick
Hi, I have one last question!

For now I want to deploy an OU-based design; I have prepared it already, but I still have some last questions.

Internally we have agreed that we don't trust our sysadmin in China enough yet to give him the administrator password.
The data we have in our main office is too valuable.

The sysadmin in China will have control over the China OU, but then there are still some matters...

How does he add user and computer accounts, and how does he control the shares, folders and other resources on the server (DHCP, DNS)?
When adding accounts they need to be moved to the China OU, since he has delegated control over these...
For this I can add him to the Account Operators, but is this the right thing to do?

I know (in 2003) there is a tool that can change the default (non-OU) Users and Computers container (where new objects are added) in the AD to an available OU (this would affect our office also).
But the objects still need to be moved to the right OU; I have searched for scripts but haven't found any nice ones.
I am a C++ programmer, so I can manage to program one myself I guess, but there is something in me that is still wondering if this is the right thing to do...

This is why I chose to use a child design in the first place...
In the future we want to share more and more resources with China (Exchange, DFS, SharePoint etc.) and giving the administrator rights to all is no option.

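The delegation that MATTHEW_L and eric_bender recommend, applied to the concrete worry in Rick's last question (Account Operators, and new objects landing in the default containers), as an added example; this is not code from the thread or from any of the posters. It assumes an OU tree OU=China,DC=hm,DC=net, a global group HM\CN-Admins that holds the China sysadmin, a workstation name wrkstn55 as a placeholder, and the dsacls.exe / dsadd.exe command-line tools (Windows Server 2003 Support Tools; built in from Windows Server 2008 on). Run it as a member of Domain Admins on the Netherlands DC.

```powershell
# Added example, not from the thread: delegate one OU tree to the China sysadmin
# instead of adding him to Account Operators.
# Assumptions: OU=China,DC=hm,DC=net exists; group HM\CN-Admins holds the China admin;
# dsacls.exe and dsadd.exe are available (2003 Support Tools, built in from 2008 on).

$domainDn = 'DC=hm,DC=net'
$chinaOu  = "OU=China,$domainDn"
$group    = 'HM\CN-Admins'
$classes  = 'user', 'computer', 'group'

# 1. Let the group create and delete user, computer and group objects in the China OU
#    and every sub-OU. CC = create child, DC = delete child; the trailing ";class"
#    limits the ACE to that object class, /I:T applies it to this OU and all
#    sub-objects. ${group} is needed so PowerShell does not read "$group:" as a scope.
foreach ($class in $classes) {
    dsacls $chinaOu /I:T /G "${group}:CCDC;$class"
}

# 2. Full control (GA) over objects of those classes once they exist: password resets,
#    group membership, attributes. /I:S = inherited by sub-objects only, so the group
#    gets no rights on the OU object itself and cannot widen its own delegation.
foreach ($class in $classes) {
    dsacls $chinaOu /I:S /G "${group}:GA;;$class"
}

# 3. Pre-stage a workstation account inside the China OU. A machine that is joined
#    against an existing account stays in that OU instead of landing in CN=Computers,
#    where the China admin has no rights and from where someone in the Netherlands
#    would otherwise have to move it by hand.
dsadd ou "OU=Computers,$chinaOu"
dsadd computer "CN=wrkstn55,OU=Computers,$chinaOu" -desc "China branch workstation"

# 4. Read the ACL back: every ACE that names CN-Admins should be one of the above, and
#    the group must not appear on $domainDn or on the Netherlands OUs at all.
dsacls $chinaOu
```

Account Operators is the wrong tool here: it is domain-wide, can modify any non-administrative user and group, and can log on locally to the domain controllers, which is exactly the access the question wants to withhold. The ACEs above are scoped to one OU tree and nothing else, and once the China admin creates users directly in his OU they never pass through CN=Users, so the redirect tool and the move script become unnecessary. For the DHCP and DNS part of the question: membership in DHCP Administrators is harmless, but DnsAdmins is not. A DnsAdmins member can point the DNS service on a DC at an arbitrary DLL (the ServerLevelPluginDll setting), which runs as SYSTEM on the domain controller, so that group should stay with the Netherlands admins.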

Author Comment

by:Rick
Also :-) Sometimes I do wonder why the sysadmin in China has been hired; there are no more than 15/20 computers over there!