Windows 2003 AD domain and plans to (rename the domain and) expand it with a branch office/child domain


Currently we have a Windows 2003 domain and are planning to rename our domain and expand it with a branch office/child domain.

The name of the AD domain we have is and will be (or hm.local) and is positioned on one DC server in the Netherlands at our main office.
Our branch office in China is ready to deploy a new server and needs to be connected with the domain in the Netherlands...

The China domain should have the DNS name
and the workstations/clients there should have
As for our workstations in the Netherlands, I would like them to have a DNS name such as

Since we only have one DC in the Netherlands, is this possible and wise to design/make or should it be just
Can it also be done on 1 DC in the Netherlands or do we need to have more? (we have servers available..)

I hope someone can help me.
Thanks in advance

MATTHEW_L Commented:
Yes. Having two DCs both with integrated DNS zones is a good idea for failover and redundancy. Still, creating a single AD Forest with one domain sounds like the best move for you. Creating an OU structure will help with administration and organizing resources based on office etc.
Drizzt420 Commented:
If you set things up the way you would like, that would be 3 domains, and 2 child domains and
It wouldn't be a bad way to set things up, but you would need another server; 3 domains require at least 3 Domain Controllers.

If you do it this way, I would suggest just keeping the parent domain ( empty, and use the child domains to hold your infrastructure.

The difficult part of doing it this way is that if you want the current domain to be, it will have to become a child domain of an as yet non-existent domain. Server 2003 allows you to rename domains, but I am not sure if it would be possible to rename it into the position of the child of another domain. You could change the name to, create the child domain of, and then migrate everything to that new child domain, but it would be a lot of work compared to just renaming the domain and making China the first child. I think the 3 domain option is a better design, but it may not be worth the hoops that you would have to jump through; it all depends on how good your implementation team is at these things.
Before you go migrating to multiple domains etc., is there a specific reason that you want more than one domain? Is there a specific schema difference between the domains, password policies etc. that have prompted you to have more than one domain instead of a site/OU structure that will fit your needs? If it is external domain presence such as email, you can maintain multiple external domains for web/email and a single internal domain.

Rick (Author) Commented:
Our Chinese branch office needs a separate Domain Controller because we don't trust our VPN site-to-site connection and don't want the clients to log in through the VPN connection.
The Chinese site has an 8 hour time difference and we have a system administrator there also..

If you can name your domain, you can also name it in my opinion (the .net domain is also not hosted internally and made up..)

I think it's not worth it yet, using three domain controllers for the purpose of using, and
It's still only for the looks and might take a while when we add another branch office in another country..

I am planning to use our old DC (after a format and a clean Windows 2003 installation) as a secondary DNS server.
Is it wise to make this a backup domain controller also?

From what you said, if you keep one domain and deploy a DC in China, clients will authenticate to the local DC, not over the VPN. The time difference will not cause a problem. The administrator there can be delegated authority to the OUs that he manages corresponding to China.
Agree with Matthew L. The only distinction you would really get out of it is the unique domain names. Use the OUs to manage the organization. KISS Methodology (Keep It Simple Stupid)... I am not calling you that, 'tis just what it stands for.

Also, do you have a NEW DC that you are planning on installing at your side? I kinda got lost with the clean install and secondary DNS comment...... If you don't already have a DC in place to perform the primary FSMO, you would need to recreate your entire directory anyway..... Also when you do create your China DC, ensure that you make it a Global Catalog Server.........
Rick (Author) Commented:
Recently we migrated from a Windows 2000 DC server to a new Windows 2003 DC server and now we have a native Windows 2003 AD.
Until the China DC is added, it's the only DC we have.

The demoted DC will get a hardware upgrade and then will be reinstalled with a clean installation of Windows 2003 R2.
Many times I have heard it's best to have a secondary DNS server for an AD env..
So that's what I want to do.

Maybe, if advised, I can make it a (backup) domain controller for our main DC that now has the FSMO roles...
Also, in 2007 we want to deploy a new Exchange 2007 server at our main office; currently we don't use Exchange in our main or branch office.
Mostly I want to have a good AD structure to build on in the future...

Any ideas or tips on that?


When you say demoted...... is that a separate physical box..... (I assume the 2000 DC) and not just an upgrade?
If that is the case, there really isn't a "PDC/BDC" role anymore (unless you were still in Mixed Mode, which you aren't). And yes, I would have at least 2 DCs available at your location, if for nothing more than failover.
We have a 2000 architecture that I have been trying to get them to move from, but money money money....
In the DC example we were fortunate to have a second DC, as we lost our primary to a hardware failure. It took a little work to get the FSMO roles to the secondary, but after all was said and done it was much, much, much better than having to rebuild the system and hope that our backup scheme was solid. I had been complaining about that as well.....
Rick (Author) Commented:
Yes, the demoted DC is the Windows 2000 server (2 x 1.4 GHz Dell PowerEdge :-))

I will suggest the role of making the old Dell server a secondary DNS/domain server; this also seems best to me.

Matthew, I do understand the advantages of making a single AD Forest with one domain, but we have a sysadmin at the company there and the VPN connection isn't that reliable.
The Chinese government also seems to enjoy itself and blocks some IPs once in a while..
If you call them and ask why they blocked it, they don't say anything about that, what was wrong or so. It's also fun to surf from a Chinese server (remote desktop) and then visit American or European sites. If you try to visit those sites you're breaking the law if I remember correctly (there are some nice reports about the internet regime).

Many of them are DNS/IP blocked (most of them political, sex, ..). Also ICMP was blocked on the Chinese network a year ago; there is one big firewall surrounding China.
There's nothing like freedom of speech there, but the paychecks are low :-) so who gives a damn!
Our company sells machines to Asia and is not yet focused on export from China.

In Holland we have a 2 Mbit up/down SDSL connection and in China we have a 10 Mbit fiber connection from the China province network.
All ISPs and other media sources are owned by the government :-)

Thanks for the response, and I always thought the KISS Methodology was something like -> Keep It Simple Sir... :-Þ


eric_bender Commented:
The only reason that I can think of to need a separate "Domain" in your scenario is for public presence. Do you need to have a public site in China? If not, you would just configure the single forest/domain. All 3 DCs would provide DNS (New, Rebuilt, China). The only difference in the DNS routing is that in China you can configure that DNS server to be the first and/or only one for the clients. The option of creating an OU within the domain allows you to place all of the China resources into that object, then allows you to assign administrative authority via delegation.... i.e. using the model Matthew refers to.
And if you do need external presence, you can maintain multiple external domain names, Exchange email addresses with one domain. You can even change the user principal name to reference and still be in one domain.
Rick (Author) Commented:
Hey guys,

I've done some research of my own and came to the same conclusion as you did!
Why use a child domain? In my research I couldn't really find the advantages/answer!

I don't know why I wanted this; I've seen it in whitepapers and so, but then again why use a child domain?
Because I get the kicks out of a nice DNS structure? I don't know anymore :D

You talk about public presence, what do you mean by that?

I mean public presence such as a web site at and or email addresses and email addresses

You can maintain separate external domain names for two company names and still have only one internal domain name. You can have employees at your company who have and some that have for their email addresses and all co-exist under one nicely managed domain.

There are reasons to use child domains and also an empty parent with a child, but your situation seems to be best solved by a single domain. Anyway, it decreases the complexity of management.
Rick (Author) Commented:
Oh, and sorry, I almost closed this thread and tried to write a closing argument/comment! :D
Rick (Author) Commented:
Yeah ok,

I do imagine that with several large subnets/departments one would like to have different DNS (prefix) names and so..
Easily tracking down which user uses a certain service and so.. that's why I wanted it in the first place I guess,
but it didn't come to mind that it would make things so much more difficult.

I understand that DNS records can point to a mail server on the internet, but would companies normally base their AD structure on this? (with the child domains)
It's a nice thought, but sysadmins should know web/mail servers can run multiple virtual domains :-)

Rick (Author) Commented:
Hi, I have one last question!

For now I want to deploy an OU based design; I have prepared it already but I still have some last questions.

Internally we have agreed that we don't trust our sysadmin in China yet to give him the administrator password.
The data we have in our main office is too valuable.

The sysadmin in China will have control over the China OU, but then there are still some matters...

How does he add user and computer accounts, and how does he control the shares, folders and other resources on the server (DHCP, DNS)?
When adding accounts they need to be moved to the China OU since he has delegated control over these...
For this I can add him to the Account Operators, but is this the right thing to do...

I know (in 2003) there is a tool that can change the default (non OU) Users and Computers folder (when added) in the AD to an available OU. (this would affect our office also)
But the objects still need to be moved to the right OU; I have searched for scripts but haven't found any nice ones.
I am a C++ programmer so I can manage to program one myself I guess, but there is something in me that is still wondering if this is the right thing to do...

This is why I chose to use a child design in the first place...
In the future we want to share more and more resources with China (Exchange, DFS, SharePoint etc) and giving the administrator rights to all is no option.
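One way to answer the delegation question above without Account Operators, as an added example that is not from the thread: `dsacls.exe` (Windows Server 2003 Support Tools) grants the China admin's group object rights on the China OU only, so he creates accounts directly in that OU and nothing has to be moved. The OU name "China", the group `HM\China-Admins` and the `hm.local` distinguished names are assumptions.

```powershell
# Added example (not from the thread): delegate account management on the China
# OU only, instead of putting the China admin in Account Operators, which can
# manage accounts across the whole domain and log on to domain controllers.
# Assumptions: domain hm.local (named in the question), an OU called "China"
# and a group HM\China-Admins; dsacls.exe from the Windows Server 2003 Support
# Tools is on the path. Run once as a Domain Admin.

$ou  = "OU=China,DC=hm,DC=local"
$grp = "HM\China-Admins"

# Let the group create and delete user, computer and group objects directly in
# the OU (and any sub-OUs, /I:T), so new accounts never land in the default
# Users/Computers containers and nothing has to be moved afterwards.
foreach ($type in "user", "computer", "group") {
    dsacls $ou /I:T /G "${grp}:CCDC;$type"
}

# Full control over the objects that live beneath the OU (reset passwords,
# edit attributes, manage group membership); inherited to sub-objects only
# (/I:S), so the OU object itself and everything outside it are untouched.
foreach ($type in "user", "computer", "group") {
    dsacls $ou /I:S /G "${grp}:GA;;$type"
}

# Verify: the group must show up in the OU's ACL and must NOT show up on the
# default Users container, i.e. the Netherlands accounts stay out of reach.
dsacls $ou | Select-String "China-Admins"
dsacls "CN=Users,DC=hm,DC=local" | Select-String "China-Admins"
```

The default-container redirection tool mentioned above applies to the whole domain, so pointing it at the China OU would hand every new Netherlands account to China-Admins as well; with create rights delegated on the OU it is not needed.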

Rick (Author) Commented:
Also :-) Sometimes I do wonder why the sysadmin in China has been hired, there are no more than 15/20 computers over there!