We help IT Professionals succeed at work.

"New Domain Tree" question...

RKoons asked
Medium Priority
Last Modified: 2012-06-27
"Sometimes, the learning curve is more of a cliff..."

I have a small AD Domain in chicago which is the "Forest Root Domain". This consists of 7 servers, two of which are Domain Controllers, One is an Exchange server. Both Chicago DC's are G.C's as well.

I also have a small office in Wisconsin connected to the Chicago office via a PPTP VPN. This office has 5 users, two printers, and no servers at this time. The plan here is to add a server to the Wisconsin office and in some fashion, make it a part of the Chicago Forest.

For now, I have the "New" DC here in Chicago, setup on a subnet so I can do the prelim. testing before shipping it all up to Wisconsin and making it live. When setting up the new Domain, I decided on a "New Domain Tree" as the method for installing AD and making that connection to the Forest Root.

All seems to be going well so far, but as usual, I have some questions on the remaining steps.

Basically, I know once I get everything talking correctly, I will have lots more to do for this new Domain like User and admin permissions, Local Wisconsin directories and resource setup and access permissions/restrictions, Etc, Etc. But, I believe that reguardless of how I want the two Domains in the forest to ultimitly "Co-habitate", there are still these basic foundational settings and systems that must be in place from the "Get-Go", before any of the rest will even hope to work.


The main domain is "Knightcorp.knightea.com" -

The new Domain is "KNorth.knightea.com" - - Testing only. will be once done.

When I was done with the "Wizard" setting up the AD on this new first DC, it had:

 - Added the new domain under the "Active Directory Domains and Trusts" in the existing Forest Root domain.
 - Set up a "Transitive, Tree root trust" between the two domains.
 - Added the new server to the default site I previously setup for the original domain under "Active Directory Sites and Services", also in the existing Forest Root domain.
 - I already added the "Subnet" settings for the test domain, also under "Active Directory Sites and Services" in the existing Forest Root domain.

Initial Problems/Questions:

1. On the new domain controller for the new domain, the default DNS server address it set for itself with the wizard was: as prefered DNS and nothing as secondary. Should this be: Prefered-its own IP and secondary-the IP of the DNS from the Root domain?
2. When I go to a DC in the root domain and verify the trust, it says it cannot find the Domain controller for the new domain tree. does this have something to do with question 1?

And then, in general:

What do I need to do to assure that both sides of this DNS puzzle is configured properly to communicate with each other and the outside world?

I am assuming I need to create a new Site in "Active Directory Sites and Services" and assign the proper subnet and server to that new site. Is there some prefered way to do this for a "New Domain Tree"?
I am also assuming I need to setup replication between the two Domains for AD. Again, A prefered method or procedure?

Based upon the above, am I missing anything that will be needed for this new domain, and its relationship with the Forest Root?

For example: I know I have to do Group Policy, permissions, and O.U. structures for the new Domain, but I am assuming that, once these above items are done, and basic "Inner-forest" tranquility has been achieved, the rest will just fall into place.

Thanks for the assistance!
Watch Question

Technology and Business Process Advisor
Most Valuable Expert 2013
While there can be a few circumstances where having multiple domains can make sense nowadays, Active Directory eliminates the need for most of them.  My question is WHY are you setting up multiple domains?  In all likelihood, you are unnecessarily complicating things.  Just place a domain controller in the remote site.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


I guess my initial thought was that a "seperate Domain" in the same forest would allow us all do be in the same forest yet still allow the segregation I will require for each office.
Granted, the general permissions for the user pools in each office will be similar, but each office will be accessing a different set of resources based upon the projects the individual office will need.
I also thought that if you were dealing with potentially a limited amount of bandwidth between offices, a new Domain would limit the amount of replication traffic across the WAN.
I know that being across a router means that the other office needs to have a different subnet. I assumed that this also ment that it would therefore be more logical to have a seperate Domain as well.
So... In your setup I would:
  1. Add the new DC to the existing Domain.
  2. Set up a new Site for this DC and move the DC to that site in AD.
  3. Make sure the new site has the proper subnet associated with it.
But after this:
  1. Would I need to setup a site link?
  2. How would I control which server authenticates the users in the new office?
  3. How do I associate the Wisconsin office users as being in a seperate location from the rest of us.
My problem is, I research this stuff but can never find the specific information needed that relates to my situation. Are there some white papers or articles that compare the pro's & Con's of these different options? I'm not apposed to simpler, as long as it works!
Lee W, MVPTechnology and Business Process Advisor
Most Valuable Expert 2013

1.  You'll want the connections between other DCs - I don't remember if I had to create them manually or if they were created with the site/DC.
2.  Based on site.  And it would LIMIT them to authenticating to the local server, but it would make the local server the preferred server.  If it was unavailable, they could still logon through the WAN link.  Logon traffic in a small network is not very significant.
3.  Create an OU and place users and computers in that (or an entire OU structure).  Then you can even delegate the management of that OU to a local admin.  If you go with Server 2008, you can create Read-only DCs that only store the LOCAL user accounts and pass everything else back to the server.  It's a more secure way of doing things.


Just when you thought you had it all figured out.
So, in digest, what we are saying here is, my original plan is not necessarily wrong, just not really the best plan for the size and complexity of my network.
So when you consider:
  • Expanding the existing domain, just add Sites & Subnets.
  • Adding a new Child Domain to the original Root/Tree.
  • Adding a new Root Tree in the same forest.
Under what cercumstances is one better than the next?
Got a long weekend coming... starting NOW! Gonna mull this around and decide on Monday Morning!
Thanks in advance
Lee W, MVPTechnology and Business Process Advisor
Most Valuable Expert 2013

NT4 Domains needed child domains for administrative purposes - and trusts.  There are few circumstances that I would recommend a separate domain.  It just doesn't make sense to me.  Not when everything can be handled in one domain and management can be delegated.  By staying with one domain, if your remote DC fails - or your main office DC fails - people can STILL log on because the other site's DC will be available to process requests.  Logons may take a little longer, but it becomes a useful method of redundancy - UNLESS your sites are not secureable.  Then you need to rethink that... but even then, I would suggest a RoDC before I'd suggest a separate domain.


Thanks for your help. I went into the "New Tree" approach a little, and the configuration quickly became a nightmare.

I am just getting started setting up the "DC in a new Site" as you suggested, and it is already Much easier

Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.