RKoons asked:
"New Domain Tree" question...

"Sometimes, the learning curve is more of a cliff..."

I have a small AD Domain in Chicago which is the "Forest Root Domain". This consists of 7 servers, two of which are Domain Controllers; one is an Exchange server. Both Chicago DCs are GCs as well.

I also have a small office in Wisconsin connected to the Chicago office via a PPTP VPN. This office has 5 users, two printers, and no servers at this time. The plan here is to add a server to the Wisconsin office and in some fashion, make it a part of the Chicago Forest.

For now, I have the "New" DC here in Chicago, set up on a subnet so I can do the prelim. testing before shipping it all up to Wisconsin and making it live. When setting up the new Domain, I decided on a "New Domain Tree" as the method for installing AD and making that connection to the Forest Root.

All seems to be going well so far, but as usual, I have some questions on the remaining steps.

Basically, I know once I get everything talking correctly, I will have lots more to do for this new Domain like User and admin permissions, Local Wisconsin directories and resource setup and access permissions/restrictions, etc., etc. But, I believe that regardless of how I want the two Domains in the forest to ultimately "Co-habitate", there are still these basic foundational settings and systems that must be in place from the "Get-Go", before any of the rest will even hope to work.

So...

The main domain is "Knightcorp.knightea.com" - 10.10.70.0/23

The new Domain is "KNorth.knightea.com" - 10.10.76.0/23 - Testing only. will be 10.10.74.0/23 once done.

When I was done with the "Wizard" setting up the AD on this new first DC, it had:

 - Added the new domain under the "Active Directory Domains and Trusts" in the existing Forest Root domain.
 - Set up a "Transitive, Tree root trust" between the two domains.
 - Added the new server to the default site I previously setup for the original domain under "Active Directory Sites and Services", also in the existing Forest Root domain.
 - I already added the "Subnet" settings for the test domain, also under "Active Directory Sites and Services" in the existing Forest Root domain.

Initial Problems/Questions:

1. On the new domain controller for the new domain, the default DNS server address it set for itself with the wizard was: 127.0.0.1 as preferred DNS and nothing as secondary. Should this be: Preferred - its own IP, and secondary - the IP of the DNS from the Root domain?
2. When I go to a DC in the root domain and verify the trust, it says it cannot find the Domain controller for the new domain tree. Does this have something to do with question 1?

And then, in general:

What do I need to do to assure that both sides of this DNS puzzle are configured properly to communicate with each other and the outside world?

I am assuming I need to create a new Site in "Active Directory Sites and Services" and assign the proper subnet and server to that new site. Is there some preferred way to do this for a "New Domain Tree"?
 
I am also assuming I need to set up replication between the two Domains for AD. Again, a preferred method or procedure?

Based upon the above, am I missing anything that will be needed for this new domain, and its relationship with the Forest Root?

For example: I know I have to do Group Policy, permissions, and O.U. structures for the new Domain, but I am assuming that, once these above items are done, and basic "Inner-forest" tranquility has been achieved, the rest will just fall into place.

Thanks for the assistance!
ASKER CERTIFIED SOLUTION: Lee W, MVP
RKoons (asker):
I guess my initial thought was that a "separate Domain" in the same forest would allow us all to be in the same forest yet still allow the segregation I will require for each office.
Granted, the general permissions for the user pools in each office will be similar, but each office will be accessing a different set of resources based upon the projects the individual office will need.
I also thought that if you were dealing with potentially a limited amount of bandwidth between offices, a new Domain would limit the amount of replication traffic across the WAN.
I know that being across a router means that the other office needs to have a different subnet. I assumed that this also meant that it would therefore be more logical to have a separate Domain as well.
So... In your setup I would:
  1. Add the new DC to the existing Domain.
  2. Set up a new Site for this DC and move the DC to that site in AD.
  3. Make sure the new site has the proper subnet associated with it.
But after this:
  1. Would I need to setup a site link?
  2. How would I control which server authenticates the users in the new office?
  3. How do I associate the Wisconsin office users as being in a separate location from the rest of us?
My problem is, I research this stuff but can never find the specific information needed that relates to my situation. Are there some white papers or articles that compare the pros & cons of these different options? I'm not opposed to simpler, as long as it works!
Thanks
1.  You'll want the connections between other DCs - I don't remember if I had to create them manually or if they were created with the site/DC.
2.  Based on site.  And it would LIMIT them to authenticating to the local server, but it would make the local server the preferred server.  If it was unavailable, they could still logon through the WAN link.  Logon traffic in a small network is not very significant.
3.  Create an OU and place users and computers in that (or an entire OU structure).  Then you can even delegate the management of that OU to a local admin.  If you go with Server 2008, you can create Read-only DCs that only store the LOCAL user accounts and pass everything else back to the server.  It's a more secure way of doing things.
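The three steps in that reply (site plus subnet, replication link, and an OU for the remote office) can be scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the thread or from Lee W; it assumes the module is available (Server 2008 R2 / RSAT or later), that the existing Chicago site is named "Chicago", that the new DC is named "WIDC01", and that the new site and OU are both called "Wisconsin". The subnet 10.10.74.0/23 and the domain Knightcorp.knightea.com are taken from the thread; the site-link cost and interval are illustrative values.

```powershell
# Added example (not from the thread): one domain, two sites, as Lee W recommends.
# Run as a Domain Admin on a DC or a host with RSAT; the ActiveDirectory module is required.
Import-Module ActiveDirectory

$ChicagoSite   = 'Chicago'        # assumption: the site already set up for the Chicago DCs
$WisconsinSite = 'Wisconsin'      # assumption: name for the new site
$WisconsinNet  = '10.10.74.0/23'  # from the thread: production subnet for the Wisconsin office
$NewDc         = 'WIDC01'         # assumption: hostname of the DC shipped to Wisconsin
$DomainDn      = 'DC=Knightcorp,DC=knightea,DC=com'   # DN of Knightcorp.knightea.com

# 1. Site and subnet. Clients whose address falls in 10.10.74.0/23 are matched to this
#    site, so they prefer a DC located there and only cross the VPN if it is unavailable.
New-ADReplicationSite   -Name $WisconsinSite
New-ADReplicationSubnet -Name $WisconsinNet -Site $WisconsinSite

# 2. Site link between the two sites. A new site created this way is not placed in
#    DEFAULTIPSITELINK automatically, so a link is needed or nothing replicates to it.
#    A higher cost and a 60-minute interval keep traffic on the PPTP link modest.
New-ADReplicationSiteLink -Name "$ChicagoSite-$WisconsinSite" `
    -SitesIncluded $ChicagoSite, $WisconsinSite `
    -Cost 200 -ReplicationFrequencyInMinutes 60 `
    -InterSiteTransportProtocol IP

# 3. Move the new DC into its site once it has been promoted. The server object will
#    otherwise sit in whichever site matched its IP at promotion time.
Move-ADDirectoryServer -Identity $NewDc -Site $WisconsinSite

# 4. OU structure for the remote office. Management of this subtree can later be
#    delegated to a local admin, which is what replaces the "separate domain" idea.
New-ADOrganizationalUnit -Name 'Wisconsin' -Path $DomainDn -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Users'     -Path "OU=Wisconsin,$DomainDn"
New-ADOrganizationalUnit -Name 'Computers' -Path "OU=Wisconsin,$DomainDn"

# 5. Verification. The KCC builds the inter-site connection objects itself; forcing a
#    KCC pass on the new DC shows them without waiting for the next scheduled run.
repadmin /kcc $NewDc
Get-ADReplicationSubnet  -Identity $WisconsinNet | Select-Object Name, Site
Get-ADReplicationSiteLink -Identity "$ChicagoSite-$WisconsinSite" |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
Get-ADReplicationConnection -Filter * |
    Where-Object { $_.ReplicateToDirectoryServer -like "*$NewDc*" } |
    Select-Object Name, ReplicateFromDirectoryServer
```

The last query answers the uncertainty in point 1 above: with a site link in place, the connection objects for the new DC are generated by the KCC and do not need to be created by hand; a manual connection is only worth creating if the automatically generated one is later found to be missing or wrong.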
RKoons (asker):
...Wow...
Just when you thought you had it all figured out.
So, in digest, what we are saying here is, my original plan is not necessarily wrong, just not really the best plan for the size and complexity of my network.
So when you consider:
  • Expanding the existing domain, just add Sites & Subnets.
  • Adding a new Child Domain to the original Root/Tree.
  • Adding a new Root Tree in the same forest.
Under what circumstances is one better than the next?
Got a long weekend coming... starting NOW! Gonna mull this around and decide on Monday Morning!
Thanks in advance
NT4 Domains needed child domains for administrative purposes - and trusts.  There are few circumstances that I would recommend a separate domain.  It just doesn't make sense to me.  Not when everything can be handled in one domain and management can be delegated.  By staying with one domain, if your remote DC fails - or your main office DC fails - people can STILL log on because the other site's DC will be available to process requests.  Logons may take a little longer, but it becomes a useful method of redundancy - UNLESS your sites are not securable.  Then you need to rethink that... but even then, I would suggest a RoDC before I'd suggest a separate domain.
RKoons (asker):
Thanks for your help. I went into the "New Tree" approach a little, and the configuration quickly became a nightmare.

I am just getting started setting up the "DC in a new Site" as you suggested, and it is already much easier.

Thanks