"New Domain Tree" question...

Posted on 2009-02-18
Last Modified: 2012-06-27
"Sometimes, the learning curve is more of a cliff..."

I have a small AD Domain in chicago which is the "Forest Root Domain". This consists of 7 servers, two of which are Domain Controllers, One is an Exchange server. Both Chicago DC's are G.C's as well.

I also have a small office in Wisconsin connected to the Chicago office via a PPTP VPN. This office has 5 users, two printers, and no servers at this time. The plan here is to add a server to the Wisconsin office and in some fashion, make it a part of the Chicago Forest.

For now, I have the "New" DC here in Chicago, setup on a subnet so I can do the prelim. testing before shipping it all up to Wisconsin and making it live. When setting up the new Domain, I decided on a "New Domain Tree" as the method for installing AD and making that connection to the Forest Root.

All seems to be going well so far, but as usual, I have some questions on the remaining steps.

Basically, I know once I get everything talking correctly, I will have lots more to do for this new Domain like User and admin permissions, Local Wisconsin directories and resource setup and access permissions/restrictions, Etc, Etc. But, I believe that regardless of how I want the two Domains in the forest to ultimately "Co-habitate", there are still these basic foundational settings and systems that must be in place from the "Get-Go", before any of the rest will even hope to work.
The main domain is "" -

The new Domain is "" - - Testing only. will be once done.

When I was done with the "Wizard" setting up the AD on this new first DC, it had:

 - Added the new domain under the "Active Directory Domains and Trusts" in the existing Forest Root domain.
 - Set up a "Transitive, Tree root trust" between the two domains.
 - Added the new server to the default site I previously setup for the original domain under "Active Directory Sites and Services", also in the existing Forest Root domain.
 - I already added the "Subnet" settings for the test domain, also under "Active Directory Sites and Services" in the existing Forest Root domain.

Initial Problems/Questions:

1. On the new domain controller for the new domain, the default DNS server address it set for itself with the wizard was: as preferred DNS and nothing as secondary. Should this be: Preferred - its own IP, and secondary - the IP of the DNS from the Root domain?
2. When I go to a DC in the root domain and verify the trust, it says it cannot find the Domain controller for the new domain tree. Does this have something to do with question 1?

And then, in general:

What do I need to do to assure that both sides of this DNS puzzle are configured properly to communicate with each other and the outside world?

I am assuming I need to create a new Site in "Active Directory Sites and Services" and assign the proper subnet and server to that new site. Is there some preferred way to do this for a "New Domain Tree"?
I am also assuming I need to set up replication between the two Domains for AD. Again, a preferred method or procedure?

Based upon the above, am I missing anything that will be needed for this new domain, and its relationship with the Forest Root?

For example: I know I have to do Group Policy, permissions, and O.U. structures for the new Domain, but I am assuming that, once these above items are done, and basic "Inner-forest" tranquility has been achieved, the rest will just fall into place.

Thanks for the assistance!
Question by:RKoons
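The two "initial problems" in the question (which DNS servers the new DC should point at, and why the root-domain DC cannot find a DC for the new tree) both come down to DNS: a DC in one domain can only locate a DC in another if the `_msdcs` SRV records of that domain resolve from its side. The following PowerShell is an added check that is not part of the original question or answers; the domain names `corp.example`/`wi.example`, the addresses `10.10.0.10`/`10.20.0.10` and the interface alias `Ethernet` are placeholders, and the `Resolve-DnsName`/`Get-DnsClientServerAddress` cmdlets assume a Windows 8 / Server 2012 or later host.

```powershell
# Added example (not from the thread): verify the DNS plumbing a DC needs before
# trust verification, replication or cross-domain logons can work. Run on the new DC.
# Placeholders (assumed): corp.example = forest root, wi.example = new tree,
# 10.10.0.10 = root-domain DNS/DC, 10.20.0.10 = this DC.
$RootDomain = 'corp.example'
$NewDomain  = 'wi.example'
$RootDns    = '10.10.0.10'
$SelfIp     = '10.20.0.10'

# Question 1: once this DC hosts its own zone, its preferred DNS server should be
# itself, with the root-domain DNS as the alternate. Show what is configured now.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize
# To apply that layout (uncomment after confirming the interface alias):
# Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $SelfIp, $RootDns

# Question 2: "cannot find the domain controller" is what you see when the SRV
# records that advertise a domain's DCs do not resolve from the other side.
# Query each domain's DC SRV record against BOTH DNS servers.
foreach ($domain in $RootDomain, $NewDomain) {
    foreach ($server in $SelfIp, $RootDns) {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV `
                               -Server $server -ErrorAction SilentlyContinue
        $hits = @($srv | Where-Object Type -eq 'SRV')
        if ($hits.Count -gt 0) {
            "{0,-30} via {1,-12} OK  -> {2}" -f $domain, $server, ($hits.NameTarget -join ', ')
        } else {
            "{0,-30} via {1,-12} MISSING: that server needs a forwarder/secondary for this zone" -f $domain, $server
        }
    }
}

# A MISSING row is fixed on the DNS server that failed, e.g. on the new DC
# (DnsServer module, assumed available) so it can resolve the root domain:
# Add-DnsServerConditionalForwarderZone -Name $RootDomain -MasterServers $RootDns

# The DC locator performs the same lookup; /force bypasses the cached result.
nltest /dsgetdc:$RootDomain /force
nltest /dsgetdc:$NewDomain /force

# Built-in health checks: DNS registration of this DC, then a replication summary.
dcdiag /test:DNS /DnsBasic
repadmin /replsummary
```

Read the SRV table row by row: every combination must report OK before the trust can be verified, because each side's DC locator consults only its own configured DNS servers. The same check applies unchanged if the Wisconsin server ends up as a DC in the existing domain rather than in a new tree; only the second domain name drops out.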
    LVL 95

    Accepted Solution

    While there can be a few circumstances where having multiple domains can make sense nowadays, Active Directory eliminates the need for most of them.  My question is WHY are you setting up multiple domains?  In all likelihood, you are unnecessarily complicating things.  Just place a domain controller in the remote site.
    LVL 1

    Author Comment

    I guess my initial thought was that a "separate Domain" in the same forest would allow us all to be in the same forest yet still allow the segregation I will require for each office.
    Granted, the general permissions for the user pools in each office will be similar, but each office will be accessing a different set of resources based upon the projects the individual office will need.
    I also thought that if you were dealing with a potentially limited amount of bandwidth between offices, a new Domain would limit the amount of replication traffic across the WAN.
    I know that being across a router means that the other office needs to have a different subnet. I assumed that this also meant that it would therefore be more logical to have a separate Domain as well.
    So... In your setup I would:
    1. Add the new DC to the existing Domain.
    2. Set up a new Site for this DC and move the DC to that site in AD.
    3. Make sure the new site has the proper subnet associated with it.
    But after this:
    1. Would I need to setup a site link?
    2. How would I control which server authenticates the users in the new office?
    3. How do I associate the Wisconsin office users as being in a separate location from the rest of us?
    My problem is, I research this stuff but can never find the specific information needed that relates to my situation. Are there some white papers or articles that compare the pros & cons of these different options? I'm not opposed to simpler, as long as it works!
    LVL 95

    Expert Comment

    by:Lee W, MVP
    1.  You'll want the connections between other DCs - I don't remember if I had to create them manually or if they were created with the site/DC.
    2.  Based on site.  And it would LIMIT them to authenticating to the local server, but it would make the local server the preferred server.  If it was unavailable, they could still logon through the WAN link.  Logon traffic in a small network is not very significant.
    3.  Create an OU and place users and computers in that (or an entire OU structure).  Then you can even delegate the management of that OU to a local admin.  If you go with Server 2008, you can create Read-only DCs that only store the LOCAL user accounts and pass everything else back to the server.  It's a more secure way of doing things.
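The three steps the author lists (add the DC to the existing domain, create a site for it, attach the subnet) plus the expert's answers (a site link, site-based authentication, an OU that can be delegated, optionally an RODC) make up one procedure. The following PowerShell is an added illustration of that procedure and is not the expert's or the thread's own commands; it assumes the ActiveDirectory module from Server 2012 or later, and the domain `corp.example`, site names `Chicago`/`Wisconsin`, subnet `10.20.0.0/24`, server name `WI-DC01` and group `WI-Admins` are placeholders.

```powershell
# Added example (not from the thread): the "one domain, new site" layout the expert
# recommends. Run as a domain admin from a management host with RSAT installed.
# Placeholders (assumed): corp.example, sites Chicago/Wisconsin, 10.20.0.0/24, WI-DC01.
Import-Module ActiveDirectory
$Domain   = 'corp.example'
$DomainDN = (Get-ADDomain -Identity $Domain).DistinguishedName

# Optional: give the default site a meaningful name so the topology is readable.
# Get-ADReplicationSite -Identity 'Default-First-Site-Name' | Rename-ADObject -NewName 'Chicago'

# Step 2: the remote site.
if (-not (Get-ADReplicationSite -Filter "Name -eq 'Wisconsin'")) {
    New-ADReplicationSite -Name 'Wisconsin' -Description 'Wisconsin branch office'
}

# Step 3: the subnet-to-site mapping. This is what makes Wisconsin clients (and the
# DC locator) prefer the local DC; without it they are treated as Chicago clients and
# authenticate across the VPN even when a DC is sitting next to them.
New-ADReplicationSubnet -Name '10.20.0.0/24' -Site 'Wisconsin' -Location 'Wisconsin office'

# "Would I need a site link?" Yes: inter-site replication only flows over a link.
# Cost and interval are the knobs that bound replication traffic across the WAN.
New-ADReplicationSiteLink -Name 'Chicago-Wisconsin' `
    -SitesIncluded 'Chicago', 'Wisconsin' `
    -Cost 100 -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP

# Step 1: promote the Wisconsin server into the EXISTING domain, directly into its
# site. Add -ReadOnlyReplica for the RODC variant the expert mentions when the
# branch cannot be physically secured (ADDSDeployment module; run on WI-DC01 itself):
#   Install-ADDSDomainController -DomainName $Domain -SiteName 'Wisconsin' -InstallDns -Credential (Get-Credential)
# If the DC was promoted before the site existed, move it:
Move-ADDirectoryServer -Identity 'WI-DC01' -Site 'Wisconsin'

# "How do I associate the Wisconsin users as a separate location?" An OU. Rights
# granted to a local admin group are then scoped to this OU, never to the whole domain
# (use the Delegation of Control wizard on the OU to grant WI-Admins its tasks).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Wisconsin'" -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Wisconsin' -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# Verification: the link table, and (run on a Wisconsin workstation) which site the
# client believes it is in; it must print Wisconsin, otherwise revisit the subnet.
Get-ADReplicationSiteLink -Filter * |
    Format-Table Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded -AutoSize
# nltest /dsgetsite
```

The order matters less than the expert's point: everything here lives in one domain, so a failed DC on either side simply means logons cross the VPN to the other site's DC instead of failing, which the two-domain design would not give you.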
    LVL 1

    Author Comment

    Just when you thought you had it all figured out.
    So, in digest, what we are saying here is, my original plan is not necessarily wrong, just not really the best plan for the size and complexity of my network.
    So when you consider:
    • Expanding the existing domain, just add Sites & Subnets.
    • Adding a new Child Domain to the original Root/Tree.
    • Adding a new Root Tree in the same forest.
    Under what circumstances is one better than the next?
    Got a long weekend coming... starting NOW! Gonna mull this around and decide on Monday Morning!
    Thanks in advance
    LVL 95

    Expert Comment

    by:Lee W, MVP
    NT4 Domains needed child domains for administrative purposes - and trusts.  There are few circumstances in which I would recommend a separate domain.  It just doesn't make sense to me.  Not when everything can be handled in one domain and management can be delegated.  By staying with one domain, if your remote DC fails - or your main office DC fails - people can STILL log on because the other site's DC will be available to process requests.  Logons may take a little longer, but it becomes a useful method of redundancy - UNLESS your sites are not securable.  Then you need to rethink that... but even then, I would suggest an RODC before I'd suggest a separate domain.
    LVL 1

    Author Closing Comment

    Thanks for your help. I went into the "New Tree" approach a little, and the configuration quickly became a nightmare.

    I am just getting started setting up the "DC in a new Site" as you suggested, and it is already much easier.
