

How do I set up a domain controller for an OU?

Posted on 2011-05-04
Medium Priority
Last Modified: 2012-05-11

We are trying to set up a new customer site with Active Directory and Exchange Server.
The site is currently connected through a VPN to the root AD in head office - au.acme.com

There are multiple OUs configured under this domain - au.acme.com - with thousands of users.

This new customer site is for one of the OUs.

Is it possible to set up a new domain controller for this OU, so that only users within this OU are replicated to the new domain controller and so that a local IT technician can create new accounts within this OU?

From my reading, this can be achieved by adding a new child domain controller, but this will complicate things.

Look forward to your suggestions.
Question by:Divya Bhatia

Expert Comment

by:Mike Kline
ID: 35689672
No you can't do that so that only certain objects are replicated within an OU.  All objects will be replicated.

What you can do is delegate permissions so that that admin can only modify objects in that OU.  You can do that using the delegation control wizard.  You can also extend that wizard


In 2008 RODCs were introduced (but they help more with physical security issues)



Expert Comment

ID: 35691639
The DCs also have to be in the OUs they are in by default so that the Default Domain Controller Policy applies properly to them.  I'm judging that by your subject line and what it implies you might be trying to do.  I really can't figure out what you mean by the rest of what you are saying.

Author Comment

by:Divya Bhatia
ID: 35710985
My situation is that we don't have control of the domain forest or domain tree.

Some background. The customer office that we are trying to look after has only 5 users at the moment and expect that to grow to 30 over the coming months. They would like us to configure their servers to be autonomous such that they can setup their own users and mailboxes without having to go back to head office which is in a different country / different time zone.

So my question is, how is this best achieved?

Expert Comment

ID: 35720388
It cannot be achieved,...it just doesn't work like that.

Are there a few different [very] complex possibilities?  Yes,..but the fact that you are asking this question means it is probably going to be beyond your abilities to do anything about it.

The best thing you could do is to work something out with those who do control the Forest and Domain,...they are the one who are going to have ultimate control in the end,...you need to work with them and find a way to "get along" with them,...because you aren't really going to be able to do anything without them

Accepted Solution

pwindell earned 500 total points
ID: 35720425
Some of the different possible models:

1. Master Domain - Child Domain (same Forest)
2. Multiple equal Domains in the same Forest
3. Two Domains, Two Forests,...with a Trust between the Forests
4. One Domain, one Forest, with delegated permissions on certain OU holding users (not DCs)

There may be a couple other options, but that is all I can think of right now.  All of them require cooperation with those who already control the Forest,...and in most options they will remain in ultimate control.
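As an added example, not code from any of the posters, here is what Mike Kline's "delegate permissions so that that admin can only modify objects in that OU" and pwindell's option 4 (one domain, one forest, delegated permissions on an OU holding users, not DCs) look like when done in PowerShell instead of the Delegation of Control wizard. The domain au.acme.com comes from the question; the OU name "CustomerSite" and the group name "CustomerSite-UserAdmins" are placeholders. It has to be run by someone who already holds rights on the OU's ACL, which in this scenario means head office, and it ends with an audit query that lists exactly what was granted so the delegation can be reviewed later.

```powershell
# Added example: delegate user-account management on ONE OU to a local
# admin group, then list the resulting ACEs for review.
# Assumptions: domain au.acme.com (from the question); OU "CustomerSite"
# and group "CustomerSite-UserAdmins" are placeholders. Must be run by an
# account that can already modify the OU's ACL (i.e. head office).
Import-Module ActiveDirectory

$OuDN      = "OU=CustomerSite,DC=au,DC=acme,DC=com"   # placeholder OU
$GroupName = "CustomerSite-UserAdmins"                 # placeholder group

# Well-known schema GUIDs, identical in every AD forest.
$userClassGuid     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # "user" object class
$resetPasswordGuid = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # "Reset Password" extended right

# Create the delegated group inside the same OU if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path $OuDN -PassThru
}
$sid = [System.Security.Principal.SecurityIdentifier]$group.SID

$acl = Get-Acl -Path "AD:\$OuDN"

# 1. Create and delete *user* objects under this OU and its sub-OUs.
#    Object type = user class, so the group cannot create groups, computers
#    or child OUs.
$createDeleteUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# 2. Read/write attributes of existing user objects only (inherited object
#    type = user), deliberately narrower than GenericAll.
$editUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty",
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

# 3. Reset password on those users; an extended right, so it needs its own ACE.
$resetPasswords = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

foreach ($rule in $createDeleteUsers, $editUsers, $resetPasswords) {
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$OuDN" -AclObject $acl

# Audit: every explicit (non-inherited) ACE this group holds on the OU.
# Re-run this periodically; anything beyond the three rights above is drift.
(Get-Acl -Path "AD:\$OuDN").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The three ACEs are kept separate on purpose: when the audit query runs, each right appears as its own line, so a reviewer can see that the local group can create, edit and reset passwords on users in this OU and nothing more. Because the group is scoped to the OU and not to the Domain Controllers OU, this does not interfere with the point raised above about DCs needing to stay in their default OU for the Default Domain Controllers Policy. It also does not change replication at all: every object in au.acme.com still replicates to every DC, which is why a local DC at the customer site would still hold the whole domain.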
