How do I set up a domain controller for an OU?

Posted on 2011-05-04
Last Modified: 2012-05-11

We are trying to set up a new customer site with Active Directory and Exchange Server.
The site is currently connected through a VPN to the root AD in head office.

There are multiple OUs configured under this domain, with thousands of users.

This new customer site is for one of the OUs.

Is it possible to set up a new domain controller for this OU, so that only users within this OU are replicated to the new domain controller and so that a local IT technician can create new accounts within this OU?

From my reading, this can be achieved by adding a new child domain controller, but this will complicate things.

Look forward to your suggestions.
Question by:Barry Craig
    LVL 57

    Expert Comment

    by:Mike Kline
    No, you can't do that so that only certain objects are replicated within an OU.  All objects will be replicated.

    What you can do is delegate permissions so that that admin can only modify objects in that OU.  You can do that using the delegation control wizard.  You can also extend that wizard.

    In 2008 RODCs were introduced (but they help more with physical security issues)


    LVL 29

    Expert Comment

    The DCs also have to be in the OUs they are in by default so that the Default Domain Controller Policy applies properly to them.  I'm judging that by your subject line and what it implies you might be trying to do.  I really can't figure out what you mean by the rest of what you are saying.
    LVL 1

    Author Comment

    by:Barry Craig
    My situation is that we don't have control of the domain forest or domain tree.

    Some background. The customer office that we are trying to look after has only 5 users at the moment and expects that to grow to 30 over the coming months. They would like us to configure their servers to be autonomous such that they can set up their own users and mailboxes without having to go back to head office, which is in a different country / different time zone.

    So my question is, how is this best achieved?
    LVL 29

    Expert Comment

    It cannot be achieved, it just doesn't work like that.

    Are there a few different [very] complex possibilities?  Yes, but the fact that you are asking this question means it is probably going to be beyond your abilities to do anything about it.

    The best thing you could do is to work something out with those who do control the Forest and Domain. They are the ones who are going to have ultimate control in the end; you need to work with them and find a way to "get along" with them, because you aren't really going to be able to do anything without them.
    LVL 29

    Accepted Solution

    Some of the different possible models:

    1. Master Domain - Child Domain (same Forest)
    2. Multiple equal Domains in the same Forest
    3. Two Domains, Two Forests, with a Trust between the Forests
    4. One Domain, one Forest, with delegated permissions on certain OUs holding users (not DCs)

    There may be a couple other options, but that is all I can think of right now.  All of them require cooperation with those who already control the Forest, and in most options they will remain in ultimate control.
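    Model 4 above (and the delegation Mike Kline describes) in script form, as an added example that is not part of this thread: it grants one group the right to create, delete and manage user objects in a single OU and nothing else, which is what the Delegation of Control Wizard writes to the OU's ACL. The OU path, the group name and the domain are assumptions; the GUID is the well-known schemaIDGUID of the "user" object class.

```powershell
# Added example: delegate user administration for ONE OU to a local admin group.
# Assumed names: OU=Branch,DC=example,DC=com and the group Branch-UserAdmins (created beforehand).
# Run as an account that already holds write permission on the OU's ACL (e.g. a Domain Admin).
Import-Module ActiveDirectory

$ouDN      = 'OU=Branch,DC=example,DC=com'
$groupName = 'Branch-UserAdmins'

$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# schemaIDGUID of the "user" object class; limits the rights below to user objects only
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: create and delete user objects in this OU and its sub-OUs
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# ACE 2: full control over the user objects below the OU (reset password, edit attributes),
# inherited only by objects of class "user", not by groups, computers or the OU itself
$manageUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($manageUsers)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs on the OU that name the delegated group
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType
```

    Because the rights are scoped by object class and OU, the group gets nothing on other OUs, on domain controllers, or on the domain head; re-run the verify query after any change to confirm no broader ACE crept in.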
