How to create a new domain and set correct permissions

Posted on 2011-10-15
Medium Priority
Last Modified: 2012-05-12
I have a single domain (domain.local) which is spanned over a number of sites. Users use an Exchange address of the form username@domain.com. I have a requirement where I want to create a separate domain so that I can stop domain admins for domain.local from tinkering with resources on my site, so that I can better manage resources and security. As of now, changes cannot be tracked to one single admin as they are spread over all the sites.
I want to create a new domain (domain1.local) so that only domain admins within the new domain can make changes to the resources, but users should be able to use the existing Exchange address of username@domain.com.

Example Notes:
domain.local (already exists)
domain1.com (needs to be created as new domain)

Overall project goal:
- Create a new domain (domain1.local).
- Users in the new domain (domain1.local) should be able to access resources in the old domain (domain.local), but users in the existing domain (domain.local) should not be able to access any resources in the new domain (domain1.local).
- Users in the new domain (domain1.local) should be able to access their email (username@domain.com), as the Exchange servers reside in the existing domain (domain.local).

Resources available at hand:
All servers will be Windows Server 2008 R2 Enterprise.
Question by: Kiransukumar
LVL 23

Expert Comment

ID: 36974230
I would suggest you don't call your new domain 'domain1.com' - it will cause problems in the future for you if 'domain1.com' also happens to be your internet-based domain.

After you have created your new domain, you will need to create a one-way trust relationship. The trust relationship needs to be domain.local TRUSTS domain1.com.
LVL 23

Expert Comment

ID: 36974249
Hit post by mistake.

Once you have the trust relationship, you can add the accounts for users in domain1.com to their corresponding e-mail accounts. Similarly, you can add the users from domain1.com to other resources (file shares, SQL etc).
LVL 15

Expert Comment

ID: 36974691
You're going about this the wrong way. The creation of the new domain will give you nothing for security if you create the 2-way trusts.
What you want to do is create users and delegate roles to those users.

Look at this document:
Author Comment

ID: 37027181
Hi jrhelgeson... If I have to follow your suggestion, the domain admins and the enterprise admins for domain.local will still have access to resources within the site in which I want to create the new domain (domain1.local). I do not have control to stop people/admins from accessing our resources (shares/applications etc.).
LVL 15

Expert Comment

ID: 37028113
Yes, Domain admin will still have access to *.* within the domain, and Enterprise will have access to *.* throughout all domains (throughout the enterprise).

You do NOT assign admin rights to people you wish to delegate tasks to - do not add them to the "Domain Admins" group. Instead you assign users or groups delegated permissions to AD objects, which grants them access to manage and control whatever objects exist in the container in which they have stewardship.
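
The delegation model described above, as an added example that is not part of the original answer: the new domain's site administrators receive rights scoped to one OU through `dsacls.exe` (shipped with Windows Server 2008 R2) instead of Domain Admins membership. The OU name `OU=SiteA` and the group `DOMAIN1\SiteA-Admins` are constructed for the example; `domain1.local` is the new domain from the question.

```powershell
# Added example, not from the thread. Assumed names:
#   domain1.local        - the new domain from the question
#   OU=SiteA             - OU holding that site's users and groups (constructed)
#   DOMAIN1\SiteA-Admins - group that receives the delegated rights (constructed)
# Run on a domain1.local DC as a member of that domain's Domain Admins.

$ou  = 'OU=SiteA,DC=domain1,DC=local'
$grp = 'DOMAIN1\SiteA-Admins'

# Create and delete user objects directly in this OU only (CC = create child, DC = delete child).
dsacls $ou /G "${grp}:CCDC;user"

# Manage the user objects inside the OU. /I:S applies the entry to child objects only,
# and the trailing ';user' limits it to objects of class user.
dsacls $ou /I:S /G "${grp}:RPWP;;user"                 # read/write all properties of users
dsacls $ou /I:S /G "${grp}:CA;Reset Password;user"     # the Reset Password control right

# Same group may create groups in the OU and edit their membership, nothing else.
dsacls $ou /G "${grp}:CCDC;group"
dsacls $ou /I:S /G "${grp}:RPWP;member;group"

# Review: every entry above is bound to this OU and never reaches the rest of the domain.
dsacls $ou
```

Running `dsacls $ou` without arguments at the end prints the resulting ACL, which is the check to repeat after any change: the delegated group should appear only on this OU, and the Domain Admins group of the new domain stays small.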

Author Comment

ID: 37033368
Sorry jrhelgeson,
  I have no control over the domain.local domain. There are enterprise admins and domain admins all over the place. The AD is so messed up that anyone who wishes to have access has domain-wide and enterprise-wide admin access. This is the very reason I wanted to move out to a new domain, so that I, as a domain administrator or enterprise administrator for the new domain, can have better control over resources and users and then delegate users within the new domain with the right rights to perform various tasks.
LVL 15

Accepted Solution

jrhelgeson earned 1000 total points
ID: 37035802
This would be my approach, if I were in your shoes.

If you are currently in a single domain environment, you should first revoke enterprise admin rights, as they are not being used (in a single domain, single forest environment, enterprise admin is essentially the same as domain admin).

If there are multiple domains, and you cannot revoke enterprise admin, then you'll need to create a 1-way trust to the new domain, and give users that are migrated over delegated authority instead of admin rights. Those migrated users can still have their admin rights in the old domain, because the old domain trusts all the users in the new domain, but the new domain trusts nothing and nobody.

If you can revoke enterprise admin, then you COULD set up a 2 way trust, but now that I'm thinking this through, that might not even work... because any domain admin rights holder could just grant themselves enterprise admin rights, and ... there goes the neighborhood.

Perhaps you want to stick with the 1-way trust, and only users that are migrated get to have rights in the new and old domains.

In the new domain, you'd migrate users into newdomain.local using ADMT, then you'd put them into a group called "Legacy_Domain_Admins", and members of that group are granted domain admin rights in the oldDomain.local that you are looking to move away from (you just add 'NewDomain\Legacy_Domain_Admins' as a member of the 'oldDomain\Domain Admins' group).
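
The one-way trust and the group nesting from the accepted answer, as an added example that is not part of the original answer. It uses the inbox `netdom.exe` and `dnscmd.exe` of Windows Server 2008 R2 and the names from the thread (`domain.local` as the old, trusting domain; `domain1.local` as the new, trusted domain; `Legacy_Domain_Admins`). The DNS server address `10.1.1.10` and the account names `DOMAIN\oldadmin` and `DOMAIN1\newadmin` are constructed. The ADMT migration itself is not shown. One practitioner's caveat is built in: a global group such as Domain Admins cannot hold members from another domain, so the nesting below targets the old domain's Builtin\Administrators group, which is domain local and can.

```powershell
# Added example, not from the thread. Assumed: 10.1.1.10 is a DNS server of
# domain1.local (constructed), and the credentials given are Domain Admins of
# their respective domains. Names domain.local, domain1.local and
# Legacy_Domain_Admins come from the thread.

# 1. Name resolution: run on a domain.local DNS server; repeat the mirror image
#    (zone domain.local, forwarder = a domain.local DNS server) on domain1.local.
dnscmd /ZoneAdd domain1.local /Forwarder 10.1.1.10

# 2. One-way external trust: domain.local TRUSTS domain1.local and never the reverse.
#    /UserO and /PasswordO authenticate to the trusting (object) domain named first,
#    /UserD and /PasswordD to the trusted domain given by /d. '*' prompts for the password.
netdom trust domain.local /d:domain1.local /add `
    /UserO:DOMAIN\oldadmin  /PasswordO:* `
    /UserD:DOMAIN1\newadmin /PasswordD:*

# 3. Verify the trust from the trusting side. A second trust in the opposite
#    direction is what must never appear; this is the check to rerun periodically.
netdom trust domain.local /d:domain1.local /verify

# 4. Nest the new domain's group into the old domain's Builtin\Administrators
#    (domain local, so it may contain a principal from the trusted domain).
$legacy = [ADSI]'LDAP://domain1.local/CN=Legacy_Domain_Admins,CN=Users,DC=domain1,DC=local'
$sid    = New-Object System.Security.Principal.SecurityIdentifier(
              $legacy.Properties['objectSid'].Value, 0)

$admins = [ADSI]'LDAP://domain.local/CN=Administrators,CN=Builtin,DC=domain,DC=local'
# Writing a <SID=...> reference makes the domain.local DC create the
# foreignSecurityPrincipal object for the trusted-domain group itself.
$admins.Properties['member'].Add("<SID=$sid>")
$admins.CommitChanges()

# 5. Confirm: the new member is listed under CN=ForeignSecurityPrincipals of domain.local.
$admins.RefreshCache()
$admins.Properties['member'] | Where-Object { $_ -like '*CN=ForeignSecurityPrincipals*' }
```

Step 4 gives every member of the new domain's `Legacy_Domain_Admins` group local administrator rights on the old domain's domain controllers, which is exactly what the answer asks for; it also means that group's membership is now a security boundary of the old domain and should be reviewed as carefully as the old Domain Admins group itself.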

