Creating a Child Domain and integrating CA from parent domain

1.) Windows Server 2008 R2 servers and a 2008 FFL. I was wondering if someone could walk me through the creation of a Child domain, such as what actions need to be taken to prepare the Parent domain and also the actual creation of the Child domain. Is there anything in particular that needs to be done on the Child domain during creation?

2.) Once the Child domain is created what steps/actions are required to enable the Child domain to use a Certificate Authority located in the Parent domain. This is required for servers in the Child domain to authenticate to Identity and Access Management servers and databases.

Thank you in advance.


Asked by: Marius Gunnerud
Krzysztof Pytko (Active Directory Engineer) commented:
Hi MAG03,

first of all, I would like to know some more details (if possible).

1) AD relation between parent - child
Do you plan to use more than one child domain? If so, do you want to use them in the same tree (root domain namespace) or in a different tree?

2) Child domain
Is it the same company with the same administrators, or another one managed by the parent domain's administrators?
One more option is that the parent (forest root domain) is treated as a "management domain" and the child domain is actually the first one where users can work? Is that the case?

3) Windows Server edition
Which server editions do you want to use in the child domain? Standard, Enterprise or Datacenter? It's important in case of CA configuration and its features. Will the DC be more than DC+DNS+DHCP? I suppose you also want to put the CA role there?

4) CA
What will the purpose of that CA be in the child domain? What kind of certificates do you want to deploy? Do you plan a simple structure (only one CA) or a whole CA tier (standalone root CA + sub CAs)?

Thank you in advance

Regards,
Krzysztof
Marius Gunnerud (Senior Systems Engineer, Author) commented:
Hi iSiek,

1.) There will be 2 Child domains and I am a little uncertain whether to have them in the same tree or different ones. Just need them to not replicate AD objects to the parent domain (user accounts, computer accounts, GPO, GAL, etc.). Any suggestions?

2.) Same company and same admins will be managing all domains. The child domains need to be separated from the parent domain as much as possible but still be able to use the Identity and Access Management database from the parent domain. I suppose that means that certain users from the child domains need to be able to log on to the parent domain. (This is also the reason for needing to use the CA located in the parent domain.)

3.) To the best of my knowledge the last of the Server 2003 will be removed next week, so all servers will be 2008 Standard or 2008 R2 Standard (again, this is to the best of my knowledge). It will be possible to upgrade to 2008 FFL if needed (am also thinking I will suggest upgrading to 2008 FFL anyway). I should get more info later today, but as far as I am aware right now, DC, DNS, and DHCP are separate (I will confirm later).

4.) This is what I am currently trying to figure out. From my understanding the CA in the parent domain will be used to authenticate users/computers in the child domains when accessing the IAM and Oracle databases. (Again, I should be able to clarify this later today.)
Krzysztof Pytko (Active Directory Engineer) commented:
OK, so let's try to write something more with these details. The rest I will write when you post the other missing parts :)

1) OK, so forest root domain and 2 child domains. That's no problem. Do you know what IP subnets you would use for them? It will help us to create Sites and Subnets. In case the 2 child domains are in the same forest there is no problem with domain trusts. You don't have to create them manually. It will be done automatically during child domain promotion (two-way transitive trust). The most important part during new domain set up is DNS configuration on the new DCs. They must point only to the DNS server in the parent root domain, and you need to use an enterprise administrator account to be able to set them up. When a new domain is created, the Domain Naming Master is modified, and this is a forest-wide master which requires enterprise admin credentials. Regarding GAL and Exchange, sorry, I can't help. I don't use Exchange and I have no experience with that. I've just started learning how to use that. You have to ask another expert in the Exchange category.

No objects (users/computers/GPOs) will be replicated from child domains to parent domain. That's for sure :)

2) OK, that's good. It will be much easier with administration for your company. The IAM database is secured over certificate access, right? So we need for sure the CA certificate from the parent root domain, or each child domain will have its own sub CA which is part of the CA in the parent domain.

3) OK, there is no need to have DFL/FFL 2008 for CA, but it's good to have it for other domain features. Please ask if it's possible to have 2008 R2 instead of 2008. It's much better and has new great features like AD Recycle Bin and so on.
Remember that when you remove all 2003 DCs and you have only 2008/2008 R2 with 2008/2008 R2 DFL/FFL, you need to buy new user/device CALs :] (or if you have Software Assurance, don't worry about that)

4) And this can be done easily. Domain trusts are available and certificates can be used, but I would suggest setting up a sub CA in each child domain. We will discuss it a little bit later with more details :]

I'm looking forward to new details from you

Krzysztof
Marius Gunnerud (Senior Systems Engineer, Author) commented:
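The reply above lists the preconditions for promoting the first DC of a child domain: the new server's DNS client must point only at the root domain's DNS servers, and the account used must be an Enterprise Admin because the Domain Naming Master is updated. The following PowerShell script is an added example (not from this thread) that checks those preconditions before running dcpromo; the domain names, DNS addresses and credential prompt are placeholders, and the membership check looks at direct group membership only.

```powershell
# Added example (not from the thread): pre-promotion checks for the server
# that will become the first DC of a child domain, following the reply above.
# Domain names, DNS IPs and the credential prompt are placeholders.
$ParentDomain = 'corp.example'              # placeholder forest root domain
$ChildName    = 'eu'                        # placeholder: new domain eu.corp.example
$ParentDns    = @('10.0.0.10', '10.0.0.11') # placeholder root-domain DNS servers
$Cred         = Get-Credential -Message 'Enterprise Admins account in the root domain'
$issues       = @()
# 1) The DNS client must point only at the root domain's DNS servers
#    (WMI keeps this working on Server 2008 R2 / PowerShell 2.0).
foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    $set = @($nic.DNSServerSearchOrder)
    $bad = @($set | Where-Object { $ParentDns -notcontains $_ })
    if ($set.Count -eq 0 -or $bad.Count -gt 0) {
        $issues += "NIC '$($nic.Description)' uses DNS [$($set -join ', ')]; expected only [$($ParentDns -join ', ')]"
    }
}

# 2) Root-domain DC locator records must resolve through those servers.
$srv = "_ldap._tcp.dc._msdcs.$ParentDomain"
if ((nslookup -type=SRV $srv 2>&1 | Out-String) -notmatch 'svr hostname') {
    $issues += "Cannot resolve $srv; root-domain DCs are not locatable from here"
}

# 3) The child name must still be free in DNS (NXDOMAIN is the good outcome).
try {
    [System.Net.Dns]::GetHostEntry("$ChildName.$ParentDomain") | Out-Null
    $issues += "$ChildName.$ParentDomain already resolves; choose another child name"
} catch { }

# 4) The credentials must bind to the forest, and the account must be a direct
#    member of Enterprise Admins: promotion updates the Domain Naming Master.
try {
    $pass = $Cred.GetNetworkCredential().Password
    $user = $Cred.GetNetworkCredential().UserName
    $ctx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
                'Forest', $ParentDomain, $Cred.UserName, $pass)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
    Write-Host "Domain Naming Master is $($forest.NamingRoleOwner.Name)"
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ParentDomain", $Cred.UserName, $pass)
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, "(sAMAccountName=$user)", @('memberOf'))
    $groups = @($s.FindOne().Properties['memberof'])
    if (-not ($groups -like 'CN=Enterprise Admins,*')) {
        $issues += "$user is not a direct member of Enterprise Admins in $ParentDomain"
    }
} catch { $issues += "Could not bind to forest $ParentDomain or look up $($Cred.UserName): $($_.Exception.Message)" }

if ($issues.Count -eq 0) { Write-Host 'All pre-promotion checks passed.' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

Run it on the prospective child DC before promotion; every warning it prints corresponds to one of the prerequisites named in the reply above.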
It seems as though IP addresses and server names will be decided on by those doing the installation. It also looks like I have free reign to decide to separate all roles if I choose to do so.

Could you help me to understand sub-CAs? How to set them up, what is required, etc.

Thanks
Krzysztof Pytko (Active Directory Engineer) commented:
Hi,

yes, of course. Just give me some time and I will write an explanation for you. Today it's not possible, but I would try to do that tomorrow morning.

Krzysztof
Marius Gunnerud (Senior Systems Engineer, Author) commented:
Hi iSiek,

I have decided to change my whole approach and am no longer going for child domains, as there will be issues with hiding the child domain GAL but still having the child domains able to view the GAL with child domain users. I know this will be sorted in Exchange 2010 SP2, but I think all in all separate domains is a better way to go.

Thanks for all your help.
Krzysztof Pytko (Active Directory Engineer) commented:
OK :)
You're welcome :)
Wish you luck

Krzysztof