Marius Gunnerud

asked on

Creating a Child Domain and integrating CA from parent domain

1.) Windows Server 2008 R2 servers and a 2008 FFL. I was wondering if someone could walk me through the creation of a Child domain, such as what actions need to be taken to prepare the Parent domain and also the actual creation of the Child domain. Is there anything in particular that needs to be done on the Child domain during creation?

2.) Once the Child domain is created what steps/actions are required to enable the Child domain to use a Certificate Authority located in the Parent domain. This is required for servers in the Child domain to authenticate to Identity and Access Management servers and databases.

Thank you in advance.

Krzysztof Pytko
Hi MAG03,

First of all, I would like to know some more details (if possible).

1) AD relation between parent - child
Do you plan to use more than one child domain? If so, do you want to use them in the same tree (root domain namespace) or in a different tree?

2) Child domain
Is it the same company with the same administrators or another one managed by parent domain's administrators?
One more option is that the parent (forest root domain) is treated as a "management domain" and the child domain is actually the first one where users can work. Is that the case?

3) Windows Server edition
Which server editions do you want to use in the child domain? Standard, Enterprise or Datacenter? It's important in case of CA configuration and its features. Will the DC be more than DC+DNS+DHCP? I suppose you also want to put the CA role there?

4) CA
What purpose will that CA have in the child domain? What kind of certificates do you want to deploy? Do you plan a simple structure (only one CA) or a whole CA tier (standalone root CA + sub CAs)?

Thank you in advance

Regards,
Krzysztof
Marius Gunnerud (ASKER)

Hi iSiek,

1.) There will be 2 Child domains and I am a little uncertain whether to have them in the same tree or different ones. I just need them to not replicate AD objects to the parent domain (user accounts, computer accounts, GPO, GAL, etc.). Any suggestions?

2.) Same company and the same admins will be managing all domains. The child domains need to be separated from the parent domain as much as possible but still be able to use the Identity and Access Management database from the parent domain. I suppose that means that certain users from the child domains need to be able to log on to the parent domain. (This is also the reason for needing to use the CA located in the parent domain.)

3.) To the best of my knowledge the last of the Server 2003 servers will be removed next week, so all servers will be 2008 Standard or 2008 R2 Standard (again, this is to the best of my knowledge). It will be possible to upgrade to 2008 FFL if needed (I am also thinking I will suggest upgrading to 2008 FFL anyway). I should get more info later today, but as far as I am aware right now, DC, DNS, and DHCP are separate (I will confirm later).

4.) This is what I am currently trying to figure out. From my understanding the CA in the parent domain will be used to authenticate users/computers in the child domains when accessing the IAM and Oracle databases. (Again, I should be able to clarify this later today.)
ASKER CERTIFIED SOLUTION
Krzysztof Pytko
It seems as though IP addresses and server names will be decided on by those doing the installation. It also looks like I have free rein to decide to separate all roles if I choose to do so.

Could you help me to understand sub-CAs? How to set them up, what is required, etc.

Thanks
Hi,

Yes, of course. Just give me some time and I will write an explanation for you. Today it's not possible, but I would try to do that tomorrow morning.

Krzysztof
Hi iSiek,

I have decided to change my whole approach and am no longer going for child domains, as there will be issues with hiding the child domain GAL while still having the child domains able to view the GAL with child domain users. I know this will be sorted in Exchange 2010 SP2, but I think all in all separate domains is a better way to go.

Thanks for all your help.
OK :)
You're welcome :)
Wish you luck

Krzysztof