Solved

Join an existing domain as a child domain in 2008R2?

Posted on 2012-04-10
Last Modified: 2012-04-20
Greetings Experts -

We're looking to build a 2008R2 lab domain geolocation.company.com and later join it to the main company.com domain as a child domain.  The catch is the new company.com domain doesn't exist yet so we'd be creating the child domain first as a standalone domain and then "converting" it to a child domain a few months down the road.

Is this possible with 2008R2?  We have the option to set up a domain trust between them but our understanding is that the parent-child domain setup would be more seamless.

Any advice/info you can offer is much appreciated.  Thank you!  :)
Question by:annexit
17 Comments
 
LVL 10

Expert Comment

by:George Khairallah
ID: 37830141
I've never done something like this, but I know it's not going to be a simple process. These domains have nothing to do with each other. Creating external trusts would mean that they don't share the same parent domain, and creating internal trusts, will require them sharing some of the FSMO roles of the Forest Root.

I think if this is your only option, that the Active Directory Migration Tool is going to be your best bet.
http://technet.microsoft.com/en-us/library/cc974332%28v=ws.10%29.aspx 

I would wait on another expert's opinion regarding this though, as I'm not 100% sure of this, and there may be another option available.
0
 

Author Comment

by:annexit
ID: 37830171
There are two main reasons we want to keep the geolocation.company.com domain as a child domain and not migrate everything to the company.com domain:

#1 the main company domain won't be up for quite a while yet and we want to start putting local infrastructure in place now instead of months from now

#2 we'd be domain admins of the child domain and could manage it locally without needing special permissions in company.com which we're likely not to get.
0
 
LVL 10

Accepted Solution

by:
George Khairallah earned 500 total points
ID: 37830198
Gotcha.
Well there are a couple of things I'm thinking of and/or concerned about:
1) You always have the option to create a 2 way trust between the domains.
2) If your current domain: geolocation.company.com is slated to be a child domain of a currently non-existent company.com Forest Root, I'm reluctant to say that you'll be able to seamlessly integrate just because of the fact that they have the same name.
Your current geolocation.company.com will have a completely different set of SIDs and identifiers for your current domain than the similarly named Forest Root.

I would think that, if you're looking at a true parent/child relationship in the domains, that you would be better off having your current domains named something like: geolocation.someothername.com, then when the "company.com" domain comes in as a forest root, you would then create a child domain under forest root, called: geolocation.company.com, and then migrate your AD objects from geolocation.someothername.com to geolocation.company.com using ADMT.

Again, it's not simple, but it's definitely doable.

I hope I addressed your actual scenario this time around? :)
0

 

Author Comment

by:annexit
ID: 37830249
You got it pretty much nailed.  To summarize:

> make geolocation.temporary.com locally and add all our domain objects there

> down the road, after company.com is running, make a new child domain geolocation.company.com

> migrate our AD objects from geolocation.temporary.com to geolocation.company.com

Is that right?  Step 2/3 would likely require us to work with the company IT department and I'm not certain how willing they'll be to do this for us, so I was aiming for a method with minimal requirements from IT... but if this is the only way we'll have to make it work.

I'm leaving this open as long as I can for others to comment if they have anything else on their minds for this particular situation.  :)
0
 
LVL 10

Expert Comment

by:George Khairallah
ID: 37830260
Yes, you got it.
I think this would be the cleanest method to get the domains in a true parent/child configuration.
Of course, if the parent company isn't willing to help with that process, then, hopefully they'd be willing to work with you to set up a two-way trust relationship between the domains.

Good luck :)
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37830273
Actually this is not possible to just make the child domain part of the new company.com domain. Even though you name the domain child.company.com does not mean that this domain can be part of a new domain forest called company.com.

Let me explain: when you create a domain like you want, you are creating a new domain forest with one domain tree, with the first domain as your root domain. So, if you create another domain called company.com, you are creating another domain forest with one domain tree with a new root domain. You will now have two different forests, so you can only set up trusts.

If you want, like someone has already suggested, you can migrate the sub.company.com into a company.com forest by creating another sub.company.com within the domain tree but moving all objects in your sub.domain.com domain into the other domain. So you are not connecting the sub.company.com to the company.com; you are actually migrating the objects to another domain, then you would remove the old sub.domain.com, which is not part of the company.com forest.

I hope I didn't confuse you, but the answer to your question is no, you can't do what you want to do, but there is a way to migrate to the new domain.
0
 

Author Comment

by:annexit
ID: 37830278
That's kind of what we were thinking but we thought we'd ask anyway.  It looks like the trust is the only way to get this to work then.
0
 
LVL 10

Expert Comment

by:George Khairallah
ID: 37830285
The trust, or creating your current domain to be of a different name than the incoming new forest root. This will enable you to do an ADMT migration.
If you name your current domain the same as the incoming forest root, you may be shooting yourself in the foot.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37830289
Yeah, the trust will be the only way, but I warn you that sub.company.com is not a good root domain. You should name it with company.com, which should be a different name than the other domain will be named. For example: subcompany.com or departcompany.com
0
 
LVL 10

Expert Comment

by:George Khairallah
ID: 37830314
darius...
what he's looking to do is to call his domain geolocation.whateverdomain.com  in order to ultimately relocate this domain as a child domain of company.com , in which he will end up with a domain called: geolocation.company.com, which would be a valid child domain within the forest.

I guess it wouldn't hurt to call your current domain a name that you would be ok with in the future, in case the parent company doesn't want to work with you to do a proper domain migration. In which case, call your current domain something like: geolocation.mycurrentcompany.com. So that in the future, if the consolidation doesn't work as you want, and you need to go towards the route of a 2 way trust, at least, you would have a naming that you're ok with. To take it a step further, you may even want to create your current geolocation1.mycompany.com and geolocation2.mycompany.com under a mycompany.com forest root (so the former would actually be children of mycompany.com), so that you can at least centrally manage your domains, otherwise, if your incoming parent company refuses to help, you will end up with a bunch of scattered and de-centrally managed domains.

The name of the destination child domain does not necessarily need to match your current child domain name.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37830320
Right but starting with a subdomain DNS space can cause issues.

Now you can create an empty root domain called company.com then have your child domain with all of your objects.
0
 
LVL 10

Expert Comment

by:George Khairallah
ID: 37830326
darius, we're arguing the same thing I believe.
I'm recommending he use a DIFFERENT parent domain than the incoming parent company, NOT the same. I guess I should've used a different nomenclature for the naming than mycompany.com and company.com to differentiate the two.
0
 
LVL 6

Expert Comment

by:emadallan
ID: 37830333
No, you cannot make geolocation.company.com as your first domain then later create company.com and make geolocation.company.com a sub-domain. Why?
1. Your forest FSMO (schema master and domain naming) roles will reside on geolocation.company.com and not on company.com.
2. Your primary DNS suffix will be geolocation.company.com.
And there are a lot of reasons that will make your process difficult, because you will need to redesign your Active Directory!!
I think beginning from scratch and getting the best AD design will be more efficient than redesigning your Active Directory.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37830343
Right, we are talking the same. For example: subcompany.com or departcompany.com, something different from the other domain
0
 

Author Comment

by:annexit
ID: 37830345
Yep, looks like we'll make our local domain something like locallab.com and just have a trust set up between this and company.com.
0
 
LVL 10

Expert Comment

by:George Khairallah
ID: 37830355
I think you're on the right track annexit. I've had to read the new suggestions a couple times to realize that they're responding directly to your initial inquiry, and not confirming what we were talking about. But essentially, everyone is saying the same thing. So, I believe it's safe to move forward based on our suggestion.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37830359
Sounds good but I would think the company would migrate this at some point because of the ease of administration with one domain forest and tree
0


Question has a verified solution.
