Join an existing domain as a child domain in 2008R2?

Greetings Experts -

We're looking to build a 2008R2 lab domain geolocation.company.com and later join it to the main company.com domain as a child domain.  The catch is the new company.com domain doesn't exist yet so we'd be creating the child domain first as a standalone domain and then "converting" it to a child domain a few months down the road.

Is this possible with 2008R2?  We have the option to set up a domain trust between them but our understanding is that the parent-child domain setup would be more seamless.

Any advice/info you can offer is much appreciated.  Thank you!  :)
annexit Asked:

George Khairallah (CTO) Commented:
I've never done something like this, but I know it's not going to be a simple process. These domains have nothing to do with each other. Creating external trusts would mean that they don't share the same parent domain, and creating internal trusts, will require them sharing some of the FSMO roles of the Forest Root.

I think if this is your only option, that the Active Directory Migration Tool is going to be your best bet.
http://technet.microsoft.com/en-us/library/cc974332%28v=ws.10%29.aspx 

I would wait on another expert's opinion regarding this though, as I'm not 100% sure of this, and there may be another option available.
0
annexit (Author) Commented:
There are two main reasons we want to keep the geolocation.company.com domain as a child domain and not migrate everything to the company.com domain:

#1 the main company domain won't be up for quite a while yet and we want to start putting local infrastructure in place now instead of months from now

#2 we'd be domain admins of the child domain and could manage it locally without needing special permissions in company.com which we're likely not to get.
0
George Khairallah (CTO) Commented:
Gotcha.
Well, there are a couple of things I'm thinking of and/or concerned about:
1) You always have the option to create a 2 way trust between the domains.
2) If your current domain, geolocation.company.com, is slated to be a child domain of a currently non-existent company.com Forest Root, I'm reluctant to say that you'll be able to seamlessly integrate just because of the fact that they have the same name.
Your current geolocation.company.com will have a completely different set of SIDs and identifiers for your current domain than the similarly named Forest Root.

I would think that, if you're looking at a true parent/child relationship in the domains, that you would be better off having your current domains named something like: geolocation.someothername.com, then when the "company.com" domain comes in as a forest root, you would then create a child domain under forest root, called: geolocation.company.com, and then migrate your AD objects from geolocation.someothername.com to geolocation.company.com using ADMT.

Again, it's not simple, but it's definitely doable.

I hope I addressed your actual scenario this time around? :)
0


annexit (Author) Commented:
You got it pretty much nailed.  To summarize:

> make geolocation.temporary.com locally and add all our domain objects there

> down the road, after company.com is running, make a new child domain geolocation.company.com

> migrate our AD objects from geolocation.temporary.com to geolocation.company.com

Is that right?  Step 2/3 would likely require us to work with the company IT department and I'm not certain how willing they'll be to do this for us, so I was aiming for a method with minimal requirements from IT... but if this is the only way we'll have to make it work.

I'm leaving this open as long as I can for others to comment if they have anything else on their minds for this particular situation.  :)
0
George Khairallah (CTO) Commented:
Yes, you got it.
I think this would be the cleanest method to get the domains in a true parent/child configuration.
Of course, if the parent company isn't willing to help with that process, then, hopefully they'd be willing to work with you to set up a two way trust relationship between the domains.

Good luck :)
0
Darius Ghassem Commented:
Actually this is not possible to just make the child domain part of the new company.com domain. Even though you name the domain child.company.com, that does not mean that this domain can be part of a new domain forest called company.com.

Let me explain: when you create a domain like you want, you are creating a new domain forest with one domain tree with the first domain as your root domain. So, if you create another domain called company.com, you are creating another domain forest with one domain tree with a new root domain. You will now have two different forests, so you can only set up trusts.

If you want, like someone has already suggested, you can migrate the sub.company.com into a company.com forest by creating another sub.company.com within the domain tree but moving all objects in your sub.domain.com domain into the other domain. So, you are not connecting the sub.company.com to the company.com; you are actually migrating the objects to another domain, then you would remove the old sub.domain.com, which is not part of the company.com forest.

I hope I didn't confuse you but the answer to your question is no you can't do what you want to do but there is a way to migrate to the new domain.
0
annexit (Author) Commented:
That's kind of what we were thinking but we thought we'd ask anyway.  It looks like the trust is the only way to get this to work then.
0
George Khairallah (CTO) Commented:
The trust, or creating your current domain to be of a different name than the incoming new forest root. This will enable you to do an ADMT migration.
If you name your current domain the same as the incoming forest root, you may be shooting yourself in the foot.
0
Darius Ghassem Commented:
Yeah, the trust will be the only way, but I warn you that sub.company.com is not a good root domain; you should name it with company.com which should be a different name than the other domain will be named. For example, subcompany.com or departcompany.com.
0
George Khairallah (CTO) Commented:
Darius...
What he's looking to do is to call his domain geolocation.whateverdomain.com in order to ultimately relocate this domain as a child domain of company.com, in which he will end up with a domain called geolocation.company.com, which would be a valid child domain within the forest.

I guess it wouldn't hurt to call your current domain a name that you would be ok with in the future, in case the parent company doesn't want to work with you to do a proper domain migration. In which case, call your current domain something like geolocation.mycurrentcompany.com, so that in the future, if the consolidation doesn't work as you want, and you need to go towards the route of a 2 way trust, at least you would have a naming that you're ok with. To take it a step further, you may even want to create your current geolocation1.mycompany.com and geolocation2.mycompany.com under a mycompany.com forest root (so the former would actually be children of mycompany.com), so that you can at least centrally manage your domains. Otherwise, if your incoming parent company refuses to help, you will end up with a bunch of scattered and de-centrally managed domains.

The name of the destination child domain does not necessarily need to match your current child domain name.
0
Darius Ghassem Commented:
Right, but starting with a subdomain DNS space can cause issues.

Now you can create an empty root domain called company.com then have your child domain with all of your objects.
0
George Khairallah (CTO) Commented:
darius, we're arguing the same thing I believe.
I'm recommending he use a DIFFERENT parent domain than the incoming parent company, NOT the same. I guess I should've used a different nomenclature for the naming than mycompany.com and company.com to differentiate the two.
0
emadallan Commented:
No, you cannot make geolocation.company.com your first domain, then later create company.com and make geolocation.company.com a sub-domain. Why?
1. Your forest FSMO (schema master and domain naming) roles will reside on geolocation.company.com and not on company.com.
2. Your primary DNS suffix will be geolocation.company.com.
And there are a lot of reasons that will make your process difficult, because you will need to redesign your Active Directory!
I think beginning from scratch and getting the best AD designed will be more efficient than redesigning your Active Directory.
0
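
The two points made in the answers above (a first domain is always its own forest root, and the forest-wide FSMO roles and domain SID belong to it) can be checked directly on the standalone lab domain. This is an added PowerShell example, not part of any participant's post; it assumes the ActiveDirectory module (available from 2008 R2), uses `company.com` as the planned parent name, and `Get-ForestPlacement` is a hypothetical helper name.

```powershell
# Added example: run on a DC (or a host with RSAT) in the standalone lab domain.
# Written for PowerShell 2.0, which is what 2008 R2 ships with.
Import-Module ActiveDirectory

function Get-ForestPlacement {
    param(
        # Assumption: DNS name planned for the future parent forest root.
        [string]$PlannedParent = 'company.com'
    )

    $domain = Get-ADDomain   # domain of the logged-on user
    $forest = Get-ADForest   # forest that domain belongs to

    New-Object PSObject -Property @{
        DomainDnsRoot      = $domain.DNSRoot
        DomainSid          = $domain.DomainSID.Value
        ParentDomain       = $domain.ParentDomain      # empty for a tree root
        ForestRoot         = $forest.RootDomain
        IsForestRoot       = ($domain.DNSRoot -eq $forest.RootDomain)
        SchemaMaster       = $forest.SchemaMaster       # forest-wide FSMO role
        DomainNamingMaster = $forest.DomainNamingMaster # forest-wide FSMO role
        # True when the name merely *looks* like a child of the planned parent.
        LooksLikeChildOf   = $domain.DNSRoot.EndsWith(
            ".$PlannedParent", [StringComparison]::OrdinalIgnoreCase)
    }
}

$placement = Get-ForestPlacement
$placement | Format-List

if ($placement.IsForestRoot -and $placement.LooksLikeChildOf) {
    # The DNS name suggests a child domain, but the directory says otherwise:
    # this domain is the root of its own forest, with its own SID and its own
    # schema and domain naming masters.
    Write-Warning ("{0} is the root of its own forest. A later forest rooted at " +
        "the planned parent name would be a second, separate forest; the options " +
        "raised in this thread are a trust or an ADMT migration into a newly " +
        "created child domain.") -f $placement.DomainDnsRoot
}
```

For a domain built as `geolocation.company.com` with no existing parent, `IsForestRoot` is true and `ParentDomain` is empty, which is the situation the answers describe.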
Darius Ghassem Commented:
Right, we are talking the same. For example, subcompany.com or departcompany.com, something different from the other domain.
0
annexit (Author) Commented:
Yep, looks like we'll make our local domain something like locallab.com and just have a trust set up between this and company.com.
0
George Khairallah (CTO) Commented:
I think you're on the right track, annexit. I've had to read the new suggestions a couple of times to realize that they're responding directly to your initial inquiry, and not confirming what we were talking about. But essentially, everyone is saying the same thing. So, I believe it's safe to move forward based on our suggestion.
0
Darius Ghassem Commented:
Sounds good but I would think the company would migrate this at some point because of the ease of administration with one domain forest and tree
0
Windows Server 2008
