Solved

Join an existing domain as a child domain in 2008R2?

Posted on 2012-04-10
Last Modified: 2012-04-20
Greetings Experts -

We're looking to build a 2008R2 lab domain geolocation.company.com and later join it to the main company.com domain as a child domain.  The catch is the new company.com domain doesn't exist yet so we'd be creating the child domain first as a standalone domain and then "converting" it to a child domain a few months down the road.

Is this possible with 2008R2?  We have the option to set up a domain trust between them but our understanding is that the parent-child domain setup would be more seamless.

Any advice/info you can offer is much appreciated.  Thank you!  :)
Question by:annexit
17 Comments
 
LVL 10

Expert Comment

by:George Khairallah
ID: 37830141
I've never done something like this, but I know it's not going to be a simple process. These domains have nothing to do with each other. Creating external trusts would mean that they don't share the same parent domain, and creating internal trusts, will require them sharing some of the FSMO roles of the Forest Root.

I think if this is your only option, that the Active Directory Migration Tool is going to be your best bet.
http://technet.microsoft.com/en-us/library/cc974332%28v=ws.10%29.aspx

I would wait on another expert's opinion regarding this though, as I'm not 100% sure of this, and there may be another option available.
0
 

Author Comment

by:annexit
ID: 37830171
There are two main reasons we want to keep the geolocation.company.com domain as a child domain and not migrate everything to the company.com domain:

#1 the main company domain won't be up for quite a while yet and we want to start putting local infrastructure in place now instead of months from now

#2 we'd be domain admins of the child domain and could manage it locally without needing special permissions in company.com which we're likely not to get.
0
 
LVL 10

Accepted Solution

by:
George Khairallah earned 500 total points
ID: 37830198
Gotcha.
Well there are a couple of things I'm thinking of and/or concerned about:
1) You always have the option to create a 2 way trust between the domains.
2) If your current domain, geolocation.company.com, is slated to be a child domain of a currently non-existent company.com Forest Root, I'm reluctant to say that you'll be able to seamlessly integrate it just because of the fact that they have the same name.
Your current geolocation.company.com will have a completely different set of SIDs and identifiers for your current domain than the similarly named Forest Root.

I would think that, if you're looking at a true parent/child relationship in the domains, that you would be better off having your current domains named something like: geolocation.someothername.com, then when the "company.com" domain comes in as a forest root, you would then create a child domain under forest root, called: geolocation.company.com, and then migrate your AD objects from geolocation.someothername.com to geolocation.company.com using ADMT.

Again, it's not simple, but it's definitely doable.

I hope I addressed your actual scenario this time around? :)
0
 

Author Comment

by:annexit
ID: 37830249
You got it pretty much nailed.  To summarize:

> make geolocation.temporary.com locally and add all our domain objects there

> down the road, after company.com is running, make a new child domain geolocation.company.com

> migrate our AD objects from geolocation.temporary.com to geolocation.company.com

Is that right?  Step 2/3 would likely require us to work with the company IT department and I'm not certain how willing they'll be to do this for us, so I was aiming for a method with minimal requirements from IT... but if this is the only way we'll have to make it work.

I'm leaving this open as long as I can for others to comment if they have anything else on their minds for this particular situation.  :)
0
 
LVL 10

Expert Comment

by:George Khairallah
ID: 37830260
Yes, you got it.
I think this would be the cleanest method to get the domains in a true parent/child configuration.
Of course, if the parent company isn't willing to help with that process, then, hopefully they'd be willing to work with you to setup a two way trust relationship between the domains.

Good luck :)
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37830273
Actually this is not possible to just make the child domain part of the new company.com domain. Even though you name the domain child.company.com does not mean that this domain can be part of a new domain forest called company.com.

Let me explain: when you create a domain like you want, you are creating a new domain forest with one domain tree, with the first domain as your root domain. So, if you create another domain called company.com, you are creating another domain forest with one domain tree with a new root domain. You will now have two different forests, so you can only set up trusts.

If you want, like someone has already suggested, you can migrate the sub.company.com into a company.com forest by creating another sub.company.com within the domain tree but moving all objects in your sub.domain.com domain into the other domain. So you are not connecting the sub.company.com to the company.com; you are actually migrating the objects to another domain, and then you would remove the old sub.domain.com, which is not part of the company.com forest.

I hope I didn't confuse you but the answer to your question is no you can't do what you want to do but there is a way to migrate to the new domain.
0
 

Author Comment

by:annexit
ID: 37830278
That's kind of what we were thinking but we thought we'd ask anyway.  It looks like the trust is the only way to get this to work then.
0
 
LVL 10

Expert Comment

by:George Khairallah
ID: 37830285
The trust, or creating your current domain to be of a different name than the incoming new forest root. This will enable you to do an ADMT migration.
If you name your current domain the same as the incoming forest root, you may be shooting yourself in the foot.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37830289
Yeah, the trust will be the only way, but I warn you that sub.company.com is not a good root domain. You should name it with company.com, which should be a different name than the other domain will be named. For example: subcompany.com or departcompany.com
0
 
LVL 10

Expert Comment

by:George Khairallah
ID: 37830314
darius...
what he's looking to do is to call his domain geolocation.whateverdomain.com  in order to ultimately relocate this domain as a child domain of company.com , in which he will end up with a domain called: geolocation.company.com, which would be a valid child domain within the forest.

I guess it wouldn't hurt to call your current domain a name that you would be OK with in the future, in case the parent company doesn't want to work with you to do a proper domain migration. In which case, call your current domain something like: geolocation.mycurrentcompany.com. So that in the future, if the consolidation doesn't work as you want, and you need to go towards the route of a 2 way trust, at least you would have a naming that you're OK with. To take it a step further, you may even want to create your current geolocation1.mycompany.com and geolocation2.mycompany.com under a mycompany.com forest root (so the former would actually be children of mycompany.com), so that you can at least centrally manage your domains. Otherwise, if your incoming parent company refuses to help, you will end up with a bunch of scattered and de-centrally managed domains.

The name of the destination child domain does not necessarily need to match your current child domain name.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37830320
Right but starting with a subdomain DNS space can cause issues.

Now you can create an empty root domain called company.com then have your child domain with all of your objects.
0
 
LVL 10

Expert Comment

by:George Khairallah
ID: 37830326
darius, we're arguing the same thing I believe.
I'm recommending he use a DIFFERENT parent domain than the incoming parent company, NOT the same. I guess I should've used a different nomenclature for the naming than mycompany.com and company.com to differentiate the two.
0
 
LVL 6

Expert Comment

by:emadallan
ID: 37830333
No, you cannot make geolocation.company.com your first domain, then later create company.com and make geolocation.company.com a sub-domain. Why?
1. Your forest FSMO (schema master and domain naming) roles will reside on geolocation.company.com and not on company.com.
2. Your primary DNS suffix will be geolocation.company.com.
And there are a lot of reasons that will make your process difficult, because you will need to redesign your Active Directory!
I think beginning from scratch and getting the best AD designed will be more efficient to redesign your Active Directory.
0
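The point made in the answers above, that a domain created on its own becomes the root of its own forest with its own SID and forest-wide FSMO holders, can be checked on a live system. The following is an added example, not part of any post in this thread; the function name `Compare-ADDomainForest` is hypothetical, and it assumes the ActiveDirectory PowerShell module is installed and that both domain names resolve and are readable from the machine running it.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Compare-ADDomainForest {
    param(
        [Parameter(Mandatory = $true)][string]$DomainA,   # e.g. the lab domain
        [Parameter(Mandatory = $true)][string]$DomainB    # e.g. the corporate domain
    )

    $report = foreach ($name in $DomainA, $DomainB) {
        # -Server sends the query to a domain controller of the named domain.
        $domain = Get-ADDomain -Identity $name -Server $name
        $forest = Get-ADForest -Identity $domain.Forest -Server $name

        New-Object PSObject -Property @{
            Domain             = $domain.DNSRoot
            DomainSID          = $domain.DomainSID.Value
            ParentDomain       = $domain.ParentDomain      # empty for a tree or forest root
            Forest             = $forest.Name
            IsForestRoot       = ($domain.DNSRoot -eq $forest.RootDomain)
            SchemaMaster       = $forest.SchemaMaster       # forest-wide FSMO holder
            DomainNamingMaster = $forest.DomainNamingMaster # forest-wide FSMO holder
        }
    }

    # Two domains are in the same forest only if they report the same forest
    # name AND the same schema master; a matching DNS suffix proves nothing.
    $sameForest = ($report[0].Forest -eq $report[1].Forest) -and
                  ($report[0].SchemaMaster -eq $report[1].SchemaMaster)

    $report | Format-List Domain, DomainSID, ParentDomain, Forest,
                          IsForestRoot, SchemaMaster, DomainNamingMaster

    if ($sameForest) {
        "Same forest: parent/child or tree-root trusts already exist implicitly."
    } else {
        "Different forests: only an explicit trust or an ADMT migration can connect them."
    }
}

# Domain names as used in the question.
Compare-ADDomainForest -DomainA 'geolocation.company.com' -DomainB 'company.com'
```

For a lab domain built standalone, `IsForestRoot` is True and `ParentDomain` is empty even when its name ends in `.company.com`.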
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37830343
Right, we are talking the same. For example: subcompany.com or departcompany.com, something different from the other domain.
0
 

Author Comment

by:annexit
ID: 37830345
Yep, looks like we'll make our local domain something like locallab.com and just have a trust set up between this and company.com.
0
 
LVL 10

Expert Comment

by:George Khairallah
ID: 37830355
I think you're on the right track annexit. I've had to read the new suggestions a couple times to realize that they're responding directly to your initial inquiry, and not confirming what we were talking about. But essentially, everyone is saying the same thing. So, I believe it's safe to move forward based on our suggestion.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37830359
Sounds good but I would think the company would migrate this at some point because of the ease of administration with one domain forest and tree
0
