Join an existing domain as a child domain in 2008R2?

Greetings Experts -

We're looking to build a 2008R2 lab domain and later join it to the main domain as a child domain.  The catch is the new domain doesn't exist yet so we'd be creating the child domain first as a standalone domain and then "converting" it to a child domain a few months down the road.

Is this possible with 2008R2?  We have the option to set up a domain trust between them but our understanding is that the parent-child domain setup would be more seamless.

Any advice/info you can offer is much appreciated.  Thank you!  :)

George Khairallah (CTO) Commented:
I've never done something like this, but I know it's not going to be a simple process. These domains have nothing to do with each other. Creating external trusts would mean that they don't share the same parent domain, and creating internal trusts will require them to share some of the FSMO roles of the Forest Root.

I think if this is your only option, that the Active Directory Migration Tool is going to be your best bet. 

I would wait on another expert's opinion regarding this though, as I'm not 100% sure of this, and there may be another option available.
annexit (Author) Commented:
There are two main reasons we want to keep the domain as a child domain and not migrate everything to the domain:

#1 the main company domain won't be up for quite a while yet and we want to start putting local infrastructure in place now instead of months from now

#2 we'd be domain admins of the child domain and could manage it locally without needing special permissions which we're likely not to get.
George Khairallah (CTO) Commented:
Well there are a couple of things I'm thinking of and/or concerned about:
1) You always have the option to create a 2 way trust between the domains.
2) If your current domain: is slated to be a child domain of a currently non-existent Forest Root, I'm reluctant to say that you'll be able to seamlessly integrate just because of the fact that they have the same name.  
Your current will have a completely different set of SIDs and identifiers for your current domain than the similarly named Forest Root.

I would think that, if you're looking at a true parent/child relationship in the domains, that you would be better off having your current domains named something like:, then when the "" domain comes in as a forest root, you would then create a child domain under forest root, called:, and then migrate your AD objects from to using ADMT.

Again, it's not simple, but it's definitely doable.

I hope I addressed your actual scenario this time around? :)


annexit (Author) Commented:
You got it pretty much nailed.  To summarize:

> make locally and add all our domain objects there

> down the road, after is running, make a new child domain

> migrate our AD objects from to

Is that right?  Step 2/3 would likely require us to work with the company IT department and I'm not certain how willing they'll be to do this for us, so I was aiming for a method with minimal requirements from IT... but if this is the only way we'll have to make it work.

I'm leaving this open as long as I can for others to comment if they have anything else on their minds for this particular situation.  :)
George Khairallah (CTO) Commented:
Yes, you got it.
I think this would be the cleanest method to get the domains in a true parent/child configuration.
Of course, if the parent company isn't willing to help with that process, then hopefully they'd be willing to work with you to set up a two-way trust relationship between the domains.

Good luck :)
Darius Ghassem Commented:
Actually this is not possible to just make the child domain part of the new domain. Even though you name the domain does not mean that this domain can be part of a new domain forest called

Let me explain: when you create a domain like you want, you are creating a new domain forest with one domain tree with the first domain as your root domain. So, if you create another domain called you are creating another domain forest with one domain tree with a new root domain. You will now have two different forests, so you can only set up trusts.

If you want like someone has already suggested you can migrate the into a forest by creating another within the domain tree but moving all objects in your domain into the other domain so, you are not connecting the to the you are actually migrating the objects to another domain then you would remove the old which is not part of the forest.

I hope I didn't confuse you, but the answer to your question is no, you can't do what you want to do, but there is a way to migrate to the new domain.
annexit (Author) Commented:
That's kind of what we were thinking but we thought we'd ask anyway.  It looks like the trust is the only way to get this to work then.
George Khairallah (CTO) Commented:
The trust, or creating your current domain to be of a different name than the incoming new forest root. This will enable you to do an ADMT migration.
If you name your current domain the same as the incoming forest root, you may be shooting yourself in the foot.
Darius Ghassem Commented:
Yeah the trust will be the only way but I warn you that is not a good root domain you should name it with which should be a different name than the other domain will be named. For example. or
George Khairallah (CTO) Commented:
What he's looking to do is to call his domain  in order to ultimately relocate this domain as a child domain of , in which he will end up with a domain called:, which would be a valid child domain within the forest.

I guess it wouldn't hurt to call your current domain a name that you would be ok with in the future, in case the parent company doesn't want to work with you to do a proper domain migration. In which case, call your current domain something like: So that in the future, if the consolidation doesn't work as you want, and you need to go towards the route of a 2 way trust, at least, you would have a naming that you're ok with. To take it a step further, you may even want to create your current and under a forest root (so the former would actually be children of, so that you can at least centrally manage your domains, otherwise, if your incoming parent company refuses to help, you will end up with a bunch of scattered and de-centrally managed domains.  

The name of the destination child domain does not necessarily need to match your current child domain name.
Darius Ghassem Commented:
Right but starting with a subdomain DNS space can cause issues.

Now you can create an empty root domain called then have your child domain with all of your objects.
George Khairallah (CTO) Commented:
Darius, we're arguing the same thing I believe.
I'm recommending he use a DIFFERENT parent domain than the incoming parent company, NOT the same. I guess I should've used a different nomenclature for the naming than and to differentiate the two.
No, you cannot make as your first domain then later you create and make as sub-domain. Why?
1. Your forest FSMO (schema master and domain naming) role will reside on and not on the
2. Your primary DNS suffix will be
And there are a lot of reasons that will make your process difficult, because you will need to redesign your Active Directory!
I think beginning from scratch and get the best AD designed will be more efficient to redesign your Active Directory.
Darius Ghassem Commented:
Right we are talking the same. For example. or something different from the other domain
annexit (Author) Commented:
Yep, looks like we'll make our local domain something like and just have a trust set up between this and
George Khairallah (CTO) Commented:
I think you're on the right track annexit. I've had to read the new suggestions a couple times to realize that they're responding directly to your initial inquiry, and not confirming what we were talking about. But essentially, everyone is saying the same thing. So, I believe it's safe to move forward based on our suggestion.
Darius Ghassem Commented:
Sounds good but I would think the company would migrate this at some point because of the ease of administration with one domain forest and tree