MCITP 70-640: Active Directory adding a child domain

Welcome back. In this video I will look at adding a child domain to an existing domain in Active Directory.

Each child domain makes your network more complex and harder to administer. In the past, extra domains were created due to the limitations of how many objects Active Directory could have, especially in different groups. Active Directory has improved its ability to scale: it can now hold millions of objects. Another limitation was password policies. Previously Active Directory supported one password policy per domain; now you can create more than one password policy per domain. So before you create a child domain, ask yourself why you are creating it. When possible it is best to stay with one domain.

There are times when you need to add a child domain. In most cases this will be because of business requirements. Active Directory gives you the ability to separate departments, and even different companies, into different management structures. In some cases the business may decide they want different domains to keep business management separate. This may come down to different business units having different budgets, which makes sharing resources such as servers difficult. Imagine asking the accounting department to split a new server bill between different companies. Now imagine the companies having different ideas about which hardware to buy: one company may want quality, reliable hardware and the other wants to save money. In cases like this it is often simpler to have two domains.

The next reason you may want to create new domains is different IT support requirements. If your company deals with intellectual property or has a secure department, they may want a network that is completely separate from the main company. They may even hire their own IT staff to look after the network. One network I worked on had two such networks: the commercial network and the secure network. In some of the network cabinets in the company they had network equipment from both the secure and the commercial networks. One day during routine maintenance, one of the support staff found that a network cable had been put in place connecting both of the networks together. Probably just a mistake, but the cable was quickly removed. The secure department then arranged to have another locked cabinet installed inside the first. This ensured the network equipment was separate and thus mistakes like this could not occur.
When deciding if you should create a new child domain, ask yourself this: would having just the one domain, and a small mistake like permissions set incorrectly, cause the data in the domain to be compromised? If so, in some cases it is worth the extra money and resources to ensure that a little mistake won't allow your intellectual property to get into the wrong hands. You will sleep better at night knowing that you will have a job to come back to in the morning.

Lastly, before creating a new child domain or removing one, consider the company structure and how it may change in the future. One company that I did some work for decided to merge the child domain of another company with the parent domain to reduce costs. The company paid the other company a fee each year to manage the IT infrastructure. Once the two domains were merged into one domain, the second company decided to outsource their IT support. The change in the support agreement meant the two companies had to be separated into two domains again. If you want to save yourself some work in the future, consider the company's current structure and how it may change before starting the work.

In this video I will look at adding a child domain to IT Free Training. Currently this is a single forest with a single domain. In this case I will add a second domain called East IT Free Training. This will be a new child domain in the same forest. Since it shares the same namespace as IT Free Training, it is considered to be in the same tree as IT Free Training. I will now switch to my Windows Server to demonstrate how to add the east child domain to the forest.
Just like I did when I added my first domain controller, I need to run the command DCPromo from the start menu. Once I skip past the welcome and information screens, I can choose whether I am adding this domain controller to an existing forest or to a new forest.

In this case I will select the top option since I am creating a child domain. If I were adding another domain controller to an existing domain I would select the next option, "add a domain controller to an existing domain." Since I want to add a new child domain I will select the next option, "create a new domain in an existing forest."
On the next screen I need to enter a username and password with enough access to add child domains. This will need to be someone in the Enterprise Admins group. Usually they will be found in the root domain, in this case ITFreeTraining.local. If, however, they are located in a different domain, including a child domain, I can enter the domain name here.

At the bottom of the screen I will press the Set button to enter the username and password of the user that is in the Enterprise Admins group. Then I will press Next. Windows will now ask for the parent domain of the new child domain. In this case the root domain will be ITFreeTraining.local. Under this I need to enter the name of the domain itself, in this case east. At the bottom, notice that Windows will show the fully qualified domain name of east.ITFreeTraining.local.
When I press Next, Windows will contact the Domain Naming Master to ensure the domain name can be added. On the next screen I can select the domain functional level. In this case I only have two functional levels to choose from because my forest functional level is set to Windows Server 2008.

The next screen will ask me which site this domain controller will go into. Later on in the course I will cover sites. For now I will accept the default option and move on.

On the next screen I can decide if DNS will be installed as well. I already have a Microsoft DNS server on my network, so I will deselect this and move on. I will receive a message telling me Windows could not find the DNS records for this domain in the DNS server. This is normal because they have not been created yet, so it is safe to ignore this message.
The next screen will ask where I want to store the Active Directory database, log files and the SYSVOL folder. I will accept the default locations for these and move on. Just like when I created the first domain controller, I will be asked for the Directory Services Restore Mode password. This is used to repair or recover Active Directory when things go wrong.

Next I will receive a screen confirming my options, and after I press Next this server will become the first domain controller in the new child domain. The new child domain will be able to access resources in the parent domain and the parent domain will be able to access resources in the child domain.
Now that all the hard work of installing Active Directory is done, in the next video I will look at how to uninstall Active Directory. In most cases you will simply be removing a domain controller from a domain, but if you want to completely remove Active Directory, I will show you how to do that as well. As always, thanks for watching our always free
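The same promotion as an added example that is not from the video: a PowerShell script for the ADDSDeployment module (Windows Server 2012 and later, which replaced the dcpromo wizard), using the video's values (parent ITFreeTraining.local, child east, no DNS role, default paths) and first checking that the parent domain's DC locator records resolve, which is the DNS point raised in the comments below. Assumed: the script runs on the server being promoted, and the credential prompted for belongs to Enterprise Admins in the root domain.

```powershell
# Added example (not from the ITFreeTraining video): promote this server to the
# first domain controller of east.ITFreeTraining.local with ADDSDeployment,
# mirroring the choices made in the dcpromo wizard above.
$ParentDomain = 'ITFreeTraining.local'
$ChildName    = 'east'

# 1. Pre-check: the new DC must be able to locate a DC of the parent domain.
#    The SRV record below is what the promotion code looks up; if it does not
#    resolve, fix this server's DNS client settings first (this is the failure
#    seen as "an AD DC for the domain could not be contacted").
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ParentDomain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "Cannot resolve the parent domain's DC locator records; check the DNS client settings:"
    Get-DnsClientServerAddress -AddressFamily IPv4 | Format-Table InterfaceAlias, ServerAddresses
    return
}
"Parent DCs found via DNS: " + (($srv | Where-Object Type -eq 'SRV').NameTarget -join ', ')

# 2. Enterprise Admins credential (the equivalent of the Set button in dcpromo).
$cred = Get-Credential -Message "Enterprise Admins account in $ParentDomain"

# 3. DSRM password, used only to boot the DC into Directory Services Restore Mode.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# 4. Dry run: the same prerequisite checks the installer performs, changing nothing.
Test-ADDSDomainInstallation -NewDomainName $ChildName -ParentDomainName $ParentDomain `
    -DomainType ChildDomain -Credential $cred -SafeModeAdministratorPassword $dsrm `
    -InstallDns:$false | Format-List

# 5. Promote. DNS is not installed because an existing Microsoft DNS server already
#    serves the network, as in the video; database, log and SYSVOL paths are the
#    defaults. DomainMode cannot be lower than the forest functional level.
Install-ADDSDomain -NewDomainName $ChildName -ParentDomainName $ParentDomain `
    -DomainType ChildDomain -Credential $cred -SafeModeAdministratorPassword $dsrm `
    -InstallDns:$false -CreateDnsDelegation:$false -SiteName 'Default-First-Site-Name' `
    -DomainMode Win2008 -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' -Force
```

The server reboots when Install-ADDSDomain completes; run step 4 on its own first if you only want to see whether the promotion would succeed.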


  • Pho3nix

    Thank you so much, I learned that you covered my question in the videos >,<
    You are awesome!!! Keep up the great work.

  • Brock

    Great Instructional Videos! I am a big fan. I have watched all of the AD 2008 free courses I could fit in so far. Will continue to watch them.


    Great work!!!! Thanks for your willingness to share these awesome videos. Very good quality, topics very well explained and easy to understand! Please keep up the great work.
    Is there any plan for videos on Exchange 2010 topics by any chance?


  • itfreetraining

    Thanks, glad to hear that you like the video. At this stage we don't have any plans to make any videos on Exchange. We do want to; hopefully one day we will have time to do so.

  • itfreetraining

    The way to think of it is, can a client resolve an address? If a DC in a child domain needs to resolve a DC in the root domain, can it do that? For this reason it does not matter which server holds the DNS records. You could have them on a UNIX server that is not a member of the domain. As long as records can be resolved as required it will work fine, so you can add a DNS role in a child domain any time you want. If a child domain has a different DNS name it is another tree in the forest.

  • itfreetraining

    If you have users separated by a WAN, 2 miles away or on the other side of the globe, you would use sites to separate the users. Sites allow you to break up a domain to match your network topology. This means you only need the one domain and no child domains are required.

  • Hlaaby A

    Thanks a lot.
    I have one Q: I have two servers and only one domain, and I created the domain on the first server (DHCP-DNS-AD-Exchange), but I don't know the best way to join the second server (antivirus server) to the first one.
    I need only one domain and to join the two servers in one domain.
    What is the best way??? A child domain or what????
    Help me please.

  • itfreetraining

    One domain can have any number of servers or clients in it. If possible, you should always limit your network to one domain; however, sometimes it is not possible. Personally I would join the second server to the same domain as a member server, or promote it to a domain controller and add it to the existing domain.

  • Mike Taylor

    I have just started 70-640. I have been given access to two servers. I have installed AD DS and DNS on one and set up a domain. On the second, I want to install a child domain linked to the domain in the first server. When I run dcpromo and select 'create a new domain in existing forest' (this being on the other server), it won't accept the authentication username/password. Help!

  • itfreetraining

    I think what you would need to do is add the IP address of the first domain controller to the DNS list for the server you want to make the second domain controller. It sounds like it is having trouble resolving the first domain. You could for example have 2 DNS entries. and the first domain controller as the second DNS entry.

  • melat eshetu

    I followed the steps but Active Directory replication is not working between the parent domain and the child domain. Am I missing something?

  • Anand Rajput

    You are the best at explaining things in such an easy way. I would love to see more on System Center products and storage.

  • Animal Talent

    Hello Sir,
    Thanks for the very awesome video. I followed along, but at the step "name the new domain", when I press next, I got a warning that an AD DC for the domain "" could not be contacted. Do you have an idea why, and what should I do?

  • Raghav Sood

    itfreetraining Do you think it's possible to establish a forest/root domain called: located in Brisbane and then at a remote location add another child domain controller located in Sydney to be part of that located in Brisbane?

    I hope the child domain controller does not have to be implemented within the same network as
    I feel that it should be possible, but if it's not then please advise. If it's possible, can you tell me how to do that?

    So again, I want to establish a child domain controller for a forest at a remote site. This child DC will be located on another network? Don't you simply add the address in the DNS forward/reverse lookup for the forest?
