Welcome back. In this video I will look at
adding a child domain to an existing domain in Active Directory.
Each child domain makes your network more complex and harder to administer. In the past
extra domains were created due to the limitations of how many objects Active Directory could
have, especially in different groups. Active Directory has improved its ability to scale.
Now it can scale to millions of objects. Another limitation was password policies. Previously
Active Directory supported one password policy per domain. Now you can create more than one
password policy per domain. So before you create a child domain ask yourself, why are
you creating a child domain? When possible it is best to stay with one domain.

There are times when you need to add a child
domain. In most cases, this will be because of business requirements. Active Directory
gives you the ability to separate departments and even different companies into different
management structures. In some cases the business may decide they want different domains to
keep business management separate. This may come down to different business units
having different budgets and this makes sharing resources such as servers difficult. Imagine
asking the accounting department to split a new server bill between different companies.
Now imagine the companies having different ideas about which hardware to buy. One company
may want quality reliable hardware and the other wants to save money. In cases like this
it is often simpler to have two domains.

The next reason you may want to create new
domains is due to different IT support requirements. If your company deals with intellectual property
or has a secure department, they may want a network that is completely separate from
the main company. They may even hire their own IT staff to look after the network. One
network I worked on had two such networks: the commercial network and the secure network.
In some of the network cabinets in the company they had network equipment from both the secure
and the commercial networks. One day during routine maintenance, one of the support staff
found a network cable had been put in place connecting both of the networks together.
Probably just a mistake but the cable was quickly removed. The secure department then
arranged to have another locked cabinet installed inside the first. This ensured the network
equipment was separate and thus mistakes like this could not occur.
When deciding if you should create a new child domain, ask yourself this. Would having just
the one domain and having a small mistake like permissions set incorrectly cause the
data in the domain to be compromised? If so, in some cases it is worth the extra money
and resources to ensure that a little mistake won’t allow your intellectual property to
get into the wrong hands. You will sleep better at night knowing that you will have a job
to come back to in the morning.

Lastly, before creating a new child domain
or removing one, consider the company structure and how it may change in the future. One company
that I did some work for decided to merge the child domain of another company with the
parent domain to reduce costs. The company paid the other company a fee each year to
manage the IT infrastructure. Once the two domains were merged into one domain the second
company decided to outsource their IT support. The change in the support agreement meant
the two companies had to be separated into two domains again. If you want to save yourself
some work in the future, consider the company’s current structure and how it may change before
starting the work.

In this video I will look at adding a child
domain to IT Free Training. Currently this is a single forest with a single domain. In
this case I will add a second domain called East IT Free Training. This will be a new
child domain in the same forest. Since it shares the same namespace with IT Free Training
it is considered to be in the same tree as IT Free Training. I will now switch to my
Windows Server to demonstrate how to add the east child domain to the forest.
Just like I did when I added my first domain controller, I need to run the command DCPromo
from the Start menu. Once I skip past the welcome and information screens, I can choose
if I am adding this domain controller to an existing forest or a new forest.
In this case I will select the top option since I am creating a child domain. If I were
adding another domain controller to an existing domain I would select the next option “add
a domain controller to an existing domain.” Since I want to add a new child domain I will
select the next option, “create a new domain in an existing forest.”
On the next screen I need to enter in a username and password that has enough access to add
child domains. This will need to be someone in the enterprise administrators group. Usually
they will be found in the root domain, in this case ITFreeTraining.local. If however,
they are located in a different domain, including a child domain, I can enter in the domain
name here.

At the bottom of the screen I will press the
set button to enter in the username and password of the user that is in the enterprise administrators
group. Then I will press next. Windows will now ask for the parent domain of the new child
domain. In this case the root domain will be ITFreeTraining.local. Under this I need
to enter in the name of the domain itself, in this case east. At the bottom, notice that
Windows will show the fully qualified domain name of east.ITFreeTraining.local.
When I press next, Windows will contact the Domain Naming Master to ensure the Domain
name can be added. On the next screen I can select the domain functional level. In this
case I only have two functional levels to choose from because my forest functional level
is set to Windows Server 2008.

The next screen will ask me which site this
domain controller will go into. Later on in the course, I will cover sites. For now I
will accept the default option and move on.

On the next screen I can decide if DNS will
be installed as well. I already have a Microsoft DNS server on my network so I will deselect
this and move on.

I will receive a message telling me Windows
could not find the DNS records for this domain in the DNS server. This is normal because
they have not been created yet, so it is safe to ignore this message.
The next screen will ask where I want to store the Active Directory database, log files and
the SysVol folder. I will accept the default locations for these and move on. Just like
when I created the first domain controller, I will be asked for the Directory Service
Restore Mode password. This is used to repair or recover Active Directory when things go
wrong.

Next I will receive a screen confirming my
options and after I press next this server will become the first Domain Controller in
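a new child domain. Because a two-way transitive trust is created automatically between
parent and child, the new child domain will be able to access resources in the parent
domain and the parent domain will be able to access resources in the child domain, provided
permissions on those resources have been granted.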
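
The wizard choices made above can also be written as a dcpromo answer file, which leaves a reviewable record of how the child domain was built. This is an added example, not something shown in the video; the NetBIOS name, functional level value, site name, file path and account placeholders are assumptions.

```ini
; Constructed example: answer file matching the wizard walkthrough above.
; Run on the new server with:  dcpromo /unattend:C:\child-domain.txt
; (the file path is a placeholder)
[DCInstall]
; "Create a new domain in an existing forest", as a child of the parent
ReplicaOrNewDomain=Domain
NewDomain=Child
ParentDomainDNSName=ITFreeTraining.local
; Single-label name; the resulting FQDN is east.ITFreeTraining.local
ChildName=east
; Assumption: the video does not show the NetBIOS name
DomainNetBiosName=EAST

; Account that is a member of Enterprise Admins in the root domain.
; The account name is a placeholder. Password=* makes dcpromo prompt
; for the password instead of reading it from this file.
UserName=<enterprise-admin-account>
UserDomain=ITFreeTraining.local
Password=*

; Domain functional level: 3 = Windows Server 2008, 4 = Windows Server 2008 R2.
; Assumption: the video does not say which of the two levels was picked.
DomainLevel=3

; Default site, as accepted in the wizard
SiteName=Default-First-Site-Name

; A Microsoft DNS server already exists on the network, so DNS is not installed
InstallDNS=No

; DatabasePath, LogPath and SYSVOLPath are omitted to accept the defaults

; Directory Services Restore Mode password (placeholder). This value is a
; credential: restrict access to the file and delete it after promotion.
SafeModeAdminPassword=<DSRM-password>

RebootOnCompletion=Yes
```
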
Now that all the hard work is done installing Active Directory, in the next video I will
look at how to uninstall Active Directory. In most cases you will simply be removing
a domain controller from a domain, but if you want to completely remove Active Directory,
I will show you how to do that as well. As always, thanks for watching our always free