This video looks at how to add a child domain to an existing domain in Active Directory. Child domains can access resources from the parent and also from any other domain in the forest. This video will look at adding the east domain to the existing domain.
Demonstration at 04:35
Things to consider before adding a child domain
The more domains that you have in your forest, the harder it will be to administer your network. When possible, you should attempt to reduce the number of domains in your forest. Sometimes, due to company needs or security reasons, extra domains may be created. Remember that Windows Server 2008 includes a number of improvements and features that cover needs which in previous versions of Windows would have required additional domains. These are:
1) Active Directory could previously only have one password policy per domain. If your domain functional level is Windows Server 2008 or higher, you can support multiple password policies for the same domain.
2) With Windows NT the database was limited to 40 MB, which was around 40,000 objects. Because of this, multiple domains may have been required, whereas with Active Directory only one is now required.
New domains may also be created due to different business unit requirements. In a lot of cases you can separate departments and even companies using organizational units inside Active Directory; however, dealing with things like different company budgets is not as simple. If the companies have different IT support staff, they will probably want different domains.
Creating a new domain or adding a domain controller to an existing domain is all done using DCPromo.
1) When asked, select the option at the top, “existing forest.” Under this, select the option “create a new domain in an existing forest.” This will create the first domain controller in your new domain in the existing forest.
2) You will next be asked for the credentials for a user to add the domain to the existing forest. This needs to be a user in the enterprise administrators group; however, the user does not need to be in the root domain: they can be located in any domain in the forest.
3) Next you need to enter in the name of the parent domain of the child domain. If you are creating a new tree, enter in the new namespace. DCPromo will understand this is a new tree rather than a child domain.
4) Once the relevant details are entered, a Domain Naming Master will be contacted to see if this domain already exists. If the Domain Naming Master can’t be contacted, DCPromo will fail.
5) Once the Domain Naming Master has been contacted and it has been confirmed this domain does not already exist, you will be asked for the domain functional level. What is available will be determined by what the current forest functional level is.
6) Next you need to select the site where the domain controller will be. If no sites have been created, you can use “default first site name” for the site.
7) Next you can decide if the domain controller is a DNS server and/or a global catalog server. Even if you are creating a completely separate domain you can use a DNS server or even a 3rd party DNS system like UNIX.
8) The wizard will ask you where to put the database, log file and SysVol folder. In most cases leave this on the default.
9) The next screen will ask for an Active Directory recovery password. This is used in certain recovery situations including restoring deleted objects.
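The wizard choices in steps 1 to 9 can also be written as a DCPromo unattend answer file. The file below is an added example, not part of the original video notes. Only the child name east comes from the text; the parent domain example.com, the account name ea-admin, the file path, the folder paths and the password placeholder are assumptions.

```ini
; Constructed example: answer file for the first domain controller of the
; child domain "east" under an assumed parent domain example.com.
; Run on the new server with:  dcpromo /unattend:C:\child-east.txt
[DCINSTALL]
; Step 1: create a new domain in an existing forest (child, not a new tree)
ReplicaOrNewDomain=Domain
NewDomain=Child

; Step 2: an account in the enterprise administrators group.
; Password=* makes DCPromo prompt, so the credential is not stored on disk.
UserName=ea-admin
UserDomain=example.com
Password=*

; Step 3: parent domain and the single-label name of the child
ParentDomainDNSName=example.com
ChildName=east
DomainNetBiosName=EAST

; Step 4 has no key: DCPromo contacts the Domain Naming Master itself
; and stops if it cannot be reached or the name already exists.

; Step 5: domain functional level (3 = Windows Server 2008);
; the forest functional level limits which values are accepted.
DomainLevel=3

; Step 6: site for the new domain controller
SiteName=Default-First-Site-Name

; Step 7: DNS server and global catalog roles
InstallDNS=Yes
ConfirmGc=Yes

; Step 8: default locations, assuming Windows is installed on C:
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL

; Step 9: recovery password (placeholder, replace before running)
SafeModeAdminPassword=<recovery-password-placeholder>
RebootOnCompletion=Yes
```

Because the file holds the recovery password in clear text, restrict its permissions to administrators and delete it once the promotion has finished.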