Creating a new Child Domain in Windows Server 2008 R2
There are times when you need to separate or delegate some parts of your Active Directory infrastructure, and the best way in those cases is to simply create a new child domain in the existing AD forest. This way you don’t have to create trusts between the two domains; the parent-child trust is created automatically and is two-way, meaning domain A automatically trusts domain B, and vice versa. Now I don’t want to bore you with a lot of theory here, so I will get to work. In this lab I have a Domain Controller in site A, and a Windows Server 2008 R2 server in site B. Sites A and B are connected through VPN. The server in site B will hold the child domain “amsterdam.vkernel.local”.
Before we go to Amsterdam (I don’t know, I just like the name) we need to create and configure sites by opening Active Directory Sites and Services from Administrative Tools. Right-click the Sites folder and choose New Site.
In the Name box type the name of the new site, which is Amsterdam in this example, then select the DEFAULTIPSITELINK and click OK.
An information screen pops up telling us that we need to add a subnet to the site we just created. Click OK; this was my next step anyway.
Right-click the Subnets folder and choose New Subnet.
In the Prefix box type the subnet for the branch office then select a site object for this prefix. In this case the subnet for the branch office is 192.168.100.0/24 and the site object is Amsterdam.
Now let’s take care of the main office site too. Right-click Default-First-Site-Name and choose Rename. Give it a name that represents the main office location, which in this case is Cluj-Napoca.
Go to the Subnets folder again, right-click the folder and choose New Subnet. In the Prefix box type the subnet for the main office, then select the site object.
Now your Active Directory Sites and Services should look like this.
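The same site and subnet configuration, done from PowerShell through ADSI instead of the Sites and Services console, as an added example (not from the original article). It uses only System.DirectoryServices, so it runs on a 2008 R2 domain controller where the newer New-ADReplicationSite / New-ADReplicationSubnet cmdlets are not available. The site names and the branch subnet are the article’s; the main-office prefix 192.168.10.0/24 is an assumption, since the article does not state it.

```powershell
# Added example: create the branch site and subnets via ADSI (not the article's own code).
# Run on the main-office DC (or any domain-joined machine) as an Enterprise Admin.

$BranchSite   = "Amsterdam"
$BranchSubnet = "192.168.100.0/24"
$MainSite     = "Cluj-Napoca"
$MainSubnet   = "192.168.10.0/24"   # assumed: the article does not give the main-office prefix

$config  = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$sitesDN = "CN=Sites,$config"

function New-AdsiSite {
    param([string]$Name)
    $siteDN = "CN=$Name,$sitesDN"
    # Refuse to continue rather than silently reuse an existing site object.
    if ([ADSI]::Exists("LDAP://$siteDN")) { throw "Site $Name already exists" }
    $sites = [ADSI]"LDAP://$sitesDN"
    $site  = $sites.Create("site", "CN=$Name")
    $site.SetInfo()
    # The console creates these two child containers silently; a site is unusable without them.
    $site.Create("nTDSSiteSettings", "CN=NTDS Site Settings").SetInfo()
    $site.Create("serversContainer", "CN=Servers").SetInfo()
    # Add the site to DEFAULTIPSITELINK so inter-site replication can reach it
    # (this is the "select the DEFAULTIPSITELINK" step of the wizard).
    $link = [ADSI]"LDAP://CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,$sitesDN"
    $link.PutEx(3, "siteList", @($siteDN))   # 3 = ADS_PROPERTY_APPEND
    $link.SetInfo()
    return $siteDN
}

function New-AdsiSubnet {
    param([string]$Prefix, [string]$SiteDN)
    $subnets = [ADSI]"LDAP://CN=Subnets,$sitesDN"
    $subnet  = $subnets.Create("subnet", "CN=$Prefix")
    $subnet.Put("siteObject", $SiteDN)       # the "select a site object for this prefix" step
    $subnet.SetInfo()
}

function Rename-AdsiSite {
    param([string]$OldName, [string]$NewName)
    $site = [ADSI]"LDAP://CN=$OldName,$sitesDN"
    $site.psbase.Rename("CN=$NewName")       # psbase is required on PowerShell 2.0
}

function Get-SubnetSite {
    # Reads back which site a subnet resolves to; a wrong mapping here is exactly
    # what makes the dcpromo wizard (and every client in that subnet) pick the wrong site.
    param([string]$Prefix)
    $subnet = [ADSI]"LDAP://CN=$Prefix,CN=Subnets,$sitesDN"
    return [string]$subnet.siteObject
}

$branchDN = New-AdsiSite -Name $BranchSite
New-AdsiSubnet -Prefix $BranchSubnet -SiteDN $branchDN
Rename-AdsiSite -OldName "Default-First-Site-Name" -NewName $MainSite
New-AdsiSubnet -Prefix $MainSubnet -SiteDN "CN=$MainSite,$sitesDN"

"$BranchSubnet -> $(Get-SubnetSite $BranchSubnet)"
"$MainSubnet -> $(Get-SubnetSite $MainSubnet)"
```

The two lines printed at the end should name CN=Amsterdam and CN=Cluj-Napoca respectively; if they do not, fix the subnet before running dcpromo on the branch server, because the wizard’s site selection and the clients’ DC locator both depend on that mapping. On a 2012 or later management host the same work is a few calls to New-ADReplicationSite, New-ADReplicationSubnet and Set-ADReplicationSiteLink.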
On the branch office server configure the IP settings. In the DNS box you must put the IP address of the Domain Controller in the main office, so the server can find the domain.
I assume you have a proper VPN connection between the two locations, and both servers can communicate. Now we can start creating the child domain in the branch office. Do a Start > Run > dcpromo and click OK.
After the binaries are installed the Active Directory Domain Services Installation Wizard appears. Check the Use Advanced mode installation box and click Next.
In Windows Server 2008 and 2008 R2 a new security setting was implemented, and older clients may be affected. This is what the Operating System Compatibility page is telling us, but that is not our case since we only have 2008 R2 operating systems. Click Next to continue.
On the Deployment Configuration page choose Existing Forest > Create a new domain in an existing forest. Do NOT check the box Create a new domain tree instead of a new child domain, because we are not creating the child domain in a separate tree.
Type the domain name in the main office, then provide the proper credentials to connect to the domain. The user account must be a member of the Domain Admins group or the Enterprise Admins group.
In the first box click the Browse button to select the parent domain. In the second box type the name of your child domain, which in this example is Amsterdam.
Leave the defaults here and click Next to continue.
If you intend to create additional domain controllers in this domain (amsterdam.vkernel.local) with older operating systems (2000-2003), leave the domain functional level at 2000 or 2003. Since we only have Windows 2008 R2 we can set the domain functional level to Windows Server 2008 R2.
As you can see, the correct site was automatically selected based on the subnet we created earlier. If the wizard selected the wrong site, uncheck the box Use the site that corresponds to the IP address of this computer and select the proper site from the list. I never had to do that; you will only have to do it if you did not configure Active Directory Sites and Services correctly.
Check the Global Catalog box here, so we have faster searches for objects in AD. More information about Global Catalog servers can be found here.
Select the replication partner in the other domain. If you have multiple Domain Controllers in the main office you should set only one of them to be the replication partner with the one in the branch office.
Here you can change the Active Directory database and logs location, if you don’t like the default one.
Type a password for the Active Directory Restore Mode then click Next.
Review your selections on the Summary screen, and if everything is OK click the Next button to start creating the child domain.
If during the Active Directory Domain Services installation process you get the error The operation failed because: Active Directory Domain Services could not replicate the directory partition… “Could not find the domain controller for this domain”, join the server to the domain, reboot, then resume the dcpromo operation.
After the domain controller reboots, log in using the Administrator account. You will be asked to change the password, and you will need to provide a complex password to be able to continue.
Now if you open Active Directory Sites and Services you can see the new domain controller created in the Amsterdam site.
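The wizard steps above as an unattended dcpromo run, with the check a practitioner wants before and after it, as an added example (not from the original article). Before promotion it confirms that the branch server can actually locate a DC for the parent domain through the DNS server it was given, which is the condition behind the “could not find the domain controller for this domain” error; after the reboot it verifies the three things the article checks by eye: the DC’s site, the parent-child trust, and replication. The [DCInstall] keys are the documented 2008 R2 dcpromo answer-file keys; the replication partner name dc01.vkernel.local is an assumption.

```powershell
# Added example: unattended child-domain promotion with pre- and post-checks (not the article's code).
# Run on the branch server (site B) as a local administrator.

$ParentDomain = "vkernel.local"
$ChildName    = "amsterdam"
$SiteName     = "Amsterdam"
$SourceDC     = "dc01.vkernel.local"   # assumed name of the main-office DC chosen as replication partner

function Test-ParentDomainReachable {
    # Uses the DC locator through the DNS server set in the IP settings; if this
    # fails, dcpromo will fail later with the "could not find the domain controller" error.
    param([string]$Domain)
    $out = & nltest /dsgetdc:$Domain /force 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Install-ChildDomainDC {
    param([string]$ParentDomain, [string]$ChildName, [string]$SiteName, [string]$SourceDC)

    if (-not (Test-ParentDomainReachable $ParentDomain)) {
        throw "Cannot locate a DC for $ParentDomain; fix DNS or the VPN before promoting."
    }

    # DSRM password is asked for interactively and must satisfy the complexity policy.
    $dsrm  = Read-Host "Directory Services Restore Mode password" -AsSecureString
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)

    # DomainLevel 4 = Windows Server 2008 R2 functional level (the article's choice).
    # Password=* makes dcpromo prompt for the parent-domain admin credentials
    # instead of storing them in the file. RebootOnCompletion=No so the answer
    # file can be deleted before the reboot.
    $answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Child
ParentDomainDNSName=$ParentDomain
ChildName=$ChildName
DomainNetbiosName=$($ChildName.ToUpper())
DomainLevel=4
SiteName=$SiteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=Yes
ReplicationSourceDC=$SourceDC
UserDomain=$ParentDomain
UserName=Administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$plain
RebootOnCompletion=No
"@
    $file = Join-Path $env:TEMP "dcinstall.txt"
    try {
        Set-Content -Path $file -Value $answer -Encoding ASCII
        Start-Process -FilePath dcpromo -ArgumentList "/unattend:$file" -Wait
    } finally {
        # The file holds the DSRM password in clear text; remove it regardless of outcome.
        Remove-Item $file -ErrorAction SilentlyContinue
    }
    Restart-Computer
}

function Test-NewDomainController {
    # Run after the reboot, logged on to the child domain with the Administrator account.
    param([string]$ExpectedSite, [string]$ParentDomain)
    $site   = (& nltest /dsgetsite 2>&1 | Select-Object -First 1).ToString().Trim()
    $trusts = & nltest /domain_trusts /all_trusts 2>&1
    $repl   = & repadmin /showrepl 2>&1
    return @{
        InExpectedSite = ($site -eq $ExpectedSite)                          # DC shows under Amsterdam
        ParentTrust    = [bool]($trusts -match [regex]::Escape($ParentDomain)) # automatic parent trust
        ReplErrors     = [bool]($repl -match 'error|failed')                 # any replication failure
    }
}

# First boot:   Install-ChildDomainDC $ParentDomain $ChildName $SiteName $SourceDC
# After reboot: Test-NewDomainController -ExpectedSite $SiteName -ParentDomain $ParentDomain
```

Test-NewDomainController should return InExpectedSite and ParentTrust as True and ReplErrors as False; a False site means the subnet-to-site mapping from the Sites and Services step is wrong, and ReplErrors set to True is the point to look at the VPN and DNS before touching anything else.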
Hi,
I have installed AD Domain Services and created a root domain with dcpromo.exe. I would like to do 2 things now.
1) I would like to create child domains inside that root domain.
2) I would like to create a new domain along with root domain.
I got a lot of info about creating a child domain on Google, but when I open dcpromo.exe it doesn’t show me the “Advance Installation” option. Any help is greatly appreciated.
Thanks and Regards,
Chintan Desai
Hi,
I don’t know why you don’t have that option (never happened to me before) but you can try with the advanced switch and see if it works (dcpromo /adv).
Hi Adrian,
Thank you very much for your feedback and help. I have come to know that we cannot create 2 domain controllers (and so a child domain or another domain) on the same machine. I am getting the advanced mode option after installing ADDS the first time, and thereby I have created a root domain. So I have another machine on which I have created a domain root. Now, as you suggested, I would like to make that 2nd domain available on my first machine, so maybe what you have explained in this article. When I create a subnet mask, the address prefix is not working for me. Please advise if I am in the right direction or not. Thanks for your interest.
You can’t install two domains on a single domain controller. For the Sites and Services part you need to know a little bit about subnetting then continue with the configuration. You can follow this post to guide you.
Excellent … easy and clear
Regards
Hi and thanks; trying…
Great article. Helped me a lot. Thanks…