In this tutorial, we will see how to add a child domain to an Active Directory tree.
A child domain is a subdomain of one of the domains that make up your Active Directory forest.
Splitting into subdomains allows a logical partitioning of the Active Directory and also makes it possible to delegate administrative rights on the child domain.
This tutorial follows: How to deploy an Active Directory environment.
Context
To illustrate this article, we will draw a parallel with a (fictional) scenario.
A company based in France uses an Active Directory domain (lab.intra) in its IT environment.
It wants to open offices in New York and delegates the administration of that office's IT to a local team, which will act on the domain ny.lab.intra.
Prerequisites
- An existing Active Directory domain (server + client computer)
- A Windows server compatible with the parent domain, with the AD DS and DNS roles installed but not yet configured.
- A client (Windows 7 or later) to join to the child domain.
Target
Site configuration (optional)
1. On the existing domain controller, open the Active Directory Sites and Services console.
2. Right click on Sites 1 / New site … 2 .
3. Enter the site name 1 and click OK 2 .
4. Close the confirmation message by clicking OK 1 .
5. Right click on Subnets 1 / New Subnet … 2 .
6. Enter the prefix (network address / subnet mask) 1 , select the site 2 and click OK 3 .
7. Right click on 1 (New-York-1) / Properties. Check that the subnet is assigned to site 2 .
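The same site and subnet setup as in steps 1 to 7, as an added PowerShell example that is not part of the original tutorial. It assumes the site name New-York-1 from the screenshots; the prefix 10.20.0.0/24 is a constructed placeholder for the New York network.

```powershell
# Added example (not from the original tutorial): creates the New-York-1 site and its subnet
# on the existing domain controller, then checks the assignment as in step 7.
Import-Module ActiveDirectory

$siteName = 'New-York-1'
$subnet   = '10.20.0.0/24'   # constructed placeholder, replace with the real NY prefix

# Steps 2-3: create the site (skipped if it already exists so the script can be re-run)
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName
}

# Steps 5-6: create the subnet and attach it to the site
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
    New-ADReplicationSubnet -Name $subnet -Site $siteName
}

# Step 7: check that the subnet is assigned to the right site.
# The Site property of a subnet is the site's distinguished name, so compare on the DN.
$siteDn = (Get-ADReplicationSite -Identity $siteName).DistinguishedName
$check  = Get-ADReplicationSubnet -Identity $subnet
if ($check.Site -ne $siteDn) {
    throw "Subnet $subnet is not assigned to $siteName (found: $($check.Site))"
}

# Add the new site to the default site link so replication with the parent site can be scheduled
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Add = $siteName}
```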
Creating the child domain
In the IP settings of the new server, point the DNS server address to a domain controller of the parent domain.
1. Go to the new server; from Server Manager, click Promote this server to a domain controller 1 .
2. Select the option Add a new domain to an existing forest 1 , select Child domain 2 and click on the Select button 3 .
3. Enter the credentials of an administrator account of the parent domain 1 and click OK 2 .
4. Select parent domain 1 and click OK 2 .
5. Enter the prefix of the new domain name 1 then click Next 2 .
6. Enter the restore mode password 1 and click Next 2 .
7. Click Next 1 to validate the DNS options.
8. Validate the NETBIOS name by clicking Next 1 .
9. Click Next 1 to accept the database, log and SYSVOL paths.
10. Validate the options by clicking Next 1 .
11. Once the tests are validated, click on Install 1 .
12. Wait during the installation, the server should restart …
After the reboot, the server is a domain controller; in Server Manager we can see the domain to which the server belongs 1 .
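The promotion described in steps 1 to 12, as an added PowerShell example that is not part of the original tutorial. It assumes the domain names and site name of the lab; the parent DC address 10.10.0.10 and the interface alias Ethernet are constructed placeholders, and both secrets are prompted rather than written in the script.

```powershell
# Added example (not from the original tutorial): promotes the new server as the first domain
# controller of the child domain ny.lab.intra with the same choices as the wizard.

# Preliminary: the new server must resolve the parent domain through a parent DC
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.10.0.10'   # placeholder IP
Resolve-DnsName -Name 'lab.intra' -Type A -ErrorAction Stop | Out-Null   # stops here if the parent is unreachable

# Role installation (the tutorial assumes this is already done)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Steps 3 and 6: parent-domain administrator credential and DSRM password, prompted interactively
$parentAdmin  = Get-Credential -Message 'Administrator of the parent domain (LAB\login)'
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

Import-Module ADDSDeployment

# Steps 2 to 10 of the wizard expressed as parameters
$params = @{
    NewDomainName                 = 'ny'
    ParentDomainName              = 'lab.intra'
    DomainType                    = 'ChildDomain'
    NewDomainNetbiosName          = 'NY'
    Credential                    = $parentAdmin
    SafeModeAdministratorPassword = $dsrmPassword
    InstallDns                    = $true
    CreateDnsDelegation           = $true          # delegation ny.lab.intra in the parent zone
    SiteName                      = 'New-York-1'   # the site created earlier
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    NoRebootOnCompletion          = $false
    Force                         = $true
}

# Step 11: run the prerequisite checks without changing anything
$test = Test-ADDSDomainInstallation @params
if ($test.Status -ne 'Success') { throw "Prerequisite check failed: $($test.Message)" }

# Step 12: the server reboots on its own once the promotion completes
Install-ADDSDomain @params
```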
Now that we have our child domain and domain controller, we must finish the configuration and validate the proper functioning.
Configuration and validation
DNS
It is necessary to make sure that each domain can resolve the DNS records of the other; for that, conditional forwarders must be added.
Parent domain
1. Open the DNS console and verify that a folder with the child domain name 1 is present.
2. Right-click Conditional Forwarders 1 and click New Conditional Forwarder … 2 .
3. Enter the DNS name 1 , add the IP address of the child domain controller 2 and click OK 3 .
4. The forwarder pointing to the child domain is added 1 .
Child domain
Do the same thing on the child controller with the parent domain.
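The forwarder configuration for both sides plus the resolution check, as an added PowerShell example that is not part of the original tutorial. It assumes the script is run on each DNS server in turn; the addresses 10.10.0.10 (parent DC) and 10.20.0.10 (child DC) are constructed placeholders.

```powershell
# Added example (not from the original tutorial): creates the conditional forwarder on whichever
# side the script runs, then verifies that each domain resolves the other's LDAP SRV record.
Import-Module DnsServer
Import-Module ActiveDirectory

function Add-ForwarderIfMissing {
    param([string]$Zone, [string[]]$Servers)
    # Get-DnsServerZone -Name throws when the zone is absent, so test with a filtered listing
    $existing = Get-DnsServerZone | Where-Object { $_.ZoneName -eq $Zone -and $_.ZoneType -eq 'Forwarder' }
    if (-not $existing) {
        # 'Domain' scope stores the forwarder in AD and replicates it to the DNS servers of this domain only
        Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $Servers -ReplicationScope 'Domain'
    }
}

# Parent domain section: forward ny.lab.intra to the child DC; child domain section: the reverse
$local = (Get-ADDomain).DNSRoot
switch ($local) {
    'lab.intra'    { Add-ForwarderIfMissing -Zone 'ny.lab.intra' -Servers '10.20.0.10' }   # placeholder IP
    'ny.lab.intra' { Add-ForwarderIfMissing -Zone 'lab.intra'    -Servers '10.10.0.10' }   # placeholder IP
    default        { throw "Unexpected domain $local" }
}

# Validation: trusts, Kerberos and replication all depend on locating a DC of the other
# domain, so the _ldap._tcp.dc._msdcs SRV record of both domains must resolve from here.
foreach ($domain in 'lab.intra', 'ny.lab.intra') {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
    $dcs = ($srv | Where-Object { $_.Type -eq 'SRV' }).NameTarget -join ', '
    "$domain -> $dcs"
}
```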
Active Directory Sites and Services
On the parent domain, open the console and check that in the site created 1 , in the Servers folder 2 , the new domain controller 3 and its replication link 4 are present.
Group Policy
It is possible in the console to display the group policies of the other domains of the forest and to link them to another.
1. From the console, right click on Domain 1 and click on Show domains 2 .
2. Choose the domains to display 1 and click OK 2 .
3. Both domains are manageable in console 1 .
Active Directory Domains and Trusts
1. On the parent controller, open the console and verify that a trust exists between the two domains (both appear in the console) 1 .
2. (optional) Open the properties of each domain and validate the Parent / Child link.
FSMO Roles
1. On the child domain controller (NY), open a command window and enter the following command: netdom query fsmo
2. It can be seen that 3 roles are held by the DC of the child domain and the other two (Schema master and Domain naming master) by the DC of the parent domain, which is normal because those two FSMO roles are unique to the AD forest.
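The three checks of this Configuration and validation part (replication link in the site, the parent/child trust and the FSMO placement) in one script, as an added PowerShell example that is not part of the original tutorial. It assumes RSAT or a domain controller and the domain names of the lab.

```powershell
# Added example (not from the original tutorial): validates site/replication, trust and FSMO
# roles for the child domain from a single PowerShell session.
Import-Module ActiveDirectory

$child  = 'ny.lab.intra'
$parent = 'lab.intra'

# Sites and Services: the NY controller must sit in the NY site and replicate successfully
Get-ADDomainController -Filter * -Server $child | Select-Object HostName, Site | Format-Table -AutoSize
Get-ADReplicationPartnerMetadata -Target $child -Scope Domain |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize

# Domains and Trusts: a child domain gets an automatic two-way, transitive parent/child trust
$trust = Get-ADTrust -Filter "Target -eq '$parent'" -Server $child
if (-not $trust) { throw "No trust from $child to $parent" }
'Trust to {0}: direction={1}, type={2}, intraforest={3}' -f $trust.Target, $trust.Direction, $trust.TrustType, $trust.IntraForest

# FSMO: the two forest-wide roles stay on the forest root (parent); the three domain-wide
# roles of NY must be held by a NY controller, which is what 'netdom query fsmo' shows.
$forest   = Get-ADForest -Server $parent
$childDom = Get-ADDomain  -Server $child
[ordered]@{
    'Schema master (forest)'        = $forest.SchemaMaster
    'Domain naming master (forest)' = $forest.DomainNamingMaster
    'RID master (ny)'               = $childDom.RIDMaster
    'PDC emulator (ny)'             = $childDom.PDCEmulator
    'Infrastructure master (ny)'    = $childDom.InfrastructureMaster
} | Format-Table -AutoSize

$childDcs = (Get-ADDomainController -Filter * -Server $child).HostName
foreach ($role in 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster') {
    if ($childDom.$role -notin $childDcs) { Write-Warning "$role is not held by a NY domain controller" }
}
```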
Using the child domain
As in the tutorial How to deploy an Active Directory environment, we will create 3 OUs (IT, IT / Users, IT / Computers) and a user, and join a computer to the NY.LAB.INTRA domain.
From this computer, we will log in with a user of the NY domain and then with a user of the parent domain.
The following operations are done with the Active Directory Administrative Center console (ADAC).
I assume that you are already familiar with the AD consoles, so I will not go into detail about creating the OUs and the user or joining the domain.
Organizational unit
1. From the console, click on New 1 / Organizational Unit 2 .
2. Enter the name 1 and click OK 2 .
3. Position yourself in the new OU (IT) and repeat steps 1 and 2 for the Computers and Users OUs, as in the screenshot below.
Users
1. Position yourself in the OU where the user is to be created or right-click on the OU, use the menu New 1 / User 2 .
2. Enter the user information * and confirm by clicking OK 1 .
3. User created.
Add the computer to the domain
1. In the Windows system properties, enter the child domain 1 .
2. Move the computer to the correct OU in the ADAC console.
Logging on to the computer
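The OU, user and computer steps of this Using the child domain part, as an added PowerShell example that is not part of the original tutorial. It assumes the OU names of the tutorial; the user jdoe and the computer name NY-PC01 are constructed placeholders, and the password is prompted.

```powershell
# Added example (not from the original tutorial): creates IT, IT/Users and IT/Computers in
# ny.lab.intra, creates a user, pre-stages the computer account, then joins the workstation.
Import-Module ActiveDirectory

$domain = 'ny.lab.intra'
$base   = (Get-ADDomain -Server $domain).DistinguishedName   # DC=ny,DC=lab,DC=intra

# Organizational unit steps 1 to 3, guarded so the script can be re-run.
# ProtectedFromAccidentalDeletion mirrors the ADAC default for new OUs.
function New-OuIfMissing {
    param([string]$Name, [string]$Path)
    $found = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $Path -SearchScope OneLevel -Server $domain
    if (-not $found) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -Server $domain -ProtectedFromAccidentalDeletion $true
    }
    return "OU=$Name,$Path"
}
$itOu        = New-OuIfMissing -Name 'IT'        -Path $base
$usersOu     = New-OuIfMissing -Name 'Users'     -Path $itOu
$computersOu = New-OuIfMissing -Name 'Computers' -Path $itOu

# Users steps 1 to 3: enabled account that must change its password at first logon
$password = Read-Host -AsSecureString -Prompt 'Initial password for jdoe'
New-ADUser -Server $domain -Path $usersOu -Name 'John Doe' -SamAccountName 'jdoe' `
    -UserPrincipalName "jdoe@$domain" -GivenName 'John' -Surname 'Doe' `
    -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true

# Pre-staging the computer account in IT/Computers replaces step 2 of the join section:
# the workstation lands directly in the right OU instead of the default Computers container.
New-ADComputer -Server $domain -Name 'NY-PC01' -Path $computersOu

# Step 1 of the join section, run on the workstation itself as a local administrator:
# Add-Computer -DomainName 'ny.lab.intra' -Credential (Get-Credential 'NY\Administrator') -Restart
```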
Domain user (child)
1. Enter the user account 1 in the form DOMAIN\login and the password 2 , then press Enter.
2. User logged in.
Parent Domain User
Use the user created when setting up the parent domain.
1. Enter the user account 1 in the form PARENT_DOMAIN\login and the password 2 , then press Enter.
2. The parent domain user is logged on to a child domain machine.
Users can therefore move between sites and log on with the local equipment.