Active directory: How to set up a child domain


Windows Server 2016 Windows Server 2019 Windows Server 2022

In this tutorial, we will see how to put a child domain in an Active Directory tree.

A child domain is a subdomain of one of the component domains in your Active Directory forest.

Subdomain segmentation allows logical partitioning of the Active Directory and also enforces rights delegations to children.

This tutorial follows: How to deploy an Active Directory environment.

Context

To illustrate this article, we will draw a parallel with a (fictional) scenario.

A company based in France uses an Active Directory domain (lab.intra) in its IT environment.

She wants to open offices in New York and delegates the administration of IT to a local team that can act on the domain ny.lab.intra.

Prerequisites

  • Have an Active Directory Domain (Server + Computer)
  • A Windows server compatible with the parent domain and the AD and DNS roles installed and unconfigured.
  • A client (Windows 7 or +) to join in the child domain.

Target

Domaine enfant objectif

Site configuration (optional)

1. On the existing domain controller, open the Active Directory Sites and Services console.

2. Right click on Sites 1 / New site … 2 .

Nouveau site

3. Enter the site name 1 and click OK 2 .

Nom du site

4. Close the confirmation message by clicking OK 1 .

Confirmation site ajouté

5. Right click on Subnets 1 / New Subnet … 2 .

Création réseau

6. Enter the prefix (network address / subnet mask) 1 , select the site 2 and click OK 3 .

Configuration du réseau

7. Right click on 1 (New-York-1) / Properties. Check that the subnet is assigned to site 2 .

Réseau ajouté

Creating the child domain

In the IP settings, specify a parent domain controller in DNS.

1. Go to the new server, from the server manager click Promote this domain controller server 1 .

Lancer l'assistant

2. Select the option Add new to an existing forest 1 , select Child domain 2 and click on the button Select 3 .

Ajout d'un domaine dans une foret

3. Enter the credentials of an administrator account of the parent domain 1 and click OK 2 .

Entrer les identifiants d'un administrateur du domaine

4. Select parent domain 1 and click OK 2 .

Choisir le domaine

5. Enter the prefix of the new domain name 1 then click Next 2 .

Saisir le sous-domaine

6. Enter the restore mode password 1 and click Next 2 .

Mot du passe du mode restauration

7. Click Next 1 to validate the DNS options.

Option DNS

8. Validate the NETBIOS name by clicking Next 1 .

Nom NETBIOS

9. Click Next 1 to enter the path configuration.

Chemin d'accès des fichiers AD

10. Validate the options by clicking Next 1 .

Resume des options

11. Once the tests are validated, click on Install 1 .

Lancer l'installation

12. Wait during the installation, the server should restart …

At reboot, the server will be domain controller, using the server manager, we see the domain to which the server 1 .

Serveur dans son domaine

Now that we have our child domain and domain controller, we must finish the configuration and validate the proper functioning.

Configuration and validation

DNS

It is necessary to make sure that the domains can solve the different DNS records, for that it is necessary to add conditional forwarders.

Parent domain

1. Open the DNS console and verify that a folder with the child domain name 1 is present.

Console DNS

2. Right-click Conditional Redirectors 1 and click New Conditional Redirector … 2 .

Nouveau redirecteur

3. Enter the DNS name 1 , add the IP address of the child domain controller 2 and click OK 3 .

Configuration du redirecteur

4. The redirector is added to link to the child domain 1 .

Redirecteur ajouté

Child domain

Do the same thing on the child controller with the parent domain.

Redirecteur domaine enfant

Active Directory Sites and Services

On the parent domain, open the console and check that in the site created 1 , in the folder Server 2 is the domain control 3 and the replication link 4 .

Vérification lien de réplication

Group Strategy

It is possible in the console to display the group policies of the other domains of the forest and to link them to another.

1. From the console, right click on Domain 1 and click on Show domains 2 .

GPO sélection domaine

2. Choose the domains to display 1 > and click OK 2 .

Choisir les domaines

3. Both domains are manageable in console 1 .

Domaine ajoute

Active Directory Domains and Trusts

1. On the parent controller open the console and verify that there is a link between the two domains (presence in the console) 1 .

Vérification approbation

2. (optional) Open the properties of each domain and validate the Parent / Child link.

FSMO Roles

1. On the child domain control (NY), open a command window and enter the following command:netdom query fsmo

2. It can be seen that 3 roles are carried on the DC of the child domain and the other two on the DC of the parent domain, which is normal because two FSMO roles are unique in the AD forest.

Vérification rôle FSMO

Using the child domain

As in the tutorial How to deploy an Active Directory environment, we will create 3 OR (IT, IT / Users, IT / Computers), a user and join a post to the NY.LAB.INTRA domain.

From this post, we will log in with the NY domain user and a user from the parent domain.

The following manipulations are done with the Active Directory Administrative Center console (ADAC).

I assume that you are already familiar with AD consoles, I will not go into detail about the creation of OU, user and domain junction.

Organizational unit

1. From the console, click on New 1 / Organizational Unit 2 .

Ajout OU

2. Enter the name 1 and click OK 2 .

Configuration

3. Position yourself in the new OR (IT) and repeat points 1 and 2 for the OU Computers and Users how to capture it below.

Liste des OU

Users

1. Position yourself in the OU where the user is to be created or right-click on the OU, use the menu New 1 / User 2 .

Ajouter un utilisateur

2. Enter the user information * and confirm by clicking OK 1 .

Configuration du compte

3. User created.

Utilisateur ajouté

Add the post to the domain

1. In the Windows system properties enter the child domain 1 .

Poste a ajouté au domaine

2. Move the station to the correct OR in the ADAC console.

Connection to the post

Domain user (child)

1. Enter the user account 1 in the form (DOMAINlogin) / Password 2 and press Enter.

Connexion utilisateur domaine du poste

2. User logged in.

Utilisateur connecté

Parent Domain User

Using the created user when setting up the parent domain.

1. Enter the user account 1 in the form (DOMAIN_PARENTlogin) / Password 2 and press Enter.

Connexion avec utilisateur domaine parent

2. Parent domain user logged in on a child domain machine.

Utilisateur connecté

Users can change sites using local hardware.




Leave a Comment