-
Windows 2003 Domain Tree
I have a few questions about a Windows 2003 Active Directory structure and DNS.
I have 2 servers in two different cities on which I want to start a fresh installation of Windows 2003 Server. I'm wondering if my DNS and Active Directory structure is possible.
Case #1
Antionline.com as parent domain
City1.Antionline.com as child domain
City2.Antionline.com as child domain
Question: Can the Antionline.com and City1.Antionline.com domains be on the SAME server? I'm pretty sure it's possible for DNS, but I'm not sure if a domain tree and a domain can exist on the same server.
My goals to achieve in this case:
1) City1 creates a parent domain (Antionline.com)
2) City1 uses the same server to create a child domain name (City1.Antionline.com)
3) City2 creates a child domain name (City2.Antionline.com)
4) City2 computer DNS names should be computer.city2.antionline.com
5) City1 computer DNS names should be computer.city1.antionline.com
Case #2
Antionline.com as domain
City1.Antionline.com as primary DNS
City2.Antionline.com as primary DNS
Question: Can Antionline.com and City1.Antionline.com be on the same computer, and how do I force computers at city1 to have a DNS name like computer.city1.antionline.com?
My goals to achieve in this case:
1) City1 creates a domain (Antionline.com)
2) City1 uses the same server to create a primary DNS (City1.Antionline.com)
3) City2 creates a primary DNS (City2.Antionline.com)
4) City2 computer DNS names should be computer.city2.antionline.com
5) City1 computer DNS names should be computer.city1.antionline.com
Thanks for the answer!
-
That should be possible... I'd contact your host to ask them how to set it up exactly, unless you're that host. If that's the case, I don't know enough about DNS yet to be much of any help.
(I'm fairly sure from my experience with Server 2003 that it is possible, though.)
Good luck...
-
Yep, I want to be the host. :)
-
Since I haven't had a reply, does any of you know a good site to ask this type of question? Thank you.
-
One question: why do you want to name your domains this way? It seems that you have a small network and you probably want to keep it as simple as possible.
You can make just one Active Directory which spans both sites. Just specify your subnets and intersite transports in the Active Directory Sites and Services MMC module so that replication works. Then you can have just
example.com
as the Active Directory domain, with different sites in the AD, and Organizational Units for each of the sites if you need to get fancy with rights and group policy.
If you are talking just about DNS, sure, you can do what you want. But if you mean Active Directory as well, a single server can only host one Active Directory domain. So, if the server in city one hosts
example.com as a domain, it cannot also host city1.example.com.
You could call the forest in which these domains live
example.com
with the domains
city1.example.com, etc.
Or you could make two domains, city1.example.com and city2.example.com, and create a trust relationship without having them both in the same forest (it would be better if they were just in the same forest).
Or you could just make one domain and separate the rights and such using Organizational Units and group policy.
I have an Active Directory domain which spans 8 offices, all in "example.com".
-
My VPN/Internet connection is kind of unstable, so I want to be sure that my 2 sites will not go down if they cannot reach my AD. That's why I was looking forward to 2 child domains with one parent domain.
But I'm checking some info about the Active Directory global catalog, which is used to authenticate both computer and user logons. If I could recreate a global catalog at my second site, like a read-only copy of my AD, I would probably be happy.
tabich; is it impossible to create a parent and child domain on the same computer? Right?
-
You can have more than one global catalog; that should not be a problem.
As far as I know, it is impossible to host parent and child Active Directories on the same box.
We have a site which has an unstable connection as well; it is on the list of things to fix, but not high priority as they do not complain very loudly.
They have a copy of the global catalog on their server, and can log in just fine.
As far as I know, you cannot make a read-only version. Since in Active Directory all domain controllers are equal, there is not really a primary and a backup, though there are some single master operation roles which are owned by a single DC.
-
Global catalogs are read-only versions of Active Directory, right?
-
Essentially, but ANY domain controller can make changes to Active Directory by default (you may be able to limit this); it is not like NT, where there were clearly defined roles for domain controllers, where backups were just that, backups, and all changes needed to happen on the primary. Therefore, if you have a global catalog on each domain controller (and I believe the global catalog MUST be on a domain controller), it is NOT read-only.
The catalog may be read-only, but since the DC can modify it...
I was just trying to say that you won't have two servers of which only one can modify the catalog.
EDIT:
I understood you to say that you wanted one of them to be read-only.
-
So what I need is to install a global catalog in city2. Can this be done without installing AD on the server? If not, if I install AD in city2, can it be part of the same domain as the one I created in city1?
-
AFAIK, you cannot have a global catalog on a server without it being a domain controller.
So, install AD on the server in city 2. It can be part of the domain you created in city 1.
Basic instructions for doing this (you might want to research a bit yourself, as I am going from memory):
1. Install Win 2003 Server, add Active Directory to it with the dcpromo command, and make sure that the AD-integrated DNS stuff is set up in your DNS settings afterward.
2. Set up users and groups, etc., etc.
3. Go to Start > Programs > Admin Tools > Active Directory Sites and Services, and add the following things:
- Subnet for the office in city 2
- Site for your office in city 2, using the subnet you just created
- Intersite transport between city1 and city2 (you may have to do this step after promoting the server in city 2, but I seem to remember doing it beforehand; give it a shot and see if it works)
4. Now you have 2 choices:
OPTION 1: install the city 2 server at city 1 and promote it to domain controller there, then move it and change the site in Active Directory (I have had some issues with this; it never seemed to like what happened).
OPTION 2, and this one I have had lots of luck with: install Win2003 on the other server but DO NOT join it to the domain during install.
Make sure that your VPN is up.
Point the second server to the city1 server for DNS info.
Run the dcpromo command on the city2 server and add it as a domain controller to the same domain you have already created. Again, check the DNS info afterward. Make sure that city2 hosts an Active Directory-integrated DNS domain for the name you chose for the Active Directory domain.
In the network settings of the city2 server, point it to itself for DNS lookups.
Some other notes. Make sure that you install the admin tools and support tools for Win2003 Server; those can be located (I am going from memory here, and also memory of Windows 2000) in cd drive\i386\adminpak.msi and another installer in cd drive\support somewhere.
Once that is installed you should have an option under your Start > Programs for Support Tools; then use Active Directory Replication Monitor to verify that replication is working.
DNS info is VERY important for replication, so make absolutely sure that the city1 server hosts an Active Directory-integrated zone for the domain in DNS, and after install city2 needs the same thing.
You may be able to tell the Win2003 installer to do that DNS stuff; I can't remember.
IF you have unstable links like you do, you probably want to check on the replication between servers fairly frequently, once a day anyway. If the last attempted replication failed, you will want to make sure your VPN is up, and then initiate another one from inside the Active Directory Replication Monitor tool.
Disclaimer: most of this information is directly related to Windows 2000 and not specifically Windows 2003, but it should be similar enough so as not to matter.
If you don't see adminpak.msi or the Support Tools installer on the Win2003 CD-ROM, search for "windows 2003 adsiedit" and then "support tools" and you should find where they live so you can install them.
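The post above stresses two things to verify on the second DC: that the DNS records the domain controllers need actually resolve, and that replication over the unstable VPN is succeeding. The following batch script is an added example, not written by anyone in this thread, that performs those checks from the command line using the Windows 2003 Support Tools (repadmin, dcdiag, nltest) the post tells you to install. The domain name example.com and the peer DC name DC1 are assumed placeholders; change them to your own values.

```batch
@echo off
REM check-ad-replication.cmd (added example, not from the thread)
REM Run on the city2 domain controller after dcpromo has finished and the server
REM has been pointed at itself for DNS. Requires the Win2003 Support Tools.
REM Assumed values (hypothetical): AD domain example.com, city1 DC named DC1.
setlocal
set DOMAIN=example.com
set PEER_DC=DC1

echo === 1. DNS client: this DC must use a DNS server that hosts %DOMAIN% ===
ipconfig /all | findstr /i /c:"DNS Servers"

echo === 2. DNS zone: SRV records that domain controllers use to find each other ===
REM If any of these fail, replication and cross-site logons will also fail.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN%
nslookup -type=SRV _kerberos._tcp.dc._msdcs.%DOMAIN%
nslookup -type=SRV _gc._tcp.%DOMAIN%

echo === 3. Replication: last attempt and result for every partner ===
REM Non-zero "Last attempt" status means the link was down; check the VPN first.
repadmin /showrepl

echo === 4. Replication: end-to-end test as seen from the other DC ===
dcdiag /test:replications /s:%PEER_DC%

echo === 5. Global catalog: needed so city2 logons keep working when the VPN is down ===
nltest /dsgetdc:%DOMAIN% /gc

REM After the VPN comes back up, replication can be forced across all sites with:
REM   repadmin /syncall /e
endlocal
```

Steps 1 and 2 catch the DNS problems the post warns about (the second DC pointing at the wrong DNS server, or the AD-integrated zone missing its SRV records); steps 3 and 4 give the same "last attempt / last success" information as the Replication Monitor GUI, so they can be scheduled daily as the post suggests instead of opening the tool by hand.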
-
Good info! I wish I could give you more AP, but I cannot right now; they'll come at some point!
Basically, this setup would give me one domain with 2 domain controllers across 2 sites, both using the same Active Directory and DNS with replication between them? After that, all I need is to set security so only city1 can make changes to Active Directory on both domain controllers? Right?
Another question: with this setup, is it easy to force all IPs coming from a subnet to a specific DNS name like computer.city1.domain.com?