Active Directory - Child domains

[Tarrant64]

Hello all, it's been awhile!

I need to be educated and at the very least pointed in the right direction. I have a couple of domains in my current network. I can't merge (not right now anyways) the two domains together, so I wanted to set it up for multiple domains. Is there a MS Wizard/Step-by-step doc for this?

My goal here is to have authentication between domains an option. I know there may be some changes with DNS that need to be made too, i'm prepared to make whatever changes need to be done.

At my last job we did this for a few months before doing a complete merge of the domains. I know after the change when logging in you have multiple drop-down domains on the login screen. This is the setup I am looking for.

Thank you!

 

[imagoon]

All the DNS servers need to be able to at least contact each other. This easy if you create stub zones for each of the other domains in the DNS servers.

You then create trusts between the 2 domains.

http://www.windowsnetworking.com/articles_tutorials/Creating-Trusts-Between-Forests.html

You need to decide what type of trust you need at this point also. Forest level / single domain etc.

You basically create a trust on each domain, each will generate a password that you have to enter in to the other to establish a 2 way trust. After which you need to start blending security as you believe you will only get "forest admin" rights. You need to add user rights on each side etc as needed

 

[Tarrant64]

That was perfect, thanks. Looks a little too easy, but I did see at the end that there are known problems with the last part creating the trust between forests. Noted.

 

[imagoon]

I find most people have issues because once the trust is established, MS doesn't have a pretty little script of what to do with it.

Note that 2003 btw. 2008 varies it. The have confederated forests and the ability to merge domains in to other forests if AD is at the 2008 level.