Join Ed Liberman for an in-depth discussion in this video Deploying a child domain, part of Windows Server 2016: Active Directory Enterprise Infrastructure.
- [Instructor] When working with Active Directory Domain Services, sometimes you make the decision that it's time to create a new domain. It's time to branch out from that single domain environment. Now why would we do this? Well in the old days, we used to say that a domain was a security boundary, but we've since proven that to not be completely true. It's really more of an administrative boundary, so it's when you decide that it's time for a new core administrative unit in your environment. Then you have to decide, are we going to be talking about jumping over to a new namespace, and so it'll be a tree domain? Or, are we talking about staying within the existing namespace and calling it a child domain? Well for now, I want to talk about the creation of a child domain.
So my environment here. I have three domain controllers currently running. They are called DC-1, DC-2 and DC-3. They are all domain controllers for the landonhotel.local domain, okay, and that's our forest root domain. I also have another server here called Child-DC, and Child-DC, even though it's named that, right now it's just a standalone server, so I want to go ahead and promote this to a domain controller as a child domain within the landonhotel.local name structure.
So let's connect to Child-DC now. Okay here in the Server Manager, I have Child-DC. I would like to point out that I've already gone through the Add Roles and Features wizard to add the Active Directory Domain Services role. You can see that down in the lower left-hand area here that I've added that role, and in the upper right, you'll see that I have a notification telling me that I still need to promote this server to a domain controller. So let's go ahead and click on that link. This will take us into the Active Directory Domain Services Configuration Wizard, where I need to choose: am I adding a domain controller to an existing domain? Well no, we said we wanted to do a new domain, so is this going to be a new domain in an existing forest, or is it a new forest? Well we want to work within the same forest, so we're going to take the second choice here.
Then we have to select a domain type. Is it going to be a Child Domain or Tree Domain, just as I was talking about before? Right now, we're dealing with a Child Domain, so we have to select who the parent is, and the parent is landonhotel.local, and for the new domain name, I'm going to call it simply lhchild, okay, for the Landon Hotel Child domain. It may not be the most realistic name if this was a production environment.
Okay you'd want to actually have something that relates to why you were creating that new administrative unit, but in this case since it's just for the purposes of teaching, I'm going with lhchild. I need to then provide credentials of who can do this, so I'm going to say that we're going to do the landonhotel\administrator. Put in the password for that account. Click OK and then Next. At this point it's going to go through and validate the credentials, and validate that it can connect with the domain naming master.
Okay, because if we're creating a new domain, the domain naming master has to be reachable to be able to approve this change, or this update. We select the domain functional level, and in this case we only have the choice of Windows Server 2016. You'll see if I drop that down I don't have any other choice, and the reason is because I'm in a forest that is already set to Windows Server 2016. Basically you want the functional level to be as low as whatever the lowest domain controller is that you're going to have in the domain or the forest.
Okay but for this course, everything's going to be Windows Server 2016, so this is fine. We then can determine if we want this domain controller to also be a DNS server, which is a good idea because we need a DNS server to be able to serve this new namespace. And do we want it to be a Global Catalog server? Which again, is not a bad idea, especially for the first domain controller in a new domain. We cannot make it a read-only domain controller because we don't have a writable domain controller to replicate from, because it's a new domain.
We won't worry about the site. We only have one right now, okay, I'll talk about creating different sites and moving domain controller sites in a different video. We need to enter in a Directory Services Restore Mode password, so I will enter that now, and we have to actually enter it twice. Then I will click Next. Now we have a choice to be able to go ahead and create a DNS delegation. Okay and the reason we're saying that is because do we want to put a delegation in the parent domain that tells DNS up at landonhotel.local that this server is going to be a DNS server for the child domain? We do want to do that, so we'll click Next.
It's now going to verify whether the NetBIOS name, lhchild, is valid or not, and if this was longer than 15 characters, it would truncate it down, but since lhchild is less, we'll get the full name. There it is, LHCHILD, so I'll click Next once again. Now it wants me to specify the location of where to put the database, log files and SYSVOL. I only have the one hard drive so there's nothing to change here, so I'll click Next again. Here is a full review of everything we're about to do. I could view the script if I wanted to hold onto a PowerShell script for other future deployments that are similar.
But in this case, I'm good with everything, so I'm just going to click Next. It now is going to go through and check the prerequisites to make sure that this server is acceptable to be able to install Active Directory and become a domain controller. While we can see that there is a warning that came up, the important thing is that we get the green circle with the checkmark in it, saying that all prerequisites did pass, and we are ready to install. All right so I'm going to go ahead and click Install, and at this point, it's going to go through and you'll see the warnings come up again.
It's the same warning. It's a warning we don't care about, about backward compatibility with NT 4, so it's a very common thing. We see it every time. So at this point it's going to install DNS, it's going to install Active Directory as a domain controller, and then it's going to reboot, and so through the magic of video editing, I'm going to go ahead and fast-forward us to after we've rebooted and logged back in. If you are following along, go ahead and pause the video and then resume when you get there as well. All right so my system has completed all the installation and the promotion process as well as rebooted, and then I logged in, and since we are no longer a standalone computer, and we're now a domain controller, I logged in as the lhchild administrator, because that's essentially the local administrator.
As you can see here, I now have the DNS role and the Active Directory Domain Services role. If I look on the Tools menu, you can see that I have a variety of Active Directory tools, as well as DNS, available to me, so that is pretty much it. I have successfully created a child domain in my forest, so I'm now officially a two-domain forest. All right, so again, please keep in mind that at some point in time, you may get to a point where you need to branch out beyond a single domain environment, and the easiest first step is if you can stay within the naming hierarchy and create a child domain, and that's what we've just done here.
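The same child-domain promotion as a PowerShell script, of the kind the wizard's "View script" button produces; this is an added example, not the script from the video, and it assumes the default site name Default-First-Site-Name, the default NTDS and SYSVOL paths, and that DC-1 (as dc-1.landonhotel.local) can be used to reach the parent domain.

```powershell
# Added example: scripted equivalent of the wizard steps in this video.
# Run on Child-DC. Assumed, not from the video: default site name,
# default NTDS/SYSVOL paths, DC-1 reachable as dc-1.landonhotel.local.

# 1. Add the role (the video does this through Add Roles and Features).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# 2. The two secrets the wizard asks for: a parent-domain account allowed
#    to create a domain, and the Directory Services Restore Mode password.
$parentCred = Get-Credential -UserName 'landonhotel\administrator' -Message 'Parent domain credentials'
$dsrmPwd    = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# 3. Creating a domain needs the domain naming master reachable; show who holds it.
$forest = Get-ADForest -Identity landonhotel.local -Server dc-1.landonhotel.local -Credential $parentCred
"Domain naming master: $($forest.DomainNamingMaster)"

# 4. Same choices as the wizard pages, as one parameter set.
$common = @{
    DomainType                    = 'ChildDomain'
    ParentDomainName              = 'landonhotel.local'
    NewDomainName                 = 'lhchild'
    NewDomainNetbiosName          = 'LHCHILD'       # 15 characters or fewer
    DomainMode                    = 'WinThreshold'  # Windows Server 2016 functional level
    InstallDns                    = $true           # this DC also serves the new zone
    CreateDnsDelegation           = $true           # delegation placed in the parent zone
    NoGlobalCatalog               = $false          # first DC in a new domain: make it a GC
    SiteName                      = 'Default-First-Site-Name'   # assumed single site
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    Credential                    = $parentCred
    SafeModeAdministratorPassword = $dsrmPwd
}

# 5. Prerequisite check only (the green-checkmark step); nothing is changed yet.
$check = Test-ADDSDomainInstallation @common
$check.Message
if ($check.Status -ne 'Success') { throw 'Prerequisite check failed; not promoting.' }

# 6. Promote. The server reboots when it finishes, just like the wizard.
Install-ADDSDomain @common -Force:$true -NoRebootOnCompletion:$false

# After the reboot, logged in as lhchild\administrator, confirm the result:
#   Get-ADDomain lhchild.landonhotel.local | Select-Object DNSRoot, ParentDomain, DomainMode
#   (Get-ADForest).Domains   # should list landonhotel.local and lhchild.landonhotel.local
```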