Forest vs Child Domain

Hi Guys,
I'm thinking of separating the Development/Test environments from Acceptance/Production (DTAP). For this I don't want to make the separation only at the host level; I'm also considering whether to create a separate forest for Dev/Test or a child domain.
What are your recommendations? Child domain or different forest?

By creating a child domain you will be sharing the schema, configuration and some application partitions of your production environment. This means that an operation like adding a new custom attribute is forest-wide and is replicated to all DCs in your forest.
For better isolation, you simply need to create a new domain in a new forest. If you require access to some production resources, or the reverse, you can create a trust relationship between the two forests.
This posting is provided AS IS with no warranties or guarantees, and confers no rights.
Ahmed MALEK

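As an added illustration of the point made in the answer above (example code written for this page, not code from the thread or from Microsoft), the PowerShell below does two things: it lists the naming contexts a child-domain DC holds and marks which of them are forest-wide, which is exactly why a child domain cannot keep Dev/Test schema changes away from production; and it shows the forest-plus-trust alternative, creating a forest trust through the .NET System.DirectoryServices.ActiveDirectory API (the ActiveDirectory module has no cmdlet for creating trusts) with selective authentication enabled so that Dev/Test principals can authenticate to a production computer only where "Allowed to Authenticate" has been granted. The names corp.example, devtest.example and dc1.dev.corp.example are placeholders, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example for this page; not code from the thread. Needs the RSAT
# ActiveDirectory module. All forest, domain and DC names are placeholders.
Import-Module ActiveDirectory

# --- 1. What a child-domain DC actually hosts --------------------------------
# A DC in dev.corp.example (a child of corp.example) holds the forest-wide
# Schema and Configuration partitions next to its own domain partition, so a
# schema extension made for Dev/Test lands on every production DC as well.
function Get-DcPartitionScope {
    param([string]$Server = 'dc1.dev.corp.example')   # placeholder child DC
    $rootDse = Get-ADRootDSE -Server $Server
    foreach ($nc in $rootDse.namingContexts) {
        if     ($nc -eq $rootDse.schemaNamingContext)        { $scope = 'forest-wide (schema)' }
        elseif ($nc -eq $rootDse.configurationNamingContext) { $scope = 'forest-wide (configuration)' }
        elseif ($nc -eq $rootDse.defaultNamingContext)       { $scope = 'this domain only' }
        else                                                 { $scope = 'application partition (see crossRef)' }
        [pscustomobject]@{ Server = $Server; NamingContext = $nc; Scope = $scope }
    }
}

# --- 2. Which application partitions exist in the forest ---------------------
# crossRef objects under CN=Partitions describe every partition in the forest;
# ForestDnsZones is typical and, like schema/config, is shared by all domains.
function Get-ForestPartitions {
    param([string]$Server = 'dc1.dev.corp.example')   # placeholder
    $cfg = (Get-ADRootDSE -Server $Server).configurationNamingContext
    Get-ADObject -Server $Server -SearchBase "CN=Partitions,$cfg" `
        -Filter 'objectClass -eq "crossRef"' -Properties nCName, nETBIOSName |
        Select-Object Name, nCName, nETBIOSName
}

# --- 3. The better-isolated alternative: separate forest + trust -------------
# The AD module has no cmdlet that creates a trust; the .NET API does. A
# bidirectional forest trust is shown because the answer mentions access in
# either direction; use TrustDirection Inbound or Outbound when one direction
# is enough. Credentials are prompted for, never stored in the script.
function New-IsolatedForestTrust {
    param(
        [string]$ProductionForest = 'corp.example',     # placeholder
        [string]$DevTestForest    = 'devtest.example'   # placeholder
    )
    Add-Type -AssemblyName System.DirectoryServices
    $prodCred = Get-Credential -Message "Enterprise Admin in $ProductionForest"
    $devCred  = Get-Credential -Message "Enterprise Admin in $DevTestForest"
    $ctxType  = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest

    $prod = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest(
        (New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
            $ctxType, $ProductionForest, $prodCred.UserName,
            $prodCred.GetNetworkCredential().Password)))
    $dev = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest(
        (New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
            $ctxType, $DevTestForest, $devCred.UserName,
            $devCred.GetNetworkCredential().Password)))

    $prod.CreateTrustRelationship($dev,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

    # Selective authentication on the production side: Dev/Test principals can
    # authenticate to a production computer only where "Allowed to Authenticate"
    # has been granted on that computer object. SID filtering (quarantine) is on
    # by default for a new forest trust and should stay on.
    $prod.SetSelectiveAuthenticationStatus($DevTestForest, $true)
    return $prod.GetSelectiveAuthenticationStatus($DevTestForest)   # $true once applied
}

Get-DcPartitionScope | Format-Table -AutoSize
Get-ForestPartitions | Format-Table -AutoSize
```

The first two functions are read-only and safe to run against any DC you can reach; the third makes a forest-level change and needs Enterprise Admin credentials on both sides, so run it only after the Dev/Test forest root exists and the DNS conditional forwarders between the two forests resolve.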
Similar Messages

  • Active Directory: 2003 to 2012 R2 Upgrade across single forest with child domains

    I just have a quick question about something that should be simple. We will be upgrading our current domain from Windows 2003 functionality to Windows 2012 R2. This forest has a root domain and two child domains. I have two questions. Since we
    have to do this in a few steps in order to get up to 2012 functionality, I am wondering where it is considered best practice to start: in the root (top-level) domain of the forest or in one of the child domains? I want to say the root (top-level)
    domain is where I would place my first Windows 2012 R2 box and promote it to a domain controller, then move to the child domains once the root domain controllers have all been replaced with Server 2012.
    Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

    Yes. We are working with the client to migrate any dependencies off these 3 NT legacy domains. We will be able to decommission 2 of the 3 without any issues. However, they still have an old NT box running SQL 6.5 databases for an application
    still in production. Yes, they are very aware that NT isn't supported, that that version of SQL isn't supported, and that this will hold up their upgrade.
    Our plans for them will be to deploy all new Windows Server 2012 R2 domain controllers but keep the domain and the forest functionality at 2003 in order to support that final NT Legacy domain until they can get that application migrated.
    Once that NT domain is decommissioned then we can raise the functionality of the rest of their domains from 2003 to 2012 R2.
    Kristopher Turner | Not the brightest bulb but by far not the dimmest bulb.

  • Need help with process for installation of DNS when establishing a child domain in AD forest using Windows Server 2012

    Additional guidance is needed regarding the process for configuring DNS and for configuring the server network settings (IPv4 properties) when installing a child domain. For example, when installing the root domain, it is recommended to install DNS when installing
    AD on the forest root. This ensures the proper records are added to DNS for the forest during DC promo. However, when installing the child domain, I'm unsure whether a child-domain-hosted DNS needs to be pre-installed prior to the child domain install and dcpromo
    or included in the child domain install.
    Second, there is conflicting guidance as to how to set the IPv4 properties of the network interface when installing child-domain DNS. Should the primary DNS address be 127.0.0.1 or the address of the root domain DNS? Or both?
    Thanks


  • Forest Root non-accessible\Child Domain still accessible. Can I recreate Forest Root and create Trust to current Child Domain?

    Hi,
    The 2 DCs for our forest root took a hit and are non-accessible; however, the child domain is still accessible. Can I recreate the forest root from scratch and trust/link it to the current child domain? So I'm looking for my options to keep an accessible
    child domain but recreate a new forest root, because the current one is inaccessible.
    Thanks for your help! SdeDot

    Hi,
    Would you please tell us what you mean by non-accessible?
    Are you able to log onto any of the two DCs in the forest root domain? If yes, we can use dcdiag.exe to analyze the state of the dc in the forest root domain.
    If you have any system state backup of the DCs in the root domain, please restore the DC from backup.
    Best Regards,
    Erin

  • Forest root domain displayed as network label, rather than child domain

    Following on from this post (which I stupidly contributed to without realising it's a gazillion years old):
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/44cab27b-e2ef-4496-bfa7-add7ac014401/server-2008-and-windows-7-detect-their-domain-incorrectly-why?forum=winserverPN&prof=required
    I run a DMZ child domain which is pretty tightly locked down, and the display name when you hover over the NIC shows the network as the forest root domain. None of the answers in the above thread state clearly why this should be the case, and a vague response
    from support saying that 'Product Group' (which one?!) had been asked for feedback was never followed up on.
    Since I can't open LDAP directly between my DMZ machines and the forest root PDC, and therefore can't even generate a profile to copy into a registry key & deploy either by GPO or batch file, I'm SOL finding a solution to this - but would at least like
    a viable explanation for the behaviour, as opposed to 'it's by design'

    Can I ask if something is not working correctly because of this?  The display of the connected network does not affect communication or how DNS will resolve.  Are you chasing this down because you don't like the display, or is there an outage?
    Thanks!
    - Chris Ream -
    **Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.**

  • Problems with Centralized No Delegation DNS with forest wide replication in a Parent-Child domain

    Hi,
    I have a parent domain "parent" with a child domain "child" as shown below. There are no delegations and DNS replication is set to forest wide DNS replication for both the child and parent zone. I've read that forest wide replication
    in this scenario is not recommended, but no one explains why.
    Also, running "dcdiag /test:dns" produces the warning below (expected as child is not a DNS zone)
     (test:basic (Basc))
    Warning: The Active Directory zone on this DC/DNS server was not found (probably a misconfiguration)
    I'm looking at upgrading the domain, then forest functional level to 2008, but want to ensure that this DNS config doesn't cause any issues.
    Hoping someone can advise.
    The only thing I've noticed is that some SRV records for DCs are not up to date when viewed from other DCs (dns diagnostics and event logs report OK) and all else seems OK.
    Thanks
    IT Support/Everything

    Hey Aetius2012, So I am a little confused
    What is the current domain/forest functional level?
    Normally I would expect to see three DNS forward lookup zones in a 2-domain (parent/child) environment,
    or 2 zones if the domain/forest level is 2000/2003 and the _msdcs zone has not been moved to its own forward lookup zone - see image below.
    In your environment I would expect to see 3 zones (_msdcs.parent.com, parent.com, child.parent.com) on every domain controller because all zones are replicated forest-wide.
    I would also expect to see 2 delegation records under parent.com, for _msdcs and child.
    I know you stated there were no delegations, and would like to understand better what you mean by that. Not saying that anything is configured wrong, just trying to get clarification on your environment to give you the best answer from the community as possible.
    Thanks
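The checks the reply asks for, written as an added PowerShell example for this page (not code from either participant): which AD-integrated zones each DC hosts and into which partition they replicate, what delegations exist under the parent zone, and a comparison of the DC locator SRV records as answered by each DC, which is the stale-SRV symptom the original poster mentions. It assumes the DnsServer and DnsClient modules (Windows Server 2012 or later, or RSAT) and uses the thread's parent.com / child.parent.com names with placeholder DC names.

```powershell
# Added example for this page (not from the thread). Needs the DnsServer and
# DnsClient modules (Windows Server 2012 or later / RSAT). DC and zone names
# are the thread's placeholders.
Import-Module DnsServer

$dcs = 'dc1.parent.com', 'dc1.child.parent.com'   # placeholder DC/DNS servers

# 1. Which AD-integrated zones each DC hosts, and into which partition they are
#    replicated. With forest-wide replication every DC should list all three:
#    _msdcs.parent.com, parent.com and child.parent.com.
function Get-AdZoneInventory {
    param([string[]]$Servers = $dcs)
    foreach ($dc in $Servers) {
        Get-DnsServerZone -ComputerName $dc |
            Where-Object { $_.IsDsIntegrated } |
            ForEach-Object {
                [pscustomobject]@{
                    Server           = $dc
                    Zone             = $_.ZoneName
                    ReplicationScope = $_.ReplicationScope   # Forest, Domain, Legacy or Custom
                    Partition        = $_.DirectoryPartitionName
                }
            }
    }
}

# 2. Delegations under the parent zone (the reply expects _msdcs and child).
function Get-ParentDelegations {
    param([string]$Zone = 'parent.com', [string]$Server = 'dc1.parent.com')
    Get-DnsServerZoneDelegation -Name $Zone -ComputerName $Server |
        ForEach-Object {
            [pscustomobject]@{
                Delegation  = $_.ChildZoneName
                NameServers = ($_.NameServer | ForEach-Object { $_.RecordData.NameServer }) -join ', '
            }
        }
}

# 3. The stale-SRV symptom: ask each DC for the DC locator SRV records and
#    report any target that some servers return and others do not.
function Compare-DcLocatorSrv {
    param([string[]]$Servers = $dcs, [string]$Forest = 'parent.com')
    $name = "_ldap._tcp.dc._msdcs.$Forest"
    $seen = foreach ($dc in $Servers) {
        Resolve-DnsName -Name $name -Type SRV -Server $dc -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { [pscustomobject]@{ Server = $dc; Target = $_.NameTarget } }
    }
    $seen | Group-Object Target |
        Where-Object { $_.Count -ne $Servers.Count } |
        ForEach-Object {
            '{0} is answered only by: {1}' -f $_.Name, ($_.Group.Server -join ', ')
        }
}

Get-AdZoneInventory  | Format-Table -AutoSize
Get-ParentDelegations | Format-Table -AutoSize
Compare-DcLocatorSrv
```

If Compare-DcLocatorSrv prints anything, the zone data differs between DCs even though replication reports healthy; that is the case to chase before raising the functional level, since the 2008 upgrade does not itself repair zone content.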

  • Migrate Users from a child domain to a root domain in different forest

    Hello,
    Is it supported to migrate users from a child source domain to a target root domain?
    I established a trust, but I don't see the child domain in ADMT installed on the target domain DC. The source root domain is visible.

    You should not need to establish a trust, as all domains within the same forest already trust each other - are you sure those domains belong to the same forest? You can find out using the following command:
    nltest /DOMAIN_TRUSTS
    If ADMT doesn't show a particular domain in the dropdown list, you can/have to type the domain name manually.
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog
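As an added example for this page (not code from the answer or from the Enfo blog), here is the same check done from PowerShell: a function that decides whether two domains share a forest, a summary of the trust objects a domain holds, and a small parser for the nltest /DOMAIN_TRUSTS output the answer recommends, tried against a constructed excerpt so it can be run offline. It assumes the RSAT ActiveDirectory module; all domain names are placeholders.

```powershell
# Added example for this page, not from the thread. Needs the RSAT
# ActiveDirectory module. Domain names are placeholders; run from a machine
# that can reach a DC of each domain you name.
Import-Module ActiveDirectory

# Two domains belong to the same forest when the forest that owns the first
# one lists the second in its Domains collection. No trust needs to be created
# in that case: intra-forest trusts are automatic and transitive.
function Test-SameForest {
    param(
        [Parameter(Mandatory)][string]$DomainA,   # e.g. 'child.source.example'
        [Parameter(Mandatory)][string]$DomainB    # e.g. 'target.example'
    )
    $forestOfA = Get-ADForest -Identity (Get-ADDomain -Identity $DomainA).Forest
    # -contains on strings is case-insensitive in PowerShell
    return [bool]($forestOfA.Domains -contains $DomainB)
}

# Every trust object a given domain holds, with the attributes that decide
# whether a foreign domain's users can authenticate or be migrated here.
function Get-TrustSummary {
    param([Parameter(Mandatory)][string]$Domain)
    Get-ADTrust -Filter * -Server $Domain |
        Select-Object Name, Direction, IntraForest, ForestTransitive,
                      SelectiveAuthentication, SIDFilteringQuarantined, TrustType
}

# The same information as "nltest /DOMAIN_TRUSTS" prints, parsed into objects.
# Lines look like "   0: CHILD child.corp.example (NT 5) (Forest: 1) (Direct Outbound) ...".
function Get-NltestTrusts {
    param([string[]]$Lines = (nltest /DOMAIN_TRUSTS))
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\d+):\s+(\S+)\s+(\S+)\s+(.*)$') {
            [pscustomobject]@{
                Index    = [int]$Matches[1]
                NetBIOS  = $Matches[2]
                DnsName  = $Matches[3]
                InForest = [bool]($Matches[4] -match '\(Forest')   # "(Forest: n)" or "(Forest Tree Root)"
                Flags    = $Matches[4].Trim()
            }
        }
    }
}

# Usage with a constructed nltest excerpt (sample data, not a real capture):
$sample = @(
    'List of domain trusts:',
    '    0: CHILD child.corp.example (NT 5) (Forest: 1) (Direct Outbound) (Direct Inbound) ( Attr: 0x20 )',
    '    1: CORP corp.example (NT 5) (Forest Tree Root) (Primary Domain) (Native)',
    '    2: PARTNER partner.example (NT 5) (Direct Outbound) ( Attr: 0x8 )',
    'The command completed successfully'
)
Get-NltestTrusts -Lines $sample | Format-Table Index, NetBIOS, DnsName, InForest -AutoSize
```

Against the sample, CHILD and CORP come back with InForest set and PARTNER without it, which is the distinction the answer is after: an entry that is in the forest needs no trust for ADMT, while one that is not needs the existing external or forest trust to be listed by Get-TrustSummary with the direction the migration requires.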

  • Migrating 2 domains into child domains in a new forest

    I have a unique scenario in which my company merged with another.
    My Company:
    Windows 2003 AD
    Exchange 2003 SP3
    192.x.x.x
    New Company
    Windows 2008 AD
    Exchange 2010
    10.x.x.x
    Each domain has its own resources, servers and workstations. For political reasons we still need some management separation.
    My Goals:
    Create a new root neutral forest/domain. 
    Migrate both domains to 2 child domains under this new root
    Bring the domain to 2012 R2
    Create a single Exchange 2010/2013 cluster with all mailboxes
    What is the best way to accomplish this? Where exactly does Exchange sit?
    Thanks!

    Hi,
    >>What is the best way to accomplish this?
    In Active Directory, we can use ADMT to do the migration. However, if we need an inter-forest migration from Domain Controller 2003 to Domain Controller 2012, at this time MS
    does not have an ADMT for Windows Server 2012. We can downgrade our forest and domain functional level to Windows Server 2008 R2, add an additional Domain Controller 2008 R2 and use ADMT 3.2 for the migration. After the migration is completed, we can demote the Domain Controller
    2008 R2 and raise the FFL & DFL to Windows Server 2012 again.
    Regarding specific procedures for performing the migration, the following article can be referred to as reference.
    Interforest Migration with ADMT 3.2 - Part 1
    http://social.technet.microsoft.com/wiki/contents/articles/11996.interforest-migration-with-admt-3-2-part-1.aspx
    Interforest Migration with ADMT 3.2 - Part 2
    http://social.technet.microsoft.com/wiki/contents/articles/16208.interforest-migration-with-admt-3-2-part-2.aspx
    Interforest Migration with ADMT 3.2 - Part 3
    http://social.technet.microsoft.com/wiki/contents/articles/16621.interforest-migration-with-admt-3-2-part-3.aspx
    >>Where exactly does Exchange sit?
    For mailbox migration, in order to get better help, we can ask for suggestions in the following exchange forum.
    Exchange Server 2013- Setup, Deployment, Updates, and Migration
    http://social.technet.microsoft.com/Forums/exchange/en-US/home?forum=exchangesvrdeploy
    Best regards,
    Frank Shen

  • Traffic between AD DCs in child domain and AD DCs in other forest

    Hello, fellows.
    I feel really stupid: I cannot find a definitive answer to a very simple question. Let's say there is one forest (F1) with two domains: a forest root (F1-RDOMAIN) and a child domain (F1-CDOMAIN), single tree. There is another forest (F2) with only a single domain,
    F2-RDOMAIN. If I set up a two-way transitive forest trust between the F1 and F2 forests, I know that some firewall ports must be open to allow communication between DCs in F1-RDOMAIN and F2-RDOMAIN. However, what I cannot say for sure is whether there will be any traffic
    between F1-CDOMAIN and F2-RDOMAIN! Do I need to open the firewall ports between them as well? Let's assume that DNS servers in F1-CDOMAIN forward requests to DNS servers in F1-RDOMAIN, and all domains have GCs.
    Could someone refer me to an MS KB or something else that says "...all DCs must communicate with each other" or "only DCs in the forest root domains", please?
    Many thanks in advance,
    Rustam.

    You do not need to open direct communication between F1-CDOMAIN-DC and F2-RDOMAIN-DC, but workstations located in F1-CDOMAIN must be allowed to communicate with a DC in F2-RDOMAIN if they are going to access resources that reside in F2-RDOMAIN. Take a look at this description of the authentication process for more info.
    Gleb.

  • Separating a child domain from a forest/parent domain

    Our infrastructure is currently as follows:
    There are two domains which I will call "apple.local" and "banana.local". The domain "apple.local" is the parent/forest which is at a Windows 2003 Functional Level. The domain "banana.local" is a child domain of "apple.local"
    which is at a Windows 2008 Functional Level. This unusual arrangement was the result of a merger.
    Recent business changes have meant that the domain "banana.local" needs to become the forest and "apple.local" needs to be permanently retired. I have been searching as to whether this is possible but the general consensus is "no".
    However, many of the discussions are several years old and I am interested in whether anything has changed with recent updates.
    As an added "bonus", a single Exchange 2010 SP3 server is present and - just to complicate things further - is a member of the child domain "banana.local". Mailboxes (shared and user) and DGs from both domains are present. Access to shared
    mailboxes is granted using a mixture of users and security groups from both domains.
    Is the best way forward to simply create a new domain on a fresh server? What would be the most straight-forward solution with minimal impact to the users and - in particular - the Exchange platform?
    I am in a position to purchase new servers, software and licenses as required to meet the ultimate goal and - within reason - additional expenditure is not an obstacle. We also have the option to create new IP ranges if required.
    Any ideas and/or suggestions welcomed!

    Is the best way forward to simply create a new domain on a fresh server? What would be the most straight-forward solution with minimal impact to the users and - in particular - the Exchange platform?
    It is not possible to detach a child domain from its parent. One of the things you can do is to create your new domain, establish trusts between them, and migrate resources from the old domain to the new domain. Note that computer account migration will take some
    time. For the Exchange part you can ask in the Exchange forums, but one thing you can do is a cross-forest mailbox move after you set up the new forest.
    Exchange 2010 Cross-Forest Mailbox Moves
    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

  • Enter the forest and it locks me out of entering the domain controller or any child domains

    Using Windows Server 2008 R2 SP1, no matter whether I use the Graphical User Interface (GUI) or the Answer Method to enter the forest, it locks me out of entering the domain controller or any child domains.
    Is there a remedy to this?

    Hi Philo,
    Would you please tell us how you tried to enter the forest?
    Are you able to run dcpromo to add domain controllers or create a child domain?
    Best Regards,
    Amy

  • Bidirectional forest trust does not list child domains

    Hi all,
    we have this setup
    DomainA-ForestA <--------> Forest B-DomainB
    A bidirectional forest trust between ForestA and ForestB with domain-wide authentication. ForestA includes a domain DomainA and ForestB includes a domain DomainB. We're trying to authenticate via NTLM from a machine under DomainA to a resource under DomainB
    by contacting a PDC in ForestA without success.
    If we query a DC in DomainA for the trusts, we see that ForestB is listed, but ForestB.DomainB is not.
    What could be the cause?
    Thanks in advance

    Hello Frank,
    We're using NTLM because the customer wants it that way. The relevant part of the environment is:
    domainA(root) under forestA
    domainA1 under domainA (root) under forestB
    domainB under forestB
    Bidirectional forest trust. I do not know about transitivity. There are many other domains and forests which we do not care about in this instance.
    We're using a Java library (JESPA) to query a PDC emulator in domainA for the trusts. A non-complete edited sample output is:
    forestA={domain.netbios.name=forestA, domain.flags=0x0000001D, domain.trust.attributes=0x00000000, domain.dns.name=some.domain, domain.trust.type=2, objectGUID=, objectSid=},
    forestB={domain.netbios.name=forestB, domain.flags=0x00000022, domain.trust.attributes=0x00000008, domain.dns.name=forestB.domain, domain.trust.type=2, objectGUID=, objectSid=},
    forestA.domainA={domain.netbios.name=forestA.domainA, domain.flags=0x0000001D, domain.trust.attributes=0x00000000, domain.dns.name=forestA.domainA, domain.trust.type=2, objectGUID=, objectSid=},
    forestB.domainB={domain.netbios.name=forestB.domainB, domain.flags=0x00000022, domain.trust.attributes=0x00000008, domain.dns.name=forestB.domainB, domain.trust.type=2, objectGUID=, objectSid=},
    forestB.domainA={domain.netbios.name=forestB, domain.flags=0x00000022, domain.trust.attributes=0x00000008, domain.dns.name=forestB.domain, domain.trust.type=2, objectGUID=, objectSid=},
    ~={domain.netbios.name=forestA, domain.flags=0x0000001D, domain.trust.attributes=0x00000000, domain.dns.name=forestA.domainA, domain.trust.type=2, objectGUID=, objectSid=}
    In the full sample there are many other domains not interesting in this scenario. You can see that forestB.domainA is listed as well as forestB.domainB but forestB.domainA1 is not. 
    We know this is not a library issue - and have already checked internally and with the library's vendor support - rather it's either a trust setup issue or PDC/DC configuration issue but do not know where the problem resides and how to solve it or work around
    it.
    In detail, the library we're using "sometimes may need to canonicalize a domain name (convert the NetBIOS name to the DNS name or visa versa). Unfortunately it is not uncommon for one or both names to be missing from trust information of foreign domains
    retrieved through the local NETLOGON service. This seems to be particularly true of older networks where Windows NT domains were migrated and merged into an AD forest over time."
    Although there's a workaround from the library side, it's not scalable enough to cover the entire network as we would need in the future.
    Do you have any inputs? Is this solution from the thread you linked the only way to add that missing information?
    You have to create a shortcut trust to view the child domain. For more information about shortcut trusts, please refer to the article below.
    Since this is a production environment we would like to limit the impacts as much as possible.
    Thank you again
    Best regards

  • Converting a Domain in an other forest to a child domain in another forest!!

    Hi All,
    I was wondering if there is any possibility to convert a domain to a child domain?
    I'm aware of ADMT and I have used it before. I want to know if there is any trick for managing the name resolution with internal and published web applications?
    **************** Sincerely Yours Ziyaei Ali *****************

    I Was wondering if there is any possibility to convert a domain to a child domain?
    No.
    Imagine there are 2 servers published throughout the internet (actually a lot more); these servers host web applications. Both internal users and external users are using the web applications. Obviously the internal users are using the private IP and
    the external users are browsing through the public IP (all done by name resolution through internal and external DNS servers).
    Now, in these web applications there are some hyperlinks which forward the client to the other server by FQDN.
    I do not see a problem with that. If your internal domain name is the same as your external domain name, then simply maintain a split-DNS setup properly. You can manage the DNS resolution internally for internal users and make them point to private or public
    IP addresses to access your resources depending on your needs. I do not see a problem with that and I do not see why you would want to make major changes to avoid it.
    If for some reasons you would like to rename your domain then you can consider reading that: https://technet.microsoft.com/en-us/library/cc738208%28v=ws.10%29.aspx
    This posting is provided AS IS with no warranties or guarantees, and confers no rights.
    Ahmed MALEK

  • Why can the users in one child domain logon to computers in a different child domain in Server 2012 R2?

    I have set up a test system. It has a domain with 2 child domains. DomainA.xyz.com has users and workstations. DomainB.xyz.com is a resource domain and has servers. xyz.com is for IT administration.
    Users in DomainA can log on to the DomainB computers. I searched to find out why it was so. I found an "NT AUTHORITY\INTERACTIVE" entry in the local Users group that enables this.
    This is rather confusing. 1. When a user enters his credentials, he is not logged on and therefore would not be "INTERACTIVE" at that time. 2. If everybody that signs on to a computer is interactive, then does that mean
    everyone in the forest can sign on?
    So my issue is: can I delete the "INTERACTIVE" entry in the local Users group and not cause any problems? I want to protect the resource domain from users signing on to its computers, while giving them access to the resources they need.

    Hi,
    The Interactive group includes all users that have logged on locally.
    In addition, it is not recommended to remove the Interactive group from the local Users group since it would cause all kinds of problems. For more detailed information, please refer to the similar thread and link below:
    Interactive group
    Staring at a blank desktop, due to Interactive missing from Users group
    Best regards,
    Susie
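As an added example for this page (not code from the thread), the PowerShell below shows what to inspect instead of editing the local Users group: the group's current members, and the two user rights that actually gate console logons on a member server, SeInteractiveLogonRight ("Allow log on locally") and SeDenyInteractiveLogonRight ("Deny log on locally"). Those rights are what a resource-domain policy should narrow to an authorised group; INTERACTIVE stays in Users. The functions are read-only, need an elevated prompt for the secedit export, and use net localgroup rather than Get-LocalGroupMember so they also work on Server 2012 R2, the version in the question.

```powershell
# Added example for this page, not from the thread. Inspection only: the
# change itself belongs in a GPO (User Rights Assignment) linked to the
# resource domain's server OU. Run from an elevated prompt on the server.

function Get-LocalUsersGroupMembers {
    # 'net localgroup' exists on every supported Windows version; its output has
    # a header, a dashed separator, the members, then a completion line.
    $out = @(net localgroup Users)
    $sep = 0
    for ($i = 0; $i -lt $out.Count; $i++) { if ($out[$i] -like '----*') { $sep = $i; break } }
    $out[($sep + 1)..($out.Count - 1)] |
        Where-Object { $_ -and $_ -notlike 'The command completed*' } |
        ForEach-Object { $_.Trim() }
}

function Get-InteractiveLogonRights {
    # Export the effective local security policy and read the two rights that
    # gate local (console) logons. secedit writes "Right = *SID,*SID,..." lines.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    Remove-Item $cfg -Force
    foreach ($right in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
        $line = $lines | Where-Object { $_ -like "$right*" } | Select-Object -First 1
        $entries = if ($line) { ($line -split '=', 2)[1].Trim() -split ',' } else { @() }
        $names = foreach ($e in $entries) {
            $s = $e.Trim().TrimStart('*')
            if (-not $s) { continue }
            # Translate SIDs to names where possible; keep the raw value otherwise.
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($s)).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $s }
        }
        [pscustomobject]@{ Right = $right; Principals = ($names -join ', ') }
    }
}

# Usage: the typical member-server default is Users (which contains INTERACTIVE)
# holding SeInteractiveLogonRight. Narrowing that right to e.g. a
# DOMAINB\ServerLogonUsers group (placeholder name) is what stops DomainA users
# from logging on, without touching the local Users group.
'Local Users group members:'
Get-LocalUsersGroupMembers
'Interactive logon rights:'
Get-InteractiveLogonRights | Format-Table -AutoSize
```

Note that removing INTERACTIVE from Users, which the answer advises against, would not even achieve the goal: a principal holding "Allow log on locally" through another group can still log on, and a DomainA user granted the right through a GPO would still reach the server. The rights assignment is the control; the group membership is not.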

  • Exchange 2013 sp1 smtp NTLM auth for child domain users

    I have an Exchange organization with Exchange 2007 SP3 & Exchange 2013 SP1.
    All users are on the Exchange 2013 server (mail flow is through the Exchange 2013 server).
    I have a single forest, 2 sites (site1, site2), root domain root.local and 1 child domain ch.root.local.
    The DC for the child domain is located in site2 (dc.ch.root.local).
    The multirole Exchange 2013 server is installed in the root domain.
    I am trying to configure an SMTP receive connector with NTLM auth and have one problem.
    When a user in the child domain tries to send email through this receive connector I see in the log:
    <,AUTH NTLM,
    >,334 <authentication response>,
    *,SMTPSubmit SMTPAcceptAnyRecipient BypassAntiSpam AcceptRoutingHeaders,Set Session Permissions
    *,CH\user1,authenticated
    *,,Setting up client proxy session failed with error: 535 5.7.3 Unable to proxy authenticated session because either the backend does not support it or failed to resolve the user
    *,,"Setting up client proxy session failed with error: 451 4.4.0 Primary target IP address responded with: ""535 5.7.3 Unable to proxy authenticated session because either
    the backend does not support it or failed to resolve the user."" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 192.168.1.15:465"
    But authentication is successful for users from the root domain.
    Why can this be?
    Thanks.

    Thanks for the link.
    In the SMTP receive logs (Hub Transport role) I've found the following:
    Client Proxy EXMAIL2013,08D134DAF6CE1C51,49,192.168.1.15:465,
    *,NT AUTHORITY\SYSTEM,authenticated
    >,235 <authentication response>,
    <,XPROXY SID=08D130D354F520D1 IP=192.168.1.21 PORT=57085 DOMAIN=[192.168.1.21] CAPABILITIES=0 SECID=Uy0xxx...
    *,,Error while looking up SamAccountName chuser: The user name or password is incorrect.\r\n
    *,None,Set Session Permissions
    >,250 XProxy accepted but user identity could not be obtained,
