Parent/Child Domain

I have a parent/child domain structure. The parent domain consists of domain controllers in three different locations (HO1, HO2, HO3). I have set Sites and Services up so that each remote VPN site (Child domain) has a site link to HO1 and HO2 only. When
I attempt to ping the parent domain name from a site server it sometimes resolves to HO3 and times out as there isn't an active VPN tunnel between the 2. My question is why would HO3 be replying when it doesn't have a site link to the remote site and in turn
how can I stop that from being the domain controller that replies?
Thanks for any advice
Chris

Hi,
To add, Mr. Ace has a good blog post regarding sites and site links; see if it helps here:
AD Site Design and Auto Site Link Bridging, or Bridge All Site Links (BASL)
http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/
Best regards
Michael
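A check for the question at the top of this page, added here as an example (it is not part of Chris's post or Michael's reply). Site links and site coverage only shape the site-specific SRV records; the plain A records at the domain apex ("same as parent folder") are registered by every DC through the DC locator mnemonic LdapIpAddress and carry no site information, so a client that resolves the bare domain name gets the whole set round-robin, HO3 included. The script lists those records, maps them to DCs and sites, and takes one DC out of the set. The domain name, DC host name and IP address are placeholders; you need the RSAT AD and DNS Server modules.

```powershell
# Added example (not from the thread). Shows which DCs answer for the bare
# domain name and how to stop one DC from registering the apex A records.
# Names and addresses are assumptions standing in for the poster's environment.
Import-Module ActiveDirectory
Import-Module DnsServer          # RSAT DNS Server tools, run on or against a DC
$domain = 'parent.example.com'   # assumption: the parent domain's DNS name
$dc3    = 'HO3-DC01'             # assumption: host name of the DC at site HO3
$ho3Ip  = '10.3.0.10'            # assumption: that DC's address

# 1. The apex A records: one per DC, no site information, so "ping parent.example.com"
#    can pick any of them regardless of site links.
Resolve-DnsName -Name $domain -Type A |
    Select-Object Name, IPAddress

# 2. Map those addresses back to DCs and the AD site each DC sits in.
Get-ADDomainController -Filter * -Server $domain |
    Select-Object HostName, IPv4Address, Site

# 3. Stop the HO3 DC from registering the apex A records. The multi-string
#    value DnsAvoidRegisterRecords lists the mnemonics Netlogon must skip; the
#    same setting exists as the Group Policy
#    "DC Locator DNS records not registered by the DCs".
Invoke-Command -ComputerName $dc3 -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $key -Name DnsAvoidRegisterRecords `
        -Value @('LdapIpAddress') -Type MultiString
    Restart-Service Netlogon
}

# 4. If HO3's apex record is still there after the Netlogon restart, remove it
#    by hand and confirm the remaining set.
Get-DnsServerResourceRecord -ZoneName $domain -Name '@' -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $ho3Ip } |
    Remove-DnsServerResourceRecord -ZoneName $domain -Force
Resolve-DnsName -Name $domain -Type A | Select-Object IPAddress
```

HO3 keeps all of its other locator records, so clients in its own site still find it; only lookups of the bare domain name (and therefore \\parent.example.com\SYSVOL-style paths from sites without a tunnel to HO3) stop landing on it. Leave LdapIpAddress registered on at least the DCs every site can reach.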

Similar Messages

  • User Folders in a Parent / Child Domain Structure

    Hi,
    I have a forest setup with a parent and 3 child domains.
    We have a DFS share setup for home folders.
    I used Group Policy to create the User's share folders, map the drive, and setup folder redirection.
    Each user has a separate ID for each domain.
    The desire is for each user to be able to use the same \\parent.com\home\%logonuser% share path from each domain in order to access files from any domain, and have privacy from other users doing so.
    The problem I have is, after "child1\JohnD" signs into a workstation on domain CHILD1.com, his folder is created at "\\parent.com\home\JohnD" and mapped.
    But if child2\JohnD then signs into domain CHILD2.com, he does not have permissions to map the drive.
    I realize why, but I'm wondering if anyone can think of a way to change this setup so that parent\JohnD, and child1\2\3\JohnD, all have rights to map and use the same Home Folder.
    Having domain specific home folders has been shot down.
    Giving all shares EVERYONE access has been shot down.
    Open to other suggestions.
    Thanks!
    -Matt
    There's no place like 127.0.0.1

    You might want to try creating a script that will grant the required rights to both user accounts using Powershell: http://blogs.technet.com/b/heyscriptingguy/archive/2014/11/22/weekend-scripter-use-powershell-to-get-add-and-remove-ntfs-permissions.aspx
    Once you create the script, you can schedule it using Task Scheduler.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
    Interesting.  I've been playing with this module off and on today.  From what I can tell, this would have to be scripted to some sort of function like this:
    dir \\parent.com\dfshome | Get-NTFSAccess
    For each dir in "\\parent.com\dfshome", set $folder
    For each $folder where account = "childx\User", set $User
    For each $User, Add-NTFSAccess: child1\$user, child2\$user, and child3\$user
    (head scratch)
    I'll give it some more thought. :)
    Thanks!
    There's no place like 127.0.0.1
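An added example for the home-folder thread above; it is neither Matt's sketch nor the script from Ahmed's link, and it uses the built-in Get-Acl/Set-Acl cmdlets rather than the NTFSSecurity module. For every folder under the DFS home root it grants Modify to the same-named account in each domain, skips accounts that cannot be resolved through the trust, and does nothing when the ACE is already present, so it can run repeatedly from Task Scheduler. The DFS path and the NetBIOS domain names are assumptions.

```powershell
# Added example, not the poster's script. Grants the matching account in each
# domain Modify on the user's home folder under the DFS root. Path and domain
# names are assumptions; run it as an account that may change these ACLs.
$root    = '\\parent.com\home'                      # DFS home-folder root from the thread
$domains = 'PARENT', 'CHILD1', 'CHILD2', 'CHILD3'   # assumption: NetBIOS names of the four domains

function Grant-HomeFolderAccess {
    param([string]$Folder, [string]$User, [string[]]$Domains)
    $acl   = Get-Acl -Path $Folder
    $added = @()
    foreach ($d in $Domains) {
        $name    = "$d\$User"
        $account = [System.Security.Principal.NTAccount]$name
        # Skip identities that do not exist or cannot be resolved through the
        # trust; Translate throws instead of silently writing a bogus entry.
        try { $null = $account.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { Write-Warning "cannot resolve $name, skipping"; continue }

        # Idempotent: leave folders alone that already carry an Allow ACE.
        $present = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $name -and $_.AccessControlType -eq 'Allow'
        }
        if ($present) { continue }

        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        $added += $name
    }
    if ($added) { Set-Acl -Path $Folder -AclObject $acl }
    return $added
}

# Each folder under the root is named after %LogonUser%, so the folder name is
# the sAMAccountName shared by that person's accounts in all four domains.
Get-ChildItem -Path $root -Directory | ForEach-Object {
    $granted = Grant-HomeFolderAccess -Folder $_.FullName -User $_.Name -Domains $domains
    '{0,-12} granted to: {1}' -f $_.Name, ($granted -join ', ')
}
```

The scheme rests on the assumption in the thread that a sAMAccountName identifies the same person in every domain: if CHILD2\JohnD is a different person from CHILD1\JohnD, this grants them each other's folder. Privacy from everyone else is kept because no group or EVERYONE entry is added.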

  • Parent child domain best practice

    Currently we have multiple locations; each location has its own AD and DNS, and they are not connected to each other.
    Mostly the users at these locations do not log in to or access resources of the other locations. The few users who need to log in to or access resources at multiple locations have one account per location. This was fine while we had very few users who
    needed multiple accounts, but now that their number is growing it is creating problems for many of the users.
    We are planning to redo our AD infrastructure by installing new ADs on Windows 2012 R2 servers. We would like to set up one parent domain and multiple child domains (one per location).
    Users created in the parent domain should be able to log in to and access resources at each location, whereas users of a child domain should only be able to log in to and access resources at their location.
    Can someone please recommend a best way to do this?
    SKR

    if you are planning on redoing your AD infra, do not create additional AD domains, but rather CONSOLIDATE what you already have into one AD forest with one AD domain. Create OUs to manage objects differently or allow different teams to have their own delegation,
    and create AD sites/subnets to optimize replication and authentication.
    To consolidate AD domains see:
    http://jorgequestforknowledge.wordpress.com/2006/12/27/migrating-stuff-with-admtv3/
    http://jorgequestforknowledge.wordpress.com/2014/06/19/microsoft-released-an-admt-version-to-also-support-w2k12r2/
    Cheers,
    Jorge de Almeida Pinto
    Principal Consultant | MVP Directory Services | IAM Technologies
    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

  • Problems with Centralized No Delegation DNS with forest wide replication in a Parent-Child domain

    Hi,
    I have a parent domain "parent" with a child domain "child" as shown below. There are no delegations and DNS replication is set to forest wide DNS replication for both the child and parent zone. I've read that forest wide replication
    in this scenario is not recommended, but no one explains why.
    Also, running "dcdiag /test:dns" produces the warning below (expected as child is not a DNS zone)
     (test:basic (Basc))
    Warning: The Active Directory zone on this DC/DNS server was not found (probably a misconfiguration)
    I'm looking at upgrading the domain, then forest functional level to 2008, but want to ensure that this DNS config doesn't cause any issues.
    Hoping someone can advise.
    The only thing I've noticed is that some SRV records for DCs are not up to date when viewed from other DCs (dns diagnostics and event logs report OK) and all else seems OK.
    Thanks
    IT Support/Everything

    Hey Aetius2012, So I am a little confused
    What is the current domain/forest functional level?
    Normally I would expect to see three dns forward lookup zones in a 2 domain (Parent/Child) environment
    2 zones if the domain/forest level is 2000/2003 where the _msdcs zone has not been moved to its own forward lookup zone - see image below
    In your environment I would expect to see 3 zones (_msdcs.parent.com, parent.com, child.parent.com) on every domain controller because all zones are replicated forest wide.
    I would also expect to see 2 delegation records under the parent.com for _msdcs and child
    I know you stated there was no delegations, and would like to understand better by what you mean. Not saying that anything is configured wrong just trying to get clarification on your environment to give you the best answer from the community as possible.
    Thanks

  • Question about creating child domains "before" parent

    Ok, this is most probably a noob question.
    My company (A.com), has a DNS zone in a linux server with records pointing to different web pages, example: radio.a.com, www.a.com, webmail.a.com, etc..
    For a specific service, I need an Active directory domain called: daas.A.com
    Thing is, I don't have an AD domain A.com in place. So my question is:
    Do I need to create an AD domain for A.com before creating the one that I need?
    If I don't, and I just create the daas.A.com as a new forest, will I be able to add an A.com domain in the future as parent?
    As per DNS records in the linux box, I guess I would only need a NS pointing to the DNS of the new domain, and an A record resolving that to an IP. or Something like that..
    Thanks!

    Yes, even if initially it is an empty root, otherwise the child domain will become the forest root.
    So the A.com domain will need to duplicate those records that Linux currently hosts otherwise AD clients will start having name resolution issues. If you just need to stand up AD for one application then I would go ahead and standup the empty root, add the
    child domain, install the service that needs AD and go from there. That is if you think at some point you will use the a.com domain.
    Active Directory will actually create 2 zones (A.com and _msdcs.A.com)
    Daas.A.com will have 1 dns zone daas.a.com and will also utilize the _msdcs.a.com
    I have been in environments that had both a Windows DNS server and a Linux DNS server; eventually, after enough duplication of records in both places and the pain points that caused, we retired the Linux DNS servers and just used the AD DNS servers
    (with the exception of the internet-facing DNS servers, which we kept on Linux), primarily for ease of administration and because AD and DNS are tightly coupled.
    Brad Held http://windorks.wordpress.com
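An added example that serves both the "no delegation, forest-wide replication" thread and the "child before parent" thread above; it is not from either poster. It shows, from one DC, the zones it holds and their replication scope (the three zones and two delegations the replies expect), the delegations present under the parent zone, and whether a child-domain DC can actually be located through DNS. Host and domain names are placeholders; it needs the RSAT DNS Server module.

```powershell
# Added example, not from the threads. Inventory of AD DNS zones, delegations
# and the child DC locator record, run against one DC. Names are assumptions.
Import-Module DnsServer
$dc     = 'dc1.parent.com'      # assumption: a DC/DNS server in the parent domain
$parent = 'parent.com'          # parent (forest root) zone
$child  = 'child.parent.com'    # child domain zone

# 1. Zones and where they replicate. With everything forest-wide a DC should
#    hold parent.com, _msdcs.parent.com and child.parent.com; a zone with
#    ReplicationScope Domain is only visible to DCs of its own domain.
Get-DnsServerZone -ComputerName $dc |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DirectoryPartitionName

# 2. Delegations at the parent zone: an NS record whose owner is not the apex.
#    _msdcs appears once that zone has been split out of parent.com; the child
#    delegation exists if promotion created it or someone added it by hand.
Get-DnsServerResourceRecord -ComputerName $dc -ZoneName $parent -RRType NS |
    Where-Object { $_.HostName -ne '@' } |
    Select-Object HostName, @{n = 'NameServer'; e = { $_.RecordData.NameServer }}

# 3. Can a client of this DC locate a child-domain DC? This SRV record must
#    resolve; "record not found" points at a missing delegation or at a
#    child zone this DC cannot see.
Resolve-DnsName -Server $dc -Type SRV -Name "_ldap._tcp.dc._msdcs.$child" |
    Select-Object Name, NameTarget, Port, Priority

# 4. If a DC's own SRV records look stale on other DCs, have it re-register
#    them (run on the affected DC) and then re-check step 3:
#   nltest /dsregdns
```

When no zone is delegated and the child zone is replicated forest-wide, step 3 works only because every DC holds the child zone locally; a DNS server outside the forest (the Linux box in the second thread) still needs an NS delegation for the child name and for _msdcs, plus glue A records for the DCs it points at, before clients using it can find the child domain.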

  • Added existing domain to the parent domain and now permission not inheriting on the child domain

    Hi Friends
    There was an existing domain, but we bought the company and made that domain a child domain of our domain. The problem is that users of the parent domain do not have access to the child domain; permissions are not inheriting from the parent domain to the child domain.
    For example, I created a user on the parent domain and I can't even log in to a machine in the other domain or access the resources that are on the child domain.

    Simply delegate the permissions you want to grant so that users from the root domain can have access to resources in the child domain.
    As an example, you make users from the parent domain login to computers from the child domain using
    Allow logon locally group policy: http://technet.microsoft.com/en-us/library/cc756809%28v=ws.10%29.aspx
    You can also make them able to RDP the computers if you add them to Remote Desktop Users
    group. This could be done by Restricted Groups Group Policy.
    So, for security reasons and depending on your current configuration, it is normal that users from the root domain might not have by default access to resources in the child domain. This could be fixed by doing the proper delegation.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Prevent Active Directory Parent Domain Admins from accessing Child Domain

    We want to prevent Parent domain administrators (or a similar profile?) from accessing and/or administering child domains. Is this possible, or do parent domain admins have irrevocable administrative access to any child domain?
    Asked another way, can a restricted profile be configured for administration of the parent domain that does not cross domain boundaries effectively isolating each domain's administrative needs?
    Thanks in advance for input and advice!
    Best regards.

    Sorry, I was replying again after I read your second paragraph. The parent domain is the Forest root. we have parentdomain.com
    parent.parentdomain.com
    child1.parentdomain.com
    child2.parentdomain.com
    child3.parentdomain.com
    We do not want the Domain Administrator for parentdomain.com to be able to administer, or preferably, even access the Child Domains.
    1.) Can we remove that user from "Enterprise Admin" role and assign a different role so that they can only administer parentdomain.com (effectively demoting that user)?
    2.) Promote a Child.parentdomain.com user to Enterprise Admin?
    Thanks sorry for the confusion.
    Ah ok.
    Yes, you can. The answer is basically the same: the group membership is what counts. So in the child domain, remove the Enterprise Admins group from the child domain admins groups, OR make sure the domain admins of the forest root are not members of the
    Enterprise Admins group; that way they are still only admins in the parent domain.
    It really only depends on group membership and on including those groups in the child domain. By default the enterprise group is included, for example, but nothing stops you from removing those groups.
    based on the group membership you can also deny them the ability to log on.
    the only thing you cannot prevent is the forest administrator account from doing something.
    One thing I would like to add though: any admin in the forest domain likely has the ability to still get access if he wants to force his way in.
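An added example for the thread above, not from either participant. Before and after editing the membership as the reply suggests, it is worth seeing exactly which principals from outside the child domain sit in that domain's Builtin\Administrators group; the script lists the members and flags every one whose SID was issued by another domain (forest-root Enterprise Admins end in -519, a Domain Admins group in -512). The domain name is a placeholder; removal is left as a commented dry run.

```powershell
# Added example, not from the thread. Lists members of a child domain's
# Builtin\Administrators and flags those issued by another domain in the
# forest. Domain name is an assumption.
Import-Module ActiveDirectory
$child    = 'child1.parentdomain.com'                  # assumption: domain to audit
$childSid = (Get-ADDomain -Server $child).DomainSID.Value

function Get-AdminMembers {
    param([string]$Domain, [string]$DomainSid)
    # S-1-5-32-544 is the well-known SID of Builtin\Administrators in every domain.
    $group = Get-ADGroup -Identity 'S-1-5-32-544' -Server $Domain -Properties member
    foreach ($dn in $group.member) {
        # Members from other domains are stored as foreign security principals;
        # their objectSid still carries the issuing domain's SID prefix.
        $obj    = Get-ADObject -Identity $dn -Server $Domain -Properties objectSid, objectClass
        $sid    = $obj.objectSid.Value
        $issuer = $sid -replace '-\d+$', ''
        [pscustomobject]@{
            Member  = $dn
            Sid     = $sid
            Class   = $obj.objectClass
            Foreign = ($issuer -ne $DomainSid)
        }
    }
}

$members = Get-AdminMembers -Domain $child -DomainSid $childSid
$members | Sort-Object Foreign -Descending | Format-Table -AutoSize

# Dry run: anything flagged Foreign is a principal from another domain with
# full control of this one. Uncomment the Remove line once you are sure.
$members | Where-Object Foreign | ForEach-Object {
    # Remove-ADGroupMember -Identity 'S-1-5-32-544' -Members $_.Member -Server $child -Confirm:$false
    "would remove: $($_.Member)"
}
```

This only changes who is granted access by membership. It does not turn the child domain into a security boundary: whoever administers the forest root still controls the configuration and schema partitions and the trust itself, which is the point of the last line in the reply above. The forest is the boundary; domains inside it are delegation units.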

  • Manage client in parent domain from child domain

    My site has a root domain (mydomain.net) and a parent domain (ent.mydomain.net).
    My primary SCCM site is installed in ent.mydomain.net and is managing all my clients.
    I have 4 DC's installed in mydomain.net that I would like to manage from my child domain (ent.mydomain.net).
    It is my understanding that if the schema has been extended in the parent domain, and I manually install the client on the DC, it should be able to be managed from the child domain.  
    I have installed the client in the parent, but it cannot find the site in the child (I have not extended the schema yet).  i know that the client will not be able to find the site until the system management container has been created and populated
    (does not currently exist).  I know that I can create the container, but how would it get populated with the correct site information.  
    If anyone has any experience with this kind of configuration, the help would be appreciated.
    Thanks

     i know that the client will not be able to find the site until the system management container has been created and populated (does not currently exist).  I know that I can create the container, but how would it get populated with the
    correct site information.  
    You could enable AD publishing to that domain, but site assignment is also a matter of site assignment boundary groups. You can also assign a client to a site manually though.
    Torsten Meringer | http://www.mssccmfaq.de

  • Time Sync from Child domain to Parent doamin

    The time in our child domain is now 2 minutes ahead of the parent domain. How do we sync the time, and with what command?

    Hi,
    By default, the PDC Emulator of the Forest Root Domain is considered as the best time source in an Active Directory forest. Other domain controllers
    in the Forest Root Domain use it for time synchronization while domain controllers in child domains use the PDC Emulator or any domain controller from parent domain for time synchronization. Member servers and Workstation use domain controllers in their domain
    for time synchronization. With this hierarchy, we can maintain a reliable time synchronization system that allows avoiding Kerberos failure issues in an Active Directory domain. This configuration is by default in an Active Directory forest and does not need
    to be changed.
    As mentioned by SH.Hashemi, we can run command
    w32tm /resync to resynchronize the clock as soon as possible, disregarding all accumulated error statistics.
    Regarding time synchronization in active directory, the following articles can be referred to for more information.
    Time Synchronization in Active Directory Forests
    https://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
    How the Windows Time Service Works
    http://technet.microsoft.com/en-us/library/cc773013(v=ws.10).aspx
    W32tm
    http://technet.microsoft.com/en-us/library/bb491016.aspx
    Best regards,
    Frank Shen
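An added example, not part of Frank's reply: it checks which source a child-domain DC is taking time from, measures its offset against the forest root PDC emulator, and forces the resync the reply mentions. Domain and host names are placeholders; it needs the RSAT AD module and w32tm.

```powershell
# Added example, not from the thread. Verifies and repairs the time hierarchy
# for one child-domain DC. Names are assumptions.
Import-Module ActiveDirectory
$forestRoot = 'parent.example.com'               # assumption: forest root domain
$childDc    = 'dc1.child.parent.example.com'     # assumption: a child-domain DC

# Top of the hierarchy: the forest root's PDC emulator.
$rootPdc = [string](Get-ADDomainController -Discover -Domain $forestRoot -Service PrimaryDC).HostName

# What the child DC syncs from now. In the default hierarchy this is a DC of the
# parent domain; "Local CMOS Clock" or "Free-running System Clock" means it is
# not following the hierarchy at all.
w32tm /query "/computer:$childDc" /source
w32tm /query "/computer:$childDc" /status

# Offset of the child DC against the root PDC, measured on the child DC itself.
Invoke-Command -ComputerName $childDc -ScriptBlock {
    $target = $using:rootPdc
    w32tm /stripchart "/computer:$target" /samples:5 /dataonly
}

# Make the child DC rediscover its source and resync immediately.
w32tm /resync "/computer:$childDc" /rediscover

# If /source showed the DC pinned to a manual NTP peer or its own clock, put it
# back on the domain hierarchy (run on that DC), then resync again:
#   w32tm /config /syncfromflags:domhier /update
#   Restart-Service w32time
```

Two minutes is still inside the default Kerberos tolerance of five minutes, so authentication has not failed yet; the resync fixes the symptom, and the /source output tells you whether the child's PDC emulator was ever pointed at the hierarchy, which is what stops it drifting again.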

  • Puzzled - parent domain user as administrator in child domain cannot add printer

    I've got a bare domain at the forest with 3 users and several "child" domains.  I'm trying to set it up so that the user (let's call it EA-Service) in the forest can do administrative work in each of the sub domains without having to log on to the various
    domains as each domain's domain administrator.  There are a handful of these domains at this time, but as we pick up more accounts (think hosting), we expect the number of domains to reach the hundreds.  I don't want hundreds of domain accounts
    to track.
    I thought adding EA-Service to a forest group called EA-Universal and adding EA-Universal to Builtin\Administrators on each of the domain controllers would give me administrator access on each of the domains.
    I spent a frustrating two days trying to add an internet printer's driver using EA-Service on one of the child domains and it kept failing (message wasn't clear).  Today I said, What the Heck, logon with my domain admin account on the child domain and
    try.  It worked.  I dropped the printer and then logged out and back in with my EA-Service account and I couldn't do it.  Clearly Builtin\Administrator isn't everything on a DC.
    What right, privilege, or piece of arcane magic did the domain administrator account have that the EA-Service account did not?  And how can I give that special whatever-it-might-be to my EA-Service account?
    How can I determine exactly what rights & privileges a particular userid on a machine has?  I could then compare the two sets of rights and see what was different.
    I really need to have a super-duper-administrator account to do various maintenance tasks and I don't want to have to use each domain's Admin account to do it. 
    Can y'all help me?
    -g

    I had an entire post built that took me all day with interruptions and poof, it's gone.  Rats.  Here is my second attempt:
    Assign permission on the resource using DL group.
    This last one is the one I'm having trouble with.
    I have to admit that I'm feeling very stupid about this whole thing.  Everyone seems to understand it completely.  I have read many posts and believe I understand them, but I'm not getting something, as I've certainly not got it to work.
    I have seen some excellent writeup by Ace, Awinish, Meinolf that have really helped me understand the RBAC/AGUDLP/IGDLA.  This
    post by Ace Fekay is one such example among others.  I have read about the different group types and scopes.  I have read about rights, privileges and permissions.  I believe I understand them.  I've worked in security since IBM's
    RACF which is also RBAC.
    The problem is just what permissions need to be given to DA-DomainLocal (the group to which EA-Service, the forest user, ultimately belongs) so that its members have the same abilities as DA-Service (a domain administrator account on a child domain)?
    Clearly adding to Administrators on the child AD is insufficient as the EA-Service ID was directly added to it and it could not add a printer while DA-Service could.  EA-Service is also a member of the Enterprise Admins group on the parent/forest domain.
    What other permissions/rights/privileges does the DA-DomainLocal group (or directly, the EA-Service ID) still lack?  What are the differences between the access tokens/descriptors of EA-Service and DA-Service?  And how do I find out? 
    I believe I've seen some tool that showed them, but I can't seem to find it now that I'm looking.
    I listed the NTFS permissions (via AccessEnum from SysInternals) for the entire C drive and note that Administrators is on most of them and not once did I see something like Domain Admins appear and I saw nothing to do with printers at all.  The list
    was very long so I could have missed it if it was there.  I also used the same tool to look at the HKLM hive, but that was too large to browse through.
    I have set up the group structure exactly as Awinish suggested and remain stuck at the last piece.  If it was some specific resource I'd have no problem; I could add it and give it permissions/rights/privileges as needed.  The problem remains
    that I don't know what those permissions/rights/privileges are nor how to discover a definitive list (I've seen some generic lists, but they don't list the exact names of the right/privileges).
    I'm sure I'm just being dumb.
    How do I go about discovering what permissions/rights/privileges that DA-Service has that EA-Service (via the DA-DomainLocal group) needs?
    I thank all of you for helping me.  I appreciate the time you are taking.
    -g

  • Administrator in parent domain has no administrator rights when logging into child domain systems.

    We have a simple layout: the parent domain in the office is foo.com, and I've added a child domain in the datacenter called prod.foo.com (we have machines with the same names in the office and production, not my doing :p).  Prior to this all of our production
    machines were standalone and various users just had the local administrator account, which has led to some problems. 
    Anyway, on to my issue;
    I have a security group in foo.com called Production Logins that I've added myself to, and on the test windows 2003 server I've allowed FOO\Production Logins the ability to remote desktop, and I'm able to remote into the box web01.prod.foo.com
    just fine, however;   When I log into web01.prod.foo.com under my admin account in the parent domain, I only have basic user rights on that machine, not administrator rights.  Shouldn't administrator rights carry over to the child domain for
    my account?  Is there something specific I need to do to allow that?

    Hi,
    To do what the friend said above you need to configure a Restricted Groups GPO.
    More information:
    http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
    MCP, MCDST and MCSA 2003

  • Separating a child domain from a forest/parent domain

    Our infrastructure is currently as follows:
    There are two domains which I will call "apple.local" and "banana.local". The domain "apple.local" is the parent/forest which is at a Windows 2003 Functional Level. The domain "banana.local" is a child domain of "apple.local"
    which is at a Windows 2008 Functional Level. This unusual arrangement was the result of a merger.
    Recent business changes have meant that the domain "banana.local" needs to become the forest and "apple.local" needs to be permanently retired. I have been searching as to whether this is possible but the general consensus is "no".
    However, many of the discussions are several years old and I am interested in whether anything has changed with recent updates.
    As an added "bonus", a single Exchange 2010 SP3 server is present and - just to complicate things further - is a member of the child domain "banana.local". Mailboxes (shared and user) and DGs from both domains are present. Access to shared
    mailboxes is granted using a mixture of users and security groups from both domains.
    Is the best way forward to simply create a new domain on a fresh server? What would be the most straight-forward solution with minimal impact to the users and - in particular - the Exchange platform?
    I am in a position to purchase new servers, software and licenses as required to meet the ultimate goal and - within reason - additional expenditure is not an obstacle. We also have the option to create new IP ranges if required.
    Any ideas and/or suggestions welcomed!

    Is the best way forward to simply create a new domain on a fresh server? What would be the most straight-forward solution with minimal impact to the users and - in particular - the Exchange platform?
    It is not possible to detach a child domain from its parent. One of the things you can do is to create your domain and establish trusts between them and migrate resources from old domain to the new domain. Note that computer account migration will take some
    time. For exchange part you can ask in Exchange forums but the one thing you can do is to Cross-Forest mailbox move after you set up the new forest.
    Exchange 2010 Cross-Forest Mailbox Moves
    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

  • Importing Child Domain Object Along With Parent Domain Objects

    I have two AD AWS services. Both are doing a full sync. One is pointing to Domain A, which has x users; the other is pointing to Domain B, which has y users. Domain B is a child domain of Domain A, and when the job runs to sync Domain A, Domain B's users also get imported. Is this by design?
    Craig

    Hi Craig, this is probably a side effect of your user query filter: does it include the sub domain?
    To get around this, you can go down either of two routes:
    a) change your query filter so it doesn't include Domain B in the Domain A auth source editor
    b) change your Domain A sync type to Partial Users, and choose the subgroups you'd like to have synced to that domain
    The latter solution only works if there is no overlap in group membership between domains and Domain B has a group that can simply be excluded in the partial users sync.
    If you provide some more details on your exact hierarchy, we might be able to give you some more specific solutions.
    Thanks,Akash

  • User Migration from Parent Domain to Child Domain..The user is enabled with Exchange 2010 Mailbox in Parent Domain

    We currently have a single Windows 2008 R2 Active Directory domain controller, and an Exchange 2010 server. We are in the process of adding a child domain on a second Active Directory server for an offsite office location for a subdivision of our company.
    The two locations will be connected via VPN.
    Currently users exist on the root domain with Exchange accounts who will be moving to the new offsite company/location. We would like to be able to move these user accounts to the child domain while maintaining their existing Exchange mailboxes and
    email addresses. Is this possible, and if so how would we do it?

    Hi Srinivasa,
    According to your description, I think you have done all the preparation.
    For DL migration, the following article may give your some hints:
    How to Migrate Distribution Groups Across a Forest
    Good Luck!
    Niko Cheng
    TechNet Community Support

  • Migrating to Lync in a child domain from OCS in a Parent domain

    I am looking to migrate from OCS to Lync 2010.  I have gotten as far as deploying the target pool, but when I try and merge the topologies it fails.
    OCS is in The root domain of my forest but Lync is planned for the primary Child domain where 80% of my users live.  I just need to know if this is a supported migration scenario for Lync.  If it is how do I merge the two topologies, as it looks
    like the merge tool is only looking at the child domain for the configuration of OCS?
    Jeff

    Hi,
    Did you build a new pool with Side by side approach?
    It is supported to migrate Lync from one domain to another domain in the same forest. Here is the supported server migration paths in the link below:
    http://technet.microsoft.com/en-us/library/gg425764.aspx
    For the issue merge topology failed, did you receive any error message from FE server Event Viewer?
    The Lync server default sip domain should be the same when migrating from OCS to Lync server. If not, you can add sip domain in Lync topology and then run the command such as below on Lync FE server:
    Set-CsSipDomain -Identity <new sip domain name> -IsDefault $True
    Note: (change new sip domain name to your Lync server sip domain name)
    Then run OCS merge again to test the issue again.
    Best Regards,
    Eason Huang
    TechNet Community Support
