Creating Multiple domains using 1 domain controller

Status
Not open for further replies.

jocasio

IS-IT--Management
Oct 11, 2002
88
US
Hey Gang:

I have a question concerning my network. Currently I have one domain (XYZ). I'm using SBS2000 and have approximately 20 users. What I would like to do is the following:

1) Add a new Server to the domain

2) Create a new sub-domain (if possible - ABC)

3) Have certain people set up in Domain ABC and the rest in the original Domain (XYZ).

The reason for this is we are adding a few people who will be sharing our resources (Internet access) and I would like them to be a mini network.

Please let me know how I can accomplish these tasks. Right now I have someone who has access to the Internet, but I have not added their computer to the domain, but I would like a cleaner way to do this.

Thanks for your help

jocasio
 
You can't do it with one DC. For each domain you'll have to have a separate DC.

You could create a child domain using the second server, but it will have to be a DC, and then you'll need to establish trusts between the two DCs.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
First, it is difficult to answer your questions because you have not given any information concerning the current domain and users.

Assuming you are using Win2000, adding a Win2k server to the existing domain is the same as adding a workstation: right-click My Computer, Properties, Network ID, add to the domain. If, however, you want to add this server as a DC, you need to first add it to the domain as a member server, then run DCPROMO on it to promote it to a DC.

You do not need to create another domain to control this new group of users. Add their systems to the existing domain, then simply create another OU (Organizational Unit), add all these users to a group in the new OU, and put all the restrictions you desire on them. For example, you could deny access to specific systems, allow restricted access, etc., to the entire group of users by using group policy.

If you have simply added these users to the network for Internet access, then what are you worried about? If you have not added them to the domain, then they do not have a domain user access ID and will be refused access to any domain assets (printers, files, etc.). You do not need to add them to the Domain to allow them access to the Internet, and they will not have access to the domain resources either.

You could put all these users onto a subnetwork range of IP addresses to further prevent them from accessing your domain resources, if you want additional separation, and only give them the gateway address so they can get to the Internet only. Don't build yourself more headache than you need to; you do not appear to need another domain under your existing domain (especially with only 20 users!), but without more specifics about what your real goal is I cannot help much more.

HTH

David.
 
dholbrook:

Thanks for your reply. I actually have a couple of users in this type of setup as a workgroup. The problem is I felt this was a hack and wanted to clean it up. My setup is as follows:

I have two servers. My SBS 2000 server is, of course, my domain controller. I have another server (Windows 2000 Server) that I added about 6 months ago. I'm about to add another server (Windows 2003 Server). The new arrivals to my company will be utilizing some resources (network printer, Internet) and be their own separate little network (or at least look like it). They will be able to utilize all of the resources from the new 2003 server (files, drives, etc.). They cannot have access to any of the resources from the SBS server or the 2000 server. I think the OU is the way to go. Please let me know the steps I should take to create an OU to have them properly segregated from the rest of the domain. One final thing: I am completely open to learning this on my own if someone could point me in the right direction.

Many, many thanks for both of your responses!!!!


jocasio
 
Guys you are missing something here, this is SBS!

You can have additional domain controllers in your domain, but you cannot create child domains with SBS and you cannot have trusts between domains with SBS.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Whoops! lol, yeah, missed that.

You'll have to go the OU route.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
jocasio,

Sorry for the delay in getting back, I have been out of town.

Sounds like you have a few issues to address, but putting all these users in a special group is all you will need to do, and is probably the best way to go. However, if they are to have access to only the one new server, you should also make this server able to be a print server for your network for these few people, and then give their "special group" access ONLY to the new server, and make the printer access from this new server only available to these users using group permissions also. With these special users in a single group, you can then deny them access to all server resources except those on the new server. Restrict their access to log on to only the new server (you will need that for local access if you are using terminal services) and only to the shares on the new server, and deny log on to shares on all other servers. That way they will have printing access and file access to the new server, but you can then deny them any access to any other resources in the network by setting the group restrictions accordingly. One other thought: do these users have to be able to access any resources on any other machines in the entire system (such as between users, etc.), or are all files they need to access residing on the new server (please say yes! :))?

The Internet access is not a domain controlled resource, so that should not be a problem, and as long as they have the gateway address they should be able to get to the Internet.

By the way, it might be a good idea to promote the second server you have to be a DC also, just for redundancy and survivability of the network, so you can remain up and in operation if the current DC has to be taken off line or crashes. Having 20+ people unable to work while a single server is down is difficult to explain to your boss, versus having to explain you will be degraded while you repair the failed server. :) Along the same line, making it a backup print server would not hurt either, for the same reasons.

HTH,

David
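
The OU-and-group separation described in the replies above, as an added example that is not part of the original thread. It assumes a current Windows Server with the ActiveDirectory and SmbShare PowerShell modules; the SBS 2000 and Windows 2000 servers in the thread predate these cmdlets, and there the same steps are done in Active Directory Users and Computers and the share properties dialogs. The DNS name xyz.local and every server, PC, share, group and account name are hypothetical.

```powershell
# Added example. All names below are hypothetical placeholders.
Import-Module ActiveDirectory

$domainDN     = 'DC=xyz,DC=local'            # assumed DNS name for domain XYZ
$ouName       = 'ABC'
$groupName    = 'ABC-Users'
$newServer    = 'SRV2003'                    # the only server the group may use
$otherServers = 'SBS', 'SRV2000'             # servers the group must not reach
$members      = 'abc.user1', 'abc.user2'     # existing accounts of the new arrivals
# Computers these accounts may log on to: the new server plus their own PCs.
$logonTo      = "$newServer,ABC-PC1,ABC-PC2"

# 1. OU that holds the accounts, so Group Policy can be linked to them alone.
New-ADOrganizationalUnit -Name $ouName -Path $domainDN
$ouDN = "OU=$ouName,$domainDN"

# 2. One security group that carries every allow and deny decision.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN

foreach ($sam in $members) {
    Get-ADUser -Identity $sam | Move-ADObject -TargetPath $ouDN
    Add-ADGroupMember -Identity $groupName -Members $sam
    # 3. Limit where the account can log on.
    Set-ADUser -Identity $sam -LogonWorkstations $logonTo
}

$account = "XYZ\$groupName"

# 4. Allow the group on the share that lives on the new server.
Grant-SmbShareAccess -Name 'ABCData' -AccountName $account `
    -AccessRight Change -CimSession $newServer -Force

# 5. Deny the group on every ordinary share of the other servers. The users
#    are still Domain Users, so without an explicit deny they would inherit
#    whatever Domain Users or Everyone is allowed there.
foreach ($srv in $otherServers) {
    foreach ($share in Get-SmbShare -CimSession $srv -Special $false) {
        Block-SmbShareAccess -Name $share.Name -AccountName $account `
            -CimSession $srv -Force
    }
}

# 6. Review the result: list what the group is allowed or denied per server.
foreach ($srv in @($newServer) + $otherServers) {
    Get-SmbShare -CimSession $srv -Special $false |
        ForEach-Object { Get-SmbShareAccess -Name $_.Name -CimSession $srv } |
        Where-Object AccountName -eq $account
}
```

Share permissions are only one layer; the NTFS permissions on the underlying folders should carry the same allow and deny entries so that access through any other path is covered as well.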
 