Empty Root Domain

bumba

Hello everybody,

I am installing (trying to) a new Domain Controller on a powerful
computer.
My company has several branches, geographically apart from each other.

I want to give those branches the control of their own domain, and
also I will have my own domain.

We (me and the other branches) will have a domain name like:
-branch1.mycorp.com
-branch2.mycorp.com
-branch3.mycorp.com, etc, etc

I am branch1. Problem: how do I install the first domain controller?

When asked for the FQDN (following the Active Directory wizard), should
I try:
machineonbranch1.branch1.mycorp.com?
If I do that, then my forest root will be branch1.mycorp.com, and not
mycorp.com as I wanted it to be?

I don't want to waste a good machine only to be an empty domain
controller of mycorp.com, I want that machine to be the domain
controller of branch1 domain, but at the same time, I want that when
someone in branch2 creates his domain controller, he can use
branch2.mycorp.com and not branch2.branch1.mycorp.com.


Do I make any sense ? If not, this is a summary:
forest domain: mycorp.com
child domain 1: branch1.mycorp.com
child domain 2: branch2.mycorp.com

domain controller of branch1: machineonbranch1

domain controller of branch2: machineonbranch2


machineonbranch1 is the first domain controller ever installed in my
company, which makes it the root domain controller, but I don't want
branch1.mycorp.com to be the root domain of my company. Is there any way
to do that?



Thanks a lot for your inputs,

Regards,
Tommy
 
Have you fully thought through the possibility of using OUs in a single
domain to achieve the same thing?

Investigate this first, because it will give you optimum use of hardware and
simplify your environment, while still allowing full delegation of control
of OUs.

The usual reason for creating a multi-domain forest is to allow different
password policies.

Regards

Oli
 
Oli Restorick said:
Have you fully thought through the possibility of using OUs in a single
domain to achieve the same thing?

Investigate this first, because it will give you optimum use of hardware and
simplify your environment, while still allowing full delegation of control
of OUs.

The usual reason for creating a multi-domain forest is to allow different
password policies.

Regards

Oli

Thanks a lot Oli!

I will have probably 10-15 different domains with their respective
administrators on each branch. Will the replication traffic be a
problem if I go with OUs instead of domains ?
 
Correct.

What Oli is saying is that you would use Sites from the ADSS MMC ( Active
Directory Sites and Services MMC ) for each location ( if that is how things
are ) and create an OU for each location and then, if necessary, use the
Delegation Wizard to grant a certain user - or group, even if there is just
one person in it - the ability to do 'things' ( whatever that might mean ).

HTH,

Cary
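
The layout described in the reply above (one OU per location, each delegated to a group), as an added example that is not part of any poster's reply. It assumes a single mycorp.com domain, the ActiveDirectory RSAT module and dsacls.exe; the NetBIOS name MYCORP, the "Delegation Groups" OU and the "<branch>-admins" group names are hypothetical.

```powershell
# Added example. Assumes the ActiveDirectory RSAT module and dsacls.exe.
# MYCORP, "Delegation Groups" and the "<branch>-admins" names are hypothetical.
Import-Module ActiveDirectory

$domainDN = 'DC=mycorp,DC=com'
$netbios  = 'MYCORP'
$branches = 'branch1', 'branch2', 'branch3'

function Confirm-OU([string]$Name, [string]$Parent) {
    # Create the OU only if it is missing, and return its distinguished name.
    $dn = "OU=$Name,$Parent"
    $found = Get-ADOrganizationalUnit -SearchBase $Parent -SearchScope OneLevel -Filter "Name -eq '$Name'"
    if (-not $found) {
        New-ADOrganizationalUnit -Name $Name -Path $Parent -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

# Keep the admin groups outside the branch OUs, so a branch admin's rights over
# group objects in their own OU do not extend to their delegation group.
$groupOU = Confirm-OU -Name 'Delegation Groups' -Parent $domainDN

foreach ($b in $branches) {
    $ouDN  = Confirm-OU -Name $b -Parent $domainDN
    $group = "$b-admins"
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$group'")) {
        New-ADGroup -Name $group -SamAccountName $group -GroupScope Global `
                    -GroupCategory Security -Path $groupOU
    }
    $trustee = "$netbios\$group"

    foreach ($class in 'user', 'group', 'computer') {
        # First ACE: create/delete objects of this class in the OU and below.
        # Second ACE: full control over those objects only, not the OU itself.
        foreach ($ace in @('/I:T', "CCDC;$class"), @('/I:S', "GA;;$class")) {
            dsacls $ouDN $ace[0] /G "${trustee}:$($ace[1])" | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $ouDN ($($ace[1]))" }
        }
    }
}
```

Running `dsacls` with only the OU's distinguished name afterwards lists the resulting ACL, which is the quickest way to confirm that each branch group holds rights on its own OU and nowhere else.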
 
Hi !

If you don't need to delegate DNS administration or, like Oli said, need to
configure different password policies, you don't need to create so many DNS
domains.

Hugo
 
You're welcome.

AD has the concept of sites (sets of IP subnets that have high bandwidth and
a permanent connection), so inter-site replication is handled differently.

With NT4, you had to use domains to restrict replication traffic. Don't let
the compromises you had to make under NT4 cloud your AD design decisions!

Go and grab a copy of Mark Minasi's "Mastering Windows Server 2003",
published by Sybex (even if you're still using Windows 2000, as it covers
both).

Cheers

Oli
 