Help: how do I set up two domains on one network?

Discussion in 'DNS Server' started by timmy, Jul 18, 2005.

  1. timmy

    timmy Guest

    OK, I'm a newbie when it comes to Windows 2003 DNS and all that.

    Here is what I have: I have a server set up for our staff. Active Directory
    and DNS are set up and all seems fine; we do roaming profiles and login
    times are quick, so I think I have it set up right. But now I want to add a
    student server on its own new domain to keep them off the staff domain. How
    do I do that? I have a new box with Windows 2003 set up. I started up Active
    Directory and DNS, set up a new user to test, went over to the staff server
    and told DNS to forward any other requests to this DNS first. But when I go
    to a PC and try to join that domain, "student.local", I can't see or find
    it, but if I try to join the staff domain a login pops up and lets me. I
    know I'm missing something with DNS, but what? I have the staff domain doing
    DHCP, and its IP is the first DNS setting and my internet's DNS is the 2nd.

    Sorry for the newbie questions; I'm trying to get a handle on Active
    Directory and DNS before I take some classes on it, and I would love to have
    student logins/profiles set up for the first of the school year.

    timmy, Jul 18, 2005
  2. Todd J Heron

    Todd J Heron Guest

    Microsoft recommends a single domain for ease of administration and a
    centralized group policy model. Trust me, from experience, that is the way
    to go. Put students in their own OU. To get to your question: are these
    domains in the same forest?

    255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
    DNS Namespace to the Child Domain:
    Todd J Heron, Jul 18, 2005
  3. timmy

    timmy Guest

    Hi Todd, thanks for the help. I'm not sure I understand you. As of right now
    I have a staff domain on a Windows 2003 box and I wanted to add a 2nd server
    for the students and have their own domain to keep them away from the staff
    server/domain. Can I do that by making a child forest on a different Windows
    2003 server?
    timmy, Jul 18, 2005
  4. timmy

    timmy Guest

    OK, here is what I tried, but it failed. I removed Active Directory and DNS
    from the new student server, restarted and ran Active Directory, and told it
    to be a child of an existing tree ("my staff server"). I filled out the user
    name and password, entered the domain I wanted it to be a child of, and it
    waits a few minutes. I entered the domain info and the new child name, and a
    few steps later it gives me this error:

    The operation failed because: Active Directory could not replicate the
    directory partition
    CN=Schema,CN=Configuration,DC=eastcentral,DC=k12,DC=mn,DC=us from the remote
    domain controller "Access is denied."
    Not sure why, I have the admin login and pass?

    What I want to happen is:

    I have a staff server set up with DNS and Active Directory. Everything works
    great, profiles are fast :) I want to add a 2nd server for the students and
    keep them away from the staff server. I think by doing the child domain I'm
    on the right track, but I'm not sure. Help help help :)

    thanks in advance
    timmy, Jul 18, 2005
  5. Kevin D. Goodknecht Sr. [MVP]
    Join the new server to the current domain and logon to it using a domain
    administrator account. Then start DCpromo as a child domain of the existing
    domain, this should give you the permissions you need.

    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Kevin D. Goodknecht Sr. [MVP], Jul 18, 2005
  6. Ace Fekay [MVP]
    Or he can use the RunAs command to run dcpromo in the domain admin's


    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services
    Infinite Diversities in Infinite Combinations.
    Ace Fekay [MVP], Jul 19, 2005
  7. timmy

    timmy Guest

    I joined the domain and it worked great, thanks. One more thing:

    I've noticed after I set up the student server, I made a group policy and
    added users and it all seems good, thanks. It takes about 40 secs to log in
    to a PC for the first time, then after that it's quick. But I set up a
    wallpaper to be pushed through the policy, and every now and then it loads
    on the screen about a quarter of the way and the rest is black, and then if
    I hit refresh it loads the whole way. Any way for me to fix that? It's a JPG
    wallpaper, so I had to turn on Active Directory through the policy too so I
    could use JPGs.

    thanks for all the great help
    timmy, Jul 19, 2005
  8. Ace Fekay [MVP]
    Trusts are default, nothing to change.

    What exactly do you want a student logging into the child domain to see in
    the parent domain?

    Ace Fekay [MVP], Jul 25, 2005
  9. timmy

    timmy Guest

    Hi Ace, I would like the students to only be able to see the student server,
    not the parent at all, or at best the printers only. But my plan was to just
    reset the handful of printers that students should be able to use on the
    student server, so no access to the parent would be nice.

    thanks for helping
    timmy, Jul 25, 2005
  10. Ace Fekay [MVP]
    Oh, ok, I see. Then just go into the parent domain's printer's properties
    and add the student group that you want to allow to print and give them
    "Print" permissions. It should be that easy.

    Ace Fekay [MVP], Jul 25, 2005
  11. softtrain

    softtrain Guest

    I am doing the same exact configuration. There are transitive trusts
    between the domains, so if I don't want the students to see the staff
    domain, how do I accomplish this?

    1. I was going to set up a restrictive desktop profile.
    2. Permissions can be set, but do I set permissions on the staff DC's "c"
    drive and give permissions only for the "staff"? I'm not clear on how to set
    permissions to keep the students out of the entire staff DC.
    3. Router rules. Has anybody set up router rules to restrict traffic?
    softtrain, Jul 26, 2005
  12. Ace Fekay [MVP]
    By default anyone can see anything in network neighborhood. Is that what you
    are talking about? That can't be helped unless you remove My Network Places
    in the profile. Is that what you are talking about in step #1?

    Also by default, any user in a domain cannot access anything else in any
    other domain unless permissions are allowed for that user.
    Why would you be allowing access on a DC? Are you placing their profiles or
    home directories on a DC? If so, put it on a different spindle other than
    the system (c:\) drive. They can't access the drive. Create a test user
    account and test it.

    What kind of router rules are you referring to? What brand router? Is this
    between subnets (between offices/locations) or is this your entry-point
    router, such as a Cisco router?

    Ace Fekay [MVP], Jul 27, 2005
  13. timmy

    timmy Guest

    Hey Ace, I'm a bit confused. How can I make it so the student server, which
    is a child of the staff server, does not see any of the shares? I want to
    make it so that when a student logs in to the student server, goes to the
    network and clicks on the parent server to mess around, nothing is seen or
    accessible.

    Thanks for helping out a newbie
    timmy, Jul 28, 2005
  14. softtrain

    softtrain Guest

    Hi Ace
    Looks like I'm doing the following:
    1. I'm working with the firewall vendor to create rules.
    2. Making child domains

    I had a question... obviously... have you ever used the User Right "Deny
    Logon from over the Network" to ensure that a group doesn't log on to a
    machine? I was doing some more reading and came across this User Right. So,
    if on the parent domain DC I assigned this Deny logon right to the student
    user group from a child domain, that should be another level of protection.
    Your


    softtrain, Jul 28, 2005
  15. Ace Fekay [MVP]
    You can always turn off broadcasting the shares on the parent domain's DC:

    net config server /hidden:yes

    This will not allow anyone to see the shares in the neighborhood, but will
    still allow you to map drives as long as you know what the sharenames are.

    As softtrain mentioned, you can also establish firewall and/or router rules
    to block 139 across the subnet, as long as the two domains are in different

    Ace Fekay [MVP], Jul 28, 2005
  16. Ace Fekay [MVP]
    You can test this, but I believe it will block the ability for a user to
    logon to the domain. I forget specifically. You may want to use Deny Access
    from Across the Network:



    Ace Fekay [MVP], Jul 28, 2005
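
Added example, not part of the thread: the deny-network-logon idea discussed in posts 14 and 16 can be verified on the parent DC from a `secedit /export /areas USER_RIGHTS /cfg rights.inf` export. This sketch assumes the right meant is "Deny access to this computer from the network" (`SeDenyNetworkLogonRight`); the sample export, the SIDs and the function names are constructed for illustration.

```python
import configparser

# Constructed sample of a USER_RIGHTS export from the parent-domain DC.
# All domain SIDs are placeholders, not values from the thread.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
"""
STUDENT_GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # placeholder

# Well-known SIDs that also cover users from a trusted child domain.
BROAD_PRINCIPALS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}


def parse_privilege_rights(inf_text):
    """Return {right name: set of SIDs/account names} from [Privilege Rights]."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the original case of right names
    parser.read_string(inf_text)
    rights = {}
    if parser.has_section("Privilege Rights"):
        for name, value in parser.items("Privilege Rights"):
            rights[name] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights


def network_logon_status(rights, group_sid):
    """Classify network-logon access for one group; a deny entry wins over allow."""
    if group_sid in rights.get("SeDenyNetworkLogonRight", set()):
        return "denied"
    allowed = rights.get("SeNetworkLogonRight", set())
    if group_sid in allowed:
        return "allowed-explicitly"
    broad = sorted(BROAD_PRINCIPALS[s] for s in allowed if s in BROAD_PRINCIPALS)
    if broad:
        return "allowed-via:" + ",".join(broad)
    return "not-granted"


if __name__ == "__main__":
    print(network_logon_status(parse_privilege_rights(SAMPLE_INF), STUDENT_GROUP_SID))
```

A real export is written as UTF-16, so open the file with `encoding="utf-16"` before passing its text to `parse_privilege_rights`. An `allowed-via:` result means the student group is not denied and still inherits network logon through a broad principal.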
