relationship between child dc and parent dc

m

Hello,

We have an AD at our corporate office, and we are now in the
process of setting up a child domain for the branch office
that's in another state. We are going to have a T1
connection between the 2 offices.
We currently have 1 segment that's inside the firewall
with the IP address xxx.xxx.4.xxx. We are now going to have
a new segment for the branch office that's going to be
connected through the DMZ and stay outside of the firewall
with the IP address xxx.xxx.8.xxx.
How can we set this up so the child DC at the branch
office can connect to the corporate office?
Will the corporate office be able to manage accounts, DHCP
and DNS over the branch office?
Can we have the branch office use the same DNS and DHCP
server services over the corporate office?
How about the policy? Can the corporate office get the users
and computers policies over the corporate office (GP)?
This is very new to me. I have never set up a child domain
before, so please be detailed about how to set this up.
Thanks for all the advice!!!

M.
 
Cary Shultz [A.D. MVP]

M,

I might suggest that you forgo creating the child domain and simply set up
Sites. In WIN2000 there is often no reason for having child domains just
because the offices are located in geographically different areas. However,
*often* is the operative word here. You did not really provide much
information into the decision to set up a child domain vs. simply creating a
second Site. This is a common 'mistake' ( far too strong of a word ) that
experienced WINNT 4.0 Admins make when first dealing with WIN2000 AD.

Should you decide to proceed with the Sites situation instead of creating a
child domain, please take a look at the response that I gave to the thread
from Fablexo ( the subject is: forcing logon server in W2K domain ) where I
give the big picture on Sites as well as several links to MSKB Articles.

You *might* want to reconsider the child domain idea and go with Sites
instead. You would simply set up a Firewall-to-Firewall VPN between the two
Sites.

Please note, however, that if you do have a sound reason [ or unsound reason
;-) ] for moving forward with the child domain please let us know so that we
can help you there.

HTH,

Cary
 
Herb Martin

> We have an AD at our corporate office, and we are now in the
> process of setting up a child domain for the branch office
> that's in another state. We are going to have a T1
> connection between the 2 offices.
> We currently have 1 segment that's inside the firewall
> with the IP address xxx.xxx.4.xxx. We are now going to have
> a new segment for the branch office that's going to be
> connected through the DMZ and stay outside of the firewall
> with the IP address xxx.xxx.8.xxx.
> How can we set this up so the child DC at the branch
> office can connect to the corporate office?

If you allow network connectivity it will work. If you firewall filter
it, you must be very careful to allow certain/all traffic between the
specific pairs of DCs at least.

> Will the corporate office be able to manage accounts, DHCP
> and DNS over the branch office?

If you allow RPCs and other stuff through the firewalls.

> Can we have the branch office use the same DNS and DHCP
> server services over the corporate office?

Probably should have their own DNS, and DHCP too.

But for DHCP you just set up more scopes and put a local
DHCP relay agent with the clients if you REALLY want to handle
it remote.

You must allow the corresponding requests through the firewall filters
too.

> How about the policy? Can the corporate office get the users
> and computers policies over the corporate office (GP)?

GPOs come from the authenticating DC.

> This is very new to me. I have never set up a child domain
> before, so please be detailed about how to set this up.

Why are you doing it?

Hint: You don't need child domains for different sites usually.

(There are reasons for child domains, but this is seldom one of
them.)

If you don't already KNOW why you are using a child domain,
chances are you don't need one.

> Thanks for all the advice!!!
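
The firewall point in the reply above can be verified from one DC toward its partner before relying on replication or remote management. The following PowerShell script is an added example, not code from any poster in this thread; the partner host name is a placeholder, and the port list is the standard set of TCP ports used between domain controllers, which the thread itself does not enumerate.

```powershell
# Added example: check TCP reachability from this DC to a partner DC
# across the firewall. $PartnerDc is a placeholder value.
param(
    [string]$PartnerDc = 'dc1.corp.example',   # hypothetical partner DC
    [int]$TimeoutMs = 2000
)

# Well-known TCP ports used for DC-to-DC traffic.
$ports = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (SYSVOL, Group Policy files)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAP over SSL' },
    @{ Port = 3268; Service = 'Global catalog' }
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped packet does not hang the check.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false   # refused, unreachable, or name not resolved
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in $ports) {
    [pscustomobject]@{
        Port      = $p.Port
        Service   = $p.Service
        Reachable = Test-TcpPort -HostName $PartnerDc -Port $p.Port -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table -AutoSize

# RPC services behind port 135 use dynamically assigned high ports, and DNS,
# Kerberos and LDAP also use UDP; neither is covered by this TCP check.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("Blocked or closed toward {0}: {1}" -f $PartnerDc, ($blocked.Port -join ', '))
}
```

Run it in both directions, once on each DC with the other as the partner, since the firewall rules must permit the pair to reach each other.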
 
M

Cary,

Thanks for your reply!

For the branch office we don't have a firewall set up, we
just have a router. We only have one firewall on the
branch. Can the site option be set up if we don't have
a firewall at both offices?
We want to be able to manage user and computer accounts
and print services, including the GP.
What should I do, Cary? Will a site still be an option if I
don't have a firewall on both ends? By the way, can you show
me how to set up a second site if the site option is
possible?

Thanks a lot Cary!!!

M
 
