Creating a new W2K3 domain from inside an existing domain

By balfour
The company I am working for just bought a new Dell PowerEdge 2950 and I have been tasked with getting it up and running. I have already installed Windows 2003 Server with SP2 and have it online in the same subnet as our existing 2003 domain. I have not joined it to our existing domain yet. It is in its own workgroup for now until I get this figured out.

Our current domain controller has some problems and I'm not sure the person who set it up knew what they were doing as it has a lot of Active Directory issues that I don't really want to get into as it's a long story. Anyway, I don't want to just transfer over the DC duties to this new server and demote the old one as I don't want to transfer over the old AD/DNS/Group Policy problems to the new domain/DC.

So, how do I go about building a new domain controller/domain on the same subnet, side by side with the existing domain without messing anything up with the current domain? What would be the best approach? Steps, procedures, etc?

Thanks in advance,



All Answers


whats the final outcome supposed to be ?

by CG IT In reply to Creating a new W2K3 domai ...

If you're tasked to get the server up and running, there obviously is a final outcome that the powers that be want, and it's that outcome that determines what needs to be done. Just saying you want to create a new domain doesn't answer the question: will the company change their domain name and everything associated with it to fit the new domain created?

But... to answer your question, single-forest, single-AD-domain setups are security boundaries. You can create a second single forest, single domain on a server with DNS and Active Directory also on the same subnet [no DHCP server though] and they are separate from each other [separate domain name spaces and DNS zones].


create additional domain for an existing domain

by rnoldlucas In reply to whats the final outcome s ...

If you create an additional domain not associated with your existing domain it will be a lot of work; you will have to re-join all your workstations. What I suggest is to create an additional domain controller in your existing domain. First join your new server to your domain, then using dcpromo you can add it as an additional domain controller replicating your existing domain. After that you can use ntdsutil to transfer or seize all the functions of your existing domain controller to your new one. You should make it your new PDC and your new Global Catalog, then you can demote your old domain controller.

In addition, you may check the event viewer for all potential errors that you can resolve or that help you go along with your configuration.

Hope this helps you...
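The steps above (join, dcpromo as an additional DC, transfer the operations master roles, make the new box a Global Catalog, then demote the old one) are the parts worth verifying rather than trusting, especially on a domain whose DNS is already suspect as described in the question. The following PowerShell is an added example, not code from anyone in this thread. It assumes PowerShell 2.0 on the new 2003 server after dcpromo has completed, a Domain Admin session, and the placeholder hostnames OLDDC and NEWDC standing in for OLD_PDC and the PE2950. It deliberately uses the .NET System.DirectoryServices.ActiveDirectory classes and ntdsutil, both of which work against Windows 2003 DCs; the ActiveDirectory cmdlet module needs 2008 R2 or later.

```powershell
# Added example for this thread, not from the original posters.
# Assumptions: PowerShell 2.0 on the new 2003 DC, run as Domain Admin;
# OLDDC / NEWDC are placeholder hostnames for OLD_PDC and the PE2950.

$OldDc = "OLDDC"   # assumption: the existing DC with the known problems
$NewDc = "NEWDC"   # assumption: the PE2950, already promoted as an additional DC

function Get-FsmoHolders {
    # Which DC currently holds each of the five operations master roles.
    # Before the move all five should name $OldDc; afterwards all five $NewDc.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = $domain.Forest
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        DomainNamingMaster   = $forest.NamingRoleOwner.Name
        PdcEmulator          = $domain.PdcRoleOwner.Name
        RidMaster            = $domain.RidRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
    }
}

function Get-GlobalCatalogs {
    # Names of every DC advertising itself as a Global Catalog in the forest.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $forest.GlobalCatalogs | ForEach-Object { $_.Name }
}

function Test-DcSrvRecords {
    param([string]$DnsDomain)
    # The SRV records clients and DCs use to find each other. If the new DC is
    # missing here, replication and logons will silently prefer the old box.
    $names = @("_ldap._tcp.dc._msdcs.$DnsDomain",
               "_kerberos._tcp.dc._msdcs.$DnsDomain",
               "_gc._tcp.$DnsDomain")
    foreach ($n in $names) {
        $out = nslookup -type=SRV $n 2>&1 | Out-String
        $targets = [regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') |
                   ForEach-Object { $_.Groups[1].Value }
        New-Object PSObject -Property @{ Record = $n; Targets = ($targets -join ", ") }
    }
}

function Move-FsmoRoles {
    param([string]$TargetDc)
    # ntdsutil accepts its interactive commands as arguments. "transfer" asks the
    # current holder to hand over cleanly; use "seize" only if the old DC is gone
    # for good, and never bring a seized-from DC back online afterwards.
    & ntdsutil "roles" "connections" "connect to server $TargetDc" "quit" `
        "transfer schema master" "transfer domain naming master" `
        "transfer PDC" "transfer RID master" "transfer infrastructure master" `
        "quit" "quit"
}

function Enable-GlobalCatalog {
    param([string]$DcName)
    # Flips the GC flag on the DC's NTDS Settings object; returns the new state.
    # The GC is only usable once the event log reports the partial replica is built.
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer", $DcName)
    $dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    if (-not $dc.IsGlobalCatalog()) { $null = $dc.EnableGlobalCatalog() }
    $dc.IsGlobalCatalog()
}

# --- usage: record state, move the roles, verify, then demote the old DC ---
$dnsDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

"Before:";  Get-FsmoHolders | Format-List; Get-GlobalCatalogs; Test-DcSrvRecords $dnsDomain | Format-Table -AutoSize
Move-FsmoRoles -TargetDc $NewDc
"GC on $NewDc enabled: " + (Enable-GlobalCatalog -DcName $NewDc)
"After:";   Get-FsmoHolders | Format-List; Get-GlobalCatalogs
# Only when every role shows $NewDc and $NewDc is listed as a GC should OLDDC be
# demoted with dcpromo; switching it off instead leaves stale metadata behind.
```

Run the "Before" section on its own first: if the SRV lookups already fail to return the old DC, fix DNS before touching the roles, because dcpromo, replication and the transfer itself all depend on those records resolving.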


Final Outcome...

by balfour In reply to whats the final outcome s ...

OK, to clarify a bit. The final outcome is to have our new PE2950 be the main file and application server for our company, as well as becoming the new domain controller. It will host such services as DHCP, WINS, Active Directory, FTP, 3rd party applications and miscellaneous others. The domain name is not that important in this situation and can stay the same or change, depending on how I proceed.

What do you mean by "security boundaries"? I'm a little confused by that statement.

I would have no problem setting up NEW_SERVER as a replication partner, promoting it to PDC of our existing domain and demoting OLD_PDC, relegating it to being a replication partner, except for the fact that I did not originally set up OLD_PDC and our current domain, so I don't know what all configurations were made. As I said before, there are some issues with DNS and Group Policy that I can't seem to figure out on OLD_PDC and I don't want those problems to show up on NEW_PDC if I replicate and then promote it as stated before. Would that happen if I did this?
If so, then I want to build a new domain from the ground up (obviously with the PE2950 as NEW_DOMAIN_PDC), side by side with the old domain, and then make the switchover as seamless as possible.

domains = security boundaries

by CG IT In reply to Final Outcome...

In a W2K/W2003 Active Directory domain, only those users who are members of that domain and can authenticate with their user name and password can access resources in that domain. Therefore domains are security boundaries.

If there are DNS problems in the existing domain, then you should work to resolve those issues, as Active Directory relies on DNS to function properly. Troubleshooting Group Policy can be a daunting task without documentation. Often the best course of action is to plan out what Group Policies you want, then remove all the old existing group policies and apply the new policy templates.

If you create a new domain, you can migrate AD and Exchange [if you run exchange] by using the ADMT and Exmerge.

Note: there are no PDCs in a W2K/W2003 Active Directory environment. W2K/W2003 AD is multi-master; all DCs are peers. NT is the only MS O/S that used primary domain controllers and backup domain controllers. W2K/W2003 does have a PDC emulator role for pre-W2K clients [NT on a W2K AD network].
