How to add a second trusted domain to existing Active Directory forest


Our business has opened a new business unit on our premises that is supposed to be a separate entity. However, a couple of our users will be 'seconded' to the new entity. What I would like to do is run up a new Windows Server 2008 Domain Controller in a virtual machine and establish their own domain in the business name. I need our existing domain to trust the new domain and allow those couple of users access into the new domain. However, I do not need users in the new domain to access the main domain.

It's not really a 'child' domain; it's a totally separate domain (so not child.domain.local but rather domain2.local). It will share the same network (I'll put it on its own VLAN) and it will use the same resources such as internet connectivity, firewall, routers and the existing Exchange 2010 infrastructure etc.

Is it simply a matter of running up the VM, establishing network connectivity and then doing a DCPROMO and running through the wizard to create the new domain in an existing forest and away we go?

I just want to double check and make sure my thinking is right before I go ahead. Anything I need to watch out for or plan for that I am missing?

Best Answer

  1. If this is an independent Domain then it's not going to be in the same Forest. It's going to be in its own Forest. Is that what you're looking to do?

  2. If the answer to number 1 is yes, then you'll select the option to create a new Domain in a new Forest during DCPROMO.

  3. If the answer to 1 is yes, then once the new Forest/Domain is created you can create a one-way, outgoing external trust from the new Forest to the old Forest and select to use "Selective Authentication" for the trust. This will allow selected users from the original Forest to access selected resources in the new Forest.
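The three steps in the answer above, written out as an added example (this is not code from the original question or answer). It assumes the new forest root is `domain2.local` (NetBIOS `DOMAIN2`), the existing domain is `domain.local` (NetBIOS `DOMAIN`), the seconded user is `DOMAIN\jsmith` and the resource he needs is the computer object `CN=FS01,CN=Computers` in the new domain; all of those names are placeholders. It runs on the new Windows Server 2008 VM in two phases, because `dcpromo` reboots the box between creating the forest and creating the trust. The last part covers the step the answer implies but does not spell out: with Selective Authentication on, no user from the trusted forest can log on to anything in the new forest until they are granted the "Allowed to Authenticate" extended right on the specific computer object, so the trust alone gives access to nothing.

```powershell
# Added example, not from the original post. All domain, host and user names are assumed placeholders.

# ---- Phase 1 (before reboot): new domain in a NEW forest via dcpromo unattend ----
# ReplicaOrNewDomain=Domain + NewDomain=Forest is the unattended equivalent of choosing
# "Create a new domain in a new forest" in the DCPROMO wizard. ForestLevel/DomainLevel 3 = Server 2008.
$unattend = @"
[DCINSTALL]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=domain2.local
DomainNetBiosName=DOMAIN2
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
SafeModeAdminPassword=ReplaceWithDsrmPassword
RebootOnCompletion=Yes
"@
$answerFile = Join-Path $env:TEMP 'newforest.txt'
Set-Content -Path $answerFile -Value $unattend -Encoding ASCII
dcpromo /unattend:$answerFile
# The answer file contains the DSRM password: delete it after the reboot.

# ---- Phase 2 (after reboot, as DOMAIN2\Administrator): one-way outgoing external trust ----
# Syntax: netdom trust <trusting domain> /d:<trusted domain>. domain2.local trusts domain.local,
# so accounts from domain.local can be used here, not the other way round. Without /TwoWay the
# trust is one-way; /Uo,/Po are credentials for the trusting (object) side, /Ud,/Pd for the trusted side.
netdom trust domain2.local /d:domain.local /add /Uo:DOMAIN2\Administrator /Po:* /Ud:DOMAIN\Administrator /Pd:*
# Switch the trusting side from forest-wide to selective authentication.
netdom trust domain2.local /d:domain.local /SelectiveAuth:Yes /Uo:DOMAIN2\Administrator /Po:*

# ---- Verify direction and selective-auth state from the new forest's point of view ----
Add-Type -AssemblyName System.DirectoryServices
$local = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($t in $local.GetAllTrustRelationships()) {
    # Expected: domain2.local -> domain.local: External Outbound
    '{0} -> {1}: {2} {3}' -f $t.SourceName, $t.TargetName, $t.TrustType, $t.TrustDirection
}
'Selective authentication towards domain.local: {0}' -f $local.GetSelectiveAuthenticationStatus('domain.local')

# ---- Grant the seconded user "Allowed to Authenticate" on the one server he needs ----
# Selective authentication means "deny everything from the trusted forest unless granted here".
$computer = [ADSI]'LDAP://CN=FS01,CN=Computers,DC=domain2,DC=local'
$account  = New-Object System.Security.Principal.NTAccount('DOMAIN', 'jsmith')
$sid      = $account.Translate([System.Security.Principal.SecurityIdentifier])   # resolved over the new trust
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'           # Allowed-To-Authenticate rightsGuid
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid, `
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, `
    [System.Security.AccessControl.AccessControlType]::Allow, `
    $allowedToAuthenticate
$computer.ObjectSecurity.AddAccessRule($rule)
$computer.CommitChanges()

# Share/NTFS permissions on FS01 are still needed on top of this; the extended right only lets the
# account authenticate to that computer. Users in domain2.local get no access to domain.local because
# there is no trust in that direction.
```

Check the trust listing before granting anything: if `TrustDirection` shows `Bidirectional` or `Inbound`, the trust was created the wrong way round and should be removed (`netdom trust domain2.local /d:domain.local /remove`) before carrying on.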
