1

I'm completely new to the Windows Server/AD thing. I'm a linux guy at heart and trying this Windows stuff is mind-boggling.

I have an existing AD domain that I don't manage and is out of my control which I want as the parent domain. I'm trying to create a child domain without having domain admin on the parent. I have a generic account, if that helps.

  1. Is it possible to do what I want to do?
  2. Is what I'm trying to do actually the right thing at all? See below for what I want to achieve...

I want to create a new domain that allows existing users of domain A (my proposed parent) to authenticate to machines attached to domain B (proposed child). I also want to be able to add accounts that just exist in domain B. Finally I want to be able to add extra groups to users of domain A that are only effective in domain B. In short: I want to use domain A for password authentication (and some of the existing groups) where possible and have everything else controlled by domain B.

Yeah, I'm a total beginner and I've heard the general concept of what I want to do is totally possible but I've no idea how to or what it's called. I think it might even be a one-way forest trust?

Extra info: My domain controller (domain B) is Windows Server 2016 virtualised on VMWare and is network routable to domain A.

Thanks!

Jamie Scott
  • Why do you want/need to do this? – joeqwerty Aug 20 '17 at 21:37
  • For a new virtualisation cluster we're commissioning – Jamie Scott Aug 20 '17 at 21:47
  • Please ask your admin, as you need admin rights. Anyhow, implementing a new cluster without their approval might get you in trouble, especially if you start creating a new domain there – yagmoth555 Aug 20 '17 at 22:02
  • Your user account in the parent domain needs to be a member of the Enterprise Admins security group in the parent domain. If it isn't then you won't be able to create a child domain. – joeqwerty Aug 20 '17 at 22:04
  • 1
    I'm voting to close this question as off-topic because it's not a good idea to bypass the domain admin guy/team, best way to get fired. – yagmoth555 Aug 20 '17 at 22:05
  • Please don't question the ethical aspect of this. We have full permission to attempt to do what we are trying to do with the current situation; we are unlikely to have a privileged account on the parent domain, hence asking this question. So please - is it possible to do this without a domain/enterprise admin account or is it not? That's really my question - I was hoping it would be a simple yes/no? – Jamie Scott Aug 20 '17 at 22:24
  • 1
    I've already given you a simple yes/no in my second comment. It isn't possible. Your user account in the parent domain needs to be a member of the Enterprise Admins security group in the parent domain. If it isn't then you won't be able to create a child domain. – joeqwerty Aug 20 '17 at 22:31
  • @yagmoth555 I agree in general, but we don't know anything about his specific situation. Doing this can be perfectly okay (for testing purposes, or in a local department network inside a Big Company Network), and the details are not our concern. – peterh Aug 21 '17 at 04:13
  • @peterh To make it simple, a child domain is like a pregnant woman: if the baby has a problem, it impacts the woman and vice versa. For that reason he needs to discuss his plan with his colleagues. I didn't answer, but the OP should keep domain B for testing (hosts), and he can use domain A for any VM. He will keep the liberty to do anything he wants in domain B, and because each subnet is routed he could access domain A resources too – yagmoth555 Aug 21 '17 at 11:43
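The comments above state the hard requirement: the account used to promote a child domain must be a member of Enterprise Admins, which lives in the forest root domain of the parent. Before anyone spends time on the promotion wizard, both points can be checked from the prospective domain controller. The following PowerShell is an added example, not code from the question or its commenters; it assumes the parent domain is named corp.example, the new child is "lab", the RSAT ActiveDirectory module and the AD DS role (which supplies ADDSDeployment) are installed on the Server 2016 box, and it is run from an elevated prompt.

```powershell
# Added example (not part of the original post): verify Enterprise Admins
# membership for a parent-domain account, then run the child-domain
# promotion prerequisite check without making any changes.
# Assumed names: parent domain corp.example (domain A), child "lab" (domain B).
Import-Module ActiveDirectory    # RSAT-AD-PowerShell feature
Import-Module ADDSDeployment     # installed with the AD-Domain-Services role

$parentDomain = 'corp.example'
$childName    = 'lab'
$cred         = Get-Credential -Message 'Account in the parent domain (DOMAIN\user or UPN)'

# Enterprise Admins exists only in the forest root, which is not necessarily
# the domain you intend to use as the parent, so resolve the root first.
$forestRoot = (Get-ADDomain -Server $parentDomain -Credential $cred).Forest

# Nested membership counts, so expand the group recursively.
$eaMembers = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $forestRoot `
                 -Credential $cred -Recursive |
             Select-Object -ExpandProperty SamAccountName

# Strip DOMAIN\ or @upn-suffix to get the sAMAccountName for comparison.
$user = $cred.GetNetworkCredential().UserName -replace '@.*$'

if ($eaMembers -notcontains $user) {
    Write-Warning ("{0} is not a member of Enterprise Admins in {1}; " +
                   "Install-ADDSDomain will be refused for a child of {2}." -f
                   $user, $forestRoot, $parentDomain)
} else {
    Write-Host "$user holds Enterprise Admins in $forestRoot; promotion is permitted."
}

# Dry run: Test-ADDSDomainInstallation evaluates the same prerequisites as
# Install-ADDSDomain (credentials, DNS, forest functional level) without
# promoting the server. The DSRM password is required even for the test.
Test-ADDSDomainInstallation `
    -NewDomainName $childName `
    -ParentDomainName $parentDomain `
    -DomainType ChildDomain `
    -Credential $cred `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -InstallDns `
    -CreateDnsDelegation
```

Reading group membership needs only a normal authenticated account, so the first half works with the "generic account" mentioned in the question; the second half will report a permission failure if that account is not an Enterprise Admin, which is the answer the commenters gave. If the goal is merely for domain A users to log on to domain B machines, a separate forest with a one-way trust also needs an administrator on the domain A side to create the trust, so neither design avoids involving the parent domain's admins.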

0 Answers