
I have a Top level domain controller (DC1) running the top level forest on my network. I added a Tree Domain Controller (TDC1) as a new domain in the forest. I am trying to add ENTERPRISE ADMINS to the new Tree in Active Directory. So essentially those in the ENTERPRISE ADMINS group for the forest on DC1 are also admins on TDC1. When I try to add the group or a group from it from DC1 to TDC1 it does not allow me to select another domain to pull the group.

Is it possible to make the ENTERPRISE ADMINS domain admins on the Tree domain, or do I have to remake users in that domain to allow them to log in to that domain? Or can I make a group on the forest level DC1 and add that group to the TDC1 domain as permissions require?

All Servers running Windows Server 2016.

EDIT: Tree domain as shown here in the Server 2016 Configuration Manager section when adding a Domain to a Forest. So I am adding a domain to the forest. In my Active Directory Administrative Center client I can add both domains to it to manage them both from DC1. So what I have is the DC1 domain, which is an area for office work, and a TDC1 domain, which is a test lab; security and management is run from DC1. I guess I am wondering, since on the DC1 domain I added an admin group to ENTERPRISE DOMAINS, is that group admin on the TDC1?

The networks are not connected to each other other than the 2 DCs connected to each other. So logins from DC1 domain users will not work on TDC1 computers.

JukEboX

  • Hi jukebox, see my answer, but also if you can give us a diagram of how your domains are related to each other that would help. In AD there is no such term as Tree Domain Controller or tree domain. I'm sure with a little more detail we can solve this problem today. – Michael Brown Jul 10 '17 at 15:20
  • @MichaelBrown I updated my question with some information. I am working on a diagram for you. So I guess I have 2 separate domains in the same forest. Although I think I am confused about them being in a "forest" when there is no top level server to manage them. – JukEboX Jul 10 '17 at 15:45
  • Hi, AD is made up of Domains, Trees and Forests. The first Domain you install is the Tree root and Forest Root domain. This domain hosts the enterprise admin group amongst other things. The domain you are creating (based on the screen shot) is going to be a new domain in a new tree (there are almost no reasons to do this on a production network); having said that, my answer still applies. When you create this 2nd tree the admin groups for the forest root domain will already be added as members of the Administrator group in your new tree... – Michael Brown Jul 10 '17 at 15:51
  • ...There is no need to add your Enterprise admin group in the way described in your question; the Administrator account from the Forest root domain will have admin access to your new tree. This article is a little bit old but still relevant: https://technet.microsoft.com/en-us/library/cc759073(v=ws.10).aspx – Michael Brown Jul 10 '17 at 15:53
  • Great, thanks @MichaelBrown. The Tree Domain is a new idea for me but it has some plausible application to what we need it for. Thanks for your help. – JukEboX Jul 10 '17 at 16:40

1 Answer

Your terminology is very confusing. Do you have two domains, one root domain and one child in a single tree, or do you have two domains in two different trees in the same forest?

In either case you do not need to do what you are trying to do. If both domains are in the same tree, or if they are two trees in the same forest, you will find that the DomainAdmins group from the root domain is already added to the Domain Local Administrators group in the child domain. If it is a separate tree you have created then the same applies.

So your default Administrator account will already have admin rights in both examples. There is a table on this link that explains what these groups are and how they are already nested inside one another:

https://technet.microsoft.com/en-us/library/cc700835.aspx

If, however, you have created a new forest then you will have to create a forest trust first; then you will be able to add your admins groups from one domain to the other.

Michael Brown
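The quickest way to settle the question asked above (which forest-root groups are already nested in the new domain's Administrators group, and whether a trust is needed at all) is to read the membership from a DC in the target domain rather than guessing from the GUI. The script below is an added example; it is not from the question, the answer, or Microsoft's documentation. It assumes the RSAT ActiveDirectory module is installed, that the caller can read group membership in the target domain, and that the function name `Get-AdminGroupMembersByDomain` and the domain name in the usage line are placeholders of my own.

```powershell
# Added example (not from the original post or from Microsoft). Assumes the RSAT
# ActiveDirectory module and read access to group membership in the target domain.
Import-Module ActiveDirectory

function Get-AdminGroupMembersByDomain {
    param(
        # The new tree or child domain whose BUILTIN\Administrators group we inspect
        [Parameter(Mandatory)] [string] $TargetDomain
    )

    $forest = Get-ADForest
    if ($forest.Domains -notcontains $TargetDomain) {
        # Not a domain of this forest: as the answer says, a forest trust has to
        # exist before groups can be nested across the boundary. Show what exists.
        Write-Warning "$TargetDomain is not in forest $($forest.Name); listing trusts instead."
        return Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, TrustType
    }

    # Locate a DC in the target domain that runs the AD Web Service, then read the
    # well-known Administrators group (SID S-1-5-32-544) through its 'member'
    # attribute. The attribute holds distinguished names, so members from other
    # domains in the forest show up without any cross-domain object resolution.
    $dc = (Get-ADDomainController -DomainName $TargetDomain -Discover -Service ADWS).HostName |
          Select-Object -First 1
    $admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $dc -Properties member

    foreach ($dn in $admins.member) {
        # Everything after the first ',DC=' identifies the member's home domain.
        $homeDomain = (($dn -split ',DC=') | Select-Object -Skip 1) -join '.'
        [pscustomobject]@{
            # First RDN without its 'CN=' prefix (escaped commas in a CN are not handled)
            Member         = ($dn -split ',')[0] -replace '^CN='
            HomeDomain     = $homeDomain
            FromForestRoot = ($homeDomain -eq $forest.RootDomain)
        }
    }
}

# Usage (placeholder domain name): rows with FromForestRoot = True are the
# forest-root groups that are already local administrators in the new domain.
Get-AdminGroupMembersByDomain -TargetDomain 'lab.example.local' | Format-Table -AutoSize
```

Reading the `member` attribute directly, instead of calling `Get-ADGroupMember`, is deliberate: membership that spans domains is stored as distinguished names, so the listing works even when the account running the script cannot resolve every member object. If the output already shows a forest-root group with `FromForestRoot = True`, nothing needs to be added by hand; if the domain is outside the forest, the trust listing tells you what is in place before you try to nest anything.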