In an Active Directory infrastructure, each Active Directory domain (or subdomain) is managed on one or more domain controllers.
You therefore need at least one domain controller for each domain or subdomain you want to manage.
Note that it's therefore not possible to create several Active Directory domains and/or subdomains on the same domain controller (server).
To add a domain to an Active Directory infrastructure, you must therefore install a new domain controller using the "Active Directory Domain Services" role.
Once the "Active Directory Domain Services" role is installed, click on the "Promote this server to a domain controller" link.
To add a new domain to an existing forest, select "Add a new domain to an existing forest" and click the "Select" button.
Specify the credentials of an account authorized to join this server to the desired parent domain.
Select the desired parent domain and click OK.
The parent domain and credentials appear automatically.
For the type of domain, you have the choice between:
Source: Deployment Configuration
In our case, we select "Child Domain" and click Next.
When you create an Active Directory subdomain, you have the option of choosing a lower functional level than the forest if you want to support older versions of Windows Server (if that is your case).
In our case, we only have servers on Windows Server 2016, so we leave the default.
For explanations of the other options available here, refer to our tutorial: Create an Active Directory domain controller on Windows Server 2016.
As explained in our "The basics of Active Directory Domain Services (AD DS)" article, a trust relationship is automatically created between the child domain and the parent domain when you add a new domain to an existing forest.
The wizard therefore also automatically creates a delegation at DNS level.
The wizard generates a NetBIOS domain name based on the name of the subdomain.
So, in our case: WEB.
As usual, you have the option of changing the location of the various folders for the database, log files, and SYSVOL folder of your domain controller.
A summary is displayed indicating that the new "web" domain will be a child of "informatiweb.lan".
Wait while the wizard checks the system requirements.
Once the verification is complete, click Install.
Wait while the domain controller is installed.
After the domain controller is installed, the server will restart.
Log in as the administrator of the subdomain ("web" in our case).
As you can see, this domain controller (dc2) is a member of the "web" subdomain of our "informatiweb.lan" domain.
As explained in our "The basics of Active Directory Domain Services (AD DS)" article, a trust relationship is automatically created between the subdomain and its parent.
To check this, open the "Active Directory Domains and Trusts" console.
If you right-click the parent domain ("informatiweb.lan" in our case) and click "Properties", you will see that a two-way (outgoing + inbound) trust relationship of the "transitive" type has automatically been created with the "web" subdomain that we have just created.
In the properties of the subdomain you just created ("web" in our case), you will see the corresponding trust relationship.
Since the DNS zone of the subdomain is not on the same server as the DNS zone of the parent domain, a DNS delegation was automatically created.
Indeed, as you can see, the "web" folder which corresponds to this subdomain has a gray icon which indicates that the management of this subdomain is delegated to another DNS server.
If you view the properties of this "web" subdomain, you will see that the specified name server is your new domain controller.
And on your new domain controller, you will find the DNS zone for your subdomain.
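The same trust and delegation checks can be scripted instead of read off the consoles. The following PowerShell is an added example, not part of the original tutorial; it assumes it runs on the new domain controller after the reboot, that the ActiveDirectory and DnsServer modules are installed, and that the parent DNS zone is hosted on the parent domain's PDC emulator.

```powershell
# Added example (not from the original tutorial). Run on the new DC (dc2) after the reboot.
Import-Module ActiveDirectory, DnsServer

$Parent    = 'informatiweb.lan'   # parent domain used in the tutorial
$Child     = 'web'                # child domain label used in the tutorial
$ChildFqdn = "$Child.$Parent"
$problems  = @()

# 1. Trust objects on both sides: the parent's view of the child, and the reverse.
$checks = @(
    @{ Server = $Parent;    Target = $ChildFqdn },
    @{ Server = $ChildFqdn; Target = $Parent }
)
foreach ($c in $checks) {
    $t = Get-ADTrust -Filter "Target -eq '$($c.Target)'" -Server $c.Server
    if (-not $t) { $problems += "$($c.Server): no trust to $($c.Target)"; continue }
    # A parent-child trust should be two-way, inside the forest, and transitive.
    if ($t.Direction -ne 'BiDirectional') { $problems += "$($c.Server): direction is $($t.Direction)" }
    if (-not $t.IntraForest)              { $problems += "$($c.Server): trust is not intra-forest" }
    if ($t.DisallowTransivity)            { $problems += "$($c.Server): trust is non-transitive" }
}

# 2. List every trust the parent holds, so an unexpected one stands out.
Get-ADTrust -Filter * -Server $Parent |
    Format-Table Name, Direction, IntraForest, ForestTransitive, SelectiveAuthentication

# 3. DNS delegation: ask a parent DNS server which name servers it hands out for the child zone.
#    Assumption: the parent zone is hosted on the parent domain's PDC emulator.
$parentDns = (Get-ADDomain -Server $Parent).PDCEmulator
Get-DnsServerZoneDelegation -Name $Parent -ChildZoneName $Child -ComputerName $parentDns
$nsHosts = Resolve-DnsName -Name $ChildFqdn -Type NS -Server $parentDns -DnsOnly |
    Where-Object { $_.Type -eq 'NS' } | ForEach-Object { $_.NameHost.TrimEnd('.') }

# Assumption: this script runs on the new DC, so its FQDN is <computername>.<child FQDN>.
$thisDc = "$env:COMPUTERNAME.$ChildFqdn"
if ($nsHosts -notcontains $thisDc) { $problems += "delegation lists [$($nsHosts -join ', ')], not $thisDc" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Output "Trust and DNS delegation for $ChildFqdn match what the wizard should create." }
```

Any warning means the state differs from what the wizard is described as creating above; the full trust listing in step 2 is also worth keeping as a baseline for later reviews.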
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.