
Active Directory: Designing two AD domains

Check out this collection of expert responses to real reader questions from Active Directory expert Laura E. Hunter.

The following is a collection of expert responses to reader questions by Laura Hunter.

What is the difference between ADS and a domain controller?

Laura Hunter: ADS is the Automated Deployment Service, which is used to quickly image, deploy, and administer servers and domain controllers on a large scale. You can find more information at the ADS Technology Center.

We are migrating our old file server to a new file server. How can I modify the path of all my users' home directory within Active Directory using a vbs logon script? Our DC is Windows Server 2000.

LH: Check out the source code from Robbie Allen's "Active Directory Cookbook," located here. Recipe 6.4 shows you how to modify a property value for multiple users. Essentially, you select a container such as an OU or a domain and then use a FOR loop to loop through each user object in that container.
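The loop described in the answer above, as an added example (not code from the original page or from the "Active Directory Cookbook"). The container DN and both server names are hypothetical placeholders, and the script assumes it is run with cscript under an account that can write the homeDirectory attribute; it defaults to a report-only dry run.

```vbscript
' Added example: repoint homeDirectory for the users in one container.
Option Explicit

' Assumed values (not from the original page); replace before use.
Const CONTAINER_DN = "OU=Staff,DC=example,DC=com"
Const OLD_PREFIX   = "\\oldfs01\"
Const NEW_PREFIX   = "\\newfs01\"
Const DRY_RUN      = True   ' True only reports; False writes to the directory

Dim objContainer, objUser, strOld, strNew, intChanged

Set objContainer = GetObject("LDAP://" & CONTAINER_DN)
objContainer.Filter = Array("user")   ' enumerate user objects only
intChanged = 0

' Enumerates direct children of the container; sub-OUs are not traversed.
For Each objUser In objContainer
    strOld = ""
    On Error Resume Next              ' Get raises an error when the attribute is unset
    strOld = objUser.Get("homeDirectory")
    Err.Clear
    On Error GoTo 0

    ' Case-insensitive match on the old server prefix, trailing backslash included,
    ' so a server named oldfs010 is not rewritten by mistake.
    If LCase(Left(strOld, Len(OLD_PREFIX))) = LCase(OLD_PREFIX) Then
        strNew = NEW_PREFIX & Mid(strOld, Len(OLD_PREFIX) + 1)
        WScript.Echo objUser.Get("sAMAccountName") & ": " & strOld & " -> " & strNew
        If Not DRY_RUN Then
            objUser.Put "homeDirectory", strNew
            objUser.SetInfo           ' commit the change to the directory
        End If
        intChanged = intChanged + 1
    End If
Next

WScript.Echo intChanged & " account(s) matched " & OLD_PREFIX
```

Review the dry-run output before setting DRY_RUN to False, since the change is written to each account as the loop reaches it.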

I am trying to add a domain account to the local Administrators group on a Windows 2000 Pro workstation. My network is Windows 2000 Server / Active Directory. On the workstation: Administrative Tools > Computer Management > Local Users and Groups > Groups.

I open the Administrator group, and then press "Add..." In the Select Users or Groups dialog, I change the "Look in" value to my domain name. I see a whole list of domain users.

When I add any domain user by double clicking on the users in the list, an error is generated:

"Processing of object x failed with the following error: The specified domain either does not exist or could not be contacted."

What can I do to fix this?

LH: Try adding the user from the command line using the following syntax: net localgroup administrators domain\domainuser /add. If that doesn't work, this error is usually the result of either (1) name resolution woes or (2) the workstation's computer account was not added to the domain correctly. Once you've ruled out name resolution as the culprit, try resetting the workstation's computer account password and dropping/re-adding it to the domain.

I am designing two Active Directory domains in my client network. The domains are Domain A and Domain B. Can you please provide a step-by-step guide for designing two domains with DNS and Active Directory?

1. Setting up Active Directory.
2. Setting up trusts.
3. Setting up DNS Servers.

LH: For Windows Server 2003, your best bet is going to be the Deployment Kit, which is available online from the Microsoft Web site. The section on "Deploying Network Services" will assist you in designing and installing your DNS servers, and the section on "Designing and Deploying Directory and Security Services" will assist you with deploying Active Directory and configuring trust relationships.

I want to restrict 10 drives in Active Directory (Windows 2003). How can I add a Registry key in AD to do that?

LH: You can use Group Policy Objects to restrict access to any combination of the A, B, C and D drive letters, or to restrict access to all drive letters. If you need more granular control than that, you can roll up a custom .ADM template to restrict access to the particular drive letter that you need. See the following KB article for more details.

Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valuable Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at
