![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 98%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKH%3C/text%3E%3C/svg%3E)
20,213 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello Ka Ho Cheng,
Thank you for posting in Q&A forum.
In general, for tasks within a child domain, the Domain Admin account of the child domain should suffice. However, there are certain operations where you might need Enterprise Admin privileges, especially if the task requires making changes that affect the entire forest or involves interactions with the parent domain.
Here’s a more detailed breakdown:
Domain Controller Installation:
When you create a new domain controller in the child domain, you can perform this with the child domain's Domain Admin account. However, if the new domain controller needs to establish trust relationships or replicate certain data from the parent domain initially, you might need Enterprise Admin credentials to complete the setup.
DNS Server:
If you are configuring a DNS server within the child domain, the Domain Admin account of the child domain should normally be sufficient. However, if the DNS server needs to replicate or interact with DNS servers in the parent domain, you may require additional permissions.
DHCP Server:
For implementing a DHCP server in the child domain, the Domain Admin account for the child domain is usually adequate.
To ensure seamless integration, it is sometimes necessary to have Enterprise Admin rights, especially if:
1.Creating or modifying objects at the forest level.
2.Initial replication or interaction between parent and child domains during setup.
3.Configuring DNS delegation or replication where configurations span across domains.
If you are encountering specific issues or require specific integration steps between the child and parent domains, you might need to momentarily escalate privileges with an Enterprise Admin account.
Always refer to your organization's security policies and best practices when elevating privileges.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.