Creating Child Domain in AD

jchim32

Oct 25, 2002
First server up and running, DOMAIN.COM, DNS installed and working with Allow updates ON.

Problem when I attempt to configure the 2nd server as a child within that domain. 2nd server's DNS points to first server. Here are the steps I get through before the error:

1. Domain controller for new domain
2. Create a new child domain in an existing domain tree
3. Enter username, password and domain (it will only proceed if I enter DOMAIN, entering DOMAIN.COM will not work. If I enter DOMAIN.COM it tells me that the domain is not an AD domain or the DC cannot be contacted)
4. Enter parent domain, DOMAIN, and child domain, xyz (Again, if I enter it as DOMAIN.COM it does not see it, I click NEXT and it asks me if I am referring to DOMAIN.COM, I acknowledge and it proceeds)
5. Confirm Domain NetBIOS name, xyz
6. Confirm Database Log and Locations
7. Confirm Shared System Volume
8. Select Permissions compatible only with Windows 2000 servers
9. Enter and confirm password
10. Summary says it will create first domain controller in new domain xyz.domain.com with NetBIOS name xyz, click NEXT
11. Configuring Active Directory attempts to create the domain

Finally it times out saying the operation failed, it was not able to find a suitable domain controller for DOMAIN.COM, says it either does not exist or cannot be contacted.

Any insight on configuration items I am missing?

Thanks,

Jeff
 
It sounds very much like a DNS/network connectivity kind of problem. When you say that the child server's DNS is pointing at the parent server, is it running DNS only as a client? I.E. it's not running DNS as a service itself?

Presuming that the network connectivity is actually ok, and that the child server is not running a DNS service, I suggest you install DNS on the client server and make it primary for the new xyz.domain.com and secondary for domain.com. Check that it gets the zone records for domain.com. Being secondary for domain.com isn't necessary, but it's one way of ensuring the servers are talking to each other, DNS-wise. Try dcpromo again - if you get to step 3 again, and it says domain.com is not found, it's failed (no need to go any further).

If that doesn't work, I'd start again, after getting rid of the DNS. When it gets to the bit in dcpromo where it prompts you for a DNS server, accept the option to create a new DNS server. I can't remember when that part comes up, since it's several months since I last installed Win2k server...

And here's some info from Microsoft which describes the first approach I suggested in a slightly different way:
 
Check the DNS on the parent domain and see if you have it set to secure updates only. There have been cases in which a DNS server will not allow updates from servers that are not fully recognized in the domain - and yours apparently is not.

This might be the cause, otherwise I would also run Netdiag and DCdiag, as well as a DNSLint scan.



Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone -
 

• Probably you've done this already, but are you able to at least ping the parent DC?

• In your steps #3 & #4, you should never use the NetBIOS name to contact the parent DC; even if the installation goes through, you'll get into all kinds of trouble later on. So as billieT suggested, if you get to that point, don't even bother to go any further.

This is what I usually do when creating a Parent/Child setup:

• Install my parent DC. Allow zone transfer to the IP of the child computer. (Secure updates and zone transfers are different things, I guess you know that.)

• Set up a "new delegation" of your DOMAIN.com's AD integrated forward lookup zone. During the delegation process, you need to enter the FQDN for your child computer:
<childcomputername>.<childdomainname>.<fulldomainname>
You also need to enter the IP of the child computer.

• Set up TCP/IP settings on the child: static IP + point to parent for DNS.

• Run dcpromo (btw, your steps are ok).
Note: since you created a delegation on the parent, the child is expecting to have DNS installed; it will ask you for DNS installation, provide the path to the I386, etc.
Note that when you run dcpromo on the child without creating the delegation, the AD installation wizard doesn't ask you for DNS installation.

• Important: if installation of the child domain runs FINE, before rebooting you should point to yourself for DNS. If you forget that, the child will have problems creating its own records.

• Also, I'd suggest creating (on the child) a forward-secondary zone to be able to resolve DNS queries of hosts on the parent domain; otherwise, the child domain will think he is the root, when in reality, the root is the parent.

I hope this is of some help to you.
Let us all know if any suggestion brought any solution ;)

Thank you.


Breakerfall
®º°¨¨°º can you ping me now...GOOD! º°¨¨°º®
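
An added example, not written by any poster in this thread: the replies above all come down to whether the prospective child DC can find a domain controller for the parent through DNS by its FQDN. The script below checks that before dcpromo is run, by querying the DC locator SRV record `_ldap._tcp.dc._msdcs.<domain>` and testing each target. It assumes a current Windows host with the `Resolve-DnsName` and `Test-NetConnection` cmdlets (not present on the Windows 2000 servers discussed here); the domain name and DNS server address are placeholders.

```powershell
# Added example: pre-dcpromo DNS check, run on the prospective child DC.
# Assumed values: substitute your parent domain FQDN and the parent's DNS server IP.
param(
    [string]$ParentDomain = 'domain.com',   # FQDN, never the NetBIOS name
    [string]$DnsServer    = '192.0.2.10'    # constructed placeholder address
)

function Test-ParentDcLocator {
    param([string]$Domain, [string]$Server)

    # Domain controllers are located through this SRV record set.
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "No answer for $srvName from ${Server}: $($_.Exception.Message)"
        return $false
    }
    if (-not $srv) {
        Write-Warning "$srvName holds no SRV records; the parent DC has not registered them."
        return $false
    }

    $ok = $true
    foreach ($rec in $srv) {
        # Each SRV target must resolve to an address and accept a connection on its port.
        $addr = Resolve-DnsName -Name $rec.NameTarget -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' }
        if (-not $addr) {
            Write-Warning "SRV target $($rec.NameTarget) has no A record on $Server."
            $ok = $false
            continue
        }
        foreach ($a in $addr) {
            $tcp = Test-NetConnection -ComputerName $a.IPAddress -Port $rec.Port -WarningAction SilentlyContinue
            Write-Host ('{0} ({1}) port {2}: reachable={3}' -f $rec.NameTarget, $a.IPAddress, $rec.Port, $tcp.TcpTestSucceeded)
            if (-not $tcp.TcpTestSucceeded) { $ok = $false }
        }
    }
    return $ok
}

if (Test-ParentDcLocator -Domain $ParentDomain -Server $DnsServer) {
    Write-Host "DNS can locate a domain controller for $ParentDomain."
} else {
    Write-Host "Fix DNS for $ParentDomain before running dcpromo."
}
```

A failure at the SRV lookup points at missing dynamic registrations on the parent zone; a failure at the connection test points at network reachability rather than DNS.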
 
Great thread. Billie's link above was also helpful. I've checked these steps, but I'm having a different problem in creating my child domain.

Upon running dcpromo, I get an "Access Denied" message and dcpromo asks me for an account that has the authority to create a child domain.

I've checked that this account is in the Domain admins and in the Enterprise Admins groups. Is there a policy I've missed someplace?
 