second domain tree

bighornsheep Member Posts: 1,506
I'm trying to add a second domain tree in an existing forest. It's a single domain forest with only one domain controller, and one DNS server.

Both servers run Windows 2003, and the 3rd will also run Windows 2003. I'm using server roles to install AD as normal, and I choose the "domain in existing forest" option, but I am having problems with the part where I am asked about network credentials. It makes sense that I have to input login and password + domain information from my existing forest; however, it's returning an error all the time that it's not locating the domain (the existing one).

I've tried to install DNS service on the new (3rd) machine and forward requests to the existing DNS server, and I've also tried to add a secondary zone to transfer from the DNS server in the existing forest, but it's complaining that the transfer fails. Zone transfer is enabled, and security rights are set properly.

Does anyone have any ideas?
Jack of all trades, master of none


    royal Member Posts: 3,352
    Before you do anything, go onto the parent domain's dns server and configure a conditional forwarder to point to new tree domain's dns server. Now on the new domain tree, configure the dns ip to point to the parent domain's dns server. This will allow the new tree domain to contact the parent domain controller to confirm credentials that live on the parent domain. Now you can create the new tree. When AD/DNS finishes installing, you'll of course get a prompt to reboot. Before you do the actual reboot, go into the dns console and configure a conditional forwarder to point to the parent domain's namespace with one or more of the dns servers for that parent namespace. Why do this? Well since you promoted a new DC and had it install DNS, it changes its DNS IP to How is it supposed to contact the parent dns server for replication and pull the forest wide ForestDNSZone which includes the _msdcs.rootdomain.com? So by creating this delegation, upon reboot, both the parent can contact the new tree through the forwarder created on the parent domain from earlier and vice versa from the forwarder you created on the new tree DC before the reboot. When you do the reboot, both the new tree and the parent domain will do some registrations with each other that should take 5 minutes or so and eventually they will replicate with each other and be fully replicated. The process should take around 10-15 minutes.

    This help?
    “For success, attitude is equally as important as ability.” - Harry F. Banks
    bighornsheep Member Posts: 1,506
    Thanks Royal, your explanation didn't directly solve the problem, but it gave me something to try out and eventually I did discover what the real problem was. When I added the conditional forwarder, I could communicate by ping and tracert, and the dc was up & running; so why was the credential verification failing on dcpromo?

    Then I realized... I have RRAS enabled on the DC for NAT; the basic firewall was not configured to allow incoming AD traffic... sigh...

    Thanks again!
    Jack of all trades, master of none
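Added example, not from either poster: a PowerShell pre-flight check that runs on the would-be new tree DC before dcpromo. It covers both points raised in the thread: whether the parent domain's DC locator records resolve through the DNS server the new box points at (royal's forwarder setup), and whether the AD ports the credential check needs are actually reachable on the parent DC, which is the case a ping cannot distinguish from a host firewall such as the RRAS basic firewall. The domain name, IP and port list are assumed placeholders; Resolve-DnsName needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the thread). Pre-flight checks before promoting a new tree
# DC into an existing forest. Assumed placeholder values: replace with your own.
param(
    [string]$ParentDomain = 'parent.example',   # existing forest root domain (placeholder)
    [string]$ParentDcIp   = '192.0.2.10',       # parent DC that also runs DNS (placeholder)
    [int]$TimeoutMs       = 3000
)

# TCP ports a domain join / dcpromo credential check must reach on the parent DC.
$AdPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    3268 = 'Global Catalog LDAP'
}

function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Do the parent domain's DC locator SRV records resolve via the parent DNS server?
#    If this fails, the DNS IP / conditional forwarder on this box is the problem.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ParentDomain" -Type SRV `
                       -Server $ParentDcIp -ErrorAction SilentlyContinue
if ($srv) {
    Write-Host "OK   DC SRV records for $ParentDomain found via $ParentDcIp"
    $srv | Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { Write-Host "     DC: $($_.NameTarget):$($_.Port)" }
} else {
    Write-Host "FAIL no DC SRV records for $ParentDomain via $ParentDcIp (check DNS IP / forwarder)"
}

# 2. Are the AD ports open on the parent DC? Ping succeeding while these fail points at a
#    host firewall on the parent DC (RRAS basic firewall, Windows Firewall), not at DNS.
foreach ($port in ($AdPorts.Keys | Sort-Object)) {
    $state = if (Test-TcpPort -TargetHost $ParentDcIp -Port $port -TimeoutMs $TimeoutMs) { 'OK  ' } else { 'FAIL' }
    Write-Host "$state TCP $port ($($AdPorts[$port]))"
}
```

A FAIL on the SRV lookup with all ports OK means fix DNS first; SRV OK with port failures means open those ports on the parent DC's firewall before re-running dcpromo.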