New domain root tree in existing forest

Penfold Member Posts: 43
Hi all,

I'm having problems creating a new domain root tree in my forest. I've got two DCs set up in VMware running srv 2003. The 2nd DC is set up so that the preferred DNS points to the 1st DC; this is right, I assume? The AD install wizard seems to complete OK when promoting the 2nd DC and creating the new domain root tree; however, after restarting it gets stuck/hangs at preparing network connections.


  • bulletproof baba Member Posts: 12
    You will need to make sure the DC for DCAU is a:

    • Relative identifier master

    • Primary domain controller (PDC) emulator

    • Infrastructure master

    To create a new domain tree

    1. Click Start, click Run, and then type dcpromo to start the Active Directory Installation Wizard.

    2. On the Operating System Compatibility page, read the information and then click Next.

       If this is the first time you have installed Active Directory on a server running Windows Server 2003, click Compatibility Help for more information.

    3. On the Domain Controller Type page, click Domain controller for a new domain, and then click Next.

    4. On the Create New Domain page, click Domain tree in an existing forest.

    5. On the Network Credentials page, type the user name, password, and user domain of the user account you want to use for this operation, and then click Next.

       The user account must be a member of the Enterprise Admins group.

    6. On the New Domain Tree page, type the full DNS name for the new domain, and then click Next.

    7. On the NetBIOS Domain Name page, verify the NetBIOS name, and then click Next.

    8. On the Database and Log Folders page, type the location in which to install the database and log folders, or click Browse to choose a location, and then click Next.

    9. On the Shared System Volume page, type the location in which to install the Sysvol folder, or click Browse to choose a location, and then click Next.

    10. On the DNS Registration Diagnostics page, verify if an existing DNS server will be authoritative for this forest or, if necessary, choose to install and configure DNS on this server by clicking Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server, and then click Next.

    11. On the Permissions page, select one of the following:

        • Permissions compatible with pre-Windows 2000 Server operating systems

        • Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems

    12. On the Directory Services Restore Mode Administrator Password page, type and confirm the password that you want to assign to the Administrator account for this server, and then click Next.

        Use this password when starting the computer in Directory Services Restore Mode.

    13. Review the Summary page, and then click Next to begin the installation.

    14. Restart the computer.


    • To perform this procedure, you must be a member of the Domain Admins group (in the forest root domain) or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

    • Before installing Active Directory, you will need to consider pre-Windows 2000 compatible security levels and identify the DNS name of the domain. For more information, see the checklist in Related Topics.

    • When a new domain tree is created in an existing forest, a two-way, transitive tree root trust is established by default.

    • The wizard options on the Permissions page affect application compatibility with computers running pre-Windows 2000 and Windows Server 2003 operating systems and are not related to domain functionality. For more information about permissions, see Related Topics.

    • You can also use a smart card to verify administrative credentials. For more information about smart cards, see Related Topics.

    • The Active Directory Installation Wizard allows Active Directory domain names up to 64 characters or up to 155 bytes. Although the limit of 64 characters is usually reached before the limit of 155 bytes, the opposite could be true if the name contains Unicode characters consuming three bytes. These limits do not apply to computer names.

    • You cannot install Active Directory on a computer running Windows Server 2003, Web Edition, but you can join the computer to an Active Directory domain as a member server.
  • Penfold Member Posts: 43
    By DCAU you mean the 1st DC, right? Being the 1st DC it should already have the RID, Infrastructure and Operations master roles plus Schema and Domain naming. So I've already followed the wizard right the way through, but like I say it keeps hanging on preparing network connections after reboot.
  • NetAdmin2436 Member Posts: 1,076
    It certainly sounds like a DNS issue if it's hanging like that. Can you verify in DNS on server 1 that the appropriate DNS records were created for that new domain tree? You did set static IPs on all your servers, right?

    Nice post and thanks for helping. However, I wouldn't get in the habit of plagiarizing; you should start to use links or reference where you copied and pasted from.
    Create a new domain tree: Active Directory
    WIP: CCENT/CCNA (.....probably)
  • dynamik Banned Posts: 12,314
    Try restarting with the network disconnected. That might let you get in and poke around.
  • Penfold Member Posts: 43
    Thanks for the replies guys. DNS should be OK as I tried a fresh Server 2003 install on another VM to rule out anything wrong with the original, but to be fair I've not run any diagnostics on DNS as of yet. NetAdmin, the DNS records are not in DC1 after creating the domain root tree and IPs are static, so not sure what's happening or why.

    Once the 2nd DC has restarted after dcpromo there is no way to change the TCP/IP properties; tried safe mode and Directory Services Restore Mode but no luck opening up the network connections.
  • NetAdmin2436 Member Posts: 1,076
    K, that sounds like a problem then. If DC2 is going to point to DC1 (DNS) then DC1 has to be configured with the second domain tree's zone. Have you created a zone for the other tree root?

    Do you have DNS running on DC2?
    WIP: CCENT/CCNA (.....probably)
  • Penfold Member Posts: 43
    Not tried adding in the zone into DC1 because I thought the dcpromo wizard would have done this automatically, shouldn't it? DNS isn't configured on DC2 as it was purely installed anew for lab purposes and has its preferred DNS as DC1 (before promotion).
  • dynamik Banned Posts: 12,314
    What DNS option did you choose when running the promotion?
  • Penfold Member Posts: 43
    The middle option - to allow the wizard to install and configure DNS and to set this computer to use this DNS server as its preferred server. I think that means after promotion DC2 then switches to using its own DNS service after it has been installed.
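
Added example, not part of any post in this thread: a cmd script for the DNS check the replies ask for. It queries one chosen DNS server for the DC locator SRV records that a domain controller of the new tree registers. The script name and both arguments (the new tree's DNS name and the DNS server address) are placeholders supplied by whoever runs it.

```bat
@echo off
rem Added example: verify DC locator SRV records for a new domain tree.
rem Usage: check-srv.cmd <new-tree-dns-name> <dns-server-address>
rem Both arguments are placeholders; nothing here comes from the thread.
setlocal
if "%~2"=="" (
  echo Usage: %~nx0 ^<new-tree-dns-name^> ^<dns-server-address^>
  exit /b 2
)
set "DOMAIN=%~1"
set "DNS=%~2"
set MISSING=0

rem Records a DC registers through Netlogon for its own domain.
rem The pdc record exists only on the PDC emulator, which the first
rem DC of a new domain always is.
for %%R in (
  _ldap._tcp
  _kerberos._tcp
  _kerberos._udp
  _kpasswd._tcp
  _ldap._tcp.dc._msdcs
  _kerberos._tcp.dc._msdcs
  _ldap._tcp.pdc._msdcs
) do call :check %%R

if %MISSING%==0 (echo All locator records answered by %DNS%.) else (echo Records missing on %DNS%: see FAIL lines.)
endlocal & exit /b %MISSING%

:check
rem Trailing dot makes the name fully qualified so nslookup does not
rem append the local DNS suffix search list and hide a missing record.
nslookup -type=SRV %1.%DOMAIN%. %DNS% 2>nul | find /i "svr hostname" >nul
if errorlevel 1 (
  echo [FAIL] %1.%DOMAIN%
  set MISSING=1
) else (
  echo [ OK ] %1.%DOMAIN%
)
goto :eof
```

Running it once against the first DC and once against the new DC shows which server, if either, actually holds the zone for the new tree.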