Single forest child domain installation on multiple root domains issue

    Question

  • I am trying to replicate a scenario where an organization will have multiple child domains associated with multiple root domains in the same forest. 

    The child domain installation under the first root domain went fine because it is the first domain installed in the forest and it has the Enterprise Admins group permissions under Active Directory Users and Computers.  

    The problem occurs when I try to create a child domain under the second root domain because it doesn't have the Enterprise Admins group permissions, and it says the child domain creation fails. 

    Is there a way to install child domains under multiple root domains in the same forest? 

    Please let me know if you have answers 

    Tuesday, November 06, 2012 7:25 AM

All replies

  • Is there a way to add the Enterprise Admins group to the second root domain in the same forest? 

    I want to do this because, when I try to add a child domain under the second root domain, it's complaining about a missing Enterprise Admins group on the second root domain. 


    Tuesday, November 06, 2012 7:56 AM
  • >> Is there a way to add the Enterprise Admins group to the second root domain in the same forest? 
    >> I want to do this because, when I try to add a child domain under the second root domain, it's complaining about a missing Enterprise Admins group on the second root domain. 

    The Enterprise Admins group only exists in the root (parent) domain in a parent-child domain scenario. There will be no Enterprise Admins group in the child domain; it only exists in the root domain.


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, November 06, 2012 8:05 AM
  • Maybe I gave the wrong explanation. So, the scenario is: I have a single forest with multiple root domains, and the first root domain will automatically be part of the Enterprise Admins group. My question is: Is there a way to add the Enterprise Admins group to the second root domain in the same forest? 
    Tuesday, November 06, 2012 8:13 AM
  • >> Maybe I gave the wrong explanation. So, the scenario is: I have a single forest with multiple root domains, and the first root domain will automatically be part of the Enterprise Admins group. My question is: Is there a way to add the Enterprise Admins group to the second root domain in the same forest? 

    No, the Enterprise Admins and Schema Admins groups only exist in the root domain, not in any other domain.

    http://technet.microsoft.com/en-us/library/cc726016%28v=ws.10%29.aspx

    You can actually add users from other domains to the Enterprise Admins group using the AGUDLP method.

    AGUDLP (Accounts, Global, Universal, Domain Local, Permissions) is the method for adding users to groups:
    - Add the user accounts to global groups > global groups to universal groups > universal groups to domain local groups > domain local groups to the group you want to assign the permission to.


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, November 06, 2012 8:27 AM
  • A forest can have only a single root domain - the first domain which you create when you create the forest.

    So I'm not really sure what you mean by "The problem occurs when I try to create a child domain under the second root domain because it doesn't have the Enterprise Admins group permissions. And it says the child domain creation fails."

    How exactly are you going about creating "a child domain under the second root domain"? More specifically, how do you create "the second root domain"?

    Can you elaborate?

    hth
    Marcin

    Tuesday, November 06, 2012 12:24 PM
  • Can't a forest have multiple roots? When you run DCPromo and select advanced installation mode, you can create a new domain in an existing forest and select "create a new domain tree root" instead of a child domain.

    Doesn't that mean you can have multiple root domains? 

    Please correct me if I am wrong.

    Tuesday, November 06, 2012 6:18 PM
  • You are referring to domain trees (and their respective roots) - not forest roots. You can have multiple domain trees in the forest if you want to introduce multiple namespaces (one namespace per each domain tree). However, even in this case, there is still only a single forest root where Enterprise Admins universal group is defined.

    As per http://technet.microsoft.com/en-us/library/cc977994.aspx

    When it is necessary for domains in the same organization to have different namespaces, create a separate tree for each namespace. In Windows 2000, the roots of trees are linked automatically by two-way, transitive trust relationships. Trees linked by trust relationships form a forest. A single tree that is related to no other trees constitutes a forest of one tree.

    The tree structures for the entire Windows 2000 forest are stored in Active Directory in the form of parent-child and tree-root relationships. These relationships are stored as trust account objects (class trustedDomain) in the System container within a specific domain directory partition. For each domain in a forest, information about its connection to a parent domain (or, in the case of a tree root, to another tree root domain) is added to the configuration data that is replicated to every domain in the forest.

    hth
    Marcin


    Tuesday, November 06, 2012 6:30 PM
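The structure Marcin describes (one forest root, several domain trees, each joined by trustedDomain objects in the System container) can be verified from the forest root with the ActiveDirectory PowerShell module. The script below is an added example and not code from the thread; it assumes the RSAT AD module is available and that the caller can read every domain, and it uses the thread's lab names (one.dt forest root, two.dt second tree) as placeholders.

```powershell
# Added example: map the forest's domain trees and the trust objects that link them.
# Assumes the ActiveDirectory module (RSAT) and read access to each domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest root domain : {0}" -f $forest.RootDomain           # e.g. one.dt
"All domains        : {0}" -f ($forest.Domains -join ', ')  # e.g. one.dt, two.dt, qa.one.dt

# Enterprise Admins is a universal group that exists only in the forest root domain,
# which is why a second tree root (two.dt) never has its own copy.
$rootDn = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName
Get-ADGroup -Identity "CN=Enterprise Admins,CN=Users,$rootDn" -Server $forest.RootDomain |
    Select-Object Name, GroupScope, DistinguishedName

# Each domain's connection to its parent (or, for a tree root, to the forest root)
# is stored as a trustedDomain object under CN=System in that domain's partition.
# Within-forest trusts carry the WITHIN_FOREST flag (0x20) in trustAttributes.
foreach ($domain in $forest.Domains) {
    $dn = (Get-ADDomain -Identity $domain).DistinguishedName
    Get-ADObject -Server $domain -SearchBase "CN=System,$dn" `
        -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, trustDirection, trustAttributes |
        Select-Object @{n = 'Domain'; e = { $domain }},
                      trustPartner, trustDirection,
                      @{n = 'WithinForest'; e = { ($_.trustAttributes -band 0x20) -ne 0 }}
}

# Get-ADTrust -Filter * -Server $domain returns the same objects with the flags decoded.
```

Run it from a member server in the forest root; a tree root that is correctly joined shows a two-way trust to the forest root flagged WithinForest, and the Enterprise Admins lookup succeeds only against the root domain.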
  • Hi. Thanks for the reply. Now I understand that it is called domain trees and not forest roots. 

    So, my question is "Can all domain trees have child domains?" And if so, how do you create a child domain on the different domain trees? 

    Please let me know. 

    Tuesday, November 06, 2012 6:43 PM
  • Yes, they can.

    The specifics would depend on the OS version of the system you are promoting (Windows Server 2003 - step 4 in http://technet.microsoft.com/en-us/library/cc787706(WS.10).aspx or Windows Server 2012 - http://technet.microsoft.com/en-us/library/jj574105.aspx ), but in short, you would need to ensure that the FQDN of the new domain is within the tree root namespace - e.g. child1.tree1.domain.com or child2.tree2.domain.com

    hth
    Marcin

    Tuesday, November 06, 2012 6:56 PM
  • Hi,

    So I have a naming convention like this for the forest. I have two primary domains, one.dt and two.dt, in the forest. one.dt is the forest root and it has the Enterprise Admins group.

    Now I was successfully able to create two child domains for one.dt (which are qa.one.dt and dev.one.dt). 

    Now, when I try to create a child domain on two.dt, this is where it's giving me errors. 

    Steps followed to install a child domain on two.dt are: 

    Run dcpromo

    Create a new domain in an existing forest 

    Type the name of any domain in the forest where you plan to install this DC: two.dt given

    Alternate credentials: one.dt\Admin credentials (credentials for one.dt are given because it is the only one with Enterprise Admins permissions) 

    FQDN of parent domain: two.dt

    Single-label DNS name: ten (FQDN of new child domain would be ten.two.dt) 

    After that, all default options

    And finally I get the error: 

    The operation failed because: Active Directory Domain Services could not create the object CN=TEN, CN=Partitions, CN=Configuration, DC=one, DC=dt. "Could not access a partition of the directory service located on a remote server. Make sure at least one server is running for the partition in question." 

    Do you know what i am doing wrong here? Please let me know.

    Thanks

    Tuesday, November 06, 2012 7:41 PM
  • Does the DCPromoUI.log file contain any further information?

    Alexei

    Tuesday, November 06, 2012 10:17 PM
  • Post the following:

    IPCONFIG /ALL from the server you are trying to promote, domain tree root, and forest root

    DCPROMOUI.LOG from the server you are trying to promote (%systemroot%\Debug folder)

    hth
    Marcin


    Tuesday, November 06, 2012 11:35 PM
  • Hi,

    Make sure the DNS settings are correct:

    Best practices for DNS client settings on Domain Controller.
    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

    Regards,
    Cicely

    Wednesday, November 07, 2012 2:21 AM
  • Hi Marcin, I will post all the data soon. 

    Hi Cicely, in my scenario I have two separate DNS servers (one on the root domain (one.dt) and the other on the domain tree (two.dt)). So, for creating a child domain under the second domain tree, what should the DNS point to on the child domain I am trying to install? 

    Wednesday, November 07, 2012 2:57 AM
  • Hi Marcin, here is all the information you had asked for: 

    **********************************************************************

    THIS IS THE FOREST ROOT DOMAIN (contains the Enterprise Admins permissions) 

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : WIN-HRKS8QC79LM
       Primary Dns Suffix  . . . . . . . : one.dt
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : one.dt

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
       Physical Address. . . . . . . . . : 00-50-56-BF-E1-4A
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::24a1:bdcb:cada:a854%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.9.81.180(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . : 10.9.80.1
       DHCPv6 IAID . . . . . . . . . . . : 234901590
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-1E-44-07-00-50-56-BF-E1-4A

       DNS Servers . . . . . . . . . . . : ::1
                                           127.0.0.1
                                           10.9.81.181
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{19A939B2-9B29-46EE-9EDC-C593EA5F99F4}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:3c4d:c2e:f5f6:ae4b(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3c4d:c2e:f5f6:ae4b%13(Preferred)
       Default Gateway . . . . . . . . . : ::
       NetBIOS over Tcpip. . . . . . . . : Disabled

    *********************************************************************************

    THIS IS THE SECOND DOMAIN TREE two.dt

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : WIN-EU3KJOLFLOI
       Primary Dns Suffix  . . . . . . . : two.dt
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : two.dt

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
       Physical Address. . . . . . . . . : 00-50-56-BF-E1-4B
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::9426:43af:ae1f:a601%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.9.81.181(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . : 10.9.80.1
       DHCPv6 IAID . . . . . . . . . . . : 234901590
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-1E-43-FB-00-50-56-BF-E1-4

       DNS Servers . . . . . . . . . . . : ::1
                                           10.9.81.180
                                           127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{2D20EE85-C3B4-43B6-A997-BE66ED638BB7}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    *********************************************************************************
    THIS IS THE CHILD FOREST UNDER THE 2nd DOMAIN TREE

    C:\Users\Administrator.TWO>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : WIN-PD2CD1
       Primary Dns Suffix  . . . . . . . : two.dt
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : two.dt

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connect
       Physical Address. . . . . . . . . : 00-50-56-BF-E1-4E
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::6882:e7f:b4be:f538%11(Preferre
       IPv4 Address. . . . . . . . . . . : 10.9.81.202(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . : 10.9.80.1
       DHCPv6 IAID . . . . . . . . . . . : 234901590
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-1E-5D-D7-00-50-56-BF-

       DNS Servers . . . . . . . . . . . : 10.9.81.181
                                           10.9.81.180
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{8F31BCDB-80F4-475E-8C49-789C05F238FD}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    *********************************************************************************
    This is the dcpromoui log from the server I am trying to promote.

    One thing I don't understand is that I am joining the child domain to the second domain tree (two.dt), and when I run DCPROMO it's disjoining from the two.dt domain and trying to replicate data on one.dt, and it's failing. I don't understand why.


    dcpromoui 9B4.8F0 0701 19:08:37.112     Enter State::SetFailureMessage The operation failed because:

    Active Directory Domain Services could not create the object CN=TWENTY,CN=Partitions,CN=Configuration,DC=one,DC=dt. Check the event log for possible system errors.

    "Could not access a partition of the directory service located on a remote server. Make sure at least one server is running for the partition in question."

    This server has been disjoined from domain "TWO".
    dcpromoui 9B4.8F0 0702 19:08:37.112   Enter State::GetFailureMessage The operation failed because:

    Active Directory Domain Services could not create the object CN=TWENTY,CN=Partitions,CN=Configuration,DC=one,DC=dt. Check the event log for possible system errors.

    "Could not access a partition of the directory service located on a remote server. Make sure at least one server is running for the partition in question."

    This server has been disjoined from domain "TWO".
    dcpromoui 9B4.8F0 0703 19:08:37.112   MessageBox: Active Directory Domain Services Installation Wizard : The operation failed because:

    Active Directory Domain Services could not create the object CN=TWENTY,CN=Partitions,CN=Configuration,DC=one,DC=dt. Check the event log for possible system errors.

    "Could not access a partition of the directory service located on a remote server. Make sure at least one server is running for the partition in question."

    This server has been disjoined from domain "TWO".


    *********************************************************************************

    The operation failed because: 
    Active Directory Domain Services could not create the object CN=twenty, CN=Partitions, CN=Configuration,DC=one, DC=dt.
    Check the event log for possible system errors.

    "Could not access a partition of the directory service located on a remote server. Make sure at least one server is running for the partition in question."

    This server has been disjoined from domain "TWO". 

    *********************************************************************************


    Wednesday, November 07, 2012 3:18 AM
  • Is there a way to send the whole DCPROMOUI.LOG? I have the text file. I am new to these forums and I don't know how to attach a text file. 

    Wednesday, November 07, 2012 3:23 AM
  • Hi,

    >> Is there a way to send the whole DCPROMOUI.LOG? I have the text file. I am new to these forums and I don't know how to attach a text file. 

    Please use SkyDrive(https://skydrive.live.com/) and tell us the link.

    Regards,
    Cicely

    Wednesday, November 07, 2012 3:31 AM
  • Hi Cicely,

    The link to the DCPROMOUI.LOG is 

    https://skydrive.live.com/redir?resid=A1B097419C83E44D!107&authkey=!AJRMRPP9CqMiaiQ

    Wednesday, November 07, 2012 6:31 PM
  • Change the DNS configuration on the server you are trying to promote so it points to 10.9.81.180 as its only DNS server.

    Ensure that the replication scope of all DNS zones is forest-wide (steps at http://blogs.chrisse.se/2011/04/10/are-you-storing-your-ad-integrated-dns-zones-in-the-dns-application-partitions-ncs/ ). Do this on both existing domain controllers.

    On both domain controllers, run IPCONFIG /REGISTERDNS and restart Netlogon service.

    Re-run the promotion.

    hth
    Marcin

    Wednesday, November 07, 2012 9:30 PM
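The four steps Marcin lists (DNS client pointing only at the forest root DC, forest-wide zone replication scope, re-registration, Netlogon restart) can be checked before re-running the promotion. The script below is an added example, not from the thread; it assumes the DnsClient and DnsServer PowerShell modules (Windows Server 2012 or later, or RSAT) and uses the thread's lab addresses (10.9.81.180 forest root DC, 10.9.81.181 tree root DC) as placeholders.

```powershell
# Added example: pre-flight checks for the DNS prerequisites of a cross-tree child
# domain promotion. Addresses and domain names are the thread's lab values; substitute
# your own. Requires the DnsClient and DnsServer modules.
$ForestRootDns = '10.9.81.180'
$ExistingDCs   = '10.9.81.180', '10.9.81.181'
$Domains       = 'one.dt', 'two.dt'

# 1. The server being promoted should use the forest root DC as its only DNS server.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $ForestRootDns
Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4

# 2. From that DNS server, every domain in the forest must resolve its DC locator
#    SRV records. A missing answer for two.dt is the "could not access a partition of
#    the directory service" failure caught before dcpromo reports it.
foreach ($d in $Domains) {
    $answers = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$d" -Type SRV `
                               -Server $ForestRootDns -ErrorAction SilentlyContinue
    $srv = $answers | Where-Object Type -eq 'SRV'
    if ($srv) { "OK   $d : DCs " + ($srv.NameTarget -join ', ') }
    else      { "FAIL $d : no DC locator SRV record served by $ForestRootDns" }
}

# 3. On each existing DC, AD-integrated zones should replicate forest-wide, so that
#    the forest root DNS server also holds two.dt's records (and vice versa).
foreach ($dc in $ExistingDCs) {
    Get-DnsServerZone -ComputerName $dc |
        Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated } |
        Select-Object @{n = 'DC'; e = { $dc }}, ZoneName, ReplicationScope
}
# Any zone showing ReplicationScope 'Domain' is moved to forest-wide scope with, e.g.:
#   Set-DnsServerPrimaryZone -Name 'two.dt' -ReplicationScope Forest -ComputerName '10.9.81.181'

# 4. Run locally on each existing DC after the scope change, then retry the promotion:
#   Register-DnsClient
#   Restart-Service Netlogon
```

Step 2 is the decisive check: if the forest root DNS server cannot answer the two.dt locator query, the new DC has no way to find a server holding the two.dt partition, which matches the error text in the posted dcpromoui log.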
  • Hi Marcin, I am gonna try this over the weekend. Will let you know if it worked. Thanks
    Thursday, November 08, 2012 6:41 PM
  • Hi apot,

    I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    Regards,

    Cicely Feng

    ---------------------------------------------------

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Wednesday, November 14, 2012 7:46 AM
  • Hi,

    I am trying to do the same thing apot was doing, i.e., set up a DC under a tree root. If I only use the forest root IP as the primary DNS, the server I am trying to promote has problems contacting the tree root domain. If I put both the forest root and tree root IPs in as primary DNS and secondary DNS, then I get the same error apot was getting: "Could not access a partition of the directory service located on a remote server. Make sure at least one server is running for the partition in question."

    So far I have not been able to find a solution to this problem or step-by-step instructions.

    Any help would be greatly appreciated.

    Thanks,

    Shimin

    Tuesday, February 11, 2014 12:40 AM
  • Solved it by experts-exchange.com.
    Friday, February 14, 2014 10:58 PM