validation of child domain inputs failed you cannot create a new domain at this time because the domain naming master is offline

    Question

  • We have cloned the production Active Directory in our testing environment, which is in a private VLAN.

    Active Directory with all 2 Additional domain controller.

    we are going to add and test Parent Child Domain Controllers with this domain controller.

    Getting the following error on adding child domain controller... additional domain controller is working fine, but on adding new child domain controller in the same test environment, getting the following error.

    validation of child domain inputs failed you cannot create a new domain at this time because the domain naming master is offline

    Kindly help.....

    Monday, December 26, 2016 1:48 PM

All replies

  • hi Dev,

    by default in order to add a child domain the Domain naming master should be up and running and reachable from AD replication level, Global catalog level as well as DNS name resolving level.

    this is by design in AD and this is one of the main responsibilities of a domain name master, part of the AD FSMO roles actually.

    if it's saying it's offline then it could be that you are not able to reach that domain name master server.

    1- determine which server is acting as domain name master by running this command: netdom query fsmo

    2- the result will show you who is the domain name master. then you can try ping it to make sure it's reachable

    would you confirm?

    Thanks


    Thanks Mahmoud

    • Marked as answer by Dev0099 Thursday, December 29, 2016 3:09 PM
    Monday, December 26, 2016 2:44 PM
  • I run this command and it shows the FSMO roles....1 domain has 5 roles and it shows in operation master...

    still everything is working fine...all domain services are up and running but still getting this error by adding child domain....is there any method to manually check that this role is working or not...is there any command or way to manually start this service if it is stopped or not working.....

    Monday, December 26, 2016 2:49 PM
  • that's weird.. i'd say try to move the domain naming master role to another server, as you already have 2 additional, and see if you get the same error. maybe that server is having something, so try this to proceed, then troubleshoot later

    Thanks Mahmoud

    • Marked as answer by Dev0099 Thursday, December 29, 2016 3:09 PM
    Monday, December 26, 2016 2:53 PM
  • You can also use the Get-ADForest PowerShell cmdlet to check which DC holds the FSMO role. It probably uses the same method to determine the DC, but you can target a DC with your query, to make sure you get the response from all of them.

    Get-ADForest -Server MyDC01.mydomain.com

    Maybe one DC has sync problems. You can run the cmdlet from any DC with Windows Server 2008 R2 or higher, or any client with RSAT installed (the DC with the FSMO role does not need to be Windows Server 2008 R2, just the one where you run the command).


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by Dev0099 Thursday, December 29, 2016 3:09 PM
    Monday, December 26, 2016 3:35 PM
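
The per-DC check suggested above, combined with the reachability checks from the first reply, as an added example that is not part of the original thread. It assumes the ActiveDirectory module (RSAT) and a host where `Resolve-DnsName` and `Test-NetConnection` are available (Windows Server 2012 R2 / Windows 8.1 or later).

```powershell
# Added example, not from the thread. Run from a DC or an RSAT client in the forest.
Import-Module ActiveDirectory

# Ask every DC in the current domain which server it believes holds the forest-wide roles.
$views = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $forest = Get-ADForest -Server $dc.HostName -ErrorAction Stop
        [pscustomobject]@{
            QueriedDC          = $dc.HostName
            DomainNamingMaster = $forest.DomainNamingMaster
            SchemaMaster       = $forest.SchemaMaster
            Error              = $null
        }
    } catch {
        # A DC that cannot answer at all is itself a finding (offline, or absent from the test VLAN).
        [pscustomobject]@{
            QueriedDC = $dc.HostName; DomainNamingMaster = $null
            SchemaMaster = $null;     Error = $_.Exception.Message
        }
    }
}
$views | Format-Table -AutoSize

# More than one distinct answer means the DCs disagree, which points at replication problems.
$holders = @($views | Where-Object DomainNamingMaster |
             Select-Object -ExpandProperty DomainNamingMaster -Unique)
if ($holders.Count -gt 1) {
    Write-Warning "DCs disagree on the domain naming master: $($holders -join ', ')"
}

# Test each reported holder at the DNS, LDAP, global catalog and RPC levels.
foreach ($holder in $holders) {
    $dns = Resolve-DnsName -Name $holder -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Holder      = $holder
        DnsResolves = [bool]$dns
        Ldap389     = (Test-NetConnection $holder -Port 389  -WarningAction SilentlyContinue).TcpTestSucceeded
        # 3268 only answers if the holder is also a global catalog.
        GC3268      = (Test-NetConnection $holder -Port 3268 -WarningAction SilentlyContinue).TcpTestSucceeded
        Rpc135      = (Test-NetConnection $holder -Port 135  -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}
```

A holder name that resolves but fails the port checks, or one that only some DCs report, narrows the "offline" error to network reachability or replication rather than the role itself.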
  • Primary domain have all role...Netdom query fsmo......

    Just getting error when creating child domain......creating additional domain is working fine..

    I think i will transfer the role to another additional domain and then will try...

    But i don't have all DCs' replicas ...i already mentioned that this is not a production server...

    we have cloned the primary domain controller; other additional controllers are not available in the test environment and we are adding the child in the test environment. later on we will transfer to production...as we are testing parent child architecture....

    Monday, December 26, 2016 5:05 PM
  • One PDC and One ADC are cloned other sites additional are not using in test environment..will this make problem....
    Monday, December 26, 2016 5:06 PM
  • HI Dev,

    first you need to try from another domain controller and see if you get same error.

    by the way the word "clone" stopped me actually. would you provide more details on how exactly it was cloned? and what is the existing forest structure? how many DCs and how many sites?

    i'm asking about clone because if you are cloning a domain controller then well it's not a straightforward operation and might have so many complications and stability issues ..

    I think at this point if you try to move primary domain controller to another server and then try adding the child domain and still get same error then we will need answers to questions I mentioned about your testing forest configuration and setup

    I hope this helps for now

    Thanks


    Thanks Mahmoud

    • Marked as answer by Dev0099 Thursday, December 29, 2016 3:08 PM
    Tuesday, December 27, 2016 4:11 AM
  • Thanks Mr Mehmoud,,, I will try this to transfer role to another server and then add child domain...n will post it the result...

    Clone in vmware vms ...and using the same environment in test environment and testing parent child architecture for security purpose...

    well thanks for your support....

    Tuesday, December 27, 2016 4:15 AM
  • hi Dev,

    while doing clone in vmware actually you have to do a "sysprep" and since this server is not a normal server and it's a domain controller then i believe it would result in some complications in the environment later unless you have followed the best practice on cloning domain controllers in vmware if there is any...

    we will be waiting for your result anyway to see how it will go and will take it from there..

    feel free to get back to us



    Thanks Mahmoud

    Thursday, December 29, 2016 4:37 PM