I've come across this problem twice. Both times I spent days banging my head against a wall. Only after carefully retracing my steps and re-stating the problem to someone who knew little of how AD works was I able to work out a solution once, and then again. Recently a colleague called with the same problem. I drew a blank again. As I started to write this week's AD tip as a request for help from the community of peers, I remembered...
the simple and obvious solution that doesn't want to stick in my head.
Here is the situation:
I built a small Windows 2000 network. It has a single Windows 2000 Server system acting as the DC with 6 domain clients: 3 Windows 2000 Professional and 3 Windows XP Professional. All Windows 2000 systems are SP2. This network shares a cable modem Internet link managed by Routing and Remote Access on the W2K Server system and is protect by ZoneAlarm.
I wanted to add a second DC to this configuration. So, I built a Windows 2000 Server SP2 system fairly similar to the one already online. But when I ran DCPROMO to create the second DC, I get an error: "The specified domain either does not exist or could not be contacted".
So, I ran through the obvious possible problems and resolutions: disable firewall, IP address duplication, wrong subnet mask, duplicate system name, using wrong domain name, NIC driver error, Windows Update patches, and fully reconfiguring DNS with forward and reverse lookup zones, even creating root zones. But nothing worked; I got the same error every time.
Until you really understand what the problem is, it is hard to formulate a plan to resolve it. I read through dozens of Knowledge Base documents and white papers on AD. I was convinced I had a DNS problem. But I was completely off.
Think about it. I wanted to take a new system and make it into a new domain controller. That sounds great at first until you phrase it like this: I want to take a foreign system and make it a trusted domain controller. It should be obvious now: the new system must join the existing domain first as a member server before it can be transformed into a domain controller for that domain. In other words, you must first trust the system by allowing it into the secured AD domain before you can make it a security sentry to protect that domain.
So, armed with this realization, I went back and did what I should have done in the first place, namely make the new Windows 2000 Server a member of the existing domain. Then I ran DCPROMO to promote it to a domain controller.
Hopefully, the tale of my ability to forget some of the basics of general security and AD administration, even after re-learning them twice, will help you avoid loosing a few days of your life while you dent the sheetrock in the server room with your forehead.
James Michael Stewart is a researcher and writer for Lanwrights, Inc.