Tip

Adding a new domain controller in Active Directory

I've come across this problem twice. Both times I spent days banging my head against a wall. Only after carefully retracing my steps and re-stating the problem to someone who knew little of how AD works was I able to work out a solution once, and then again. Recently a colleague called with the same problem. I drew a blank again. As I started to write this week's AD tip as a request for help from the community of peers, I remembered the simple and obvious solution that doesn't want to stick in my head.

Here is the situation:

I built a small Windows 2000 network. It has a single Windows 2000 Server system acting as the DC with 6 domain clients: 3 Windows 2000 Professional and 3 Windows XP Professional. All Windows 2000 systems are SP2. This network shares a cable modem Internet link managed by Routing and Remote Access on the W2K Server system and is protected by ZoneAlarm.

I wanted to add a second DC to this configuration. So, I built a Windows 2000 Server SP2 system fairly similar to the one already online. But when I ran DCPROMO to create the second DC, I got an error: "The specified domain either does not exist or could not be contacted".

So, I ran through the obvious possible problems and resolutions: disable firewall, IP address duplication, wrong subnet mask, duplicate system name, using wrong domain name, NIC driver error, Windows Update patches, and fully reconfiguring DNS with forward and reverse lookup zones, even creating root zones.


But nothing worked; I got the same error every time.

Until you really understand what the problem is, it is hard to formulate a plan to resolve it. I read through dozens of Knowledge Base documents and white papers on AD. I was convinced I had a DNS problem. But I was completely off.

Think about it. I wanted to take a new system and make it into a new domain controller. That sounds great at first until you phrase it like this: I want to take a foreign system and make it a trusted domain controller. It should be obvious now: the new system must join the existing domain first as a member server before it can be transformed into a domain controller for that domain. In other words, you must first trust the system by allowing it into the secured AD domain before you can make it a security sentry to protect that domain.

So, armed with this realization, I went back and did what I should have done in the first place, namely make the new Windows 2000 Server a member of the existing domain. Then I ran DCPROMO to promote it to a domain controller.
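The two-step order the tip arrives at (join the existing domain as a member server first, then promote) can be enforced with a small pre-flight script. The following is an added example, not code from the tip or from Lanwrights; it assumes a current Windows Server with PowerShell, the ADDSDeployment module and the Resolve-DnsName cmdlet (all later than the Windows 2000-era DCPROMO wizard the tip used), and the domain name is a placeholder supplied by the operator. The checks confirm domain membership and that a domain controller can be located before any promotion is attempted.

```powershell
<#
  Added example (not part of the original tip).
  Enforces the order the tip describes: (1) the server must already be a
  member of the target domain, (2) only then is it promoted to a DC.
  Platform assumption: current Windows Server PowerShell, not Windows 2000.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$DomainName,        # placeholder, e.g. corp.example.test
    [switch]$Promote            # promotion happens only when this is set AND checks pass
)

function Test-DomainMembership {
    param([string]$Domain)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # PartOfDomain is $false on a workgroup machine; Domain then holds the workgroup name.
    return [bool]($cs.PartOfDomain -and ($cs.Domain -ieq $Domain))
}

function Test-DcLocator {
    param([string]$Domain)
    # The DC locator SRV record that domain members (and DCPROMO) look up.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) { return $false }
    # nltest confirms a DC actually answers, not merely that DNS holds a record.
    $null = nltest /dsgetdc:$Domain 2>&1
    return ($LASTEXITCODE -eq 0)
}

$dcReachable = Test-DcLocator -Domain $DomainName
if (-not $dcReachable) {
    Write-Warning "No domain controller for $DomainName could be located; fix DNS or the network before joining."
    return
}

if (-not (Test-DomainMembership -Domain $DomainName)) {
    # Step 1 of the tip: the server is admitted to the domain as a member first.
    Write-Host "Joining $DomainName as a member server; the machine will reboot."
    Add-Computer -DomainName $DomainName -Credential (Get-Credential "$DomainName\Administrator") -Restart
    return
}

if ($Promote) {
    # Step 2: promotion runs only after membership and DC reachability are confirmed.
    Import-Module ADDSDeployment
    Install-ADDSDomainController -DomainName $DomainName `
        -Credential (Get-Credential "$DomainName\Administrator")
}
else {
    Write-Host "Member of $DomainName and a DC is reachable; re-run with -Promote to add the domain controller."
}
```

Run it once without `-Promote` on the candidate server: if it is still a workgroup machine it joins the domain and reboots; a second run with `-Promote` performs the promotion. The separate DC-locator check distinguishes a genuine DNS or network fault from the membership problem the tip describes.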

Hopefully, the tale of my ability to forget some of the basics of general security and AD administration, even after re-learning them twice, will help you avoid losing a few days of your life while you dent the sheetrock in the server room with your forehead.


James Michael Stewart is a researcher and writer for Lanwrights, Inc.


This was first published in April 2002
