AD2008 Root privileges required to promote child DC?

G

Guest

Greetings,

I am upgrading our forest from 2000 to 2008. It appears that in 2008 adding
the DC into the delegated zones is now mandatory, and that seems to be a
reasonable change due to the fact that this step can be otherwise
overlooked. However, this may present a problem in practice though, because
child domain admins don't have rights to update the root DNS zone. Is this
a "feature" that I will have to work around, i.e. not installing DNS until
the DCpromo is complete then asking the root admin to manually update the
delegated zone? I guess I should add that I am of the opinion that it
should not be required that a root admin have to be involved in any part of
a child domain DCpromo. Anyway, since it's not on Google (yet) below is the
message:

------------------------------------------------------------------------------------------------------------
Update DNS Delegation

Access is denied.

To ensure that this domain controller can be found by other computers on the
network, you must create a DNS delegation in the parent zone for this domain
(xxxxx.com). Please enter alternate credentials to create this delegation.
------------------------------------------------------------------------------------------------------------
 
K

Kevin D. Goodknecht Sr. [MVP]

Read inline please.

In
- said:
Greetings,

I am upgrading our forest from 2000 to 2008. It appears that in 2008
adding the DC into the delegated zones is now mandatory, and that
seems to be a reasonable change due to the fact that this step can be
otherwise overlooked. However, this may present a problem in
practice though, because child domain admins don't have rights to
update the root DNS zone. Is this a "feature" that I will have to
work around, i.e. not installing DNS until the DCpromo is complete
then asking the root admin to manually update the delegated zone? I
guess I should add that I am of the opinion that it should not be
required that a root admin have to be involved in any part of a child
domain DCpromo. Anyway, since it's not on Google (yet) below is the
message:
------------------------------------------------------------------------------------------------------------
Update DNS Delegation

Access is denied.

To ensure that this domain controller can be found by other computers
on the network, you must create a DNS delegation in the parent zone
for this domain (xxxxx.com). Please enter alternate credentials to
create this delegation.
------------------------------------------------------------------------------------------------------------
Click to expand...

You should actually create the delegation before your promote the first
child DC if the child's zone is going to be hosted on the chld DCs. This
will prevent the child domain records being created in the parent zone when
you promote the child DCs.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 
J

Jorge Silva

Hi
the warning is telling you that you should create the delegation at the
root, that step should have been done before the child domain creation. If
you don't have permissions at the root you should ask the responsible to
create the delegation. When creating child domain you also need permissions
at the root to add that new domain, so is good to plan that with the
responsible of your network. At last, don't forget that the child domain
also needs to solve its parent root FQDN and the _msdcs zone.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
S

southpaw

Excellent info !. thank for sharing..
btw I think is a great improved in Windows 2008 AD DS . It was one of those
overlooked and easy make mistakes when adding a child domain..
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Rebuild Forest Root Domain Controller 3
Rebuilt forest root DC, now got repl errors, SIDs? 2
Only 1st Child DC to be built is visible in Root AD Sites & Servic 1
Child dc trouble 3
Zone transfers in AD-integrated DNS 1
Cannot Ping DC in child domain by dns 1
How do GC's register _MSDCS info in the DNS root from a child doma 5
DNS in child domains 2

Top