Mike Howells's Blog


Adding a Child Domain Using Windows Server 2003 vs Windows Server 2008 R2

Posted by mikehowells on April 5, 2011

If you’ve ever had to add a new domain tree to an existing domain in Active Directory using Windows Server 2003 you may have already realized that you must have DNS configured properly before creating the new child domain. Put another way, if you didn’t know what you were doing you could get into trouble very quickly. With Windows Server 2008 R2 this process is dramatically simplified and the steps for DNS delegation are done for you automatically.

Our example forest is simple with bigfirm.biz representing the forest root domain and ecoast.bigfirm.biz representing the child domain.

The domain controller in bigfirm.biz is bigdog.bigfirm.biz at 192.168.2.130.

The domain controller in ecoast.bigfirm.biz is srv1.ecoast.bigfirm.biz at 192.168.2.131.

If you’ve read any of Mark Minasi’s books you’ll notice that this is the naming convention he uses.

In the below screenshot you can see that I already ran DCPROMO on bigdog.bigfirm.biz and DNS is already configured with the DNS forward lookup zones already populated.

Note: I had the DCPROMO process automatically install and create DNS for me for this process.

DNS on bigdog.bigfirm.biz (Windows 2003)

Now we’re at the point where we want to add the child domain of ecoast.bigfirm.biz to the existing forest root domain of bigfirm.biz.

With Windows Server 2003 you must create the DNS domain on the parent before you run DCPROMO on the child domain controller.

Therefore, right-click the bigfirm.biz DNS zone and select the option to create a new domain and then enter the domain name of ecoast. You don’t have to enter any records in ecoast.

DNS on bigdog.bigfirm.biz (Windows 2003)

The next step is to prepare the child domain controller in the child domain.

On srv1.ecoast.bigfirm.biz you need to point its primary DNS server to the parent DNS domain controller (bigdog.bigfirm.biz) at 192.168.2.130. If you screw up here and point DNS to itself, the child domain controller will have no way to get home to the “mothership” and will report an error once you try to run DCPROMO.

TCP/IP settings on srv1.ecoast.bigfirm.biz (Windows 2003)

There is another minor but very important procedure that you must also do on the child domain controller (srv1).

You must populate the DNS suffix box with the new domain that you are creating (ecoast.bigfirm.biz). If you don’t do this step then the child domain controller will not populate the DNS records properly at the parent DNS zone.

DNS suffix settings on srv1.ecoast.bigfirm.biz (Windows 2003)

Once all of these procedures have been done you can now run DCPROMO on the child domain controller srv1.ecoast.bigfirm.biz.

Note: Don’t forget to allow dynamic updates on the parent DNS server (bigdog.bigfirm.biz) or else the process will fail. The DCPROMO process should warn you of this.
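The three things the Windows 2003 procedure above depends on (primary DNS pointing at the parent, the DNS suffix set, and dynamic updates enabled on the parent zone) are easy to check before you commit to DCPROMO. The following PowerShell pre-flight script is an added example, not part of the original post; it assumes the names and addresses used in this article (bigdog at 192.168.2.130, the child domain ecoast.bigfirm.biz) and uses only tools available in that era (WMI, the registry and dnscmd/nslookup). Run it on srv1.

```powershell
# Constructed pre-flight check for srv1 before running DCPROMO (Windows 2003 procedure).
# Assumed values from the article: parent DC bigdog.bigfirm.biz, child domain ecoast.bigfirm.biz.
$ParentDns   = '192.168.2.130'
$ParentZone  = 'bigfirm.biz'
$ChildDomain = 'ecoast.bigfirm.biz'
$ok = $true

# 1. The primary DNS server on srv1 must be the parent DC, never srv1 itself.
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
       Where-Object { $_.DNSServerSearchOrder } | Select-Object -First 1
$primary = @($nic.DNSServerSearchOrder)[0]
if ($primary -ne $ParentDns) {
    Write-Warning "Primary DNS server is '$primary'; expected the parent DC $ParentDns."
    $ok = $false
}

# 2. The primary DNS suffix must already be the child domain. 'NV Domain' is the value
#    set in System Properties; 'Domain' is the value in effect (it changes after a reboot).
$tcpip  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$effect = $tcpip.Domain
if ($tcpip.'NV Domain' -ne $ChildDomain) {
    Write-Warning "Primary DNS suffix is '$($tcpip.'NV Domain')'; expected '$ChildDomain'."
    $ok = $false
} elseif ($effect -ne $ChildDomain) {
    Write-Warning "DNS suffix '$ChildDomain' is configured but not yet in effect; reboot srv1 first."
    $ok = $false
}

# 3. The parent zone must accept dynamic updates or DCPROMO's record registration fails.
#    dnscmd reports 'update = 0' (none), 1 (nonsecure and secure) or 2 (secure only).
$zoneInfo = dnscmd $ParentDns /ZoneInfo $ParentZone 2>&1 | Out-String
if ($zoneInfo -match 'update\s*=\s*(\d)') {
    switch ($matches[1]) {
        '0' { Write-Warning "Dynamic updates are disabled on $ParentZone at $ParentDns."; $ok = $false }
        '1' { Write-Warning "$ParentZone allows nonsecure updates; 'secure only' is the safer setting." }
    }
} else {
    Write-Warning "Could not read zone info for $ParentZone from $ParentDns (dnscmd/permissions?)."
    $ok = $false
}

# 4. srv1 must be able to find a DC for the parent domain through the parent DNS server.
$srv = cmd /c "nslookup -type=SRV _ldap._tcp.dc._msdcs.$ParentZone $ParentDns 2>nul" | Out-String
if ($srv -notmatch 'svr hostname\s*=') {
    Write-Warning "No DC SRV record for $ParentZone returned by $ParentDns."
    $ok = $false
}

if ($ok) { 'All pre-flight checks passed; safe to run DCPROMO on srv1.' }
```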

What I see happen a lot with Windows Server 2003 is that it takes WAY too long for these DNS records to populate at the parent. In fact, it may take upwards of 10-15 minutes or so. Don’t be surprised if you see errors in the system event log on srv1 such as this (see screenshot below). This type of problem usually corrects itself, but if it doesn’t you can try opening a command prompt and typing ipconfig /registerdns on srv1 to see if that speeds up the process.

Event viewer on srv1.ecoast.bigfirm.biz (Windows 2003)

After waiting the aforementioned 10-15 minutes for replication to occur and/or after manually issuing the ipconfig /registerdns command on srv1, the DNS zone on bigdog.bigfirm.biz should now look like this:

DNS on bigdog.bigfirm.biz (Windows 2003)

You’ll notice that DNS is not being hosted on srv1 but is instead being hosted on the parent domain controller bigdog. What if you want to have srv1 host the DNS zone ecoast.bigfirm.biz instead? You can easily do this by a process called DNS delegation. DNS delegation can be a good idea especially if you want to reduce network traffic, provide redundancy and simplify your DNS environment. There is a great KB article on how to create a child domain in Active Directory and delegate the DNS namespace to the child domain. The KB article for this is listed at the end of this article.

From my perspective, the above procedure seems time consuming and laborious. Wouldn’t it be nice if Microsoft improved on this procedure? With Windows Server 2008 R2 your wish has come true. I get the impression that the directory services team at Microsoft took some heat for this procedure on Windows 2003.

For the below example, everything remains the same except we are now using Windows Server 2008 R2 as our operating system.

After running DCPROMO on bigdog in our forest root domain bigfirm.biz our DNS zone looks like this:

DNS on bigdog.bigfirm.biz (Windows 2008 R2)

Now, here is where things get super cool. Remember all of the steps that we went through to prepare our DNS environment before we could even introduce a new child domain into the mix?

Well, prepare to be amazed.

As before with our Windows 2003 example, on srv1 make sure that you point the primary DNS server to the parent DNS server (bigdog.bigfirm.biz).

TCP/IP settings on srv1.ecoast.bigfirm.biz (Windows 2008 R2)

Once you do that all you have to do now is run DCPROMO on srv1!

One thing I like about the new DCPROMO with Windows Server 2008 R2 is that it automatically checks and detects that there is no DNS server authoritative for the ecoast.bigfirm.biz domain. Therefore, because it could not find an existing DNS server authoritative for ecoast.bigfirm.biz it will automatically create a DNS delegation for you. Brilliant!

Below you can see in the DCPROMO summary screen that it will automatically create the DNS delegation for you since you did not pre-create the ecoast.bigfirm.biz domain on the parent server.

Below is a screenshot of what the bigfirm.biz DNS zone looks like on bigdog.bigfirm.biz after the DCPROMO process completes on srv1.

Notice that ecoast is greyed-out indicating that the zone is now delegated.

Delegated DNS on bigdog.bigfirm.biz (Windows 2008 R2)

After logging into srv1, DNS was installed automatically and the ecoast.bigfirm.biz DNS zone was created and populated with all of the DNS records. No errors in the event log and everything just works and works immediately.

DNS on srv1.ecoast.bigfirm.biz (Windows 2008 R2)

They say the devil’s in the details and Windows Server 2008 R2 does not disappoint. Below you can see that the DCPROMO process automatically adjusts the primary DNS server on srv1 to itself and points its secondary DNS server to its parent DNS server.

TCP/IP settings on srv1.ecoast.bigfirm.biz (Windows 2008 R2)

One final note I should mention is that it is no longer required to populate the DNS suffix on the child domain controller srv1 as we were required to do with Windows Server 2003.
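Once DCPROMO finishes on the 2008 R2 child, the delegation it created is worth confirming from both sides: the parent must answer with an NS record that hands ecoast.bigfirm.biz to srv1, and srv1 must actually serve that zone (with secure updates only) and have its DNS client set to itself first, parent second. The script below is an added example, not from the original post; it assumes the article’s names and addresses (bigdog at 192.168.2.130, srv1 at 192.168.2.131) and runs on srv1.

```powershell
# Constructed post-DCPROMO delegation check for srv1 (Windows 2008 R2 procedure).
# Assumed values from the article: parent DC 192.168.2.130, child DC srv1 at 192.168.2.131.
$ParentDns = '192.168.2.130'
$ChildDns  = '192.168.2.131'
$ChildZone = 'ecoast.bigfirm.biz'
$ChildDc   = "srv1.$ChildZone"
$ok = $true

function Test-DnsAnswer {
    param([string]$Type, [string]$Name, [string]$Server, [string]$Pattern)
    # nslookup prints its Server:/Address: banner on stderr; only stdout carries the answer.
    $answer = cmd /c "nslookup -type=$Type $Name $Server 2>nul" | Out-String
    return ($answer -match $Pattern)
}

# 1. The parent zone must delegate the child zone to srv1 via an NS record.
if (-not (Test-DnsAnswer 'NS' $ChildZone $ParentDns "nameserver\s*=\s*$([regex]::Escape($ChildDc))")) {
    Write-Warning "$ParentDns does not delegate $ChildZone to $ChildDc."; $ok = $false
}

# 2. srv1 must be authoritative for the child zone (SOA names it as primary).
if (-not (Test-DnsAnswer 'SOA' $ChildZone $ChildDns "primary name server\s*=\s*$([regex]::Escape($ChildDc))")) {
    Write-Warning "$ChildDns does not serve $ChildZone as primary."; $ok = $false
}

# 3. The child DC's own locator records must be present in the delegated zone.
if (-not (Test-DnsAnswer 'SRV' "_ldap._tcp.dc._msdcs.$ChildZone" $ChildDns 'svr hostname\s*=')) {
    Write-Warning "No DC SRV record for $ChildZone on $ChildDns."; $ok = $false
}

# 4. The delegated zone on srv1 should accept secure dynamic updates only (update = 2).
$zoneInfo = dnscmd $ChildDns /ZoneInfo $ChildZone 2>&1 | Out-String
if ($zoneInfo -notmatch 'update\s*=\s*2') {
    Write-Warning "$ChildZone on $ChildDns is not set to secure-only dynamic updates."
}

# 5. srv1's DNS client order should be itself (or loopback) first, then the parent.
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
       Where-Object { $_.DNSServerSearchOrder } | Select-Object -First 1
$order = @($nic.DNSServerSearchOrder)
if ($order[0] -notin @($ChildDns, '127.0.0.1') -or $order -notcontains $ParentDns) {
    Write-Warning "DNS client order is '$($order -join ', ')'; expected $ChildDns then $ParentDns."
    $ok = $false
}

if ($ok) { "Delegation of $ChildZone to $ChildDc verified." }
```

The `-notin` operator needs PowerShell 3.0 or later; on the 2008 R2 box itself replace it with `@($ChildDns, '127.0.0.1') -notcontains $order[0]`.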

How To Create a Child Domain in Active Directory and Delegate the DNS Namespace to the Child Domain
http://support.microsoft.com/kb/255248


6 Responses to “Adding a Child Domain Using Windows Server 2003 vs Windows Server 2008 R2”

  1. Jobish George said

    Good Article. Keep on sharing……

  2. Erin said

    Heya, just wanted to give you a brief heads up and let you know a few of the images
    aren’t loading correctly. I’m not sure why but I
    think it’s a linking issue. I’ve tried it in two different browsers and both show the same results.

  3. This is really the third blog, of your blog I personally read through.

    Nonetheless I actually love this specific one, “Adding a Child
    Domain Using Windows Server 2003 vs Windows Server 2008 R2 Mike Howells’s Blog” the very best. Thank you -Adeline

  4. Geri said

    I am really loving the theme/design of your blog.
    Do you ever run into any internet browser compatibility issues?
    A small number of my blog audience have complained about
    my blog not operating correctly in Explorer but looks great in Chrome.
    Do you have any recommendations to help fix this issue?

    • Hi Geri, I’ve never run into any issues like that. However, I have run into issues where WordPress decides to get into an infinite loop and crash the browser. But, this seems to happen less and less these days.

  5. I’m not sure where you are getting your information, but great topic. I need to spend some time learning more or understanding more. Thanks for the great information; I was looking for this information for my mission.
