
The things that are better left unspoken

a blog by Sander Berkouwer


KnowledgeBase: "Access is denied" error message when you create a child domain remotely by using Install-ADDSDomain

Microsoft has issued a new KnowledgeBase article that addresses an issue when you use the Install-ADDSDomain PowerShell Cmdlet from the ADDSDeployment PowerShell module remotely to create a child domain.

This issue is related to PowerShell remoting and the fact that the Install-ADDSDomain PowerShell Cmdlet doesn’t perform a pre-check on the password of the credential used to create the DNS delegation.

    

The situation

You want to promote an installation of Windows Server 2012 that is a member of a domain to a Domain Controller for a new child domain in the existing Active Directory forest. You perform this action remotely from another domain-joined Windows Server 2012 installation or a domain-joined Windows 8 installation with the Remote Server Administration Tools (RSAT) installed.

The command you use looks like:

    Invoke-command -computer HostNameDCtoBe -credential (get-credential) -scriptblock {Install-addsdomain -newdomainname child -parentdomain domain.tld -domaintype child -credential (get-credential) -dnsdelegationcredential (get-credential)}

When you execute this command, you will be prompted for credentials.

After a while, the command outputs the following information:

    Message        : The operation failed because:

                     Failed to create a trust with domain child.contoso.com on the parent domain controller dc1.domain.tld

                     "Access is denied."

                     This server has been disjoined from domain "DOMAIN".

    Context        : DCPromo.General.54
    RebootRequired : False
    Status         : Error

Subsequently, the child domain is not created.

Note:
This issue does not occur when you run the Install-ADDSDomain PowerShell Cmdlet locally, or when you perform a child domain creation through the Active Directory Domain Services Configuration Wizard.

    

The cause

This issue occurs because the credentials that were passed to -dnsdelegationcredential contained a bad password.

Unlike the password for the other two credentials that are provided in this scenario, the password for the DNS delegation credential is not tested until it is actually used. However, at that point in the domain deployment, many other changes have been made, and the bad credentials cause a fatal error when they are used later.

This issue occurs only when you provide a bad password through remote Windows PowerShell invocation. If the DNS delegation is run locally, the delegation will still fail but will provide a warning that delegation was not configured and will let promotion otherwise succeed.

   

The solution

To resolve this issue, follow these steps:

  1. Rejoin the server to the parent domain to enable remote Windows PowerShell connectivity through the Invoke-Command Cmdlet.
        
         Note:
         By default, this Cmdlet requires the Kerberos protocol.
        
  2. Try to create the domain again. When you do this, make sure that you provide the DNS Delegation credentials by using a valid username and password.
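
One way to add the pre-check that the Cmdlet skips, as an added example that is not part of the KnowledgeBase article or the original post: collect the three credentials once, validate each password against the parent domain, and only then start the remote promotion. Test-DomainCredential is a hypothetical helper, and the example assumes all three accounts live in the parent domain domain.tld.

```powershell
# Added example: validate all three credentials before the remote promotion starts.
# Assumption: the remoting, promotion and DNS delegation accounts are all in the parent domain.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-DomainCredential {    # hypothetical helper, not part of ADDSDeployment
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $DomainName
    )
    $net = $Credential.GetNetworkCredential()
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $DomainName)
    try {
        # Returns $true only if the domain accepts this user name and password.
        return $ctx.ValidateCredentials($net.UserName, $net.Password)
    }
    finally {
        $ctx.Dispose()
    }
}

$parentDomain = 'domain.tld'        # parent domain from the command above
$target       = 'HostNameDCtoBe'    # member server that will host the child domain

# Prompt once per role so the values that were tested are the values that get used.
$creds = [ordered]@{
    Remoting      = Get-Credential -Message "Account for remoting to $target"
    Promotion     = Get-Credential -Message 'Account that creates the child domain'
    DnsDelegation = Get-Credential -Message 'Account that creates the DNS delegation'
}

$rejected = @($creds.GetEnumerator() |
    Where-Object { -not (Test-DomainCredential -Credential $_.Value -DomainName $parentDomain) } |
    ForEach-Object { $_.Key })

if ($rejected.Count -gt 0) {
    # Stop here: the server is still a domain member and nothing has been changed.
    throw "Rejected by ${parentDomain}: $($rejected -join ', '). Promotion not started."
}

Invoke-Command -ComputerName $target -Credential $creds.Remoting `
    -ArgumentList $creds.Promotion, $creds.DnsDelegation, $parentDomain -ScriptBlock {
        param($Promotion, $DnsDelegation, $Parent)
        Install-ADDSDomain -NewDomainName child -ParentDomainName $Parent `
            -DomainType ChildDomain -Credential $Promotion `
            -DnsDelegationCredential $DnsDelegation
    }
```

The check confirms only that each password is accepted, not that the account has the rights to create the delegation. A rejected password counts as a failed logon against the account's lockout threshold.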

      

Related KnowledgeBase articles

"Access is denied" error message when you create a child domain remotely by using Install-AddsDomain 

Related Posts

Remote Server Administration Tools for Windows 8 
New features in AD DS in Windows Server 2012, Part 2: New Promotion Process 
You can only set the DFL to Windows Server 2012 when you create a new domain tree on a Windows Server 2012-based computer  

Further reading

Install-ADDSDomain 
Add Windows Server 2012 as a Domain Controller

Posted: Monday, October 22, 2012 9:45 PM by Sander Berkouwer
