Win2k Server, two subnets via VPN, adding AD tree

[spaceman]

I'm trying to add a new domain as a tree to an existing forest. The new domain is remote and will be tied to the main forest via a VPN tunnel. I’m kind of new to this so bear with me.

192.168.0.20 is the first site, AD, DHCP, DNS,
192.168.0.100 is the router/gateway/vpn
192.168.3.20 is my remote stand-alone server that i am trying to promote to a DC and run AD, DHCP, DNS.
192.168.3.100 is the remote office router/gateway/vpn

For example sake, lets use the following server names:

Domains-
globalsite.com (for extranet, public)
main.globalsite.com (existing domain/tree)
us.globalsite.com (new remote domain/tree)

Servers-
server1.main (first DC w/AD)
server1.us (standalone, ready to promote)
exchange1.main (installed)
exchange1.us (standalone, ready to add as us.globalsite.com

All Win2k servers are running mixed mode with no wins servers in site.

My issue: I cannot get past the credentialed login to begin the AD install. It says it can't find an AD server/installation. I know its something to do with the DNS, but I need help after messing with it for a few days. What am i doing wrong? What zones should I add? Does the zone name matter? What record types do I need in each zone? Should I make sure the NS record has a fully qualified name instead of just the server name? Is there a temporary way to see the AD server during install?

Current details: I can ping the needed servers using their IP addresses. I was able to get it to work a few times but the AD replication process failed after 4800+ of 5800+ objects were replicated. It was complaining about incorrect credentials for a particular exchange object. Because I came on the scene late, I finally gave up and started over with a fresh server but now I can't even get the DC promotion to proceed because process can't find the remote AD install.

Any and all help would be appreciated!

 

[GrnEyedLdy]

"I'm trying to add a new domain as a tree to an existing forest".

During the AD promotion are you selecting;

Create a new domain tree,
or
Create a new child domain in an existing tree?

The first sentence of your post sounds like you are trying to create a new tree, (which would imply a dis-jointed namespace from your first tree), but the example naming scheme in your post shows a contigious namespace, (which implies that you would be creating a child domain in an exisiting tree).

Not sure which you want to do...

 

[spaceman]

Thanks GrnEyedLdy,

I see your point. I assume that I am aiming for a contigiuous namespace. I didn't do the orginal install so I can only assume that the globalsite.com is the parent domain and main.globalsite.com is a child of that domain. So it would stand to reason that us.globalsite.com is a child of globalsite.com. Is this correct? If so, I will use add child domain from now on.

Also, if for some reason I wanted to create a new domain called otherglobal.com (not too creative with my naming) it would be considered another tree in the forest. Correct?

Still trying to figure out how to get the promotion process to find the remote first DC through that darn VPN.

Thanks for your help on understanding what I was trying to accomplish

 

[GrnEyedLdy]

I think you've got it Spaceman! :-D

To create a child in the already exisiting globalsite.com domain, you would first select;

Domain Controler For A New Domain

Next select,

Create A New Child Domain In An Existing Tree

If you want to create a new domain with a new namespace, you would then Create a New Domain Tree.

Now I must admit that the rest of your problem is very interesting. (I doubt that I can solve it, but it is very interesting). :-D The new server you "started over with" is a member of the domain, and can successfully log in via the VPN, correct? The DCPROMO process starts....? At what point does the promotion hang?


Patty

 

[GlenJohnson]

Be careful with your dcpromo. I had one go bad, and ended up with a ghost dc. Still have it. Causes me fits with all the error messages. Users couldn't log onto what was a stand alone server after the dcpromo failed. Took me about 30 minutes to figure out if I gave the users the admin name and password, they could log in. Finally had to move all jobs that ran onto a new server, took the bad dcpromo, did an f-disk. Then took the new server, dcpromo worked on it. Bad dcpromo is now stand alone test server and that's all it'll ever be. Good luck, and keep us informed of where the dcpromo fails.


Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com


"How many things, too, are looked upon as quite impossible until they have been actually effected?."
Pliny the Elder, Caius Plinius Secundus(c.23-79 A.D.); Roman writer.

 

[spaceman]

Thanks for all the great replies. First of all, I wanted to report that all is well.

I phoned up the primary AD administrator and convinced him to let us just add an additional controller to the existing single domain. I realized that he had set the uuroot forest to main.globalsite.com. Even though root forest should have been globalsite.com, I still wasn't too keen on creating a child domain of us.main.globalsite.com instead of just us.globalsite.com - which would have made it non-contiguous (thanks greeneyes!!)

So in the end we decided just to add another DC and stick with one domain. I did move the new DC into it's own site to allow more managed bandwidth control over the replication process between DC's (one in Europe, one in USA).

DNS ISSUE:

I guess I was taking all the AD deployment books too seriously when they said "make sure to point your to be Domain Controller network DNS address to itself." And thus I did. The standalone server that I wanted to promote, I had set its network IP address to a fixed 192.168.3.20, and the DNS network settings to 192.168.3.20 as well. Then I made sure that the forwarding zone was set to the Internet DNS address as supplied by the local ISP. And I added a manual host entry for the remote Active Directory server so that the promotion wizard/app could find the AD install during the credential login of the process. Sounds good but I kept saying no Active Directory Installation found. After struggling to get past this point, another admin friend suggested that the server should point to the existing AD installs DNS server/DC. Remember that the goal was to DC's on different subnets.

I changed the network DNS settings from 192.168.3.20 (standalone server pointing to itself) to 192.168.0.20(existing DC w/DNS). Also, he suggested that I change the forwarder to be the same remote DNS. And like magic, the credential process during the beginning of the promotion succeeded!! It's always the little things that trip us up. The killer thing is that I had tried that already one time before but must have not give it full diligence that it deserved. Now moving on to install a separate Exchange Server in this site but fear not, more problems have arrived. Will post a new thread regarding this one.

Thanks to everyone for your kind responses !!!

 

[GrnEyedLdy]

Spaceman, glad to hear that things worked out so well. With Win2K, you learn something new everyday!

Patty