MORE INFORMATION

NOTE: Access control lists on certain objects in the Active Directory must also be changed to allow a pre-created Dcpromo.exe domain promotion to succeed.

The Configuration and Schema containers are forest wide, so child domains need to replicate these containers. Because of this, the user or group that is creating the child domain must have rights for these containers. Also, the user or group must have rights to the Site Container object that will hold the domain controller that is being promoted.

To enable a user to add a child domain, an enterprise administrator must perform the following steps:

1. Create a user or group that will perform the Dcpromo.exe operations.
2. Use ADSI Edit to add the user or group you created in step 1 to the following Configuration container permissions
   • cn=Configuration
   • dc=root domain.com
   • dc=com

   where root domain.com is your domain name.
   
   

3. Add the user or group you created in step 1 to the following Schema container permissions:
   • cn=Schema
   • dc=root domain
   • dc=com
4. Grant the user or group you created in step 1 the following permissions to the Configuration and Schema containers:
   • Read
   • Manage Replication Topology
   • Replicating Directory Changes
   • Replication Synchronization
5. Add the user or group you created in step 1 to the site object that will contain the first domain controller (DC) for the child domain, and then grant the user or group Read and Create child objects for this object and all child objects.
6. Add the Creator Owner group, and give it Full Control for this object and all child objects.
7. Create a DNS new zone for the domain to be added under its parent domain.
8. Add a resource record to the zone file for the server you are going to DCPROMO.
9. If you want the NetBIOS name of the domain to be different from its DNS name, go to step 17.
   
   If you do not want the NetBIOS name of the domain to be different from its DNS name, follow steps 10 through 16.
10. At the command prompt of a DC in the forest, type ntdsutil, and then press ENTER.
11. Type Domain Management, and then press ENTER.
12. Type connections, and then press ENTER.
13. Connect to the Domain Naming Master Role Owner. Note that you can find this Flexible Single Master Operation (FSMO) owner by using the netdom query fsmo command.
    
    NOTE: The Netdom.exe tool is included in the Windows 2000 Support Tools on the Windows 2000 Server CD-ROM.
14. Type q at the command prompt, and then press ENTER to return to the Domain Management prompt.
15. Type Precreate dc=YOURDOMAIN,dc=parent_domain,dc=root_domain,dc=com your_server.yourdomain.parent_domain.root_domain.com, and then press ENTER to create the cross-reference.
    
    NOTE: When you specify the cross-reference to the child domain, you must use the NetBIOS name of the child domain in UPPER CASE letters. The second parameter is the fully qualified domain name (FQDN) of the server that will be promoted to the first DC in the child domain.
16. When you receive a prompt that asks if you are certain that you want to create the cross-reference, click OK, and then quit the Ntdsutil.exe tool.
17. Follow this step only if you want the NetBIOS name of the domain to be different from its DNS name. If you do not want the name to be different and if you already completed steps 10 through 16, go to step 18.
    
    You cannot use Ntdsutil to create a crossRef object for a domain whose NetBIOS name is different from its DNS name. The NetBIOS name of the domain is referenced in the CN attribute of its crossRef object, and the DNS name of the domain is referenced in its nCname attribute. Ntdsutil automatically assigns the CN attribute to be the same as the first part of the nCname attribute. For them to be different, you must create the crossRef object manually by using Adsieidt or Ldp. To create the crossRef object manually with Adsiedit, follow these steps:
    1. Install Adsiedit from the Windows 2000 Server CD-ROM.
    2. Right-click the cn=Partitions,cn=configuration,dc=root_domain,dc=com partitions container, and then click New Object.
    3. Verify the class that is proposed for the new object is crossRef, and then click Next.
    4. For the CN attribute value, type the NetBIOS name in uppercase letters. For example, type NBTYOURDOMAIN, and then click Next.
    5. For the nCnameType attribute value, type the distinguished name of the partition that will be created for the domain, and then click Next.
       
       Note The distinguished name must match the DNS name of the domain to create (for example, dc=YOURDOMAIN,dc=parent_domain,dc=root_domain,dc=com).
    6. For the dnsRootEnter attribute value, type the FQDN for the first domain controller that will be promoted in the new domain. For example, type your_server.yourdomain.parent_domain.root_domain.com.
    7. Click Next.
    8. Click More Attributes, and then click to select the Enabled attribute in the Select property to view list.
    9. In the Edit Attribute box, type False, and then click Set.
    10. Click OK, and then click Finish.
        
        Note You must set the Enabled attribute of the crossRef object to False. Otherwise, when you run DCPROMO on the first domain controller in the new domain, it will fail with an error that says that the domain already exists.
18. After you create the Cross-Reference object, you need to grant full control to the user or group you created in step 1. Note that the cross-reference will be in the partitions container within the configuration naming context.
19. On the System Object within the Domain Naming context System container, add the user or group you created in step 1 and grant Read and Create child object permissions. Add the Creator Owner Group and grant Full Control permissions.
20. Verify the primary DNS suffix of the server contains the FQDN of the child domain to be created.
    
    NOTE: The user or group should now be able to use Dcpromo.exe to promote the specified server to establish the specified domain as defined in the previous Ntdsutil.exe commands. When Dcpromo.exe prompts for credentials to use for the operation, the user or member of the group you created in the preceding steps will have the proper permissions to successfully complete and create the child domain.