AD2008 Root privileges required to promote child DC?

Greetings,

I am upgrading our forest from 2000 to 2008. It appears that in 2008 adding
the DC into the delegated zones is now mandatory, and that seems to be a
reasonable change due to the fact that this step can be otherwise
overlooked. However, this may present a problem in practice though, because
child domain admins don't have rights to update the root DNS zone. Is this
a "feature" that I will have to work around, i.e. not installing DNS until
the DCpromo is complete then asking the root admin to manually update the
delegated zone? I guess I should add that I am of the opinion that it
should not be required that a root admin have to be involved in any part of
a child domain DCpromo. Anyway, since it's not on Google (yet) below is the
message:

------------------------------------------------------------------------------------------------------------
Update DNS Delegation

Access is denied.

To ensure that this domain controller can be found by other computers on the
network, you must create a DNS delegation in the parent zone for this domain
(xxxxx.com). Please enter alternate credentials to create this delegation.
------------------------------------------------------------------------------------------------------------

Kevin D. Goodknecht Sr. [MVP]

Read inline please.

In news:.gbl,
- <-> wrote:
> Greetings,
>
> I am upgrading our forest from 2000 to 2008. It appears that in 2008
> adding the DC into the delegated zones is now mandatory, and that
> seems to be a reasonable change due to the fact that this step can be
> otherwise overlooked. However, this may present a problem in
> practice though, because child domain admins don't have rights to
> update the root DNS zone. Is this a "feature" that I will have to
> work around, i.e. not installing DNS until the DCpromo is complete
> then asking the root admin to manually update the delegated zone? I
> guess I should add that I am of the opinion that it should not be
> required that a root admin have to be involved in any part of a child
> domain DCpromo. Anyway, since it's not on Google (yet) below is the
> message:
> ------------------------------------------------------------------------------------------------------------
> Update DNS Delegation
>
> Access is denied.
>
> To ensure that this domain controller can be found by other computers
> on the network, you must create a DNS delegation in the parent zone
> for this domain (xxxxx.com). Please enter alternate credentials to
> create this delegation.
> ------------------------------------------------------------------------------------------------------------

You should actually create the delegation before your promote the first
child DC if the child's zone is going to be hosted on the chld DCs. This
will prevent the child domain records being created in the parent zone when
you promote the child DCs.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================



===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more

===================================
Keep a back up of your OE settings and folders
with OEBackup:

===================================

Jorge Silva

Hi
the warning is telling you that you should create the delegation at the
root, that step should have been done before the child domain creation. If
you don't have permissions at the root you should ask the responsible to
create the delegation. When creating child domain you also need permissions
at the root to add that new domain, so is good to plan that with the
responsible of your network. At last, don't forget that the child domain
also needs to solve its parent root FQDN and the _msdcs zone.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services