"Access is denied" error message when you create a child domain remotely by using Install-AddsDomain

Article translations Article translations
Article ID: 2738060 - View products that this article applies to.
Expand all | Collapse all


When you use the Install-AddsDomain Windows Server 2012 AddsDeployment Windows PowerShell module cmdlet together with the Invoke-Command cmdlet to remotely create a new child domain, you receive the following error message:

Invoke-command -computer DC2-FULL -credential (get-credential) -scriptblock {Install-addsdomain -newdomainname child -parentdomain contoso.com -domaintype child -credential (get-credential) -dnsdelegationcredential (get-credential)}

PSComputerName : DC2-full
RunspaceId     : ca62ff66-cc34-4ec8-8504-863c950c473a
Message        : The operation failed because:

                 Failed to create a trust with domain child.contoso.com on the parent domain controller

                 "Access is denied."

                 This server has been disjoined from domain "CONTOSO".

Context        : DCPromo.General.54
RebootRequired : False
Status : Error

Additionally, the server is removed from the parent domain, and no child domain is created.


This issue occurs because credentials that were given to-dnsdelegationcredential contained a bad password.


To resolve this issue, follow these steps:
  1. Rejoin the server to the parent domain to enable remote Windows PowerShell connectivity through the Invoke-Command cmdlet. (By default, this cmdlet requires the Kerberos protocol.) 
  2. Try to create the domain again. When you do this, make sure that you provide the DNS Delegation credentials by using a valid username and password.

More information

Unlike the password for the other two credentials that are provided in this scenario, the password for the DNS delegation credential is not tested until it is actually used. However, at that point in the domain deployment, many other changes have been made, and the bad credentials cause a fatal error when they are used later.

This issue occurs only when you provide a bad password through remote Windows PowerShell invocation. If the DNS delegation is run locally, the delegation will still fail but will provide a warning that delegation was not configured and will let promotion otherwise succeed.


Article ID: 2738060 - Last Review: October 2, 2012 - Revision: 7.0
Applies to
  • Windows Server 2012 Datacenter
  • Windows Server 2012 Standard

Give Feedback


Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com