"Access is denied" error message when you create a child domain remotely by using Install-AddsDomain

Article ID: 2738060

Symptoms

When you use the Install-AddsDomain cmdlet from the Windows Server 2012 AddsDeployment Windows PowerShell module together with the Invoke-Command cmdlet to remotely create a new child domain, you receive the following error message:

Invoke-command -computer DC2-FULL -credential (get-credential) -scriptblock {Install-addsdomain -newdomainname child -parentdomain contoso.com -domaintype child -credential (get-credential) -dnsdelegationcredential (get-credential)}

PSComputerName : DC2-full
RunspaceId     : ca62ff66-cc34-4ec8-8504-863c950c473a
Message        : The operation failed because:

                 Failed to create a trust with domain child.contoso.com on the parent domain controller
                 dc1-full.contoso.com

                 "Access is denied."

                 This server has been disjoined from domain "CONTOSO".

Context        : DCPromo.General.54
RebootRequired : False
Status         : Error

Additionally, the server is removed from the parent domain, and no child domain is created.

Cause

This issue occurs because the credentials that were given to -dnsdelegationcredential contained a bad password.

Resolution

To resolve this issue, follow these steps:
  1. Rejoin the server to the parent domain to enable remote Windows PowerShell connectivity through the Invoke-Command cmdlet. (By default, this cmdlet requires the Kerberos protocol.) 
  2. Try to create the domain again. When you do this, make sure that you provide the DNS Delegation credentials by using a valid username and password.

More information

Unlike the password for the other two credentials that are provided in this scenario, the password for the DNS delegation credential is not tested until it is actually used. However, at that point in the domain deployment, many other changes have been made, and the bad credentials cause a fatal error when they are used later.

This issue occurs only when you provide a bad password through remote Windows PowerShell invocation. If the DNS delegation is run locally, the delegation will still fail but will provide a warning that delegation was not configured and will let promotion otherwise succeed.
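
A pre-flight check for the behavior described above, as an added example that is not part of the original article: it collects the three credentials once, validates each password against the parent domain, and starts the remote promotion only if all three are accepted. It assumes the admin workstation can reach contoso.com; Test-DomainCredential is a hypothetical helper, and a successful check confirms only the password, not that the account has rights to create the DNS delegation.

```powershell
# Added example. Computer, domain and parameter values mirror the article's sample command.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-DomainCredential {
    # Hypothetical helper: returns $true if the domain accepts the user name and password.
    # A rejected password counts as a failed logon toward the account lockout threshold.
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
    )
    $net     = $Credential.GetNetworkCredential()   # splits DOMAIN\user into its parts
    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $ctx     = New-Object System.DirectoryServices.AccountManagement.PrincipalContext `
                   -ArgumentList $ctxType, $Domain
    try     { return $ctx.ValidateCredentials($net.UserName, $net.Password) }
    finally { $ctx.Dispose() }
}

$parent = 'contoso.com'

# Prompt once for each credential so the same objects are checked and then used.
$creds = [ordered]@{
    Remoting      = Get-Credential -Message 'Account for Invoke-Command on DC2-FULL'
    Promotion     = Get-Credential -Message 'Account for -Credential'
    DnsDelegation = Get-Credential -Message 'Account for -DnsDelegationCredential'
}

# Collect the names of every credential the parent domain rejects.
$bad = @($creds.Keys | Where-Object {
    -not (Test-DomainCredential -Domain $parent -Credential $creds[$_])
})
if ($bad.Count -gt 0) {
    # Stop before any change is made, so the server is never disjoined.
    throw "Rejected by ${parent}: $($bad -join ', '). Promotion not started."
}

# All passwords verified: pass the validated objects into the remote session.
$promo = $creds.Promotion
$dns   = $creds.DnsDelegation
Invoke-Command -ComputerName DC2-FULL -Credential $creds.Remoting -ScriptBlock {
    Install-ADDSDomain -NewDomainName child -ParentDomainName contoso.com -DomainType child `
        -Credential $using:promo -DnsDelegationCredential $using:dns
}
```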

Properties

Article ID: 2738060 - Last Review: October 2, 2012 - Revision: 7.0
Applies to
  • Windows Server 2012 Datacenter
  • Windows Server 2012 Standard
Keywords: KB2738060
