Creating a new child domain – Microsoft Windows 2016 Server

14/07/2017 Article

BG

Well, that was several hours of my life I won’t get back. Creating a new child domain is not an easy task, but we like challenges. This article will help you save many hours from finding how to create a new child domain.

TL;DR

– Microsoft error messages still suck in Windows Server 2016
– Add the member server that will become the child-domain domain-controller to the parent domain before promoting it to a DC.

I was recently on a non-standard job. My client was interested in having a brand new Active Directory domain built to the best possible standards of information / “cyber” security.

I haven’t done much blue-team work for a little while, but I am always up for a challenge and this felt like a good opportunity to get my head around some of the challenges of setting up Windows 2016.

First of all, a side note: I hate Windows 2016 Core (aka non-GUI), and I’m going to leave that there.

Moving on…

For reasons that are not best described here, my client wants a siloed Active Directory domain architecture.

Essentially, the ability to have different parts of the wider business belong to different container shells, whilst still having overarching control over the whole lot. This means a parent domain (or root, in *nix parlance); this parent domain sits at the top of the Active Directory forest hierarchy.

Each child domain then inherits “stuff” (technical term) from the parent domain and can set its own controls. As a red-teamer, one goal in this scenario would be to become Enterprise Admin, as this is the group that by default is truly in charge.

Long story short, I battled for hours trying to work out how to get this Windows 2016 vanilla-build server to become a domain controller for a child domain within the forest. No joy.

I kept getting a message “auth problem XXX”. Some research indicated that authentication had nothing to do with the problem; in fact, DNS was the problem.

Go Microsoft with the useful error messages!

Having spent loads of time on the DNS configuration, I got nowhere. I tried everything, from the obvious (pointing the child at the parent for DNS) to manually creating DNS zones on the parent and the child, and everything in between.

Literally hours of different combinations and I was still not getting anywhere.

I wish I could claim that this was my idea. However, in a state of despair, I called a friend and explained the situation.

His response was:

“Well you have tried everything I would have thought of and I’ll be honest, I’ve never done it before so I am not sure….”

He trailed off, and as I was responding he suddenly interrupted me, saying:

“Have you joined the server that will become the child domain controller to the parent domain and then tried promoting it?”

The answer was no.

At first glance, this doesn’t make much sense, as you are trying to add the machine to a sub-domain.

However, when you think a little deeper it does make sense.

The child would then appear correctly in DNS on the parent’s DNS service, and the server and the parent domain would already have a basic trust relationship in place, making authentication “easier”.

So, the very short version: to create a new child-domain domain controller, first join the member server that will be promoted to the parent domain, and only then promote it.
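The sequence the article arrives at (point the server’s DNS at the parent, check the parent’s DC locator records resolve, join the parent domain, reboot, then promote as a child DC), as an added PowerShell example that is not code from the original post. The parent domain name, child name, parent DC address and NIC alias are assumed placeholders.

```powershell
# Added example, not the article's own code. Assumed placeholders: parent domain
# corp.example, child name "eu", parent DC at 10.0.0.10, NIC alias "Ethernet".
$ParentDomain = 'corp.example'
$ChildName    = 'eu'
$ParentDnsIp  = '10.0.0.10'
$Nic          = 'Ethernet'

function Test-ParentDnsReady {
    # Promotion needs the parent's DC locator (SRV) records. If these do not resolve,
    # the failure surfaces later as the misleading authentication error the article hit,
    # so check DNS explicitly before doing anything else.
    Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $ParentDnsIp
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ParentDomain" -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) {
        throw "No DC SRV records for $ParentDomain via $ParentDnsIp - fix DNS before joining."
    }
    return $srv | Select-Object Name, NameTarget, Port
}

function Join-ParentDomain {
    # Phase 1: join the future child DC to the PARENT domain as a plain member server,
    # then reboot. This is the step the article found was missing.
    Test-ParentDnsReady | Out-Null
    $cred = Get-Credential -Message "Account in $ParentDomain allowed to join computers"
    Add-Computer -DomainName $ParentDomain -Credential $cred -Restart
}

function Install-ChildDomainController {
    # Phase 2: run after the reboot, logged on with a parent-domain account. Creating a
    # new domain in the forest requires Enterprise Admins membership.
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
    $entCred = Get-Credential -Message "Enterprise Admins member in $ParentDomain"
    $dsrm    = Read-Host -Prompt 'DSRM (safe mode) password' -AsSecureString
    Install-ADDSDomain `
        -DomainType ChildDomain `
        -ParentDomainName $ParentDomain `
        -NewDomainName $ChildName `
        -NewDomainNetbiosName $ChildName.ToUpper() `
        -Credential $entCred `
        -SafeModeAdministratorPassword $dsrm `
        -InstallDns:$true `
        -CreateDnsDelegation:$true `
        -Force:$true
}
```

Run `Join-ParentDomain` first; after the reboot, run `Install-ChildDomainController` on the same server.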
