This is something I meant to blog about months ago, but for some reason I let it slip my mind. It just came up again in a conversation I had yesterday, and I couldn't believe I forgot to post it here. (It also may or may not be similar to a test question that someone might encounter if he or she were taking some Microsoft-centric certification tests.)
It started when someone on ServerFault asked the question, "Do you need a GC online to DCPROMO?"
Well, the short answer to that question is no: you don't need a global catalog online (or reachable) from the computer you are trying to simply promote into a domain controller. But that got me thinking. I'd like to go a step farther and see for myself what the bare minimum requirements are for promoting a computer to a domain controller in an existing domain, especially concerning which FSMO role holders have to be reachable from the new DC. I don't care about anything else right now (such as how useful this DC might be after it's promoted) except for just successfully completing the DCPromo process.
On one hand, this might seem like just a silly theoretical exercise, but on the other hand, you just might want to have this knowledge if you ever work in a large enterprise environment where your network is not fully routed, and all DCs are not fully meshed. You might need to create a domain controller in a segment of the network where it has network connectivity to some other DCs, but not all of them.
Well I have a fine lab handy, so let's get this show on the road.
- Create three computers.
- Make two of them DCs for the same single-domain forest (of the 2008+ variety).
- Make only one of them a global catalog.
- Leave all FSMOs on the first domain controller, for now.
So when you promote a writable domain controller, you need two things: another writable domain controller online from which to replicate the directory, and your first RID pool allocation, which comes directly from the RID pool FSMO role holder. When you promote an RODC, you don't even need the RIDs, since RODCs don't create objects or replicate outbound. If the computer cannot reach the RID pool master, meaning direct RPC connectivity, DCPROMO will give you this message:
You will not be able to install a writable replica domain controller at this time because the RID master DC1.domain.com is offline.
But you can still create an RODC, as long as the domain controller with which you can communicate is not also an RODC; it has to be an RWDC.
So the final steps to prove this theory are:
- Transfer only the RID master to the second domain controller.
- Power down the first domain controller.
At this point, only the RID pool master is online, and no global catalog is online. Now run DCPromo on your third computer. Can you successfully promote the new domain controller as an RWDC?
Yes you can.
Now, you'll encounter some other problems down the road, such as the new DC not being able to process password changes because it cannot contact the PDCe, but you've successfully added a new domain controller to the domain nonetheless.
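The requirements worked out above can be turned into a pre-flight check on the candidate computer before you run DCPromo. This is an added example, not code from the original post; it assumes Windows Server 2012 or later with the RSAT ActiveDirectory and ADDSDeployment modules installed, the domain name domain.com from the post, and a placeholder site name.

```powershell
# Added example: pre-flight check for the minimum DCPROMO requirements.
# Assumptions: RSAT ActiveDirectory + ADDSDeployment modules, Windows Server
# 2012+ (Test-NetConnection), domain "domain.com", placeholder site name.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$DomainName = 'domain.com'
$SiteName   = 'Default-First-Site-Name'   # placeholder, use your target site

# Get-ADDomain needs *some* DC running ADWS (TCP 9389) to be reachable;
# it does not have to be a role holder or a global catalog.
$Domain = Get-ADDomain -Identity $DomainName

# TCP 135 (RPC endpoint mapper) stands in for "direct RPC connectivity".
# A firewall that passes 135 but blocks the dynamic RPC range would still
# break promotion, so a pass here is necessary, not sufficient.
function Test-Rpc([string]$Computer) {
    (Test-NetConnection -ComputerName $Computer -Port 135 `
        -WarningAction SilentlyContinue).TcpTestSucceeded
}

$RidMasterUp = Test-Rpc $Domain.RIDMaster
$PdcUp       = Test-Rpc $Domain.PDCEmulator
"RID master   {0} reachable: {1} (required for a writable DC)" -f $Domain.RIDMaster, $RidMasterUp
"PDC emulator {0} reachable: {1} (not required to promote)"    -f $Domain.PDCEmulator, $PdcUp

# Any reachable writable DC will do as the replication source. Whether it
# is a global catalog is irrelevant, and an RODC cannot be the source.
$Source = Get-ADDomainController -Filter * -Server $Domain.DNSRoot |
    Where-Object { -not $_.IsReadOnly -and (Test-Rpc $_.HostName) } |
    Select-Object -First 1
if (-not $Source) {
    throw 'No writable DC is reachable; neither an RWDC nor an RODC can be promoted.'
}
"Replication source: {0} (GC: {1})" -f $Source.HostName, $Source.IsGlobalCatalog

# Run the prerequisite checker, not the installer, so nothing is changed yet.
$Cred    = Get-Credential -Message 'Domain Admins account for the promotion'
$DsrmPwd = Read-Host -AsSecureString -Prompt 'DSRM password for the new DC'
$Common  = @{ DomainName = $DomainName; Credential = $Cred; SiteName = $SiteName
              ReplicationSourceDC = $Source.HostName
              SafeModeAdministratorPassword = $DsrmPwd }
if ($RidMasterUp) {
    Test-ADDSDomainControllerInstallation @Common
} else {
    # The case from the post: RID master unreachable, only an RODC is possible.
    Test-ADDSDomainControllerInstallation @Common -ReadOnlyReplica
}
```

Swap Test-ADDSDomainControllerInstallation for Install-ADDSDomainController with the same parameters once the check passes.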