Question : DCPROMO fails when existing DC's are on different subnet / segment

Hi Everyone,

Here is my set up:

All domain controllers are running Windows Server 2008 R2 Enterprise Edition.

ISA-SERVER:
Handles DHCP for 2 segments: 192.168.0.1 and 192.168.10.1.
Traffic between segments is routed and unrestricted.

192.168.0.1 Subnet:
Home to 3 DC's:
DC1-5025 (192.168.0.101)
DC2-5099 (192.168.0.102)
DC3-5099 (192.168.0.103)

192.168.10.1 Subnet:
I want to add:
DC4-5025 (192.168.10.10)

All 4 Servers:
Windows Firewall service is disabled.
Are running 2K8 R2 Enterprise Server.
Can ping one another by name and by IP address

In DC4-5025:
All NIC's except one are disabled.
Only one DNS server is specified (192.168.0.101).
DC4-5025 can join the domain as a member server, but keeps failing DCPROMO.  It also fails DCPROMO when trying to join from scratch.  I can't remember the exact error offhand, but it fails at the point where DCPROMO is trying to create an NTDS Settings object for DC4-5025.  It also says "remote procedure call failed" or "RPC failed" depending on what settings I played with prior to testing/trying.  Also, I don't know if this helps, but during DCPROMO, the "Examining DNS Configuration..." prompt takes about 5 minutes to pass, which seemed long to me.

When I plugged the same server (DC4-5025) into the 192.168.0.1 segment (and set a valid IP on that segment, of course), it was able to join the domain, albeit on a second attempt.

Is there some security setting I'm overlooking in 2K8 (R2) that prevents computers in other segments from becoming Domain Controllers?  The firewalls are already totally disabled.

Any help is greatly appreciated!

Answer : DCPROMO fails when existing DC's are on different subnet / segment

Folks,

The problem has been solved.

I disabled RPC Compliance on my rule for allowing all Internal Traffic

AND

I added the new would-be domain controller to the list for custom Flood Mitigation rules.

Thanks to everyone for their effort.