Solved

Cannot Authorise DHCP server on a Child DC

Posted on 2007-10-09
8
Medium Priority
1,215 Views
Last Modified: 2008-05-31
I cannot authorise a DHCP server on a Windows 2003 server that's a DC for a Child Domain. Dcpromo did not return any errors. I am logged in as Enterprise Administrator.
After authorising, ADSIedit shows a new entry for this server in CN=Services, CN=NetServices but the DHCP server remains unauthorized with a DhcpServer error: "The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain, has determined that it is not authorized to start.  It has stopped servicing clients.  The following are some possible reasons for this:.."
0
Comment
Question by:alex_harl
  • 5
  • 3
8 Comments
 
LVL 9

Accepted Solution

by:
MSE-dwells earned 500 total points
ID: 20040407
Usually repl. latency -- since you're logged on as an EA, ADSIEDIT is sourcing the directory data from a forest root DC which is almost certainly where the change was also written.  Once replication occurs and the DHCP service notices (or is restarted), it will begin servicing clients.  You can, of course, force replication to speed up the process (or worse, replication may be broken) ...
0
 

Author Comment

by:alex_harl
ID: 20042973
The problem is with replication, 'Replicate now' from the Child DC's NTDS object brings up an error "The following error occurred during the attempt to contact domain controller: RPC server is unavailable".
Dcdiag output on child DC passes all checks, netdiag has several errors - Redir and Browser test : Failed
[FATAL] Cannot send mailslot message to '\\domain*\MAILSLOT\NET\NETLOGON' via redir. [ERROR_BAD_NETPATH], and
DC list test: Failed Failed to enumerate DCs by using the browser [ERROR_NO_BROWSER_SERVERS_FOUND]
Replmon on forest root DC shows successful replication attempts in both directions.
My first thought was DNS - child DC points to itself in NIC properties and has parent domain DNS servers as forwarders.
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20043047
Let's start with the simple/big wins -

1. Restart the DNS servers in the child domain
2. Flush the DNS cache on the DCs in the child domain
   - run a shell
   - type      ipconfig /flushdns
3. Verify the forwarders are functioning
4. Verify the DNS zones on the root DCs are populated as you'd expect
0
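The checks behind the accepted answer (is the authorisation present on the child DC yet, and is replication flowing?) and the four DNS steps above, collected into one PowerShell script. This is an added example, not code from the thread or from either participant; the forest, domain and DC names are placeholders, and it assumes the Windows Server 2003 Support Tools (repadmin, dcdiag, dsquery) are installed on the DC it runs on. It goes one step further than the thread by querying the DHCP authorisation objects on each DC separately, which is the direct way to see replication latency rather than inferring it.

```powershell
# Added example: replication, DHCP-authorisation and DNS checks for a child-domain DC.
# Placeholder names (assumptions, not from the thread): forest root example.com,
# child domain child.example.com, root DC ROOT-DC1 and child DC CHILD-DC1.
param(
    [string]$RootDomainDn = 'DC=example,DC=com',
    [string]$ChildDomain  = 'child.example.com',
    [string]$RootDc       = 'ROOT-DC1.example.com',
    [string]$ChildDc      = 'CHILD-DC1.child.example.com',
    [switch]$RestartDhcp                      # only meaningful when run on the DHCP server itself
)

# Authorised DHCP servers are dHCPClass objects in the Configuration partition.
$netServices = "CN=NetServices,CN=Services,CN=Configuration,$RootDomainDn"

# 1. Ask each DC separately. The DHCP service only honours what its own DC holds,
#    so an entry present on the root DC but missing on the child DC is replication latency.
foreach ($dc in @($RootDc, $ChildDc)) {
    Write-Host "`n== Authorised DHCP servers according to $dc =="
    & dsquery * $netServices -s $dc -scope onelevel -filter '(objectClass=dHCPClass)' -attr cn dhcpServers
}

# 2. Replication health for the forest, the child DC's inbound partners, then a push
#    sync of all partitions across sites (/A all NCs, /P push, /e enterprise, /d show DNs).
Write-Host "`n== Replication summary (failures and largest delta per DC) =="
& repadmin /replsummary

Write-Host "`n== Inbound replication partners of $ChildDc =="
& repadmin /showrepl $ChildDc

Write-Host "`n== Forcing replication from $ChildDc =="
& repadmin /syncall $ChildDc /APed

# 3. Clear the resolver cache on this DC so stale or negative answers do not mask the fix.
& ipconfig /flushdns

# 4. Forwarders: the child DC's DNS should resolve a name from the parent zone via its forwarders.
Write-Host "`n== Resolve the root DC through the child DC's DNS (forwarder test) =="
& nslookup -type=A $RootDc $ChildDc

# 5. The root DCs' copy of the child zone must carry the locator records for the child DC.
Write-Host "`n== SRV records for the child domain, as held by the root DC =="
& nslookup -type=SRV "_ldap._tcp.dc._msdcs.$ChildDomain" $RootDc
& nslookup -type=SRV "_kerberos._tcp.dc._msdcs.$ChildDomain" $RootDc

# 6. dcdiag's DNS and replication tests against the child DC summarise the same things.
& dcdiag /s:$ChildDc /test:DNS /test:Replications

# 7. Names the DC failed to resolve since the flush sit in the cache as negative entries;
#    -Context 2,0 prints the two lines above each match, which is where the name appears.
Write-Host "`n== Negative (name not found) entries now in the resolver cache =="
& ipconfig /displaydns | Select-String -Pattern 'does not exist' -Context 2,0

# 8. The DHCP service re-checks its authorisation on its own schedule; a restart makes it
#    re-read the now-replicated entry immediately.
if ($RestartDhcp) { Restart-Service -Name DHCPServer }
```

Run it on the child DC as an Enterprise Admin. If step 1 lists the dHCPClass object on the root DC but not on the child DC, wait for the sync in step 2 and re-run; if step 7 prints a record that should exist, that is the missing RR to fix in DNS before forcing replication again.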
 

Author Comment

by:alex_harl
ID: 20044101
Hi, DHCP server is now authorised but the time stamp for the event is much earlier than restarting the DNS server and flushing DNS. Not to confuse matters - let's leave DHCP for a second and look at the replication
(I did get the DHCP server to authorize and it remained active for a few days, I would have made numerous changes since it stopped working so one of those could have caused it to start again - better look at the other problems, if that's OK).

Following your steps, forwarders are functioning OK, the DNS zone for child.domain.com on root DCs has A records - servername and same as parent folder for the child DC, and as far as I can see correct fqdn SRV records for the child DC. Attempting to replicate still causes the RPC locator unavailable. Netdiag output has the same errors.
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20044745
On the child DC, run a command shell and enter -

ipconfig /flushdns

... look for entries that state 'name not found' or the like and paste the corresponding RR back here.
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20044802
Minor correction ... I erased one of the steps.  After you've flushed the resolver cache (/flushdns), use Sites and Services and force replication ... then follow the last instruction.
0
 

Author Comment

by:alex_harl
ID: 20047517
Apologies - the RPC Locator message was an error on my part - I mistakenly used NTDS object for a different site that is genuinely unavailable. There aren't any 'name not found' in DNS.

I'd say the reason for the DHCP problem was as you suggested replication latency, I would have then made changes to DNS without flushing the cache. So your second suggestion was also right.

I can force replication in both directions. As my DHCP problem is fixed I will assign the points, just to check if you have any suggestions re DC list and netdiag errors.
0
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20065133
No browsers found is kinda moot since it's referring to a legacy service, that said though, it's not something I recollect seeing on a regular basis.  As for your other repl. issue, what's causing that?
0
