Solved

Problem with creating domain tree

Posted on 2008-10-08
412 Views
Last Modified: 2013-12-05
Hi,
I am trying to create a new domain tree. I have two domains: CERT (parent domain) with domain controller GC1.CERT (first domain controller of the tree) and DW.CERT (child domain) with SRV1.DW.CERT (which is the only domain controller of the DW.CERT domain).


- I create a new zone on the DNS server of the CERT domain called DW
- I run the dcpromo command on the future domain controller of the DW.CERT domain (SRV1.DW.CERT)
- Creation of AD for DW.CERT terminates without errors or warnings

After that I can see the AD of the CERT domain from my new domain controller SRV1.DW.CERT, but I can't do so from GC1.CERT (which is the first domain controller of CERT).
For example, on SRV1.DW.CERT I can assign a permission to CERT domain users. When I try to do the same thing on GC1.CERT I receive an error:
"The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you"
7 Comments
LVL 10

Expert Comment

by:Rudram
ID: 22667980
* Is the DNS setup all OK in the AD infrastructure?

* Could you try resolving the names of the servers from the DCs of both the parent and child domains?

* Try using the dcdiag.exe and netdiag.exe tools to check for any anomalies (dcdiag /test:DNS might reveal something worthwhile)

Good Luck (^_^)


Author Comment

by:minjakon
ID: 22668137
Hi Rudram, thanks for the response.

I ran dcdiag.exe and this is the result:

1 test failure on this DNS server
               Delegation is broken for the domain cert.cert. on the DNS server
172.27.50.49

What does it mean?


Performing initial setup:
   Done gathering initial info.
 
Doing initial required tests
 
   Testing server: Default-First-Site-Name\GC1
      Starting test: Connectivity
         ......................... GC1 passed test Connectivity
 
Doing primary tests
 
   Testing server: Default-First-Site-Name\GC1
 
DNS Tests are running and not hung. Please wait a few minutes...
 
   Running partition tests on : ForestDnsZones
 
   Running partition tests on : DomainDnsZones
 
   Running partition tests on : Schema
 
   Running partition tests on : Configuration
 
   Running partition tests on : cert
 
   Running enterprise tests on : cert
      Starting test: DNS
         Test results for domain controllers:
 
            DC: server.cert
            Domain: cert
 
 
               TEST: Delegations (Del)
                  Error: DNS server: server.cert. IP:172.27.50.49 [Broken delegated domain cert.cert.]
 
         Summary of test results for DNS servers used by the above domain controllers:
 
            DNS server: 172.27.50.49 (server.cert.)
               1 test failure on this DNS server
               Delegation is broken for the domain cert.cert. on the DNS server
172.27.50.49
 
         Summary of DNS test results:
 
                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: cert
               server                       PASS PASS PASS FAIL PASS PASS n/a

LVL 4

Expert Comment

by:lscapa
ID: 22668785
Are you receiving any LSA service errors on either DC?
LVL 4

Expert Comment

by:lscapa
ID: 22668797
Since this is a child domain, use MPSReports from Microsoft and look at the resulting logs. This will help you immensely in troubleshooting AD issues.
LVL 10

Accepted Solution

by: Rudram (earned 500 total points)
ID: 22676234
* From your statement in the question - "I create a new zone on DNS server of CERT domain called DW" - I guess that you must have simply created a new zone in the DNS server of the parent domain.

* So if you want to host the DNS zone of the child domain in the parent domain, then you should basically be using the "New Delegation" wizard in the DNS snap-in (right-click on the parent domain's DNS forward lookup zone and select the option New Delegation).

* Follow the wizard and you will be creating a new sub-zone for the sub-domain (child domain).

Hope this works (^_^)
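The two pieces of advice in this thread (check name resolution from both DCs and run the dcdiag DNS test, then replace the manually created "DW" zone with a proper delegation from the "New Delegation" wizard) can be scripted. The following is an added example, not code posted by anyone in the thread and not Microsoft's own tooling; it assumes Windows Server 2012 or later with the DnsServer and DnsClient PowerShell modules, is run on the parent DC GC1.CERT by a DNS administrator, and uses the host and zone names from the question. The child DC's IP address is a placeholder.

```powershell
# Added example: verify cross-domain name resolution, inspect the parent zone's
# delegations, and create the parent-to-child delegation that the "New Delegation"
# wizard would create. Assumes the DnsServer/DnsClient modules (Windows Server 2012+).

$parentDns  = 'gc1.cert'        # parent DC hosting the "cert" zone (from the question)
$childDns   = 'srv1.dw.cert'    # only DC and DNS server of the child domain (from the question)
$parentZone = 'cert'
$childZone  = 'dw.cert'         # child zone to be delegated from the parent zone
$childDcIp  = '192.0.2.10'      # PLACEHOLDER: real address of SRV1.DW.CERT

# 1. Each DC must resolve the other through its own DNS server; if either lookup
#    fails, Kerberos referrals between the domains fail and errors like
#    "possible attempt to compromise security" follow.
foreach ($pair in @(@($parentDns, $childDns), @($childDns, $parentDns))) {
    $server, $target = $pair
    try {
        $a = Resolve-DnsName -Name $target -Server $server -Type A -ErrorAction Stop
        '{0,-14} resolves {1,-14} -> {2}' -f $server, $target, ($a.IPAddress -join ', ')
    } catch {
        '{0,-14} CANNOT resolve {1}: {2}' -f $server, $target, $_.Exception.Message
    }
}

# 2. List the delegations the parent zone currently holds (NS records below the
#    apex). A zone created by hand with "New Zone" is not a delegation, so the
#    child label will be missing here; dcdiag reports the same thing under "Del".
$delegations = Get-DnsServerResourceRecord -ComputerName $parentDns -ZoneName $parentZone -RRType NS |
    Where-Object { $_.HostName -ne '@' }
if ($delegations) {
    $delegations | Format-Table HostName, @{ n = 'NameServer'; e = { $_.RecordData.NameServer } } -AutoSize
} else {
    "No delegations found in zone $parentZone"
}

# 3. Create the delegation if it is absent: an NS record for dw.cert in the parent
#    zone plus a glue A record for the child's DNS server, exactly what the wizard adds.
$existing = Get-DnsServerZoneDelegation -ComputerName $parentDns -Name $parentZone `
    -ChildZoneName $childZone -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerZoneDelegation -ComputerName $parentDns -Name $parentZone `
        -ChildZoneName $childZone -NameServer $childDns -IPAddress $childDcIp
}

# 4. Re-check: the parent server must now answer NS for the child zone, and the
#    dcdiag delegation sub-test from the thread should no longer report a failure.
Resolve-DnsName -Name $childZone -Server $parentDns -Type NS
dcdiag /s:$parentDns /test:DNS /DnsDelegation
```

Before step 3, delete the hand-made "DW" primary zone on the parent server, otherwise the parent answers for dw.cert itself instead of referring clients to SRV1.DW.CERT. On Windows Server 2008, where the DnsServer module does not exist, the same two records can be added with dnscmd (`dnscmd gc1.cert /RecordAdd cert dw NS srv1.dw.cert` and `dnscmd gc1.cert /RecordAdd cert srv1.dw A <ip>`), or through the New Delegation wizard as the accepted answer describes.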
LVL 10

Expert Comment

by:Rudram
ID: 22676250
* The above condition matters when you are using the DNS server of the parent domain as the name resolution system for the child domain too (i.e. unless the child domain has a DNS server of its own).

(^_^)
Author Closing Comment

by:minjakon
ID: 31504162