Solved

Problem with creating domain tree

Posted on 2008-10-08
Last Modified: 2013-12-05
Hi,
I am trying to create a new domain tree. I have two domains: CERT (parent domain) with domain controller GC1.CERT (first domain controller of the tree) and DW.CERT (child domain) with SRV1.DW.CERT (which is the only domain controller of the DW.CERT domain).


- I create a new zone on DNS server of CERT domain called DW
- I run the dcpromo command on the future domain controller of the DW.CERT domain (SRV1.DW.CERT)
- Creation of AD DW.CERT terminates without errors or warnings

After that I can see AD of CERT domain from my new domain controller SRV1.DW.CERT, but I can't do so from GC1.CERT (which is the first domain controller of CERT).
For example, on SRV1.DW.CERT I can assign a permission to CERT domain users. When I try to do the same thing on GC1.CERT I receive an error:
"The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you"
7 Comments
LVL 10

Expert Comment

by:Rudram
ID: 22667980
* Is the DNS setup all OK in the AD infrastructure?

* Could you try resolving names of the servers from DCs from both the parent and child domains

* Try using the dcdiag.exe and netdiag.exe tools to check for any anomalies (dcdiag /test:DNS might reveal something worthy)

Good Luck (^_^)


Author Comment

by:minjakon
ID: 22668137
Hi Rudram, thanks for the response.

I ran dcdiag.exe and this is the result:

1 test failure on this DNS server
               Delegation is broken for the domain cert.cert. on the DNS server
172.27.50.49

What does it mean?


Performing initial setup:
   Done gathering initial info.
 
Doing initial required tests
 
   Testing server: Default-First-Site-Name\GC1
      Starting test: Connectivity
         ......................... GC1 passed test Connectivity
 
Doing primary tests
 
   Testing server: Default-First-Site-Name\GC1
 
DNS Tests are running and not hung. Please wait a few minutes...
 
   Running partition tests on : ForestDnsZones
 
   Running partition tests on : DomainDnsZones
 
   Running partition tests on : Schema
 
   Running partition tests on : Configuration
 
   Running partition tests on : cert
 
   Running enterprise tests on : cert
      Starting test: DNS
         Test results for domain controllers:
 
            DC: server.cert
            Domain: cert
 
 
               TEST: Delegations (Del)
                  Error: DNS server: server.cert. IP:172.27.50.49 [Broken delega
ted domain cert.cert.]
 
         Summary of test results for DNS servers used by the above domain contro
llers:
 
            DNS server: 172.27.50.49 (server.cert.)
               1 test failure on this DNS server
               Delegation is broken for the domain cert.cert. on the DNS server
172.27.50.49
 
         Summary of DNS test results:
 
                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: cert
               server                       PASS PASS PASS FAIL PASS PASS n/a

LVL 4

Expert Comment

by:lscapa
ID: 22668785
Are you receiving any LSA service errors on either DC?
LVL 4

Expert Comment

by:lscapa
ID: 22668797
Since this is a child domain, use mpsreports from Microsoft and look at the resulting logs. This will help you immensely in troubleshooting AD issues....
LVL 10

Accepted Solution

by:
Rudram earned 500 total points
ID: 22676234
* From your statement in the question, "I create a new zone on DNS server of CERT domain called DW", I guess that you must have simply created a new zone in the DNS server of the parent domain.

* So if you have to host the DNS zone of the child domain in the parent domain, then you should basically be using the "New Delegation" wizard in the DNS snap-in (right-click on the parent domain DNS forward lookup zone and select the option New Delegation).

* Follow the wizard and you will be creating a new sub-zone for the sub-domain (child domain).

Hope this works (^_^)
LVL 10

Expert Comment

by:Rudram
ID: 22676250
* The above condition matters when you are using the DNS server of the parent domain as the name resolution system for the child domain too (i.e. unless you have a DNS server of its own for the child domain).

(^_^)
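The accepted solution and its follow-up describe the fix through the DNS snap-in. The following is an added example, not code from the thread or from any of its participants, showing the same parent-to-child delegation done and then verified from PowerShell on the parent-domain DNS server. It assumes the DnsServer module (Windows Server 2012 and later; the 2008-era servers in the thread would use the snap-in or dnscmd.exe instead), reuses the names from the thread (CERT parent zone, DW.CERT child, SRV1.DW.CERT child DC, GC1.CERT parent DC), and uses a placeholder IP address for the child DC that is not from the thread.

```powershell
# Added example (not from the original thread): delegate the child domain's DNS
# zone from the parent zone instead of hosting a separate "DW" zone there, then
# verify with the same dcdiag DNS test that failed in the question.
# Requires the DnsServer module; run on the parent-domain DNS server (GC1.CERT).

$ParentZone = 'cert'            # parent domain zone hosted on GC1.CERT
$ChildLabel = 'dw'              # delegated sub-domain label, i.e. dw.cert
$ChildDns   = 'srv1.dw.cert'    # DNS server authoritative for dw.cert (child DC)
$ChildDnsIP = '172.27.50.99'    # ASSUMED placeholder, not an address from the thread

# 0. A plain zone named "dw" created earlier on the parent server would answer
#    authoritatively and mask the delegation, so report it before proceeding.
$stale = Get-DnsServerZone -Name "$ChildLabel.$ParentZone" -ErrorAction SilentlyContinue
if ($stale) {
    Write-Warning "Zone $($stale.ZoneName) is hosted locally; remove it (Remove-DnsServerZone) before delegating."
}

# 1. Create the delegation: NS record for dw.cert in the parent zone plus the
#    glue A record for the child DC (what the "New Delegation" wizard does).
Add-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildLabel `
    -NameServer $ChildDns -IPAddress $ChildDnsIP

# 2. Show the NS and glue records that now exist in the parent zone.
Get-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildLabel

# 3. Each DC name should resolve from the parent server (the check suggested in
#    the first comment); repeat the same loop on SRV1.DW.CERT for the other side.
foreach ($dc in 'gc1.cert', 'srv1.dw.cert') {
    Resolve-DnsName -Name $dc -Type A -Server localhost -ErrorAction Continue
}

# 4. The child domain's DC locator record must now be reachable through the
#    delegation; this is the lookup Kerberos and LDAP clients in CERT depend on.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ChildLabel.$ParentZone" -Type SRV -Server localhost

# 5. Re-run only the delegation sub-test of dcdiag; the "Del" column in the
#    summary (FAIL in the question's output) should now read PASS.
dcdiag.exe /test:DNS /DnsDelegation /v
```

Step 0 is the caveat a practitioner would want: a zone hosted on the server takes precedence over a delegation for the same name, which is exactly the situation the accepted answer suspects ("simply created a new zone"). As the follow-up comment says, none of this is needed if the child domain runs its own DNS server and clients in both domains are pointed at resolvers that can reach both zones.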

Author Closing Comment

by:minjakon
ID: 31504162