Solved

Problem with creating domain tree

Posted on 2008-10-08
387 Views
Last Modified: 2013-12-05
Hi,
I am trying to create a new domain tree. I have two domains: CERT (parent domain) with domain controller GC1.CERT (first domain controller of the tree) and DW.CERT (child domain) with SRV1.DW.CERT (which is the only domain controller of the DW.CERT domain).


- I create a new zone on the DNS server of the CERT domain called DW
- I run the dcpromo command on the future domain controller of the DW.CERT domain (SRV1.DW.CERT)
- Creation of AD for DW.CERT terminates without errors or warnings

After that I can see the AD of the CERT domain from my new domain controller SRV1.DW.CERT, but I can't do so from GC1.CERT (which is the first domain controller of CERT).
For example, on SRV1.DW.CERT I can assign a permission to CERT domain users. When I try to do the same thing on GC1.CERT I receive an error:
"The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you"
(attached screenshot: 08-10-2008-11.47.33.jpg)
Question by:minjakon
7 Comments
LVL 10

Expert Comment

by:Rudram
ID: 22667980
* Is the DNS setup all OK in the AD infrastructure?

* Could you try resolving the names of the servers from the DCs of both the parent and child domains?

* Try using the dcdiag.exe and netdiag.exe tools to check for any anomalies (dcdiag /test:DNS might reveal something worthy)

Good Luck (^_^)


Author Comment

by:minjakon
ID: 22668137
Hi Rudram, thanks for response

I ran dcdiag.exe and this is the result:

1 test failure on this DNS server
               Delegation is broken for the domain cert.cert. on the DNS server 172.27.50.49

What does it mean?

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   Testing server: Default-First-Site-Name\GC1
      Starting test: Connectivity
         ......................... GC1 passed test Connectivity

Doing primary tests
   Testing server: Default-First-Site-Name\GC1

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : cert

   Running enterprise tests on : cert
      Starting test: DNS
         Test results for domain controllers:

            DC: server.cert
            Domain: cert

               TEST: Delegations (Del)
                  Error: DNS server: server.cert. IP:172.27.50.49 [Broken delegated domain cert.cert.]

         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 172.27.50.49 (server.cert.)
               1 test failure on this DNS server
               Delegation is broken for the domain cert.cert. on the DNS server 172.27.50.49

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: cert
               server                       PASS PASS PASS FAIL PASS PASS n/a

LVL 4

Expert Comment

by:lscapa
ID: 22668785
Are you receiving any LSA service errors on either DC?
LVL 4

Expert Comment

by:lscapa
ID: 22668797
Since this is a child domain, use MPSReports from Microsoft and look at the resulting logs. This will help you immensely in troubleshooting AD issues....
LVL 10

Accepted Solution

by:
Rudram earned 500 total points
ID: 22676234
* From your statement in the question - "I create a new zone on DNS server of CERT domain called DW" - I guess that you must have simply created a new zone in the DNS server of the parent domain.

* So if you have to host the DNS zone of the child domain in the parent domain, then you should basically be using the "New Delegation" wizard in the DNS snap-in (right-click on the parent domain's DNS forward lookup zone and select the option New Delegation).

* Follow the wizard and you will be creating a new sub-zone for the sub-domain (child domain).

Hope this works (^_^)
LVL 10

Expert Comment

by:Rudram
ID: 22676250
* The above condition matters when you are using the DNS server of the parent domain as the name resolution system for the child domain too (i.e. unless the child domain has a DNS server of its own).

(^_^)
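The two checks the first comment asks for (name resolution from both sides, then the dcdiag DNS test) and the fix the accepted answer describes (a delegation for the child zone in the parent zone instead of an ordinary zone) can be scripted. The block below is an added example and is not code from the thread or from either poster. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT); on the 2008-era servers in the thread the same steps are done by hand in the DNS snap-in. The host names and the address 172.27.50.49 come from the thread; the address of SRV1.DW.CERT is a placeholder assumption.

```powershell
# Added example, not part of the original thread. Run in an elevated PowerShell on
# the parent DC (GC1.CERT) with the DnsServer module (Windows Server 2012+ / RSAT).
# Names and 172.27.50.49 are from the thread; SRV1's address is an assumption.
$ParentZone = 'cert'
$ChildZone  = 'dw'                    # delegated as dw.cert
$ParentDns  = '172.27.50.49'          # DNS server dcdiag reported the failure on
$ChildDc    = 'srv1.dw.cert'          # the only DC (and DNS server) of the child domain
$ChildDcIp  = '172.27.50.50'          # ASSUMED placeholder; replace with SRV1's real IP

# 1. Name resolution from both sides: can each DNS server find the DC locator
#    SRV records of both domains? If the parent's DNS cannot answer for dw.cert,
#    GC1 cannot reach the DC that authenticated the child-domain principal.
$probes = "_ldap._tcp.dc._msdcs.$ParentZone", "_ldap._tcp.dc._msdcs.$ChildZone.$ParentZone"
foreach ($dns in $ParentDns, $ChildDcIp) {
    foreach ($name in $probes) {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -Server $dns -ErrorAction Stop
            $targets = ($srv | Where-Object Type -eq 'SRV').NameTarget -join ', '
            '{0,-14} {1,-40} -> {2}' -f $dns, $name, $targets
        } catch {
            '{0,-14} {1,-40} -> FAILED ({2})' -f $dns, $name, $_.Exception.Message
        }
    }
}

# 2. A zone named dw.cert hosted on the parent's DNS server is authoritative there
#    and shadows any delegation, so GC1 never asks SRV1. Report it instead of
#    deleting it blindly; remove it only after confirming SRV1 hosts the real zone.
$shadow = Get-DnsServerZone -Name "$ChildZone.$ParentZone" -ComputerName $ParentDns -ErrorAction SilentlyContinue
if ($shadow) {
    Write-Warning "Zone $($shadow.ZoneName) is hosted on $ParentDns; remove it (Remove-DnsServerZone) before delegating."
} else {
    # 3. Create what the "New Delegation" wizard creates: an NS record for dw.cert
    #    inside the cert zone plus a glue A record for the child's name server.
    $delegation = Get-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName "$ChildZone.$ParentZone" `
                      -ComputerName $ParentDns -ErrorAction SilentlyContinue
    if (-not $delegation) {
        Add-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildZone `
            -NameServer $ChildDc -IPAddress $ChildDcIp -ComputerName $ParentDns
    }
    Get-DnsServerZoneDelegation -Name $ParentZone -ComputerName $ParentDns |
        Format-Table ChildZoneName, NameServer, IPAddress -AutoSize
}

# 4. Re-run only the delegation sub-test that showed FAIL in the "Del" column of the
#    dcdiag output above, then confirm GC1 can locate a DC for the child domain.
dcdiag /test:DNS /DnsDelegation /s:GC1
nltest /dsgetdc:"$ChildZone.$ParentZone" /force
```

Step 2 deliberately stops before any deletion: an ordinary zone and a delegation for the same name cannot coexist usefully on one server, and dropping the zone while SRV1 is not yet serving it would leave the child domain unresolvable from the parent. Run step 1 again from both servers after the delegation is in place; both probes should resolve from both addresses before the error on GC1.CERT is retested.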

Author Closing Comment

by:minjakon
ID: 31504162