Problem with creating domain tree

Posted on 2008-10-08
Last Modified: 2013-12-05
Hi,
I am trying to create a new domain tree. I have two domains: CERT (parent domain) with domain controller GC1.CERT (first domain controller of the tree) and DW.CERT (child domain) with SRV1.DW.CERT (which is the unique domain controller of the DW.CERT domain).


- I create a new zone on DNS server of CERT domain called DW
- I run dcpromo command on future domain controller of DW.CERT domain (SRV1.DW.CERT)
- Creation of AD DW.CERT terminates without errors or warnings

After that I can see AD of CERT domain from my new domain controller SRV1.DW.CERT, but I can't do so from GC1.CERT (which is the first domain controller of CERT).
For example, on SRV1.DW.CERT I can assign a permission to CERT domain users. When I try to do the same thing on GC1.CERT I receive an error:
"The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you"
Question by:minjakon
LVL 10

Expert Comment

by:Rudram
ID: 22667980
* Is the DNS setup all OK in the AD infrastructure?

* Could you try resolving names of the servers from DCs from both the parent and child domains

* Try using the dcdiag.exe and netdiag.exe tool to check for any anomalies (dcdiag /test:DNS might reveal something worthy)

Good Luck (^_^)

0
 

Author Comment

by:minjakon
ID: 22668137
Hi Rudram, thanks for the response

I ran dcdiag.exe and this is the result:

1 test failure on this DNS server
               Delegation is broken for the domain cert.cert. on the DNS server 172.27.50.49

What does it mean?


Performing initial setup:
   Done gathering initial info.
 
Doing initial required tests
 
   Testing server: Default-First-Site-Name\GC1
      Starting test: Connectivity
         ......................... GC1 passed test Connectivity
 
Doing primary tests
 
   Testing server: Default-First-Site-Name\GC1
 
DNS Tests are running and not hung. Please wait a few minutes...
 
   Running partition tests on : ForestDnsZones
 
   Running partition tests on : DomainDnsZones
 
   Running partition tests on : Schema
 
   Running partition tests on : Configuration
 
   Running partition tests on : cert
 
   Running enterprise tests on : cert
      Starting test: DNS
         Test results for domain controllers:
 
            DC: server.cert
            Domain: cert
 
 
               TEST: Delegations (Del)
                  Error: DNS server: server.cert. IP:172.27.50.49 [Broken delegated domain cert.cert.]
 
         Summary of test results for DNS servers used by the above domain controllers:
 
            DNS server: 172.27.50.49 (server.cert.)
               1 test failure on this DNS server
               Delegation is broken for the domain cert.cert. on the DNS server 172.27.50.49
 
         Summary of DNS test results:
 
                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: cert
               server                       PASS PASS PASS FAIL PASS PASS n/a


0
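A small parser for the summary table in the dcdiag output above, as an added example that is not part of the original thread: it maps each FAIL column to the test it stands for and to the `dcdiag /test:DNS` switch that reruns only that test. The sample text is constructed from the lines posted above with the console line wraps removed, and the function names are hypothetical.

```python
import re

# dcdiag /test:DNS summary columns and the sub-test switch that reruns each one.
COLUMNS = {
    "Auth": ("Authentication", None),  # no separate switch; part of the basic run
    "Basc": ("Basic connectivity and service checks", "/DnsBasic"),
    "Forw": ("Forwarders and root hints", "/DnsForwarders"),
    "Del":  ("Delegations", "/DnsDelegation"),
    "Dyn":  ("Dynamic update", "/DnsDynamicUpdate"),
    "RReg": ("Record registration", "/DnsRecordRegistration"),
    "Ext":  ("External name resolution", "/DnsResolveExtName"),
}

# Constructed sample: error and summary lines from the post, unwrapped.
SAMPLE = """\
                  Error: DNS server: server.cert. IP:172.27.50.49 [Broken delegated domain cert.cert.]
         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: cert
               server                       PASS PASS PASS FAIL PASS PASS n/a
"""

def failed_dns_tests(report):
    """Return {(domain, server): [failed column, ...]} from the summary table."""
    header, domain, failures = None, None, {}
    for line in report.splitlines():
        words = line.split()
        if words and all(w in COLUMNS for w in words):
            header = words                      # column order as printed
        elif header and line.strip().startswith("Domain:"):
            domain = words[1]
        elif header and domain and len(words) == len(header) + 1:
            server, results = words[0], words[1:]
            failed = [c for c, r in zip(header, results) if r.upper() == "FAIL"]
            if failed:
                failures[(domain, server)] = failed
    return failures

def broken_delegations(report):
    """Return the delegated zone names dcdiag reports as broken."""
    return re.findall(r"\[Broken delegated domain ([^\]\s]+?)\.?\]", report)

if __name__ == "__main__":
    for (domain, server), cols in failed_dns_tests(SAMPLE).items():
        for col in cols:
            name, switch = COLUMNS[col]
            print(f"{server} ({domain}): {name} failed; rerun: dcdiag /test:DNS {switch or ''}")
    print("Broken delegations:", broken_delegations(SAMPLE))
```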
 
LVL 4

Expert Comment

by:lscapa
ID: 22668785
Are you receiving any LSA service errors on either DC?
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22668797
Since this is a child domain, use mpsreports from Microsoft and look at the resulting logs. This will help you immensely in troubleshooting AD issues.
0
 
LVL 10

Accepted Solution

by:
Rudram earned 2000 total points
ID: 22676234
* From the statement of yours - "I create a new zone on DNS server of CERT domain called DW" - in the question, I guess that you must have simply created a new zone in the DNS server of the parent domain.

* So if you have to host the DNS zone of the child domain in the parent domain, then you should basically be using the "New Delegation" wizard in the DNS snap-in (right-click on the parent domain DNS forward lookup zone and select the option New Delegation)

* Follow the wizard and you would be creating a new sub-zone for the sub-domain (child domain)

Hope this works (^_^)
0
 
LVL 10

Expert Comment

by:Rudram
ID: 22676250
* The above condition matters when you are using the DNS server of the parent domain as the name resolution system for the child domain too (i.e. unless you have a DNS server of its own for the child domain)

(^_^)
0
 

Author Closing Comment

by:minjakon
ID: 31504162
0

Question has a verified solution.