minjakon


Problem with creating domain tree

Hi,
I am trying to create a new domain tree. I have two domains: CERT (parent domain) with domain controller GC1.CERT (first domain controller of the tree) and DW.CERT (child domain) with SRV1.DW.CERT (which is the unique domain controller of the DW.CERT domain).


- I create a new zone called DW on the DNS server of the CERT domain
- I run the dcpromo command on the future domain controller of the DW.CERT domain (SRV1.DW.CERT)
- Creation of AD DW.CERT terminates without errors or warnings

After that I can see the AD of the CERT domain from my new domain controller SRV1.DW.CERT, but I can't do so from GC1.CERT (which is the first domain controller of CERT).
For example, on SRV1.DW.CERT I can assign a permission to CERT domain users. When I try to do the same thing on GC1.CERT I receive an error:
"The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you"
Shyjin Varaprath

* Is the DNS setup all OK in the AD infrastructure?

* Could you try resolving the names of the servers from DCs in both the parent and child domains?

* Try using the dcdiag.exe and netdiag.exe tools to check for any anomalies (dcdiag /test:DNS might reveal something worthy)

Good Luck (^_^)

minjakon

ASKER

Hi Rudram, thanks for the response.

I ran dcdiag.exe and this is the result:

1 test failure on this DNS server
               Delegation is broken for the domain cert.cert. on the DNS server
172.27.50.49

What does it mean?


Performing initial setup:
   Done gathering initial info.
 
Doing initial required tests
 
   Testing server: Default-First-Site-Name\GC1
      Starting test: Connectivity
         ......................... GC1 passed test Connectivity
 
Doing primary tests
 
   Testing server: Default-First-Site-Name\GC1
 
DNS Tests are running and not hung. Please wait a few minutes...
 
   Running partition tests on : ForestDnsZones
 
   Running partition tests on : DomainDnsZones
 
   Running partition tests on : Schema
 
   Running partition tests on : Configuration
 
   Running partition tests on : cert
 
   Running enterprise tests on : cert
      Starting test: DNS
         Test results for domain controllers:
 
            DC: server.cert
            Domain: cert
 
 
               TEST: Delegations (Del)
                  Error: DNS server: server.cert. IP:172.27.50.49 [Broken delega
ted domain cert.cert.]
 
         Summary of test results for DNS servers used by the above domain contro
llers:
 
            DNS server: 172.27.50.49 (server.cert.)
               1 test failure on this DNS server
               Delegation is broken for the domain cert.cert. on the DNS server
172.27.50.49
 
         Summary of DNS test results:
 
                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: cert
               server                       PASS PASS PASS FAIL PASS PASS n/a
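
Added example (not part of the original post, and not a Microsoft tool): a short Python script that rejoins the console wraps visible in the output above ("Broken delega" / "ted domain") and lists which columns of the DNS summary matrix failed. The sample input is constructed from the posted output; the 80-column width and all function names are assumptions.

```python
# Added example: triage a saved `dcdiag /test:DNS` log.
WIDTH = 80  # assumption: the log was captured from an 80-column console

# Constructed sample mirroring the posted output; the Error line is sliced at
# WIDTH to reproduce the console wrap ("Broken delega" / "ted domain").
_err = " " * 18 + ("Error: DNS server: server.cert. IP:172.27.50.49 "
                   "[Broken delegated domain cert.cert.]")
SAMPLE = "\n".join([
    " " * 15 + "TEST: Delegations (Del)",
    _err[:WIDTH],
    _err[WIDTH:],
    "",
    " " * 9 + "Summary of DNS test results:",
    "",
    " " * 44 + "Auth Basc Forw Del  Dyn  RReg Ext",
    " " * 15 + "_" * 64,
    " " * 12 + "Domain: cert",
    " " * 15 + "server" + " " * 23 + "PASS PASS PASS FAIL PASS PASS n/a",
])

def unwrap(text, width=WIDTH):
    """Rejoin lines the console hard-wrapped at exactly `width` characters."""
    out, joining = [], False
    for line in text.splitlines():
        if joining:
            out[-1] += line
        else:
            out.append(line)
        joining = len(line) == width
    return out

def parse_summary(lines):
    """Return {(domain, server): {column: result}} from the summary matrix."""
    results, header, domain = {}, None, None
    for tok in (line.split() for line in lines):
        if header is None:
            if tok[:2] == ["Auth", "Basc"]:   # header row of the matrix
                header = tok
        elif tok[:1] == ["Domain:"]:
            domain = tok[1]
        elif len(tok) == len(header) + 1:     # server name + one cell per column
            results[(domain, tok[0])] = dict(zip(header, tok[1:]))
    return results

def failures(text):
    """Return (unwrapped Error lines, {(domain, server): [failed columns]})."""
    lines = unwrap(text)
    errors = [l.strip() for l in lines if l.strip().startswith("Error:")]
    failed = {k: [c for c, r in v.items() if r == "FAIL"]
              for k, v in parse_summary(lines).items()}
    return errors, {k: v for k, v in failed.items() if v}
```

Searching the raw log for "Broken delegated domain" finds nothing because of the wrap; run `failures()` on the unwrapped text instead.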


lscapa

Are you receiving any LSA service errors on either DC?
Since this is a child domain, use mpsreports from Microsoft and look at the resulting logs. This will help you immensely in troubleshooting AD issues....
ASKER CERTIFIED SOLUTION
Shyjin Varaprath
* The above condition matters when you are using the DNS server of the parent domain as the name resolution system for the child domain too (i.e. unless you have a DNS server of its own for the child domain)

(^_^)