

Unable to add user accounts to ACL from a trusted domain after inadvertently removing DNS from local domain controller

Posted on 2009-04-22
Medium Priority
Last Modified: 2012-05-06
I accidentally removed DNS from one of the domain controllers in my domain ( I meant to remove it from a DC I was retiring) and I quickly realized my mistake and added DNS back to the DC.  We have a transitive forest trust set up with our parent company, and before I removed DNS from the DC, we were able to permission user accounts from the trusted domain to ACLs on folders/shares created on our main file server.  Now we are no longer able to permission the folders/shares with the trusted domain's accounts.  One odd thing to note is that we ARE able to permission folders/shares on our domain controllers with the trusted domain's accounts.

The DC in question that had DNS removed holds the RID Master and PDC emulator roles.
Question by:jdmotsney

Accepted Solution

Antsoair earned 2000 total points
ID: 24205935
This is most likely a name resolution problem.  What DNS server does your file server point to?  Is there a DNS zone for the trusted forest on that DNS server?  If you can set permissions on the domain controllers then they are able to resolve the names of the other domain.  Is it possible that the domain controllers have static hosts or lmhosts entries?  Can you ping the domain controllers from the trusted forest from your file server?  Can you run a command against the trusted domain controllers such as net view \\trusted-domain-controller-name or nbtstat -a trusted-domain-controller-name?

Author Comment

ID: 24206311
Thanks for your quick response

The name server that the file server was pointed to was the one that had DNS removed, although it did have 2 additional DNS servers/domain controllers listed as secondary and tertiary options.  I did modify the DNS options to point to the secondary DC only for DNS but the issue persisted.  

There is a secondary DNS zone for the trusted forest on all of our DNS servers.  I manually added it back to the one that had DNS removed.

There are no entries in the hosts or lmhosts files on the DCs.

There is a firewall that separates the forests that has ICMP disabled, so I am unable to get a reply from the domain controllers on the other side when performing a ping.  The name does resolve successfully to the IP addresses of the DCs on the other side when pinged from the file server.  This is the same when you ping from our local DCs.

When attempting the net view command from the domain controller I get "System error 53 has occurred.  The network path was not found."  My guess is that the firewall is not allowing this traffic.  The nbtstat command returns Host not found.  I'm guessing firewall here as well.

Expert Comment

ID: 24229810
You could verify that it is the firewall by trying the nbtstat command with the IP address of the remote domain controller.  This article discusses what ports you need open to have a trust work: http://support.microsoft.com/kb/179442  so you can verify that you have the correct ports open.  It could be that the ports are open for your domain controllers but not the file server.  The file server needs to be able to get a list of users from the remote domain controller.
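The checks the two expert comments above describe (which DNS servers the file server actually uses, whether it can locate the trusted forest's domain controllers through DNS, and whether the trust ports are open through the firewall) can be run in one pass from the file server. The script below is an added example and is not part of the original thread or the KB article; it assumes a Windows version with the DnsClient and NetTCPIP modules (Windows 8.1 / Server 2012 R2 or later, not the 2009-era servers in the question), and `trusted.example` is a placeholder for the trusted forest's DNS name.

```powershell
# Added example, not from the original thread.
# Run on the file server that cannot enumerate trusted-domain accounts.
# Assumptions: Resolve-DnsName, Get-DnsClientServerAddress and Test-NetConnection
# are available (Windows 8.1 / Server 2012 R2+); $TrustedDomain is a placeholder.
param(
    [string]$TrustedDomain = 'trusted.example'
)

# 1. Which DNS servers does this host really use? (the accepted answer's first question)
#    If the primary entry is a DC whose DNS service is stopped, the client may still
#    fail or stall before it falls over to the secondary, so list every configured server.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Locate the trusted forest's DCs the way Windows itself does: SRV records under
#    _msdcs. An empty result means the secondary/stub zone for the trusted forest is
#    missing or not loaded on the DNS server this host queries.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique
if (-not $dcs) {
    throw "No DC SRV records returned for $TrustedDomain; check the zone for the trusted forest."
}

# 3. For each trusted DC, confirm the A record resolves and the trust ports answer.
#    Ports are a subset of those KB 179442 lists for domains and trusts:
#    88 Kerberos, 135 RPC endpoint mapper, 389/636 LDAP(S), 445 SMB,
#    464 Kerberos password change, 3268 global catalog. RPC dynamic ports are not covered.
$ports = 88, 135, 389, 445, 464, 636, 3268
foreach ($dc in $dcs) {
    $a = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue
    if (-not $a) {
        Write-Warning "$dc has no A record on the configured DNS servers"
        continue
    }
    foreach ($p in $ports) {
        # ICMP is blocked by the firewall in the thread, so ignore the ping warning and
        # rely on the TCP result only.
        $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC   = $dc
            IP   = $r.RemoteAddress
            Port = $p
            Open = $r.TcpTestSucceeded
        }
    }
}
```

Read the output in two halves: if step 2 throws or step 3 warns about missing A records, the problem is name resolution on your side (as it turned out to be in this thread); if names resolve but `Open` is `False` on 135, 389 or 445 from the file server while the same ports are open from a DC, the firewall rules cover the DCs but not the file server, which matches the second expert comment.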

Expert Comment

ID: 24251333
Did my comments help them at all?  If it helped them to find the answer then I don't think it should be deleted.

Author Comment

ID: 24259543
Turns out it was a DNS issue on my side.  A domain controller being prepped for retirement had the DNS service stopped.  The service was started and the issue is now resolved.  Thanks for your help.
