demote child domain and rejoin again

Hi,

I need to demote my child domain from the parent domain, because I have noticed many communication errors between them.

What is the best way to do it?
 
When I demote and rejoin the child, do I need to configure all users, GPOs, etc. again?

Best regards

André Bolinhas
abolinhasAsked:
 
Neil RussellTechnical Development LeadCommented:
You cannot "Demote" a domain from a forest; all you can do is DELETE it.
What is the problem you are having? It may make more sense to find the problem.
0
 
abolinhasAuthor Commented:
Hi Neisr,

Thanks for your quick response.

1º - When I try to access the child through the AD Users & Computers console from the parent domain, I get an access denied.
I'm logged in as domain admin
Check - http://itbyandrebolinhas.com/images/ad1.png


2º - My child domain is grey in DNS
Check -  http://itbyandrebolinhas.com/images/dns.png

3º - Check the output of dcdiag (from child)
C:\Users\Administrator>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC01
   * Identified AD Forest.
   [CHLD01] LDAP bind failed with error 1326,
   Logon failure: unknown user name or bad password..
   Got error while checking if the DC is using FRS or DFSR. Error:
   Logon failure: unknown user name or bad password.The VerifyReferences,
   FrsEvent and DfsrEvent tests might fail because of this error.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         Message 0x621 not found.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... DC01 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC01
      Skipping all tests, because server DC01 is not responding to directory
      service requests.
0

 
abolinhasAuthor Commented:
Hi Neilsr:

Please ignore the last problem
"
3º - Check the output of dcdiag (from child)
C:\Users\Administrator>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC01
   * Identified AD Forest.
   [CHLD01] LDAP bind failed with error 1326,
   Logon failure: unknown user name or bad password..
   Got error while checking if the DC is using FRS or DFSR. Error:
   Logon failure: unknown user name or bad password.The VerifyReferences,
   FrsEvent and DfsrEvent tests might fail because of this error.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         Message 0x621 not found.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... DC01 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC01
      Skipping all tests, because server DC01 is not responding to directory
      service requests.
"

I ran dcdiag from the parent and not from the child, my mistake.

Tests that I made from the child


C:\Users\Administrator>netdom query fsmo
Schema master               DC01.florasul.lan
Domain naming master        DC01.florasul.lan
PDC                         CHLD01.evora01.florasul.lan
RID pool manager            CHLD01.evora01.florasul.lan
Infrastructure master       CHLD01.evora01.florasul.lan
The command completed successfully.



C:\Users\Administrator>repadmin /replsum
Replication Summary Start Time: 2011-02-12 18:01:29

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 CHLD01                    10m:02s    0 /   4    0
 DC01                      09m:45s    0 /   4    0


Destination DSA     largest delta    fails/total %%   error
 CHLD01                    09m:45s    0 /   4    0
 DC01                      10m:02s    0 /   4    0


dcdiag /v /c
   Running enterprise tests on : florasul.lan
      Starting test: DNS
         Test results for domain controllers:

            DC: CHLD01.evora01.florasul.lan
            Domain: evora01.florasul.lan


               TEST: Authentication (Auth)
                  Authentication test: Successfully completed

               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                  The OS
                  Microsoft Windows Server 2008 R2 Standard  (Service Pack level
: 0.0)
                  is supported.
                  NETLOGON service is running
                  kdc service is running
                  DNSCACHE service is running
                  DNS service is running
                  DC is a DNS server
                  Network adapters information:
                  Adapter
                  [00000016] Intel(R) Advanced Network Services Virtual Adapter:


                     MAC address is 00:30:48:7D:0E:60
                     IP Address is static
                     IP address: 192.168.2.101
                     DNS servers:
                        127.0.0.1 (CHLD01) [Valid]
                        192.168.1.101 (<name unavailable>) [Valid]
                  No host records (A or AAAA) were found for this DC
                  The SOA record for the Active Directory zone was found
                  The Active Directory zone on this DC/DNS server was found prim
ary
                  Root zone on this DC/DNS server was not found

               TEST: Forwarders/Root hints (Forw)
                  Recursion is enabled
                  Forwarders Information:
                     208.67.220.220 (<name unavailable>) [Invalid]
                     208.67.222.222 (<name unavailable>) [Invalid]
                     Error: All forwarders in the forwarder list are invalid.
                  Root hint Information:
                     Name: a.root-servers.net. IP: 198.41.0.4 [Invalid]
                     Name: d.root-servers.net. IP: 128.8.10.90 [Invalid]
                     Name: f.root-servers.net. IP: 192.5.5.241 [Invalid]
                  Error: Both root hints and forwarders are not configured or
                  broken. Please make sure at least one of them works.

               TEST: Delegations (Del)
                  No delegations were found in this zone on this DNS server

               TEST: Dynamic update (Dyn)
                  Test record dcdiag-test-record added successfully in zone evor
a01.florasul.lan
                  Test record dcdiag-test-record deleted successfully in zone ev
ora01.florasul.lan

               TEST: Records registration (RReg)
                  Network Adapter
                  [00000016] Intel(R) Advanced Network Services Virtual Adapter:


                     Matching CNAME record found at DNS server 192.168.2.101:
                     93313e43-0c25-412f-8d4b-6a45ff2318f1._msdcs.florasul.lan

                     Matching  SRV record found at DNS server 192.168.2.101:
                     _ldap._tcp.evora01.florasul.lan

                     Matching  SRV record found at DNS server 192.168.2.101:
                     _ldap._tcp.66cd515e-8176-4bde-8f4d-236b50aad6ff.domains._ms
dcs.florasul.lan

                     Matching  SRV record found at DNS server 192.168.2.101:
                     _kerberos._tcp.dc._msdcs.evora01.florasul.lan

                     Matching  SRV record found at DNS server 192.168.2.101:
                     _ldap._tcp.dc._msdcs.evora01.florasul.lan

                     Matching  SRV record found at DNS server 192.168.2.101:
                     _kerberos._tcp.evora01.florasul.lan

                     Matching  SRV record found at DNS server 192.168.2.101:
                     _kerberos._udp.evora01.florasul.lan

                     Matching  SRV record found at DNS server 192.168.2.101:
                     _kpasswd._tcp.evora01.florasul.lan

                     Matching  SRV record found at DNS server 192.168.2.101:
                     _ldap._tcp.Default-First-Site-Name._sites.evora01.florasul.
lan

                     Matching  SRV record found at DNS server 192.168.2.101:
                     _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.evo
ra01.florasul.lan

                     Matching  SRV record found at DNS server 192.168.2.101:
                     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.evora01
.florasul.lan

                     Matching  SRV record found at DNS server 192.168.2.101:
                     _kerberos._tcp.Default-First-Site-Name._sites.evora01.flora
sul.lan

                     Matching  SRV record found at DNS server 192.168.2.101:
                     _ldap._tcp.gc._msdcs.florasul.lan

                     Matching  SRV record found at DNS server 192.168.2.101:
                     _gc._tcp.Default-First-Site-Name._sites.florasul.lan

                     Matching  SRV record found at DNS server 192.168.2.101:
                     _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.florasu
l.lan

                     Matching  SRV record found at DNS server 192.168.2.101:
                     _ldap._tcp.pdc._msdcs.evora01.florasul.lan

                     Matching CNAME record found at DNS server 192.168.1.101:
                     93313e43-0c25-412f-8d4b-6a45ff2318f1._msdcs.florasul.lan

                     Matching  SRV record found at DNS server 192.168.1.101:
                     _ldap._tcp.evora01.florasul.lan

                     Matching  SRV record found at DNS server 192.168.1.101:
                     _ldap._tcp.66cd515e-8176-4bde-8f4d-236b50aad6ff.domains._ms
dcs.florasul.lan

                     Matching  SRV record found at DNS server 192.168.1.101:
                     _kerberos._tcp.dc._msdcs.evora01.florasul.lan

                     Matching  SRV record found at DNS server 192.168.1.101:
                     _ldap._tcp.dc._msdcs.evora01.florasul.lan

                     Matching  SRV record found at DNS server 192.168.1.101:
                     _kerberos._tcp.evora01.florasul.lan

                     Matching  SRV record found at DNS server 192.168.1.101:
                     _kerberos._udp.evora01.florasul.lan

                     Matching  SRV record found at DNS server 192.168.1.101:
                     _kpasswd._tcp.evora01.florasul.lan

                     Matching  SRV record found at DNS server 192.168.1.101:
                     _ldap._tcp.Default-First-Site-Name._sites.evora01.florasul.
lan

                     Matching  SRV record found at DNS server 192.168.1.101:
                     _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.evo
ra01.florasul.lan

                     Matching  SRV record found at DNS server 192.168.1.101:
                     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.evora01
.florasul.lan

                     Matching  SRV record found at DNS server 192.168.1.101:
                     _kerberos._tcp.Default-First-Site-Name._sites.evora01.flora
sul.lan

                     Matching  SRV record found at DNS server 192.168.1.101:
                     _ldap._tcp.gc._msdcs.florasul.lan

                     Matching  SRV record found at DNS server 192.168.1.101:
                     _gc._tcp.Default-First-Site-Name._sites.florasul.lan

                     Matching  SRV record found at DNS server 192.168.1.101:
                     _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.florasu
l.lan

                     Matching  SRV record found at DNS server 192.168.1.101:
                     _ldap._tcp.pdc._msdcs.evora01.florasul.lan

               Error: Record registrations cannot be found for all the network
               adapters

         Summary of test results for DNS servers used by the above domain
         controllers:

            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 128.8.10.90
               [Error details: 9003 (Type: Win32 - Description: DNS name does no
t exist.)]

            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 192.5.5.241
               [Error details: 9003 (Type: Win32 - Description: DNS name does no
t exist.)]

            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 198.41.0.4
               [Error details: 9003 (Type: Win32 - Description: DNS name does no
t exist.)]

            DNS server: 208.67.220.220 (<name unavailable>)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 208.67.220.220
               [Error details: 9003 (Type: Win32 - Description: DNS name does no
t exist.)]

            DNS server: 208.67.222.222 (<name unavailable>)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 208.67.222.222
               [Error details: 9003 (Type: Win32 - Description: DNS name does no
t exist.)]

            DNS server: 192.168.1.101 (<name unavailable>)
               All tests passed on this DNS server
               Name resolution is functional._ldap._tcp SRV record for the fores
t root domain is registered

            DNS server: 192.168.2.101 (CHLD01)
               All tests passed on this DNS server
               Name resolution is functional._ldap._tcp SRV record for the fores
t root domain is registered

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: evora01.florasul.lan
               CHLD01                       PASS FAIL FAIL PASS PASS FAIL n/a

         ......................... florasul.lan failed test DNS
      Starting test: LocatorCheck
         GC Name: \\CHLD01.evora01.florasul.lan
         Locator Flags: 0xe00031fd
         PDC Name: \\CHLD01.evora01.florasul.lan
         Locator Flags: 0xe00031fd
         Time Server Name: \\CHLD01.evora01.florasul.lan
         Locator Flags: 0xe00031fd
         Preferred Time Server Name: \\CHLD01.evora01.florasul.lan
         Locator Flags: 0xe00031fd
         KDC Name: \\CHLD01.evora01.florasul.lan
         Locator Flags: 0xe00031fd
         ......................... florasul.lan passed test LocatorCheck
      Starting test: FsmoCheck
         GC Name: \\CHLD01.evora01.florasul.lan
         Locator Flags: 0xe00031fd
         PDC Name: \\CHLD01.evora01.florasul.lan
         Locator Flags: 0xe00031fd
         Time Server Name: \\CHLD01.evora01.florasul.lan
         Locator Flags: 0xe00031fd
         Preferred Time Server Name: \\CHLD01.evora01.florasul.lan
         Locator Flags: 0xe00031fd
         KDC Name: \\CHLD01.evora01.florasul.lan
         Locator Flags: 0xe00031fd
         ......................... florasul.lan passed test FsmoCheck
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... florasul.lan passed test Intersite
0
 
Darius GhassemCommented:
First thing, you should not be using 127.0.0.1; put the actual IP address of the DC. Make sure you don't have external DNS servers listed in your TCP\IP properties; it should only have internal DNS servers in the TCP\IP properties.

Run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix.

Like already stated above, you can't demote a child domain from the root; you must delete it completely, then restart everything configured before. This is the only way if you want to move forward, but do the above, then see how things work before deletion of the domain.
0
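
Added example (not part of the original thread and not code from any participant): one way to check the advice above, that a DC's TCP/IP properties should list the DC's actual IP address and internal DNS servers only. The helper names are hypothetical, "internal" is assumed to mean an RFC 1918 private IPv4 range, and the sample adapters are constructed (the first mirrors the DNS server list in the dcdiag output posted earlier).

```powershell
# Added example: classify the DNS servers set on a DC's network adapters.
# Test-PrivateIPv4 and Test-DnsClientServers are hypothetical helper names.
# Assumption: "internal" means an RFC 1918 private IPv4 range.

function Test-PrivateIPv4 {
    param([System.Net.IPAddress]$Ip)
    $b = $Ip.GetAddressBytes()
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168))
}

function Test-DnsClientServers {
    param(
        [string]$Adapter,
        [string[]]$DnsServers
    )
    if (-not $DnsServers) { return }   # adapter with no DNS servers configured
    foreach ($server in $DnsServers) {
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($server, [ref]$ip)) {
            $finding = 'REVIEW: not an IP address'
        } elseif ([System.Net.IPAddress]::IsLoopback($ip)) {
            $finding = 'CHANGE: loopback; put the actual IP address of the DC'
        } elseif ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
            $finding = 'REVIEW: IPv6 address; check by hand'
        } elseif (Test-PrivateIPv4 $ip) {
            $finding = 'OK: internal DNS server'
        } else {
            $finding = 'CHANGE: external DNS server; list internal DNS servers only'
        }
        # One result object per configured DNS server
        New-Object PSObject -Property @{
            Adapter   = $Adapter
            DnsServer = $server
            Finding   = $finding
        }
    }
}

# Constructed sample input. The first adapter mirrors the DNS server list in
# the dcdiag output posted above; the second is a constructed case with an
# external resolver in the TCP/IP properties.
$sample = @(
    @{ Adapter = 'Team adapter (CHLD01)'; DnsServers = @('127.0.0.1', '192.168.1.101') },
    @{ Adapter = 'Constructed adapter';   DnsServers = @('192.168.1.101', '208.67.220.220') }
)

$sample |
    ForEach-Object { Test-DnsClientServers -Adapter $_.Adapter -DnsServers $_.DnsServers } |
    Select-Object Adapter, DnsServer, Finding |
    Format-Table -AutoSize

# On a live server the same check can read the adapters through WMI:
# Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
#     ForEach-Object {
#         Test-DnsClientServers -Adapter $_.Description -DnsServers $_.DNSServerSearchOrder
#     }
```

On the sample, 127.0.0.1 and 208.67.220.220 come back as CHANGE and 192.168.1.101 as OK.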
 
abolinhasAuthor Commented:
Hi dariusg

Done:

C:\Users\Administrator>dcdig /fix
'dcdig' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Administrator>dcdiag /fix

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = CHLD01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\CHLD01
      Starting test: Connectivity
         Message 0x621 not found.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... CHLD01 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\CHLD01
      Skipping all tests, because server CHLD01 is not responding to directory
      service requests.


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : evora01
      Starting test: CheckSDRefDom
         ......................... evora01 passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... evora01 passed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running enterprise tests on : florasul.lan
      Starting test: LocatorCheck
         ......................... florasul.lan passed test LocatorCheck
      Starting test: Intersite
         ......................... florasul.lan passed test Intersite


Any more tests to do?
0
 
Darius GhassemCommented:
http://support.microsoft.com/kb/978387

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/d5bebedd-bc3a-4b91-a053-7c04c78c2ec1/

This is a known issue on Windows 2008 Servers when using a team on a DC. There is an issue with dcdiag as well
0
 
abolinhasAuthor Commented:

Hi,

The hotfix doesn't solve my problem.

This is the common problem that I have too.
For example.

From parent domain I can ping the child domain by name.
But if I try to access the child by UNC path by name, like \\child01, I get a "You don't have permission to access to \\chld01", but if I try by IP, \\xxx.xxx.xxx.xxx, it works very well.
0
 
Darius GhassemCommented:
Do you have a DNS suffix listed?
0
 
Darius GhassemCommented:
Can you remove network team? If you have one setup?
0
 
abolinhasAuthor Commented:
Hi dariusg,

What do you mean by DNS suffix listed?

"Can you remove network team?"
I will try to avoid this; this is my last option, because the child is very far from me, about 400km, and doing this remotely is very dangerous.

Best regards

André Bolinhas
0
 
Darius GhassemCommented:
If you look in your TCP\IP properties do you have dns suffix listed?
0
 
abolinhasAuthor Commented:
0
 
Darius GhassemCommented:
Yes.
0
 
abolinhasAuthor Commented:
Yes, I have suffix in both dns (parent and child)

But it still doesn't work
0
 
Darius GhassemCommented:
Can you remove the team please?

Please run command prompt  as admin as well
0
 
abolinhasAuthor Commented:
Hi Darius,

I changed team mode to fail over only (instead of load balancing + fail over).

Now I can access chld via UNC path by name \\chld.

Now I just need to fix this
http://itbyandrebolinhas.com/images/ad1.png
0
 
Darius GhassemCommented:
Are you using the correct username and password? Are you using Domain Admin from the child Domain?
0
 
abolinhasAuthor Commented:
no, on child I use the child admin user and pass.

From child to parent this http://itbyandrebolinhas.com/images/ad1.png works fine.

0
 
Darius GhassemCommented:
Can you access resources from the other domain?
0
 
abolinhasAuthor Commented:
From child I can access all resources on parent domain.

From parent I cannot access all resources on child.

0
 
Darius GhassemCommented:
Do you have DNS zone for child domain in your HQ DNS server?
0
 
Darius GhassemCommented:
Seems like you don't have your delegated DNS zone for the child listed in the parent. You need to have this zone in the HQ DNS so it can resolve child domain's addresses
0
 
abolinhasAuthor Commented:
I created a new delegation on the parent but the folder is still grey
0
 
Darius GhassemCommented:
You should have zone listed.
0
 
abolinhasAuthor Commented:
You mean this
http://itbyandrebolinhas.com/images/dns3.png
?

If so, should this be a primary or a secondary zone?
0
 
Darius GhassemCommented:
Yes, create the zone for the child domain; you should have it stored in AD
0
 
abolinhasAuthor Commented:
So it is a primary zone.

On the next board, what is the option that I need to choose?
http://itbyandrebolinhas.com/images/dns4.png
0
 
Darius GhassemCommented:
Hold on, go to your child DNS server, go to the properties of that zone. Do you have replication set up to replicate to the whole forest?
0
 
abolinhasAuthor Commented:
0
 
Darius GhassemCommented:
On zone transfers, what do you have?
0
 
abolinhasAuthor Commented:
Hi Dariusq,

Please ignore the last comment

Parent replication:
http://itbyandrebolinhas.com/images/dns6.png

Child replication
http://itbyandrebolinhas.com/images/dns7.png
0
 
Darius GhassemCommented:
Change the child zone to replicate to all of the DCs in the forest. Then don't worry about creating the zone in the parent; it should replicate to the parent now.
0
 
abolinhasAuthor Commented:
OK, the child already replicates the zone to the parent domain.

But I still get access denied
http://itbyandrebolinhas.com/images/ad1.png
0
 
Darius GhassemCommented:
Run dcdiag /fix

Post dcdiag
0
 
abolinhasAuthor Commented:
From parent:

C:\Users\Administrator>dcdiag /fix

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC01
   * Identified AD Forest.
   [CHLD01] LDAP bind failed with error 1326,
   Logon failure: unknown user name or bad password..
   Got error while checking if the DC is using FRS or DFSR. Error:
   Logon failure: unknown user name or bad password.The VerifyReferences,
   FrsEvent and DfsrEvent tests might fail because of this error.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC01
      Starting test: Advertising
         ......................... DC01 passed test Advertising
      Starting test: FrsEvent
         ......................... DC01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC01 passed test Replications
      Starting test: RidManager
         ......................... DC01 passed test RidManager
      Starting test: Services
         ......................... DC01 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x8000000E
            Time Generated: 02/17/2011   20:21:44
            Event String:
            The password stored in Credential Manager is invalid. This might be
caused by the user changing the password from this computer or a different comp
ter. To resolve this error, open Credential Manager in Control Panel, and reent
r the password for the credential FLORASUL\vanessa.paulo.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 02/17/2011   20:21:44
            Event String:
            Driver EPSON SX125 Series required for printer EPSON SX125 Series i
 unknown. Contact the administrator to install the driver before you log in aga
n.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 02/17/2011   20:21:45
            Event String:
            Driver PDFCreator required for printer PDFCreator is unknown. Conta
t the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 02/17/2011   20:21:48
            Event String:
            Driver Adobe PDF Converter required for printer Adobe PDF is unknow
. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 02/17/2011   20:21:48
            Event String:
            Driver PDF995 Printer Driver required for printer PDF995 is unknown
 Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0xC0002719
            Time Generated: 02/17/2011   20:23:25
            Event String:
            DCOM was unable to communicate with the computer 208.67.220.220 usi
g any of the configured protocols.
         An error event occurred.  EventID: 0xC0002719
            Time Generated: 02/17/2011   20:23:46
            Event String:
            DCOM was unable to communicate with the computer 208.67.222.222 usi
g any of the configured protocols.
         An error event occurred.  EventID: 0x0000042E
            Time Generated: 02/17/2011   21:04:55
            Event String:
            Iashlpr initialization failed: The DHCP service was unable to acces
 path specified for the audit log.
         ......................... DC01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... DC01 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : florasul
      Starting test: CheckSDRefDom
         ......................... florasul passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... florasul passed test CrossRefValidation

   Running enterprise tests on : florasul.lan
      Starting test: LocatorCheck
         ......................... florasul.lan passed test LocatorCheck
      Starting test: Intersite
         ......................... florasul.lan passed test Intersite



From child
C:\Users\Administrator>dcdiag /fix

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = CHLD01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\CHLD01
      Starting test: Connectivity
         ......................... CHLD01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\CHLD01
      Starting test: Advertising
         ......................... CHLD01 passed test Advertising
      Starting test: FrsEvent
         ......................... CHLD01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... CHLD01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... CHLD01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... CHLD01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... CHLD01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... CHLD01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... CHLD01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... CHLD01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... CHLD01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... CHLD01 passed test Replications
      Starting test: RidManager
         ......................... CHLD01 passed test RidManager
      Starting test: Services
         ......................... CHLD01 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000457
            Time Generated: 02/17/2011   21:17:26
            Event String:
            Driver EPSON SX125 Series required for printer EPSON SX125 Series is
 unknown. Contact the administrator to install the driver before you log in agai
n.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 02/17/2011   21:17:26
            Event String:
            Driver Adobe PDF Converter required for printer Adobe PDF is unknown
. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 02/17/2011   21:17:30
            Event String:
            Driver PDF995 Printer Driver required for printer PDF995 is unknown.
 Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 02/17/2011   21:17:30
            Event String:
            Driver PDFCreator required for printer PDFCreator is unknown. Contact the administrator to install the driver before you log in again.
         ......................... CHLD01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... CHLD01 passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : evora01
      Starting test: CheckSDRefDom
         ......................... evora01 passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... evora01 passed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running enterprise tests on : florasul.lan
      Starting test: LocatorCheck
         ......................... florasul.lan passed test LocatorCheck
      Starting test: Intersite
         ......................... florasul.lan passed test Intersite
0
 
Darius GhassemCommented:
Still points to a network team issue.
0
 
abolinhasAuthor Commented:
OK, if there are no more options to test, I'll try disabling the team remotely.

Thanks
0
 
Darius GhassemCommented:
No more from me right now
0
 
abolinhasAuthor Commented:
Hi dariusq

I already removed the team, rebooted the server and ran dcdiag /fix.

But the problem is still there.
0
 
Darius GhassemCommented:
Do you have team at HQ as well?
0
 
abolinhasAuthor Commented:
I removed the team on both servers.
0
 
Darius GhassemCommented:
Is there a firewall between the two?
0
 
abolinhasAuthor Commented:
no
0
 
abolinhasAuthor Commented:
The servers are connected through an IPsec VPN.
0
 
abolinhasAuthor Commented:
I get a 500 Internal error
0
 
abolinhasAuthor Commented:
Please ignore the last comment.

"I get a 500 Internal error"
0
 
Darius GhassemCommented:
Could be that ports are open properly on VPN
0
 
abolinhasAuthor Commented:
what ports?
0
 
abolinhasAuthor Commented:
I have the ports open.
The parent detects the child online, but when I click "OK", I get unknown user or bad password.

http://itbyandrebolinhas.com/images/dc_ad.png
0
 
Darius GhassemCommented:
Can you go to Run \\Domaincontroller?
0
 
abolinhasAuthor Commented:
Yep, in both directions.
0
 
Darius GhassemCommented:
Authentication is working fine. Something is wrong with connecting to the server. Are you using Domain Admin password from child to add to console? Are you using Enterprise Admin?
0
 
abolinhasAuthor Commented:
Yes, I'm an enterprise admin and I'm logged in with the enterprise account.
0
 
abolinhasAuthor Commented:
I found this error on dcdiag (on parent)

 [CHLD01] LDAP bind failed with error 1326,
 Logon failure: unknown user name or bad password..
 Got error while checking if the DC is using FRS or DFSR. Error:
 Logon failure: unknown user name or bad password.The VerifyReferences,
 FrsEvent and DfsrEvent tests might fail because of this error.
 * Found 2 DC(s). Testing 1 of them.
 Done gathering initial info.
0
 
abolinhasAuthor Commented:
And in child I get this
         The DC CHLD01 is advertising as having a writeable directory
         The DC CHLD01 is advertising as a Key Distribution Center
         The DC CHLD01 is advertising as a time server
         The DS CHLD01 is advertising as a GC.
         ......................... CHLD01 passed test Advertising
      Starting test: CheckSecurityError
         * Dr Auth:  Beginning security errors check!
         Found KDC CHLD01 for domain evora01.florasul.lan in site Default-First-Site-Name
         Checking machine account for DC CHLD01 on DC CHLD01.
         * SPN found :LDAP/CHLD01.evora01.florasul.lan/evora01.florasul.lan
         * SPN found :LDAP/CHLD01.evora01.florasul.lan
         * SPN found :LDAP/CHLD01
         * SPN found :LDAP/CHLD01.evora01.florasul.lan/EVORA01
         * SPN found :LDAP/93313e43-0c25-412f-8d4b-6a45ff2318f1._msdcs.florasul.lan
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/93313e43-0c25-412f-8d4b-6a45ff2318f1/evora01.florasul.lan
         * SPN found :HOST/CHLD01.evora01.florasul.lan/evora01.florasul.lan
         * SPN found :HOST/CHLD01.evora01.florasul.lan
         * SPN found :HOST/CHLD01
         * SPN found :HOST/CHLD01.evora01.florasul.lan/EVORA01
         * SPN found :GC/CHLD01.evora01.florasul.lan/florasul.lan
         [CHLD01] No security related replication errors were found on this DC!
          To target the connection to a specific source DC use
         /ReplSource:<DC>.
         ......................... CHLD01 passed test CheckSecurityError
      Starting test: CutoffServers
0
 
abolinhasAuthor Commented:
Finally FIXED :)

Your link didn't solve my problem, but it helped me a lot to understand my problem and fix it.

So it is fair to assign you the points.

To fix the problem, I did the following steps:

1. On the parent domain, go to Control Panel.
2. Find Credential Manager inside User Accounts.
3. In Credential Manager, search for any entries that point to the child domain and delete them.

Dariusq, many, many thanks for your help.

Best regards

André Bolinhas
0
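The Credential Manager cleanup described in the post above can also be done from a console. The following is an added example, not part of the original thread: it parses `cmdkey /list` and removes stored entries whose target or user name mentions the child domain. It assumes English `cmdkey` output, and the default patterns `evora01` and `CHLD01` are the names that appear in the dcdiag output in this thread.

```powershell
# Remove-StaleChildCredentials.ps1 (hypothetical file name, added example)
# Finds stored credentials that reference the child domain and deletes them.
# Assumes English cmdkey output of the form "Target: <type>:target=<name>".
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Substrings to look for; defaults are the names shown in this thread.
    [string[]]$Patterns = @('evora01', 'CHLD01')
)

function Get-StoredCredential {
    # Turn the text output of "cmdkey /list" into one object per entry.
    $entry = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(?<raw>.+?)\s*$') {
            if ($entry) { $entry }   # emit the previous entry
            $entry = [pscustomobject]@{
                # cmdkey /delete expects the name after "target="
                Name = ($Matches['raw'] -replace '^.*?target=', '')
                Type = $null
                User = $null
            }
        }
        elseif ($entry -and $line -match '^\s*Type:\s*(?<v>.+?)\s*$') {
            $entry.Type = $Matches['v']
        }
        elseif ($entry -and $line -match '^\s*User:\s*(?<v>.+?)\s*$') {
            $entry.User = $Matches['v']
        }
    }
    if ($entry) { $entry }           # emit the last entry
}

# Keep only entries whose target or user name contains one of the patterns.
$stale = @(Get-StoredCredential | Where-Object {
    $c = $_
    $Patterns | Where-Object { $c.Name -like "*$_*" -or $c.User -like "*$_*" }
})

$stale | Format-Table Name, Type, User -AutoSize

foreach ($c in $stale) {
    # -WhatIf shows what would be deleted without changing anything.
    if ($PSCmdlet.ShouldProcess($c.Name, 'Delete stored credential')) {
        cmdkey "/delete:$($c.Name)"
    }
}
```

Run it with `-WhatIf` first to review the matches. Stored credentials are per user, so run it as the account that sees the logon failure on the parent domain controller.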
 
Darius GhassemCommented:
You know, I swore I put a link on before that said to do this, but I guess I didn't paste it in. Glad it is working. We fixed some other issues as well.

Thanks again
0
Question has a verified solution.
