STEHelp asked:
2008 R2 DCPromo with strange authentication and workstation issues

I DCPromo'd 4 new domain controllers in the last 2 weeks. I am seeing some intermittent issues and I wanted to see if anyone could help.

We have an empty forest root, "ad.example.com". I obviously ran the R2 schema updates for the forest and domain. We have actually had a 2008 R2 DC in the forest root for 7 months without issue.

We have child domains for each country, for example "us.ad.example.com". I also promoted 2 DCs in this domain within the past 2 weeks. This domain has the majority of our users. The majority of our users are XP-based, with about 15-20% Windows 7.

A couple of things I have noticed personally and in my group. After my DCPromo on the us.ad.example.com domain, my Windows 7 desktop had the following issue:

We log in to our systems with our regular user accounts. For administration we run as our user-admin accounts.

I clicked "Run as another user" and entered my us.ad.example.com\user-admin account. I got the following error: "The security database on the server does not have a computer account for this workstation trust relationship." This happened with anything I ran as my US\user-admin account. If I used the forest root admin account or my regular user account, they were fine. I only saw this running as US\user-admin. The computer object existed and looked fine.

Today I had a co-worker with the EXACT same issue on Windows 7. His system also stated "The trust relationship between this workstation and the primary domain failed." He ended up rejoining his system to the domain to get it working again. I did nothing, and after 30 minutes or so it started working again.

I want to troubleshoot this further since we have had 2 issues already and I don't want this widespread. We are also seeing strange issues with authentication on our Cisco ACS wireless in remote domains, but that may be unrelated.

DCDiag and all the typical troubleshooting have looked fine. Has anyone seen this before? It is very strange that it works fine, except for those few users.
ASKER CERTIFIED SOLUTION
Osmoze
This solution is only available to members.
STEHelp (ASKER):

The AD.example.com and US.AD.example.com domains are in the same LAN. There are some US DCs around the country on T1 links.

The trust type is parent-child, two way, transitive.  

The accounts we are trying to "run as another user" with are US Domain Admins.  

It could be a domain suffix. Take a look at the GPO entry Computer Configuration/Administrative Templates/Network/DNS Client/Primary DNS Suffix and check whether it is set correctly (on both domains).

Did you make any updates earlier?
What SPs are installed?

Can you also check the forest functional level and the domain functional level?
Did any of the domains get upgraded from an older Windows NT or 2000 domain? (Just in case.)
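The checks suggested above, plus the secure-channel check that the workstation error itself points at, collected into one script. This is an added example, not code from the thread or from either participant. It assumes it is run on the affected Windows 7 workstation as a local administrator, that the child domain is us.ad.example.com as in the question, and that the ActiveDirectory module (RSAT) is installed for steps 3 and 4; the account name "user-admin" is taken from the question and everything else is an assumption.

```powershell
# Added example (not from the original thread). Run on the affected Windows 7 box.
# Assumptions: child domain us.ad.example.com (from the question), RSAT ActiveDirectory
# module installed for steps 3 and 4, local admin rights for the secure-channel repair.

$Domain = "us.ad.example.com"

# 1. Which DC did this workstation pick, and is its secure channel to the domain intact?
#    A newly promoted DC that does not yet hold a current copy of the computer account
#    is the first thing to rule out before rejoining the machine.
nltest "/dsgetdc:$Domain" /force
nltest "/sc_query:$Domain"
$channelOk = Test-ComputerSecureChannel -Verbose
if (-not $channelOk) {
    Write-Warning "Secure channel to $Domain is broken. Repair it in place rather than rejoining:"
    Write-Warning "  Test-ComputerSecureChannel -Repair -Credential (Get-Credential '$Domain\user-admin')"
}

# 2. DNS suffix settings. The GPO-backed value lives under Policies; the effective
#    values for the adapter stack live under Tcpip\Parameters.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' |
    Select-Object Domain, 'NV Domain', SearchList
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\System\DNSClient' -ErrorAction SilentlyContinue |
    Select-Object PrimaryDnsSuffix, SearchList

# 3. Forest and domain functional levels, and the DCs serving the child domain.
Import-Module ActiveDirectory
(Get-ADForest).ForestMode
(Get-ADDomain -Identity $Domain).DomainMode
Get-ADDomainController -Filter * -Server $Domain |
    Select-Object HostName, IsGlobalCatalog, OperatingSystem

# 4. Ask every DC in the child domain for this workstation's computer object.
#    A DC that does not return it, or returns an older pwdLastSet than the others,
#    points at replication on the new DCs rather than at the workstation.
$computerName = $env:COMPUTERNAME
Get-ADDomainController -Filter * -Server $Domain | ForEach-Object {
    $dc = $_.HostName
    $obj = Get-ADComputer -Identity $computerName -Server $dc -Properties pwdLastSet -ErrorAction SilentlyContinue
    $pwdSet = $null
    if ($obj) { $pwdSet = [datetime]::FromFileTime($obj.pwdLastSet) }
    New-Object PSObject -Property @{
        DC         = $dc
        Found      = [bool]$obj
        PwdLastSet = $pwdSet
    }
} | Format-Table DC, Found, PwdLastSet -AutoSize
```

Step 1 is the one to run while the problem is occurring: if `nltest /dsgetdc` names one of the new DCs and the secure-channel query fails, the intermittent behaviour lines up with the DC the workstation happened to locate. `Test-ComputerSecureChannel -Repair` resets the machine account password against the domain without a rejoin, which is what the co-worker's rejoin achieved by a longer route.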
STEHelp (ASKER):
I have SP1 on the 2008 R2 DCs, and both Windows 7 boxes with the issue are at SP1. I am using "Append primary and connection specific DNS suffixes" and "Append parent suffixes of the primary DNS suffix".

This won't be an issue for a while, so I am going to close this. We ended up having an issue with our version of Cisco ACS. We had some older wireless handhelds and wireless label printers that could not authenticate with 2008 R2 DCs. Cisco said that we have to replace our appliances before they can support 2008 R2, so I have to demote these DCs and put this on hold :(.

Thank you for the help.
STEHelp (ASKER):

This wasn't really the solution, but I didn't see any other way to award points.