• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 298

Delegate Control - The Server is not Operational

Hello, I have a test lab with all Server 2003 DCs. Both domains' functional levels are Win2000 native mode. The two-way trust is in place and validated. I am able to log into member servers and desktops in either domain (the "log on to" drop-down displays both domains). From either domain I am unable to Delegate Control, or connect to another domain in AD. I can ping the PDC for both domains from the trusting domain. They are all VMs and I have tried booting in a specific order, one PDC then the other. I also tried booting up one PDC, waited 15 minutes and booted the other. Please help!
0
entint
Asked:
1 Solution
 
Mike Kline Commented:
So within a domain, if you log into the DC and right-click and try to run the Delegation of Control wizard, does it error out, or is it only if you try to connect to the other domain?

What errors are you seeing in the logs or dcdiag? Can you verify the trusts?

Thanks

Mike
0
 
Chev_PCN Commented:
If you are trying to delegate control across the trust, you need to ensure that the account you are using has permissions to CREATE the delegation in the alternate domain.
0
 
entint (Author) Commented:
Running DCDIAG gave me the answers. All my SRV records are gone! I removed the DNS role, deleted the system32/ DNS folder and I still get the same zones. What am I forgetting to delete?
0
 
entint (Author) Commented:
Cancel, DNS is okay after reinstalling DNS, then stop/start netlogon, then stop/start DNS. DCDIAG passes connectivity now but fails in both domains under the systemlog bit:

DC from one forest:

Starting test: systemlog
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 09/06/2011   23:49:24
            Event String: The dynamic registration of the DNS record
         An Error Event occured.  EventID: 0x825A0011
            Time Generated: 09/07/2011   00:03:25
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 09/07/2011   00:08:55
            Event String: The dynamic registration of the DNS record
         ......................... SERVER2 failed test systemlog

DC from other forest:

Starting test: systemlog
         An Error Event occured.  EventID: 0x825A0011
            Time Generated: 09/07/2011   00:00:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 09/07/2011   00:14:25
            Event String: The dynamic registration of the DNS record
         ......................... SERVER3 failed test systemlog



The trust was validated and verified before I made the correction. So my question to Chev_PCN is how am I supposed to grant access to the other domain, if I am unable to Delegate Control?
0
 
Chev_PCN Commented:
You have to HAVE access in the other domain first.
It would look something like this:

You have a domain admin account in domain A
You want that account to be delegated rights in domain B
You use a domain admin account in domain B to create a group for delegation
You use the same domain B account to add the domain A account to the domain B group.
You then delegate the necessary rights to the group in domain B, which has the domain admin from A as a member.
0
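The group-based delegation described in the answer above, as an added example that is not part of the original post. It assumes the Windows Server 2003 directory service command-line tools (dsadd, dsacls) are available on a domain B domain controller; the domain names, group, OU, account and the delegated right ("Reset Password") are hypothetical placeholders.

```bat
@echo off
rem Added example. Run on a domain controller in domain B, logged on with a
rem domain B administrator account. All names below are constructed placeholders.
set "GROUP_NAME=DomainA-Delegates"
set "GROUP_DN=CN=%GROUP_NAME%,OU=Groups,DC=domainb,DC=example"
set "TARGET_OU=OU=Staff,DC=domainb,DC=example"
set "FOREIGN_ACCOUNT=DOMAINA\adminuser"

rem 1. Create the delegation group in domain B. Scope "l" (domain local) is
rem    used because accounts from a trusted domain outside the forest can be
rem    members of domain local groups only.
dsadd group "%GROUP_DN%" -secgrp yes -scope l -samid %GROUP_NAME%
if errorlevel 1 goto fail

rem 2. Add the domain A account to the domain B group. On a domain controller,
rem    "net localgroup" manages domain local groups. This step has to resolve
rem    the domain A name across the trust, so it fails if cross-domain DNS
rem    resolution is broken.
net localgroup "%GROUP_NAME%" %FOREIGN_ACCOUNT% /add
if errorlevel 1 goto fail

rem 3. Delegate one narrow right to the group on one OU instead of granting
rem    domain-wide administration: the "Reset Password" control access right
rem    on user objects below the OU (/I:S = sub-objects only).
dsacls "%TARGET_OU%" /I:S /G "DOMAINB\%GROUP_NAME%:CA;Reset Password;user"
if errorlevel 1 goto fail

rem 4. Print the resulting ACL so the new entry can be reviewed.
dsacls "%TARGET_OU%"
goto :eof

:fail
echo Delegation step failed, see the error above.
exit /b 1
```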
 
entint (Author) Commented:
Oh a group, right. Thanks Chev_PCN. Do you think that systemlog failure in dcdiag will still cause me issues? I will give it a whirl tonight and let you know.
0
 
Chev_PCN Commented:
The system log entry is not a failure in itself - it's an alert that there are items in the system log that need attention. These indicate that you have a DNS problem that you should try to resolve. If you're struggling with that then post another question in the AD / DNS forum. This specific log entry should not have any effect on the cross-forest trust unless there are definite resolution issues.
0
 
entint (Author) Commented:
When I attempt to add a user object as a member of a group in the trusted domain, I get the error still. I tested this in my production domain and it works fine without being a member of any group. What other area can I look at?
0
 
entint (Author) Commented:
RESOLVED!!!! After adding my SRV records I remembered that I deleted my Forwarders in DNS. Added the forwarders back and then could ping the trusting domains!
0
 
entint (Author) Commented:
I completely forgot about using DNSDIAG. This made me realize I had no SRV records!
0
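A check for the two causes found in this thread (missing SRV records and missing DNS forwarders), as an added example that is not part of the original posts. It assumes nltest, dnscmd and dcdiag from the Windows Server 2003 Support Tools are installed on the domain controller; the domain names and the forwarder address are constructed placeholders.

```bat
@echo off
rem Added example. Run on a domain controller that also hosts DNS.
rem Placeholders below are constructed, not values from the thread.
set "LOCAL_DOMAIN=domaina.example"
set "REMOTE_DOMAIN=domainb.example"
set "REMOTE_DNS=192.0.2.20"

rem 1. The DC locator depends on these SRV records. Both lookups must return
rem    at least one domain controller: the local one proves Netlogon has
rem    registered its records, the remote one proves this DNS server can
rem    resolve the other domain (through a forwarder in this setup).
for %%D in (%LOCAL_DOMAIN% %REMOTE_DOMAIN%) do (
    echo === SRV lookup for %%D ===
    nslookup -type=SRV _ldap._tcp.dc._msdcs.%%D
)

rem 2. Dump the local DNS server settings and check the forwarders section.
dnscmd /Info

rem    If the forwarder to the other domain's DNS server is missing, it can be
rem    set again. /ResetForwarders replaces the whole list, so include every
rem    forwarder that should remain. Left commented out on purpose.
rem dnscmd /ResetForwarders %REMOTE_DNS%

rem 3. If the local SRV records are missing, restarting Netlogon makes the DC
rem    register the records listed in %SystemRoot%\system32\config\netlogon.dns.
net stop netlogon
net start netlogon

rem 4. Confirm a domain controller can now be located in the other domain and
rem    that the local DC passes the connectivity test.
nltest /dsgetdc:%REMOTE_DOMAIN%
dcdiag /test:connectivity
```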
Question has a verified solution.
