Solved

Delegate Control - The Server is not Operational

Posted on 2011-09-06
Last Modified: 2012-05-12
Hello, I have a test lab with all Server 2003 DCs. Both domains' functional levels are Win2000 native mode. The two-way trust is in place and validated. I am able to log into member servers and desktops in either domain (the "Log on to" drop-down displays both domains). From either domain I am unable to Delegate Control, or connect to another domain in AD. I can ping the PDC for both domains from the trusting domain. They are all VMs and I have tried booting in a specific order, one PDC then the other. I also tried booting up one PDC, waited 15 minutes and booted the other. Please help!
Question by:entint
10 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 36488671
So within a domain if you log into the DC and right click and try to run the delegation control wizard it errors out or is it only if you try to connect to the other domain?

What errors are you seeing in the logs or dcdiag.  Can you verify the trusts?

Thanks

Mike
LVL 9

Expert Comment

by:Chev_PCN
ID: 36489424
If you are trying to delegate control across the trust, you need to ensure that the account you are using has permissions to CREATE the delegation in the alternate domain.

Author Comment

by:entint
ID: 36493384
Running DCDIAG gave me the answers. All my SRV records are gone! I removed the DNS role, deleted the system32/DNS folder and I still get the same zones. What am I forgetting to delete?

Author Comment

by:entint
ID: 36493483
Cancel, DNS is okay after reinstalling DNS, then stop/start Netlogon, then stop/start DNS. DCDIAG passes connectivity now but fails in both domains under the systemlog bit.

DC from one forest:

Starting test: systemlog
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 09/06/2011   23:49:24
            Event String: The dynamic registration of the DNS record
         An Error Event occured.  EventID: 0x825A0011
            Time Generated: 09/07/2011   00:03:25
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 09/07/2011   00:08:55
            Event String: The dynamic registration of the DNS record
         ......................... SERVER2 failed test systemlog

DC from other forest:

Starting test: systemlog
         An Error Event occured.  EventID: 0x825A0011
            Time Generated: 09/07/2011   00:00:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 09/07/2011   00:14:25
            Event String: The dynamic registration of the DNS record
         ......................... SERVER3 failed test systemlog
The trust was validated and verified before I made the correction. So my question to Chev_PCN is how am I supposed to grant access to the other domain, if I am unable to Delegate Control?
LVL 9

Expert Comment

by:Chev_PCN
ID: 36494280
You have to HAVE access in the other domain first.
It would look something like this:

You have a domain admin account in domain A
You want that account to be delegated rights in domain B
You use a domain admin account in domain B to create a group for delegation
You use the same domain B account to add the domain A account to the domain B group.
You then delegate the necessary rights to the group in domain B, which has the domain admin from A as a member.
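The group-based pattern Chev_PCN describes, as an added PowerShell example that is not from this thread. It assumes the ActiveDirectory module (Server 2008 R2 or later with RSAT) and dsacls.exe; every domain, DC, OU and account name below is a placeholder.

```powershell
# Added example, not from the thread. Domain B delegates to a group; the domain A admin
# is a member of that group. All names below are placeholders.
$domainADC    = 'dc1.domaina.example'                      # a DC in the trusting domain (A)
$domainBDC    = 'dc1.domainb.example'                      # a DC in the domain being delegated (B)
$domainBCred  = Get-Credential 'DOMAINB\admin'             # a domain admin *in B* does every step
$targetOU     = 'OU=Helpdesk Users,DC=domainb,DC=example'  # OU in B the rights apply to
$groupName    = 'Delegated-ResetPassword'

# 1. Create a domain-local security group in domain B. Across an external trust only a
#    domain-local group can hold a principal from the other domain.
$group = New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
             -Path $targetOU -Server $domainBDC -Credential $domainBCred -PassThru

# 2. Add the domain A admin by distinguished name. Writing the DN straight into 'member'
#    lets the B-side DC create the foreign security principal; Add-ADGroupMember often
#    cannot resolve a cross-trust member on its own. Looking the DN up in A runs under the
#    caller's own (domain A) credentials, so this step also exercises the trust itself.
$adminA = Get-ADUser -Identity 'adminA' -Server $domainADC
Set-ADGroup -Identity $group -Add @{ member = $adminA.DistinguishedName } `
            -Server $domainBDC -Credential $domainBCred

# 3. Delegate the right to the group, scoped to user objects under the OU (/I:S = inherited
#    sub-objects only, CA = control access right). Run this as the domain B admin, e.g.
#    under runas, because dsacls takes no credential parameter here.
dsacls "\\$domainBDC\$targetOU" /I:S /G "DOMAINB\${groupName}:CA;Reset Password;user"

# 4. Verify: the member list should show a ForeignSecurityPrincipals DN for the A account,
#    and the OU's ACL should carry an ACE for the group.
Get-ADGroup -Identity $group -Properties member -Server $domainBDC -Credential $domainBCred |
    Select-Object -ExpandProperty member
dsacls "\\$domainBDC\$targetOU" | Select-String -Pattern $groupName
```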

Author Comment

by:entint
ID: 36495718
Oh, a group, right. Thanks Chev_PCN. Do you think that systemlog failure in dcdiag will still cause me issues? I will give it a whirl tonight and let you know.
LVL 9

Expert Comment

by:Chev_PCN
ID: 36495777
The system log entry is not a failure in itself - it's an alert that there are items in the system log that need attention. These indicate that you have a DNS problem that you should try to resolve. If you're struggling with that then post another question in the AD / DNS forum. This specific log entry should not have any effect on the cross-forest trust unless there are definite resolution issues.

Author Comment

by:entint
ID: 36500140
When I attempt to add a user object as a member of a group in the trusted domain, I still get the error. I tested this in my production domain and it works fine without being a member of any group. What other area can I look at?

Author Comment

by:entint
ID: 36500179
RESOLVED!!!! After adding my SRV records I remembered that I deleted my Forwarders in DNS. Added the forwarders back and then could ping the trusting domains!

Author Closing Comment

by:entint
ID: 36500183
I completely forgot about using DNSDIAG. This made me realize I had no SRV records!
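A check for the failure entint eventually found (missing SRV records and deleted forwarders), as an added PowerShell example that is not from this thread. It assumes Resolve-DnsName (Windows 8 / Server 2012 or later; on Server 2003 the same queries can be run with nslookup -type=SRV) plus nltest and netdom; the domain names are placeholders.

```powershell
# Added example, not from the thread. Run on the DC that reports "failed test systemlog"
# to confirm the SRV records and forwarding the trust depends on. Domain names are placeholders.
function Test-TrustDns {
    param(
        [string]$LocalDomain  = 'domaina.example',  # the domain this DC belongs to
        [string]$RemoteDomain = 'domainb.example'   # the domain on the other side of the trust
    )
    # Without these records the DC locator cannot find a DC, LDAP, Kerberos or GC for the
    # remote domain, so AD Users and Computers cannot connect to it and dcdiag logs the
    # dynamic-registration events shown in the thread.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$RemoteDomain",
        "_kerberos._tcp.dc._msdcs.$RemoteDomain",
        "_ldap._tcp.gc._msdcs.$RemoteDomain",
        "_ldap._tcp.$RemoteDomain"
    )
    $missing = @()
    foreach ($name in $srvNames) {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            if (-not $srv) { throw 'answer contained no SRV data' }
            foreach ($r in $srv) {
                Write-Host ('{0,-45} -> {1}:{2}' -f $name, $r.NameTarget, $r.Port)
            }
        } catch {
            $missing += $name
            Write-Host ('{0,-45} MISSING: {1}' -f $name, $_.Exception.Message)
        }
    }
    if ($missing.Count -gt 0) {
        # Causes seen in this thread: the forwarder / conditional forwarder for the remote
        # domain was removed, or the remote DCs never re-registered after DNS was reinstalled
        # (nltest /dsregdns or a Netlogon restart on those DCs re-registers the records).
        Write-Warning "$($missing.Count) SRV record(s) for $RemoteDomain not resolvable; fix forwarders on this DC's DNS server before testing the trust."
        return $false
    }
    # DNS looks right: exercise the DC locator across the trust, then the trust's secure channel.
    nltest "/dsgetdc:$RemoteDomain" /force
    netdom trust $LocalDomain "/domain:$RemoteDomain" /verify
    return ($LASTEXITCODE -eq 0)
}

Test-TrustDns
```

Run it once from a DC in each domain with the parameters swapped, since the thread's dcdiag output shows both sides failing.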