Solved

Delegate Control - The Server is not Operational

Posted on 2011-09-06
10
292 Views
Last Modified: 2012-05-12
Hello, I have a test lab with all Server 2003 DCs. Both domains' functional levels are Win2000 native mode. The two-way trust is in place and validated. I am able to log into member servers and desktops in either domain (the "Log on to" drop-down displays both domains). From either domain I am unable to Delegate Control, or connect to another domain in AD. I can ping the PDC for both domains from the trusting domain. They are all VMs and I have tried booting in a specific order, one PDC then the other. I also tried booting up one PDC, waiting 15 minutes and booting the other. Please help!
Question by: entint
10 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 36488671
So within a domain if you log into the DC and right click and try to run the delegation control wizard it errors out or is it only if you try to connect to the other domain?

What errors are you seeing in the logs or dcdiag? Can you verify the trusts?

Thanks

Mike
0
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 36489424
If you are trying to delegate control across the trust, you need to ensure that the account you are using has permissions to CREATE the delegation in the alternate domain.
0
 

Author Comment

by:entint
ID: 36493384
Running DCDIAG gave me the answers. All my SRV records are gone! I removed the DNS role, deleted the system32/DNS folder and I still get the same zones. What am I forgetting to delete?
0
 

Author Comment

by:entint
ID: 36493483
Cancel, DNS is okay after reinstalling DNS, then stop/start netlogon, then stop/start DNS. DCDIAG passes connectivity now but fails in both domains under the systemlog bit.

DC from one forest:

Starting test: systemlog
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 09/06/2011   23:49:24
            Event String: The dynamic registration of the DNS record
         An Error Event occured.  EventID: 0x825A0011
            Time Generated: 09/07/2011   00:03:25
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 09/07/2011   00:08:55
            Event String: The dynamic registration of the DNS record
         ......................... SERVER2 failed test systemlog

DC from other forest:

Starting test: systemlog
         An Error Event occured.  EventID: 0x825A0011
            Time Generated: 09/07/2011   00:00:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x0000168E
            Time Generated: 09/07/2011   00:14:25
            Event String: The dynamic registration of the DNS record
         ......................... SERVER3 failed test systemlog

The trust was validated and verified before I made the correction. So my question to Chev_PCN is: how am I supposed to grant access to the other domain if I am unable to Delegate Control?
0
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 36494280
You have to HAVE access in the other domain first.
It would look something like this:

You have a domain admin account in domain A
You want that account to be delegated rights in domain B
You use a domain admin account in domain B to create a group for delegation
You use the same domain B account to add the domain A account to the domain B group.
You then delegate the necessary rights to the group in domain B, which has the domain admin from A as a member.
0
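Chev_PCN's sequence, as an added PowerShell example that is not part of the original thread: a Domain Admin of domain B creates a domain-local group, adds the domain A admin to it, and delegates rights on an OU to that group. It assumes the ActiveDirectory module (RSAT) and dsacls.exe are available; domain, OU, account and group names are placeholders.

```powershell
# Added example, not from the thread. Run as a Domain Admin of domain B.
Import-Module ActiveDirectory

$domainA   = 'corpa.local'                       # account domain (trusted) - placeholder
$domainB   = 'corpb.local'                       # resource domain where rights are granted - placeholder
$adminA    = 'adminA'                            # sAMAccountName of the domain A admin - placeholder
$groupName = 'Deleg-Staff-PasswordReset'         # group that receives the delegation - placeholder
$groupOU   = 'OU=Delegation,DC=corpb,DC=local'   # where the group lives in domain B - placeholder
$targetOU  = 'OU=Staff,DC=corpb,DC=local'        # OU whose user objects are delegated - placeholder

# 1. Domain-local scope is required: across an external trust only a domain-local group
#    can hold principals from the other domain (global groups cannot; universal groups
#    are limited to the forest).
New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
            -Path $groupOU -Server $domainB -Description "Delegated password reset on $targetOU"

# 2. Resolve the admin against its OWN domain's DC, then add it to the domain B group.
#    Domain B stores the member as a foreign security principal (CN=ForeignSecurityPrincipals).
$userA = Get-ADUser -Identity $adminA -Server $domainA
Add-ADGroupMember -Identity $groupName -Members $userA -Server $domainB

# 3. Delegate to the GROUP, not to the foreign account directly. dsacls.exe grants the
#    classic "Reset user passwords" delegation on user objects under $targetOU
#    (CA = control access right, RPWP = read/write property, /I:S = sub-objects only).
$grantee = "$($domainB.Split('.')[0])\$groupName"
dsacls $targetOU /I:S /G "${grantee}:CA;Reset Password;user"
dsacls $targetOU /I:S /G "${grantee}:RPWP;pwdLastSet;user"
dsacls $targetOU /I:S /G "${grantee}:RPWP;lockoutTime;user"

# 4. Verify what was written: list the ACEs on the OU that name the group.
(Get-Acl -Path "AD:\$targetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Step 2 is the one that fails when name resolution for the trusted domain is broken, which is why the thread's DNS problems surfaced as a delegation error.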
 

Author Comment

by:entint
ID: 36495718
Oh, a group, right. Thanks Chev_PCN. Do you think that systemlog failure in dcdiag will still cause me issues? I will give it a whirl tonight and let you know.
0
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 36495777
The system log entry is not a failure in itself - it's an alert that there are items in the system log that need attention. These indicate that you have a DNS problem that you should try to resolve. If you're struggling with that then post another question in the AD / DNS forum. This specific log entry should not have any effect on the cross-forest trust unless there are definite resolution issues.
0
 

Author Comment

by:entint
ID: 36500140
When I attempt to add a user object as a member of a group in the trusted domain, I still get the error. I tested this in my production domain and it works fine without being a member of any group. What other area can I look at?
0
 

Author Comment

by:entint
ID: 36500179
RESOLVED!!!! After adding my SRV records I remembered that I deleted my Forwarders in DNS. Added the forwards back and then could ping the trusting domains!
0
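The two things that were broken in this thread, the DC locator SRV records and the DNS forwarders, can be checked from the trusting domain's DC before touching the trust. This added PowerShell example is not from the thread; it assumes PowerShell 3+ with the DnsClient module (Resolve-DnsName) and, for the forwarder check, the DnsServer module on the DC. The domain name is a placeholder.

```powershell
# Added example, not from the thread. Checks the SRV records the DC locator needs for a
# trusted domain, then the forwarders/conditional forwarders that make those lookups
# possible. Event 5774 (0x168E in the dcdiag output above) is the NETLOGON error for a
# failed dynamic registration of exactly these records.
function Test-TrustDns {
    param(
        [Parameter(Mandatory)][string]$TrustedDomain,
        [string]$DnsServer = $null      # optional: query a specific DNS server
    )
    $ok = $true
    # SRV records looked up when locating a DC, a KDC, and the PDC emulator of the trusted domain
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$TrustedDomain",
        "_kerberos._tcp.dc._msdcs.$TrustedDomain",
        "_ldap._tcp.pdc._msdcs.$TrustedDomain"
    )
    foreach ($name in $srvNames) {
        try {
            $params = @{ Name = $name; Type = 'SRV'; ErrorAction = 'Stop' }
            if ($DnsServer) { $params.Server = $DnsServer }
            $answers = Resolve-DnsName @params | Where-Object { $_.Type -eq 'SRV' }
            foreach ($a in $answers) {
                Write-Host ("OK   {0} -> {1}:{2}" -f $name, $a.NameTarget, $a.Port)
            }
            if (-not $answers) { Write-Warning "No SRV answer for $name"; $ok = $false }
        } catch {
            Write-Warning "Lookup failed for $name : $($_.Exception.Message)"
            $ok = $false
        }
    }
    # Without forwarders (or a conditional forwarder / stub zone for the trusted domain),
    # a DC that is authoritative only for its own zones cannot resolve the other forest.
    if (Get-Command Get-DnsServerForwarder -ErrorAction SilentlyContinue) {
        $fwd = (Get-DnsServerForwarder).IPAddress
        if (-not $fwd) { Write-Warning 'No DNS forwarders configured on this server'; $ok = $false }
        else { Write-Host "Forwarders: $($fwd -join ', ')" }
        $cond = Get-DnsServerZone -ErrorAction SilentlyContinue |
                Where-Object { $_.ZoneType -eq 'Forwarder' -and $_.ZoneName -eq $TrustedDomain }
        if ($cond) { Write-Host "Conditional forwarder for $TrustedDomain -> $($cond.MasterServers -join ', ')" }
    }
    return $ok
}

Test-TrustDns -TrustedDomain 'corpb.local'   # placeholder trusted domain
```

If the SRV lookups fail but the forwarders are present, run `nltest /dsgetdc:<trusted domain>` and `dcdiag /test:dns` on the DC to see which side is not registering or not answering.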
 

Author Closing Comment

by:entint
ID: 36500183
I completely forgot about using DNSDIAG. This made me realize I had no SRV records!
0
