Solved

Sub domain issue in AD 2012

Posted on 2014-03-24
1,438 Views
Last Modified: 2014-03-31
Hi

I have just created a sub domain (in a different subnet) and cannot authorise the dhcp scope / server in the new child domain. It returns an error (access denied) which I think is because the administrator is not a member of the enterprise admins group. I cannot get the administrator@child.domain.local into this group.

The DNS zones won't replicate either, but the sites have been added to the child DNS server under the _sites folders. However, the _kerberos and _ldap SRV records point to the local child DNS server, not the respective servers in those sites.

On the child domain server, the local DNS IP should be 127.0.0.1, right, as it's running DNS locally?

nltest /dsgetdc:child.domain.local /force and nltest /dsgetdc:domain.local /force all return successfully.

nltest /dclist:child.domain.local and nltest /dclist:domain.local also return successfully.

Suggestions?
Thanks
Question by:ywilson_mm
7 Comments
 
LVL 14

Accepted Solution

by:
Schnell Solutions earned 250 total points
ID: 39950089
Hello

In order to authorize a DHCP server you must be an Enterprise Administrator or have delegated administration for this task.

If it is not possible to configure permissions for your child domain Administrator account, you just need to authorize your DHCP server using a different account (with Enterprise Administrators membership). As this is a one-time operation, you only need to do it once. You can log on to "any" server/workstation in your forest using your Enterprise Administrator account and authorize that DHCP server.

For example:

Log on to one server in your root domain using an Enterprise Administrator account and open a DHCP MMC. Right-click "DHCP Servers", which is the top item in the left navigation pane, select the option to manage DHCP authorizations, then just add the IP address that corresponds to your server.

Does it work for you?
0
 

Author Comment

by:ywilson_mm
ID: 39950152
Hi
That's a good idea. I added the FQDN of the child server and tried authorising it. It says the specified servers are already present in the directory service, but it remains unauthorised.

I also logged into the child server as an Enterprise Admin, which worked. Then when I open the DHCP snap-in, it returns this event log entry when I try to authorise.

Log Name:      System
Source:        Microsoft-Windows-DHCP-Server
Date:          24/03/2014 20:31:09
Event ID:      1046

The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain singapore.mediamath.local, has determined that it is not authorized to start.  It has stopped servicing clients.  The following are some possible reasons for this:
      This machine is part of a directory service enterprise and is not authorized in the same domain.  (See help on the DHCP Service Management Tool for additional information).

      This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized.

      Some unexpected network error occurred.

Kind regards
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 150 total points
ID: 39950322
Log on to the DHCP server with a parent domain account which is a member of Domain Admins and Enterprise Admins in the parent domain, and then try to authorize the DHCP server.

Also, what is the domain functional level of the child domain and the parent domain?
0

Author Comment

by:ywilson_mm
ID: 39950363
Hi
Yep, tried to login to the server as parent enterprise admin.
The forest is 2012 and domain is 2012 r2.

After a bit more poking and a reboot, it seems to have finally registered!
0
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 39950428
Good,

It might be due to AD replication delay.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39950927
It's not replication latency.

Somehow you were not able to reach the configuration partition with write access. Maybe you were having some connectivity issue previously, because for authorizing DHCP, replication is not required; direct connectivity and write access to the configuration partition are required.

Logging on to the DHCP server with the root domain's Domain Admins and Enterprise Admins account somehow opened that lock, and you were able to authorize.

Mahesh.
0
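The procedure Schnell Solutions describes (authorize from an Enterprise Admins context) and the point Mahesh raises (the authorization object lives in the forest Configuration partition) can be checked from PowerShell. This is an added example, not code from the thread; it assumes the DhcpServer and ActiveDirectory RSAT modules, an elevated session under a forest-root Enterprise Admins account, and placeholder server names.

```powershell
# Added example (not from the thread). Assumes the DhcpServer and ActiveDirectory
# modules are installed and this runs elevated under a forest-root Enterprise Admins
# account. All host names and addresses below are placeholders.
$DhcpFqdn = 'dhcp01.child.domain.local'   # placeholder: child-domain DHCP server
$DhcpIp   = '10.20.0.10'                  # placeholder: its IP address
$RootDc   = 'dc01.domain.local'           # placeholder: a forest-root DC

Import-Module DhcpServer, ActiveDirectory

# 1. Confirm the current token really carries Enterprise Admins (the cause of the
#    access-denied error in the question). The forest Enterprise Admins group has
#    RID 519 in the forest-root domain; whoami /groups lists the token's group SIDs.
$rootDomainSid = (Get-ADDomain -Server $RootDc).DomainSID.Value
$eaSid = "$rootDomainSid-519"
$tokenSids = (whoami /groups /fo csv | ConvertFrom-Csv).SID
if ($tokenSids -notcontains $eaSid) {
    throw "Token lacks Enterprise Admins ($eaSid); authorization will be denied."
}

# 2. Authorize the child-domain server. This creates a dHCPClass object under
#    CN=NetServices,CN=Services in the Configuration partition, which is why write
#    access to that partition (not AD replication) is what the operation needs.
Add-DhcpServerInDC -DnsName $DhcpFqdn -IPAddress $DhcpIp

# 3. Verify directly against the Configuration partition on the root DC, not only
#    through the DHCP snap-in's view of it.
$cfgNc = (Get-ADRootDSE -Server $RootDc).configurationNamingContext
Get-ADObject -Server $RootDc `
    -SearchBase "CN=NetServices,CN=Services,$cfgNc" `
    -LDAPFilter "(&(objectClass=dHCPClass)(cn=$DhcpFqdn))" `
    -Properties dhcpServers | Format-List Name, dhcpServers

# Get-DhcpServerInDC is what the snap-in shows; it should now list the same server.
Get-DhcpServerInDC | Where-Object DnsName -eq $DhcpFqdn

# 4. Restart the service on the DHCP host and confirm no new Event ID 1046
#    ("not authorized to start") is logged after the restart.
$since = Get-Date
Invoke-Command -ComputerName $DhcpFqdn -ScriptBlock { Restart-Service DHCPServer }
Get-WinEvent -ComputerName $DhcpFqdn -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-DHCP-Server'
    Id = 1046; StartTime = $since
} -ErrorAction SilentlyContinue
```

If step 3 shows the object but step 4 still logs 1046, the DHCP service is reading a DC that has not yet received the object, which is the replication-latency case discussed in the following comments.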
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 39959491
Hello Mahesh

It really can depend on replication latency, which is why I said that it might be the reason.

DHCP authorization reads information from AD partitions, and if there are many DCs, the server is not going to receive its authorization until it reads an updated one.

We handle many environments, some of them with more than 100 DCs, and it is certain that it relies on replication and is affected by such delays; moreover, the same applies to small environments. However, it depends on whether there is more than one DC, whether they are in the same or different AD sites, replication schedule times, etc.

It depends... it could be the case, maybe yes, maybe not. We just have to look further in cases where it is necessary to investigate what really happened.
0

Question has a verified solution.