Solved

Sub domain issue in AD 2012

Posted on 2014-03-24
Last Modified: 2014-03-31
Hi

I have just created a sub domain (in a different subnet) and cannot authorise the dhcp scope / server in the new child domain. It returns an error (access denied) which I think is because the administrator is not a member of the enterprise admins group. I cannot get the administrator@child.domain.local into this group.

The DNS zones won't replicate either, but the sites have been added to the child DNS server under the _sites folders. However, the _kerberos and _ldap SRV records point to the local child DNS server, not the respective servers in those sites.

On the child domain server, the local DNS IP should be 127.0.0.1, right, as it's running DNS locally?

nltest /dsgetdc:child.domain.local /force and nltest /dsgetdc:domain.local /force all return successfully.

nltest /dclist:child.domain.local and nltest /dclist:domain.local also return successfully.

Suggestions?
Thanks
Question by:ywilson_mm
7 Comments
 

Accepted Solution

by:
Schnell Solutions earned 250 total points
ID: 39950089
Hello

In order to authorize a DHCP server you must be an Enterprise Administrator or have delegated administration for this task.

If it is not possible to configure permissions for your child domain Administrator account, you just need to authorize your DHCP server using a different account (with Enterprise Administrators membership). As this is a one-time operation, you only need to do it once. You can log on to "any" server/workstation in your forest using your enterprise administrator account and authorize that DHCP server.

For example:

Log on to a server in your root domain using an enterprise administrator account and open the DHCP MMC. Right-click "DHCP Servers", which is the top item in the left navigation pane, select the option for managing DHCP authorizations, and then just add the IP address that corresponds to your server.

Does it work for you?
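The same one-time authorization from the root domain can be done from PowerShell, which also lets you look at the directory object the MMC is creating. This is an added example, not code from the answer above; the server name dhcp01.child.domain.local and the address 10.20.0.10 are assumptions. Run it in an elevated session as a member of Enterprise Admins on a root-domain machine with the DHCP Server tools (RSAT-DHCP) and the ActiveDirectory module installed.

```powershell
# Added example, not from the original answer. Assumed names:
#   child DHCP server : dhcp01.child.domain.local / 10.20.0.10
# Run as an Enterprise Admin on a root-domain server with RSAT-DHCP installed.
Import-Module DhcpServer
Import-Module ActiveDirectory

$dhcpFqdn = 'dhcp01.child.domain.local'   # assumed
$dhcpIp   = '10.20.0.10'                  # assumed

# Authorization is recorded in the forest-wide configuration partition, not in the
# child domain partition. That is why a child Domain Admin gets "access denied"
# and an Enterprise Admin (or an account delegated on CN=NetServices) does not.
Add-DhcpServerInDC -DnsName $dhcpFqdn -IPAddress $dhcpIp

# Confirm the server is now in the authorized list.
Get-DhcpServerInDC | Where-Object { $_.DnsName -eq $dhcpFqdn }

# Look at the underlying object: authorized servers are dHCPClass objects under
# CN=NetServices,CN=Services in the configuration naming context.
$netServices = 'CN=NetServices,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase $netServices -Filter 'objectClass -eq "dHCPClass"' -Properties dhcpServers |
    Select-Object Name, dhcpServers

# The DHCP service on the child server only re-checks authorization periodically.
# If it keeps logging event 1046 after the object exists, restart it so it re-reads.
Invoke-Command -ComputerName $dhcpFqdn -ScriptBlock { Restart-Service DHCPServer }
```

Add-DhcpServerInDC fails with "already present in the directory service" when a dHCPClass object for that name already exists, which matches what the asker saw; in that case the listing from Get-ADObject shows whether the existing entry carries the expected FQDN and address, and Remove-DhcpServerInDC followed by Add-DhcpServerInDC recreates it.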
 

Author Comment

by:ywilson_mm
ID: 39950152
Hi
That's a good idea. I added the FQDN of the child server and tried authorising it. It says the specified servers are already present in the directory service, but it remains unauthorised.

I also logged into the child server as an enterprise admin, which worked. Then when I open the DHCP snap-in, it returns this event log entry when I try to authorise.

Log Name:      System
Source:        Microsoft-Windows-DHCP-Server
Date:          24/03/2014 20:31:09
Event ID:      1046

The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain singapore.mediamath.local, has determined that it is not authorized to start.  It has stopped servicing clients.  The following are some possible reasons for this:
      This machine is part of a directory service enterprise and is not authorized in the same domain.  (See help on the DHCP Service Management Tool for additional information).

      This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized.

      Some unexpected network error occurred.

Kind regards
 

Assisted Solution

by:Mahesh
Mahesh earned 150 total points
ID: 39950322
Log on to the DHCP server with a parent-domain account that is a member of Domain Admins and Enterprise Admins in the parent domain, and then try to authorize the DHCP server.

Also, what is the domain functional level of the child domain and the parent domain?
 

Author Comment

by:ywilson_mm
ID: 39950363
Hi
Yep, tried to log in to the server as the parent enterprise admin.
The forest is 2012 and domain is 2012 r2.

After a bit more poking and a reboot, it seems to have finally registered!

Expert Comment

by:Schnell Solutions
ID: 39950428
Good,

It might be due to AD replication delay.

Expert Comment

by:Mahesh
ID: 39950927
It's not replication latency.

Somehow you were not able to reach the configuration partition with write access. Maybe you had some connectivity issue previously, because replication is not required for authorizing DHCP; direct connectivity and write access to the configuration partition are required.

Logging on to the DHCP server with the root domain's Domain Admins and Enterprise Admins account somehow opened that lock, and you were able to authorize.

Mahesh.

Expert Comment

by:Schnell Solutions
ID: 39959491
Hello Mahesh

It really can depend on replication latency, which is why I said it might be the reason.

DHCP authorization reads information from AD partitions, and if there are many DCs, the server is not going to receive its authorization until it reads an updated one.

We handle many environments, some of them with more than 100 DCs, and it certainly relies on replication and is affected by such delays; moreover, the same applies to small environments. However, it depends on whether there is more than one DC, whether they are in the same or different AD sites, the replication schedule, etc.

It depends... it could be the case, maybe yes, maybe not. We would just have to look further in cases where it is necessary to investigate what really happened.
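The two explanations above (no write access to the configuration partition, or the new object not yet replicated to the DC the child server reads from) can both be tested rather than guessed at. The following is an added example, not code from either commenter; the server name dhcp01.child.domain.local is an assumption. Run it on the child DHCP server, in the same session that fails to authorize, with the ActiveDirectory module available.

```powershell
# Added example, not from the original thread. Assumed name:
#   child DHCP server : dhcp01.child.domain.local
# Run on the child DHCP server in the session whose authorization attempt fails.
Import-Module ActiveDirectory

# 1. Does the current token really contain Enterprise Admins? The group lives in the
#    forest root domain and its RID is always 519, so build the SID from the root SID.
$rootDomain = (Get-ADForest).RootDomain
$eaSid      = (Get-ADDomain -Identity $rootDomain).DomainSID.Value + '-519'
$inToken    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
              Where-Object { $_.Value -eq $eaSid }
"Enterprise Admins present in current token: {0}" -f [bool]$inToken

# 2. Which DC will take the write, and can we reach it on LDAP? Every DC holds a
#    writable configuration partition, but the one the locator picks must be reachable.
$dc = [string](Get-ADDomainController -Discover -Writable -ForceDiscover).HostName
"Locator chose DC: $dc"
# Test-NetConnection needs Windows Server 2012 R2 or later (assumed, per the thread).
Test-NetConnection -ComputerName $dc -Port 389 | Select-Object ComputerName, TcpTestSucceeded

# 3. Who is allowed to create objects under CN=NetServices? Authorizing a DHCP server
#    creates a dHCPClass child there, so the account needs CreateChild (or a superset).
$netServices = 'CN=NetServices,CN=Services,' + (Get-ADRootDSE -Server $dc).configurationNamingContext
(Get-Acl -Path "AD:\$netServices").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'CreateChild|GenericAll|WriteProperty' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# 4. If the authorization was done elsewhere (e.g. from a root-domain DC), has the object
#    replicated to the DC this server reads from? showobjmeta lists the attribute versions
#    and originating DC; replsummary shows any partner that is failing or lagging.
$obj = "CN=dhcp01.child.domain.local,$netServices"   # assumed server FQDN
repadmin /showobjmeta $dc $obj
repadmin /replsummary
```

Reading the results: a missing Enterprise Admins SID in step 1 means the logon is not what you think it is (a stale token after a group change needs a fresh logon); a failed TCP test in step 2 points at the connectivity problem Mahesh describes; an ACL in step 3 that grants CreateChild only to Enterprise Admins confirms why the child-domain Administrator is refused; and a step 4 showobjmeta that errors with "object not found" on this DC while the object exists on the root DC is the replication lag Schnell Solutions describes.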
