Sub domain issue in AD 2012


I have just created a sub domain (in a different subnet) and cannot authorise the dhcp scope / server in the new child domain. It returns an error (access denied) which I think is because the administrator is not a member of the enterprise admins group. I cannot get the administrator@child.domain.local into this group.

The dns zones won't replicate either but the sites have been added to the child dns server under the _sites folders. However, the _kerberos and _ldap srv records point to the local child dns server, not the respective servers in those sites.

On the child domain server, the local dns IP should be right as it's running dns locally?

nltest /dsgetdc:child.domain.local /force and nltest /dsgetdc:domain.local /force all return successfully.

nltest /dclist:child.domain.local and nltest /dclist:domain.local also return successfully.
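One way to check what the site-specific SRV records actually resolve to, and to compare that with what the DC locator returns per site, is the PowerShell below. This is an added example, not part of the original question; the domain, DNS server and site names are placeholders, and it only uses the built-in `Resolve-DnsName` cmdlet plus the same `nltest` tool the question already mentions.

```powershell
# Added example (not from the original question): list the site-specific
# _ldap/_kerberos SRV records published in the child zone and show which host
# each one names, then ask the DC locator which DC it picks for each site.
# All names below are placeholders for the real forest.
$ChildDomain = 'child.domain.local'           # placeholder: the new child domain
$DnsServer   = 'childdc1.child.domain.local'  # placeholder: child DC that runs DNS
$Sites       = 'SiteA', 'SiteB'               # placeholders: sites seen under _sites

function Get-SiteSrvRecords {
    param([string]$Domain, [string]$Server, [string[]]$SiteNames)

    foreach ($site in $SiteNames) {
        foreach ($svc in '_ldap', '_kerberos') {
            # Records under dc._msdcs are the ones the locator uses for DCs.
            $name = "$svc._tcp.$site._sites.dc._msdcs.$Domain"
            try {
                $records = Resolve-DnsName -Name $name -Type SRV -Server $Server -ErrorAction Stop |
                           Where-Object { $_.Type -eq 'SRV' }
                foreach ($r in $records) {
                    [pscustomobject]@{ Record = $name; Target = $r.NameTarget; Port = $r.Port }
                }
            } catch {
                [pscustomobject]@{ Record = $name; Target = "NOT FOUND: $($_.Exception.Message)"; Port = $null }
            }
        }
    }
}

Get-SiteSrvRecords -Domain $ChildDomain -Server $DnsServer -SiteNames $Sites | Format-Table -AutoSize

# Compare with the DC the locator selects for each site (same tool as the
# nltest checks above, with the /site: switch added).
foreach ($site in $Sites) {
    nltest /dsgetdc:$ChildDomain /site:$site /force
}
```

If a record's target is not the DC you expect for that site, the next things to look at are which DCs belong to (or auto-cover) the site and whether dynamic registration from those DCs is reaching the child zone.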

Schnell Solutions (Systems Infrastructure Engineer) commented:

In order to authorize a DHCP server you must be Enterprise Administrator or have delegated administration for this task

If this is not possible to configure permissions for your Child Domain Administrator account, you just need to authorize your DHCP using a different account (with Enterprise Administrators membership). As far as this is one time operation, you just need to make it once. You can logon to "any" server/workstation in your forest using your enterprise administrator account and authorize that DHCP server.

For example:

Logon to one server in your root domain, using an enterprise administrator account, open a DHCP mmc. Right click "DHCP Servers", which is the higher item on the left navigation pane and select the option in order to manage DHCP authorizations, then just add the IP address that corresponds to your server

Does it work for you?
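The same authorization and the checks around it can be done from PowerShell, which also makes it easy to see exactly what is recorded in the directory. This is an added example, not the answerer's own steps; the account, server name and IP address are placeholders, and it assumes the DhcpServer and ActiveDirectory modules are available on the machine where it runs (a Server 2012 DC or a box with RSAT).

```powershell
# Added example (not from the original answer): authorize a DHCP server in AD
# while logged on as an Enterprise Admin, then verify the result.
# Placeholders: replace with the real forest root, server FQDN and address.
$RootDomain  = 'domain.local'                 # placeholder: forest root domain
$DhcpFqdn    = 'childdc1.child.domain.local'  # placeholder: child DHCP server
$DhcpIp      = '10.10.10.5'                   # placeholder: its IP address

# 1. Confirm the current account really is in Enterprise Admins. The group
#    lives only in the forest root domain, so query a root DC.
$me = (whoami).Split('\')[-1]
$isEA = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $RootDomain -Recursive |
        Where-Object { $_.SamAccountName -eq $me }
if (-not $isEA) { Write-Warning "$me is not a member of Enterprise Admins in $RootDomain" }

# 2. Show what is currently authorized. Authorizations are stored in the
#    configuration partition, so this list is forest-wide.
Write-Host "Currently authorized DHCP servers:"
Get-DhcpServerInDC | Format-Table DnsName, IPAddress -AutoSize

# 3. Authorize only if the server is missing. The entry keeps both the DNS name
#    and the IP, so a name-only or IP-only mismatch can show up here as
#    'already present' while the service still refuses to start.
$existing = Get-DhcpServerInDC | Where-Object { $_.IPAddress -eq $DhcpIp -or $_.DnsName -eq $DhcpFqdn }
if (-not $existing) {
    Add-DhcpServerInDC -DnsName $DhcpFqdn -IPAddress $DhcpIp
} else {
    Write-Host "Already present as $($existing.DnsName) / $($existing.IPAddress)"
}

# 4. Look at the raw objects under CN=NetServices in the configuration
#    partition; this is the data the DHCP service reads when it starts.
$configNC = (Get-ADRootDSE -Server $RootDomain).configurationNamingContext
Get-ADObject -Server $RootDomain -SearchBase "CN=NetServices,CN=Services,$configNC" `
             -LDAPFilter '(objectClass=dHCPClass)' -Properties dhcpServers |
    Format-Table Name, dhcpServers -AutoSize

# 5. Restart the service on the DHCP host and read the outcome from the System
#    log: 1046 is the 'not authorized' event quoted in this thread, 1044 is
#    the matching 'authorized to start' event.
Invoke-Command -ComputerName $DhcpFqdn -ScriptBlock {
    Restart-Service DhcpServer
    Start-Sleep -Seconds 10
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DHCP-Server'; Id = 1044, 1046 } -MaxEvents 3 |
        Select-Object TimeCreated, Id, Message
}
```

Step 4 is the useful one when the MMC says the server is "already present" but the service still logs 1046: it shows the authorization the directory actually holds, from the root domain's view, so a stale or mismatched entry is visible without guessing.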
ywilson_mm (Author) commented:
That's a good idea. I added the fqdn of the child server and tried authorising it. It says the specified servers are already present in the directory service but it remains unauthorised.

I also logged into the child server as an enterprise admin, which worked. Then when I open the dhcp snap-in, it returns this eventlog entry when I try and authorise.

Log Name:      System
Source:        Microsoft-Windows-DHCP-Server
Date:          24/03/2014 20:31:09
Event ID:      1046

The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain singapore.mediamath.local, has determined that it is not authorized to start.  It has stopped servicing clients.  The following are some possible reasons for this:
      This machine is part of a directory service enterprise and is not authorized in the same domain.  (See help on the DHCP Service Management Tool for additional information).

      This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized.

      Some unexpected network error occurred.

Kind regards
Mahesh (Architect) commented:
Logon to DHCP server with parent domain account which is member of domain admins and enterprise admins in parent domain and then try to authorize DHCP server

Also what is your domain functional level of child domain and parent domain ?
ywilson_mm (Author) commented:
Yep, tried to login to the server as parent enterprise admin.
The forest is 2012 and domain is 2012 r2.

After a bit more poking and a reboot, it seems to have finally registered!
Schnell Solutions (Systems Infrastructure Engineer) commented:

It might be due to AD replication delay
It's not replication latency.

Somehow you were not able to reach the configuration partition with write access.
Maybe you were having some connectivity issue previously, because for authorizing DHCP replication is not required; direct connectivity and write access to the configuration partition is required.

Logging on to the DHCP server with the root domain's domain admins and enterprise admins account, that lock has opened somehow and you are able to authorize.

Schnell Solutions (Systems Infrastructure Engineer) commented:
Hello Mahesh

It really can depend on replication latency, because of that I said it might be the reason.

DHCP authorization reads information from AD partitions, and if there are many DCs, the server is not going to receive its authorization until it reads an updated one.

We handle many environments, some of them with more than 100 DCs, and it is sure that it relies on replication and is affected by such delays; moreover the same applies to little environments. However, it depends on whether there is more than one DC, if they are in the same or different AD sites, replication configuration times, etc.

It depends... it could be the case, maybe yes, maybe not. We just shall look further in cases when it is necessary to investigate what really happened.