Solved

Sub domain issue in AD 2012

Posted on 2014-03-24
Last Modified: 2014-03-31
Hi

I have just created a sub domain (in a different subnet) and cannot authorise the dhcp scope / server in the new child domain. It returns an error (access denied) which I think is because the administrator is not a member of the enterprise admins group. I cannot get the administrator@child.domain.local into this group.

The DNS zones won't replicate either, but the sites have been added to the child DNS server under the _sites folders. However, the _kerberos and _ldap SRV records point to the local child DNS server, not the respective servers in those sites.

On the child domain server, the local DNS IP should be 127.0.0.1, right, as it's running DNS locally?

nltest /dsgetdc:child.domain.local /force and nltest /dsgetdc:domain.local /force both return successfully.

nltest /dclist:child.domain.local and nltest /dclist:domain.local also return successfully.

Suggestions?
Thanks
Question by:ywilson_mm
7 Comments
 
LVL 14

Accepted Solution

by:
Schnell Solutions earned 250 total points
ID: 39950089
Hello

In order to authorize a DHCP server you must be an Enterprise Administrator or have delegated administration for this task.

If it is not possible to configure permissions for your Child Domain Administrator account, you just need to authorize your DHCP server using a different account (with Enterprise Administrators membership). As this is a one-time operation, you just need to do it once. You can log on to "any" server/workstation in your forest using your enterprise administrator account and authorize that DHCP server.

For example:

Log on to one server in your root domain, using an enterprise administrator account, and open the DHCP MMC. Right-click "DHCP Servers", which is the top item in the left navigation pane, select the option to manage DHCP authorizations, then just add the IP address that corresponds to your server.

Does it work for you?
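The same one-time authorization from the accepted solution, done from PowerShell instead of the DHCP MMC, as an added example that is not part of the original thread. It assumes the DhcpServer and ActiveDirectory RSAT modules are installed, that the session runs under a forest-root account, and uses placeholder values for the child-domain DHCP server's name and IP; it also shows the forest-wide Configuration partition objects that the authorization actually writes, which is why a child-domain Domain Admin alone gets "access denied".

```powershell
# Added example (not from the thread). Assumes the DhcpServer and ActiveDirectory
# RSAT modules are present and the session runs under a forest-root account that
# is a member of Enterprise Admins. Server name and IP below are placeholders.
Import-Module DhcpServer
Import-Module ActiveDirectory

$DhcpFqdn = 'dhcp01.child.domain.local'   # placeholder: child-domain DHCP server
$DhcpIp   = '10.20.0.10'                   # placeholder: its IP address

# 1. Confirm the account doing the authorization is an Enterprise Admin.
#    Authorization is written to the forest-wide Configuration partition, so a
#    Domain Admin of the child domain is not sufficient.
$rootDomain = (Get-ADForest).RootDomain
$entAdmins  = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $rootDomain -Recursive |
              Select-Object -ExpandProperty SamAccountName
if ($entAdmins -notcontains $env:USERNAME) {
    throw "$env:USERNAME is not in Enterprise Admins of $rootDomain; authorization will be denied."
}

# 2. Show what is already recorded under CN=NetServices in the Configuration
#    partition. The "already present in the directory service" message in the
#    thread means an object for this server exists here even though the local
#    service still reports itself unauthorized (event 1046).
$confNC = (Get-ADRootDSE -Server $rootDomain).configurationNamingContext
$netSvc = "CN=NetServices,CN=Services,$confNC"
Get-ADObject -SearchBase $netSvc -Filter { objectClass -eq 'dhcpClass' } `
             -Properties dhcpServers -Server $rootDomain |
    Select-Object Name, dhcpServers | Format-Table -AutoSize

# 3. Authorize only if the server is not already listed; otherwise report it.
$listed = Get-DhcpServerInDC |
    Where-Object { $_.DnsName -eq $DhcpFqdn -or $_.IPAddress -eq $DhcpIp }
if ($listed) {
    Write-Output "$DhcpFqdn / $DhcpIp is already recorded as authorized."
} else {
    Add-DhcpServerInDC -DnsName $DhcpFqdn -IPAddress $DhcpIp
    Write-Output "Authorized $DhcpFqdn ($DhcpIp)."
}

# 4. Make the local DHCP service re-read its authorization state, then check the
#    System log: 1044 = authorized and serving, 1046 = not authorized (as seen
#    in the thread). Run this part on the DHCP server itself.
Restart-Service -Name DHCPServer -Force
Get-WinEvent -FilterHashtable @{ LogName = 'System'
                                 ProviderName = 'Microsoft-Windows-DHCP-Server'
                                 Id = @(1044, 1046) } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```

If step 3 reports the server as already listed but step 4 still logs 1046, that is the state the thread describes, and the remaining question is whether the DHCP server can reach a writable DC for the Configuration partition, not whether it is Enterprise Admin.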

Author Comment

by:ywilson_mm
ID: 39950152
Hi
That's a good idea. I added the FQDN of the child server and tried authorising it. It says the specified servers are already present in the directory service, but it remains unauthorised.

I also logged into the child server as an enterprise admin, which worked. Then, when I open the DHCP snap-in, it returns this event log entry when I try to authorise.

Log Name:      System
Source:        Microsoft-Windows-DHCP-Server
Date:          24/03/2014 20:31:09
Event ID:      1046

The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain singapore.mediamath.local, has determined that it is not authorized to start.  It has stopped servicing clients.  The following are some possible reasons for this:
      This machine is part of a directory service enterprise and is not authorized in the same domain.  (See help on the DHCP Service Management Tool for additional information).

      This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized.

      Some unexpected network error occurred.

Kind regards
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 150 total points
ID: 39950322
Log on to the DHCP server with a parent domain account which is a member of domain admins and enterprise admins in the parent domain, and then try to authorize the DHCP server.

Also, what is the domain functional level of the child domain and the parent domain?

Author Comment

by:ywilson_mm
ID: 39950363
Hi
Yep, tried to log in to the server as parent enterprise admin.
The forest is 2012 and the domain is 2012 R2.

After a bit more poking and a reboot, it seems to have finally registered!
LVL 14

Expert Comment

by:Schnell Solutions
ID: 39950428
Good,

It might be due to AD replication delay
LVL 35

Expert Comment

by:Mahesh
ID: 39950927
It's not replication latency.

Somehow you were not able to reach the configuration partition with write access.
Maybe you were having some connectivity issue previously, because for authorizing DHCP, replication is not required; direct connectivity and write access to the configuration partition are required.

Logging on to the DHCP server with the root domain's domain admins and enterprise admins account, that lock has somehow opened and you are able to authorize.

Mahesh.
LVL 14

Expert Comment

by:Schnell Solutions
ID: 39959491
Hello Mahesh

It really can depend on replication latency; because of that, I said that it might be the reason.

DHCP authorization reads information from AD partitions, and if there are many DCs, the server is not going to receive its authorization until it reads an updated one.

We handle many environments, some of them with more than 100 DCs, and it is certain that it relies on replication and is affected by such delays; moreover, the same applies to small environments. However, it depends on whether there is more than one DC, whether they are in the same or different AD sites, replication configuration times, etc.

It depends... it could be the case, maybe yes, maybe not. We just shall look further in cases when it is necessary to investigate what really happened