Solved

Sub domain issue in AD 2012

Posted on 2014-03-24
Last Modified: 2014-03-31
Hi

I have just created a sub domain (in a different subnet) and cannot authorise the DHCP scope / server in the new child domain. It returns an error (access denied), which I think is because the administrator is not a member of the Enterprise Admins group. I cannot get administrator@child.domain.local into this group.

The DNS zones won't replicate either, but the sites have been added to the child DNS server under the _sites folders. However, the _kerberos and _ldap SRV records point to the local child DNS server, not the respective servers in those sites.

On the child domain server, the local DNS IP should be 127.0.0.1, right, as it's running DNS locally?

nltest /dsgetdc:child.domain.local /force and nltest /dsgetdc:domain.local /force both return successfully.

nltest /dclist:child.domain.local and nltest /dclist:domain.local also return successfully.

Suggestions?
Thanks
Question by:ywilson_mm
7 Comments
 
LVL 14

Accepted Solution

by:
Schnell Solutions earned 250 total points
ID: 39950089
Hello

In order to authorize a DHCP server you must be an Enterprise Administrator or have delegated administration for this task.

If it is not possible to configure permissions for your child domain Administrator account, you just need to authorize your DHCP server using a different account (with Enterprise Administrators membership). As this is a one-time operation, you only need to do it once. You can log on to "any" server/workstation in your forest using your enterprise administrator account and authorize that DHCP server.

For example:

Log on to one server in your root domain using an enterprise administrator account and open the DHCP MMC. Right-click "DHCP Servers", which is the top item in the left navigation pane, select the option to manage DHCP authorizations, then just add the IP address that corresponds to your server.

Does it work for you?
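The same one-time authorization, done from a forest-root session in PowerShell rather than the MMC, as an added example (not code from the thread). It assumes the DhcpServer and ActiveDirectory modules from Windows Server 2012 RSAT, and a hypothetical child DHCP server dhcp01.child.domain.local at 10.20.0.10; it checks the token for Enterprise Admins membership first, since that is the group the question says is missing.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012 RSAT modules and a
# hypothetical child DHCP server (dhcp01.child.domain.local / 10.20.0.10).
Import-Module DhcpServer
Import-Module ActiveDirectory

$dhcpFqdn = 'dhcp01.child.domain.local'   # hypothetical
$dhcpIp   = '10.20.0.10'                  # hypothetical

# 1. Enterprise Admins lives only in the forest root domain; its SID is <root domain SID>-519.
#    Check the actual logon token, which also reflects nested membership.
$rootDomain = (Get-ADForest).RootDomain
$eaSid = (Get-ADDomain -Identity $rootDomain).DomainSID.Value + '-519'
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isEA  = ($token.Groups | ForEach-Object { $_.Value }) -contains $eaSid
if (-not $isEA) {
    throw "Run this as an Enterprise Admin of $rootDomain; a child-domain administrator is not one."
}

# 2. Read the current authorization list from the directory and look for our server
#    by name or IP ("already present" in the thread means a match was found here).
$existing = Get-DhcpServerInDC |
    Where-Object { $_.DnsName -eq $dhcpFqdn -or $_.IPAddress.ToString() -eq $dhcpIp }

# 3. Authorize only if it is really missing; authorization is keyed on the IP address.
if (-not $existing) {
    Add-DhcpServerInDC -DnsName $dhcpFqdn -IPAddress $dhcpIp
    Write-Output "Authorized $dhcpFqdn ($dhcpIp)."
} else {
    Write-Output "Already authorized: $($existing.DnsName) $($existing.IPAddress)"
}

# 4. The service re-checks authorization on start; a fresh event 1046 (the one quoted in
#    the thread) after the restart means the directory still does not list this server.
Invoke-Command -ComputerName $dhcpFqdn -ScriptBlock {
    Restart-Service -Name DHCPServer
    Start-Sleep -Seconds 10
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-DHCP-Server'
        Id = 1046; StartTime = (Get-Date).AddMinutes(-1)
    }
}
```

An empty result from the last step means no new "not authorized" event was logged after the restart; any returned event means the server still cannot see itself in the authorization list.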
 

Author Comment

by:ywilson_mm
ID: 39950152
Hi
That's a good idea. I added the FQDN of the child server and tried authorising it. It says the specified servers are already present in the directory service, but it remains unauthorised.

I also logged into the child server as an enterprise admin, which worked. Then when I open the DHCP snap-in, it returns this event log entry when I try to authorise.

Log Name:      System
Source:        Microsoft-Windows-DHCP-Server
Date:          24/03/2014 20:31:09
Event ID:      1046

The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain singapore.mediamath.local, has determined that it is not authorized to start.  It has stopped servicing clients.  The following are some possible reasons for this:
      This machine is part of a directory service enterprise and is not authorized in the same domain.  (See help on the DHCP Service Management Tool for additional information).

      This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized.

      Some unexpected network error occurred.

Kind regards
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 150 total points
ID: 39950322
Log on to the DHCP server with a parent domain account which is a member of Domain Admins and Enterprise Admins in the parent domain, and then try to authorize the DHCP server.

Also, what is the domain functional level of the child domain and the parent domain?

Author Comment

by:ywilson_mm
ID: 39950363
Hi
Yep, tried to log in to the server as parent enterprise admin.
The forest is 2012 and domain is 2012 r2.

After a bit more poking and a reboot, it seems to have finally registered!
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 39950428
Good,

It might be due to AD replication delay.
 
LVL 35

Expert Comment

by:Mahesh
ID: 39950927
It's not replication latency.

Somehow you were not able to reach the configuration partition with write access.
Maybe you were having some connectivity issue previously, because for authorizing DHCP, replication is not required; direct connectivity and write access to the configuration partition is required.

Logging on to the DHCP server with the root domain Domain Admins and Enterprise Admins account has somehow opened that lock, and you are able to authorize.

Mahesh.
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 39959491
Hello Mahesh

It really can depend on replication latency; because of that I said it might be the reason.

DHCP authorization reads information from AD partitions, and if there are many DCs, the server is not going to receive its authorization until it reads an updated one.

We handle many environments, some of them with more than 100 DCs, and it is certain that it relies on replication and is affected by such delays; moreover, the same applies to small environments. However, it depends on whether there is more than one DC, whether they are in the same or different AD sites, replication configuration times, etc.

It depends... it could be the case, maybe yes, maybe not. We shall just look further in cases where it is necessary to investigate what really happened.
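Mahesh's point (authorization is a write to the configuration partition, which needs connectivity and write access to a DC) and Schnell's point (the DHCP server only sees the entry once its own DC has replicated it) can be separated with a check rather than guessed at. The following is an added example, not code from either expert: it reads the ACL on the container that holds the authorization objects and then asks every DC in the forest whether it already holds the entry. It assumes the ActiveDirectory module, the AD: PSDrive it provides, and a hypothetical server IP 10.20.0.10; the container path under CN=Services is where DHCP authorization objects (class dHCPClass) are stored.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (AD: drive)
# and a hypothetical child DHCP server at 10.20.0.10.
Import-Module ActiveDirectory

$dhcpIp   = '10.20.0.10'                                   # hypothetical
$forest   = Get-ADForest
$configNC = (Get-ADRootDSE -Server $forest.RootDomain).configurationNamingContext
$netSvc   = "CN=NetServices,CN=Services,$configNC"          # DHCP authorization objects live here

# 1. Write access: the ACL on this configuration-partition container decides who may
#    authorize, regardless of which domain the admin account comes from.
(Get-Acl -Path "AD:\$netSvc").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'Create|Write|GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights |
    Format-Table -AutoSize

# 2. Convergence: query each DC directly (not the one the console happens to bind to)
#    for a dHCPClass entry matching the server's IP, by object name or dhcpServers value.
$dcs = $forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
$report = foreach ($dc in $dcs) {
    $hit = $null
    try {
        $hit = Get-ADObject -Server $dc.HostName -SearchBase $netSvc -SearchScope OneLevel `
                   -LDAPFilter '(objectClass=dHCPClass)' -Properties dhcpServers, whenChanged |
               Where-Object { $_.Name -eq $dhcpIp -or (($_.dhcpServers -join ' ') -like "*$dhcpIp*") } |
               Select-Object -First 1
        $status = if ($hit) { 'present' } else { 'missing' }
    } catch {
        $status = "unreachable: $($_.Exception.Message)"   # connectivity problem, not replication
    }
    [pscustomobject]@{
        DC      = $dc.HostName
        Site    = $dc.Site
        Entry   = $status
        Changed = if ($hit) { $hit.whenChanged } else { $null }
    }
}
$report | Sort-Object Site, DC | Format-Table -AutoSize
```

If some DCs report the entry and others do not, the write succeeded and replication has simply not converged; if no DC has it, or the DC the DHCP server uses is unreachable, the authorization was never written or cannot be read, which is the access or connectivity case.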