Solved

Issue with Child Domain user accessing resources in the parent domain

Posted on 2014-12-31
7
226 Views
Last Modified: 2015-01-03
We have recently run into an issue with one of our child domains in our forest.  Up until last week there was not an issue.  Now when users from the child domain try to access any of our resources in the parent domain, it requests a login.

When they put in the following,

domain\username
password

it will not allow them in.  However when they put

username@childdomainFQDN
password

It allows them to login.

This would not be as big of an issue except that we have now add window authentication to SQL for one of our applications.

When they try to login on machine that are connected to the Parent domain if they use pre-2000 login, it will not let them login.  If they use their normal login, then they get a "password or user name incorrect" error.

We think this is an issue with something with NetBIOS.  When we are in the child domain and try to connect to the ADUC of the parent, we can't type in "CORP", we have to search by Domain.net.   We can however connect to any of the other child domains by NetBIOS name with no issue.

Replication looks like it is working properly from all domains, but I am not sure where else to look.  This is only effecting one child domain.  We have several others that are working correctly.

Thank you
0
Comment
Question by:PLHGroup
  • 4
  • 3
7 Comments
 
LVL 41

Expert Comment

by:Amit
Comment Utility
What is the Domain functional level? How is your WINS server? Any patch or change happened recently in your child domain?
0
 

Author Comment

by:PLHGroup
Comment Utility
Functional level is 2008 R2.
We don't have a WINS server, just using DNS.   The only changes were normal patching, but that was a week before this issues started.
0
 

Author Comment

by:PLHGroup
Comment Utility
It looks like we have suffered from a USN rollback on one of our Parent level DC's.

I have pulled the bad DC out of the replication trees for all the child domains.  This has corrected the issue of passing the pre-2000 name for fileshares on the child domain DC's but we are still having issues on computers that are joined to the child domain.  

I cannot login on any computers outside the child domain with credentials from that child domain.  We have several child domains, and all others are working.  We are combing through the logs for this domain.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 41

Accepted Solution

by:
Amit earned 500 total points
Comment Utility
That's not good. Check this
http://support.microsoft.com/kb/875495
0
 

Author Comment

by:PLHGroup
Comment Utility
Yeah.  We are going through that process now.  To get our users from that domain working, we are changing the connections for the application they use from the server name to the server IP.  That is allowing them to pass their credentials properly to SQL.
0
 

Author Closing Comment

by:PLHGroup
Comment Utility
Amit thank you for your help.  That KB was what we were looking at.  One of my guys followed that down the rabbit hole and found some commands from Repadmin that would allow you restart the replication.

What we ended up doing was the following.

1) Removed the DC from the replication trees of every DC in our forest.  We ensured no one was making any changes in the parent domain so that we wouldn't have to have any replications being missed.
2) We waited a couple of hours making sure all other DC's in the forest were replicating properly (child domains only obviously)
3) We ran Repadmin /options Disable_inbound_repl and Repadmin /options disable_inbound_repl
4) We waiting 15 minutes and the replication restarted with no issues.

Again, Thank you Amit for your help
0
 
LVL 41

Expert Comment

by:Amit
Comment Utility
Great, thanks for sharing the solution. I also suggest you to put some monitoring for your AD environment...bare minimum you can run repadmin /replsum everyday and email it. You can also implement monitoring script or use scom
0

Featured Post

Why spend so long doing email signature updates?

Do you spend loads of your time carrying out email signature updates? Not very interesting are they? Don’t let signature updates get you down. Let Exclaimer Cloud - Signatures for Office 365 make managing email signatures a breeze.

Join & Write a Comment

Have you considered what group policies are backwards and forwards compatible? Windows Active Directory servers and clients use group policy templates to deploy sets of policies within your domain. But, there is a catch to deploying policies. The…
Know what services you can and cannot, should and should not combine on your server.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now