Solved

Issue with Child Domain user accessing resources in the parent domain

Posted on 2014-12-31
Last Modified: 2015-01-03
We have recently run into an issue with one of our child domains in our forest.  Up until last week there was not an issue.  Now when users from the child domain try to access any of our resources in the parent domain, it requests a login.

When they put in the following,

domain\username
password

it will not allow them in.  However when they put

username@childdomainFQDN
password

It allows them to login.

This would not be as big of an issue except that we have now added Windows authentication to SQL for one of our applications.

When they try to log in on machines that are connected to the Parent domain, if they use the pre-2000 login, it will not let them log in.  If they use their normal login, then they get a "password or user name incorrect" error.

We think this is an issue with something with NetBIOS.  When we are in the child domain and try to connect to the ADUC of the parent, we can't type in "CORP", we have to search by Domain.net.   We can however connect to any of the other child domains by NetBIOS name with no issue.

Replication looks like it is working properly from all domains, but I am not sure where else to look.  This is only affecting one child domain.  We have several others that are working correctly.

Thank you
0
Question by:PLHGroup
7 Comments
 
LVL 41

Expert Comment

by:Amit
ID: 40526604
What is the Domain functional level? How is your WINS server? Any patch or change happened recently in your child domain?
0
 

Author Comment

by:PLHGroup
ID: 40527158
Functional level is 2008 R2.
We don't have a WINS server, just using DNS.   The only changes were normal patching, but that was a week before this issue started.
0
 

Author Comment

by:PLHGroup
ID: 40527837
It looks like we have suffered from a USN rollback on one of our Parent level DCs.

I have pulled the bad DC out of the replication trees for all the child domains.  This has corrected the issue of passing the pre-2000 name for fileshares on the child domain DCs, but we are still having issues on computers that are joined to the child domain.

I cannot login on any computers outside the child domain with credentials from that child domain.  We have several child domains, and all others are working.  We are combing through the logs for this domain.
0
 
LVL 41

Accepted Solution

by:
Amit earned 500 total points
ID: 40527974
That's not good. Check this
http://support.microsoft.com/kb/875495
0
 

Author Comment

by:PLHGroup
ID: 40528034
Yeah.  We are going through that process now.  To get our users from that domain working, we are changing the connections for the application they use from the server name to the server IP.  That is allowing them to pass their credentials properly to SQL.
0
 

Author Closing Comment

by:PLHGroup
ID: 40528638
Amit, thank you for your help.  That KB was what we were looking at.  One of my guys followed that down the rabbit hole and found some commands from Repadmin that would allow you to restart the replication.

What we ended up doing was the following.

1) Removed the DC from the replication trees of every DC in our forest.  We ensured no one was making any changes in the parent domain so that we wouldn't have to have any replications being missed.
2) We waited a couple of hours making sure all other DCs in the forest were replicating properly (child domains only obviously).
3) We ran Repadmin /options Disable_inbound_repl and Repadmin /options disable_inbound_repl
4) We waited 15 minutes and the replication restarted with no issues.

Again, thank you Amit for your help.
0
 
LVL 41

Expert Comment

by:Amit
ID: 40529610
Great, thanks for sharing the solution. I also suggest you put some monitoring in place for your AD environment... bare minimum, you can run repadmin /replsum every day and email it. You can also implement a monitoring script or use SCOM.
0
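A sketch of the daily check suggested in the last comment, as an added example that is not part of the original thread: it parses `repadmin /showrepl * /csv` (used here instead of `/replsum` because the CSV form is machine-readable) and lists replication links that are failing, stale, or rejected because replication is disabled on a partner. The function name `Get-ReplicationProblem`, the sample rows and the 24-hour threshold are assumptions made for illustration; it needs PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). $SampleCsv is constructed data: the DC
# names, sites and timestamps are made up so the logic runs without a domain.
$SampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,PARENT-DC1,"DC=corp,DC=example",HQ,PARENT-DC2,RPC,0,0,2015-01-03 09:12:44,0
showrepl_INFO,Branch,CHILD-DC1,"CN=Configuration,DC=corp,DC=example",HQ,PARENT-DC2,RPC,37,2015-01-03 09:10:02,2014-12-24 02:15:31,8456
'@

function Get-ReplicationProblem {
    param(
        [string[]]$CsvLines,             # output of: repadmin /showrepl * /csv
        [datetime]$Now = (Get-Date),
        [int]$MaxAgeHours = 24           # assumed threshold; tune to your schedule
    )
    $CsvLines | ConvertFrom-Csv |
        Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' } |
        ForEach-Object {
            $failures = [int]$_.'Number of Failures'
            $status   = [int]$_.'Last Failure Status'
            $lastOk   = [datetime]::MinValue
            $parsed   = [datetime]::TryParse($_.'Last Success Time', [ref]$lastOk)
            $reason   = @()
            if ($failures -gt 0) { $reason += "$failures consecutive failures, last status $status" }
            if (-not $parsed) {
                $reason += 'no parseable last-success time'
            } elseif (($Now - $lastOk).TotalHours -gt $MaxAgeHours) {
                $reason += 'last success {0:N0} h ago' -f ($Now - $lastOk).TotalHours
            }
            # 8456 / 8457: source / destination DC is rejecting replication requests,
            # i.e. inbound or outbound replication is disabled on that DC.
            if (8456, 8457 -contains $status) { $reason += 'replication disabled on a partner' }
            if ($reason) {
                [pscustomobject]@{
                    Destination   = $_.'Destination DSA'
                    Source        = $_.'Source DSA'
                    NamingContext = $_.'Naming Context'
                    Reason        = $reason -join '; '
                }
            }
        }
}

# Offline run against the sample; on a live system use:
#   $lines = repadmin /showrepl * /csv
$problems = @(Get-ReplicationProblem -CsvLines ($SampleCsv -split '\r?\n') -Now ([datetime]'2015-01-03 10:00'))
$problems | Format-List
# To email it daily, run this from a scheduled task and send ($problems | Out-String).
```

With the sample data only the CHILD-DC1 link is reported, because the healthy link has no failures and a recent last success.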

Question has a verified solution.
