Solved

Issue with Child Domain user accessing resources in the parent domain

Posted on 2014-12-31
7
264 Views
Last Modified: 2015-01-03
We have recently run into an issue with one of our child domains in our forest.  Up until last week there was not an issue.  Now when users from the child domain try to access any of our resources in the parent domain, it requests a login.

When they put in the following,

domain\username
password

it will not allow them in.  However when they put

username@childdomainFQDN
password

It allows them to login.

This would not be as big of an issue except that we have now add window authentication to SQL for one of our applications.

When they try to login on machine that are connected to the Parent domain if they use pre-2000 login, it will not let them login.  If they use their normal login, then they get a "password or user name incorrect" error.

We think this is an issue with something with NetBIOS.  When we are in the child domain and try to connect to the ADUC of the parent, we can't type in "CORP", we have to search by Domain.net.   We can however connect to any of the other child domains by NetBIOS name with no issue.

Replication looks like it is working properly from all domains, but I am not sure where else to look.  This is only effecting one child domain.  We have several others that are working correctly.

Thank you
0
Comment
Question by:PLHGroup
  • 4
  • 3
7 Comments
 
LVL 42

Expert Comment

by:Amit
ID: 40526604
What is the Domain functional level? How is your WINS server? Any patch or change happened recently in your child domain?
0
 

Author Comment

by:PLHGroup
ID: 40527158
Functional level is 2008 R2.
We don't have a WINS server, just using DNS.   The only changes were normal patching, but that was a week before this issues started.
0
 

Author Comment

by:PLHGroup
ID: 40527837
It looks like we have suffered from a USN rollback on one of our Parent level DC's.

I have pulled the bad DC out of the replication trees for all the child domains.  This has corrected the issue of passing the pre-2000 name for fileshares on the child domain DC's but we are still having issues on computers that are joined to the child domain.  

I cannot login on any computers outside the child domain with credentials from that child domain.  We have several child domains, and all others are working.  We are combing through the logs for this domain.
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 42

Accepted Solution

by:
Amit earned 500 total points
ID: 40527974
That's not good. Check this
http://support.microsoft.com/kb/875495
0
 

Author Comment

by:PLHGroup
ID: 40528034
Yeah.  We are going through that process now.  To get our users from that domain working, we are changing the connections for the application they use from the server name to the server IP.  That is allowing them to pass their credentials properly to SQL.
0
 

Author Closing Comment

by:PLHGroup
ID: 40528638
Amit thank you for your help.  That KB was what we were looking at.  One of my guys followed that down the rabbit hole and found some commands from Repadmin that would allow you restart the replication.

What we ended up doing was the following.

1) Removed the DC from the replication trees of every DC in our forest.  We ensured no one was making any changes in the parent domain so that we wouldn't have to have any replications being missed.
2) We waited a couple of hours making sure all other DC's in the forest were replicating properly (child domains only obviously)
3) We ran Repadmin /options Disable_inbound_repl and Repadmin /options disable_inbound_repl
4) We waiting 15 minutes and the replication restarted with no issues.

Again, Thank you Amit for your help
0
 
LVL 42

Expert Comment

by:Amit
ID: 40529610
Great, thanks for sharing the solution. I also suggest you to put some monitoring for your AD environment...bare minimum you can run repadmin /replsum everyday and email it. You can also implement monitoring script or use scom
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Hibernate on windows 10 18 156
Group policy not applying 5 100
robocopy vs xcopy vs copy 8 130
Upgrading System Center Configuration Manager 4 23
Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question