Solved

Access Denied when trying to Authorize DHCP on a child domain Server

Posted on 2016-08-16
11
106 Views
Last Modified: 2016-09-15
Hello-
I am trying to set up a new DHCP server because my old DHCP server is having a lot of physical difficulties, I guess because it's super old. However, I get an access denied message because I am not part of the Enterprise group of the parent domain. The thing is, I inherited this mess and am now trying to clean it up while production is still happening each day. I want to know, for the time being, whether there is a workaround to force an authorization of the DHCP server on the child domain. I have access to the parent domain root server, but it's not in use and hasn't been for over 2 years; they kept it on, though. I don't want to mess anything up if I start going into Active Directory Domains and Trusts and start replications. These guys have been primarily operating on the child domain without any issues until now, with this access denied when authorizing a new DHCP server. Please assist and let me know if you need any further information. I would like to rectify this issue quickly and then worry about decommissioning the old root server and just making the child domain the parent domain.
0
Question by:rbonds
11 Comments
 
LVL 23

Expert Comment

by:Coralon
ID: 41758876
Is your DHCP server part of the root domain? And do you have Domain Admin access?
I'd think you'd want to just build your DHCP server in the child domain, using the child Domain Admin access, and then you should be able to authorize it.

Coralon
0
 

Author Comment

by:rbonds
ID: 41759319
That's the thing: my new DHCP server is part of the root domain, and it's also a file and print server as well. Is there any way I can break loose of the root domain and still have my users connected? I get exactly what you are saying, but if I disjoin this new DHCP/file/print server from the root domain, I will have to rejoin all my users to just the child domain, and I have a lot of users. Thank you for your input.
0
 

Author Comment

by:rbonds
ID: 41759322
And yes I do have domain access.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 41759839
Log on to the DHCP server with an account having Enterprise Admins and Domain Admins membership in the parent domain (the parent domain administrator mostly has both of these rights) and authorize it.
Make sure the account you use is also a member of the local Administrators group on the DHCP server.
This is a one-time task, because to authorize DHCP you must have Enterprise Admin and Domain Admin rights in the root domain.

Once authorized, just use the child Domain Admins / any other admin account that is a member of the local Administrators group of the DHCP server to manage it.
0
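As an added illustration of the prerequisite Mahesh describes (this is not a script from anyone in the thread): the PowerShell below, run on the new DHCP server, reports which domain is the forest root, whether a DC of that root domain can even be reached, whether the current logon token carries the root domain's Enterprise Admins group (well-known RID 519 under the root domain SID), and what is already authorized in the forest before it attempts `Add-DhcpServerInDC`. It assumes the ActiveDirectory and DhcpServer modules (Windows Server 2012 or later, or RSAT); the server name and IP are placeholders.

```powershell
# Added example for this thread, not from any poster. Assumes the ActiveDirectory
# and DhcpServer PowerShell modules and that it runs on the DHCP server itself.
# $ServerFqdn and $ServerIp are placeholders; replace with the real values.
param(
    [string]$ServerFqdn = 'newdhcp.child.example.local',  # placeholder
    [string]$ServerIp   = '192.168.10.5',                 # placeholder
    [switch]$Authorize                                    # report only unless set
)
Import-Module ActiveDirectory
Import-Module DhcpServer

# 1. Enterprise Admins lives in the forest root, whatever domain this box is joined to.
$forest  = Get-ADForest
$thisDom = (Get-CimInstance Win32_ComputerSystem).Domain
Write-Host "Forest root domain : $($forest.RootDomain)"
Write-Host "This server's domain: $thisDom"

# 2. Can a DC of the root domain be reached at all? If the root DC has
#    replication or trust problems, authorization fails for the same reason,
#    so stop here rather than chase the access-denied message.
try {
    $rootDom = Get-ADDomain -Identity $forest.RootDomain -ErrorAction Stop
} catch {
    Write-Warning "Cannot query the root domain $($forest.RootDomain): $_"
    Write-Warning "Root DC reachability/replication must be fixed before authorizing."
    return
}

# 3. Does the current logon token contain the root domain's Enterprise Admins SID?
#    Enterprise Admins is the well-known RID 519 appended to the root domain SID.
$eaSid     = "$($rootDom.DomainSID.Value)-519"
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
             ForEach-Object { $_.Value }
$isEA = $tokenSids -contains $eaSid
Write-Host "Enterprise Admins ($eaSid) present in current token: $isEA"

# 4. What is already authorized in the forest's Configuration partition?
Write-Host "Currently authorized DHCP servers:"
Get-DhcpServerInDC | Format-Table DnsName, IPAddress -AutoSize

# 5. Only attempt the write when the prerequisites are satisfied.
if (-not $isEA) {
    Write-Warning "Current account is not an Enterprise Admin of $($forest.RootDomain);"
    Write-Warning "Add-DhcpServerInDC would return access denied. Log on with such an account."
    return
}
if ($Authorize) {
    Add-DhcpServerInDC -DnsName $ServerFqdn -IPAddress $ServerIp
    # Confirm the entry landed.
    Get-DhcpServerInDC | Where-Object DnsName -eq $ServerFqdn
} else {
    Write-Host "Prerequisites met. Re-run with -Authorize to register $ServerFqdn."
}
```

Run it first without `-Authorize` from the child-domain admin account that gets the error: step 3 will show the Enterprise Admins SID missing from the token, which is the cause of the access denied. Step 2 is the more important check in the situation described later in the thread: if the root DC cannot be queried, no account will be able to authorize until that is repaired.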
 
LVL 23

Expert Comment

by:Coralon
ID: 41759872
You can absolutely break out your DHCP from the root domain.
Build a new one in parallel on your child domain, and duplicate the scope, along with any static records etc.
You don't have to break the other services out of the root domain (at least at first). The various services all talk to each other, but they are not completely dependent.

But, you'll want to add the root suffix to the DHCP options to search for things.  You'll keep your DNS at the root domain for now.  

One important question -- are all your users in the root domain?  (and what's the qty of users?).

If you don't have the option to build a new one, then it gets tricky. You will want to look at a disjoin & rejoin to the child domain. If that happens, then you need to worry about how the drives & printers are mapped. If they use an FQDN for the mappings (\\server.domain.local\share, \\server.domain.local\printer), then it will have to be redone. If they used the short names (\\server\share and \\server\printers), then you should be able to move it pretty seamlessly. This will also require you to make the migration when the users are offline.

If you are using login scripts to map it all, then it becomes very simple to adjust it. If it is manual mappings, then it gets a lot harder, but not impossible.  

Coralon
0
 

Author Comment

by:rbonds
ID: 41759964
My root domain controller is doing absolutely nothing but sitting there for the last 2 years (as I was told) but holding onto that root domain name (root.com). All services and roles are on the child domain servers already (i.e. AD, DHCP, File, Print, etc.). My root domain server seems to have replication issues, SC errors when trying to configure in/out Domains and Trusts, and I cannot add my child Domain Admin access to the root server and vice versa. Active Directory on the root domain server is outdated (hence it's just been powered on and sitting there for 2 years). I tried logging in to the root domain using my child domain admin credentials to no avail, and I tried logging into my child domain server using the root domain credentials to no avail as well. In Active Directory Domains and Trusts on the root domain server, I cannot validate and reset passwords because of the SC errors listed, and the trust cannot be repaired because the parameters are incorrect, etc. It's a mess, and the child domain server handling DHCP is having physical matters, and my local techs have been just putting band-aids on it for the time being. Oh, and none of the users are in the root domain server, and I have around 250 users on the child domain controller, which I would like for DHCP to be authorized on. One more thing: when trying to log in to the child domain server with root domain credentials, I get this error message, "The security Database on the server does not have a computer account for this workstation trust relationship". Thank you all for your input. Anything else I can do?
0
 
LVL 23

Accepted Solution

by:
Coralon earned 500 total points
ID: 41761399
Wow.. that's much worse than I thought..

Given all of that, I'd be strongly tempted to put together a complete domain rebuild plan and build it from the ground up.

Are you a 24x7 shop? can you afford any kind of downtime?  and do you have any kind of budget for this..

In an ideal world, I would start with building a new DC for a new domain in a new forest.. no communication with the previous domains.  
1. Build a new DC, new Domain, new Forest
2. Export users from the old domain and reimport them into the new domain
3. Replicate the files from the old server(s) - you will need to export the permissions for the files, and you will have to reimport them by name to the new fileserver(s)
4. Keep the files in sync, probably by setting up a robocopy service using nssm (https://nssm.cc/). (I've set this up a few times, and nssm is fantastic.)
5. Build up a new DHCP server on the new DC, along with the scopes & reservations (if any).
6. Build up a new print server with the same printers & printer names and have them shared out as appropriate
7. Create a script to disjoin from the old domain and join the new domain -- TEST IT! :-)
8. Create a list of the users and their new passwords and get them distributed to all of them.  Make sure their new accounts are flagged with the must change at next logon.
9. At your next big available downtime, you'll issue your disjoin & rejoin domain script to all the workstations.
10. Your users will come in the next day and login to the newly updated workstations with the new accounts.

The hardest part of this is if you have roaming profiles, or if the users have a lot of stuff stored in their old profiles.  If they do, you may need to spend some time with the ADMT (https://www.microsoft.com/en-us/download/details.aspx?id=19188) and you can use that to migrate many of their settings & profile entries to the new profiles.

This is usually the most painful way to do this, but it is like ripping off a bandaid -- a lot of pain right up front, but your environment will be much more stable & dependable, and you will know *exactly* where everything is in it, and you get the time to rebuild it.

If you don't have that option - then I would look at breaking the domain trusts, and removing the root domain from the picture.  That has a lot of potential issues, and over the long haul will likely cause you more trouble than just the domain rebuild.

Without these.. I don't know of any way you could force the DHCP authorization.  Absolute worst case, you could try building a DHCP server that is *not* part of the domain, and set the options to register with the AD when those addresses are handed out.  It is also a good time to get the IP's & MAC addresses from the old domain so that you can set them up with static reservations.  Those reservations make the migration much easier, since there wouldn't be any chance of accidentally giving out the same ip more than 1x.


Coralon
0
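Steps 5 and the closing paragraph of the accepted answer (build the new DHCP server's scope and carry the old IP/MAC pairs across as reservations so the same address is never handed out twice during the cutover) can be scripted. The PowerShell below is an added example, not Coralon's or the poster's code: it reads the active leases from the old DHCP server, skips addresses already reserved on the new one, and creates the rest as reservations, defaulting to a dry run. It assumes the DhcpServer module on the machine running it, DHCP administrator rights on both servers, and that the scope already exists on the new server; server names and the scope ID are placeholders.

```powershell
# Added example for this thread, not from any poster. Assumes the DhcpServer
# PowerShell module (Windows Server 2012+ / RSAT) on the machine running it and
# DHCP admin rights on both servers. All names and the scope ID are placeholders.
param(
    [string]$OldServer = 'olddhcp.child.example.local',   # placeholder
    [string]$NewServer = 'newdhcp.child.example.local',   # placeholder
    [string]$ScopeId   = '192.168.10.0',                  # placeholder scope
    [string]$Record    = '.\lease-export.csv',            # audit trail of what was copied
    [switch]$Commit                                       # dry run unless set
)
Import-Module DhcpServer

# 1. The scope must already exist on the new server (same range as the old one).
$scope = Get-DhcpServerv4Scope -ComputerName $NewServer -ScopeId $ScopeId -ErrorAction SilentlyContinue
if (-not $scope) { throw "Scope $ScopeId does not exist on $NewServer; create it first." }

# 2. Pull the current leases (IP + MAC + hostname) from the old server.
#    Only active entries with a client ID are worth turning into reservations.
$leases = Get-DhcpServerv4Lease -ComputerName $OldServer -ScopeId $ScopeId |
          Where-Object { $_.AddressState -like 'Active*' -and $_.ClientId }
$leases | Select-Object IPAddress, ClientId, HostName, AddressState, LeaseExpiryTime |
          Export-Csv -Path $Record -NoTypeInformation

# 3. Reservations already present on the new server are left alone, so the
#    script can be re-run safely after a partial attempt.
$existing = @{}
Get-DhcpServerv4Reservation -ComputerName $NewServer -ScopeId $ScopeId -ErrorAction SilentlyContinue |
    ForEach-Object { $existing[$_.IPAddress.ToString()] = $true }

$created = 0; $skipped = 0
foreach ($l in $leases) {
    $ip = $l.IPAddress.ToString()
    if ($existing.ContainsKey($ip)) { $skipped++; continue }
    # Fall back to the MAC when the lease carries no hostname.
    $name = if ($l.HostName) { $l.HostName } else { $l.ClientId }
    if ($Commit) {
        Add-DhcpServerv4Reservation -ComputerName $NewServer -ScopeId $ScopeId `
            -IPAddress $ip -ClientId $l.ClientId -Name $name `
            -Description "Migrated from $OldServer on $(Get-Date -Format s)"
    } else {
        Write-Host "[dry run] would reserve $ip for $($l.ClientId) ($name)"
    }
    $created++
}
Write-Host "Reservations: $created created (or planned), $skipped already present on $NewServer."

# 4. Cross-check before cutting over: every lease in the export should now have
#    a matching reservation on the new server.
if ($Commit) {
    $after = Get-DhcpServerv4Reservation -ComputerName $NewServer -ScopeId $ScopeId
    $missing = $leases | Where-Object { $_.IPAddress.ToString() -notin $after.IPAddress.ToString() }
    if ($missing) { Write-Warning "$($missing.Count) lease(s) have no reservation:"; $missing | Format-Table IPAddress, ClientId }
    else { Write-Host "All exported leases are reserved on $NewServer." }
}
```

Run it once without `-Commit` and read the dry-run list against the CSV it wrote; then run with `-Commit` during the downtime window before the old server is stopped. Because the new server is deliberately only given reservations here, the old scope's dynamic range can be shrunk or left inactive until the old server is switched off, which is what keeps the two servers from offering the same address during the overlap.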
 

Author Comment

by:rbonds
ID: 41761557
Thank you Coralon, and I'm going to discuss these options with my local tech guys at my remote location. And yes, the company is a 24/7 operation... That's why I've been scratching my head with this whole situation. I'm going to also talk to the General Manager to see if there is some kind of window of downtime they can provide and for how long. Thanks again, and I'll let you know how the conversation goes before I implement one of the methods mentioned above.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 41793190
Building a new forest just because you can't authorize a DHCP server?
This does not sound like a professional / logical solution.
The issue can be fixed by troubleshooting Active Directory, and an AD consultant can be hired for that.
You can even build the DHCP server on a workgroup machine for that matter.
1
 

Author Comment

by:rbonds
ID: 41798084
I am working with an AD specialist on this matter... There is no time to build a new forest currently and during production; my company is 24/7 with next to zero downtime, even on the weekends. We are also looking into virtualizing that problematic DHCP server, being that its main problem is a physical one, so if we can image the DHCP server and virtualize it, that can be a solution and buy us time to resolve the issues with replication from the root server to the child servers.

Thank you all
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 41799406
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Coralon (https:#a41761399)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0
