DNS issue in child domain


I have a test setup which includes the following:

1 DC server 2012 in Parent domain - running DNS and DHCP - network
1 DC server 2012 in Child domain - running DNS and a separate DHCP scope

Parent domain is parent_test.local
Child domain is child_test.local

Clients on the child domain show the correct DNS suffix of child_test.local in IPCONFIG - however, if I hover over the network connection, or look in network and sharing centre, I see the connection listed as parent_test.local

Additionally, when I do a repadmin /syncall, I'm getting the error 'Replication error 8453 Replication access was denied', although if I go into AD Sites and Services and choose replicate from or to this DC, it doesn't give me any errors

Are the two related?


Jason Murphy Asked:

You're seeing the info where in ipconfig?  Primary DNS suffix, or connection-specific DNS suffix?  If I recall correctly, the suffix for the connection is what you see in the GUI.

When running your repadmin command, are you at an elevated command prompt?
Jason Murphy Author Commented:

I see Primary and connection specific is correct for the child domain

I realised that I didn't have my subnets in AD Sites and Services - I also had both Parent and Child DC in the same default site - so I added a new site and added my subnets to their respective sites (and added my parent and child DC's to their correct sites also)

I ran nltest /DSGETDC: on one of the clients on my child domain and I see now it is getting authenticated by the correct DC which I realised wasn't happening before

I now have "the security database on the server does not have a computer account for this workstation trust relationship" on one of my clients when I realised it was on the wrong domain and put in a workgroup and added it to the child domain

I noticed in the computer object attributes that DNS was missing which I've added but that hasn't fixed the security database issue, so things have moved away from my initial query!

Jason Murphy Author Commented:
Actually I think this is expected behaviour - I just checked our Production environment and hopped onto our USA (child) domain VC to check some clients over there and I see the same - primary DNS is of the child domain, I see the client is authenticated to the DC in the child domain, yet the connection in network and sharing centre says it's the parent domain

The only issue I now have to resolve is the security database trust relationship error with one of my child domain clients


You are getting access denied when you are logged on to the child DC and replicating from the child domain to the parent domain, because child domain admins don't have authority to replicate changes to the parent domain; that authority goes to the parent domain.
If you log on to a parent domain DC with parent domain admins, you should get all replication success.
In the case of a parent-child domain relationship, it always shows the root domain name only in network properties.
The trust relationship error is not a very big issue in your case, and simply rejoining the machine to the domain would solve the issue.

Jason Murphy Author Commented:


I've tried rejoining machine to domain which hasn't worked

I deleted computer object in AD in both parent and child domain to see if that made a difference but I'm still not able to log in from my domain admin account to the client, still receiving the workstation trust error

Interestingly I also get the error 'Changing the Primary Domain DNS name of this computer to "" failed.' when adding the client to the child domain and have gone through the steps listed here with no change - although if I cancel the error message the client has actually joined the domain - https://support.microsoft.com/en-gb/help/2018583/windows-7-or-windows-server-2008-r2-domain-join-displays-error-changin

Make sure you don't alter the advanced DNS properties in the TCP/IP settings of the client network from the default to a DNS suffix search list in order, where the client is unable to locate a DC if set wrongly.
The behaviour you experienced has been there since Windows 7, but eventually the client joins.
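
The client-side checks discussed in this thread (joined domain, primary DNS suffix, DNS suffix search list, which DC the client locates, and the workstation trust), gathered into one script as an added example that is not part of any participant's post. It assumes an elevated Windows PowerShell 3.0 or later session on the affected client; `$ExpectedDomain` is the child domain named in the question.

```powershell
# Added example: run elevated on the affected client (Windows PowerShell 3.0+).
# $ExpectedDomain is an assumption: the child domain named in the question.
$ExpectedDomain = 'child_test.local'

# Domain the machine is joined to, and the DNS suffix settings the thread discusses.
$cs    = Get-CimInstance -ClassName Win32_ComputerSystem
$tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# DC returned by the locator for the expected domain (same check as nltest /DSGETDC:).
$locator = & nltest.exe "/dsgetdc:$ExpectedDomain" 2>&1
$dcLine  = $locator | Where-Object { "$_" -match '^\s*DC:\s*\\\\\S+' } | Select-Object -First 1
$dcName  = if ("$dcLine" -match '\\\\(\S+)') { $Matches[1] } else { $null }

# Secure channel (workstation trust) state; $false or an exception means it is broken.
$channelError = $null
try   { $channelOk = Test-ComputerSecureChannel -ErrorAction Stop }
catch { $channelOk = $false; $channelError = $_.Exception.Message }

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    PartOfDomain       = $cs.PartOfDomain
    JoinedDomain       = $cs.Domain
    PrimaryDnsSuffix   = $tcpip.Domain       # suffix currently in effect
    PendingDnsSuffix   = $tcpip.'NV Domain'  # suffix applied at next reboot
    SuffixSearchList   = $tcpip.SearchList   # empty means the default behaviour
    LocatedDC          = $dcName
    SecureChannelValid = $channelOk
    SecureChannelError = $channelError
} | Format-List

# Flag anything that disagrees with the expected child domain.
$findings = @()
if ($cs.Domain -ne $ExpectedDomain) {
    $findings += "Joined to '$($cs.Domain)', expected '$ExpectedDomain'."
}
if ($tcpip.Domain -ne $ExpectedDomain) {
    $findings += "Primary DNS suffix is '$($tcpip.Domain)', expected '$ExpectedDomain'."
}
if ($tcpip.SearchList) {
    $findings += "A custom DNS suffix search list is set: $($tcpip.SearchList)"
}
if (-not $dcName) {
    $findings += "No DC could be located for $ExpectedDomain."
} elseif ($dcName -notlike "*.$ExpectedDomain") {
    $findings += "Located DC '$dcName' is not in $ExpectedDomain."
}
if (-not $channelOk) { $findings += "Secure channel to the domain is broken. $channelError" }
if ($findings) { $findings } else { 'No mismatches found.' }
```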
Jason Murphy Author Commented:
Will continue to troubleshoot the client/domain issue, but the main question regarding DNS in the child domain is answered.