Created a child domain and dns and now issue?

Hi

All knowing ones, please spend a little time to check out my issue, I am grateful for your efforts

This is the scenario, I have been playing with my home LAN in prep for MCSE exams and have hit a little snag, I HAD two DC's both with AD integrated DNS and everything was working perfectly

So I decided I would like to play with creating a child domain and DNS instead of having the 2 DC's run the domain. Both DC's were GC's as well; I made sure all FSMO roles were being held by DC1 then DCPROMO'd out DC2 - all good so far

DCPROMO'd DC2 again and this time made it a child in the existing domain, delegated from parent DNS to child and forwarded back to parent

AD domain.......mydomain.local..........child domain.......sub.mydomain.local

Everything seems to work with name resolution, internet access, NSLOOKUP etc. The only issue I have is that when I run DCDIAG or is it NETDIAG on the child DC it reports a problem when running the FSMOcheck - can't remember exactly what the error is - will post when I get home from work, but it's along the lines of it can't find the roleholder(s)

Yet in replmon when checking the FSMO roles they are all owned by server01(DC1) as they were before the demotion and promotion of DC2 which can be pinged by name and resolves to correct IP

my main questions are

1. what's going on (with this issue not just in general!!!)
2. is it a problem, what impact will it have?
3. why did it happen, what did I do wrong?
4. How do I fix it

Again I must thank anyone who spent the time reading this and can offer any insight, like I said I will post the exact snippet of the diag tools when I get home but any ideas for now?

Best regards

Simon
As per my previous post here are the netdiag and dcdiag results - the error bits anyway. If anyone can help it is greatly appreciated as I am out of my depth here!!

Just to clarify, 10.0.0.2 is the original DC, 10.0.0.3 was its replication partner which I demoted and recreated as a child DC sub.mydomain.local

Now I get these errors

DCDIAG

DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '10.0.0.3' and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '10.0.0.2'. Please wait for 30 minutes for DNS server replication.


NETDIAG

Running enterprise tests on : mydomain.local
Starting test: Intersite
......................... mydomain.local passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
......................... mydomain.local failed test FsmoCheck

This is a netdom query fsmo from the child DC

C:\PROGRA~1\SUPPOR~1>netdom query fsmo
Schema owner server01.mydomain.local

Domain role owner server01.mydomain.local

PDC role server02.sub.mydomain.local

RID pool manager server02.sub.mydomain.local

Infrastructure owner server02.sub.mydomain.local

The command completed successfully.

This is the same from the parent DC

C:\Program Files\Support Tools>netdom query fsmo
Schema owner server01.mydomain.local

Domain role owner server01.mydomain.local

PDC role server01.mydomain.local

RID pool manager server01.mydomain.local

Infrastructure owner server01.mydomain.local

The command completed successfully.

regards

S
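The two netdom outputs above differ because netdom query fsmo reports the forest-wide roles (schema and domain naming master, held once per forest) together with the three per-domain roles of whichever domain the machine is joined to, and every domain in a forest has its own PDC emulator, RID master and infrastructure master. The script below is an added example, not from the thread or from Microsoft; it lists every role holder in the forest and checks that each one resolves in DNS and answers a ping, which is the first thing to verify when FsmoCheck reports a holder as unreachable. It assumes the RSAT ActiveDirectory and DnsClient modules; the server names and the 10.0.0.2 address are the thread's own examples.

```powershell
# Added example (not from the thread): list FSMO role holders per domain and check
# that each holder resolves in DNS and is reachable. Assumes the RSAT
# ActiveDirectory and DnsClient modules; names/addresses are the thread's examples.
Import-Module ActiveDirectory

function Get-ForestFsmoReport {
    param([string]$DnsServer = '10.0.0.2')   # constructed: the parent DC/DNS from the thread

    $forest = Get-ADForest
    $rows = @()
    # Forest-wide roles live in exactly one place, whichever domain you query from
    $rows += [pscustomobject]@{ Domain = $forest.RootDomain; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    $rows += [pscustomobject]@{ Domain = $forest.RootDomain; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }

    # Per-domain roles: every domain in the forest has its own three
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $rows += [pscustomobject]@{ Domain = $name; Role = $role; Holder = $d.$role }
        }
    }

    # Resolve each holder against the chosen DNS server and ping it; a holder
    # that does not resolve here is what makes DcGetDcName fail with 1355
    foreach ($r in $rows) {
        $resolved = $null
        try {
            $resolved = (Resolve-DnsName -Name $r.Holder -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop |
                         Where-Object QueryType -eq 'A' | Select-Object -First 1).IPAddress
        } catch { }
        $r | Add-Member -NotePropertyName Address   -NotePropertyValue $resolved
        $r | Add-Member -NotePropertyName Reachable -NotePropertyValue (
            [bool]$resolved -and (Test-Connection -ComputerName $resolved -Count 1 -Quiet))
    }
    $rows
}

Get-ForestFsmoReport | Format-Table -AutoSize
```

Run it from a DC in either domain; the Domain column makes clear which roles are per-domain. Rerun it with -DnsServer 10.0.0.3 to compare what the child DNS server can resolve against what the parent can.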
pscyime said:
As per my previous post here are the netdiag and dcdiag results - the
error bits anyway. If anyone can help it is greatly appreciated as I am
out of my depth here!!


DCDIAG

DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '10.0.0.3' and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '10.0.0.2'. Please wait for 30 minutes for DNS server replication.


NETDIAG

Running enterprise tests on : mydomain.local
Starting test: Intersite
........................ mydomain.local passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
........................ mydomain.local failed test FsmoCheck

Is the Windows Time Service running on all DCs?
Error Messages Occur When Active Directory Users and Computers Snap-in Is
Opened
http://support.microsoft.com/default.aspx?scid=kb;en-us;272686
 
Hi Kevin

Yep time service running on both, anyway more to the saga...

When logged into the root domain (mydomain.local) or the child domain (sub.mydomain.local) and I run dcdiag from the child DC I get this DNS issue

DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '10.0.0.3' and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC cannot be verified right now on DNS server 10.0.0.2, ERROR_TIMEOUT.

When I run this same test on the parent DC I don't get the error? Now I have set up a forwarder from child to parent and can access the internet etc no probs

The FSMO issue seems to have disappeared?? but I am not complaining!!

Just as an aside, should both child and parent domains be listed in the "log on to" dialogue on both DC's after you hit C-A-D?

The DNS client and server service are both running too so why is the request to the DC1 DNS server timing out?


your time is appreciated


regards

S
pscyime said:
Hi Kevin

Yep time service running on both, anyway more to the saga...

When logged into the root domain (mydomain.local) and I run dcdiag
from the child DC I get this DNS issue

DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '10.0.0.3' and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC cannot be verified right now on DNS server 10.0.0.2, ERROR_TIMEOUT.

Does the 10.0.0.2 DNS have the zone?
When I run this same test on the parent DC I don't get the error? Now I
have set up a forwarder from child to parent and can access the internet
etc no probs

In addition to forwarding from the child to the parent, you should check the
box "Do not use recursion" on the Forwarders tab of the child DNS.
just as an aside should both child and parent domains be listed in the
"log on to" dialogue on both DC's after you hit C-A-D?

Yes, All trusted domains should appear in the logon dialog.
 
Hi Kevin

Thx for your time,

Yes the 10.0.0.2 does hold the zone (which I have delegated to 10.0.0.3), however I have not selected "do not use recursion" on the child zone so will give that a try. Also can you confirm for me what should appear in a delegated zone - is it just the NS record for the child DNS server, because I am unable to add any other records to that zone (like an A record for instance; when right clicking on the zone it doesn't give the "new" option for records). I assume because the zone doesn't exist on the parent DNS and is on the child

Parent DNS 10.0.0.2 holds mydomain.local; under this there is a zone called "sub" for sub.mydomain.local which is delegated to the child DNS 10.0.0.3. This zone on the parent holds only an NS record for server02.sub.mydomain.local

The child DNS server holds sub.mydomain.local which has as far as I can see all the right records (should its SOA point to server02.sub.mydomain.local OR to the parent zone ie server01.mydomain.local?). There are A records and NS records in the child DNS server

Regards

S
pscyime said:
Hi Kev

Yes the 10.0.0.2 does hold the zone, however I have not selected "do
not use recursion" on the child zone so will give that a try. Also
can you confirm for me what should appear in a delegated zone - is it
just the NS record for the child DNS server, because I am unable to
add any other records to that zone (like an A record for instance; when
right clicking on the zone it doesn't give the "new" option for
records). I assume because the zone doesn't exist on the parent DNS
and is on the child

All that is supposed to be in a delegated sub domain is the NS record for
the DNS server that has the full zone.
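The layout Kevin describes (parent zone carries only NS records for the delegated child; child server is authoritative for the full zone) can be checked from any machine that can reach both DNS servers. The script below is an added example, not part of the thread; it queries the parent for the delegation, the child for its SOA and NS set, and confirms that every delegated NS name resolves from the parent (the glue the parent DC needs, since a missing glue record is one way a dcdiag DNS test against the parent ends in a timeout). It assumes the DnsClient module (Resolve-DnsName); the zone name and the 10.0.0.2/10.0.0.3 addresses are the thread's examples. The forwarder comment at the end assumes the DnsServer module on the child and that the 2003-era "Do not use recursion" checkbox corresponds to UseRootHint being false on current servers.

```powershell
# Added example (not from the thread): verify a parent -> child DNS delegation.
# Assumes the DnsClient module; zone name and addresses are the thread's examples.
function Test-ChildZoneDelegation {
    param(
        [string]$ChildZone = 'sub.mydomain.local',   # constructed from the thread
        [string]$ParentDns = '10.0.0.2',             # parent DC / DNS (server01)
        [string]$ChildDns  = '10.0.0.3'              # child DC / DNS (server02)
    )
    $result = [ordered]@{}

    # 1. The parent must answer an NS query for the child zone with the delegation:
    #    NS records naming the child's DNS server(s). Nothing else belongs there.
    $parentNs = Resolve-DnsName -Name $ChildZone -Type NS -Server $ParentDns -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object QueryType -eq 'NS'
    $result.ParentDelegatesTo = @($parentNs.NameHost)

    # 2. The child must be authoritative: its SOA names a server inside the child
    #    zone (server02.sub...), and its NS set matches the parent's delegation.
    $soa = Resolve-DnsName -Name $ChildZone -Type SOA -Server $ChildDns -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object QueryType -eq 'SOA'
    $childNs = Resolve-DnsName -Name $ChildZone -Type NS -Server $ChildDns -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object QueryType -eq 'NS'
    $result.ChildSoaPrimary = $soa.PrimaryServer
    $result.ChildNs         = @($childNs.NameHost)

    # 3. Glue: each delegated NS name must resolve from the parent, otherwise
    #    resolvers that ask the parent first cannot follow the delegation.
    $result.GlueMissing = @($result.ParentDelegatesTo | Where-Object {
        -not (Resolve-DnsName -Name $_ -Type A -Server $ParentDns -DnsOnly -ErrorAction SilentlyContinue)
    })

    # Compare-Object rejects an empty reference set on older PowerShell, so the
    # count checks come first; -and short-circuits.
    $result.DelegationConsistent =
        ($result.ParentDelegatesTo.Count -gt 0) -and
        ($result.ChildNs.Count -gt 0) -and
        (-not (Compare-Object $result.ParentDelegatesTo $result.ChildNs)) -and
        ($result.ChildNs -contains $result.ChildSoaPrimary) -and
        ($result.GlueMissing.Count -eq 0)
    [pscustomobject]$result
}

Test-ChildZoneDelegation | Format-List

# Forwarder check on the child (needs the DnsServer module there). Assumption:
# the old "Do not use recursion" box maps to UseRootHint = $false today.
# Get-DnsServerForwarder -ComputerName 10.0.0.3 | Select-Object IPAddress, UseRootHint
```

DelegationConsistent is true only when the parent delegates, the child's NS set matches it, the child's SOA primary is one of those servers, and every delegated name has glue at the parent; each intermediate value is in the output so the failing step is visible.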
 
Hi Kevin

Just to let you know netdiag appears to now work after disabling recursion on the child server. The only issue I have is that user accounts created in the parent AD domain which are domain admin AND enterprise admin cannot log on in the child domain?? - says incorrect username/password - if I explicitly create the user in the child AD domain it works, but should an enterprise or domain admin be able to log on anywhere in the domain/forest?

I have checked AD replication and it appears to be OK - in replmon there are no replication errors

Any ideas?

Again your assistance and time in this matter are greatly appreciated, and it is good to know only the NS record should appear in the delegated sub domain on the parent as that is what I have :-)

Apologies for any confusion over the X post too

regards

S
pscyime said:
Hi Kevin

Just to let you know netdiag appears to now work after disabling
recursion on the child server,
Did you disable recursion on the advanced tab or do not use recursion on the
forwarders tab?

the only issue I have is that user
accounts created in the parent AD domain which are domain admin AND
enterprise admin cannot log on in the child domain?? - says incorrect
username/password - if I explicitly create the user in the child AD
domain it works, but should an enterprise or domain admin be able to
log on anywhere in the domain/forest?

Can you clarify, "Cannot logon in the child domain"?
Are you saying you cannot logon to computers joined to the child domain?
Or are you trying to authenticate these accounts to the child domain?
Try using (e-mail address removed) you should be able to authenticate with the
parent domain on a member of a child domain, if the child DNS can resolve
the parent domain.

If you used disabled recursion on the advanced tab it would explain this, if
the child's members are using only the child DNS.
 
Hi Kevin

I used the do not use recursion on the forwarders tab, so the child can forward to parent

The issue about me not being able to log in to the child domain was a misunderstanding on my part about authentication and AD - I have that straight now! thanks Mike and Paul

I have another issue now! - all the DNS issues are gone, AD is replicating OK - no errors in parent DC eventlog However....

On the child I have this issue, it is the only error in the system log and the DNS, directory service, application logs are all fine

https://www.pcreview.co.uk/forums/showthread.php?p=5646937#post5646937

and too have tried.....

http://support.microsoft.com/?id=321044

and too couldn't find the duplicated SPN :-)....but am willing to admit I am not too sure on the syntax - the error is

----------------------------------------------------------------------------------------------------------------------------
Event ID 11. Source KDC

There are multiple accounts with name cifs/SERVER02 of type DS_SERVICE_PRINCIPAL_NAME.

----------------------------------------------------------------------------------------------------------------------------

Now I am assuming this is because there is a reference to the old "peer server" I demoted and promoted again (as the child domain), but I can't find it to remove it

there are several things which are not clear to me !!

1. that article references "DC=YourDomain,DC=com" I have also tried DC=sub,DC=mydomain,DC=local for a subdomain ......clutching at straws..i know

2. the command "type serviceprincipalname=HOST/mycomputer.mydomain.com" isn't clear to me as to what I should be typing........it may be clear in the morning....lol. Anyway I am gonna keep looking, I tried ADSIedit, can't find it with that either! but all the KB article says is

Quote...

ADSIEdit
In most cases, the computers have unique names, for example: machine1 and machine2.

The SPN that is reported as duplicate may be HOST/machine1.mydomain.com. With ADSIEdit, you can edit the SPN list on machine2 to delete the duplicate SPN (HOST/machine1.mydomain.com), add the correct SPN (HOST/machine2.mydomain.com), and then allow it to replicate to your other domain controllers.

Not sure where to look from that :-)

Anyway, thanks for any insight - its all a learning curve.....lol

Best regards

Simon
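The KB article's ldifde search does a single-SPN lookup against the global catalog; the scripts below are an added example, not from the thread or from Microsoft, that do the same job with the ActiveDirectory module so the syntax question above does not arise. Find-SpnOwners queries the GC (port 3268) for every object, in any domain of the forest, that carries the SPN named in the Event ID 11 text; because the KDC treats HOST/ as covering cifs/, the search includes the HOST/ form as well, so a stale computer object in the parent domain and the new DC object in the child both show up if both hold HOST/SERVER02. Find-DuplicateSpns is a broader forest-wide sweep for any SPN held by more than one object. Assumptions: the RSAT ActiveDirectory module, server01.mydomain.local as the GC, and DC=mydomain,DC=local as the forest root (all from the thread); nothing here deletes anything, it only reports, which is what you want before editing an SPN list in ADSIEdit.

```powershell
# Added example (not from the thread): locate duplicate SPNs forest-wide via the
# global catalog. Assumes the RSAT ActiveDirectory module; names are the thread's.
Import-Module ActiveDirectory

function Find-SpnOwners {
    param(
        [string[]]$Spns         = @('cifs/SERVER02', 'HOST/SERVER02'), # from the Event ID 11 text; HOST/ covers cifs/
        [string]$GlobalCatalog = 'server01.mydomain.local:3268',       # forest-root DC, :3268 = GC port
        [string]$ForestRoot    = 'DC=mydomain,DC=local'                # child domain sits under this NC in the GC
    )
    # Escape LDAP filter metacharacters (RFC 4515) and OR the SPNs together
    $clauses = foreach ($s in $Spns) {
        $e = $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        "(servicePrincipalName=$e)"
    }
    $filter = '(|' + ($clauses -join '') + ')'

    Get-ADObject -Server $GlobalCatalog -SearchBase $ForestRoot -SearchScope Subtree `
        -LDAPFilter $filter -Properties servicePrincipalName, whenChanged |
      Select-Object DistinguishedName, ObjectClass, whenChanged,
        @{ n = 'MatchingSpns'; e = { $_.servicePrincipalName | Where-Object { $Spns -contains $_ } } }
}

function Find-DuplicateSpns {
    # Broader sweep: every SPN in the forest that is held by more than one object.
    param(
        [string]$GlobalCatalog = 'server01.mydomain.local:3268',
        [string]$ForestRoot    = 'DC=mydomain,DC=local'
    )
    $seen = @{}
    Get-ADObject -Server $GlobalCatalog -SearchBase $ForestRoot -SearchScope Subtree `
        -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
      ForEach-Object {
        foreach ($spn in $_.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()          # SPN matching is case-insensitive
            if (-not $seen.ContainsKey($key)) { $seen[$key] = @() }
            $seen[$key] += $_.DistinguishedName
        }
      }
    $seen.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } |
      ForEach-Object { [pscustomobject]@{ Spn = $_.Key; Owners = $_.Value } }
}

Find-SpnOwners     | Format-List
Find-DuplicateSpns | Format-Table -AutoSize
```

Two owners for the same SPN is exactly the condition the KDC logs as Event ID 11; the DistinguishedName and whenChanged columns tell you which object is the leftover from the earlier demotion, and that is the entry whose servicePrincipalName list the KB article has you edit.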