Issue with new Child Domain

    Question

  • We have created a new child domain under the same forest.

    E.g.: Root domain = Costoso.com, Child domain = child.local

    Exchange and SharePoint are getting weird authentication errors when using AD users from the new domain.

    For example, adding a child.local user to a Site Collection ACL was successful, but we got an authentication error as follows:

    No Authority could be contacted for authentication

    Looks like the DC in the parent domain does not have authority to authenticate users from the child domain.

    Any idea?

    

    Tuesday, April 03, 2012 6:43 PM

Answers

  • MoMo,

    Let me start off with that AD Sites are not relevant to DNS infrastructure design. AD Sites control two things: DC to DC replication traffic, and authentication/logon requests. One thing I can tell you about your VPN configuration between locations is that there must not be any firewall blocks, or that will exacerbate the problems.

    .

    DNS Delegations:

    Delegations are configured only from a parent zone to a sub or child zone, not the other way around. A delegation says, hey, if you want to resolve a child domain under MY zone called 'child1' please go to such and such DNS server.

    That's why you can't delegate from the child to a parent.

    If you do have a parent-child delegation, then by all means you MUST create either a Conditional Forwarder or a General Forwarder from the child to the parent. This way the child can resolve parent data.

    Note - Parent-child DNS delegations can ONLY be used if the zone is not replicated forest wide. But at this point, I still don't know what your zone replication scopes are to provide a specific recommendation.

    .

    DNS Forest Design Options:

    DNS design is paramount for the complete forest infrastructure to be able to resolve everything in a forest, or you may experience major issues, especially if DCs can't resolve other DC partners (such as bridgeheads between Sites), so that is why I offered my blog on your design options.

    Parent-Child DNS Delegation is one option, but you can't use that if your zones are being replicated forest wide.

    .

    That was why I asked those questions in the bulleted list to ascertain exactly what you have before making a concrete recommendation whether to configure a delegation or not.

    At this point, if you create a delegation with any of the domain zones forestwide, you are introducing trouble.

    From the looks of it, it appears you may not have taken a few moments to read the DNS Forest Design Options blog. It fully explains everything. Please read it to understand the differences and whether delegation is appropriate based on your current design.

    .

    Sharepoint:

    The problems you are seeing with Sharepoint are because it can't find a DC to authenticate. And how does it find a DC, you may ask? It finds it by querying DNS. If the DNS design is misconfigured, then nothing in AD will work correctly.

    Sharepoint in your case is only a symptom of a larger problem. If the design is not configured properly, then more things will go wrong, and depending on how long this has been going on, such as if it's been longer than the AD Tombstone value, then you may have DCs that have not communicated with other DCs, resulting in orphaned DCs, lingering objects, journal wraps, and more, which is much more serious than Sharepoint not authenticating.

    To understand what I'm talking about in this respect, please read the following, if you have a few minutes.

    Active Directory Lingering Objects, Journal Wraps, USN Rollbacks, Tombstone Lifetime, and Event IDs 13568, 13508, 1388, 1988, 2042, 2023, 2095, 1113, 1115, 2103, and more...
    http://msmvps.com/blogs/acefekay/archive/2011/12/27/active-directory-lingering-objects-journal-wraps-tombstone-lifetime-and-event-ids-13568-13508-1388-1988-2042-2023.aspx 

    .

    Please read the DNS Design Options link for your options to better understand what's involved.

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by MoMo79 Wednesday, April 04, 2012 11:12 PM
    Wednesday, April 04, 2012 6:25 PM
  • MoMo,

    Here's the DNS design link:

    DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
    http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx

    .

    With an additional "TREE" (not child domain), you will not see it show up as a subfolder. That's because a TREE is actually a separate, contiguous namespace that's different than the forest root, yet is still in the same AD forest sharing the Schema, Global Catalog, etc.

    .

    Moving forward, to better assist you with specifics for your exact scenario and eliminate any assumptions, guesswork, and ambiguity, please post the following to allow us to understand exactly what you have:

    1. Unedited ipconfig /all from one of your DCs in the forest root domain.
    2. Unedited ipconfig /all from one of your DCs in the "child" or additional "tree" domain.
    3. Unedited ipconfig /all from any other domains that you may have other than those requested in #1 or #2.
    4. Event log errors on any of the DCs.
    5. Are any of the DCs multihomed? (Multihomed means it has more than one unteamed NIC, more than one IP, RRAS installed, or an iSCSI interface installed)

    .

    Thank you!

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.



    • Edited by Ace Fekay [MCT]MVP Saturday, April 14, 2012 2:43 PM
    • Marked as answer by MoMo79 Monday, April 16, 2012 6:37 PM
    Saturday, April 14, 2012 2:37 PM
  • Follow these articles -

    Create a zone delegation
    http://technet.microsoft.com/en-us/library/cc785881%28v=ws.10%29.aspx

    How to Configure Conditional Forwarders in Windows Server 2008
    https://msmvps.com/blogs/ad/archive/2008/09/05/how-to-configure-conditional-forwarders-in-windows-server-2008.aspx


     Sachin Gadhave


    Wednesday, April 04, 2012 6:37 PM
  • In addition, I'm going to assume that your domain zones, the parent domain and the child domain, are replicated to "All Domain Controllers in the Domain" (meaning domain wide). This constitutes creating a delegation. If you're confused on how to create the parent-child delegation, here are some step-by-steps with videos:

    Step by Step to create a Parent-Child DNS Delegation:

    1. Open DNS on one of the DCs in the forest root domain.
    2. Expand your domain.com zone.
    3. Right-click the domain name, choose New Delegation.
    4. Type in the child domain name, such as "child1" and not the FQDN (such as child1.domain.com).
    5. You will notice the bottom part of the window will now show the FQDN based on the child name you typed.
    6. Click Next.
    7. Now type in two of the DNS servers' IP addresses for the Nameservers of the child domain.
    8. Click through until done.
    9. Make sure the child domain DCs and all machines in the child domain are only using the DC/DNS servers in that child domain and no other domains.

    Video tutorial to create a Parent-Child Delegation:
    http://www.youtube.com/watch?v=CoIQ8agsTpk

    How to create a zone delegation in a Windows 2008 DNS server:
    http://www.youtube.com/watch?v=CoIQ8agsTpk

    .

    Now create a Conditional Forwarder on the child domain DNS to the Forest Root domain's DNS servers.

    Windows 2008: Create a Conditional Forwarder video:
    http://www.youtube.com/watch?v=BVxqpuB9y7o

    Windows 2003: Create Conditional Forwarder video (scroll up to timeline 3:00,
    where he shows how to create a conditional forwarder)
    http://www.youtube.com/watch?v=w2a-0RPfKx4

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, April 04, 2012 7:23 PM
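The same parent-child delegation and child-to-parent conditional forwarder, done from PowerShell instead of the DNS console. This is an added example, not code from the thread or its author; it needs the DnsServer module (Windows Server 2012 or later, which the Windows 2008 steps above predate), and the zone name, host names and IP addresses are assumed placeholders.

```powershell
# Added example (not from the thread): delegation on the forest root DNS,
# conditional forwarder on the child DNS, then a resolution check each way.
# Zone names, host names and addresses below are assumed placeholders.
Import-Module DnsServer

$rootZone    = 'contoso.com'      # forest root zone (assumed)
$childLabel  = 'child'            # delegation takes the label only, never child.contoso.com
$childDnsSrv = @(                 # child domain DC/DNS servers (assumed)
    @{ Host = 'dc1.child.contoso.com'; IP = '10.30.0.10' },
    @{ Host = 'dc2.child.contoso.com'; IP = '10.30.0.11' }
)
$rootDnsSrv  = @('10.10.0.10', '10.10.0.11')   # forest root DC/DNS servers (assumed)

# ---- Part 1: run on a DC/DNS server in the forest root domain ----------------
function New-ChildDelegation {
    # Guard taken from the thread: a delegation is only valid when the root zone
    # is NOT replicated forest-wide.
    $zone = Get-DnsServerZone -Name $rootZone
    if ($zone.ReplicationScope -eq 'Forest') {
        throw "Zone $rootZone is forest-wide; do not create a delegation."
    }
    if (Get-DnsServerZoneDelegation -Name $rootZone -ChildZoneName $childLabel -ErrorAction SilentlyContinue) {
        Write-Warning "Delegation for '$childLabel' already exists in $rootZone; nothing created."
        return
    }
    # The first name server creates the delegation (NS record plus glue A record).
    $first = $childDnsSrv[0]
    Add-DnsServerZoneDelegation -Name $rootZone -ChildZoneName $childLabel `
        -NameServer $first.Host -IPAddress $first.IP
    # Each further name server gets its own NS record and glue A record under the
    # delegated node (the console wizard's "two DNS servers" step).
    foreach ($ns in ($childDnsSrv | Select-Object -Skip 1)) {
        Add-DnsServerResourceRecord -ZoneName $rootZone -Name $childLabel -NS -NameServer $ns.Host
        $glueName = '{0}.{1}' -f ($ns.Host -split '\.')[0], $childLabel   # e.g. dc2.child
        Add-DnsServerResourceRecordA -ZoneName $rootZone -Name $glueName -IPv4Address $ns.IP
    }
}

# ---- Part 2: run on a DC/DNS server in the child domain ----------------------
function New-RootConditionalForwarder {
    # A forwarder cannot coexist with a zone of the same name on this server.
    if (Get-DnsServerZone -Name $rootZone -ErrorAction SilentlyContinue) {
        Write-Warning "A zone named $rootZone already exists here; not creating a forwarder."
        return
    }
    # Stored in AD (domain scope) so every child DC/DNS server gets the same forwarder.
    Add-DnsServerConditionalForwarderZone -Name $rootZone -MasterServers $rootDnsSrv -ReplicationScope 'Domain'
}

# ---- Verification: can be run from any machine with the DnsClient module ------
function Test-CrossDomainResolution {
    # Root side: the delegation should let the root DNS answer for child hosts.
    $a = Resolve-DnsName -Name $childDnsSrv[0].Host -Type A -Server $rootDnsSrv[0] -ErrorAction SilentlyContinue
    # Child side: the DC-locator SRV records of the root domain must resolve; this
    # is the lookup SharePoint/Exchange depend on to find a DC to authenticate against.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$rootZone" -Type SRV -Server $childDnsSrv[0].IP -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RootResolvesChildHost  = [bool]$a
        ChildResolvesRootDcSrv = [bool]$srv
    }
}

# Usage: New-ChildDelegation on a root DC, New-RootConditionalForwarder on a child DC,
# then Test-CrossDomainResolution; both fields should be True.
```

Run the two `New-` functions on the respective servers with DNS admin rights; `Test-CrossDomainResolution` returning `False` for the SRV lookup is the DNS-side signature of the "No Authority could be contacted" symptom in the question.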

All replies

  • I presume users in the child domain are able to log in.

    By default, when you create a child domain in a forest, an automatic two-way transitive trust will be created, so there is no extra configuration required.

    Can you please let me know where your Exchange and SharePoint servers are located? (Is it in the child domain or in the parent domain?)

    How about users in child domain? Are they able to access exchange server?

    Refer to the discussions below, which might be helpful.

    http://social.technet.microsoft.com/Forums/zh/exchangesvrgeneral/thread/f1e8ac7b-98b3-445e-9bbf-836ceebce380

    http://planetmoss.blogspot.in/2008/07/authority-could-be-contacted-for.html

    http://social.technet.microsoft.com/Forums/en-US/sharepointadmin/thread/30804abf-dc43-4448-8e14-97c7de5bc923/

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, April 04, 2012 3:26 AM
  • How did you configure DNS for hostname resolution from parent to child and vice versa? This must be a DNS look-up failure.

    I suggest you create a conditional forwarder from parent to child and a DNS delegation for child to parent name resolution to make this work correctly.

    HTH


     Sachin Gadhave


    Wednesday, April 04, 2012 4:19 AM
  • I agree with Sachin about it being a DNS resolution issue.

    • What zone replication scope is the forest root domain in?
    • What zone replication scope is the _msdcs.forestroot.com zone in?
    • What zone replication scope is the child domain in?

    If the forest root and _msdcs zones are forest wide, then that wouldn't require a forwarder from the child (conditional or general) to the parent.

    If the forest root and _msdcs zones are domain wide, which means the child is domain wide too, then you would need a forwarder (conditional or general) to the parent.

    .

    For specifics, please read the following:

    DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
    http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx 

    .

    Note: I've seen some instances, when the zones were incorrectly set, where duplicate zones occur, which can cause or contribute to what you're seeing. You might want to take a peek at your AD database:

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, April 04, 2012 4:43 AM
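The three replication-scope questions above, plus the duplicate-zone check from the linked ADSI Edit post, as a script. This is an added example and not code from the thread; it assumes the DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later) and uses placeholder domain and server names. The recommendation text encodes the rule exactly as this reply states it.

```powershell
# Added example (not from the thread): report the replication scope of the
# root, _msdcs and child zones, state which design option the thread's rule
# selects, and flag duplicate or conflicting AD-integrated zone objects.
# Domain and server names are assumed placeholders.
Import-Module DnsServer
Import-Module ActiveDirectory

$rootDomain  = 'contoso.com'         # assumed forest root
$childDomain = 'child.contoso.com'   # assumed child domain
$dnsServer   = 'dc1.contoso.com'     # assumed root DC/DNS server to query

function Get-ZoneScopeReport {
    param([string]$Root = $rootDomain, [string]$Child = $childDomain, [string]$Server = $dnsServer)
    foreach ($name in @($Root, "_msdcs.$Root", $Child)) {
        $z = Get-DnsServerZone -ComputerName $Server -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Zone             = $name
            Present          = [bool]$z                                      # a domain-wide child zone is absent on a root DC
            ZoneType         = if ($z) { $z.ZoneType } else { 'n/a' }        # Primary / Secondary / Stub / Forwarder
            AdIntegrated     = if ($z) { $z.IsDsIntegrated } else { $false }
            ReplicationScope = if ($z) { $z.ReplicationScope } else { 'n/a' } # Forest / Domain / Legacy / Custom
        }
    }
}

function Get-DesignRecommendation {
    # The rule as stated in the thread: forest-wide root and _msdcs zones need
    # neither delegation nor forwarder; domain-wide zones need both.
    param($Report)
    $root  = $Report | Where-Object Zone -eq $rootDomain
    $msdcs = $Report | Where-Object Zone -eq "_msdcs.$rootDomain"
    if ($root.ReplicationScope -eq 'Forest' -and $msdcs.ReplicationScope -eq 'Forest') {
        'Forest-wide: no parent-child delegation and no child-to-parent forwarder are needed.'
    } elseif ($root.ReplicationScope -eq 'Domain') {
        'Domain-wide: create a parent-child delegation in the root zone and a conditional (or general) forwarder from the child to the parent.'
    } else {
        'Mixed or unknown scopes: confirm replication scopes before creating any delegation.'
    }
}

function Get-ConflictingDnsZoneObjects {
    # Lists dnsZone objects in every partition that can hold AD-integrated zones
    # and returns any zone name that appears more than once (duplicate zones) or
    # that carries the "CNF:" marker AD gives replication-conflict objects.
    param([string]$Domain = $rootDomain, [string]$Server = $dnsServer)
    $dn    = 'DC=' + (($Domain -split '\.') -join ',DC=')
    $bases = @("DC=ForestDnsZones,$dn", "DC=DomainDnsZones,$dn", "CN=MicrosoftDNS,CN=System,$dn")
    $objs  = foreach ($base in $bases) {
        Get-ADObject -Server $Server -SearchBase $base -LDAPFilter '(objectClass=dnsZone)' -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Zone';      e = { ($_.Name -split 'CNF:')[0].TrimEnd() } },
                          @{ n = 'Conflict';  e = { $_.Name -match 'CNF:' } },
                          @{ n = 'Partition'; e = { $base } }
    }
    $objs | Group-Object Zone |
        Where-Object { $_.Count -gt 1 -or ($_.Group | Where-Object Conflict) } |
        ForEach-Object { $_.Group }
}

# Usage (run on a forest root DC with DNS and AD admin rights):
$report = Get-ZoneScopeReport
$report | Format-Table -AutoSize
Get-DesignRecommendation -Report $report
Get-ConflictingDnsZoneObjects | Format-Table -AutoSize   # empty output means no duplicates found
```

An empty result from `Get-ConflictingDnsZoneObjects` is the expected healthy state; any zone listed in two partitions (for example once under ForestDnsZones and once under DomainDnsZones) is the duplicate-zone condition the linked post describes, and should be cleaned up before changing replication scopes.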
  • Hi ,

    You are correct. Users from the child domain are able to connect. And we also think there is no extra configuration needed for the child domain within the same forest.

    In general, we have 3 sites. The first 2 sites (site1, site2) are under the same root domain but different subnets. The child domain is located under another site (Site 3) and we established a VPN tunnel between the child DCs and the parent DCs (Site 1 only).

    SharePoint servers are all located at Site 2. There is also another SharePoint site in Site 3.

    nslookup for the Site 2 SharePoint URL gives a "Non-authoritative answer". So, I assume it can be fixed by taking Sachin's recommendation....do a delegation wizard of zones from Child to Parent. But I don't understand how it prevents child domain users from authenticating.....

    Test Authentication

    Root domain users were added to Site 3 SharePoint ACL and able to authenticate without issue.

    Child domain users were added to the Site 2 SharePoint ACL but are getting an error:

    Accessing the SharePoint site using child domain credentials from Site 3 or Site 1 gets "No Authority could be contacted for Authentication"

    Wednesday, April 04, 2012 5:59 PM
  • We created a Secondary Zone on 1 Parent DC and it seems no replication has been set up yet between DCs.

    It was previously set up by another SA. I wonder if I still need to do the DNS delegation for the Child zone to Parent.
    Wednesday, April 04, 2012 6:24 PM
  • We created a Secondary Zone on 1 Parent DC and it seems no replication has been set up yet between DCs.

    It was previously set up by another SA. I wonder if I still need to do the DNS delegation for the Child zone to Parent.

    I wouldn't create any secondaries on a DC, especially if the zone is AD integrated, because it will automatically delete it.

    Please read my blog for specifics.


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, April 04, 2012 6:26 PM
  • Thanks Ace.

    It seems like there was no delegation done from either side. Only a Secondary zone of the Child zone was set up at the root domain, and only on 1 single DC...

    Replication Scope: Our parent domain was set to replicate to all existing DNS server within the forest, AD integrated.

    For the child domain, all its DCs are set to AD integrated but only replicated to DCs within the domain. No wonder our SharePoint server at the child domain is able to authenticate parent domain users but not the other way around....

    In order to fix all the issues, I believe I have to do the following:

    1) Delete the Secondary zone of the child at parent DNS server

    2) Enable replication to all DNS servers in the forest for Child domain

    3) Create a conditional forwarder at Child Domain for resolving Parent zones.

    I believe I don't need to do Parent-Child delegation....and it should be able to resolve "Parent -> Child" or "Child -> Parent".

    Does it make sense to you?

    Wednesday, April 04, 2012 8:56 PM
  • If I choose to use Forest Wide Replication, I assume there is no need to add Conditional Forwarder from both end, correct ?

    If yes, I assume any DC in the forest should be able to resolve the Child domain and Root domain without issues. In this case, there is no need to open up ports between Site 2 (DC under the same root domain but different subnet, where the SharePoint server is located) and Site 3 (Child Domain), right?

    (At this point, we only have ports open between Site 1 and 2.)

    Cheers,

    Mo

    Wednesday, April 04, 2012 11:11 PM
  • Ahh, so the parent root zone is forest-wide? Cool.


    .

    In order to fix all the issues, I believe I have to do the following:

    1) Delete the Secondary zone of the child at parent DNS server

    1): Yes, delete the Secondary zone. No need for it. It will cause problems.

    .


    2) Enable replication to all DNS servers in the forest for Child domain

    2): NOOOO, DO NOT enable replication of the child domain to the forest. You will cause problems if you do that, namely it may create duplicate zones, which is another blog you have to read on how to use ADSI Edit to fix it! :-) Because the parent root zone is forest wide, the child zone shows up as a folder under the parent root zone. And since everything's forest wide, it will show up automatically, without anything else you have to do to get it to show up. That's the beauty of forest wide replication! 

    .


    3) Create a conditional forwarder at Child Domain for resolving Parent zones.

    3): NOOO, there's no need for a forwarder!!! Forest wide, remember? :-)   If you did create a delegation, remove it, please.

    Also definitely delete the Secondary zone.

    .


    I believe I don't need to do Parent-Child delegation....and it should able to resolve "Parent -> Child" or "Child -> Parent

    Does it sound make sense to you?

    Yes, it makes total sense. Actually choosing forest wide is the easiest way to design it, as long as you want Centralized Administration and control.

    .

    Let's also do the following to straighten it out and get replication kicked off:

    1. As mentioned above, delete the Secondary zone.
    2. Remove any delegations if you've created any.
    3. Make sure the forest root DCs are only using themselves as DNS. If you have more than two DCs (assuming), point DC1 to DC2 as first, and vice versa.
    4. Point the child domain DCs' NIC DNS addresses to only the DCs in the forest root domain for this procedure.
    5. On the child DCs, run an ipconfig /registerdns, then restart the Netlogon service.
    6. Let it sit this way for at least one day.
    7. Looking at the DNS console of a child DNS server, you should now see the whole forest zone data show up under the forest root domain zone.
    8. The next day, change the child DCs to use themselves for DNS.
    9. On the Forest root domain machines (all of them), create a

    .

    Firewall Ports:

    The following quote is from your other post:


     

    If I choose to use Forest Wide Replication, I assume there is no need to add Conditional Forwarder from both end, correct ?

    If yes, I assume any DC in the forest should be able to resolve the Child domain and Root domain without issues. In this case, there is no need to open up ports between Site 2 (DC under the same root domain but different subnet, where the SharePoint server is located) and Site 3 (Child Domain), right?

    (At this point, we only have ports open between Site 1 and 2.)

    Cheers,
    Mo
     

    As for ports, they must still be WIDE open. I don't suggest picking and choosing ports with AD. I have a blog on ports, but I won't post it. It pretty much says that just about every port, TCP 1-65535 & UDP 1-65535, needs to be opened.

    .

    AD Site Design vs Physical WAN Connectivity:

    The two should be designed in direct relation to each other, or expect AD replication problems. Based on your above post, I'm not sure how you have it designed.

    And this is not related to how DNS data is stored, but it is related to AD replication of all AD data, including AD integrated zone data. The way this is designed will affect more than just zone data.

    Therefore, depending on your AD Site logical design and physical WAN network connectivity, you may need to make adjustments in your AD Site design.

    For example, if you have 3 Sites, 1, 2 & 3, and 1 is headquarters, and 2 and 3 are satellite offices, and 2 & 3 do not have physical communications, you must disable an AD feature called AutoSiteLinkBridging, otherwise DCs in 1 will try to partner with DCs in 2, and vice versa, but there is no physical connectivity, therefore the replication attempt will fail. This will also cause a DC to not replicate beyond the AD Tombstone time limit.

    I can post more info on this, if you need it.

    .

    Any DCs past the replication tombstone?

    I have a feeling at this point that may have already actually occurred. And if it has, you have two choices:
    •Reanimate the DC, or
    •Force-demote it and run a metadata cleanup to remove its old reference from the AD database, then repromote the DC. If there are apps or services on it, they will definitely complicate the matter.

    Let's hope this is not the case. To find out, let's first look at your Event logs, next section. But what would really help is additional information; you haven't posted any config or other data, therefore this is speculation and conjecture at this time.

    .

    Event log errors?

    Also, check all Event log errors including the Windows Logs - the App & System logs, and under Application and Services Logs, if applicable - the AD Web services, DFS Replication, Directory Services, DNS Server & File Replication Server logs.

    .

    AD Tombstone Value:

    Run the following and let us know what your AD Tombstone time is. It will be either 60 days or 180 days, depending on which operating system version the very first DC in the forest was installed with:

    Dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Domain,DC=com" -attr tombstoneLifetime

    If it's 60 days, go ahead and change it to 180:

    Use ADSI Edit to find and change it:
    Double-click Configuration
    CN=Configuration
    ForestRootDomainName
    Services
    Windows NT
    Right-click CN=Directory Service, and then click Properties
    In the Attribute column, click tombstoneLifetime.
    Note the value in the Value column. If the value is <not set>, the default value is 60 days.
    Change it to 180 days
    Close ADSI Edit
    Allow replication to occur.

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, April 05, 2012 12:30 AM
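The tombstone check from this reply, carried through in PowerShell: read tombstoneLifetime (treating "not set" as 60 days, as the reply says), raise it to 180, and then list replication partners whose last successful replication is older than that lifetime, which is the "DCs past the tombstone" condition the reply warns about. This is an added example, not code from the thread or its author; it assumes the ActiveDirectory module with the Get-ADReplication* cmdlets (Windows Server 2012 or later) and forest-wide read access, and Set-TombstoneLifetimeDays assumes Enterprise Admin rights.

```powershell
# Added example (not from the thread): tombstoneLifetime read/set and a check
# for replication partners that have not replicated successfully within it.
# Requires the ActiveDirectory module (Windows Server 2012 or later).
Import-Module ActiveDirectory

function Get-DirectoryServiceObject {
    # Same object the reply's dsquery command targets, located via the RootDSE
    # so no domain name has to be typed.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
}

function Get-TombstoneLifetimeDays {
    $ds = Get-DirectoryServiceObject
    # Per the reply: <not set> means the 60-day default is in effect.
    if ($null -eq $ds.tombstoneLifetime) { 60 } else { [int]$ds.tombstoneLifetime }
}

function Set-TombstoneLifetimeDays {
    # Writes the Configuration partition; needs Enterprise Admin rights (assumption
    # stated in the lead-in). The new value replicates to every DC in the forest.
    param([int]$Days = 180)
    $ds = Get-DirectoryServiceObject
    Set-ADObject -Identity $ds.DistinguishedName -Replace @{ tombstoneLifetime = $Days }
}

function Get-StaleReplicationPartners {
    # Returns every inbound replication link, for every DC in every domain of the
    # forest, whose last success is older than the tombstone lifetime (or that
    # has never succeeded). Anything returned is a candidate for the reply's
    # "reanimate or force-demote and metadata-cleanup" decision.
    param([int]$TombstoneDays = (Get-TombstoneLifetimeDays))
    $cutoff = (Get-Date).AddDays(-$TombstoneDays)
    $dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
    foreach ($dc in $dcs) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue |
            Where-Object { -not $_.LastReplicationSuccess -or $_.LastReplicationSuccess -lt $cutoff } |
            Select-Object Server, Partner, Partition, LastReplicationSuccess,
                          LastReplicationResult, ConsecutiveReplicationFailures
    }
}

# Usage (run on a DC or a machine with RSAT, as an enterprise admin):
$tsl = Get-TombstoneLifetimeDays
"tombstoneLifetime in effect: $tsl days"
if ($tsl -lt 180) { Set-TombstoneLifetimeDays -Days 180 }      # the reply's recommendation
Get-StaleReplicationPartners -TombstoneDays $tsl | Format-Table -AutoSize   # empty output = no DC past the tombstone
```

Run the staleness check with the lifetime that was in effect before you raise it: a link that has already been silent longer than the old value is the case the reply describes, and raising the number afterwards does not make that partner current again.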
  • Hi Ace,

    Trying to digest what we have discussed, I have the following questions:

    1) We turned on Forest wide replication for the Parent root domain after the child domain was created. In this case, will the child zone be able to replicate to all available DNS servers in the forest successfully?

    2) Regarding AD Sites with no physical connectivity:

    Before the 3rd site (the Child domain) was implemented, we had 2 Sites connected via a VPN tunnel and replication between 1 and 2 seemed to work fine.

    Now the 3rd site in place, we only have tunnel between 3rd and 1st but no direct link between 2nd and 3rd.

    Can we rely on replication between 1 and 2 to replicate zones from 3 over to 2? If not, I assume another tunnel has to be in place between 2 and 3.

    Regards,

    Moses

    

    Wednesday, April 11, 2012 6:47 PM
  • Moses,

    1.  There will be NO NEED FOR CHILD DOMAIN ZONES on the child DC/DNS servers. This is because the child zone will show up as a FOLDER under the parent root zone. The child zones currently on the child domain DC DNS servers MUST BE DELETED, or it will cause a duplicate zone scenario.

    .

    2.  You would have to disable AutoSiteLinkBridging. Otherwise, the KCC will try to partner up DCs whether they can communicate or not, which is not a desired feature in your case.

    For AD Site Link Bridging info: Creating a Site Link Bridge Design
    http://technet.microsoft.com/en-us/library/cc753638(WS.10).aspx

    How to optimize Active Directory replication in a large network
    Mar 2, 2007 – "Automatic site-link bridging is enabled for both the IP and Simple Mail Transport Protocol (SMTP) inter-site transports by default."
    http://support.microsoft.com/kb/244368

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Wednesday, April 11, 2012 7:04 PM
  • Hi Ace,

    Thanks for the solution you had provided. You are absolutely correct.

    The event log shows a DC under the parent root domain was trying to establish a connection to other sites automatically where no VPN tunnel exists. I have disabled the "Bridge all site links" box under Inter-site Transports and cleaned up invalid site link objects.

    AD tombstone value: the query did not come up with anything. I tried it via ADSI Edit. The current value = "not set".
    How is this value related to my replication issue?

    After applying the steps we had discussed, I found the following:

    I did the steps you had recommended. From the remote site where the child domain resides, DNS Manager shows all forest-wide zones being replicated successfully. I also force-started a site replication between the DCs from both sides. Unfortunately, I cannot see the child zone showing up in the parent site's DNS Manager.

    Like you said, if I have the _msdcs.forestroot.com and forestroot.com zones set to forest-wide replication, and the child zone was created at the remote site DC and is currently set to domain-wide replication only... the child zone should also show up under the parent site's DNS Manager. I wonder if I missed anything....


    1 Deleted the 2nd copy of the child zone previously created on the forest root domain site DCs
    2 Deleted the parent-child delegation (if any)
    3 Deleted the conditional forwarder from the remote site DCs [child domain]
    4 Updated the DNS settings on the child domain DC's NICs to point to the forest root domain's DCs
    5 Disabled "Bridge all site links" and cleaned up invalid connection objects [under NTDS Settings for each site]
    6 Forced replication to start

    Thanks again,
    Saturday, April 14, 2012 12:04 AM
    AD tombstone value: the query did not come up with anything. I tried it via ADSI Edit. The current value = "not set".
    How is this value related to my replication issue?

    No, if it's "Not Set" that means the setting is 60 days. That means the original very first domain was created with a copy of Windows 2000 to Windows 2003 RTM.

    If the original installation was Windows 2003 SP1 or newer, it would have been 180 days. You can actually change it in ADSI Edit to 180 days, which is recommended.

    I was concerned that if any DCs didn't replicate beyond this value, they would have needed to be trashed or fixed. The partner DCs would show an Event ID 13568, 13508, 1388, 1988, 2042, 2023, 2095, 1113, 1115, 2103, or others (as I mentioned earlier on in this thread with my link explaining this stuff).

    .

    After applying the steps we had discussed, I found the following:

    I did the steps you had recommended. From the remote site where the child domain resides, DNS Manager shows all forest-wide zones being replicated successfully. I also force-started a site replication between the DCs from both sides. Unfortunately, I cannot see the child zone showing up in the parent site's DNS Manager.

    Like you said, if I have the _msdcs.forestroot.com and forestroot.com zones set to forest-wide replication, and the child zone was created at the remote site DC and is currently set to domain-wide replication only... the child zone should also show up under the parent site's DNS Manager. I wonder if I missed anything....

    Interesting that based on Step 4 (ensures all child domains will properly register into the forest root domain's zones), you pointed the child domain DCs to only the forest root DC/DNS servers (assuming you removed their own IP addresses out of the NIC), and you're seeing replication at the child side, but you're not seeing the child domain folders showing up under the zone at the parent DNS.

    They actually should show up, especially if you're seeing the child folders under the parent zone at the child DNS servers.

    I assume you refreshed the DNS console on the parent DNS servers, or even closed and re-opened the console?

    .

    Just to eliminate the possibility of duplicate zones that may cause what you are seeing (or rather not seeing!), please use ADSI Edit to check all partitions, the ForestDnsZones, DomainDnsZones of EACH domain (parent and all child domains), and the DomainNC partition of EACH domain (parent and all child domains):

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

    .

    Please report what you've found in ADSI Edit. Screenshots would be nice, too. Remember, you must check EACH domain!!!!!

    .

    .



    Saturday, April 14, 2012 1:25 AM
  • Hi Ace,

    After a quick review, I believe there is no Duplication happening.

    To my understanding, if the forest-wide replication really works and the child zone was created under the parent root domain successfully, I should be able to see it through the ForestDnsZones partition via ADSI Edit, correct?

    I checked the trust relationship using the AD Domains and Trusts MMC. On the parent root domain, it has a transitive two-way trust with the child domain (Tree Root type).

    Also, based on the DNS Manager console from the child domain (ABC.local), replication of the zone is set to "TO ALL DNS SERVER RUNNING on DC in this DOMAIN ABC.LOCAL". Does this still explain why the ABC.LOCAL zone does not show up on the parent root domain DNS servers? [Although the idea is to let the forest-wide replication do the job....]

    Last but not least, even if I uncheck the "Bridge all site links" option under Inter-site Transports and clean up those links between sites that have no VPN / physical connection, they are still recreated after a refresh.....

    Thanks again

    Saturday, April 14, 2012 8:00 AM
    If your CHILD domain is called abc.local, and the forest root is possibly called xyz.local, then you do not have a child domain. You have an additional TREE.

    This changes everything!! Please read my DNS Design Options blog for specifics.



    Saturday, April 14, 2012 1:14 PM
  • MoMo,

    Here's the DNS design link:

    DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
    http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx

    .

    With an additional "TREE" (not a child domain), you will not see it show up as a subfolder. That's because a TREE is actually a separate, contiguous namespace that's different from the forest root, yet is still in the same AD forest sharing the Schema, Global Catalog, etc.

    .

    Moving forward, to better assist you with specifics for your exact scenario and eliminate any assumptions, guesswork, and ambiguity, please post the following to allow us to understand exactly what you have:

    1. Unedited ipconfig /all from one of your DCs in the forest root domain.
    2. Unedited ipconfig /all from one of your DCs in the "child" or additional "tree" domain.
    3. Unedited ipconfig /all from any other domains that you may have other than those requested in #1 or #2.
    4. Event log errors on any of the DCs.
    5. Are any of the DCs multihomed? (Multihomed means if it has more than one unteamed NIC, more than one IP, RRAS installed, or iSCSI interface installed)

    .

    Thank you!

    .




    • Edited by Ace Fekay [MCT]MVP Saturday, April 14, 2012 2:43 PM
    • Marked as answer by MoMo79 Monday, April 16, 2012 6:37 PM
    Saturday, April 14, 2012 2:37 PM
  • Hi Ace,

    I believe you are right. That's a separate tree. I followed your instructions from the blog for "Centralized design with additional tree" and now replication has kicked off. I can see the zone for the additional tree being replicated to all DCs without issues. That's very good news, and thanks for your help.

    I have a few more questions and hopefully you are able to assist....

    1) AD Sites and Services. I checked Inter-site Transports > IP. I found the DEFAULTIPSITELINK. And I disabled "AutoBridgeAllSiteLinks" from the properties menu by unchecking the "Bridge all site links" box. Also, I reviewed and removed all the connection objects under each site's NTDS Settings. For some reason, after a refresh, the deleted objects came back.

    Do you have more detailed information about the impact of invalid connection objects? I would like to better understand how they will time out the replication while other connection objects are still in place.

    2) I tested SharePoint AD access using an ID from the additional tree. I created a test user in the additional tree with the same name as a test user from the parent root domain. SharePoint was able to query both from AD:

    contoso.local\mluk

    abc.local\mluk

    When I tried to submit my changes, the system responded: "No exact match was found for abc.local\mluk, abc.local\mluk : multiple match was found, please resolve"

    Looks like it mixed up the parent root domain user with the same name..... I haven't added the search suffix to all machines yet.... but I believe it is not related.

    3) I have read your blog about adding the DNS search suffix for the additional tree to all machines in the parent root domain. The procedure seems pretty straightforward. I wonder what the potential impact is if we do not set up the search suffix [I don't have it set up yet...]. Will that prevent additional tree users from authenticating to parent root resources?

    See my configuration below as requested:

    The servers are not Multihomed.

    IP Config all from Forest root domain
    Windows IP Configuration

       Host Name . . . . . . . . . . . . : DOMAIN1
       Primary Dns Suffix  . . . . . . . : contoso.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : contoso.local

    Ethernet adapter Front End:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
       Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . :
       IPv4 Address. . . . . . . . . . . : 10.15.4.39(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.15.4.254
       DHCPv6 IAID . . . . . . . . . . . :
       DHCPv6 Client DUID. . . . . . . . :
       DNS Servers . . . . . . . . . . . : 10.15.4.39
                                           10.15.4.154
                                           172.27.18.1
       NetBIOS over Tcpip. . . . . . . . : Enabled


    IP Config all from additional tree domain within the same forest
    Windows IP Configuration

       Host Name . . . . . . . . . . . . : REMOTE-DOMAIN1
       Primary Dns Suffix  . . . . . . . : abc.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : abc.local

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
       Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . :
       IPv4 Address. . . . . . . . . . . : 10.65.4.10(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.65.4.254
       DHCPv6 IAID . . . . . . . . . . . :
       DHCPv6 Client DUID. . . . . . . . :
       DNS Servers . . . . . . . . . . . : ::1
                                           10.15.4.39
                                           10.15.4.154
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Much appreciated,

    Moses

    Monday, April 16, 2012 4:28 PM
    Please disregard my 2nd question. I resolved it by doing an ipconfig /flushdns on the SharePoint server.

    Thanks again.

    Monday, April 16, 2012 6:37 PM
    Please disregard my 2nd question. I resolved it by doing an ipconfig /flushdns on the SharePoint server.

    Thanks again.

    Good to hear.

    As for suffixes, you absolutely need them so tree1 resources can resolve tree2's resources, and vice versa. This way when you enter a single name, the DNS client side resolver will "SUFFIX" the available Search Suffixes attempting to properly resolve the name to a record in either zone. Otherwise, it will only check the zone of the configured suffix and never the other. DNS is not that smart...

    .

    The ipconfigs look good, other than the missing search suffixes. Double check resolution with nslookup from each tree to the other to make sure everything's resolvable.

    Double check for any Event log errors (check all Event log errors including the Windows Logs - the App & System logs, and under Application and Services Logs, if applicable - the AD Web services, DFS Replication, Directory Services, DNS Server & File Replication Server logs).

    .



    Tuesday, April 17, 2012 1:48 AM
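    The checks Ace asks for across this thread (suffix search list and cross-tree nslookup, tombstone lifetime, "Bridge all site links", and the replication event IDs) collected into one PowerShell script. This is an added example, not from the thread or from Ace's blog; it assumes the two tree names used in the thread (contoso.local and abc.local) and a DC with the ActiveDirectory and DnsClient modules available.

    ```powershell
    # Added verification script (not part of the thread). Assumes the tree names from the
    # thread, contoso.local and abc.local, and that it runs on a domain-joined Windows
    # Server with the ActiveDirectory (RSAT) and DnsClient modules. Run it from a DC in each tree.
    Import-Module ActiveDirectory

    # Every tree in the forest. Adjust to your environment.
    $Trees = @('contoso.local', 'abc.local')

    # 1. Each tree's name must be on the suffix search list, otherwise a short name such as
    #    "dc1" is only tried under the machine's own primary suffix and never the other tree.
    $suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
    foreach ($tree in $Trees) {
        if ($suffixes -notcontains $tree) {
            Write-Warning "Suffix search list is missing $tree (current: $($suffixes -join ', '))"
        }
    }

    # 2. Cross-tree resolution. The DC locator SRV record under _msdcs is what logons and
    #    replication partners depend on; the zone apex A record confirms the zone is reachable.
    foreach ($tree in $Trees) {
        foreach ($q in @(@{Name = "_ldap._tcp.dc._msdcs.$tree"; Type = 'SRV'}, @{Name = $tree; Type = 'A'})) {
            try {
                $null = Resolve-DnsName -Name $q.Name -Type $q.Type -DnsOnly -ErrorAction Stop
                Write-Output "OK   $($q.Type) $($q.Name)"
            } catch {
                Write-Warning "FAIL $($q.Type) $($q.Name): $($_.Exception.Message)"
            }
        }
    }

    # 3. Tombstone lifetime. "Not set" means 60 days (forest created on Windows 2000 / 2003 RTM);
    #    180 days is the recommended value. DCs that miss replication for longer than this are lingering.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
    $tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
    Write-Output "tombstoneLifetime: $tsl days$(if (-not $ds.tombstoneLifetime) { ' (not set)' })"

    # 4. "Bridge all site links" on the IP transport: options bit 0x2 set means bridging is DISABLED,
    #    which is what you want when not every site has a direct tunnel to every other site.
    $ip = Get-ADObject "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
    $bridgingDisabled = (($ip.options -band 2) -eq 2)
    Write-Output "Bridge all site links: $(if ($bridgingDisabled) { 'disabled' } else { 'enabled' })"

    # 5. The replication-health event IDs listed earlier in the thread, over the last 7 days.
    #    No output here is the goal; anything listed points at a DC that is not replicating.
    $ids = 13568, 13508, 1388, 1988, 2042, 2023, 2095, 1113, 1115, 2103
    foreach ($log in 'Directory Service', 'DNS Server', 'File Replication Service', 'DFS Replication') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
    }
    ```

    Run it from a DC in each tree in turn; a FAIL on the other tree's SRV record with a correct suffix list points at zone replication or forwarding rather than the client resolver.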
  • https://www.youtube.com/watch?v=cD7MPz8CufQ&feature=youtu.be
    Thursday, July 12, 2018 6:14 AM
    Follow the link below to solve the child domain issues

    https://www.youtube.com/watch?v=cD7MPz8CufQ&feature=youtu.be

    Thursday, July 12, 2018 6:16 AM