Archived from groups: microsoft.public.win2000.active_directory
Ensure that the EA account is a member of the child domain's Domain Admins
group.
Also, please ensure that you've correctly configured the DNS client
settings - the DNS Suffix Search list.
--
Paul Williams
http://www.msresource.net
http://forums.msresource.net
"Int'l Aromatics" <IntlAromatics@discussions.microsoft.com> wrote in message
news:6D1AD0DF-2A2B-4DC6-8706-B47A0406C7F6@microsoft.com...
Hi again,
I didn't want to post anything until I gave everything time to replicate
through the weekend, & unfortunately I still have a problem: the child domain
still can't correctly authenticate with the parent.
Replication is working from child to parent with the IP link, while from parent
to child IP fails and I use SMTP. I corrected DNS and am now checking; the
forest root zone is OK, and I created delegations for the child domain. I have
AD DNS zones, replicated forest-wide, with stub zones on each for the others.
When I brought the child domain DC to the main office and corrected the
problems, it was working fine; it took 2 days to send it back and it was up
again and replicating, but I still get access denied logging on as EA on the
child domain, and on the parent DC I get event 5805 netlogon: "The session
setup from the computer [child DC] failed to authenticate. The following error
occurred: Access is denied."
I used this procedure when we had to change the DC IP address (flush DNS,
stop netlogon, start netlogon & register DNS).
So it seems I am still missing something, so any other ideas are appreciated.
"ptwilliams" wrote:
> > thank you very much Paul for this info
>
> No problem at all!! Glad to help!!
>
>
> > yes it seems I have a problem with the DNS, it seems I was checking in
> > the wrong way.
>
> You're not the first or the last to make this mistake. Don't worry about
> it...just remember the details ;-)
>
>
> > I hope you will be kind enough to help me out now, I know that the child
> > domain's DNS must have something to point to the parent domain, so how to
> > set it??
>
> From this, I assume you've not configured a delegation. I'm going to assume
> then that the DNS servers are DCs (or just member servers) in the parent
> domain, and the child domain is just a sub-domain in the DNS zone. If this
> assumption is incorrect, please correct me and I'll rejig my answer(s)
> accordingly.
>
> In this instance, the child domains won't have an issue. By default, the
> DNS client is configured to append its primary DNS suffix, and if that
> doesn't yield a result, it just appends the parent suffix. This means that
> DC01.child.domain-name.com will try and resolve DC02 like so:
>
> DC02.child.domain-name.com
> DC02.domain-name.com
>
>
> The parent domain, however, can't do this as the primary DNS suffix is just
> domain-name.com. Therefore you need to set up a DNS suffix search list. You
> do this by opening your NIC properties, selecting TCP/IP, Advanced, DNS. In
> the DNS tab you should select the "Append these DNS suffixes (in order)"
> radio button, and add the primary DNS suffix and then the child-domain DNS
> suffix, e.g. domain-name.com; child.domain-name.com.
>
> You should also verify that the child DCs are configured with the default
> settings of "Append primary and connection specific DNS suffixes" and also
> "Append parent suffixes of the primary DNS suffix".
>
> If the namespaces are not contiguous, i.e. a separate tree, then both
> namespaces have to be added to both domains' suffix search lists - just like
> the example of the child domain being added to the parent.
>
> Once you've verified this, try replicating again.
>
> You may also need to reregister DNS records. In this case, point all DCs at
> the same DNS server and restart the netlogon service. Once registration is
> complete, you can change the DNS clients to point back to whatever they were
> (as long as they're pointing to internal systems).
>
> Note. All domain members running NT 5.x are DNS clients and MUST point to
> an internal DNS server.
>
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "Int'l Aromatics" <IntlAromatics@discussions.microsoft.com> wrote in
> message
> news:46337BD5-1819-4F0C-A932-62932DB7AC2C@microsoft.com...
> thank you very much Paul for this info, yes it seems I have a problem with
> the DNS, it seems I was checking in the wrong way.
> I hope you will be kind enough to help me out now, I know that the child
> domain's DNS must have something to point to the parent domain, so how to
> set it??
>
> also here I understand SMTP has no relation with the problem I have, so it
> doesn't matter if I use IP or SMTP, all users will be able to authenticate
> and work fine.
>
> thanks again
>
> "ptwilliams" wrote:
>
> > > if I use the SMTP link will I be able to create new users and have them
> > > use resources (Exchange, ...etc) on the other domain?
> >
> > The intersite replication transport has no bearing on normal usage, e.g.
> > authentication, file access, etc. If you have a user in one domain, and you
> > wish for them to access resources in the parent domain, this isn't an
> > issue; nor is it done via SMTP. In this case it would probably be SMB over
> > IP or SMB over NetBT over IP (depending on which port responded quickest).
> >
> >
> > > I checked DNS using nslookup & it's OK, I have AD zones, while users in
> > > DC3 could easily log on to resources in Site 1 & DC1, the opposite is not
> > > true.
> >
> > What kind of tests did you run? Normal name to IP resolution doesn't cut
> > it. Try this:
> >
> > C:\>nslookup
> > >set type=srv
> > >_ldap._tcp.dc._msdcs.forest_root_domain.com
> >
> >
> > > as I said I ran dcdiag & netdiag, ..etc and all came back successfully on
> > > both DCs
> >
> > Sounds good!
> >
> >
> > > I also see all records are in place in both DNS AD zones, and DDNS is
> > > enabled using secure updates
> >
> > Looking promising...
> >
> >
> > > if it's not SMTP what could be the problem to have access to both DCs
> > > from both sites while keeping AD replication reliable?
> >
> > Err...not quite sure what you mean here. SMTP is fine for enterprise
> > replication (forest replication). If you are having problems accessing
> > resources in one domain, and name resolution *is* fine from the server
> > side, then have you enabled multiple DNS suffixes for the parent domain?
> > Remember, that by default, the parent will not try appending domain-name.com
> > and then child.domain-name.com without manual intervention.
> >
> > Also, firewalls and the like will seriously disrupt services.
> >
> >
> > > PS: I tried AD Sizer, it's nice but didn't give the data I need like what
> > > latency would be accepted, bandwidth, .....
> >
> > Ah well...you can't win 'em all ;-)
> >
> >
> > The issue that you are discussing now is a bit different to that of the
> > original post. This is why I'm focusing on DNS...
> >
> > Can you re-clarify the exact problems you are having now that I've
> > hopefully explained SMTP's role in all this?
> >
> >
> > --
> >
> > Paul Williams
> >
> > http://www.msresource.net/
> > http://forums.msresource.net/
> >
> > "Int'l Aromatics" <IntlAromatics@discussions.microsoft.com> wrote in
> > message
> > news:AD3A01B7-2FCE-4502-AA46-C14D29619056@microsoft.com...
> > it seems I am missing something here
> > if I use the SMTP link will I be able to create new users and have them use
> > resources (Exchange, ...etc) on the other domain?
> > I checked DNS using nslookup & it's OK, I have AD zones, while users in DC3
> > could easily log on to resources in Site 1 & DC1, the opposite is not true.
> >
> > as I said I ran dcdiag & netdiag, ..etc and all came back successfully on
> > both DCs
> >
> > I also see all records are in place in both DNS AD zones, and DDNS is
> > enabled using secure updates
> >
> > if it's not SMTP what could be the problem to have access to both DCs
> > from both sites while keeping AD replication reliable?
> >
> > PS: I tried AD Sizer, it's nice but didn't give the data I need like what
> > latency would be accepted, bandwidth, .....
> >
> > "ptwilliams" wrote:
> >
> > > As they're different domains, SMTP replication will replicate everything
> > > that is needed to be replicated (enterprise partitions and GC). The
> > > domains will replicate using RPC/IP themselves.
> > >
> > > I don't think lack of replication is your issue.
> > >
> > > However, if the child domains aren't authenticating, etc. then this
> > > suggests DNS problems. If you have poor lines, you should ensure that each
> > > physical site is an AD site and that there are local resources on each
> > > site, especially DNS. You will probably benefit from delegating the child
> > > domains to DNS servers in the child domains.
> > >
> > > As for minimum bandwidth, AD's pretty robust with slow links; it tends to
> > > fall over, like most networking apps, with noisy or high-latency lines.
> > > I've happily run AD over 64Kb ISDN with no issues - even pushed software,
> > > etc. There's a free tool on MS' site called AD Sizer. Have a look for
> > > this; it will indicate type of connectivity based on users, etc.
> > >
> > > Herb probably has a lot of these facts burned into his brain from his MS
> > > days...
> > >
> > > There's some serious and interesting info available on how much traffic
> > > replication, logon, etc. generates; as there is on NTDS sizes, etc.
> > >
> > > --
> > >
> > > Paul Williams
> > >
> > > http://www.msresource.net/
> > > http://forums.msresource.net/
> > >
> > > "Int'l Aromatics" <IntlAromatics@discussions.microsoft.com> wrote in
> > > message
> > > news:5A2C3996-A82C-4EE7-8A78-7EAC30FB942E@microsoft.com...
> > > hi,
> > >
> > > I used the SMTP site link when I failed to get it working using the IP
> > > site link. I understand that not everything is being replicated; that is
> > > what I was trying to find a workaround for.
> > >
> > > I created a child domain as this is a subsidiary of our company and they
> > > have everything independent from us, and also the SMTP site link is giving
> > > me no choices.
> > >
> > > "Ryan Hanisco" wrote:
> > >
> > > > And remember that SMTP does not replicate everything. Use IP if at all
> > > > possible. You get more scheduling flexibility and better error checking
> > > > this way.
> > > >
> > > > While child domains should only be used in specific circumstances, you
> > > > would really want to consider this with foreign servers. Local laws can
> > > > force monitoring and permissions that you don't want at your core.
> > > >
> > > > --
> > > > Ryan Hanisco
> > > > MCSE, MCDBA
> > > > FlagShip Integration Services
> > > >
> > > > "Int'l Aromatics" <IntlAromatics@discussions.microsoft.com> wrote in
> > > > message
> > > > news:69254B85-043F-46E4-A1AA-82791F24851B@microsoft.com...
> > > > > your help is greatly needed because I have a forest with several child
> > > > > domains; as for sites 1 & 2 they are connected with IP links & working
> > > > > fine, but sites 1 & 3 are connected with SMTP, as when I used IP
> > > > > replication failed as the network connection is not stable.
> > > > >
> > > > > now with SMTP replication is OK, but when I try logging in with the
> > > > > enterprise admin account I fail with an error stating that "Access is
> > > > > denied", thus preventing me from changing any setting that needs
> > > > > enterprise admin rights like DNS, Exchange, ....
> > > > >
> > > > > I have another site to be added soon and it will be using the same
> > > > > network connection, thus I expect the same problems, and that site is
> > > > > overseas, which makes it even harder.
> > > > >
> > > > > help is really appreciated but I hope I get some reply soon
> > > > >
> > > > > --
> > > > > Eng. M William
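The suffix-appending behaviour Paul describes in the thread (the child DC trying DC02.child.domain-name.com and then DC02.domain-name.com, the parent DC being unable to reach into the child namespace until a suffix search list is configured, and the SRV locator check in nslookup) written out as a small Python model so it can be reasoned about offline. This is an added example, not code from the thread, from Microsoft or from any tool the posters mention; the zone contents, the dc1/dc3 names and addresses, and the exact devolution rule (strip one leading label at a time, stop at two labels) are assumptions made for illustration, not a reading of the real Windows resolver source.

```python
"""Model of how the Windows 2000 DNS client qualifies a single-label name.

Constructed for illustration: zone data, host names and addresses are made up,
and the qualification rules are a simplified reading of the client defaults.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DnsClientConfig:
    """The TCP/IP > Advanced > DNS tab, reduced to the settings the thread discusses."""
    primary_suffix: str
    # "Append primary and connection specific DNS suffixes" (default radio button)
    append_primary: bool = True
    # "Append parent suffixes of the primary DNS suffix" (checkbox under it)
    append_parent_suffixes: bool = True
    # "Append these DNS suffixes (in order)": when non-empty it replaces the two above
    search_list: List[str] = field(default_factory=list)


def candidate_fqdns(name: str, cfg: DnsClientConfig) -> List[str]:
    """Return the fully qualified names the client will try, in order."""
    name = name.lower().rstrip(".")
    if "." in name:
        # Assumption for this model: dotted names are tried exactly as typed.
        return [name]
    if cfg.search_list:
        return [f"{name}.{s.lower().rstrip('.')}" for s in cfg.search_list]
    candidates: List[str] = []
    if cfg.append_primary:
        labels = cfg.primary_suffix.lower().rstrip(".").split(".")
        candidates.append(f"{name}.{'.'.join(labels)}")
        if cfg.append_parent_suffixes:
            # Devolution strips one leading label at a time but stops at a
            # two-label suffix, so "domain-name.com" never devolves to "com".
            for i in range(1, len(labels) - 1):
                candidates.append(f"{name}.{'.'.join(labels[i:])}")
    return candidates


# Constructed zone data: (owner name, record type) -> rdata.
ZONE: Dict[Tuple[str, str], str] = {
    ("dc1.domain-name.com", "A"): "10.0.0.10",         # parent DC (made up)
    ("dc3.child.domain-name.com", "A"): "10.2.0.10",   # child DC (made up)
    ("_ldap._tcp.dc._msdcs.domain-name.com", "SRV"): "0 100 389 dc1.domain-name.com",
    ("_ldap._tcp.dc._msdcs.child.domain-name.com", "SRV"): "0 100 389 dc3.child.domain-name.com",
}


def resolve(name: str, rtype: str, cfg: DnsClientConfig,
            zone: Dict[Tuple[str, str], str] = ZONE) -> Optional[Tuple[str, str]]:
    """First (fqdn, rdata) hit among the candidate names, or None if every candidate misses."""
    for fqdn in candidate_fqdns(name, cfg):
        rdata = zone.get((fqdn, rtype.upper()))
        if rdata is not None:
            return fqdn, rdata
    return None


# The three client configurations the thread talks about.
CHILD_DC = DnsClientConfig(primary_suffix="child.domain-name.com")
PARENT_DC_DEFAULT = DnsClientConfig(primary_suffix="domain-name.com")
PARENT_DC_FIXED = DnsClientConfig(
    primary_suffix="domain-name.com",
    search_list=["domain-name.com", "child.domain-name.com"],
)


if __name__ == "__main__":
    for label, cfg in [("child DC", CHILD_DC),
                       ("parent DC (defaults)", PARENT_DC_DEFAULT),
                       ("parent DC (search list)", PARENT_DC_FIXED)]:
        for short in ("dc1", "dc3"):
            print(f"{label:24} {short}: tries {candidate_fqdns(short, cfg)}"
                  f" -> {resolve(short, 'A', cfg)}")
    # The check Paul suggests in nslookup: the DC locator SRV record, not just an A record.
    print(resolve("_ldap._tcp.dc._msdcs.domain-name.com", "SRV", PARENT_DC_DEFAULT))
```

Running it shows the failure mode from the thread directly: with default settings the parent DC only ever tries dc3.domain-name.com and gets nothing, while the child DC devolves from child.domain-name.com to domain-name.com and finds dc1; adding the search list on the parent makes dc3 resolve. The last line models Paul's point that an A-record lookup "doesn't cut it": the locator SRV record under _msdcs is what the Netlogon session setup depends on, so that is the record to confirm when an "Access is denied" event 5805 appears.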