SMTP AD Site Link versus IP AD Site Link

Guest

Your help is greatly needed because I have a forest with several child
domains. Sites 1 & 2 are connected with IP links and working fine, but
sites 1 & 3 are connected with SMTP, as when I used IP, replication failed
because the network connection is not stable.

Now with SMTP, replication is OK, but when I try logging in with the
enterprise admin account I fail with an error stating "Access is denied",
thus preventing me from changing any setting that needs enterprise admin
rights, like DNS, Exchange, ....

I have another site to be added soon and it will be using the same network
connection, thus I expect the same problems, and that site is overseas,
which makes it even harder.

Help is really appreciated, but I hope I get some reply soon.
 
ptwilliams

Assuming replication is fine, add the member that is an EA to the (child)
domain's Domain Admins group.

EA only gives you so many permissions; domain admins is what gives you
rights to administer machines, etc.


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
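An added PowerShell example for the membership advice above; it is not code from the thread or from Paul. One caveat a practitioner hits straight away: Domain Admins is a global group and can only hold accounts from its own domain, so an account from the forest root cannot be put into the child's Domain Admins. The group that actually carries the rights inside the child domain is its built-in, domain-local Administrators group, which has Enterprise Admins nested in it by default. The script checks that default nesting and the account's direct membership in the child's Administrators group, and adds the account if both are missing. The domain names, the account name and the DC discovery are assumptions.

```powershell
# Added example, not code from the thread: check whether a forest Enterprise
# Admin account actually holds admin rights in the CHILD domain, and grant
# them if not. Assumptions (not from the thread): domain names, account name,
# the ActiveDirectory (RSAT) module, and that the caller is already an
# administrator in the child domain.
Import-Module ActiveDirectory

$ForestRoot  = 'domain-name.com'         # assumed forest root domain
$ChildDomain = 'child.domain-name.com'   # assumed child domain
$EaAccount   = 'eaadmin'                 # assumed sAMAccountName of the EA account

# A writable DC in each domain; group edits go to a DC of the domain that owns the group.
$rootDc  = (Get-ADDomainController -DomainName $ForestRoot  -Discover -Writable).HostName | Select-Object -First 1
$childDc = (Get-ADDomainController -DomainName $ChildDomain -Discover -Writable).HostName | Select-Object -First 1

$eaUser  = Get-ADUser  -Identity $EaAccount          -Server $rootDc
$eaGroup = Get-ADGroup -Identity 'Enterprise Admins' -Server $rootDc -Properties member

# 1. Is the account really an EA (direct member) in the forest root?
if ($eaGroup.member -notcontains $eaUser.DistinguishedName) {
    Write-Warning "$EaAccount is not a direct member of Enterprise Admins in $ForestRoot"
}

# 2. In the child domain the rights come from the built-in Administrators
#    group (domain-local). Domain Admins is a GLOBAL group and cannot hold an
#    account from another domain, so that is not where a root-domain EA goes.
$childAdmins = Get-ADGroup -Identity 'Administrators' -Server $childDc -Properties member

# Within one forest a cross-domain member is stored as the object's own DN,
# so a DN comparison on the member attribute is enough.
$eaNested = $childAdmins.member -contains $eaGroup.DistinguishedName   # default nesting
$eaDirect = $childAdmins.member -contains $eaUser.DistinguishedName    # explicit member

[pscustomobject]@{
    Account                       = $EaAccount
    EnterpriseAdminsNestedInChild = $eaNested
    DirectMemberOfChildAdmins     = $eaDirect
}

if (-not $eaNested -and -not $eaDirect) {
    # Set-ADGroup -Add with the DN is more dependable than Add-ADGroupMember
    # when the member lives in a different domain than the group.
    Set-ADGroup -Identity $childAdmins -Add @{ member = $eaUser.DistinguishedName } -Server $childDc
    "$EaAccount added to Administrators in $ChildDomain; log off and on again so the new token carries the group."
}
```

If the nesting check comes back false, the default membership has been removed at some point and restoring it is the cleaner fix than adding individual accounts; either way the account needs a fresh logon before the child-domain token reflects the change.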

 
Ryan Hanisco

And remember that SMTP does not replicate everything. Use IP if at all
possible. You get more scheduling flexibility and better error checking
this way.

While child domains should only be used in specific circumstances, you would
really want to consider this with foreign servers. Local laws can force
monitoring and permissions that you don't want at your core.
 
Guest

Thanks, I will have to bring the DC in site 3 back to site 1 to be able to do
that, as both now don't authenticate accounts for the other domain.
I was thinking of it the other way around, to have the DC3 admin a member of
the Enterprise Admins group; I will do both. Also I am testing increasing the
bandwidth to see if this helps relieve the problem. Could you give me an idea
about how to test if the network connection is suitable for AD replication
using IP site links? Any recommendation on minimum bandwidth? Our WAN ping is
(500-2000 ms). Is there any registry key that I could modify to increase the
minimum bandwidth required for AD?

nslookup, dcdiag, netdiag, nltest /dcget, ...etc. all run successfully on both
DCs.

Thanks for your reply.
 
Guest

Hi,

I used an SMTP site link when I failed to get it working using an IP site
link; I understand that not everything is being replicated, as that is what
I was trying to find a workaround for.

I created a child domain as this is a subsidiary of our company and they
have everything independent from us, and also the SMTP site link is giving
me no choices.
 
ptwilliams

As they're different domains, SMTP replication will replicate everything
that is needed to be replicated (enterprise partitions and GC). The domains
will replicate using RPC/IP themselves.

I don't think lack of replication is your issue.

However, if the child domains aren't authenticating, etc. then this suggests
DNS problems. If you have poor lines, you should ensure that each physical
site is an AD site and that there are local resources on each site, especially
DNS. You will probably benefit from delegating the child domains to DNS
servers in the child domains.

As for minimum bandwidth, AD's pretty robust with slow links; it tends to
fall over, like most networking apps, with noisy or high-latency lines.
I've happily run AD over 64Kb ISDN with no issues - even pushed software,
etc. There's a free tool on MS' site called AD Sizer. Have a look for
this; it will indicate the type of connectivity based on users, etc.

Herb probably has a lot of these facts burned into his brain from his MS
days...

There's some serious, and interesting info. available on how much traffic
replication, logon, etc. generates; as is there on NTDS sizes, etc.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

 
Guest

It seems I am missing something here.
If I use an SMTP link, will I be able to create new users and have them use
resources (Exchange, ...etc.) on the other domain?
I checked DNS using nslookup & it is OK; I have AD zones. While users in DC3
could easily log on to resources in site 1 & DC1, the opposite is not true.

As I said, I ran dcdiag & netdiag, ..etc. and all came back successfully on
both DCs.

I also see all records are in place in both DNS AD zones, and DDNS is enabled
using secure updates.

If it's not SMTP, what could be the problem in having access to both DCs
from both sites while keeping AD replication reliable?

PS: I tried AD Sizer; it's nice but didn't give the data I need, like what
latency would be accepted, bandwidth, .....
 
ptwilliams

If I use an SMTP link, will I be able to create new users and have them use
resources (Exchange, ...etc.) on the other domain?

The intersite replication transport has no bearing on normal usage, e.g.
authentication, file access, etc. If you have a user in one domain, and you
wish for them to access resources in the parent domain, this isn't an issue;
nor is it done via SMTP. In this case it would probably be SMB over IP or
SMB over NetBT over IP (depending on which port responded quickest).

I checked DNS using nslookup & it is OK; I have AD zones. While users in DC3
could easily log on to resources in site 1 & DC1, the opposite is not true.

What kind of tests did you run? Normal name to IP resolution doesn't cut
it. Try this:

C:\>nslookup
set type=srv
_ldap._tcp.dc._msdcs.forest_root_domain.com

As I said, I ran dcdiag & netdiag, ..etc. and all came back successfully on
both DCs.

Sounds good!

I also see all records are in place in both DNS AD zones, and DDNS is enabled
using secure updates.

Looking promising...

If it's not SMTP, what could be the problem in having access to both DCs
from both sites while keeping AD replication reliable?

Err...not quite sure what you mean here. SMTP is fine for enterprise
replication (forest replication). If you are having problems accessing
resources in one domain, and name resolution *is* fine from the server side,
then have you enabled multiple DNS suffixes for the parent domain?
Remember that, by default, the parent will not try appending domain-name.com
and then child.domain-name.com without manual intervention.

Also, firewalls and the like will seriously disrupt services.

PS: I tried AD Sizer; it's nice but didn't give the data I need, like what
latency would be accepted, bandwidth, .....

Ah well...you can't win 'em all ;-)


The issue that you are discussing now is a bit different to that of the
original post. This is why I'm focusing on DNS...

Can you re-clarify the exact problems you are having now that I've hopefully
explained SMTP's role in all this?


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
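Paul's nslookup check above, as an added PowerShell example that is not from the thread: it queries the DC locator SRV records for both domains plus the Global Catalog records, resolves each SRV target and probes the service port, so a DNS answer that points at a DC the other site cannot reach (the firewall case Paul mentions) shows up in the same table as a missing record. The domain names and ports are assumptions. It uses the DNS servers configured on the machine it runs on, which is the point: run it on a DC or member in each site.

```powershell
# Added example, not code from the thread: the SRV locator check, done from
# PowerShell for both domains and with a TCP probe of every target.
# Assumptions (not from the thread): the domain names and the ports listed.
$ForestRoot  = 'domain-name.com'          # assumed forest root domain
$ChildDomain = 'child.domain-name.com'    # assumed child domain

# Locator records a DC or member needs: DCs of each domain, GCs of the forest.
$queries = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$ForestRoot";      Port = 389  }
    @{ Name = "_ldap._tcp.dc._msdcs.$ChildDomain";     Port = 389  }
    @{ Name = "_ldap._tcp.gc._msdcs.$ForestRoot";      Port = 3268 }
    @{ Name = "_kerberos._tcp.dc._msdcs.$ForestRoot";  Port = 88   }
    @{ Name = "_kerberos._tcp.dc._msdcs.$ChildDomain"; Port = 88   }
)

function Test-DcLocatorRecord {
    param([string]$Name, [int]$Port)
    # -DnsOnly bypasses the hosts file and the local cache, so the result is
    # what the configured DNS servers answer right now.
    $answer = Resolve-DnsName -Name $Name -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'SRV' }
    if (-not $answer) {
        return [pscustomobject]@{ Query = $Name; Target = '<no SRV record>'; Address = ''; Port = $Port; Open = $false }
    }
    foreach ($srv in $answer) {
        # Every SRV target must itself resolve and be reachable on the service port.
        $a = Resolve-DnsName -Name $srv.NameTarget -Type A -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        $open = $false
        if ($a) {
            $open = Test-NetConnection -ComputerName $srv.NameTarget -Port $Port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
        }
        [pscustomobject]@{
            Query   = $Name
            Target  = $srv.NameTarget
            Address = ($a.IPAddress -join ', ')
            Port    = $Port
            Open    = $open
        }
    }
}

$results = foreach ($q in $queries) { Test-DcLocatorRecord @q }
$results | Format-Table -AutoSize

# Anything unresolved or closed is a DC locator or firewall problem to fix
# before looking at the replication transport.
$bad = $results | Where-Object { -not $_.Open }
if ($bad) { Write-Warning "$($bad.Count) locator target(s) unresolved or unreachable" }
```

A plain name-to-IP lookup passing while this table shows an empty `_ldap._tcp.dc._msdcs` answer for one of the domains is exactly the "normal resolution doesn't cut it" situation Paul describes; a record that resolves but whose port is closed points at the firewall rather than DNS.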

 
Guest

Thank you very much Paul for this info. Yes, it seems I have a problem with
the DNS; it seems I was checking it the wrong way.
I hope you will be kind enough to help me out now. I know that the child
domain's DNS must have something to point to the parent domain, so how do I
set it??

Also, here I understand SMTP has no relation to the problem I have, so it
doesn't matter if I use IP or SMTP; all users will be able to authenticate and
work fine.

Thanks again.
 
ptwilliams

Thank you very much Paul for this info

No problem at all!! Glad to help!!

Yes, it seems I have a problem with the DNS; it seems I was checking it the
wrong way.

You're not the first or the last to make this mistake. Don't worry about
it...just remember the details ;-)

I hope you will be kind enough to help me out now. I know that the child
domain's DNS must have something to point to the parent domain, so how do I
set it??

From this, I assume you've not configured a delegation. I'm going to assume
then that the DNS servers are DCs (or just member servers) in the parent
domain, and the child domain is just a sub-domain in the DNS zone. If this
assumption is incorrect, please correct me and I'll rejig my answer(s)
accordingly.

In this instance, the child domains won't have an issue. By default, the
DNS client is configured to append its primary DNS suffix, and if that
doesn't yield a result, it just appends the parent suffix. This means that
DC01.child.domain-name.com will try and resolve DC02 like so:

DC02.child.domain-name.com
DC02.domain-name.com


The parent domain, however, can't do this as the primary DNS suffix is just
domain-name.com. Therefore you need to set up a DNS suffix search list. You
do this by opening your NIC properties, selecting TCP/IP, Advanced, DNS. In
the DNS tab you should select the "Append these DNS suffixes (in order)"
radio button, and add the primary DNS suffix and then the child-domain DNS
suffix, e.g. domain-name.com; child.domain-name.com.

You should also verify that the child DCs are configured with the default
settings of "Append primary and connection specific DNS suffixes" and also
"Append parent suffixes of the primary DNS suffix".

If the namespaces are not contiguous, i.e. a separate tree, then both
namespaces have to be added to both domains' suffix search lists - just like
the example of the child domain being added to the parent.

Once you've verified this, try replicating again.

You may also need to reregister DNS records. In this case, point all DCs at
the same DNS server and restart the Netlogon service. Once registration is
complete, you can change the DNS clients to point back to whatever they were
(as long as they're pointing to internal systems).

Note: all domain members running NT 5.x are DNS clients and MUST point to
an internal DNS server.


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
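The settings Paul walks through in the NIC dialog, as an added PowerShell example (not from the thread) so they can be checked and applied the same way on every DC: the explicit ordered search list for parent-domain machines, the default devolution on child-domain machines, a test that a short name really picks up the child suffix, and the re-registration sequence he describes. The domain names, the DnsClient module (Windows Server 2012 or later) and the placeholder DNS server address are assumptions. Note that once an explicit search list is set, Windows uses it instead of the primary suffix plus devolution, which is why the primary suffix has to be first in the list, exactly as Paul says.

```powershell
# Added example, not code from the thread: DNS suffix search list and parent
# suffix devolution, checked and set from PowerShell. Assumptions (not from
# the thread): domain names, the DnsClient module, elevated session.
$ForestRoot  = 'domain-name.com'          # assumed forest root domain
$ChildDomain = 'child.domain-name.com'    # assumed child domain

function Show-DnsSuffixSettings {
    $g = Get-DnsClientGlobalSetting
    [pscustomobject]@{
        PrimarySuffix        = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Domain
        SuffixSearchList     = ($g.SuffixSearchList -join '; ')
        # UseDevolution is the "Append parent suffixes of the primary DNS suffix" box
        AppendParentSuffixes = $g.UseDevolution
    }
}

function Set-DnsSuffixForRole {
    param([ValidateSet('Parent', 'Child')][string]$Role)
    switch ($Role) {
        'Parent' {
            # domain-name.com cannot devolve "downwards" to the child, so an
            # explicit ordered list is needed: own suffix first, then the child's.
            Set-DnsClientGlobalSetting -SuffixSearchList @($ForestRoot, $ChildDomain)
        }
        'Child' {
            # Child DCs keep the defaults: no explicit list, primary suffix plus
            # its parent suffixes (child.domain-name.com, then domain-name.com).
            Set-DnsClientGlobalSetting -SuffixSearchList @() -UseDevolution $true
        }
    }
}

function Test-ShortNameResolution {
    param([string]$ShortName)
    # GetHostEntry goes through the OS resolver, so the suffix list is applied
    # to a single-label name; Resolve-DnsName -DnsOnly would not show that.
    try {
        $e = [System.Net.Dns]::GetHostEntry($ShortName)
        [pscustomobject]@{ Name = $ShortName; ResolvedTo = $e.HostName; Address = ($e.AddressList.IPAddressToString -join ', ') }
    } catch {
        [pscustomobject]@{ Name = $ShortName; ResolvedTo = '<unresolved>'; Address = $_.Exception.Message }
    }
}

function Reset-DcDnsRegistration {
    # $DnsServer: the one DNS server all DCs should point at while re-registering.
    param([string]$DnsServer)
    Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | ForEach-Object {
        Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses $DnsServer
    }
    # Same sequence as in the thread: flush DNS, restart Netlogon, register.
    Clear-DnsClientCache
    Restart-Service Netlogon
    Register-DnsClient
}

# Usage on a parent-domain DC: inspect, apply the parent-side list, then prove
# that the bare name DC02 now resolves as DC02.child.domain-name.com.
Show-DnsSuffixSettings
Set-DnsSuffixForRole -Role 'Parent'
Test-ShortNameResolution -ShortName 'DC02'
# Reset-DcDnsRegistration -DnsServer '<ip-of-the-common-dns-server>'   # placeholder, run on each DC
```

Run `Show-DnsSuffixSettings` on a child DC as well: if it shows a non-empty search list without the parent suffix, or `AppendParentSuffixes` false, the defaults Paul asks you to verify have been overridden, and `Set-DnsSuffixForRole -Role 'Child'` puts them back.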

 
Guest

Hi again,

I didn't want to post anything until I gave everything time to replicate
through the weekend & unfortunately I still have a problem: the child domain
still can't correctly authenticate with the parent.

Replication is working from child to parent with an IP link, while from parent
to child IP fails and I use SMTP. I corrected DNS and now checking for the
forest root zone is OK, created delegations for the child domain, have AD DNS
zones replicated forest-wide, with stub zones on each for the others.

When I brought the child domain DC to the main office and corrected the
problems, it was working fine, and it took 2 days to send it back and it was
up again and replicating, but I still get access denied logging on as EA on
the child domain, and on the parent DC I get event 5805 netlogon "The session
setup from the computer [child DC] failed to authenticate. The following error
occurred: Access is denied."

I used this procedure when we had to change the DC IP address (flush DNS,
stop netlogon, start netlogon & register DNS).

So it seems I am still missing something, so please, any other ideas are
appreciated.
 
Guest

Sorry, also forgot to say that for netdiag /fix everything was OK, but
dcdiag /fix failed on KnowsOfRoleHolders:
parent is schema owner but not responding; also parent is domain owner but
not responding to (DC RPC bind / LDAP bind).
 
ptwilliams

Ensure that the EA account is a member of the child domain - domain admins
group.

Also, please ensure that you've correctly configured the DNS client
settings - the DNS Suffix Search list.


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
