Child Domain problem

I have a problem after joining a child domain.

I have my corporate office with the main Active Directory
setup, and I have one remote location branch office. I
set up a child domain for my branch office to join the corporate
Active Directory. Everything is fine, but I have a problem:
I can see any object when I am adding a child domain
user to my corporate Active Directory's existing groups,
but I can connect to the branch office Active Directory and then
I can see users, but when I go to add any user from
my branch office I cannot see any object.

Please help me.


Brian Desmond [MVP]

Hi Tejal,

I'm not sure I understand your question. Can you tell me if I've got it

From your parent domain, you can see all the users in the child domain,
however in the child domain, you cannot see users in the parent domain?

Do you have a global catalog configured in the child domain? Why are you
using a child domain for a branch office? Save for political reasons, an OU
would be sufficient and more logical.

Brian Desmond
Windows Server MVP
(e-mail address removed)


Cary Shultz [A.D. MVP]

Howdy! Howdy!

And Tejal *might* want to consider setting up Sites within the ADSS




Thanks for the reply.

I have an Exchange server set up for my parent domain, and
my branch office does not have a WAN link good enough to
handle traffic for my branch office. Also there are a lot
more new configurations coming up with my parent domain,
like roaming profiles and DFS roots, so I need to configure
a child domain for handling users at the branch office.

I have configured the site link and all, but I don't
understand the global catalog configuration at the child
domain. I have checked that Global Catalog is selected in
the site link NTDS properties for the parent domain... for
global catalog...

Also I tested on my test machine by making a test parent
domain and a test child domain, and I noticed a difference
in the DNS configuration: in the parent DNS server the
child domain folder is grayed out and there is only one
record in it. I think that could be the problem.

I tried stopping the Netlogon service and starting it
again, but it is still the same.

If you still have a problem, please let me know.



Herb Martin

Tejal said:

I have a problem after joining a child domain.

I have my corporate office with the main Active Directory
setup, and I have one remote location branch office. I
set up a child domain for my branch office to join the corporate
Active Directory. Everything is fine, but I have a problem:
I can see any object when I am adding a child domain
user to my corporate Active Directory's existing groups,
but I can connect to the branch office Active Directory and then
I can see users, but when I go to add any user from
my branch office I cannot see any object.

As Cary says in another post, it might be related to sites.

My bet would be on your DNS setup or perhaps firewalls.

You don't say anything about "how" you are connected between
sites -- we don't need your machines or line speeds probably
but we do need to know about any restrictions or unusual
paths like FIREWALLS or VPNs used for the connection.

Is your DNS fully resolvable from the TOP DOWN, so that the
parent domain DNS delegates to the child DNS servers -- or
else holds a secondary (etc.) for the child DNS zones?

(You might also take this opportunity to ensure the child domains
can resolve all of the PARENT DNS too.)

Herb Martin


Thanks for the reply.

I have an Exchange server set up for my parent domain, and
my branch office does not have a WAN link good enough to
handle traffic for my branch office. Also there are a lot
more new configurations coming up with my parent domain,
like roaming profiles and DFS roots.

With poor WAN lines you should NOT be doing a LOT
of automatic replication across sites for DFS.

So I need to configure a child domain for handling users
at the branch office.

Not really, but you need your DNS and your GCs.

I have configured the site link and all, but I don't
understand the global catalog configuration at the child
domain. I have

No, "domains" have almost nothing to do with "GCs".

You NEED/REQUIRE one or more GCs per SITE.

Such GCs must be DCs (from some domain) but they can
be from any domain in your forest as long as they can
replicate with the other GCs -- in other sites.

checked that Global Catalog is selected in the site link
NTDS properties for the parent domain... for global catalog...

GCs are a DC setting (not a domain setting) and are FOREST WIDE.

Also I tested on my test machine by making a test parent
domain and a test child domain, and I noticed a difference
in the DNS configuration: in the parent DNS server the
child domain folder is grayed out and there is only one
record in it. I think that could be the problem.

I tried stopping the Netlogon service and starting it
again, but it is still the same.

Do you have the Parent DNS zone "delegating" to the child
zone DNS servers?



Thanks for the reply.

Yes, we have two firewalls, but these sites are connected
with a VPN and there is no restriction on that.

I think there might be a problem with DNS. I can resolve all
computers from the child domain to corporate, but I cannot
resolve from my corporate office to my child domain.

I checked the DNS on corporate and the child domain
folder is grayed out. I tried to re-delegate to the child
domain, but it is still grayed out.

Please help me.




Herb Martin

Yes, we have two firewalls, but these sites are connected
with a VPN and there is no restriction on that.

I think there might be a problem with DNS. I can resolve all
computers from the child domain to corporate, but I cannot
resolve from my corporate office to my child domain.

I checked the DNS on corporate and the child domain
folder is grayed out. I tried to re-delegate to the child
domain, but it is still grayed out.

Then you need to fix that.

But don't think the VPN gets you off the hook -- it is
extremely common for people to mess up the DNS
(or WINS) name resolution through a VPN or to mess
up the routing so that the next is not sufficiently routed.

Also note, if the SERVERS (DCs) are using the VPN then
typically the DNS must be able to do that too -- without
having Name Resolution settings overridden as would
happen with a "client" machine.

You might need to delete the delegation and re-build it,
but greyed out sounds like you were on a SECONDARY
for the parent zone -- you must be on the Primary or on
an AD DNS server for the parent zone.



Thanks for the reply.

We have a PIX-to-PIX firewall and there is no restriction
between the two...

Also, I am on the parent DNS server and giving delegation to the child,
and it is an Active Directory integrated zone. Now
I set a forwarder also for outside DNS queries.

I found the cached lookups there, and under that there is a "." root
folder. Does that affect creating the child domain
delegation?

I tried to rebuild the delegation by deleting the old delegation
and creating a new delegation, but every time it is
grayed out. Is there any way to correct this one? Please help me.



Herb Martin

Tejal said:

Thanks for the reply.

We have a PIX-to-PIX firewall and there is no restriction
between the two...

Also, I am on the parent DNS server and giving delegation to the child,
and it is an Active Directory integrated zone. Now

Don't make more than ONE AD Integrated DNS server until
you are certain that the Domain is replicating with both the
other DCs and with the forest in general.

I set a forwarder also for outside DNS queries.

How do the "child DNS servers" find the parent domain?
(A common mistake is for child DNS servers to fail to find
the parent -- forward to the Internet directly -- and thus are
unable to resolve anything internal that is not contained on
the child itself.)

I found the cached lookups there, and under that there is a "." root
folder. Does that affect creating the child domain
delegation?

That is irrelevant -- the cache is going to show whatever
has been resolved. Ace (another frequent poster) tells people
to "TURN OFF ADVANCED VIEW" but I would prefer you
understand what you are viewing.

You do NOT have a "." zone CONFIGURED on that server
if you can set a forwarder -- since the "." zone (not the one in
cache) disables using forwarders.

I tried to rebuild the delegation by deleting the old delegation
and creating a new delegation, but every time it is
grayed out. Is there any way to correct this one? Please help me.

Does it work?

Can you query the parent and get back a (known) child resolution?

nslookup -q=ns child.domain.name Parent.DNS.IP.address

Then for each child NS server listed, do this:
nslookup child.NS.hostname Parent.DNS.IP.address

Then try it for other child records...

If these work, then you have delegation working -- if not, post the
cut and pasted results (don't type it in and introduce new errors.)
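Herb's two-step check above (NS records from the parent, then each delegated server queried directly), automated as an added PowerShell example that is not from this thread; it also tests the reverse direction Herb asks about, the child's DNS locating the parent's DCs. It assumes Resolve-DnsName (Windows 8 / Server 2012 or later), and the zone names and server addresses are placeholders to replace with your own.

```powershell
# Added example (not from the thread). All four values are assumed placeholders.
$ParentZone = 'corp.example'            # placeholder parent (forest root) domain
$ChildZone  = 'branch.corp.example'     # placeholder child domain
$ParentDns  = '10.0.0.10'               # placeholder DC/DNS server in the parent domain
$ChildDns   = '10.1.0.10'               # placeholder DC/DNS server in the child domain

function Test-ChildDelegation {
    param([string]$Zone, [string]$Server)
    # 1. Ask the PARENT DNS server for the child zone's NS records. A working
    #    delegation answers with the child's DNS servers; "Non-existent" means
    #    the delegation (or its glue) is missing on this server.
    $ns = Resolve-DnsName -Name $Zone -Type NS -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
          Where-Object { $_.QueryType -eq 'NS' }
    if (-not $ns) { Write-Warning "$Server has no NS records for $Zone (no delegation)"; return $false }
    $ok = $true
    foreach ($rec in $ns) {
        # 2. Each delegated NS host must resolve through the parent (glue A record) ...
        $a = Resolve-DnsName -Name $rec.NameHost -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.QueryType -eq 'A' }
        if (-not $a) { Write-Warning "no A/glue record for $($rec.NameHost) on $Server"; $ok = $false; continue }
        # 3. ... and, asked directly, must answer authoritatively for the child zone (SOA).
        $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $a[0].IPAddress -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.QueryType -eq 'SOA' }
        if ($soa) { Write-Host "OK: $($rec.NameHost) [$($a[0].IPAddress)] is authoritative for $Zone" }
        else      { Write-Warning "$($rec.NameHost) does not answer SOA for $Zone"; $ok = $false }
    }
    return $ok
}

function Test-ParentResolution {
    param([string]$ParentZone, [string]$ChildServer)
    # Reverse direction: the child's DNS must locate the parent's DCs (via a
    # forwarder, stub or secondary zone), not just forward everything to the Internet.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ParentZone" -Type SRV -Server $ChildServer -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'SRV' }
    if (-not $srv) { Write-Warning "$ChildServer cannot locate DCs for $ParentZone"; return $false }
    $srv | ForEach-Object { Write-Host "OK: $ChildServer resolves parent DC $($_.NameTarget)" }
    return $true
}

$delegation = Test-ChildDelegation -Zone $ChildZone -Server $ParentDns
$reverse    = Test-ParentResolution -ParentZone $ParentZone -ChildServer $ChildDns
if ($delegation -and $reverse) { 'Both directions resolve' } else { 'DNS between parent and child needs fixing' }
```

Run it from a machine on the parent side; a warning at step 1 matches the "can't find type=ns" result quoted later in the thread, and a warning at step 3 points at the child DNS server rather than the delegation.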



Thanks for the reply.

The following is the result when I executed the command
in nslookup:


*** can't find type=ns: Non-existent

Server: []



Can you give a suggestion?

