Child/Parent Domain sanity Check


James Fabulous

Having some issues that I'm trying to work through:
A user from parent domain A wants to RDP to a server in child domain B.
The user from A doesn't have a user account in B - but his account is a
member of a universal group in A which is a member of a universal group by
the same name in B that is a member of the administrators group of the
target machine.

Error is: "the specified domain does not exist or could not be contacted" or
"The system cannot log you on because the domain is not available"
tried: user, password, A
(e-mail address removed), password
A\user, password
A.com\user, password
all fail. Even when we test with a domain admin from A we get the same
error.

This has previously worked, and from what I can tell via NLtest netlogon is
working properly and the domains are replicating normally. The DC for B can
see the member group from A and enumerate its users on the members tab.
Target machine is 2000 running terminal services in administration mode.
 

Steven L Umbach

This often indicates a dns problem or some sort of network connectivity
problem. What I would do is to run netdiag on both the client computer and
the server the user wants to remote into and run dcdiag /a and netdiag on
the pdc fsmo domain controller in each domain to see if any related problems
are found. You should also be able to use nslookup to resolve the fully
qualified domain name of any domain computer in the forest from any domain
computer in the forest and I would start with the domain computer trying to
access the server in the other domain. Also make sure that there are NO ISP
dns servers listed as a preferred dns server for any domain computer in the
domain. If you have delegated the child dns zone to the dns servers in the
child domain [probably domain controllers] you will need to create a
secondary dns zone for the parent domain on dns servers in the child domain
or if using Windows 2003 domain controllers you could use conditional
forwarding, stub zones, or configure dns to replicate to all dns
servers/domain controllers in the forest. The link below explains how to
configure DNS for Active Directory. Ipsec policies can also cause problems
if not configured correctly. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382
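The checks Steve lists above (no ISP DNS servers as preferred servers, FQDN resolution across the forest, DC locator working) were done by hand with nslookup, netdiag and dcdiag in the original thread. The script below is an added example, not code from the thread or from Microsoft, that repeats them in PowerShell on Windows 8 / Server 2012 or later, where Get-DnsClientServerAddress and Resolve-DnsName exist. The server addresses, domain names and host names are placeholders chosen to match the thread's "A" and "B" naming; replace them with your own.

```powershell
# Added example (not code from the thread): PowerShell re-check of the DNS points
# raised in the reply above. Run it on the computer that is trying to reach the
# server in the other domain.
# Assumptions (placeholders, replace with your own values):
$InternalDnsServers = @('10.0.0.10', '10.0.1.10')                  # your AD-integrated DNS servers
$Domains            = @('a.com', 'b.a.com')                         # parent and child domain FQDNs
$HostsToResolve     = @('dc1.a.com', 'dc1.b.a.com', 'ts1.b.a.com')  # a DC in each domain, target server

# 1. Every adapter with DNS servers set must point only at AD DNS servers ("NO ISP dns servers").
$foreign = foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($srv in $cfg.ServerAddresses) {
        if ($InternalDnsServers -notcontains $srv) {
            [pscustomobject]@{ Interface = $cfg.InterfaceAlias; DnsServer = $srv }
        }
    }
}
if ($foreign) {
    Write-Warning 'Non-AD DNS servers are configured; the locator records below may not be found:'
    $foreign | Format-Table -AutoSize
} else {
    'OK: only AD DNS servers are configured.'
}

# 2. Fully qualified names of forest members must resolve from here.
foreach ($h in $HostsToResolve) {
    try {
        $addrs = (Resolve-DnsName -Name $h -Type A -DnsOnly -ErrorAction Stop).IPAddress -join ', '
        "OK:   $h -> $addrs"
    } catch {
        "FAIL: $h -> $($_.Exception.Message)"
    }
}

# 3. The SRV locator records Netlogon uses to find a domain controller in each domain.
#    If the child domain's DNS servers cannot answer for the parent zone (no secondary
#    zone, stub zone or conditional forwarder), this is where the parent's records go missing.
foreach ($d in $Domains) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$d" -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if ($srv) { "OK:   DC locator records for $d -> $($srv.NameTarget -join ', ')" }
    else      { "FAIL: no _ldap._tcp.dc._msdcs.$d SRV records; $d cannot be located with this DNS configuration" }
}

# 4. Ask Netlogon itself to locate a DC for each domain (nltest ships with Windows).
foreach ($d in $Domains) { nltest "/dsgetdc:$d" }
```

Step 3 is the one that distinguishes "DNS works for my own domain" from "DNS works for the forest": a client in the child domain can resolve its own DCs while the parent domain's _msdcs records are unreachable, which produces exactly the "domain could not be contacted" class of error described in the question.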
 

James Fabulous

Steven,

First of all - Thank You. What you say is correct, and I had already
tested all of the points you mention below (I apologise if my query wasn't
specific enough (sometimes that scares people from replying)). DNS-correct,
WINS (I know, I know - Symantec requires it)-correct, netdiag-correct,
dcdiag /a-correct, DNS servers-correct, IPsec-correct. This was a very
exhaustive process and you may be thinking so what the heck was it? The
target server lacked 1 running service - the computer browser was set to
automatic but had been stopped manually by one of the application
administrators.

I've been working with NT/AD for a good long time and never noticed this
issue before so FYI :)


 

Steven L Umbach

Thanks for reporting back what you found out as that is helpful information.
I am a bit surprised that computer browser service being stopped could cause
such a problem and all the usual tests did not indicate that it was a
problem. My assumption was that this server was not a domain controller. I
know that users sometimes disable the tcp/ip NetBIOS helper service thinking
it will improve security but it is an essential service. My understanding
was that the computer browser service would allow a computer to be a master
browser or backup browser but if disabled the computer should still be able
to find a master browser to find computer/shares for My Network Places
though a domain controller such as a pdc fsmo wants to be the domain master
browser always and should not have that service disabled. It would have
been interesting to see if you had the same problem trying to access the
server by its IP address instead of name [again assuming it is not a domain
controller]. Anyhow I did look at the Windows 2003 Server Security Guide and
they do recommend that the computer browser service be set to automatic for
baseline server even for high security situations so it maybe has some
importance other than allowing a computer to be master browser/backup
browser. It can be difficult to determine exactly what services need to be
running on a server based on its role without referring to documentation
that is not always easy for everyone to find. When I do have a problem I do
find it useful to take a look at the services via services.msc set to start
automatically and see if any of them are not running. --- Steve
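The check Steve describes at the end of his reply (open services.msc, look for services set to start automatically that are not running) is the one that would have caught the stopped Computer Browser service in this thread. The script below is an added example, not code from the thread, that performs that check with PowerShell so it can be pointed at a remote server and repeated. It also reports the two services named in the thread by their internal service names, Browser (Computer Browser) and lmhosts (TCP/IP NetBIOS Helper). The only assumption is CIM/WMI access to the target (run locally, or over WinRM with -ComputerName).

```powershell
# Added example (not code from the thread): the services.msc check done in PowerShell.
# Lists every service with StartMode=Auto that is not running, then reports the two
# services discussed above: Browser = Computer Browser, lmhosts = TCP/IP NetBIOS Helper.
# Assumption: CIM/WMI access to the target computer (local, or WinRM for remote).
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

$services = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName

# Automatic-start services that are stopped. On a healthy server this list is usually
# empty apart from a few services that are designed to exit when they have nothing to do.
$stoppedAuto = $services |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
    Select-Object Name, DisplayName, State, StartMode, ExitCode

if ($stoppedAuto) {
    Write-Warning "$ComputerName`: services set to Automatic that are not running"
    $stoppedAuto | Format-Table -AutoSize
} else {
    "$ComputerName`: all Automatic services are running"
}

# The two services from the thread. Absent entries are reported too: on current
# Windows the Computer Browser service is only present when SMB 1.0 support is installed.
foreach ($name in 'Browser', 'lmhosts') {
    $s = $services | Where-Object Name -eq $name
    if ($s) {
        '{0,-8} {1,-28} StartMode={2,-8} State={3}' -f $s.Name, $s.DisplayName, $s.StartMode, $s.State
    } else {
        '{0,-8} not installed on {1}' -f $name, $ComputerName
    }
}
```

A service that is set to Automatic but shows State=Stopped with a non-zero ExitCode failed on its own; one with ExitCode 0, like the Computer Browser in this thread, was stopped deliberately by someone, which is why the usual DNS and replication diagnostics never flagged it.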


 
