Disconnected AD.

Guest

Well, where do I start? I have a Windows 2003 + SP1 AD. I have an empty root
(domain.net) and a child domain hanging off of it (domain.com). My problem
is this: I have a laptop which is joined to domain.com, and I log onto
the domain.net domain. When I have logged onto the .com domain, I am able to
manage the .com domain, but unable to connect to the .net domain. The error
I get is "The domain domain.net cannot be found because: The specified domain
either does not exist or could not be contacted." I am able to ping domain
controllers in either domain, and DNS is set up as AD Integrated. Using
netdom /query fsmo it resolves the roles properly. When using AD Sites and
Services I can replicate anything within the .com domain, but I receive the
following error on the .net domain: "The system detected a possible attempt
to compromise security." All GPOs seem to work.
 
Danny Sanders

Well, where do I start? I have a Windows 2003 + SP1 AD. I have an empty root
(domain.net) and a child domain hanging off of it (domain.com).

If I'm following you right, you have two trees, not a parent/child
relationship.

Parent/child would look like this: internal.mydomain.com, where mydomain.com
would be the parent and internal would be the child.

You would then set up DNS like so:
How to Create a Child domain in Active Directory and Delegate the DNS name
space to the Child domain

http://support.microsoft.com/default.aspx?scid=kb;en-us;255248



hth

DDS W 2k MVP MCSE
 
Guest

Danny, nope, we definitely have only one forest (.net), and a child domain
(.com) hanging off of it. I know what you're referring to in your response, but
our design was specific to have an "empty root" (.net) and an actual
"production" child domain (.com). Hope this sheds some light. It's been
working fine; I think somehow, somewhere, DNS has changed and I need to find it
and fix it.
 
Ace Fekay [MVP]

Etienne said:
Danny, nope, we definitely have only one forest (.net), and a child
domain (.com) hanging off of it. I know what you're referring to in
your response, but our design was specific to have an "empty root"
(.net) and an actual "production" child domain (.com). Hope this
sheds some light. It's been working fine; I think somehow, somewhere,
DNS has changed and I need to find it and fix it.

Honestly, there is no way you can have a parent domain called domain.net
with a child domain called domain.com in an AD design. Remember, AD domains
are based on the DNS hierarchy, and therefore MUST follow the DNS hierarchical
tree under a contiguous namespace.

Do you mean you have a separate tree called domain.net and the forest root
is called domain.com? In this case there is no parent/child relationship, and
it would therefore be a separate tree in the forest. In this scenario, each
tree is its own contiguous namespace.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
 
Ace Fekay [MVP]

Etienne said:
Danny, nope, we definitely have only one forest (.net), and a child
domain (.com) hanging off of it. I know what you're referring to in
your response, but our design was specific to have an "empty root"
(.net) and an actual "production" child domain (.com). Hope this
sheds some light. It's been working fine; I think somehow, somewhere,
DNS has changed and I need to find it and fix it.

Just to add, if these domains are separate trees, DNS would need info for
each namespace on the same DNS server or with the use of forwarding. Since
you mention domain.net is the root, the _msdcs.domain.net folder would have
the info for the root that domain.com MUST have a reference to.

Also, I am assuming that we all know that we cannot use an ISP's or any
other outside DNS server that does not host the AD zone namespaces or that
doesn't have some sort of reference to get to them, or numerous issues will
occur, such as what you're experiencing, to say the least. But I am of
course assuming you already know this and there are no outsiders in your
inside network.

Ace
 
Herb Martin

Etienne said:
Danny, nope, we definitely have only one forest (.net), and a child domain
(.com) hanging off of it. I know what you're referring to in your response,
but our design was specific to have an "empty root" (.net) and an actual
"production" child domain (.com). Hope this sheds some light.

Yes, it indicates you haven't fully understood (or learned) the terminology
that Danny was using (correctly):

He indicated that you have two trees, which you confirm above,
and you are claiming a parent-child domain when you do not
have that according to your description.

There are three major "design elements" in Forest design:

1) Domains
2) Trees
3) Forests

Parent and child always share the same (full) DNS base name,
or more accurately, the child must use the parent DNS name as
its suffix.

When the suffixes are different (e.g., .net/.com or .domain.com
and .example.com) you have in fact TWO TREES, but no
parent-child relationship.

Etienne said:
It's been working fine; I think somehow, somewhere, DNS has changed
and I need to find it and fix it.

In such cases, each "Tree" must be able to resolve the 'other'
tree -- there are a variety of ways when using Win2003 but
the simplest to explain is through "conditional forwarding":

Have each DNS server conditionally forward to the other
zone.

Other methods include:

1) Holding "cross secondaries" for each other
(DNS on A-servers holds secondary for B and
vice versa) This is the general method for Win2000.

2) Holding "cross stub zones" -- same idea but using stub
zones to eliminate the transferring of the entire (if large)
zone(s).

3) AD Integrated DNS using the (new to Win2003) option
to replicate to ALL-Forest-DNS-DCs (or perhaps to a
custom application partition.)

Run DCDiag on all DCs until you have eliminated all errors.

The general case (with no serious discussion of multiple trees)
follows:

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.
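The check Ace and Herb describe above, as an added example that is not code from the thread or any of its posters: run on a DC or DNS server of one tree, it tries to resolve the locator records the other tree publishes (the _msdcs records under the forest root first, since that is what domain.com must be able to reach for domain.net) through this host's configured DNS servers only, and, with -Fix, adds the conditional forwarder Herb recommends. It assumes the DnsClient and DnsServer PowerShell modules (Windows Server 2012 or later, not the Windows 2003 servers of this thread; the dnscmd equivalent is noted in a comment), and the tree names and the 10.1.0.10 address are placeholders for the example.

```powershell
# Added example; not code from the thread. Assumes the DnsClient and DnsServer
# PowerShell modules (Windows Server 2012 or later). On the Windows 2003 DNS
# servers of the thread the equivalent forwarder command is:
#   dnscmd <dnsserver> /ZoneAdd domain.net /Forwarder 10.1.0.10
# Tree names and addresses below are placeholders for the example.

param(
    [string]   $RemoteTree       = 'domain.net',    # the other tree (here the forest root)
    [string[]] $RemoteDnsServers = @('10.1.0.10'),  # constructed: DNS servers hosting that tree's zones
    [switch]   $Fix                                 # add the conditional forwarder when a lookup fails
)

# Records a DC locator in this tree must resolve to find DCs of the other tree.
# The _msdcs.<forest root> names matter most: the forest-wide locator records
# and the GUID CNAMEs that AD replication uses live there.
function Get-RequiredLocatorRecords {
    param([Parameter(Mandatory)][string] $Domain)
    @(
        @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV' }
        @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV' }
        @{ Name = "_ldap._tcp.$Domain";               Type = 'SRV' }
        @{ Name = "_kerberos._tcp.$Domain";           Type = 'SRV' }
        @{ Name = $Domain;                            Type = 'A'   }
    )
}

# Query each record through this host's configured DNS servers. -DnsOnly skips
# the local cache, hosts file and LLMNR/NetBIOS, so a stale cache entry cannot
# mask a zone that the server can no longer reach.
function Test-CrossTreeResolution {
    param([Parameter(Mandatory)][string] $Domain)
    foreach ($rec in Get-RequiredLocatorRecords -Domain $Domain) {
        try {
            $answers = Resolve-DnsName -Name $rec.Name -Type $rec.Type -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq $rec.Type }
            $targets = if ($rec.Type -eq 'SRV') { $answers.NameTarget } else { $answers.IPAddress }
            [pscustomobject]@{ Record = $rec.Name; Type = $rec.Type; Resolved = $true;  Detail = ($targets -join ', ') }
        }
        catch {
            [pscustomobject]@{ Record = $rec.Name; Type = $rec.Type; Resolved = $false; Detail = $_.Exception.Message }
        }
    }
}

# Remediation from the thread: a conditional forwarder for the other tree's zone,
# stored in AD so every DNS server in the forest receives it (ReplicationScope Forest).
function Add-CrossTreeForwarder {
    param(
        [Parameter(Mandatory)][string]   $Zone,
        [Parameter(Mandatory)][string[]] $MasterServers
    )
    if (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue) {
        Write-Host "A zone or forwarder for $Zone already exists on this server; check its master servers."
        return
    }
    Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $MasterServers -ReplicationScope 'Forest'
    Write-Host "Conditional forwarder for $Zone -> $($MasterServers -join ', ') added."
}

$report = Test-CrossTreeResolution -Domain $RemoteTree
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Resolved })
if ($missing.Count -gt 0) {
    Write-Host "$($missing.Count) locator record(s) for $RemoteTree do not resolve from this host."
    if ($Fix) { Add-CrossTreeForwarder -Zone $RemoteTree -MasterServers $RemoteDnsServers }
    else      { Write-Host "Re-run with -Fix to add a conditional forwarder, then run dcdiag on every DC." }
}
```

Run it once from the domain.com side against domain.net and once from the domain.net side against domain.com, because each tree has to resolve the other. It covers only the DNS side of the problem that the thread discusses; after the forwarder is in place, follow Herb's advice and run dcdiag on every DC until the output is free of FAIL, ERROR and WARN entries.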
 
