Forum.Brain-Cluster.com: Brain Cluster Technical Forum

child and parent domain in the same AD site [message #302362] Thu, 29 October 2009 13:15
Sawyer, United States
I am running Exchange 2007 SP2; the Exchange server is a member of
corp.mydomain.com and is located in AD siteA. The AD forest consists of a
parent domain (corp.mydomain.com) and a child or subdomain
(pqa.corp.kbb.com). AD site A encompasses both domains, meaning both pqa and
corp are in AD siteA. I am noticing that the Exchange 2007 server is looking
at a DC in the child domain, especially when it wants to build the OAB.
I am noticing from looking at the event logs that the Exchange server is
building the OAB using a DC in the child domain (pqa). This DC is a GC, but
I would rather have the Exchange server look to a DC that is in the same AD
domain as itself. How can I correct this?


Also there are no user accounts in the child domain that have mailboxes, all
mailboxes are located in the parent domain (corp)

If the user has an account in the parent domain, is it possible for a DC in
the child domain to authenticate the user? Also what happens if a server is
joined to the child domain, and both domains are in the same AD site, will
the computer look to one of the parent domain DC's for authentication?

Thanks
Re: child and parent domain in the same AD site [message #302569 is a reply to message #302362] Thu, 29 October 2009 16:10
florian, Germany
Howdie!

sawyer wrote:
> I am noticing from looking at the event logs that the Exchange server is
> building the OAB using a DC in the child domain (pqa). This DC is a GC, but
> I would rather have the exchange server look to a DC that is in the same AD
> domain as itself. How can I correct this?

Is the DC of the parent domain a GC, too? If not, making it a GC could
solve the problem - Exchange loves GCs.

> (1) If the user has an account in the parent domain, is it possible for a DC
> in the child domain to authenticate the user? (2) Also what happens if a
> server is joined to the child domain, and both domains are in the same
> AD site, will the computer look to one of the parent domain DC's for
> authentication?

I've added a (1) and (2) to separate the questions. As for (1), it
basically is possible but would involve connectivity between the
authenticating DC and the "home domain" DC the user belongs to.

The same is true for (2) but if I remember correctly, there's a
difference between what domain the machine belongs to. It also depends
on how the machine is configured with DNS -- what DNS/DC it uses for
authentication.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Re: child and parent domain in the same AD site [message #302836 is a reply to message #302362] Thu, 29 October 2009 23:34
aceman, United States
"sawyer" <occompguy@cox.net> wrote in message
news:79F20C81-384A-437D-88F1-28DAD5D2CA3C@microsoft.com...
> I am running Exchange 2007 SP2; the Exchange server is a member of
> corp.mydomain.com and is located in AD siteA. The AD forest consists of a
> parent domain (corp.mydomain.com) and a child or subdomain
> (pqa.corp.kbb.com). AD site A encompasses both domains, meaning both pqa
> and corp are in AD siteA. I am noticing that the Exchange 2007 server is
> looking at a DC in the child domain, especially when it wants to build
> the OAB.
> I am noticing from looking at the event logs that the Exchange server is
> building the OAB using a DC in the child domain (pqa). This DC is a GC,
> but I would rather have the Exchange server look to a DC that is in the
> same AD domain as itself. How can I correct this?
>
>
> Also there are no user accounts in the child domain that have mailboxes,
> all mailboxes are located in the parent domain (corp)
>
> If the user has an account in the parent domain, is it possible for a DC
> in the child domain to authenticate the user? Also what happens if a
> server is joined to the child domain, and both domains are in the same AD
> site, will the computer look to one of the parent domain DC's for
> authentication?
>
> Thanks


As Florian said, Exchange requires a GC. If under the Exchange server's
Directory Services tab, you are seeing child domain DCs, the Exchange server
is picking that up from DCs in its own site. If there are child domain DCs
in your site, change the settings in the tab to Manual by unchecking the
"Automatically Discover Servers" checkbox under each drop-down list (GCs,
DCs & Config DCs) and remove the child domain DCs and GCs from the list.

Curious, when you go into your ESM, Recipients container, Offline Address
Lists, then right-click the Default Offline Address List and choose
Properties, what Exchange server is the Offline Address List server?


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Re: child and parent domain in the same AD site [message #302841 is a reply to message #302362] Thu, 29 October 2009 23:40
aceman, United States
"sawyer" <occompguy@cox.net> wrote in message
news:79F20C81-384A-437D-88F1-28DAD5D2CA3C@microsoft.com...
>
>I am running exchange 2007 sp2, the exchange server is a member of the...

<snipped>

Sorry, after re-reading, you have Exchange 2007. I gave you the steps for Ex
2003.

When you go into your ECM, Server Config, click your servername, on the
right, click Modify Configuration Domain Controller, what DC does it show?

Ace
Re: child and parent domain in the same AD site [message #303239 is a reply to message #302841] Fri, 30 October 2009 09:59
Sawyer
In the Exchange 2007 management console it shows the DC from the parent domain,
but again the Exchange server is looking to a DC in the child domain to
build the OAB. How do I know this? The child FQDN is child.corp.mydomain.com.
The Exchange 2007 server, being a member of corp.mydomain.com, did not have a
DNS suffix for "child.corp", so when it would try and build the OAB, it would
make a call to childDC1 (notice no DNS suffix) and this call would fail, and
the OAB would not get built. After adding in the DNS suffix for the child
domain to the Exchange TCP/IP settings, the server was able to build the OAB.

Re: child and parent domain in the same AD site [message #303240 is a reply to message #302841] Fri, 30 October 2009 10:03
Sawyer
And to answer one of the questions: "YES", both DCs in the parent domain are
GCs and one has the PDC role.

Re: child and parent domain in the same AD site [message #303884 is a reply to message #303239] Sat, 31 October 2009 00:49
aceman, United States
"sawyer" <occompguy@cox.net> wrote in message
news:5DD1F0BC-3961-4D39-99DF-AAA73DEC7571@microsoft.com...
> In the Exchange 2007 management console it shows the DC from the parent
> domain, but again the Exchange server is looking to a DC in the child
> domain to build the OAB. How do I know this? The child FQDN is
> child.corp.mydomain.com. The Exchange 2007 server, being a member of
> corp.mydomain.com, did not have a DNS suffix for "child.corp", so when it
> would try and build the OAB, it would make a call to childDC1 (notice no
> DNS suffix) and this call would fail, and the OAB would not get built.
> After adding in the DNS suffix for the child domain to the Exchange
> TCP/IP settings, the server was able to build the OAB.
>

I see. Interesting. So this was dependent on resolution. I assume you are
not using WINS, or it would have found it.

Also, apparently there is a child domain DC in the same AD Site that the
Exchange server is in, otherwise if the child domain was in another Site, it
would not have chosen it.

On another note, Exchange still requires NetBIOS resolution for some
functionality.

Ace
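The short-name failure discussed in the posts above can be reproduced with a small model of how a Windows client qualifies a single-label name. This is an added example, not code from any poster; it is a simplified model, and the host addresses and the `parentdc1` record are constructed.

```python
# Constructed DNS data: the only host records in this toy forest.
RECORDS = {
    "parentdc1.corp.mydomain.com": "10.0.130.10",
    "childdc1.child.corp.mydomain.com": "10.0.134.10",
}


def devolve(primary_suffix):
    """Primary DNS suffix followed by its parents, stopping at two labels."""
    labels = primary_suffix.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def search_order(name, primary_suffix, search_list=None):
    """FQDNs tried for `name`, in order (simplified: dotted names go as-is)."""
    name = name.rstrip(".").lower()
    if "." in name:
        return [name]
    # An explicit suffix search list replaces primary-suffix devolution.
    if search_list:
        suffixes = [s.lower() for s in search_list]
    else:
        suffixes = devolve(primary_suffix)
    return [f"{name}.{s}" for s in suffixes]


def resolve(name, primary_suffix, search_list=None, records=RECORDS):
    """Return (address or None, list of FQDNs that were tried)."""
    tried = search_order(name, primary_suffix, search_list)
    for fqdn in tried:
        if fqdn in records:
            return records[fqdn], tried
    return None, tried


if __name__ == "__main__":
    # Member of corp.mydomain.com, no child suffix: devolution only walks up.
    print(resolve("childDC1", "corp.mydomain.com"))
    # After adding the child domain to the suffix search list.
    print(resolve("childDC1", "corp.mydomain.com",
                  ["corp.mydomain.com", "child.corp.mydomain.com"]))
```

Devolution only moves toward the forest root, so a member of the parent domain never tries the child domain's suffix unless it is listed explicitly or the caller uses the FQDN.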
Re: child and parent domain in the same AD site [message #305469 is a reply to message #303884] Mon, 02 November 2009 10:08
Sawyer
Yes, interesting indeed. Yes, there is no WINS in the environment, and hasn't
been for a year now, and yes, the child and parent domain are in the same AD
site. I am thinking of creating a new AD site just for this child domain,
although the child and parent domain are located in the same physical
datacenter, so I don't know how much sense this would make from a logical AD
sites perspective?

DCs in the parent domain are 10.0.130.X
DCs in the child domain are 10.0.134.X
The DCs from both domains are located in the AD site; the AD site's subnet is
10.0.0.0/16. This to me seems like the subnet encompasses too many network
IDs. Your thoughts on this?

Re: child and parent domain in the same AD site [message #305655 is a reply to message #305469] Mon, 02 November 2009 13:07
aceman, United States
"sawyer" <occompguy@cox.net> wrote in message
news:12E860F4-BDB1-4989-9F98-88267E008F0E@microsoft.com...
> Yes, interesting indeed. Yes, there is no WINS in the environment, and
> hasn't been for a year now, and yes, the child and parent domain are in the
> same AD site. I am thinking of creating a new AD site just for this child
> domain, although the child and parent domain are located in the same
> physical datacenter, so I don't know how much sense this would make from a
> logical AD sites perspective?
>
> DCs in the parent domain are 10.0.130.X
> DCs in the child domain are 10.0.134.X
> The DCs from both domains are located in the AD site; the AD site's subnet is
> 10.0.0.0/16. This to me seems like the subnet encompasses too many network
> IDs. Your thoughts on this?
>

Exactly. Actually to elaborate, it's not that they encompass too many
subnets, rather the 255.255.0.0 (or also called /16) encompasses both the
10.0.130.0 and 10.0.134.0 subnets. This means you do not need a router
between them. Simply plug them all into a switch and they can communicate.

If you want to break them up into their own subnets, go with a /24
(255.255.255.0). But then you will need a router between them, and configure
static routes from your edge firewall to be aware of the subnets.

To better address the resolution issue, I would first definitely use WINS,
especially with Exchange. Second, I would also use a parent-child DNS
delegation. But this can become a little complicated, however it may work
for you. Follow the link below with instructions on how to create a DNS
delegation. Also, don't forget to set a forwarder from the child DC DNS
server to the parent domain DNS servers, and a forwarder from the parent to
the ISP.

How To Create a Child Domain in Active Directory and Delegate the DNS
Namespace to the Child Domain:
http://support.microsoft.com/kb/255248

Ace
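To see what a separate AD site for the child domain would change, here is a sketch of site assignment by subnet object, where the most specific subnet containing an address decides the site. It is an added example, not part of the thread; the host names, last octets, the Exchange server address, the site name `SiteChild` and the /24 subnet object are constructed, and it assumes each DC's server object sits in the site its address maps to.

```python
import ipaddress

# Subnet object -> site. SITE_TODAY mirrors the thread; SITE_SPLIT adds a
# hypothetical /24 subnet object linked to a hypothetical second site.
SITE_TODAY = {"10.0.0.0/16": "siteA"}
SITE_SPLIT = {"10.0.0.0/16": "siteA", "10.0.134.0/24": "SiteChild"}

# Constructed hosts (names and last octets are made up).
DCS = {
    "parentDC1": "10.0.130.10",
    "parentDC2": "10.0.130.11",
    "childDC1": "10.0.134.10",
}
EXCHANGE_IP = "10.0.130.50"


def site_for(ip, subnets):
    """Site of the longest-prefix subnet object containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    hits = [
        (ipaddress.ip_network(cidr), site)
        for cidr, site in subnets.items()
        if addr in ipaddress.ip_network(cidr)
    ]
    if not hits:
        return None  # address not covered by any subnet object
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def same_site_dcs(client_ip, dcs, subnets):
    """DCs a site-aware client would treat as local candidates."""
    site = site_for(client_ip, subnets)
    if site is None:
        return []
    return sorted(n for n, ip in dcs.items() if site_for(ip, subnets) == site)


if __name__ == "__main__":
    print("one /16 site :", same_site_dcs(EXCHANGE_IP, DCS, SITE_TODAY))
    print("child in /24 :", same_site_dcs(EXCHANGE_IP, DCS, SITE_SPLIT))
```

The /16 subnet object can stay in place: adding the narrower /24 object is enough to move the 10.0.134.X addresses into the other site in this model.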