Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

cant log into child domain [message #303241] Fri, 30 October 2009 10:06
Sawyer
Hello all

I have a parent and child domain in the AD forest, the AD forest is at
Windows 2003 native. I am a member of the enterprise admins, domain admins
and schema admins groups. Using my account I cannot log onto one of the DCs
in the child domain when logging onto the child domain. I thought that if my
account was a member of the enterprise admins group I could use my account
and log on to a DC in the child domain under the child domain?

Thanks
Re: cant log into child domain [message #303380 is a reply to message #303241] Fri, 30 October 2009 12:10
Marcin
What's the error message you are getting when attempting to logon?

Marcin
Re: cant log into child domain [message #303527 is a reply to message #303380] Fri, 30 October 2009 14:39
Sawyer
It's a "you don't have rights to log into this machine, you must be a member
of the local admin or RDP group"
Re: cant log into child domain [message #303653 is a reply to message #303527] Fri, 30 October 2009 17:17
Marcin
Verify that the Enterprise Admins group is a member of the local Administrators
group in the child domain...

hth
Marcin
Re: cant log into child domain [message #303887 is a reply to message #303241] Sat, 31 October 2009 00:52
aceman
"sawyer" <occompguy@cox.net> wrote in message
news:4E66F598-14F4-4D4D-92CC-9C1056293D3B@microsoft.com...
> Hello all
>
> I have a parent and child domain in the AD forest, the AD forest is at
> Windows 2003 native. I am a member of the enterprise admins, domain admins
> and schema admins groups. Using my account I cannot log onto one of the
> DCs in the child domain when logging onto the child domain. I thought
> that if my account was a member of the enterprise admins group I could use
> my account and log on to a DC in the child domain under the child domain?
>
> Thanks


Are there any Event log errors on any of the DCs?

How is DNS set up in the infrastructure? Is the child domain delegated the
child zone? If so, I assume the parent zone and child zone's replication
scope are Domain wide, and there is a forwarder from the child domain's DNS
to the parent domain's DNS, as well as that all child domain members are
only using the child domain's DNS servers.

If not, can you elaborate on the setup? This could also contribute to your
Exchange issue you had posted earlier.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Re: cant log into child domain [message #305483 is a reply to message #303887] Mon, 02 November 2009 10:31
Sawyer
Hello Ace, thank you very much for your assistance.

DNS in the forest is all AD integrated. The parent domain is
corp.mydomain.com and the zone for this domain is AD integrated. The child
domain is child.corp.mydomain.com and the zone for this domain is AD
integrated as well. All domain controllers are DNS servers, and they all use
forwarders and they all point to the same ISP IP address.

I do not understand what you mean by "is the domain delegated the child
zone"? How can I confirm this?
The parent and child zone replication are forest wide (I think). When I
right click on the zone (both the parent and child zone) and go to properties
and the general tab, the replication says "All DNS servers in the forest".

Again, the forwarder for the child zone is set to look at the ISP. Should the
forwarder be the IP address of a DNS server located in the parent zone?

Yes, all child domain members are using the child domain for DNS.

Thanks again for your assistance!
Re: cant log into child domain [message #305490 is a reply to message #303887] Mon, 02 November 2009 10:39
Sawyer
So just to confirm what I am experiencing is not normal behavior

My account is a member of the enterprise admins group. I can log onto one of
the child DCs with my corp account (corp is the parent domain) but I can't
log onto one of the child DCs using my corp account but under the child
domain. Example: childdomain\myaccount fails.

When I try to log on to a DC on the child domain using
childdomain\myaccount I get a security event:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/2/2009 9:34:42 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC2.childdomain.corp.mydomain.com
Description:
An account failed to log on.
Re: cant log into child domain [message #305680 is a reply to message #305483] Mon, 02 November 2009 13:46
aceman
"sawyer" <occompguy@cox.net> wrote in message
news:A7C0FDBD-531C-422F-9631-B1E9B4B2C03B@microsoft.com...
> Hello Ace, thank you very much for your assistance.
>
> DNS in the forest is all AD integrated. The parent domain is
> corp.mydomain.com and the zone for this domain is AD integrated. The child
> domain is child.corp.mydomain.com and the zone for this domain is AD
> integrated as well. All domain controllers are DNS servers, and they all
> use forwarders and they all point to the same ISP IP address.
>
> I do not understand what you mean by "is the domain delegated the child
> zone"? How can I confirm this?
> The parent and child zone replication are forest wide (I think). When I
> right click on the zone (both the parent and child zone) and go to
> properties and the general tab, the replication says "All DNS servers in
> the forest".
>
> Again, the forwarder for the child zone is set to look at the ISP. Should
> the forwarder be the IP address of a DNS server located in the parent zone?
>
> Yes, all child domain members are using the child domain for DNS.
>
> Thanks again for your assistance!
>

You are welcome, so far.

I think it is a resolution issue based on the DNS infrastructure. Regarding
DNS Parent to child delegation, I had responded to another one of your
threads explaining this. Apparently the two threads are related.

If you decide to delegate, the _msdcs zone stays in the Forest replication
scope. The other two will be put into their own respective domain scope (not
the Windows 2000 compatible one).

Forwarding with delegation is changed. It will go from child to parent, then
parent to ISP.

However, you can keep it the way it is, for simplicity, which may complicate
this diagnosis.

I believe you had already set the search suffixes? (trying to remember info
from this thread and the other one) If so, good.

I would also look at WINS.

Ace
Re: cant log into child domain [message #305681 is a reply to message #305490] Mon, 02 November 2009 13:47
aceman
"sawyer" <occompguy@cox.net> wrote in message
news:43B304EE-9757-45F6-85FD-DA8768CF1E5E@microsoft.com...
> So just to confirm what I am experiencing is not normal behavior
>
> My account is a member of the enterprise admins group. I can log onto one
> of the child DCs with my corp account (corp is the parent domain) but I
> can't log onto one of the child DCs using my corp account but under the
> child domain. Example: childdomain\myaccount fails.
>
> When I try to log on to a DC on the child domain using
> childdomain\myaccount I get a security event:
>
> Log Name: Security
> Source: Microsoft-Windows-Security-Auditing
> Date: 11/2/2009 9:34:42 AM
> Event ID: 4625
> Task Category: Logon
> Level: Information
> Keywords: Audit Failure
> User: N/A
> Computer: DC2.childdomain.corp.mydomain.com
> Description:
> An account failed to log on.
>


Are there any event errors regarding replication?

Ace
Re: cant log into child domain [message #306401 is a reply to message #305681] Tue, 03 November 2009 07:37
Sawyer
No, the child and parent domain are in the same AD site.
Re: cant log into child domain [message #306470 is a reply to message #306401] Tue, 03 November 2009 08:46
aceman
"sawyer" <occompguy@cox.net> wrote in message
news:0CE72AF0-DD9D-4A45-831B-553654E2792C@microsoft.com...
> No, the child and parent domain are in the same AD site
>

Replication runs between all DCs, whether in the same site or not.

So you are saying the only error or informational event log entry is the
Security entry you posted previously? Did you check all logs on the DCs?

Ace
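
Added example (not part of any post in this thread): the event 4625 posted above shows only its summary line, while the reason for the failure is carried in the event's Status and SubStatus fields. The PowerShell below reads those fields from the DC named in the thread and also performs the group-membership check suggested earlier. The child domain name is assumed from the DC's FQDN, and the function names are made up for this example.

```powershell
# Added example; host and domain names are the ones quoted in the thread.
# Assumes PowerShell 3.0+, rights to read the DC's Security log, and (for the
# group check) the ActiveDirectory module with AD Web Services reachable.
$dc          = 'DC2.childdomain.corp.mydomain.com'
$childDomain = 'childdomain.corp.mydomain.com'   # assumed from the DC's FQDN
$rootDomain  = 'corp.mydomain.com'

# NTSTATUS codes commonly found in the Status/SubStatus fields of event 4625.
$reasons = @{
    '0xc0000064' = 'User name does not exist in the domain that was specified'
    '0xc000006a' = 'User name is correct but the password is wrong'
    '0xc000006d' = 'Generic logon failure (bad user name or password)'
    '0xc000015b' = 'User has not been granted this logon type on the machine'
    '0xc0000072' = 'Account is disabled'
    '0xc0000234' = 'Account is locked out'
}

function Get-FailedLogonDetail {
    param([string]$ComputerName, [int]$MaxEvents = 20)
    $filter = @{ LogName = 'Security'; Id = 4625 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$node.Name] = $node.'#text'
            }
            $code   = ([string]$data['SubStatus']).ToLower()
            $reason = if ($reasons.ContainsKey($code)) { $reasons[$code] } else { 'Not in table' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType = $data['LogonType']
                Status    = $data['Status']
                SubStatus = $data['SubStatus']
                Reason    = $reason
            }
        }
}

function Test-EnterpriseAdminsInChildAdministrators {
    param([string]$ChildDomain, [string]$RootDomain)
    $ea     = Get-ADGroup -Identity 'Enterprise Admins' -Server $RootDomain
    $admins = Get-ADGroup -Identity 'Administrators' -Server $ChildDomain -Properties member
    # True when the forest-root group is a direct member of the child's built-in group.
    $admins.member -contains $ea.DistinguishedName
}

Get-FailedLogonDetail -ComputerName $dc | Format-Table -AutoSize
Test-EnterpriseAdminsInChildAdministrators -ChildDomain $childDomain -RootDomain $rootDomain
```

The Account column shows which domain the logon attempt was actually submitted against, so it can be compared directly with the domain the account lives in.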