Windows Server

Zeno · Guest

We've recently setup an AD Forest with the root domain name and then
child domains underneath.....

And we've seem to come across an Global Catalog error, when we try to
create accounts in the Child Domains it prompts with an error saying
the it cannot contact the Global Cataglog which hosts the root domain.

But then when we create the same acct at the root domain level, it
doesn't prompt with the error............

Whats likely the cause of the issue..... is it something to do with the
DNS configuration, DNS is only configured on the root GC's and not on
the child domains, furthermore we have two DC's in the child domain....

Whats the likely cause of the DNS? Anyone please help..........

Zeno

Zeno · Guest

The message I get when I actually try to create the accounts is
"cannot create account becasue cannot verfiy id is unique cannot
contact global catalog...... error: incorrect password...."

Zeno · Guest

Sime U,

I have created an additional zone in the primary DNS servers (root
level servers) and the childs use the point to the root/parent for DNS
resolution. I did an NSlookup on the child DC's and they all resolved
the root DC's so I can't figure out whats wrong and why its giving that
error............

Thanks

SIME U via WinServerKB.co · Guest

Hi

Misread your posts I see you have no child DNS servers only Child DCs

You "could" install DNS on the child DC's and as per my previous post
delegate and forward

Do you have a zone created on your primary DNS for the child DC's ie the AD
domain name of your child - child.parent.local or whatever

do the child DC's point to parent DC/DNS as their preferred DNS?

Regards

SIME U wrote:

SIME U via WinServerKB.co · Guest

Hi

Do you child DNS servers forward to the parent? you should delegate from
parent to child then forward from child to parent so names in the parent zone
can be resolved by machine connected to the child domain

What do the child DC's use as their DNS - themselves,the parent?

Setup a forwarder in DNS MMC on the child DC to point to the parent DC/DNS
root server, then disable recursion on the child DNS - NOT IN ADVANCED though
as this will diable forwarders too...

Regards

Si

Zeno wrote:

SIME U via WinServerKB.co · Guest

Hi

I assume the root DC "is" configured as the GC (in AD sites snd services) -
you can have all your DC's as GC's in most cases.

Run DCDIAG and NETDIAG on the child DC's ,from the support tools see if that
throws anything up

If I get this right it happens when you add a user account in ADUC? same if
you use command line to add a user - just out of curiosity?

Regards

Simon

Zeno wrote:

Zeno · Guest

e above only happens if I create acconts in the child domain,
everything works fine if I use the GC to create an acct in the child
domain............ similarly I think the child domain OUs GPO's arent'
getting applied properly as well ie. Childs Domain Policy - password
settings........... it looks find in GPMC the resultant GPO but they
don't seem to work ie. password policy, i removed password compleity
but still requires complex password...........

SIME U via WinServerKB.co · Guest

Hi

I got it now

did you run those tools, have you tried making all DC's GCs? this includes
the child DC's

Is there any reason not to install DNS on the child DC's? have the zone
supporting the child domain AD integrated and delegate that child namepace
from the parent DNS server(to the child).Then forward unresolved requests in
the child domain to the parent DNS server(which would then forward to ISP or
use root hints) This has always worked for me

MSKB shows how to setup a child DC/DNS and do the delegation

http://support.microsoft.com/default.aspx?scid=kb;en-us;255248

Regards

S

Zeno wrote:

	Windows Server Forum Index -> DNS	All times are GMT
Page 1 of 1