Cannot browse parent domain's AD objects from child domain

Discussion in 'Active Directory' started by bambooyip, Aug 13, 2007.

  1. bambooyip

    bambooyip Guest

    Hello all,

    I'm a little bit confused in this situation:
    Domain structure:
    - parent domain: parent.com
    - child domain: child.parent.com
    Settings:
    - each domain has 2 DC running as AD-integrated DNS ==> DNS part working fine
    - all ntds and sysvol are located on d:\ (intentionally installed to a
    separate location other than the system c:\) with enterprise admins and
    domain admins - full control
    - member server-P joined parent.com
    - member server-C joined child.parent.com

    Problem:
    1 - when logging on to member server-C with parentdomain\administrator (who
    is also member of Enterprise Admins group), it takes quite long
    2 - parentdomain\administrator is not in local administrators group which
    stops the installation of Exchange 2007
    3 - trying to put enterprise admins group to local admins group, but cannot
    browse AD objects from parent.com

    Any idea or suggestion or direction to tackle these problems?

    Thank you in advance.

    Bamboo
     
    bambooyip, Aug 13, 2007
    #1

  2. bambooyip

    Steve B Guest

    Few questions:

    1) Where are your GCs
    2) Where are all these DC's located?
    3) What is the network links between sites?
     
    Steve B, Aug 13, 2007
    #2

  3. bambooyip

    bambooyip Guest

    Thank you for your reply Steve B ... ;-)

    Here is the additional information:
    For discussion purpose, I simplified my situation in my last post. To be
    exact, there are 2 DCs in each domain (parent.com and child.parent.com) The 2
    pairs of DC are identical except for GC and FSMO roles. And I double-check
    that they are correct as follows:
    DC1.parent.com and ChildDC1.child.parent.com
    PDC emulator
    RID Master
    Infrastructure Master

    DC2.parent.com and ChildDC2.child.parent.com
    GC
    Schema Master
    Domain Naming Master

    All 4 DCs are in the same site (same subnet - at least for now; but we are
    planning to relocate it on other subnet next year)

    Thank you in advance.
    Bamboo
     
    bambooyip, Aug 13, 2007
    #3
  4. bambooyip

    Jorge Silva Guest

    Hi

    Start by running dcdiag and netdiag on both DCs and search for output
    errors and solve them first.

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, Aug 13, 2007
    #4
  5. bambooyip

    bambooyip Guest

    Thank you very much Jorge for your reply.

    I've done both dcdiag and netdiag on both DCs; but could not find any error.
    All tests were passed.

    Any idea ...

    I've restarted both DCs before I left my office. Let's see what's going on
    tomorrow.

    Anyway, thank you so much for both Steve and Jorge.

    Bamboo
     
    bambooyip, Aug 14, 2007
    #5
  6. bambooyip

    Jorge Silva Guest

    ok

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, Aug 14, 2007
    #6
  7. bambooyip

    bambooyip Guest

    Hello,

    The problem was still there after rebooting all DCs. After a lengthy
    troubleshooting, I realized the cause of the problem:

    eTrust 8.0 Antivirus installed on all DCs !!!!!!!!!!!!!!!!!!!!!!!!!

    The funny thing was, from the AD point of view everything was apparently
    working fine, which explained why I got dcdiag and netdiag all passed as I posted
    earlier. However, challenges came in when I tried to browse through the AD
    on objects other than the local domain (i.e. anything on parent.com from
    child.parent.com). After a 'detective' trace, I uninstalled eTrust 8.0 on all
    DCs. Then I got a whole bunch of event logs:
    - Event ID: 1394 Service Control: All problems preventing updates to the
    Active Directory Database have been cleared. New updates to the Active
    Directory Database are succeeding. The Net Logon Service has started.
    - Event ID: 1869 Global Catalog: Active Directory has located a global
    catalog in the following site. Global catalog: \\childdc2.child.parent.com
    Site: siteA-siteB

    What a big relief!!! For my past 2 days ....

    Please clarify my concept in this scenario:
    Logon to a memberserver joining child.parent.com as domain administrator of
    child.parent.com. Can I add Enterprise Admins global group (of parent.com) to
    the local admins group of this memberserver??

    Nice to share those concepts and experiences with anyone interested in this
    topic.

    Thanks

    Bamboo
    P.S. My boss just gave me the newer version of eTrust 8.1 ;-( He should
    have given it to me 2 days ago. What can I say ;-|
     
    bambooyip, Aug 14, 2007
    #7
  8. bambooyip

    bambooyip Guest

    First of all, thank you very much for providing valuable information.

    Regarding my past post, I've re-confirmed the answer in my lab already.

    Bamboo
     
    bambooyip, Aug 15, 2007
    #8
  9. bambooyip

    Jorge Silva Guest

    Glad you solved....
    ;)
    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, Aug 15, 2007
    #9