Authentication issues with child domain


  • Authentication issues with child domain

    Hi all

    Background first: We have an AD2003 forest consisting of one parent domain and one child domain. The parent domain (let's call it company.local) has two DCs, and the child domain ( had one DC.

    As we needed to free up the hardware that the child DC was running on, I tried to import it into VMWare using P2V, but stumbled across two problems - it was no longer seen as the same DC, and it also kept generating BSODs.

    No worries, I thought, I'll just fire up the original child DC again for the time being, but that now won't replicate to the parent DCs either, and the DNS zone is empty. The most obvious symptom was that machines on the child domain couldn't authenticate against the parent domain.

    So I built a fresh DC in VMWare, joined it to the demoroom child domain, dcpromo'd it, and set it as a DNS server by creating a Primary AD zone called

    All seemed ok for the most part, as machines in the child domain can now log into the parent domain if required. However I noticed that the new child DC hasn't appeared as a replication partner in AD Sites & Services in the parent domain.

    When I investigated further, I realised that while I can authenticate from the child to the parent domain, I can't authenticate the other way (e.g. if I use the 'Connect to Domain' option in AD on one of the parent DCs and connect to Demoroom, it just says bad username or password).

    I also found that the SRV (LDAP and Kerberos) records for the new child DC weren't created in the child DNS zone, so I have created them manually. However, I realise that I shouldn't need to do this if everything is working correctly and, unsurprisingly, it hasn't fixed my problem.

    I'm not quite sure where to go from here, but basically I need to get the VMWare child DC working fully so that the equipment in our showroom all works correctly. FWIW, I can ping correctly from both domains by IP, name and FQDN, so DNS is working correctly in that respect.

    Any suggestions would be greatly appreciated. I'm wondering whether to just delete the child DNS zone and recreate it?


  • #2
    Re: Authentication issues with child domain

    When you brought the physical DC back online you screwed things up even more.

    Look at the event logs, anything that mentions USN rollback?


    • #3
      Re: Authentication issues with child domain

      Tell me about it. Bit of a comedy of errors really, all things considered.

      Regarding the event logs on the new DC:

      Directory Service: looks pretty clean, no errors

      DNS Server: Event ID 4514 appearing frequently - The DNS server detected that it is not enlisted in the replication scope of the directory partition etc. (This is why I manually populated DNS with the SRV records for the new DC, but it didn't make any difference.)


      Event ID 4015 appearing with the above error - The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "000020B5: AtrErr: DSID-03152392, #1:

      File Replication: Same as DS log, looks clean and no recent errors.

      System Log: Event ID 5807 - During the past 4.22 hours there have been 17 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients

      Application Log: Event ID 13 - Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.

      I've been googling these errors since Friday but can't really find a definitive answer of the best way forward to get DNS working properly.
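      The event IDs listed in this post, the USN rollback question from #2 and the hand-typed SRV records from #1 can all be checked from one place. The following PowerShell triage script is an added example and is not from the thread or any of its posters; it assumes the child domain's FQDN is demoroom.company.local (the real name is not given in the thread, so replace `$ChildDomain`), that it runs as an administrator on the new child DC, and that PowerShell 2.0 plus the repadmin/dcdiag/nltest tools are installed there.

```powershell
# Added triage script (not part of the thread). Assumptions: the child domain
# is demoroom.company.local (replace with the real name), and this runs with
# admin rights on the new child DC under PowerShell 2.0.
$ChildDomain = 'demoroom.company.local'   # assumed name, adjust to yours
$Since = (Get-Date).AddDays(-3)           # look back over the last three days

# 1. The event IDs discussed in the thread, with the log each one lives in.
$Checks = @(
    @{ Log = 'DNS Server';  Ids = 4514, 4015; Meaning = 'DNS server not enlisted in / cannot read the AD partition' },
    @{ Log = 'System';      Ids = 5807;       Meaning = 'clients authenticating from IP ranges with no AD site defined' },
    @{ Log = 'Application'; Ids = 13;         Meaning = 'DC certificate autoenrollment denied (0x80070005)' }
)
foreach ($c in $Checks) {
    $hits = Get-EventLog -LogName $c.Log -After $Since -ErrorAction SilentlyContinue |
            Where-Object { $c.Ids -contains $_.EventID }
    "{0,-12} IDs {1,-10}: {2} hit(s)  [{3}]" -f $c.Log, ($c.Ids -join ','), @($hits).Count, $c.Meaning
}

# 2. USN rollback (raised in #2): the Directory Service log names it in the message text.
#    A DC restored from an old image must not be left replicating if this appears.
$usn = Get-EventLog -LogName 'Directory Service' -After $Since -ErrorAction SilentlyContinue |
       Where-Object { $_.Message -match 'USN rollback' }
if (@($usn).Count -gt 0) { "USN rollback mentioned $(@($usn).Count) time(s) in the Directory Service log" }
else                     { "No USN rollback messages in the Directory Service log" }

# 3. SRV records a DC registers itself through Netlogon. If they resolve only
#    because they were typed in by hand (as in #1), dynamic registration is still broken,
#    so step 4 below matters more than a green result here.
$SrvNames = @(
    "_ldap._tcp.dc._msdcs.$ChildDomain",
    "_kerberos._tcp.dc._msdcs.$ChildDomain",
    "_ldap._tcp.$ChildDomain"
)
foreach ($name in $SrvNames) {
    # nslookup prints 'svr hostname = <dc>' for each SRV answer it receives
    $out = nslookup -type=SRV $name | Out-String
    if ($out -match 'svr hostname') { "OK      $name" } else { "MISSING $name" }
}

# 4. Built-in tools that report replication partners and DNS registration directly.
repadmin /showrepl
dcdiag /test:registerindns /dnsdomain:$ChildDomain
nltest /dsgetdc:$ChildDomain /force
```

      Run it on the new child DC first and then on a parent DC (changing nothing but `$ChildDomain`); the point of the comparison is whether the parent side can locate a child DC at all, which is the direction that fails in this thread. The repadmin output is the quickest way to see whether the new DC is missing as a replication partner, as noted in the first post.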


      • #4
        Re: Authentication issues with child domain

        I'm guessing this is the crux of the matter,

        Originally posted by Dannyboy75 View Post
        Application Log: Event ID 13 - Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.
        so I did some more digging and found lots of suggestions to add the child domain's DC group to the CERTSVC_DCOM_ACCESS group on our certificate server, which I've done. Still no luck though; every time I reboot the child DC it still gives the above error.

        Any suggestions would be very welcome. I'm starting to think about binning this child domain completely and creating a new one.



        • #5
          Re: Authentication issues with child domain


          If there's no information in your child domain that's required, and reading your posts I'm working on that assumption, I would completely destroy your child domain, do a metadata cleanup on your parent domain and start again.

          See here for info on removing a child domain from AD.

          Be sure to follow the above document all the way down, as it instructs you on how to remove the trust, since it's the last DC in the child domain.

          Once that's done I would suggest building a new virtual server and running DCPROMO, selecting a new domain in an existing forest.

          Hope this helps.


          Last edited by Hanley; 3rd November 2009, 15:03.


          • #6
            Re: Authentication issues with child domain

            Thanks Hanley, there's only a handful of PCs and other devices on the child domain, which could easily be moved to a new child domain. I think it's time to bite the bullet; I've had enough of going round in circles and trawling through event logs. Thanks for the link.