Discussion: AD - users and computers in child domain
Fyodor Yemelyanenko
2005-09-04 23:15:56 UTC
Hi, All!

Recently, I created a new child domain in the forest and located it in a
different site (the domain is located in another city). I've successfully
promoted a new DC there, made it a GC and configured replication. All works
fine (I've checked it using repadmin /showreps, the directory services event
log and ldp). But when I run AD Users and Computers and connect it to the
child domain, I only see groups from the child domain. If a user is a member
of a group from the parent domain, I don't see it. When I use ldp (connecting
to the GC port of the child domain's DC) to view the memberOf attribute of the
user, I see groups from the parent domain. Why doesn't ADUC use the GC?

Thanks in advance.
Fyodor.
Ace Fekay [MVP]
2005-09-05 04:12:01 UTC
This may be caused by different modes. What mode are the forest root domain
(the parent) and the child domain in? What mode is the forest in?

If not, maybe a clearer understanding of how your DNS infrastructure is
set up may help. For example, does the child domain have a DNS server, or is it
using the parent domain's DNS? If the child domain is using its own DNS,
do you have a delegation to the child with a forwarder set back to the
parent DNS?
--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
Fyodor Yemelyanenko
2005-09-05 06:52:27 UTC
Thank you for the answer, Ace.

Both domains in my forest, and the forest itself, are in Windows 2003 mode. My
DNS infrastructure is configured as follows. There are two domain controllers
in the root domain, both of which are DNS servers with an AD-integrated zone
(domain.ru). For the child domain I've created a delegation on both servers.
The domain controller in the child domain is the only DNS server for its DNS
zone (child.domain.ru). It's also configured with a forwarder set back to the
parent domain's servers. I've checked DNS using nslookup. All works fine.
Ace Fekay [MVP]
2005-09-05 15:47:47 UTC
Ok, that sounds good. Now, what about the Infrastructure Master FSMO role? Is
that on a GC?

Ace
Fyodor Yemelyanenko
2005-09-06 01:47:55 UTC
About domains and roles.
The two DCs in the root domain hold the roles as follows:
DC1 - Infrastructure, RID, Schema and Domain Naming roles
DC2 - PDC

The DC in the child domain holds the Infrastructure, RID and PDC FSMO roles.

All DCs are global catalogs; therefore, as far as I know, the location of the
Infrastructure role doesn't matter.

My problem is most likely that I don't use some command line switch or don't
select some option in ADUC...
Ace Fekay [MVP]
2005-09-06 05:07:08 UTC
AD101: If there are multiple domains in a forest, the GCs CANNOT be an IM
(Infrastructure Master), otherwise the IM will NOT ferret out references for
objects in other domains, hence thwarting its job. The GC has references to
specific, limited types of objects, but not global or domain local groups,
etc., that are in other domains. But if the IM sees that stuff in the GC, it
will satisfy itself (in layman's terms!) that it already knows what's out
there, not knowing it's incorrect.

What the IM does:
http://support.microsoft.com/?id=197132#XSLTH3159121123120121120120

On DC1, uncheck the "This is a GC" box. Let replication happen and check it
out. Likewise with all other domains, since each domain has an IM.

Let us know if that helped.

Ace
Fyodor Yemelyanenko
2005-09-06 22:41:49 UTC
Yes, you are right. I know that the IM cannot be a GC. But as written in the
article you recommended to me
(http://support.microsoft.com/?id=197132#XSLTH3159121123120121120120): "If
all the domain controllers in a domain also host the global catalog, all the
domain controllers have the current data, and it is not important which
domain controller holds the infrastructure master role." This is my case.
All DCs in the forest are GCs.
Ulf B. Simon-Weidner [MVP]
2005-09-07 07:10:14 UTC
Hi Fyodor,

I wrote this once for more clarification on that issue:
http://msmvps.com/ulfbsimonweidner/archive/2005/03/08/37975.aspx
--
Greetings - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Ace Fekay [MVP]
2005-09-07 15:36:02 UTC
Nice explanation.

:-)

Ace
Fyodor Yemelyanenko
2005-09-09 04:06:01 UTC
I read the article from Ulf B. Simon-Weidner's post and decided to conduct a
little experiment. I created a third domain in my forest, installed only one
DC there and didn't promote it to a GC.

Root domain (domain.ru)
  DC1 - GC, IM
  DC2 - GC
Child domain 1
  DC1 - IM, GC
Child domain 2 (test1.domain.ru)
  DC1 - IM (not GC)

Then I added ***@test1.domain.ru to Enterprise administrators from
domain.ru and ***@domain.ru to TestUniversalGroup from
test1.domain.ru. I waited for replication to occur. Then I checked the Member Of
property page in both users' properties. Neither user was shown as a member
of the universal group from the other domain! But when I looked at the Members
property page in the Enterprise administrators and TestUniversalGroup properties,
the users from the other domains were shown there.

What do you think about it?
Fyodor
Ace Fekay [MVP]
2005-09-09 15:29:12 UTC
Universal groups will show up because they exist and are stored in the GC,
not on any specific domain. If you are looking at a Universal Group's
properties, sure, the Universal Group has info about what members are in it.
What the IM does is pull references for objects in other domains, such as
Global and Domain Local Groups, which exist in the specific domain they were
created in. So if they are not in a Universal group, then if you are looking
for references to such data, they *may* not display.

Ace
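The difference Fyodor saw between ldp on the domain port and on the GC port can be reproduced from PowerShell. This is an added example, not code from the thread: it reads a user's memberOf through the domain partition (LDAP://, port 389) and through the global catalog (GC://, port 3268) of the same DC, and labels each group that appears only in the GC view by its scope (the server name and user DN are placeholders).

```powershell
# Added example (not from the thread). Compares the memberOf a user exposes
# through the domain partition (LDAP://) and the global catalog (GC://) of
# the same DC, and classifies the groups that only the GC view returns.
function Compare-MemberOf {
    param(
        [string]$Server,   # placeholder: a DC that is also a GC
        [string]$UserDn    # placeholder: distinguishedName of the user
    )
    $viaDomain = @(([ADSI]"LDAP://$Server/$UserDn").Properties['memberOf'])
    $viaGc     = @(([ADSI]"GC://$Server/$UserDn").Properties['memberOf'])

    # groupType scope bits (ADS_GROUP_TYPE_*): 0x2 global, 0x4 domain local,
    # 0x8 universal. The sign bit marks a security group and is masked off.
    $scope = @{ 2 = 'Global'; 4 = 'DomainLocal'; 8 = 'Universal' }

    foreach ($groupDn in $viaGc) {
        $type = [int](([ADSI]"GC://$Server/$groupDn").Properties['groupType'].Value)
        [pscustomobject]@{
            Group    = $groupDn
            Scope    = $scope[$type -band 0xE]
            OnlyInGC = ($viaDomain -notcontains $groupDn)
        }
    }
}

# Usage with placeholder names: a child-domain user queried at its own GC.
Compare-MemberOf -Server 'dc1.child.domain.ru' `
    -UserDn 'CN=Some User,CN=Users,DC=child,DC=domain,DC=ru' |
    Format-Table -AutoSize
```

Groups marked OnlyInGC with scope Universal are the cross-domain memberships the domain partition alone cannot show, which is what ADUC connected to the child domain displays.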

Ace Fekay [MVP]
2005-09-07 15:38:47 UTC
"If all the domain controllers in a domain also host the global catalog, all
the domain controllers have the current data, and it is not important which
domain controller holds the infrastructure master role."

If you are referring to the passage above in that article, yes, that is
correct, but this is ONLY in a single domain environment. You have multiple
domains.

Ace
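A quick way to audit what Ace and Fyodor are arguing about, as an added example that is not part of the thread: for every domain in the forest it reports the Infrastructure Master holder, whether that DC is a GC, and whether every DC in that domain is a GC (the KB197132 case quoted above). It assumes the ActiveDirectory module (RSAT) and read access to the forest.

```powershell
# Added example (not from the thread). Audits Infrastructure Master placement
# per domain. An IM that is also a GC is flagged unless every DC in that
# domain is a GC, which is the exception KB197132 describes.
Import-Module ActiveDirectory

function Get-ImPlacementReport {
    foreach ($domainName in (Get-ADForest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $imHost = $domain.InfrastructureMaster          # FQDN of the IM holder
        # Enumerate the DCs of this domain by asking the IM holder itself.
        $dcs    = @(Get-ADDomainController -Filter * -Server $imHost)
        $imDc   = $dcs | Where-Object { $_.HostName -eq $imHost }
        $nonGc  = ($dcs | Where-Object { -not $_.IsGlobalCatalog } |
                   Measure-Object).Count
        $imIsGc = [bool]$imDc.IsGlobalCatalog
        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $imHost
            ImIsGC               = $imIsGc
            DCsNotGC             = $nonGc
            # Harmless only when the whole domain is GC; otherwise either
            # move the IM role or remove the GC from its holder (the thread's
            # suggested fix is unchecking "This is a GC" on that DC).
            NeedsAttention       = ($imIsGc -and $nonGc -gt 0)
        }
    }
}

Get-ImPlacementReport | Format-Table -AutoSize
```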