Hello all

I have a parent and child domain in the AD forest, the AD forest is at
Windows 2003 native. I am a member of the enterprise admins domain admins
and schema admins group. Using my account I cannot log onto one of the DC's
in the child domain when logging onto the child domain. I thought that if my
account was a member of the enterrpise admins group I could use my account
and log on to a DC in the child domain under the child domain?

Thanks

What's the error message you are getting when attempting to logon?

Marcin

"sawyer" <occompguy@cox.net> wrote in message
news:4E66F598-14F4-4D4D-92CC-9C1056293D3B@microsoft.com...

Quote:

Hello all I have a parent and child domain in the AD forest, the AD forest is at Windows 2003 native. I am a member of the enterprise admins domain admins and schema admins group. Using my account I cannot log onto one of the DC's in the child domain when logging onto the child domain. I thought that if my account was a member of the enterrpise admins group I could use my account and log on to a DC in the child domain under the child domain? Thanks

Is a "you don't have rights to log into this machine, you must be a member
of the local admin or RDP group"

"Marcin" <marcin@community.nospam> wrote in message
news:urKWHxYWKHA.4592@TK2MSFTNGP06.phx.gbl...

Quote:

What's the error message you are getting when attempting to logon? Marcin "sawyer" <occompguy@cox.net> wrote in message news:4E66F598-14F4-4D4D-92CC-9C1056293D3B@microsoft.com... Hello all I have a parent and child domain in the AD forest, the AD forest is at Windows 2003 native. I am a member of the enterprise admins domain admins and schema admins group. Using my account I cannot log onto one of the DC's in the child domain when logging onto the child domain. I thought that if my account was a member of the enterrpise admins group I could use my account and log on to a DC in the child domain under the child domain? Thanks

Verify that Enterpise Admins group is a member of local Administrators group
in the child domain...

hth
Marcin

"sawyer" <occompguy@cox.net> wrote in message
news:64D80AF7-59E0-4755-B0EC-D5666C5111A1@microsoft.com...

Quote:

Is a "you don't have rights to log into this machine, you must be a member of the local admin or RDP group" "Marcin" <marcin@community.nospam> wrote in message news:urKWHxYWKHA.4592@TK2MSFTNGP06.phx.gbl... What's the error message you are getting when attempting to logon? Marcin "sawyer" <occompguy@cox.net> wrote in message news:4E66F598-14F4-4D4D-92CC-9C1056293D3B@microsoft.com... Hello all I have a parent and child domain in the AD forest, the AD forest is at Windows 2003 native. I am a member of the enterprise admins domain admins and schema admins group. Using my account I cannot log onto one of the DC's in the child domain when logging onto the child domain. I thought that if my account was a member of the enterrpise admins group I could use my account and log on to a DC in the child domain under the child domain? Thanks

"sawyer" <occompguy@cox.net> wrote in message
news:4E66F598-14F4-4D4D-92CC-9C1056293D3B@microsoft.com...

Quote:

Hello all I have a parent and child domain in the AD forest, the AD forest is at Windows 2003 native. I am a member of the enterprise admins domain admins and schema admins group. Using my account I cannot log onto one of the DC's in the child domain when logging onto the child domain. I thought that if my account was a member of the enterrpise admins group I could use my account and log on to a DC in the child domain under the child domain? Thanks

Are there any Event log errors on any of the DCs?

How is DNS setup in the infrastructure? Is the child domain delegated the
child zone? If so, I assume the parent zone and child zone's replication
scope are Domain wide, and there is a fowarder from the child domain's DNS
to the parent domain's DNS, as well as that all child domain members are
only using the child domain's DNS servers.

If not, can you elaborate on the setup? This could also contribute to your
Exchange issue you had posted earlier.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

Hello Ace, thank very much for your assistance.

DNS in the forest is all AD integrated. The parent domain is
corp.mydomain.com and the zone for this domain is AD integrated. The child
domain is child.corp.mydomain.com and it's the zone for this domain is AD
integrated as well. All Domain controllers are DNS servers, and they all use
forwarders and they all point to the same ISP ip address.

I do not understand what you mean by "is the domain delegated the child
zone"? how can I confirm this?
The parent and child zone replication are forest wide ( I think) when I
right click on the zone both the parent and child zone go to properties and
the general tab, the replication says "All DNS servers in the forest"

Again the forwarder for the child zone is set to look at the ISP, should the
forwarder be the ip address of DNS server located in the parent zone?

Yes all child domain members are using the child domain for DNS

Thanks again for your assitance!

"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:ebqiIbfWKHA.844@TK2MSFTNGP05.phx.gbl...

Quote:

"sawyer" <occompguy@cox.net> wrote in message news:4E66F598-14F4-4D4D-92CC-9C1056293D3B@microsoft.com... Hello all I have a parent and child domain in the AD forest, the AD forest is at Windows 2003 native. I am a member of the enterprise admins domain admins and schema admins group. Using my account I cannot log onto one of the DC's in the child domain when logging onto the child domain. I thought that if my account was a member of the enterrpise admins group I could use my account and log on to a DC in the child domain under the child domain? Thanks Are there any Event log errors on any of the DCs? How is DNS setup in the infrastructure? Is the child domain delegated the child zone? If so, I assume the parent zone and child zone's replication scope are Domain wide, and there is a fowarder from the child domain's DNS to the parent domain's DNS, as well as that all child domain members are only using the child domain's DNS servers. If not, can you elaborate on the setup? This could also contribute to your Exchange issue you had posted earlier. -- Ace This posting is provided "AS-IS" with no warranties or guarantees and confers no rights. Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution. Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003 Microsoft Certified Trainer For urgent issues, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

So just to confirm what I am experiencing is not normal behavior

My account is a member of the enterprise admins group. I can log onto one of
the child DC's with my corp account (corp is the parent domain) but I cant
log onto one of the child DC's using my corp account but under the child
domain. Example childdomain\myaccount fails.

When I try and log on to a DC on the child domain using
childdomain\myaccount I get a security event

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/2/2009 9:34:42 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC2.childdomain.corp.mydomain.com
Description:
An account failed to log on.


"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:ebqiIbfWKHA.844@TK2MSFTNGP05.phx.gbl...

Quote:

"sawyer" <occompguy@cox.net> wrote in message news:4E66F598-14F4-4D4D-92CC-9C1056293D3B@microsoft.com... Hello all I have a parent and child domain in the AD forest, the AD forest is at Windows 2003 native. I am a member of the enterprise admins domain admins and schema admins group. Using my account I cannot log onto one of the DC's in the child domain when logging onto the child domain. I thought that if my account was a member of the enterrpise admins group I could use my account and log on to a DC in the child domain under the child domain? Thanks Are there any Event log errors on any of the DCs? How is DNS setup in the infrastructure? Is the child domain delegated the child zone? If so, I assume the parent zone and child zone's replication scope are Domain wide, and there is a fowarder from the child domain's DNS to the parent domain's DNS, as well as that all child domain members are only using the child domain's DNS servers. If not, can you elaborate on the setup? This could also contribute to your Exchange issue you had posted earlier. -- Ace This posting is provided "AS-IS" with no warranties or guarantees and confers no rights. Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution. Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003 Microsoft Certified Trainer For urgent issues, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

"sawyer" <occompguy@cox.net> wrote in message
news:A7C0FDBD-531C-422F-9631-B1E9B4B2C03B@microsoft.com...

Quote:

Hello Ace, thank very much for your assistance. DNS in the forest is all AD integrated. The parent domain is corp.mydomain.com and the zone for this domain is AD integrated. The child domain is child.corp.mydomain.com and it's the zone for this domain is AD integrated as well. All Domain controllers are DNS servers, and they all use forwarders and they all point to the same ISP ip address. I do not understand what you mean by "is the domain delegated the child zone"? how can I confirm this? The parent and child zone replication are forest wide ( I think) when I right click on the zone both the parent and child zone go to properties and the general tab, the replication says "All DNS servers in the forest" Again the forwarder for the child zone is set to look at the ISP, should the forwarder be the ip address of DNS server located in the parent zone? Yes all child domain members are using the child domain for DNS Thanks again for your assitance!

You are welcome, so far.

I think it is a resolution issue based on the DNS infrastructure. Regarding
DNS Parent to child delegation, I had responded to another one of your
threads explaining this. Apparently the two threads are related.

If you decide to delegate, the _msdcs zone stays in the Forest replication
scope. The other two will be put into their own respective domain scope (not
the Windows 2000 compatible one).

Forwarding with delegation is changed. It will go from child to parent, then
parent to ISP.

However, you can keep it the way it is, for simplicity, which may complicate
this diagnosis.

I believe you had already set the search suffixes? (trying to remember info
from this thread and the other one) If so, good.

I would also look at WINS.

Ace

"sawyer" <occompguy@cox.net> wrote in message
news:43B304EE-9757-45F6-85FD-DA8768CF1E5E@microsoft.com...

Quote:

So just to confirm what I am experiencing is not normal behavior My account is a member of the enterprise admins group. I can log onto one of the child DC's with my corp account (corp is the parent domain) but I cant log onto one of the child DC's using my corp account but under the child domain. Example childdomain\myaccount fails. When I try and log on to a DC on the child domain using childdomain\myaccount I get a security event Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 11/2/2009 9:34:42 AM Event ID: 4625 Task Category: Logon Level: Information Keywords: Audit Failure User: N/A Computer: DC2.childdomain.corp.mydomain.com Description: An account failed to log on.

Are there any event errors regarinding replication?

Ace

No, the child and parent domain are in the same AD site

"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:#pWI22$WKHA.1280@TK2MSFTNGP04.phx.gbl...

Quote:

"sawyer" <occompguy@cox.net> wrote in message news:43B304EE-9757-45F6-85FD-DA8768CF1E5E@microsoft.com... So just to confirm what I am experiencing is not normal behavior My account is a member of the enterprise admins group. I can log onto one of the child DC's with my corp account (corp is the parent domain) but I cant log onto one of the child DC's using my corp account but under the child domain. Example childdomain\myaccount fails. When I try and log on to a DC on the child domain using childdomain\myaccount I get a security event Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 11/2/2009 9:34:42 AM Event ID: 4625 Task Category: Logon Level: Information Keywords: Audit Failure User: N/A Computer: DC2.childdomain.corp.mydomain.com Description: An account failed to log on. Are there any event errors regarinding replication? Ace

"sawyer" <occompguy@cox.net> wrote in message
news:0CE72AF0-DD9D-4A45-831B-553654E2792C@microsoft.com...

Quote:

No, the child and parent domain are in the same AD site

Replication runs between all DCs, whether in the same site or not.

So you are saying the only error or informational event log entry is the
Security entry you posted previously? Did you check all logs on the DCs?

Ace