Shockwave’s Blog

Just another geeky blog…

Active Directory – Child Domain Authentication Issues

Rob | July 30, 2011

Okay, my new employer has a pre-existing empty forest root with three child domains (North America, EMEA and Asia Pacific). Shortly after I started there was an issue where users in the Asia Pacific domain were unable to consume services published on EMEA servers.

Whenever Asian users were trying to access anything, they’d get an unknown username/bad password message despite using the correct credentials.

Troubleshooting revealed that only users authenticating with credentials from other domains were affected, which pointed to the trust between the EMEA domain and the empty forest root. To confirm this I validated the trust in Active Directory Domains and Trusts, which lets you validate a trust against individual domain controllers; the validation succeeded on some domain controllers in the forest root, but not all. Further investigation revealed that the password for the EMEA parent-child trust had been reset, but the new password had not replicated to every domain controller in the forest root.

I was able to prove this by using ADSIEdit against each of the domain controllers in the forest root in turn: connect to the Domain naming context, navigate to the Users container and find the trust account for the EMEA domain. This is an ordinary user object flagged as an interdomain trust account, and it has the same name as the child domain's NetBIOS name with a $ suffix, e.g. EMEADOMAIN$.

If you review the properties of this account you will find the pwdLastSet attribute, stored as a large integer (a Windows FILETIME: the number of 100-nanosecond intervals since 1 January 1601 UTC):

[Image: Account Properties]

You can convert this value into a standard date/time format using w32tm /ntte <value>, as shown below:

[Image: w32tm /ntte]

Once I had compared this on all DCs, I found that it wasn't consistent: the new password had not replicated to all domain controllers in the forest root (the replication problem itself will be the subject of a future post). To resolve the issue it was necessary to force another password reset. To do this I used the netdom command from a domain controller in the forest root, with the syntax below:

NetDom trust EMEADOMAIN.ForestRoot.com /domain:FORESTROOT.com /UserD:FORESTROOT\EnterpriseAdmin /PasswordD:* /UserO:EMEADOMAIN\DomainAdmin /PasswordO:* /reset

Once I had entered the password for each of the two accounts, I waited for replication to occur and services were restored. Phew!
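The ADSIEdit and w32tm /ntte comparison above can be scripted so that every forest-root DC is queried directly and the pwdLastSet values are converted and compared in one go. The following PowerShell is an added example written for this post, not code from the original article; it assumes the RSAT ActiveDirectory module is installed, that the forest root is forestroot.com and that the child domain's NetBIOS name is EMEADOMAIN (so the trust account is EMEADOMAIN$). Adjust both parameters for your own forest.

```powershell
# Added example (not from the original post): compare pwdLastSet of the
# EMEA trust account on every domain controller in the forest root.
# Assumptions: forest root = forestroot.com, child NetBIOS name = EMEADOMAIN.
param(
    [string]$ForestRoot   = 'forestroot.com',   # assumption
    [string]$TrustAccount = 'EMEADOMAIN$'       # assumption: child NetBIOS name + $
)

Import-Module ActiveDirectory -ErrorAction Stop

$searchBase = (Get-ADDomain -Identity $ForestRoot).DistinguishedName

# Trust accounts are user objects with INTERDOMAIN_TRUST_ACCOUNT (0x0800)
# set in userAccountControl; the LDAP bitwise-AND rule keeps the filter exact.
$filter = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2048)(sAMAccountName=$TrustAccount))"

# Query each forest-root DC by name. A default query is answered by whichever
# DC the locator picks, which is exactly what hides a replication gap.
$results = foreach ($dc in (Get-ADDomainController -Filter * -Server $ForestRoot)) {
    try {
        $obj = Get-ADObject -Server $dc.HostName -SearchBase $searchBase `
                            -LDAPFilter $filter -Properties pwdLastSet -ErrorAction Stop
        if (-not $obj) { throw "trust account $TrustAccount not found on this DC" }

        [pscustomobject]@{
            DomainController = $dc.HostName
            PwdLastSetRaw    = $obj.pwdLastSet
            # pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC);
            # this is the same conversion w32tm /ntte performs.
            PwdLastSetUtc    = [DateTime]::FromFileTimeUtc($obj.pwdLastSet)
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}

$results | Sort-Object PwdLastSetUtc | Format-Table -AutoSize

$distinct = @($results | Select-Object -ExpandProperty PwdLastSetRaw | Sort-Object -Unique).Count
if ($distinct -gt 1) {
    Write-Warning "$TrustAccount has $distinct different pwdLastSet values: the trust password has not replicated to every forest-root DC."
} else {
    Write-Host "$TrustAccount pwdLastSet is consistent on all $(@($results).Count) forest-root DCs."
}
```

Run it once to confirm the diagnosis, and again after the netdom reset to confirm the new password has reached every DC before declaring the trust healthy. If the values stay inconsistent after a reset, the trust is a symptom rather than the cause: check replication health with repadmin /replsummary, and repadmin /showobjmeta <DC> "<DN of the trust account>" shows which DC originated the latest pwdLastSet and unicodePwd write and which DCs have not yet received it.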

Categories
Tech
Tags
AD, SysAdmin