Active Directory – Child Domain Authentication Issues
Rob | July 30, 2011
Okay, my new employer has a pre-existing empty forest root with three child domains (North America, EMEA and Asia Pacific). Shortly after I started there was an issue where users in the Asia domain were unable to consume services being published on EMEA servers.
Whenever Asian users were trying to access anything, they’d get an unknown username/bad password message despite using the correct credentials.
Troubleshooting revealed that only users authenticating with credentials from other domains were affected, which pointed to the trust between the EMEA domain and the empty forest root. To confirm this I validated the trust in AD Domains and Trusts (which lets you validate a trust from a given domain controller); the validation succeeded on some domain controllers in the forest root, but not on all of them. Further investigation revealed that the password for the EMEA tree-root trust had been reset, but the new password had not replicated to all domain controllers in the forest root.
I was able to prove this by using ADSIEdit on each of the domain controllers in the forest root: connect to the domain context, navigate to the Users container and find the user account for the EMEA domain. This account has the same name as the child domain with a $ suffix, i.e. EMEADOMAIN$.
If you review the properties of this account you will find the pwdLastSet value, displayed as a long integer:
You can convert this into a standard date/time format using w32tm /ntte as shown below:
Once I compared this on all DCs, I found that it wasn’t consistent: the new password had not replicated to all domain controllers (which will be the subject of a future post). Anyway, to resolve the issue it was necessary to force another password reset. To do this, I used the netdom command from a domain controller in the forest root using the syntax below (the password parameters are /PasswordD and /PasswordO; the * makes netdom prompt for each password):
NetDom trust EMEADOMAIN.ForestRoot.com /domain:FORESTROOT.com /UserD:FORESTROOT\EnterpriseAdmin /PasswordD:* /UserO:EMEADOMAIN\DomainAdmin /PasswordO:* /reset
Once I’d entered the password for the respective accounts, I waited for replication to occur and services were restored. Phew!
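The per-DC pwdLastSet comparison described above can be scripted instead of repeating it by hand in ADSIEdit. The following is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module, the forest root name ForestRoot.com and the trust account name EMEADOMAIN$ from the post, and that the account running it can read the Users container on every forest-root DC.

```powershell
# Added example: query every domain controller in the forest root directly and
# compare its copy of pwdLastSet for the EMEA trust account (EMEADOMAIN$).
# Assumptions (hypothetical, taken from the post): forest root is ForestRoot.com,
# trust account is EMEADOMAIN$, RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$forestRoot   = 'ForestRoot.com'
$trustAccount = 'EMEADOMAIN$'

$results = foreach ($dc in Get-ADDomainController -Filter * -Server $forestRoot) {
    try {
        # Bind to each DC by name so we read that DC's own replica, not a referral.
        $obj = Get-ADObject -Server $dc.HostName `
            -LDAPFilter "(sAMAccountName=$trustAccount)" `
            -Properties pwdLastSet -ErrorAction Stop
        [pscustomobject]@{
            DC            = $dc.HostName
            pwdLastSet    = $obj.pwdLastSet
            # Same conversion w32tm /ntte performs: 100-ns ticks since 1601-01-01 UTC
            PwdLastSetUtc = [DateTime]::FromFileTimeUtc($obj.pwdLastSet)
            Error         = $null
        }
    } catch {
        # A DC that cannot be queried is reported rather than silently skipped.
        [pscustomobject]@{
            DC = $dc.HostName; pwdLastSet = $null; PwdLastSetUtc = $null
            Error = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

# More than one distinct pwdLastSet value means the trust password reset has not
# replicated to every forest-root DC, which is the failure the post describes.
$distinct = $results | Where-Object { $_.pwdLastSet } |
    Select-Object -ExpandProperty pwdLastSet | Sort-Object -Unique
if (@($distinct).Count -gt 1) {
    Write-Warning "pwdLastSet for $trustAccount differs across forest-root DCs; the trust password has not replicated everywhere."
} else {
    Write-Host "pwdLastSet for $trustAccount is consistent on all queried DCs."
}
```

Run it again after the netdom reset and after replication has completed to confirm all DCs converge on the same value.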