AD forest Top lvl domain and child domain communication

Anonymous
2024-03-20T15:19:42+00:00

Hello,

Scenario: 2 top-level DCs in a single forest, 4 child-domain DCs, a mix of 2016 and 2019.

Applied some of the CIS lvl 1 to one of the Root DCs and 2 of the child DC's.

We attempted to update our hybrid Exchange box, and when attempting the schema update it would not work. It seemed like a permissions issue. Also note that our new CIS lvl 1 top-level DC is the schema master. This was by running the update commands noted for the Exchange CU installer for updating the schema etc. This was also attempted on the top-level DC and it also failed.

Another interesting note is that I can log in with a child domain admin into our root DC that is not using CIS lvl 1 and is on 2016, as well as with my root admin creds. But I am not able to log in to the schema master top-level DC with child domain admin creds. I don't know if, when we stood up the new DCs with CIS lvl 1, we needed to do something special since we had an on-prem hybrid Exchange box? It either seems like a permissions issue or some config issue somewhere.

Also note, when running repadmin /replsum and repadmin /showrepl from an elevated command prompt on every DC, there are no issues showing up; everything is in sync, all showing succeeded.

Any assistance in what to check here? I'm a bit lost.

Thank you!


This question was migrated from the Microsoft Support Community; user profiles for migrated questions are anonymized.


3 answers

  1. Anonymous
    2024-03-21T07:29:05+00:00

    Hi Prezidentj33,

    Thank you for posting in the Microsoft Community Forum.

    It sounds like you're facing several challenges with your Active Directory environment, particularly related to schema updates for Exchange and potential permission/configuration issues after applying CIS level 1 settings to your domain controllers.

    Here are some steps you can take to troubleshoot and potentially resolve these issues:

    1. **Schema Update Failure**: Since the schema update for Exchange failed, start by reviewing the Exchange setup logs for any specific error messages or warnings that might indicate the cause of the failure. Ensure that the account used for the schema update has the necessary permissions to extend the schema. You may need to use an account with Schema Admin and Enterprise Admin rights.
    2. **Permissions Issue**: Given that you're unable to log in to the schema master top-level DC with child domain admin credentials, review the permissions and security settings on the schema master DC. Ensure that appropriate permissions are granted to the child domain admin accounts to access and administer the schema.
    3. **Configuration Check**: Verify that all domain controllers, including the schema master, are functioning correctly and are properly configured. Check event logs on the schema master DC and other relevant DCs for any errors or warnings that might indicate underlying configuration issues.
    4. **CIS Level 1 Implementation**: Review the changes applied as part of the CIS level 1 settings on your domain controllers. Ensure that these settings are compatible with your Exchange environment and that they haven't inadvertently restricted permissions required for Exchange schema updates.
    5. **Hybrid Exchange Considerations**: If you have an on-premises hybrid Exchange setup, consider any specific requirements or configurations that might be necessary to ensure compatibility with your Active Directory environment. Check Exchange documentation or consult with Exchange administrators for guidance on integrating with a CIS-compliant Active Directory environment.
    6. **Replication and AD Health**: While replication tests show no issues, it's still important to verify the overall health of your Active Directory environment. Use tools like DCDiag and Active Directory Replication Status Tool to perform comprehensive checks on AD replication, health, and integrity.
    7. **Review Recent Changes**: Identify any recent changes or updates applied to your Active Directory environment, including changes related to CIS level 1 settings, domain controller configurations, or Exchange updates. Roll back any recent changes that might have introduced compatibility issues.

    By systematically reviewing and addressing these areas, you should be able to identify the root cause of the issues you're experiencing and take appropriate steps to resolve them. Remember to document any changes or troubleshooting steps taken for future reference.

    Best regards

    Neuvi Jiang

  2. Anonymous
    2024-07-03T16:35:46+00:00

    Hello,

    So, on one of our forest-level DCs that has some CIS1 settings on it, when running dcdiag the only thing that sticks out is this, as all other tests show passed.

    SystemLog failed, and it's essentially failing auths from the other 2 child domain DCs into it.

    Netlogon has failed an authentication request of account DC1$ in domain (insert child domain). The request timed out before it could be sent to domain controller DC1$.childdomain.forestdomain.local. This is the first failure. If the problem continues consolidated events will be logged about every 30 minutes.

    Netlogon has failed an authentication request of account DC2$ in domain (insert child domain). The request timed out before it could be sent to domain controller DC2$.childdomain.forestdomain.local. This is the first failure. If the problem continues consolidated events will be logged about every 30 minutes.

    This shows for each child DC in this site, (2) total, and there are just a bunch of these events.

    This may explain why I am not able to remote into this particular root forest DC using child domain admin creds but I can into the other root forest DC? Does this look like it really has to do with MaxConcurrentApi? These are all 2019 domain controllers, whereas the other ones we have that seem not to have this issue are the 2016 ones.

    It says to look at this support KB: https://support.microsoft.com/en-us/topic/new-event-log-entries-that-track-ntlm-authentication-delays-and-failures-in-windows-server-2008-r2-are-available-f72c93de-cabd-f23f-c0ac-e4d6643163d4

    Are there any CIS lvl 1 settings that would affect this MaxConcurrentApi issue or contribute to it?

    I'm not exactly sure what the issue is here, but maybe it's because they are 2019, or some of the CIS 1 settings may be affecting this?

    Thank you for any input or answers!

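An added check (not posted by anyone in this thread) for the Netlogon timeouts and the MaxConcurrentApi question in the post above, and for the event-log and CIS-setting review suggested in the first answer: run it in an elevated PowerShell on the root DC that logs the timeouts, then on the 2016 DC that does not, and compare the two outputs. Assumed: event IDs 5816-5819 are the Netlogon NTLM delay/failure events the linked KB introduced, and the registry names are the Netlogon/LSA values behind MaxConcurrentApi and the "Restrict NTLM" / LAN Manager authentication level policies that CIS level 1 commonly sets.

```powershell
# Added example, not from the thread. Run elevated on the DC under investigation.
# Assumption: Netlogon events 5816-5819 (from the linked KB) carry the
# "authentication request ... timed out" messages quoted in the post.
$since = (Get-Date).AddHours(-24)

# 1. Which child-domain accounts/DCs are timing out, and how often.
$filter = @{ LogName='System'; ProviderName='NETLOGON'; Id=5816,5817,5818,5819; StartTime=$since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$events | ForEach-Object {
    $m = $_.Message   # parse the quoted message text rather than relying on property order
    [pscustomobject]@{
        Id      = $_.Id
        Account = $(if ($m -match 'account (\S+) in domain') { $Matches[1] } else { $null })
        Target  = $(if ($m -match 'domain controller (\S+?)\.\s') { $Matches[1] } else { $null })
    }
} | Group-Object Id, Account, Target | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. MaxConcurrentApi plus the NTLM policies CIS L1 commonly touches. A value
#    that differs between the failing 2019 DC and the working 2016 DC is the
#    first thing to explain; "not set" means the OS default applies.
$checks = @(
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name='MaxConcurrentApi' }
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name='RestrictNTLMInDomain' }
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                    Name='LmCompatibilityLevel' }
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';             Name='RestrictReceivingNTLMTraffic' }
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';             Name='RestrictSendingNTLMTraffic' }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    '{0,-28} = {1}' -f $c.Name, $(if ($null -eq $v) { '<not set, OS default>' } else { $v })
}

# 3. Live Netlogon semaphore counters per secure channel. Sustained Timeouts
#    and Waiters on the channels to the child domains support the
#    MaxConcurrentApi explanation; zero timeouts with auth still failing
#    points at policy or trust configuration instead.
$ctr = '\Netlogon(*)\Semaphore Timeouts',
       '\Netlogon(*)\Semaphore Waiters',
       '\Netlogon(*)\Average Semaphore Hold Time'
(Get-Counter -Counter $ctr -SampleInterval 5 -MaxSamples 3).CounterSamples |
    Where-Object { $_.InstanceName -ne '_total' -and $_.CookedValue -gt 0 } |
    Select-Object InstanceName, Path, CookedValue | Format-Table -AutoSize
```

Any raised MaxConcurrentApi or NTLM-restriction change should be rolled out through the same GPO on every DC in the forest, not per box, so the hardened and unhardened DCs stop behaving differently.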
  3. Anonymous
    2024-07-04T13:11:14+00:00

    Dear Prezidentj33,

    good afternoon.

    Sounds to me like someone did a half job. Given that he is not dead, he might be fired or have moved on. You hire him back to tackle this issue. Learn from what he did and why, oh why, he did not do it throughout the whole forest.

    Yours sincerely,

    Bjarne Petersen.
