
AD Users and Computers: Unable to Browse Entire Forest Anymore


darkonex

Technical User
Jul 2, 2008
I recently installed updates and service packs on our domain controllers, and shortly after I noticed this issue, which I believe may have been due to the updates. It used to be that when I was in Active Directory Users and Computers on the primary parent DC I could see our 2 child domains as objects in the forest, and I could look at users/groups in them from there. Now they have vanished. Also, it used to be that when I was adding security groups to members in the child domains in AD Users and Computers and I clicked on Locate, I would get the entire forest tree and child domains and I could search for and add any group to a user in there; now it limits me to the tree for the child domain only. Also, when I look at group memberships of users on the child domains that I know are a part of security groups from the parent domain, it doesn't display that they are.

I have been searching high and low for a fix for this for 2 weeks now and not having much luck. I don't believe it's a trust issue, as I ran trust verifications on all of them and they all passed, and dcdiag and netdiag look clean and no event log errors are being logged on them. That's why I think something in a Windows Update must have changed the way that was working somehow. Anybody ever run into this?
 
This sounds to me like a DNS resolution failure between the child and forest root.

The groups in the child from the forest root: are they showing as unresolved SIDs?

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+

 
That's what I was being led to believe on Experts-Exchange, that it was a DNS issue, and maybe it still is. However, for your question, no, they aren't showing as unresolved SIDs; I can do a search for groups/users in the child domain from AD Users & Computers in the parent domain and it returns all the users and groups with their names. The problem is I can't search for any users or groups from the child domain, as the tree I can browse is now limited to just the child domain only.
 
OK, so let me see if I got this right:

From the forest root domain DC, you can see all users and computers in the child domain(s).
From a child domain DC, you cannot see the forest root domain users and computers.

Is that right?

If you attempt to ACL a folder on a server in the child domain, does the forest root show up in the list of domains when you use the object picker? If so, what error do you get when you click on it? If there is no error and you can click on it, add it to the ACL, apply and OK out of the properties of the folder, then go back in to see if it's a name or a SID.
If the forest root isn't showing up at all, what does domain.msc say as far as the trusts in place?

-Brandon Wilson

 
Actually this is where it's really weird. From the root domain, I used to show the child domain in the tree in AD Users and Computers but it's missing. However if I do a search in the entire forest for a person in the child domain, it finds them. It's just that the child domain doesn't show as an object in the tree like it used to in AD Users and Computers.

From the child domain, what's strange is that last night I set up a new user on it, and I was able to view the entire forest when adding the user to groups. However, I find that if I right-click on one of the users, then go to Properties, then click the Member Of tab, it doesn't show the groups from the root domain that they are a member of, even though I know they are a member of a root domain group. It's not that it's showing as a SID instead; it's just like it's invisible, so if I try to add them to a group in the root domain that I know they are a member of but it's not showing they are, it will tell me "This user is already a member of this group". Also, if I click on Add on that tab to add them to one, and then click on Location, it only shows me the child domain tree, so I can't select a group from the root domain to assign them to.

However, say on the child domain I want to give a user from the root domain access to a folder somewhere: if I go to that folder, right-click it, go to the Security tab, then search for a user in there, it DOES show me the whole forest to select a user from. So it seems to me that the only thing that's actually affected here is the Member Of tab not showing the whole forest tree like it used to; however, giving permissions on folders or doing a search in the entire forest DOES show the entire forest.
 
That is very strange.

You may try resetting the TDO, then double-checking to ensure SID filtering is off (it should be off by default in your situation with parent/child, if I remember right).

-Brandon Wilson
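The checks discussed in this thread (DNS/DC locator resolution of the forest root from the child, trust verification, the SID-filtering flag on the trusted-domain objects, and whether a child-domain user's root-domain group membership actually exists in the directory regardless of what the Member Of tab shows) can be scripted from a child domain controller. The following is an added example written for this page, not code posted by anyone in the thread. It uses plain ADSI so it runs under Windows PowerShell 2.0 without the ActiveDirectory module, and it assumes netdom and nltest are installed (built into Windows Server 2008; part of the Support Tools on 2003). The domain, user and group names are assumed placeholders; replace them with your own.

```powershell
# Added example for this thread (not code from the original posts).
# Run on a DC in the child domain with forest-root admin credentials available.

$RootDomain  = 'corp.example.com'          # assumed forest root
$ChildDomain = 'child.corp.example.com'    # assumed child domain
$User        = 'jdoe'                      # assumed user account in the child domain
$RootGroup   = 'Root Admins'               # assumed group in the forest root

# TRUST_ATTRIBUTE_QUARANTINED_DOMAIN: bit 0x4 of trustAttributes on a TDO means SID filtering is on.
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4

# 1. Can the child resolve and locate the root's DCs and a global catalog?
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$RootDomain"
nltest "/dsgetdc:$RootDomain"
nltest "/dsgetdc:$RootDomain" /gc

# 2. Verify the parent/child trust and display its quarantine (SID filtering) setting.
netdom trust $ChildDomain "/domain:$RootDomain" /verify
netdom trust $ChildDomain "/domain:$RootDomain" /quarantine
# To reset the trust password (the "reset the TDO" step), run once with credentials
# for both sides, e.g.:
#   netdom trust child.corp.example.com /domain:corp.example.com /reset /userO:<child admin> /passwordO:* /userD:<root admin> /passwordD:*

function Get-TrustInfo([string]$Domain) {
    # Trusted-domain objects (TDOs) live in CN=System of each domain partition.
    $dnc = ([ADSI]"LDAP://$Domain/RootDSE").defaultNamingContext
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$Domain/CN=System,$dnc"
    $s.Filter = '(objectClass=trustedDomain)'
    foreach ($r in $s.FindAll()) {
        $attr = [int]$r.Properties['trustattributes'][0]
        New-Object PSObject -Property @{
            Domain       = $Domain
            Partner      = [string]$r.Properties['trustpartner'][0]
            Direction    = [int]$r.Properties['trustdirection'][0]   # 1 inbound, 2 outbound, 3 bidirectional
            Attributes   = ('0x{0:X}' -f $attr)
            SidFiltering = (($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0)
        }
    }
}

function Test-RootGroupMembership {
    # Read the group's member attribute from a root-domain DC. That forward link is the
    # authoritative record of membership, independent of the memberOf backlink that a
    # child DC renders on the Member Of tab.
    $gs = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$RootDomain")
    $gs.Filter = "(&(objectClass=group)(cn=$RootGroup))"
    [void]$gs.PropertiesToLoad.Add('member')
    $g = $gs.FindOne()
    if ($g -eq $null) { throw "Group '$RootGroup' not found in $RootDomain" }

    # Resolve the user's DN through the global catalog, which spans the whole forest.
    $us = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"GC://$RootDomain")
    $us.Filter = "(&(objectCategory=person)(sAMAccountName=$User))"
    [void]$us.PropertiesToLoad.Add('distinguishedName')
    $u = $us.FindOne()
    if ($u -eq $null) { throw "User '$User' not found in the global catalog" }
    $userDn = [string]$u.Properties['distinguishedname'][0]

    $members = @($g.Properties['member'] | ForEach-Object { [string]$_ })
    New-Object PSObject -Property @{
        User     = $userDn
        Group    = [string]$g.Path
        IsMember = ($members -contains $userDn)   # DN comparison is case-insensitive in PowerShell
    }
}

# 3. Show the TDOs as seen from each side, then the authoritative membership answer.
Get-TrustInfo $ChildDomain | Format-Table Domain, Partner, Direction, Attributes, SidFiltering -AutoSize
Get-TrustInfo $RootDomain  | Format-Table Domain, Partner, Direction, Attributes, SidFiltering -AutoSize
Test-RootGroupMembership   | Format-List
```

If step 1 fails to return SRV records or a GC for the root, fix DNS before touching the trust. If the TDO shows SidFiltering as True on a parent/child trust, `netdom trust <child> /domain:<root> /quarantine:No` clears it. If IsMember comes back True while the Member Of tab on the child DC stays empty, the membership is intact in the directory and the problem is in how the child DC is presenting it, which narrows the search considerably.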

 