Domain Joining Issues

domain dns

18 replies to this topic

#1 Skiver

Skiver

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 10-October 05
  • Location: UK, Reading

Posted 10 February 2014 - 16:26

Hi Guys,

I need your expertise as I certainly do not have any in this area. Long story short, someone was troubleshooting what he referred to as "communication issues between a server and a lab DC" and as part of this, removed the server from the domain and is now unable to rejoin. Unfortunately this task seems to have gone from one idiot who doesn't know what he is doing to another.

 

The DC in some form or another is fine as I have used a VM and joined to the lab domain absolutely fine.

When I attempt to join the domain, I am firstly prompted for a user/pass however I get the error shown below;

domain.png



I'm struggling to come up with how this would be a DNS issue regarding the DC if another machine joined absolutely fine. I can ping the DC by IP and by hostname so it's not something that silly.

As I mentioned above, this isn't my normal area of expertise so please be gentle :)

Thanks in advance




#2 tbarnett

tbarnett

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 10-January 06
  • Location: North Carolina

Posted 10 February 2014 - 16:46

use the IP of the DC



#3 +Chris123NT

Chris123NT

    Win8 Master

  • Joined: 01-November 01
  • Location: New York

Posted 10 February 2014 - 16:54

Hi Guys,

I need your expertise as I certainly do not have any in this area. Long story short, someone was troubleshooting what he referred to as "communication issues between a server and a lab DC" and as part of this, removed the server from the domain and is now unable to rejoin. Unfortunately this task seems to have gone from one idiot who doesn't know what he is doing to another.

 

The DC in some form or another is fine as I have used a VM and joined to the lab domain absolutely fine.

When I attempt to join the domain, I am firstly prompted for a user/pass however I get the error shown below;

domain.png



I'm struggling to come up with how this would be a DNS issue regarding the DC if another machine joined absolutely fine. I can ping the DC by IP and by hostname so it's not something that silly.

As I mentioned above, this isn't my normal area of expertise so please be gentle :)

Thanks in advance

The client is using the DC as the primary DNS server, correct? As long as that's all okay and another client is ok, I would double check the DNS config, do an ipconfig /flushdns on the troublesome client and see if it succeeds.



#4 OP Skiver

Skiver

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 10-October 05
  • Location: UK, Reading

Posted 10 February 2014 - 16:58

The client is using the DC as the primary DNS server, correct? As long as that's all okay and another client is ok, I would double check the DNS config, do an ipconfig /flushdns on the troublesome client and see if it succeeds.

Yep, preferred DNS is the IP of the DNS/DC (same server). I've done countless flushdns's and reboots and still nothing.

 

As for using the IP, are you referring to putting the IP instead of the domain name? I've given that a go but got a completely different error, and looking at it, I think it expects the actual domain name.



#5 KibosJ

KibosJ

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 27-January 09
  • Location: Darlington, United Kingdom
  • OS: OS X 10.10 & Windows 8.1 x64
  • Phone: Samsung Galaxy S4 (GT-I9505)

Posted 10 February 2014 - 17:39

Have you tried putting Domainname.local in?



#6 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 36
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 10 February 2014 - 17:49

This should be fairly simple: where is the DNS on the computer pointing to for DNS queries? If it is anything other than the domain controller (even as a secondary)... your problem exists with the way you have DNS configured.

 

In a command prompt, do an nslookup for your internal domain:

 

nslookup mydomain.local

 

You should get a resolution of all of your domain controllers (if you have more than one) under the addresses portion. If you get a "cannot be found", you have some other issues going on with DNS.



#7 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 10 February 2014 - 18:27

"yep, preferred DNS is the IP"

 

So do you have other DNS set up? A member of AD should ONLY point to DNS that is for the AD; if you have, say, Google listed, how is it supposed to know about your AD domain? Just because you put the AD DNS on top does not mean that your client is not going to ask the other one.

 

AD members should ONLY point to AD DNS. This is how they should be set up, period; anything else and you're asking for issues.

 

You then have your AD DNS either forward and/or use root hints to look up, say, www.google.com.

 

Pull anything other than your AD DNS from the client's options, and then try it. If you are still having issues, run dcdiag on your AD to verify it. If that is still good, then you need to figure out why the client cannot find the DC. Firewall rules? Other problems? You can do the DNS queries via nslookup or dig on the client to verify they work, etc.

 

Also, that is not a very good AD name. I assume you're not using the FQDN of the domain; that can cause problems as well, depending on what the search suffix of the machine currently is. While it might be able to resolve mrdlab.tld, it might be doing a query for mrdlab.somethingelse, etc. When joining a domain it is better to use the FQDN.



#8 OP Skiver

Skiver

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 10-October 05
  • Location: UK, Reading

Posted 11 February 2014 - 09:23

Have you tried putting Domainname.local in?

Yes, that produces a different error message, I can't recall at the moment.

 

This should be fairly simple: where is the DNS on the computer pointing to for DNS queries? If it is anything other than the domain controller (even as a secondary)... your problem exists with the way you have DNS configured.

 

In a command prompt, do an nslookup for your internal domain:

 

nslookup mydomain.local

 

You should get a resolution of all of your domain controllers (if you have more than one) under the addresses portion. If you get a "cannot be found", you have some other issues going on with DNS.

Again, if this was the configuration of my DNS, why are other machines able to join?

Doing an nslookup returned the correct FQDN of the DC.
 

 

"yep, preferred DNS is the IP"

 

So do you have other DNS set up? A member of AD should ONLY point to DNS that is for the AD; if you have, say, Google listed, how is it supposed to know about your AD domain? Just because you put the AD DNS on top does not mean that your client is not going to ask the other one.

 

AD members should ONLY point to AD DNS. This is how they should be set up, period; anything else and you're asking for issues.

 

You then have your AD DNS either forward and/or use root hints to look up, say, www.google.com.

 

Pull anything other than your AD DNS from the client's options, and then try it. If you are still having issues, run dcdiag on your AD to verify it. If that is still good, then you need to figure out why the client cannot find the DC. Firewall rules? Other problems? You can do the DNS queries via nslookup or dig on the client to verify they work, etc.

 

Also, that is not a very good AD name. I assume you're not using the FQDN of the domain; that can cause problems as well, depending on what the search suffix of the machine currently is. While it might be able to resolve mrdlab.tld, it might be doing a query for mrdlab.somethingelse, etc. When joining a domain it is better to use the FQDN.


Nope, I removed every other DNS entry and left only the single one there. I have turned firewalls off on both client and AD as part of the troubleshooting.

The actual FQDN is mrdlab.local; however, using that causes errors, whereas using MRDLAB at least prompts for user/pass, and other machines are able to join using just mrdlab. Unfortunately I have had pressure to "rebuild" this server as a form of resolution, so this is still building at the moment. I am doubtful that this will resolve anything but I will update once it's built to see if this has done anything.

If it is still not working correctly then I will run the dcdiag command, but I have to admit I am not familiar with it so I'm hoping the results will be pretty clear.



#9 riahc3

riahc3

    Neowin's most indecisive member

  • Tech Issues Solved: 11
  • Joined: 09-April 03
  • Location: Spain
  • OS: Windows 7
  • Phone: HTC Desire Z

Posted 11 February 2014 - 09:29

Hello,

use the IP of the DC

The central problem still remains if it cannot resolve the DC...
 
 

Have you tried putting Domainname.local in?

Once I had to do this for a PC that just chose not to find the DC for some reason.

Anyways BudMan is here so we can all step back, read and learn :p

#10 ]SK[

]SK[

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 12-October 04
  • Location: Nottingham, UK
  • OS: Windows 8.1
  • Phone: Nexus 5

Posted 11 February 2014 - 09:52

Rebuilding a DC just because one server won't connect is erm... nevermind.

 

Are these on the same subnet, switch, virtual switch, vlan etc? Can you ping "mrdlab.local"?



#11 OP Skiver

Skiver

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 10-October 05
  • Location: UK, Reading

Posted 11 February 2014 - 10:08

Rebuilding a DC just because one server won't connect is erm... nevermind.

 

Are these on the same subnet, switch, virtual switch, vlan etc? Can you ping "mrdlab.local"?

 

Sorry, I wasn't rebuilding the DC, I was rebuilding the server that was trying to reconnect. No, I am certainly not that desperate... yet!

Yes, same subnet (255.255.255.0). Yes, the same switch; however, one thing to note is that this server is a physical box whereas the DC is a VM on a separate Hyper-V cluster. Yes to VLAN (202), and finally yes, I can ping mrdlab.local.

So the server is rebuilt and, no surprises, it did not resolve the issue. I ran a dcdiag on the DC and it gave the following results which, unless I am missing something, look good.

 

C:\Users\Administrator>dcdiag
 
Directory Server Diagnosis
 
Performing initial setup:
   Trying to find home server...
   Home Server = UK-Citrix-DC01
   * Identified AD Forest.
   Done gathering initial info.
 
Doing initial required tests
 
   Testing server: Default-First-Site-Name\UK-CITRIX-DC01
      Starting test: Connectivity
         ......................... UK-CITRIX-DC01 passed test Connectivity
 
Doing primary tests
 
   Testing server: Default-First-Site-Name\UK-CITRIX-DC01
      Starting test: Advertising
         ......................... UK-CITRIX-DC01 passed test Advertising
      Starting test: FrsEvent
         ......................... UK-CITRIX-DC01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... UK-CITRIX-DC01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... UK-CITRIX-DC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... UK-CITRIX-DC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... UK-CITRIX-DC01 passed test
         KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... UK-CITRIX-DC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... UK-CITRIX-DC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... UK-CITRIX-DC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... UK-CITRIX-DC01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... UK-CITRIX-DC01 passed test Replications
      Starting test: RidManager
         ......................... UK-CITRIX-DC01 passed test RidManager
      Starting test: Services
         ......................... UK-CITRIX-DC01 passed test Services
      Starting test: SystemLog
         ......................... UK-CITRIX-DC01 passed test SystemLog
      Starting test: VerifyReferences
         ......................... UK-CITRIX-DC01 passed test VerifyReferences
 
 
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
 
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
 
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
 
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
 
   Running partition tests on : mrdlab
      Starting test: CheckSDRefDom
         ......................... mrdlab passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... mrdlab passed test CrossRefValidation
 
   Running enterprise tests on : mrdlab.local
      Starting test: LocatorCheck
         ......................... mrdlab.local passed test LocatorCheck
      Starting test: Intersite
         ......................... mrdlab.local passed test Intersite
 
 
However, I did run dcdiag /test:dns which, although in some areas it seems to suggest it "passed", shows errors:

C:\Users\Administrator>dcdiag /test:dns
 
Directory Server Diagnosis
 
Performing initial setup:
   Trying to find home server...
   Home Server = UK-Citrix-DC01
   * Identified AD Forest.
   Done gathering initial info.
 
Doing initial required tests
 
   Testing server: Default-First-Site-Name\UK-CITRIX-DC01
      Starting test: Connectivity
         ......................... UK-CITRIX-DC01 passed test Connectivity
 
Doing primary tests
 
   Testing server: Default-First-Site-Name\UK-CITRIX-DC01
 
      Starting test: DNS
 
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... UK-CITRIX-DC01 passed test DNS
 
   Running partition tests on : ForestDnsZones
 
   Running partition tests on : DomainDnsZones
 
   Running partition tests on : Schema
 
   Running partition tests on : Configuration
 
   Running partition tests on : mrdlab
 
   Running enterprise tests on : mrdlab.local
      Starting test: DNS
         Summary of test results for DNS servers used by the above domain
         controllers:
 
            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.36.148.17
            DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::803f:235
 
            DNS server: 2001:500:2d::d (d.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d
 
            DNS server: 2001:500:2f::f (f.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f
 
            DNS server: 2001:500:3::42 (l.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:3::42
 
            DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30
 
            DNS server: 2001:503:c27::2:30 (j.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30
 
            DNS server: 2001:7fd::1 (k.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1
 
            DNS server: 2001:7fe::53 (i.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53
 
            DNS server: 2001:dc3::35 (m.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35
 
         ......................... mrdlab.local passed test DNS
 
C:\Users\Administrator>
 
 
Apologies if I have missed any questions, and thank you for your help so far!


#12 ]SK[

]SK[

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 12-October 04
  • Location: Nottingham, UK
  • OS: Windows 8.1
  • Phone: Nexus 5

Posted 11 February 2014 - 10:50

Just looks like the DC has no internet access? They can be ignored I guess.

 

Are all other working servers physical too?

Do your switches use ACLs to manage traffic?



#13 OP Skiver

Skiver

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 10-October 05
  • Location: UK, Reading

Posted 11 February 2014 - 11:21

Ah ok, thanks.

No, this is the only physical server that is, or at least should be, part of this domain. This is a small lab setup so there are only 4 or 5 of them in total; everything else is part of a separate Hyper-V cluster.

I have to admit, the network is one area I have zero access to or knowledge of, so I will have to ask that question of the guys that do. They have been involved to some degree and haven't come forward with anything so far.



#14 ]SK[

]SK[

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 12-October 04
  • Location: Nottingham, UK
  • OS: Windows 8.1
  • Phone: Nexus 5

Posted 11 February 2014 - 11:34

It would be worth getting your network guys involved to see if they can see ports being blocked. The fact you can ping your server suggests to me the VLANs are ok. I guess they allow ICMP and DNS.

 

If they are anything like my network dept you have to prove it to them it's their config causing the issue.
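The checks BudMan (DNS client pointing only at AD DNS, locator lookups, firewall rules) and ]SK[ (ports blocked between client and DC) describe, collected into one read-only script to run on the client that cannot join. This is an added example, not code from anyone in the thread; it assumes the domain is mrdlab.local and uses 10.0.0.10 as a placeholder for the DC/DNS address, and needs the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the thread). Read-only diagnostics for a domain-join
# failure. $DcIp is a placeholder; replace it with the real DC/DNS server address.
$Domain = 'mrdlab.local'
$DcIp   = '10.0.0.10'   # placeholder

# 1. The client must use ONLY the AD DNS server. Any extra resolver (ISP, public
#    DNS) can answer "not found" for the internal zone and break DC discovery.
$servers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
$stray = $servers | Where-Object { $_ -ne $DcIp }
if ($stray) { Write-Warning "Non-AD DNS servers configured: $($stray -join ', ')" }
else        { Write-Host "DNS client points only at $DcIp" }

# 2. The join locates a DC through SRV records, so an A record for the domain
#    name (what 'nslookup mrdlab.local' returns) is not enough on its own.
foreach ($rec in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.$Domain") {
    try {
        $srv = Resolve-DnsName -Name $rec -Type SRV -Server $DcIp -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $srv) { Write-Host "$rec -> $($r.NameTarget):$($r.Port)" }
    } catch { Write-Warning "SRV lookup failed for $rec : $($_.Exception.Message)" }
}

# 3. A successful ping only proves ICMP passes. The join also needs these TCP
#    ports (plus the dynamic RPC range 49152-65535) open to the DC; a closed one
#    points at a firewall or switch ACL between the physical server and the DC.
$ports = @{ 53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 139='NetBIOS session';
            389='LDAP'; 445='SMB (Netlogon/SYSVOL)'; 464='Kerberos kpasswd'; 636='LDAPS' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $ok = (Test-NetConnection -ComputerName $DcIp -Port $p `
              -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,5} {1,-25} {2}' -f $p, $ports[$p], $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 4. Ask the DC locator directly, as the join wizard does, for both the FQDN and
#    the short NetBIOS name used in the thread; a difference between the two
#    answers shows whether suffix search or NetBIOS resolution is in play.
nltest /dsgetdc:$Domain /force
nltest /dsgetdc:MRDLAB /force
```

Run it from an elevated PowerShell on the failing server and compare with the same output from a VM that joins successfully; the first line that differs is where to look.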



#15 OP Skiver

Skiver

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 10-October 05
  • Location: UK, Reading

Posted 11 February 2014 - 11:40

It would be worth getting your network guys involved to see if they can see ports being blocked. The fact you can ping your server suggests to me the VLANs are ok. I guess they allow ICMP and DNS.

 

If they are anything like my network dept you have to prove it to them it's their config causing the issue.

Thanks, I am just in the process of writing a nice long email showing all the tests I have done etc. They are normally quite good and my role involves working quite closely with them at times, but as usual they are snowed under with projects and issues. Again, I will post any progress, and thanks for your help so far. I can take some relief that this hasn't been solved (yet) with something simple :)