Domain Joining Issues


Hi Guys,

I need your expertise as I certainly do not have any in this area. Long story short, someone was troubleshooting what he referred to as "communication issues between a server and a lab DC" and as part of this removed the server from the domain and is now unable to rejoin. Unfortunately this task seems to have gone from one idiot who doesn't know what he is doing to another.

 

The DC in some form or another is fine as I have used a VM and joined to the lab domain absolutely fine.

When I attempt to join the domain, I am first prompted for a user/pass; however, I then get the error shown below:

(screenshot: domain.png)



I'm struggling to come up with how this would be a DNS issue regarding the DC if another machine joined absolutely fine. I can ping the DC by IP and by hostname, so it's not something that silly.

As I mentioned above, this isn't my normal area of expertise, so please be gentle :)

Thanks in advance


The client is using the DC as the primary DNS server correct?  As long as that's all okay and another client is ok I would double check the dns config, do an ipconfig /flushdns on the troublesome client and see if it succeeds.


Yep, preferred DNS is the IP of the DNS/DC (same server). I've done countless ipconfig /flushdns runs and reboots and still nothing.

 

As for using the IP, are you referring to putting the IP instead of the domain name? I've given that a go but got a completely different error, and looking at it, I think it expects the actual domain name.


This should be fairly simple: where is the DNS on the computer pointing for DNS queries? If it is anything other than the domain controller (even as a secondary), your problem exists with the way you have DNS configured.

 

In a command prompt, do an nslookup for your internal domain:

 

nslookup mydomain.local

 

You should get a resolution of all of your domain controllers (if you have more than one) under the Addresses portion. If you get "cannot be found", you have some other issues going on with DNS.


"yep, preferred DNS is the IP"

 

So do you have other DNS set up? A member of AD should ONLY point to DNS that is for the AD; if you have, say, Google listed, how is it supposed to know about your AD domain? Just because you put the AD DNS on top does not mean that your client is not going to ask the other one.

 

AD members should ONLY point to AD - this is how they should be set up, period; anything else and you're asking for issues.

 

You then have your AD DNS either forward and/or use root hints to look up, say, www.google.com.

 

Pull anything other than your AD DNS from the client's options, and then try it. If still having issues, then run dcdiag on your AD to verify it. If that is still good, then you need to figure out why the client cannot find the DC. Firewall rules? Other problems? You can do the DNS queries via nslookup or dig on the client to verify they work, etc.

 

Also, that is not a very good AD name - I assume you're not using the FQDN of the domain - and that can cause problems as well, depending on what the search suffix of the machine currently is: while it might be able to resolve mrdlab.tld, it might be doing a query for mrdlab.somethingelse, etc. When joining a domain it is better to use the FQDN.

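The advice in the posts above (point the client only at AD DNS, nslookup the domain, join with the FQDN) gathered into one script, added here as an example; it was not posted in the thread. It runs on the client that will not join and assumes the domain FQDN mrdlab.local mentioned later in the thread; the DC address 192.0.2.10 is a placeholder to replace with the lab DC's real IP.

```powershell
# Added example (not from the thread): what a domain join needs from DNS,
# checked from the client that fails to join.
# Assumptions: domain FQDN mrdlab.local (from the thread); the DC address below
# is a placeholder.
param(
    [string]$DomainFqdn = 'mrdlab.local',
    [string[]]$ExpectedDcAddresses = @('192.0.2.10')   # placeholder: the lab DC's IP
)

# 1. Every DNS server the client is configured with must be an AD DNS server.
#    Any other resolver (ISP, 8.8.8.8, a router-advertised IPv6 resolver) may
#    be asked for the domain's records and answer NXDOMAIN, which surfaces as
#    "the domain could not be contacted" even though the DC pings fine.
Write-Host "== Client DNS server configuration =="
Get-DnsClientServerAddress |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        foreach ($srv in $_.ServerAddresses) {
            $label = if ($ExpectedDcAddresses -contains $srv) { 'AD DNS' } else { 'NOT AD DNS - remove it' }
            '{0,-28} {1,-40} {2}' -f $_.InterfaceAlias, $srv, $label
        }
    }

# 2. The records the DC locator queries during a join. The domain's A record is
#    what "nslookup mydomain.local" shows; the SRV records are what the join
#    really depends on, and a short NetBIOS-style name will never find them.
$queries = @(
    @{ Name = $DomainFqdn;                         Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$DomainFqdn";  Type = 'SRV' },
    @{ Name = "_kerberos._tcp.$DomainFqdn";        Type = 'SRV' },
    @{ Name = "_ldap._tcp.pdc._msdcs.$DomainFqdn"; Type = 'SRV' }
)
Write-Host "`n== DC locator records =="
foreach ($q in $queries) {
    try {
        # -DnsOnly skips the hosts file, LLMNR and NetBIOS so the answer reflects DNS alone.
        $answer = Resolve-DnsName -Name $q.Name -Type $q.Type -DnsOnly -ErrorAction Stop
        foreach ($rr in $answer) {
            $target = if ($rr.Type -eq 'SRV') { '{0}:{1}' -f $rr.NameTarget, $rr.Port } else { $rr.IPAddress }
            '{0,-4} {1,-45} -> {2}' -f $q.Type, $q.Name, $target
        }
    } catch {
        '{0,-4} {1,-45} -> FAILED: {2}' -f $q.Type, $q.Name, $_.Exception.Message
    }
}

# 3. Ask the locator itself; /force bypasses any cached DC so this is a fresh lookup.
Write-Host "`n== nltest DC locator =="
nltest "/dsgetdc:$DomainFqdn" /force
```

Anything flagged "NOT AD DNS" in the first section is removed from the adapter before retrying; a failure in the SRV lookups with the A record still resolving is the case where "I can ping the DC by hostname" and "cannot join" are both true at once.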

"Have you tried putting Domainname.local in?"

Yes, that produces a different error message, I can't recall at the moment.

 

"Where is the DNS on the computer pointing for DNS queries? ... In a command prompt, do an nslookup for your internal domain."

Again, if this was the configuration of my DNS, why are other machines able to join?

Doing an nslookup returned the correct FQDN of the DC.

 

 
"AD members should ONLY point to AD ... Pull anything other than your AD DNS from the client's options, and then try it. If still having issues, then run dcdiag on your AD to verify it."

Nope, I removed every other DNS entry and left only the single one there. I have turned firewalls off on both client and AD as part of the troubleshooting.

The actual FQDN is mrdlab.local; however, using that causes errors, whereas using MRDLAB at least prompts for user/pass, and other machines are able to join using just mrdlab. Unfortunately I have had pressure to "rebuild" this server as a form of resolution, so this is still building at the moment. I am doubtful that this will resolve anything, but I will update once it's built to see if this has done anything.

If it is still not working correctly then I will run the dcdiag command, but I have to admit I am not familiar with it, so I'm hoping the results will be pretty clear.


Hello,

"use the IP of the DC"

The central problem still remains if it cannot resolve the DC...

 

 

"Have you tried putting Domainname.local in?"

Once I had to do this for a PC that just chose not to find the DC for some reason.

Anyway, BudMan is here, so we can all step back, read and learn :p


Rebuilding a DC just because one server won't connect is, erm... never mind.

 

Are these on the same subnet, switch, virtual switch, vlan etc? Can you ping "mrdlab.local"?

 

Sorry, I wasn't rebuilding the DC; I was rebuilding the server that was trying to reconnect. No, I am certainly not that desperate... yet!

Yes, same subnet (255.255.255.0). Yes, the same switch; however, one thing to note is that this server is a physical box whereas the DC is a VM on a separate Hyper-V cluster. Yes to VLAN (202), and finally yes, I can ping mrdlab.local.

So the server is rebuilt and, no surprises, it did not resolve the issue. I ran a dcdiag on the DC and it gave the following results, which, unless I am missing something, look good.

 

C:\Users\Administrator>dcdiag
 
Directory Server Diagnosis
 
Performing initial setup:
   Trying to find home server...
   Home Server = UK-Citrix-DC01
   * Identified AD Forest.
   Done gathering initial info.
 
Doing initial required tests
 
   Testing server: Default-First-Site-Name\UK-CITRIX-DC01
      Starting test: Connectivity
         ......................... UK-CITRIX-DC01 passed test Connectivity
 
Doing primary tests
 
   Testing server: Default-First-Site-Name\UK-CITRIX-DC01
      Starting test: Advertising
         ......................... UK-CITRIX-DC01 passed test Advertising
      Starting test: FrsEvent
         ......................... UK-CITRIX-DC01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... UK-CITRIX-DC01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... UK-CITRIX-DC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... UK-CITRIX-DC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... UK-CITRIX-DC01 passed test
         KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... UK-CITRIX-DC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... UK-CITRIX-DC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... UK-CITRIX-DC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... UK-CITRIX-DC01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... UK-CITRIX-DC01 passed test Replications
      Starting test: RidManager
         ......................... UK-CITRIX-DC01 passed test RidManager
      Starting test: Services
         ......................... UK-CITRIX-DC01 passed test Services
      Starting test: SystemLog
         ......................... UK-CITRIX-DC01 passed test SystemLog
      Starting test: VerifyReferences
         ......................... UK-CITRIX-DC01 passed test VerifyReferences
 
 
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
 
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
 
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
 
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
 
   Running partition tests on : mrdlab
      Starting test: CheckSDRefDom
         ......................... mrdlab passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... mrdlab passed test CrossRefValidation
 
   Running enterprise tests on : mrdlab.local
      Starting test: LocatorCheck
         ......................... mrdlab.local passed test LocatorCheck
      Starting test: Intersite
         ......................... mrdlab.local passed test Intersite
 
 
However, I did run dcdiag /test:dns, which, although in some areas it seems to suggest it "passed", shows errors:

C:\Users\Administrator>dcdiag /test:dns
 
Directory Server Diagnosis
 
Performing initial setup:
   Trying to find home server...
   Home Server = UK-Citrix-DC01
   * Identified AD Forest.
   Done gathering initial info.
 
Doing initial required tests
 
   Testing server: Default-First-Site-Name\UK-CITRIX-DC01
      Starting test: Connectivity
         ......................... UK-CITRIX-DC01 passed test Connectivity
 
Doing primary tests
 
   Testing server: Default-First-Site-Name\UK-CITRIX-DC01
 
      Starting test: DNS
 
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... UK-CITRIX-DC01 passed test DNS
 
   Running partition tests on : ForestDnsZones
 
   Running partition tests on : DomainDnsZones
 
   Running partition tests on : Schema
 
   Running partition tests on : Configuration
 
   Running partition tests on : mrdlab
 
   Running enterprise tests on : mrdlab.local
      Starting test: DNS
         Summary of test results for DNS servers used by the above domain
         controllers:
 
            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
            DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::803f:235
 
            DNS server: 2001:500:2d::d (d.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d
 
            DNS server: 2001:500:2f::f (f.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f
 
            DNS server: 2001:500:3::42 (l.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:3::42
 
            DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30
 
            DNS server: 2001:503:c27::2:30 (j.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30
 
            DNS server: 2001:7fd::1 (k.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1
 
            DNS server: 2001:7fe::53 (i.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53
 
            DNS server: 2001:dc3::35 (m.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35
 
         ......................... mrdlab.local passed test DNS
 
C:\Users\Administrator>
 
 
Apologies If I have missed any questions and thank you for your help so far!
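A way to read the summary above without leaning on the final "passed test DNS" line, added here as an example rather than taken from the thread: the function pulls each DNS server and its failures out of dcdiag /test:dns text (rejoining the lines the console wrapped at 80 columns) and separates the noise from what needs a look. The failures in the post are reverse lookups for 127.0.0.1 and ::1 sent to the root-hint servers, which cannot answer them and say nothing about whether a client can locate the DC. The sample input is constructed from the thread's output.

```powershell
# Added example (not from the thread): parse the per-server summary of
# `dcdiag /test:dns` and classify each failure.
function Get-DcdiagDnsSummary {
    param([Parameter(Mandatory)][string[]]$Lines)

    # 1. Cut out the summary section and undo the console wrapping. Every
    #    genuine line in that section is indented; a line starting in column 0
    #    is the tail of the line before it (e.g. "...failed on the DN" + "S server ...").
    $inSummary = $false
    $block = New-Object System.Collections.Generic.List[string]
    foreach ($raw in $Lines) {
        if ($raw -match '^\s*Summary of test results for DNS servers') { $inSummary = $true }
        if (-not $inSummary) { continue }
        $line = $raw.TrimEnd()
        if ($line -eq '') { continue }
        if ($line -notmatch '^\s' -and $block.Count -gt 0) {
            $block[$block.Count - 1] = $block[$block.Count - 1] + $line
        } else {
            $block.Add($line)
        }
        if ($line -match '(passed|failed) test DNS$') { break }
    }

    # 2. Walk the section: a "DNS server:" line opens a record, each
    #    "... failed on the DNS server ..." line is a failure under it, and the
    #    dotted line at the end is dcdiag's overall verdict.
    $servers = @()
    $current = $null
    $verdict = $null
    foreach ($line in $block) {
        if ($line -match '^\s*DNS server:\s+(\S+)\s+\((\S+)\)') {
            $current = [pscustomobject]@{ Address = $Matches[1]; Name = $Matches[2]; Failures = @() }
            $servers += $current
        }
        elseif ($current -and $line -match '^\s*(\S+ record) query for the (\S+) failed on the DNS server') {
            $recordType = $Matches[1]
            $query      = $Matches[2]
            # A PTR for 127.0.0.1 / ::1 asked of a root server cannot succeed
            # (no root server is authoritative for it) and has no bearing on
            # DC location. Anything else is a real finding.
            $loopbackPtr = ($query -match '^1\.0\.0\.127\.in-addr\.arpa\.?$') -or
                           ($query -match '^1(\.0)+\.ip6\.arpa\.?$')
            $rootServer  = $current.Name -like '*.root-servers.net.'
            $assessment  = if ($loopbackPtr -and $rootServer) { 'expected noise: loopback PTR at a root server' } else { 'investigate' }
            $current.Failures += [pscustomobject]@{ RecordType = $recordType; Query = $query; Assessment = $assessment }
        }
        elseif ($line -match '^\s*\.{3,}\s+(\S+)\s+(passed|failed) test DNS$') {
            $verdict = [pscustomobject]@{ Scope = $Matches[1]; Result = $Matches[2] }
        }
    }

    [pscustomobject]@{
        Verdict        = $verdict
        Servers        = $servers
        NeedsAttention = @($servers | ForEach-Object { $_.Failures } | Where-Object { $_.Assessment -eq 'investigate' })
    }
}

# Constructed sample (not real output): a trimmed copy of the thread's summary
# with dcdiag's console wrapping kept so the rejoin logic is exercised.
$sample = @'
   Running enterprise tests on : mrdlab.local
      Starting test: DNS
         Summary of test results for DNS servers used by the above domain
         controllers:

            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.36.148.17
            DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::803f:235

         ......................... mrdlab.local passed test DNS
'@ -split "`r?`n"

$report = Get-DcdiagDnsSummary -Lines $sample
'Verdict: {0} {1} test DNS' -f $report.Verdict.Scope, $report.Verdict.Result
$report.Servers | ForEach-Object { $s = $_; $s.Failures | Select-Object @{ n = 'Server'; e = { $s.Address } }, Query, Assessment } | Format-Table -AutoSize
"Failures needing attention: $($report.NeedsAttention.Count)"
# Against a live DC:  Get-DcdiagDnsSummary -Lines (dcdiag /test:dns)
```

On the thread's full output every entry lands in the "expected noise" bucket and NeedsAttention is empty, which matches dcdiag's own "passed" verdict: the DNS test is not where this join failure shows up.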

Ah ok, thanks.

No, this is the only physical server that is, or at least should be, part of this domain. This is a small lab setup, so there are only 4 or 5 of them in total; everything else is part of a separate Hyper-V cluster.

I have to admit the network is one area I have zero access to or knowledge of, so I will have to ask that question of the guys that do. They have been involved to some degree and haven't come forward with anything so far.


Would be worth getting your network guys involved to see if they can see ports being blocked. The fact you can ping your server suggests to me the VLANs are OK. I guess they allow ICMP and DNS.

 

If they are anything like my network dept you have to prove it to them it's their config causing the issue.


Thanks, I am just in the process of writing a nice long email showing all the tests I have done, etc. They are normally quite good, and my role involves working quite closely with them at times, but as usual they're snowed under with projects and issues. Again, I will post any progress, and thanks for your help so far. I can take some relief that this hasn't been solved (yet) with something simple :)


So IT checked and double-checked the switches and could not find anything... then came a stroke of random genius, sort of.

Basically, the virtual DC is on a Hyper-V cluster made up of 5 servers; the DC was on node 004. I moved it to 001 and suddenly the server joined the domain. I guess this kind of explains why it was working and then stopped; however, this obviously shouldn't be an issue, so that will need to be looked into separately.

It's also the reason the other machines were connecting fine first time: through freak coincidence they were all on the same node. When I moved the DC to another, one of my test clients could no longer ping.

Thanks for helping; not sure anyone would have really figured out our virtual cluster's failings, as it is probably the last place you would think to look during all of this.

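Two checks that would have localised this failure, added as an example and not taken from the thread. The first runs on the client that cannot join and tests the TCP ports a join uses against the DC: ping succeeding while these fail points at filtering between the client and the VM rather than at DNS. The second runs on a machine with the Hyper-V and FailoverClusters modules and lists, per cluster node, the virtual switch the DC's adapter binds to, which is the first thing that can differ from node to node. The VM name UK-CITRIX-DC01 is taken from the dcdiag output in the thread; the cluster name hv-cluster and the DC address 192.0.2.10 are placeholders, and the script assumes the cluster role carries the same name as the VM (the default when a VM is made highly available).

```powershell
# Added example (not from the thread). Placeholders: DC address 192.0.2.10,
# cluster name hv-cluster. VM name UK-CITRIX-DC01 comes from the thread's dcdiag output.

function Test-DomainJoinPorts {
    param(
        [Parameter(Mandatory)][string]$DcAddress,
        # Ports a join and secure-channel setup talk to: DNS, Kerberos, RPC endpoint
        # mapper, NetBIOS session, LDAP, SMB, kpasswd, LDAPS, global catalog.
        [int[]]$Ports = @(53, 88, 135, 139, 389, 445, 464, 636, 3268)
    )
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $DcAddress -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $p
            TcpOpen = $r.TcpTestSucceeded
            PingOk  = $r.PingSucceeded
        }
    }
}

function Get-VmNetworkPerNode {
    param(
        [Parameter(Mandatory)][string]$ClusterName,
        [Parameter(Mandatory)][string]$VmName
    )
    # Assumption: the cluster role is named after the VM, so OwnerNode tells us
    # where the VM runs right now.
    $role = Get-ClusterGroup -Cluster $ClusterName -Name $VmName
    $nic  = Get-VMNetworkAdapter -ComputerName $role.OwnerNode.Name -VMName $VmName
    $vlan = $nic | Get-VMNetworkAdapterVlan
    foreach ($node in Get-ClusterNode -Cluster $ClusterName) {
        # The adapter is bound to a switch *name*. After a migration the target
        # node must have a switch of that name whose uplink carries the same VLAN,
        # otherwise the VM comes up on a network nobody on the LAN can reach.
        $sw = Get-VMSwitch -ComputerName $node.Name -Name $nic.SwitchName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Node          = $node.Name
            OwnsVm        = ($node.Name -eq $role.OwnerNode.Name)
            SwitchPresent = [bool]$sw
            SwitchType    = $sw.SwitchType
            Uplink        = $sw.NetAdapterInterfaceDescription
            VlanMode      = $vlan.OperationMode
            AccessVlan    = $vlan.AccessVlanId
        }
    }
}

# Usage (adjust the placeholders):
Test-DomainJoinPorts -DcAddress '192.0.2.10' | Format-Table -AutoSize
Get-VmNetworkPerNode -ClusterName 'hv-cluster' -VmName 'UK-CITRIX-DC01' | Format-Table -AutoSize
```

The second table shows only what Hyper-V knows; whether each node's uplink port is actually trunked for the VM's VLAN lives on the physical switch, so a node that looks identical here can still be the odd one out, and that is the row to hand to the network team together with the port-test results.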

Knowing your entire environment setup from this side of the board is almost impossible without complete documentation.

Oh I know that, but when I first posted that, I thought this was perhaps down to my lack of knowledge on domains/DNS and it was something that I hadn't looked at or understood correctly.
