adding machine to domain with NATed IPs



Within the domain, there are five DCs for three sites. Subnets are
specified within AD Site and Services accordingly. No forest within
the domain.

We have four remote machines that need to be added to the domain. Due to
the cost/maintenance we went to a 3rd party hosted solution for
connectivity between the main site and remote. The third party is
NATing a list of given IPs we provided for within the same subnet
(172.31.244.x). Clients will communicate based on the NATed IPs,
clients will be accessible by actual IP.

The NATed IPs for the DC/DNS on the 172.31.244.x subnet:

SRV1 206.13.184.4
SRV2 206.13.184.5

On the remote clients, we specified these IPs as DNS server within TCP/
IP properties and the remote subnet within Sites and Services. When
attempting to add the machines to the domain, we get this initial
error:

Note: This information is intended for a network administrator. If
you are not your network's administrator, notify the administrator
that you received this information, which has been recorded in the
file C:\WINDOWS\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service
location (SRV) resource record used to locate a domain controller for
domain bluecapital.local:

The error was: "This operation returned because the timeout period
expired."
(error code 0x000005B4 ERROR_TIMEOUT)

The query was for the SRV record for
_ldap._tcp.dc._msdcs.bluecapital.local

The DNS servers used by this computer for name resolution are not
responding. This computer is configured to use DNS servers with the
following IP addresses:

206.13.184.4
206.13.184.5

Verify that this computer is connected to the network, that these are
the correct DNS server IP addresses, and that at least one of the DNS
servers is running.

For more information on how to correct this problem, click Help.

In an effort to determine the issue, we ran a Wireshark on the PDC
emulator and believe that all five DCs were responding back to the
request. And since all five DCs are not NATed, the client was failing
to join the domain. Wireshark output below:

Queries
_ldap._tcp.dc._msdcs.mydomain.local: type SRV, class IN
Name: _ldap._tcp.dc._msdcs.mydomain.local
Type: SRV (Service location)
Class: IN (0x0001)

Answers
_ldap._tcp.dc._msdcs.mydomain.local: type SRV, class IN, priority 0,
weight 100, port 389, target srv5.mydomain.local
Name: _ldap._tcp.dc._msdcs.mydomain.local
Type: SRV (Service location)
Class: IN (0x0001)
Time to live: 10 minutes
Data length: 33
Priority: 0
Weight: 100
Port: 389
Target: srv5.mydomain.local
_ldap._tcp.dc._msdcs.mydomain.local: type SRV, class IN, priority 0,
weight 100, port 389, target srv3.mydomain.local
Name: _ldap._tcp.dc._msdcs.mydomain.local
Type: SRV (Service location)
Class: IN (0x0001)
Time to live: 10 minutes
Data length: 33
Priority: 0
Weight: 100
Port: 389
Target: srv3.mydomain.local
_ldap._tcp.dc._msdcs.mydomain.local: type SRV, class IN, priority 0,
weight 100, port 389, target srv4.mydomain.local
Name: _ldap._tcp.dc._msdcs.mydomain.local
Type: SRV (Service location)
Class: IN (0x0001)
Time to live: 10 minutes
Data length: 33
Priority: 0
Weight: 100
Port: 389
Target: srv4.mydomain.local
_ldap._tcp.dc._msdcs.mydomain.local: type SRV, class IN, priority 0,
weight 100, port 389, target srv1.mydomain.local
Name: _ldap._tcp.dc._msdcs.mydomain.local
Type: SRV (Service location)
Class: IN (0x0001)
Time to live: 10 minutes
Data length: 33
Priority: 0
Weight: 100
Port: 389
Target: srv1.mydomain.local
_ldap._tcp.dc._msdcs.mydomain.local: type SRV, class IN, priority 0,
weight 100, port 389, target srv2.mydomain.local
Name: _ldap._tcp.dc._msdcs.mydomain.local
Type: SRV (Service location)
Class: IN (0x0001)
Time to live: 10 minutes
Data length: 33
Priority: 0
Weight: 100
Port: 389
Target: srv2.mydomain.local

My first attempt was changing the priority for each of the _ldap (SRV)
within DNS and failed. Second attempt was to change the client local
LMHOSTS file and failed. My searches are leading to a dead end. We
basically want only the two NATed DCs to respond back if that is the
problem.

Thanks in advance
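The following is an added example and is not part of the original post. It takes the Wireshark-style SRV answer dump quoted above, parses the five domain controller targets out of it, and then works out from a remote client's point of view which of those DCs are actually reachable through the provider's NAT. The A records, the private-to-NATed address table and the site name are constructed sample data modelled on the post (srv1/srv2 behind the two NATed addresses, srv3 to srv5 not), not values taken from the real environment. The point it makes is that the generic `_ldap._tcp.dc._msdcs.<domain>` record returns every DC in the domain, so a client that lands on a non-NATed target cannot complete the join; a site-aware client queries the site-specific `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` record first, which is where only the reachable DCs should be registered.

```python
"""
Added example (not the poster's code): parse a Wireshark SRV answer dump
and classify the returned domain controllers by NAT reachability.
"""
import re
from dataclasses import dataclass

# Constructed sample dump, in the same layout as the Wireshark output in
# the post (only the per-answer fields the parser needs are shown here).
SRV_DUMP = """\
Answers
Name: _ldap._tcp.dc._msdcs.mydomain.local
Type: SRV (Service location)
Priority: 0
Weight: 100
Port: 389
Target: srv5.mydomain.local
Priority: 0
Weight: 100
Port: 389
Target: srv3.mydomain.local
Priority: 0
Weight: 100
Port: 389
Target: srv4.mydomain.local
Priority: 0
Weight: 100
Port: 389
Target: srv1.mydomain.local
Priority: 0
Weight: 100
Port: 389
Target: srv2.mydomain.local
"""

# Constructed sample data: what each SRV target resolves to on the internal
# network, and the private -> NATed mapping the provider gave us.
A_RECORDS = {
    "srv1.mydomain.local": "172.31.244.1",
    "srv2.mydomain.local": "172.31.244.2",
    "srv3.mydomain.local": "172.31.244.3",
    "srv4.mydomain.local": "172.31.244.4",
    "srv5.mydomain.local": "172.31.244.5",
}
NAT_MAP = {
    "172.31.244.1": "206.13.184.4",
    "172.31.244.2": "206.13.184.5",
}


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


_FIELD = re.compile(r"^\s*(Priority|Weight|Port|Target):\s*(\S+)\s*$")


def parse_srv_dump(text: str) -> list[SrvRecord]:
    """Collect one SrvRecord per 'Target:' line, using the preceding
    Priority/Weight/Port lines of the same answer."""
    records, current = [], {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        current[key] = value
        if key == "target":
            records.append(SrvRecord(
                int(current["priority"]), int(current["weight"]),
                int(current["port"]), value.rstrip(".").lower()))
            current = {}
    return records


def classify_dcs(records, a_records, nat_map):
    """Split DCs into (reachable, unreachable) from the NATed client's side.
    Reachable entries carry the NATed address the client must use; both
    lists keep the DC locator's own preference order (priority, then
    weight)."""
    reachable, unreachable = [], []
    for rec in sorted(records, key=lambda r: (r.priority, -r.weight)):
        private_ip = a_records.get(rec.target)
        public_ip = nat_map.get(private_ip)
        if public_ip:
            reachable.append((rec.target, public_ip, rec.port))
        else:
            unreachable.append((rec.target, private_ip, rec.port))
    return reachable, unreachable


def site_srv_name(site: str, domain: str) -> str:
    """Site-specific DC locator record a site-aware client queries first."""
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"


if __name__ == "__main__":
    ok, bad = classify_dcs(parse_srv_dump(SRV_DUMP), A_RECORDS, NAT_MAP)
    print("reachable via NAT:", ok)
    print("not reachable from remote site:", bad)
    print("site record to check:", site_srv_name("RemoteSite", "mydomain.local"))
```

Run as-is it reports srv1 and srv2 as reachable (through 206.13.184.4 and 206.13.184.5) and srv3 to srv5 as unreachable, which matches the failure described in the post: three of the five answers point at DCs the remote client cannot talk to on port 389. Checking what the site-specific record returns for the remote site (and that only the NATed DCs are listed there) is the natural next diagnostic step.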
