Re: adding machine to domain with NATed IPs
- From: BlueIT <bijal.shah@xxxxxxxxxx>
- Date: Fri, 13 Feb 2009 11:36:23 -0800 (PST)
On Feb 12, 3:39 pm, "Jorge Silva" <jorgesilva...@xxxxxxxxxxx> wrote:
- What error did you get?
- Did you choose a DC that ISN'T using those NAT addresses?
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"BlueIT" <bijal.s...@xxxxxxxxxx> wrote in message
news:e12407da-d541-4e61-be0a-2b50b811d118@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Feb 11, 12:25 pm, "Jorge Silva" <jorgesilva...@xxxxxxxxxxx> wrote:
Yes, do the following from cmd (install support tools first, can download from MS web site):
Netdom Join %computername% /Domain:mydomain.local\DCName /UserD:Mydomain\Administrator /PasswordD:*
Let me know the results :)
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"BlueIT" <bijal.s...@xxxxxxxxxx> wrote in message
news:2dbbe660-3c66-49f8-ba5f-003f8062a28c@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Feb 10, 5:38 pm, "Jorge Silva" <jorgesilva...@xxxxxxxxxxx> wrote:
Hi
Hum... Time out errors, sounds like the DCs are not reaching the clients or vice versa? Any errors in the logs for the NAT devices? Any FW configured between them? Can you ping back the clients and servers? Can you ping the domain by its FQDN? Can the servers ping the clients by IP and name? Since the clients are simulated within the same subnet, will the broadcast request pass the NAT device?
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"BlueIT" <bijal.s...@xxxxxxxxxx> wrote in message
news:0160003b-2f78-4aab-8c39-4d48ee0aab49@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Within the domain, there are five DCs for three sites. Subnets are specified within AD Sites and Services accordingly. No forest within the domain.
We have four remote machines that need to be added to the domain. Due to the cost/maintenance we went to a 3rd party hosted solution for connectivity between the main site and remote. The third party is NATing a list of given IPs we provided within the same subnet (172.31.244.x). Clients will communicate based on the NATed IPs; clients will be accessible by actual IP.
The NATed IPs for the DC/DNS on the 172.31.244.x subnet:
SRV1 206.13.184.4
SRV2 206.13.184.5
On the remote clients, we specified these IPs as DNS servers within the TCP/IP properties and the remote subnet within Sites and Services. When attempting to add the machines to the domain, we get this initial error:
Note: This information is intended for a network administrator. If
you are not your network's administrator, notify the administrator
that you received this information, which has been recorded in the
file C:\WINDOWS\debug\dcdiag.txt.
The following error occurred when DNS was queried for the service
location (SRV) resource record used to locate a domain controller for
domain bluecapital.local:
The error was: "This operation returned because the timeout period
expired."
(error code 0x000005B4 ERROR_TIMEOUT)
The query was for the SRV record for
_ldap._tcp.dc._msdcs.bluecapital.local
The DNS servers used by this computer for name resolution are not
responding. This computer is configured to use DNS servers with the
following IP addresses:
206.13.184.4
206.13.184.5
Verify that this computer is connected to the network, that these are
the correct DNS server IP addresses, and that at least one of the DNS
servers is running.
For more information on how to correct this problem, click Help.
In an effort to determine the issue, we ran a WireShark on the PDC
emulator and believe that all five DCs were responding back to the
request. And since all five DCs are not NATed, the client was failing
to join the domain. WireShark output below:
Queries
_ldap._tcp.dc._msdcs.mydomain.local: type SRV, class IN
Name: _ldap._tcp.dc._msdcs.mydomain.local
Type: SRV (Service location)
Class: IN (0x0001)
Answers
_ldap._tcp.dc._msdcs.mydomain.local: type SRV, class IN, priority 0,
weight 100, port 389, target srv5.mydomain.local
Name: _ldap._tcp.dc._msdcs.mydomain.local
Type: SRV (Service location)
Class: IN (0x0001)
Time to live: 10 minutes
Data length: 33
Priority: 0
Weight: 100
Port: 389
Target: srv5.mydomain.local
_ldap._tcp.dc._msdcs.mydomain.local: type SRV, class IN, priority 0,
weight 100, port 389, target srv3.mydomain.local
Name: _ldap._tcp.dc._msdcs.mydomain.local
Type: SRV (Service location)
Class: IN (0x0001)
Time to live: 10 minutes
Data length: 33
Priority: 0
Weight: 100
Port: 389
Target: srv3.mydomain.local
_ldap._tcp.dc._msdcs.mydomain.local: type SRV, class IN, priority 0,
weight 100, port 389, target srv4.mydomain.local
Name: _ldap._tcp.dc._msdcs.mydomain.local
Type: SRV (Service location)
Class: IN (0x0001)
Time to live: 10 minutes
Data length: 33
Priority: 0
Weight: 100
Port: 389
Target: srv4.mydomain.local
_ldap._tcp.dc._msdcs.mydomain.local: type SRV, class IN, priority 0,
weight 100, port 389, target srv1.mydomain.local
Name: _ldap._tcp.dc._msdcs.mydomain.local
Type: SRV (Service location)
Class: IN (0x0001)
Time to live: 10 minutes
Data length: 33
Priority: 0
Weight: 100
Port: 389
Target: srv1.mydomain.local
_ldap._tcp.dc._msdcs.mydomain.local: type SRV, class IN, priority 0,
weight 100, port 389, target srv2.mydomain.local
Name: _ldap._tcp.dc._msdcs.mydomain.local
Type: SRV (Service location)
Class: IN (0x0001)
Time to live: 10 minutes
Data length: 33
Priority: 0
Weight: 100
Port: 389
Target: srv2.mydomain.local
My first attempt was changing the priority for each of the _ldap (SRV) records within DNS, and it failed. Second attempt was to change the client's local LMHOSTS file, and it failed. My searches are leading to a dead end. We basically want only the two NATed DCs to respond back, if that is the problem.
Thanks in advance
I failed to mention that PING is being blocked by the 3rd party hosted solution for connectivity. I am able to telnet to open ports on the remote DCs. I entered the NATed IPs of the two DCs within the client TCP/IP properties. The machines do register within DNS (forward and reverse) as well, and when I do an nslookup, one of the two NATed servers displays as a result with the NATed IP:
c:\>nslookup
Default Server: srv1.mydomain.com
Address: 206.13.184.5
Looking at Event Viewer, there are no obvious errors found. All we can really tell is that when a request by the client is being made, all our DCs seem to be replying based on our WireShark findings. Although SRV3, SRV4 and SRV5 are on different subnets and associated with different sites, they seem to be answering requests. And since they are not NATed like SRV1 and SRV2, I believe that is causing the failure on the client portion.
Is there a way to specify which DCs answer requests when a machine is added to the domain?
I attempted NETDOM, but it failed. Viewing the result with WireShark shows the same: all DCs are answering the query for _ldap._tcp.dc._msdcs.mydomain.com
netdom join clienthostname /domain:mydomain.com\srv1 /userd:mydomain.com\administrator /passwordd:password
Error:
The command failed to complete successfully.
I get the same results when specifying both NATed DCs.
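An added diagnostic, not from this thread, that does from the joining client what the Wireshark capture above did by hand: it resolves the domain-wide and the site-specific DC SRV records, then tests whether each returned DC is actually reachable through the NAT on the LDAP and SMB ports. $Domain and $SiteName are placeholders, and the cmdlets assume a Windows 8 / Server 2012 or newer client.

```powershell
# Added example (not the thread's own commands): list every DC the locator will learn
# from DNS as seen from this client, and test reachability of each one.
param(
    [string]$Domain   = "mydomain.local",   # placeholder: the AD DNS domain
    [string]$SiteName = "RemoteSite"        # placeholder: the site the client subnet maps to
)

$queries = @(
    "_ldap._tcp.dc._msdcs.$Domain",                    # domain-wide list (what Wireshark showed)
    "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain"    # site-specific list the locator tries first
)

foreach ($q in $queries) {
    Write-Host "`n== $q =="
    $srv = Resolve-DnsName -Name $q -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'SRV' }
    if (-not $srv) { Write-Host "  no SRV answer (timeout or no record)"; continue }

    # Same ordering a client uses: lowest priority first, higher weight preferred within it.
    foreach ($rec in $srv | Sort-Object Priority, @{Expression = 'Weight'; Descending = $true}) {
        $target = $rec.NameTarget
        # A record as seen from this client. Through the NAT this should be the 206.x address;
        # a 172.31.244.x answer means the client will try an address it cannot reach.
        $ip = (Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1).IPAddress
        $ldap = $false; $smb = $false
        if ($ip) {
            $ldap = (Test-NetConnection -ComputerName $ip -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
            $smb  = (Test-NetConnection -ComputerName $ip -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        $shown = if ($ip) { $ip } else { 'unresolved' }
        "{0,-28} {1,-16} prio={2} weight={3} ldap/389={4} smb/445={5}" -f $target, $shown, $rec.Priority, $rec.Weight, $ldap, $smb
    }
}

# Any DC listed above that is not reachable on 389/445 is one the joining client may be handed
# and then time out on. Because every returned record is still a candidate, changing priorities
# alone does not remove it; the remote subnet must map (Sites and Services) to a site whose
# DCs are the NATed ones, so that the site-specific answer lists only reachable DCs.
# Finally, ask the locator itself which DC it would pick from here:
nltest /dsgetdc:$Domain /force
```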