Re: Can't join domain server
From: 'puter-rooter (puterrooter_at_discussions.microsoft.com)
Date: 03/20/05
- Next message: DHauser: "RAS Doesn't Start - Unable to Load IPrtrmgr.dll"
- Previous message: Bill Grant: "Re: Can't join domain server"
- In reply to: Todd J Heron: "Re: Can't join domain server"
- Next in thread: Todd J Heron: "Re: Can't join domain server"
- Reply: Todd J Heron: "Re: Can't join domain server"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 19 Mar 2005 20:31:02 -0800
This happened a couple days ago, but still isn't resolved. I won't have an
answer until next Monday or Wednesday. It's a new network setup, so spyware
isn't really an issue. As for your list:
> 1) Is the network cable plugged in and fully seated?
Yes
> 2) Can you ping the DC by IP? By name?
IP - Yes: Name - No
> 3) In the network adapter TCP/IP properties, is the client configured with a
> 'Preferred DNS Server' of a DNS server supporting the Active Directory
> domain?
Yes - but also the ISP (will change this)
> 4) In the network adapter TCP/IP properties, is the client configured with a
> 'Primary DNS Suffix' matching that of the Active Directory DNS domain name?
No - is this needed before you can join the domain or a helpful precaution?
> 5) Do SRV records for the DC exist in DNS? Conduct the following test and
> examine the result (determines if internal AD DC's are properly listed in
> DNS):
>
> a) Open a DM prompt
> b) Enter nslookup
> c) Enter set q=srv
> d) Enter _ldap._tcp.<domain name>
> (replace <domain name> above with your fully-qualified domain name)
I'll see next week.
> 6) Ensure the Internet Connection Firewall is *not* enabled on the DC and no
> other host-based firewall running on it.
Firewall is enabled, but I also changed the settings to 'permit / allow'
most of what was in the firewall's default list. Also have installed
Symantec's firewall, but it's not enabled. There is no anti-virus on the
server (client decision).
> 7) Run an adware/spyware scan on the client computer.
New Dell computers - straight out of the box, only updated OS / McAfee /
Office.
> 8) Ensure the domain is not a single-label domain name.
No - it's NLS.DNS1
> 9) Verify you do not have a disjointed namespace. This can cause the same
> sort of issues that a single-label name can cause.
Not a problem
I also need to verify that the time settings are identical on the clients /
server.
"Todd J Heron" wrote:
> "Server has a static IP (192.168.1.100), Primary DNS is pointing to itself
> (secondary to ISP), dcdiag.exe passes all tests, debugging DNS passes both
> tests, able to ping the server from the client. Initially client was setup
> with DHCP from router (192.168.1.101-151) all on 255.255.255.0 subnet.
> Entered static address on client, pointing the primary DNS to the server
> (secondary to ISP).
>
> That's the first problem. All internal Active Directory domain clients
> should be configured to use only an internal DNS Server hosting the zone
> name for the Active Directory domain. This means that all workstations and
> servers on the domain, to include all DCs and DNS servers, should never be
> configured with external DNS servers in any position on any network interface.
> This means internal DNS server listed as the 'Preferred DNS Server' and
> internal DNS server listed as the alternate, or leave that field blank. Do
> not put an ISP DNS server as alternate on the network interface of an AD
> domain client.
>
> "Users were created directly in an organizational unit instead of the
> default user groups (not sure that matters), after AD was setup. "
>
> Correct, it doesn't matter.
>
> "nslookup:
> C:\Documents and Settings\tria>nslookup
> DNS request timed out.
> timeout was 2 seconds.
> *** Can't find server name for address 192.168.1.100: Timed out
> Default Server: (ISP)
> Address: (ISP)"
>
> Not really a problem, Active Directory does not require a reverse lookup
> zone in order to function.
>
> "When trying to join the client to the domain, using the DNS name (NLS.DNS1)
> I get the following error.
>
> Error message:
> The following error occurred when DNS was queried for the service location
> (SRV) resource record used to locate a domain controller for domain
> NLC.DNS1:
>
> The error was: "DNS name does not exist."
> (error code 0x0000232B RCODE_NAME_ERROR)
>
> The query was for the SRV record for _ldap._tcp.dc._msdcs.NLC.DNS1
>
> Common causes of this error include the following:
> - The DNS SRV record is not registered in DNS.
> - One or more of the following zones do not include delegation to its child
> zone:
> NLC.DNS1
> DNS1
> .. (the root zone)
>
> I have a few things to check / try, but wonder if there's anything simple
> I'm overlooking?"
>
> Try this 9-point check and report back the results.
>
> 1) Is the network cable plugged in and fully seated?
> 2) Can you ping the DC by IP? By name?
> 3) In the network adapter TCP/IP properties, is the client configured with a
> 'Preferred DNS Server' of a DNS server supporting the Active Directory
> domain?
> 4) In the network adapter TCP/IP properties, is the client configured with a
> 'Primary DNS Suffix' matching that of the Active Directory DNS domain name?
> 5) Do SRV records for the DC exist in DNS? Conduct the following test and
> examine the result (determines if internal AD DC's are properly listed in
> DNS):
>
> a) Open a DM prompt
> b) Enter nslookup
> c) Enter set q=srv
> d) Enter _ldap._tcp.<domain name>
>
> (replace <domain name> above with your fully-qualified domain name)
> 6) Ensure the Internet Connection Firewall is *not* enabled on the DC and no
> other host-based firewall running on it.
> 7) Run an adware/spyware scan on the client computer.
> 8) Ensure the domain is not a single-label domain name.
> 9) Verify you do not have a disjointed namespace. This can cause the same
> sort of issues that a single-label name can cause.
>
> Best practices for DNS client settings in Windows 2000 Server and in Windows
> Server 2003:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;825036
>
> HOW TO: Configure DNS for Internet Access in Windows Server 2003:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323380
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights.
>
>
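Added example, not part of the original thread: a PowerShell sketch of checks 3, 5 and 8 from the list above, querying each configured resolver separately for the SRV record named in the error message. The domain corp.example.com is a placeholder and Test-InternalIPv4 is a hypothetical helper; Get-DnsClientServerAddress and Resolve-DnsName come from the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example: checks 3, 5 and 8 of the list, run on the client.
param([string]$Domain = 'corp.example.com')   # placeholder; use the AD DNS domain name

function Test-InternalIPv4 {
    # Assumption: "internal" means loopback or an RFC 1918 address.
    param([string]$Address)
    $b = ([System.Net.IPAddress]$Address).GetAddressBytes()
    return ($b[0] -eq 10) -or ($b[0] -eq 127) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Check 8: a single-label domain name contains no dot.
if ($Domain -notmatch '\.') { Write-Warning "'$Domain' is a single-label domain name." }

# Check 3: collect every resolver configured on any interface.
$resolvers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique

# Check 5: query each resolver on its own, so the table shows which
# server gives which answer for the DC locator record.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
$results = foreach ($r in $resolvers) {
    $row = [ordered]@{ Resolver = $r; Internal = (Test-InternalIPv4 $r); DCs = ''; Error = '' }
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $r -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
        $row.DCs = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        if (-not $srv) { $row.Error = 'no SRV records in answer' }
    } catch {
        # A name error surfaces here, e.g. "DNS name does not exist".
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}
$results | Format-Table -AutoSize

$results | Where-Object { -not $_.Internal } | ForEach-Object {
    Write-Warning "$($_.Resolver) is not an internal DNS server; remove it from the client."
}
if (-not ($results | Where-Object { $_.Internal -and $_.DCs })) {
    Write-Warning "No internal resolver returned $srvName; DC location is likely to fail."
}
```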