Question
Thursday, February 3, 2011 4:18 PM
Hello all,
I have a small domain, let's call it abc.com. The DC in abc.com has both forward and reverse lookup records for the server I'm trying to add. This server that I am trying to add is, let's call it server-4 (server-4 is currently in a workgroup). When I try to add server-4 to the domain I get the error message in the title.
When I run nslookup on the abc.com server I get the correct name and IP address for server-4, both forward and reverse. What could be causing this issue when trying to add server-4 to the domain?
Thanks.
All replies (14)
Friday, February 11, 2011 3:59 AM ✅Answered
The steps I provided should have done the trick. I'm truly surprised that it didn't work. Is the new server you are trying to add set to ONLY use the DC for its DNS entry? If not, then there's apparently something else going on, or something blocking the DNS registration process.
If you are getting an error saying that it can't find _ldap._tcp.dc._msdcs.abc.com, have you physically looked for that record in DNS under the _msdcs.abc.com zone? If so, do you see it?
Have both zones, _msdcs.abc.com and the abc.com zone, been configured to allow Updates? If not, please allow updates. Set it to Secure and Unsecure until we get this working, then re-run that procedure with the netlogon service and files.
- Is the DNS Server service running?
- Is there a third-party security app or firewall running on the servers, such as Symantec or McAfee, or any other? If you disable it, will it "find" the domain?
- Is the DHCP Client service running? (Note: this is a necessary service on all machines for registration to work.)
- Are the firewalls on both servers disabled?
- Expand the _msdcs.abc.com and abc.com zones, screenshot it for us, and post it to Windows SkyDrive so we can see if there's anything missing.
Please run the following and post the results to Windows SkyDrive. This will help us evaluate this further.
- Re-run and provide an updated: ipconfig /all > c:\ipconfig.txt (open the text file for the results)
- dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
- repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repadmin.txt
- dnslint /ad /s "The DC's IP Address" (http://support.microsoft.com/kb/321045)
- nltest /dsgetdc:domainname /force > c:\nltest.txt
When you say you do not have internet access, which is somewhat vague, does that mean you can't resolve internet names, or you can't directly ping a public IP address, such as 4.2.2.2? Internet name resolution would be accomplished by the root hints. You can configure a Forwarder as I mentioned. Did you configure a forwarder?
Have you tried using nslookup to query internet names? Try this:
======
Internet resolution:
C:\>nslookup
Default Server: YourServerName.abc.com
Address: 192.168.10.20
Then type in the following and hit enter:
> www.microsoft.com
Server: YourServerName.abc.com
Address: 192.168.10.20
Non-authoritative answer:
Name: lb1.www.ms.akadns.net
Addresses: 207.46.170.10
207.46.170.123
Aliases: www.microsoft.com
toggle.www.ms.akadns.net
g.www.ms.akadns.net
>
Did that provide you the response you see above?
======
Let's use nslookup to determine what SRV records are returned:
In a command prompt, type in the following and hit enter:
C:\>nslookup (hit enter)
Then type in the following and hit enter:
> _msdcs.yourdomain.com (This should just show "_msdcs.yourdomain.com")
Then type in the following and hit enter:
> gc._msdcs.yourdomain.com (This should show you the IP addresses of all of your GCs)
Then change the query type to SRV records with the next command:
> set q=srv
Now type in the following and hit enter:
> _ldap._tcp.dc._msdcs.yourdomain.com (This test should show you your domain controllers)
Server: dc-01.yourdomain.com
Address: 10.10.10.10
_ldap._tcp.dc._msdcs.yourdomain.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = dc-01.yourdomain.com
_ldap._tcp.dc._msdcs.yourdomain.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = dc-02.yourdomain.com
dc-01.yourdomain.com internet address = 10.10.10.10
dc-02.yourdomain.com internet address = 10.10.10.5
>
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
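The nslookup transcript above shows what the DC locator gets back for _ldap._tcp.dc._msdcs.<domain>: one SRV record per DC with a priority, weight, port and target host, plus glue addresses. As an added example (not part of the original thread, not Microsoft's code), the following Python parses nslookup's SRV output in exactly that layout and orders the targets the way RFC 2782 specifies (lowest priority first, weighted random within a priority), which is the general rule of which the transcript shows one instance. The sample transcript is constructed; the hostnames and addresses are hypothetical, and a third DC (dc-03, priority 10, weight 0) is added only to show priority ordering.

```python
"""Parse nslookup's SRV answer for _ldap._tcp.dc._msdcs.<domain> and rank the
domain controllers per RFC 2782.  Sample data below is constructed."""
import random
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout nslookup prints after `set q=srv`:
# priority/weight/port/svr hostname per record, then glue address lines.
# dc-03 is a hypothetical extra DC to demonstrate priority ordering.
SAMPLE_SRV_OUTPUT = """\
Server:  dc-01.yourdomain.com
Address:  10.10.10.10

_ldap._tcp.dc._msdcs.yourdomain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc-01.yourdomain.com
_ldap._tcp.dc._msdcs.yourdomain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc-02.yourdomain.com
_ldap._tcp.dc._msdcs.yourdomain.com     SRV service location:
          priority       = 10
          weight         = 0
          port           = 389
          svr hostname   = dc-03.yourdomain.com
dc-01.yourdomain.com    internet address = 10.10.10.10
dc-02.yourdomain.com    internet address = 10.10.10.5
dc-03.yourdomain.com    internet address = 10.10.20.5
"""


@dataclass
class SrvTarget:
    priority: int
    weight: int
    port: int
    host: str
    address: Optional[str] = None  # filled from the glue lines when present


def parse_nslookup_srv(text: str) -> List[SrvTarget]:
    """nslookup prints priority, weight and port before the hostname, so the
    numeric fields are accumulated and the record is emitted on the
    'svr hostname' line; glue ('<host> internet address = <ip>') is attached last."""
    targets: List[SrvTarget] = []
    glue: Dict[str, str] = {}
    fields: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(priority|weight|port)\s*=\s*(\d+)\s*$", line)
        if m:
            fields[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"\s*svr hostname\s*=\s*(\S+)", line)
        if m:
            missing = {"priority", "weight", "port"} - set(fields)
            if missing:  # refuse to guess defaults for a truncated record
                raise ValueError(f"SRV record for {m.group(1)} lacks {sorted(missing)}")
            targets.append(SrvTarget(fields["priority"], fields["weight"],
                                     fields["port"], m.group(1).rstrip(".").lower()))
            fields = {}
            continue
        m = re.match(r"\s*(\S+)\s+internet address\s*=\s*(\S+)", line)
        if m:
            glue[m.group(1).rstrip(".").lower()] = m.group(2)
    for t in targets:
        t.address = glue.get(t.host)
    return targets


def rank_targets(targets: List[SrvTarget], seed: Optional[int] = None) -> List[SrvTarget]:
    """RFC 2782 order: ascending priority; within one priority a weighted random
    draw, with weight-0 targets placed first so they are picked only when the
    random number is 0."""
    rng = random.Random(seed)
    ordered: List[SrvTarget] = []
    by_priority: Dict[int, List[SrvTarget]] = {}
    for t in targets:
        by_priority.setdefault(t.priority, []).append(t)
    for prio in sorted(by_priority):
        pool = sorted(by_priority[prio], key=lambda t: t.weight != 0)  # zero weights first
        while pool:
            pick = rng.randint(0, sum(t.weight for t in pool))
            running = 0
            for t in pool:
                running += t.weight
                if running >= pick:
                    ordered.append(t)
                    pool.remove(t)
                    break
    return ordered


def locator_order(text: str, seed: Optional[int] = None) -> List[str]:
    """'host:port' strings in the order a client would try the DCs."""
    return [f"{t.host}:{t.port}" for t in rank_targets(parse_nslookup_srv(text), seed)]


if __name__ == "__main__":
    for t in rank_targets(parse_nslookup_srv(SAMPLE_SRV_OUTPUT), seed=1):
        print(f"priority={t.priority} weight={t.weight} {t.host} ({t.address}) port {t.port}")
```

If this parse yields your DC with a glue address but the join dialog still reports that the SRV query succeeded and "no DCs could be contacted", name resolution is not the problem any more: the client cannot reach the listed host on the ports the join uses, and the firewall and reachability checks in the list above are the next step.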
Thursday, February 3, 2011 11:03 PM
Hi Naiops,
From server-4, if you run nslookup can you translate abc.com? If not, then there are no records from the DNS server in abc.com on server-4.
I think so, but I'm not sure about this; others can help out. If you can ping the server hosting DNS in abc.com, then try changing the preferred DNS server in server-4's IP address settings to the DNS server in abc.com and try to join the domain.
Hope this helps :)
tech-nique
Friday, February 4, 2011 6:27 AM
Hi,
In addition:
Does it fail both with NetBIOS and FQDN?
What is the error ID of the system prompt that the client received when trying to join the domain? You can acquire it from the event log on the client side.
Is this happening for all clients or only particular client workstations?
Please diagnose the domain controller by using the dcdiag utility and post any failed messages here:
Domain Controller Diagnostics Tool (dcdiag.exe)
http://technet.microsoft.com/en-us/library/cc776854(WS.10).aspx
Here are some suggestions:
Make sure DNS resolution is working by using nslookup and ping to test resolving the domain name.
Make sure Client for Microsoft Networks is enabled on the client's network card.
Clean boot the client machine by using MSConfig. Also try disabling the Windows Firewall on the client.
Thanks.
Tiger Li
Friday, February 4, 2011 7:59 AM
Hello,
please post an unedited ipconfig /all from the DC/DNS server and the workgroup machine. Why did you add the records manually? If a machine is joined to the domain they are created automatically.
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Monday, February 7, 2011 4:54 PM
From the DC at abc.com, nslookup works both forward and reverse on server-4. When I run an nslookup on server-4 for server1.abc.com I get the IP address but the DNS request times out. And when I run an nslookup on server-4 for the IP address of the DNS server, I don't get the NetBIOS or FQDN name and DNS also times out.
When I ran dcdiag everything passed, and the DNS Server service is running on the DC.
The error codes I saw in the event log were 1006 and 1014.
Now on the DC there are two forward lookup zones: abc.com and one that says _msdcs.abc.com. Could this be causing an issue?
Also, when I ping the DNS server I get replies back, but it's not the IP address of the server, it's the IP address of the gateway?
Monday, February 7, 2011 9:15 PM
Hello,
please post the ipconfig's as requested.
"...on DC, there are two forward lookup zones. abc.com and one that says _msdcs.abc.com."
This is completely correct, don't mess with it.
"The error codes i saw in the event log were 1006 ans 1014."
Please post the complete event viewer entry, there are too many sources for this number available.
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Tuesday, February 8, 2011 6:46 AM
What operating system are the DCs, and what operating system is the server you're trying to add?
How many DCs?
Is the server you're trying to add in the same site as the DC or in a different location?
I assume you have only the DC as the DNS address in the machine (as all domain members should be set).
Is there a firewall between that server and the local DC? How about the local firewalls, are they all disabled?
It could also be an RSS issue. Read the following for more info on the EventID 1014.
http://eventid.net/display.asp?eventid=1014&eventno=10623&source=DNS Client Events&phase=1
You didn't post the whole event error, which, as Meinolf asked, is necessary to help us. For example, EventID 1014 has 18 different Source names that can cause the event error. Therefore, looking through the list, I *assume* the Source Name is "DNS Client Events", which prompted me to post the above link.
As requested, can you post a complete ipconfig /all from the server and from two of your DCs, please? The info will help us evaluate and diagnose any possible misconfigurations, and eliminate any guess work on our part.
Thank you,
Ace
Ace Fekay
Tuesday, February 8, 2011 4:05 PM
The DC is Windows Server 2008, and the server I am trying to add is also Server 2008. In the event viewer it has two entries,
event 1006, DNS Client Events - the client was unable to validate the following as an active DNS server that can service this client. The server may be temporarily unavailable or improperly configured.
event 1014, DNS Client Events - name resolution for the name microsoft.com timed out after none of the configured DNS servers responded.
event 1202, DFSR - the DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. This service will try again during the next configuration polling cycle. Additional information: error 1355 (the specified domain either does not exist or could not be contacted)
On the server I'm trying to add to the domain the ipconfig is:
IPv4 address 192.168.10.7
mask 255.255.255.0
default gateway 192.168.10.1
DNS servers: 192.168.10.20 and 71.250.0.12
NetBIOS over TCP/IP is enabled.
On the DC of our domain, which is configured as a DNS server, the ipconfig is:
IPv4: 192.168.10.20 and 192.168.10.31 (the 10.31 address is for Apache, so I'm told)
mask 255.255.255.0
gateway 192.168.10.1
hostname server1
primary DNS suffix abc.com
DNS suffix search list abc.com
DNS servers 192.168.10.20, 71.250.0.12, and 192.168.10.31
The nslookup on the DC works for the server I am adding, both forward and reverse, but the nslookup on the server I want to add does not give the right info, as it says DNS request timed out.
There is no hardware firewall, but I have made sure that the exceptions are set on both machines.
We only have one DC on abc.com, and that is configured as the DNS server.
When I ping the DC's NetBIOS name from the client I want to add, I get a reply, but it's in hex, not the IP address.
When I ping the DC's FQDN I get a reply from its IP address.
Finally, the window that pops up when I try to add the client to the domain says:
An AD DC for the domain "abc.com" could not be contacted.
DNS was successfully queried for the service location (SRV) resource record used to locate a DC for the domain abc.com
The query was for the SRV record for _ldap._tcp.dc._msdcs.abc.com
The following DCs were identified by the query: server1.abc.com, however no DCs could be contacted.
Tuesday, February 8, 2011 9:28 PM
Is there any more information that you need?
Tuesday, February 8, 2011 10:30 PM
Naiops,
Thank you for posting the information.
The first thing that I see that really stands out clearly, is Verizon's DNS Address. Unfortunately, Verizon's DNS does not hold any information about your internal, private AD information. This will cause numerous problems with AD, internal DC name resolution, client machines to logon, authenticate, etc.
Please remove the DNS address 71.250.0.12 from ALL MACHINES (DC, workstations, etc). If that address is in your DHCP scope Option 006, please remove it, too. If you are using your router/firewall as a DHCP server, I highly recommend to disable it and use your Windows DHCP server in order to take advantage of more finite options and its increased security features.
If the Apache server on 192.168.10.31 does not hold the AD zone name called abc.com, you MUST remove that, too. Apache is a web server, and they don't run a DNS service, as far as I understand, therefore assuming such, that should be removed, too.
The only DNS servers that should be in any AD infrastructure are the DNS servers that hold the AD zone. If you have two DCs, then the two DCs' IP addresses are the only ones that must be used.
For efficient internet name resolution, you can configure a forwarder to 71.250.0.12. That's done in DNS console, right-click the server name, properties, Forwarders tab.
The lack of ability to contact a DC is because it's more than likely asking the Verizon or the Apache server to resolve names in the abc.com zone, and those servers do not have that answer. This will cause numerous problems with AD, NTFRS, logons, authentication, users accessing mapped drives, printers, and numerous other issues.
Here's more info to explain what I mean:
Active Directory's Reliance on DNS, and why you should never use an ISP's DNS address or your router as a DNS address, or any other DNS server that does not host the AD zone name
http://msmvps.com/blogs/acefekay/archive/2009/08/17/ad-and-its-reliance-on-dns.aspx
Once you've removed the Apache IP and the Verizon IP on the server, please perform the following on each DC:
- Open Windows Explorer to windows\system32\config
- Rename netlogon.dns to netlogon.dns.old
- Rename netlogon.dnb to netlogon.dnb.old
- Open a command prompt and run ipconfig /registerdns
- In the same command prompt, run net stop netlogon && net start netlogon
Check event viewer after 10 minutes for any event log errors.
Make sure you change your DHCP scope options to remove those addresses so they are not given to your client workstations and laptops.
I hope that helps.
Ace
Ace Fekay
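The fix above comes down to one rule: every resolver configured on a domain member, and on the DC itself, must be a DNS server that hosts the AD zone, because an ISP resolver or an unrelated internal box cannot answer for _msdcs.abc.com and the client's DC locator query times out. As an added example that is not from the original thread or from Microsoft, the following Python parses the DNS Servers block of an `ipconfig /all` dump (including the indented continuation lines that carry the second and third servers), flags every resolver outside the set of AD DNS servers, and separates public ISP addresses from internal hosts such as the Apache box. The dump is constructed to mirror the DC configuration posted earlier in the thread; the adapter name is hypothetical.

```python
"""Audit DNS client settings in an `ipconfig /all` dump: every resolver on a
domain member (and on the DC) must host the AD zone.  Sample is constructed."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed `ipconfig /all` excerpt mirroring the DC in the thread.
# The extra DNS servers appear on indented continuation lines, as in real output.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : server1
   Primary Dns Suffix  . . . . . . . : abc.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.10.20(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.10.31(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.20
                                       71.250.0.12
                                       192.168.10.31
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")          # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]*: ?(.*)$")  # "Name . . : value"
CONT_RE = re.compile(r"^\s{20,}(\S+)\s*$")                  # bare continuation value


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {adapter: {"ipv4": [...], "dns": [...]}} for every adapter section."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current = None
    last_field = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {"ipv4": [], "dns": []}
            last_field = None
            continue
        if current is None:  # global header lines (Host Name etc.) are not needed here
            continue
        m = FIELD_RE.match(line)
        if m:
            name, value = m.group(1).strip().lower(), m.group(2).strip()
            last_field = name
            if name == "ipv4 address":
                adapters[current]["ipv4"].append(value.split("(")[0])  # drop "(Preferred)"
            elif name == "dns servers" and value:
                adapters[current]["dns"].append(value)
            continue
        m = CONT_RE.match(line)
        if m and last_field == "dns servers":  # 2nd/3rd resolver on continuation lines
            adapters[current]["dns"].append(m.group(1))
    return adapters


def audit_dns_servers(adapters: Dict[str, Dict[str, List[str]]],
                      ad_dns_servers: Set[str]) -> List[Tuple[str, str, str]]:
    """(adapter, resolver, reason) for every resolver that cannot answer for the AD zone."""
    findings: List[Tuple[str, str, str]] = []
    for name, cfg in adapters.items():
        if not cfg["dns"]:
            findings.append((name, "-", "no DNS server configured; DC locator cannot query SRV records"))
            continue
        for server in cfg["dns"]:
            if server in ad_dns_servers:
                continue
            try:
                is_private = ipaddress.ip_address(server).is_private
            except ValueError:
                findings.append((name, server, "not a valid IP address"))
                continue
            if not is_private:
                reason = "public resolver (ISP/router); holds no AD zone, _msdcs lookups time out"
            else:
                reason = "internal host that does not host the AD zone"
            findings.append((name, server, reason))
    return findings


def corrected_dns_servers(adapters: Dict[str, Dict[str, List[str]]],
                          ad_dns_servers: Set[str]) -> Dict[str, List[str]]:
    """Per adapter, the resolver list with only AD DNS servers kept, in original order;
    an adapter left with nothing gets the full AD DNS set."""
    fixed = {}
    for name, cfg in adapters.items():
        kept = [s for s in cfg["dns"] if s in ad_dns_servers]
        fixed[name] = kept or sorted(ad_dns_servers)
    return fixed


if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)
    for adapter, server, reason in audit_dns_servers(cfg, {"192.168.10.20"}):
        print(f"{adapter}: remove {server}: {reason}")
    print("corrected:", corrected_dns_servers(cfg, {"192.168.10.20"}))
```

Run the audit against the dump from each machine (and against the addresses handed out by DHCP option 006); anything it flags is a resolver to remove, with internet resolution restored afterwards through a forwarder on the DC's DNS server rather than by re-adding the ISP address to clients.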
Thursday, February 10, 2011 6:13 PM
OK, I've done all the steps mentioned, and now the server I'm trying to add to the domain does not have internet access. The only DNS server listed on it is the DC for abc.com, 192.168.10.20. nslookup works fine on the DC for the server I'm adding, but I can't connect to anything from the server being added.
The error message I'm getting now is "This operation returned because the timeout period expired"
(error code 0x000005b4 ERROR_TIMEOUT)
The query was for the SRV record for _ldap._tcp.dc._msdcs.abc.com
Thursday, February 10, 2011 6:20 PM
This server I'm adding is going to be a Lync server, if that's any help.
Wednesday, February 16, 2011 7:20 PM
That did the trick, thank you very much for the help!
Wednesday, February 16, 2011 7:28 PM
Good to hear it helped. :-)
You are welcome!
Ace
Ace Fekay