electricdad asked:
2008r2 joining domain issues

I have been banging my head on this one for a couple of days. Here it goes:
I am in charge of trying to remove an old 2000 DC and use a new 2008r2 as a DC with the same computer name. This was an instruction by the client.
But get this setup:
There are 5 sites. There are a mixture of 2000 and 2008r2 domain controllers. Somehow last year Microsoft came in and got all the systems, including the 2008r2 DCs, to run in 2000 Native Mode domain functional level.
I demoted the DC in this site and removed the box. I cleaned up the metadata and deleted any reference to the server name WEWSA.
I have VMware ESXi 5.0 installed and a 2008r2 VM on it. The DNS settings are pointing to the Primary DC at another site.
When I joined that machine to the domain with the same name WEWSA everything seemed to go through, but when I try to log on with a domain account I get the "The security database on the server does not have a computer account for this workstation trust relationship" error message. But I can log in with the local Admin account. I see the computer account in AD and the object in ADSI Edit. The SPN in ADSI Edit is set correctly: HOST/FQDN, HOST/Computername, etc.
I unjoin it and rejoin it with the same problem, even if I clean up AD before rejoining.
And another problem to note. When I join it to the domain with another computer name like REPWEWSA it gives me an error: "Changing the Primary DNS name of this computer to "" failed. The name will remain (domainname). Error was: No mapping between account names and security IDs was done." But it seems to join with no problem and I can browse all shares on other servers in the domain. But the computer account is missing in ADUC.
Sometimes with the "Changing the Primary DNS name...." error at other sites I got another error message stating that "The specified server cannot perform the requested operation" instead of "No mapping between account names and security IDs was done." But these systems seemed to join and work.
But joining the domain with that old name WEWSA (which I am under strict orders to use) works, but it will not let me log on with a domain account; I get the "___computer account does not have trusted relationship" error.
I have cleaned metadata, set SPNs, disabled Windows firewalls, unjoined and rejoined, deleted computer accounts, unjoined and rejoined. I am out of options here. Any help, and may you be repaid a thousandfold. Thanks.
Neil Russell

Can you check that ALL 5 FSMO roles exist on current contactable servers? Ensure that the server you demoted and removed did not hold any roles.
electricdad (asker)

It seems only one domain controller holds those roles. And I was pointing to that domain controller for primary DNS at first. I changed the primary DNS to other domain controllers, but with the same results.
Nagendra Pratap Singh
So that DC has all 5 roles now?

Are there any events around the time when you attempt to add the new DC?
I would start now with running a "DCDIAG /e" on your 2008R2 server.
This will run dcdiag against ALL DCs in the entire enterprise and give you a detailed report. Look for and fix any errors there before continuing.
electricdad (asker)
I have found a resolution but still need to know something.
It seems the computer name was set to computername.domain.prv instead of just the computername, with the domain being domain.prv. A DNS suffix was added, and I had to go to renaming the computer, then More, and I found the DNS suffix was set to domain.prv. I deleted it and logged on to the domain just fine. Thing is, there is no group policy that I know of adding the DNS suffix. I checked RSoP. Nothing that I know of. There is only the Default Domain Policy and there was no setting for the DNS client suffix. And any other system I join does not seem to have this issue. Thing is, there used to be a DC with this computer name. So only when I was joining with that old computer name was I getting this issue. But I had to use this name for the migrated shares according to the Admin at the site. Well, all is working and replicating as far as I can tell for now. Does anyone know why this system was getting that DNS suffix? I'm glad it's working but I am lost on how this happened in the first place.
Now another situation. I had to promote this server to a domain controller and then remove that DNS suffix in the computer name More button again. Then I could log on. And any system in this site that uses this domain controller can join the domain. But no record is recorded in DNS on this DC. But this system is on the domain and gets a computer account in Active Directory. I will run dcdiag and post it in a few.
That earlier situation with taking away the DNS suffix of course was not the solution. We found a duplicate SPN because this machine was a domain member under another computer name earlier. That duplicate SPN in ADSI Edit for the computer object was the culprit.
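The duplicate SPN described in this post is something you can find without hunting through ADSI Edit by hand. The following PowerShell is an added example, not code from the thread: it lists every servicePrincipalName in the domain and reports values registered on more than one account, which is exactly the condition that produces the trust-relationship logon failure when a host name is reused. It assumes the ActiveDirectory RSAT module is installed; the host name WEWSA is taken from the thread and used only as a filter argument.

```powershell
# Added example (not from the thread): report SPNs registered on more than
# one account in the domain. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    [CmdletBinding()]
    param(
        # Optional substring to narrow the report, e.g. 'WEWSA' (from the thread)
        [string]$Match = ''
    )
    # Every computer or user object that carries at least one SPN.
    $accounts = Get-ADObject `
        -LDAPFilter '(&(|(objectClass=computer)(objectClass=user))(servicePrincipalName=*))' `
        -Properties servicePrincipalName, distinguishedName

    # Flatten to (SPN, account DN) pairs so the SPN string can be grouped on.
    $pairs = foreach ($acct in $accounts) {
        foreach ($spn in $acct.servicePrincipalName) {
            [pscustomobject]@{ Spn = $spn; Account = $acct.DistinguishedName }
        }
    }

    # Kerberos treats SPNs case-insensitively; Group-Object is case-insensitive
    # by default, so 'HOST/wewsa' and 'HOST/WEWSA' collide as they should.
    $pairs |
        Where-Object { $Match -eq '' -or $_.Spn -like "*$Match*" } |
        Group-Object -Property Spn |
        Where-Object { ($_.Group.Account | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Spn      = $_.Name
                Accounts = ($_.Group.Account | Sort-Object -Unique) -join '; '
            }
        }
}

# Duplicates touching the reused host name from the thread, then the whole domain.
Find-DuplicateSpn -Match 'WEWSA' | Format-Table -AutoSize
Find-DuplicateSpn | Format-Table -AutoSize
```

The built-in `setspn -X` performs the same forest-wide duplicate search; the script above is useful when you want the offending account DNs in a form you can filter or export.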
ASKER CERTIFIED SOLUTION
electricdad
DNS suffix on Primary DC was missing.