captainober asked:
Client unable to join domain/GPO not working/DNS issue

Greetings all,

I am having several issues that I believe are all related to DNS and/or GPOs on my Domain Controller.

1) I cannot join the domain xxx.xxx.com from a client. When I do I get the message: "The remote computer is not available". Another variation is: "Unable to contact remote network". However, I can ping the DC by IP and by FQDN; everything is good there. Also, nslookup returns dc1.xxx.xxx.com just as it should.

2) When I go to the Group Policy tab I get a message: "DC for Group Policy operations is not available. You can retry using one of the following DC choices: one with Ops. Mast. token for PDC emulator, one used by AD snap-ins, or use any available domain controller." All options return the error: "Failed to find a domain controller. There may be a policy that prevents you from selecting another domain controller - the network path was not found."

DNS is not producing any errors in Event Viewer. However, the Application log is producing two: 1) "The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (3)" and 2) "Security policy cannot be propagated. Cannot access the template. Error code=3. \\xxx.xxx.com\sysvol\xxx.xxx.com\policies\{31b2f-340-016d-11d2-945f...etc\machine\microsoft\windows\nt\secedit\gpttmpl.inf".

BTW, a guy from Microsoft spent a bunch of time here and said, "reload". I did; it didn't help. Every time I rebuild I get this problem.

CaptainOber
Housenet

-At the server... Is the AD DNS zone for the domain bound to the inside IP?
-Is your client a DHCP client?
-Are the advanced TCP/IP properties for the Local Area Connection of the client set up as default? (Register connection in DNS)
-Can you verify that DHCP is registering the DNS record in the zone for the client?
-Is there more than one A record in the DNS server zone for the client?
-Any invalid A records in the DNS zone (host name with wrong IP etc.)?
-Do you have any hosts or lmhosts files in winnt\system32\drivers\etc with a reference to the DNS server that has invalid info?
-Are you using options 44-46 in DHCP & using hybrid resolution on clients & possibly have static WINS registrations or invalid WINS records?
-Is the DNS server allowing dynamic updates?

-let me know..
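Housenet's checklist above, turned into a script. This is an added example and is not part of the thread; it assumes a client running Windows 8 / Server 2012 or later (for the DnsClient and NetTCPIP cmdlets), and the names xxx.xxx.com and dc1.xxx.xxx.com are the placeholders from the question. Beyond the checklist it also resolves the _msdcs SRV records that the DC locator depends on, since a successful ping or nslookup of the DC's FQDN, as the asker reports, does not prove those exist.

```powershell
# Added example, not code from the original thread.
# Assumes Windows 8 / Server 2012 or later. Domain and DC names are placeholders.
param(
    [string]$Domain = 'xxx.xxx.com',
    [string]$DomainController = "dc1.$Domain"
)

function Test-DcLocatorRecords {
    # Domain join and GPO processing locate a DC through the SRV records under
    # _msdcs, not through the DC's A record. Returns $true only if both resolve.
    $ok = $true
    foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
        try {
            $r = Resolve-DnsName -Name $srv -Type SRV -DnsOnly -ErrorAction Stop
            $targets = ($r | Where-Object Type -eq 'SRV' |
                        ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            "{0} -> {1}" -f $srv, $targets
        } catch {
            Write-Warning "Missing SRV record: $srv ($($_.Exception.Message))"
            $ok = $false
        }
    }
    return $ok
}

function Test-ClientDnsRegistration {
    # Is this host's own A record in the domain zone, is "Register this
    # connection's addresses in DNS" on, and which DNS servers is it using?
    $fqdn = "$env:COMPUTERNAME.$Domain"
    $aRecord = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue
    $registering = Get-DnsClient | Where-Object { $_.RegisterThisConnectionsAddress } |
                   Select-Object -ExpandProperty InterfaceAlias
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object ServerAddresses | ForEach-Object { $_.ServerAddresses }
    [pscustomobject]@{
        ClientFqdn          = $fqdn
        ARecordPresent      = [bool]$aRecord
        ARecordAddresses    = ($aRecord | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ', '
        AdaptersRegistering = $registering -join ', '
        DnsServers          = $servers -join ', '
    }
}

function Test-HostsFileOverrides {
    # Stale hosts/lmhosts entries for the DC or the domain silently override DNS.
    $etc = Join-Path $env:SystemRoot 'System32\drivers\etc'
    Get-ChildItem -Path "$etc\*" -Include 'hosts', 'lmhosts' -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $Domain, $DomainController -SimpleMatch
}

Test-DcLocatorRecords
Test-ClientDnsRegistration | Format-List
$overrides = Test-HostsFileOverrides
if ($overrides) { Write-Warning 'hosts/lmhosts entries reference the domain or DC:'; $overrides }

# The DC locator itself, which is what the GPO snap-in error is coming from:
nltest /dsgetdc:$Domain /force

# If ARecordPresent is False while an adapter is registering, force a
# dynamic registration and re-check the zone:
# Register-DnsClient
```

If the SRV lookups fail while the A record for dc1 resolves, the client is pointed at a DNS server that does not host (or does not forward to) the AD zone; that is the first thing to fix before touching DHCP or permissions. A missing client A record with secure-only dynamic updates, as in this thread, usually means either the DHCP server is not authorized or it is registering on the client's behalf without being a member of the group that may write to the zone.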
SysExpert
listening..
Are you running WINS on any of the servers? I found that I had problems getting machines to join the domain when it was an NT 4 domain with 2000 clients if the DHCP server wasn't giving out WINS server addresses as part of the assignment (sometimes even when it was). What I would do is override the client's WINS settings and manually enter a local WINS server in the client's "Advanced TCP/IP" settings, but let DHCP issue the rest of the settings.

Curious if this would help resolve adding the server or client to the domain in your case.
Lab1

Housenet, could you please email me at
lab1@experts-exchange.com

Thank you
Lab1
CS Moderator
captainober (asker)
-At the server... Is the AD DNS zone for the domain bound to the inside IP? YES - CaptO
-Is your client a DHCP client? YES - CaptO
-Are the advanced TCP/IP properties for the Local Area Connection of the client set up as default? YES - CaptO
(Register connection in DNS)... YES, it's checked - CaptO
-Can you verify that DHCP is registering the DNS record in the zone for the client? Under scope - address leases, the IP and DNS name for the client is present with the correct IP. - CaptO
-Is there more than one A record in the DNS server zone for the client? There is NO A record for the client! CaptO
-Any invalid A records in the DNS zone (host name with wrong IP etc.)? NO - CaptO
-Do you have any hosts or lmhosts files in winnt\system32\drivers\etc with a reference to the DNS server that has invalid info? No, there is nothing in there - CaptO
-Are you using options 44-46 in DHCP & using hybrid resolution on clients & possibly have static WINS registrations or invalid WINS records? NO, no WINS at all - CaptO
-Is the DNS server allowing dynamic updates? Only secure updates. CaptO

-Well that is a problem... I'll assume you were looking in the forward lookup zone root for these A records.

-Open DHCP server admin... right-click & verify that the server is authorized for the domain.
-Right click properties for the server name & verify that in the DNS tab the options set are..
"automatically update dhcp client info in dns"
"always update dns"
-Check the scope properties for the same options..

-Verify that permissions for DNS server root (right click the server name in DNS admin) are "authenticated users=add child objects... Everyone=read.

-On the client station issue an ipconfig /release ipconfig /renew.... Check DNS (refresh) for the A record.

-If it does not happen at this point... Manually create the A record for the client station to see if it solves the original problem & we can work on what settings are preventing the automatic record creation by DHCP for the client...

Everything was good or I changed it to comply.
1) Looking in forward lookup zone root. Is that . or xxx.xxx.com? I'm looking in xxx.xxx.com; that is where the A record(s) is. Nothing is in ".". My instincts tell me xxx.xxx.com is where I should be.
2) Permissions - "users=add child objects". I'm assuming you mean "create all child objects"? Everyone was not given read. I added that later.
3) I added an A record to the domain for client1. No luck.
I really think that the error messages about the policies may be key. Ultimately I think they revolve around DNS. The errors are being generated every 5 mins. The sources are Userenv and SceCli. They were described in the first post.

thanks for all the help.  let me know what more info you need.

captO
ASKER CERTIFIED SOLUTION
Housenet
"-For those errors, verify that file & printer sharing is bound to your NICs..." It wasn't. Didn't know that it was a must. Now everything is good!!! Such a simple issue.
Thanks so much.  Points on the way

the (grateful) captain

-That solved your original problem also? Maybe I should have mentioned it earlier. :) Thanks BTW...
Yes, all problems are solved.  Didn't know that F&P services were needed by AD like that.  What gives?

CaptO
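On the "what gives?" question: both the domain join and the Group Policy Security extension fetch files from the DC's SYSVOL share over SMB (the GptTmpl.inf path in the SceCli event is exactly such a read). On the server side SMB is served by the Server service (LanmanServer), which only listens on adapters where "File and Printer Sharing for Microsoft Networks" (component ms_server) is bound; on the client side "Client for Microsoft Networks" (ms_msclient) must be bound for it to open SMB connections at all. With the binding off, the DC still answers ping, DNS and LDAP, so nslookup and ping look fine, but every \\domain\SYSVOL access fails with a path error (Windows error 3 is ERROR_PATH_NOT_FOUND), which is the symptom set in this thread. The script below is an added example, not code from the thread; it assumes Windows 8 / Server 2012 or later for the NetAdapter, SmbShare and NetTCPIP cmdlets, and the domain and DC names are the question's placeholders.

```powershell
# Added example, not code from the original thread.
# Assumes Windows 8 / Server 2012 or later. Domain and DC names are placeholders.
param(
    [string]$Domain = 'xxx.xxx.com',
    [string]$DomainController = "dc1.$Domain"
)

# --- Run on either machine: are the SMB bindings present on the live adapters? ---
function Test-SmbBindings {
    # ms_server  = File and Printer Sharing for Microsoft Networks (needed on the DC)
    # ms_msclient = Client for Microsoft Networks (needed on the joining client)
    $up = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -ExpandProperty Name
    foreach ($component in 'ms_server', 'ms_msclient') {
        Get-NetAdapterBinding -ComponentID $component |
            Where-Object { $up -contains $_.Name } |
            ForEach-Object {
                [pscustomobject]@{
                    Adapter   = $_.Name
                    Component = $_.DisplayName
                    Bound     = $_.Enabled
                }
            }
    }
}

# --- Run on the DC: the Server service and the SYSVOL share itself ---
function Test-SysvolServer {
    [pscustomobject]@{
        ServerService = (Get-Service -Name LanmanServer).Status
        SysvolShared  = [bool](Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue)
    }
}

# The fix from the thread, scripted: bind the named component on every up adapter
# that lacks it. Run elevated; the binding change briefly resets the adapter.
function Repair-SmbBinding {
    param([ValidateSet('ms_server', 'ms_msclient')][string]$ComponentID)
    Get-NetAdapterBinding -ComponentID $ComponentID |
        Where-Object { -not $_.Enabled } |
        ForEach-Object { Enable-NetAdapterBinding -Name $_.Name -ComponentID $ComponentID }
}

# --- Run on the client: can it actually reach SYSVOL and read a policy template? ---
function Test-SysvolReachable {
    $tcp = Test-NetConnection -ComputerName $DomainController -Port 445 -WarningAction SilentlyContinue
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    $templates = @()
    if (Test-Path -Path $policies) {
        # GptTmpl.inf is the file the SceCli error in the thread could not read.
        $templates = @(Get-ChildItem -Path $policies -Recurse -Filter 'GptTmpl.inf' -ErrorAction SilentlyContinue |
                       Select-Object -ExpandProperty FullName)
    }
    [pscustomobject]@{
        Smb445Open       = $tcp.TcpTestSucceeded
        PoliciesReadable = Test-Path -Path $policies
        TemplatesFound   = $templates.Count
    }
}

# Usage:
#   DC:     Test-SmbBindings; Test-SysvolServer; if ms_server shows Bound=False, Repair-SmbBinding ms_server
#   Client: Test-SmbBindings; Test-SysvolReachable; then gpupdate /force and
#           re-check the Application log for Userenv / SceCli events.
```

Test-SysvolReachable distinguishes the two failure modes the thread conflates: Smb445Open False with the DC pingable points at the server-side binding (or a firewall), while Smb445Open True with PoliciesReadable False points at share or NTFS permissions on SYSVOL rather than the network.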