Client unable to join domain/GPO not working/DNS issue

Posted on 2001-06-16
Last Modified: 2012-06-27
Greetings all,

I am having several issues that I believe are all related to DNS and/or GPOs on my Domain Controller.

1) I cannot join the domain xxx.xxx.com from a client. When I do, I get the message: "the remote computer is not available". Another variation is: "Unable to contact remote network". However, I can ping the DC by IP and by FQDN - everything is good there. Also, nslookup returns: dc1.xxx.xxx.com just as it should.

2) When I go to the Group Policy tab I get a message: "DC for Group Policy operations is not available. You can retry using one of the following dc choices: One with Ops. Mast. token for PDC emulator, one used by AD snap-ins, or use any available domain controller." All options return the error: "failed to find a domain controller. there may be a policy that prevents you from selecting another domain controller - the network path was not found."

DNS is not producing any errors in event viewer. However, the application log is producing 2: 1) "The group policy client-side extension Security was passed flags (17) and returned a failure status code of (3)" and 2) "Security policy cannot be propagated. cannot access the template. error code=3 \\xxx.xxx.com\sysvol\xxx.xxx.com\policies\{31b2f-340-016d-11d2-945f...etc\machine\microsoft\windows\nt\secedit\gpttmpl.inf".

BTW, a guy from Microsoft spent a bunch of time here and said, "reload". I did, it didn't help. Every time I rebuild I get this problem.

CaptainOber
Question by:captainober
13 Comments
 
LVL 12

Expert Comment

by:Housenet
ID: 6198551
-At the server... Is the AD DNS zone for the domain bound to the inside IP?
-Is your client a DHCP client?
-Are the advanced TCP/IP properties for the local area connection of the client set up as default? (Register connection in DNS)
-Can you verify that DHCP is registering the DNS record in the zone for the client?
-Is there more than one A record in the DNS server zone for the client?
-Any invalid A records in the DNS zone? (host name with wrong IP etc.)
-Do you have any hosts or lmhosts files in winnt\system32\drivers\etc with reference to the DNS server that have invalid info?
-Are you using options 44-46 in DHCP & using hybrid resolution on clients & possibly have static WINS registrations or invalid WINS records?
-Is the DNS server allowing dynamic updates?

-Let me know..
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 6198633
listening..
0
 
LVL 1

Expert Comment

by:scwerntz
ID: 6199425
Are you running WINS on any of the servers? I found that I had problems getting machines to join the domain when it was an NT 4 domain with 2000 clients, if the DHCP server wasn't giving out the WINS server's address as part of the assignment (sometimes even when it was). What I would do is override the client's WINS settings and manually enter a local WINS server in the client's "Advanced TCP/IP" settings, but let DHCP issue the rest of the settings.

Curious if this would help resolve adding the server or client to the domain in your case.
0
 

Expert Comment

by:Lab1
ID: 6199909
Housenet, could you please email me at
lab1@experts-exchange.com

Thank you
Lab1
CS Moderator
0
 

Author Comment

by:captainober
ID: 6200045
-At the server... Is the AD DNS zone for the domain bound to the inside IP? YES - CaptO
-Is your client a DHCP client? YES - CaptO
-Are the advanced TCP/IP properties for the local area connection of the client set up as default? YES - CaptO
(Register connection in DNS).. YES, it's checked - CaptO
-Can you verify that DHCP is registering the DNS record in the zone for the client? Under scope - address leases, the IP and DNS name for the client are present with the correct IP. - CaptO
-Is there more than one A record in the DNS server zone for the client? There is NO A record for the client! CaptO
-Any invalid A records in the DNS zone? (host name with wrong IP etc.) NO - CaptO
-Do you have any hosts or lmhosts files in winnt\system32\drivers\etc with reference to the DNS server that have invalid info? No, there is nothing in there - CaptO
-Are you using options 44-46 in DHCP & using hybrid resolution on clients & possibly have static WINS registrations or invalid WINS records? NO, no WINS at all - CaptO
-Is the DNS server allowing dynamic updates? Only secure updates. CaptO
0
 
LVL 12

Expert Comment

by:Housenet
ID: 6200092
-Is there more than one A record in the DNS server zone for the client? There is NO A record for the client! CaptO

-Well, that is a problem... I'll assume you were looking in the forward lookup zone root for these A records.

-Open DHCP server admin... right-click & verify that the server is authorized for the domain.
-Right-click properties for the server name & verify that in the DNS tab the options set are..
"automatically update dhcp client info in dns"
"always update dns"
-Check the scope properties for the same options..

-Verify that permissions for DNS server root (right-click the server name in DNS admin) are "authenticated users=add child objects... Everyone=read".

-On the client station issue an ipconfig /release, then ipconfig /renew.... Check DNS (refresh) for the A record.

-If it does not happen at this point... Manually create the A record for the client station to see if it solves the original problem & we can work on what settings are preventing the automatic record creation by DHCP for the client...

0
 

Author Comment

by:captainober
ID: 6202306
Everything was good or I changed it to comply.  
1) Looking in forward lookup zone root. Is that . or xxx.xxx.com? I'm looking in xxx.xxx.com. That is where the A record(s) is. Nothing is in . My instincts tell me xxx.xxx.com is where I should be.
2) Permissions - "users=add child objects". I'm assuming you mean "create all child objects"? Everyone was not given read. I added that later.
3) I added an A record to domain for client1.  No luck.
I really think that the error messages about the policies may be key. ultimately I think they revolve around dns.  The errors are being generated every 5 mins.  the sources are Userenv and SceCli.  They were described in the first post.

thanks for all the help.  let me know what more info you need.

captO
0
 
LVL 12

Accepted Solution

by:
Housenet earned 1200 total points
ID: 6203836
The reason I haven't focused on the "Userenv and SceCli" errors that generate every 5 mins is because I have seen these errors before but never seen them actually be the source of a problem.
-For those errors, verify that file & printer sharing is bound to your NICs...
-Check that winnt\sysvol\sysvol\domain.name\policies\{31b2f-340-016d-11d2-945f...etc (whichever one it describes) actually exists.
-Find out which policy it is... Local, domain controller, domain, site, or OU. If you check the properties of these items you can see which policy it's referring to. (Example: for domain policy, right-click the domain name in ADU&C, click the Group Policy tab, click the Properties button, & under the General tab you should see the unique name {4534534534534534} etc.)
-This will tell you at least which policy it's having a problem with..

-Do you have more than one DC?
-Can you verify that all 5 FSMO roles are held by DCs in the domain?
-Would you consider loading up WINS just to see if it allows you to temporarily overcome this resolution problem?

-Can you describe anything you did before any of this happened? Like removed the first DC in the domain, added other DCs, created a site, fooled with advanced settings in TCP/IP?
0
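The checks from the answer above, collected into one diagnostic as an added example (not code from the thread or from Microsoft); it shows that a failed security-template read is a question of SMB reachability to SYSVOL, not of DNS alone. It assumes a current Windows release with the DnsClient, NetAdapter and SmbShare modules rather than the Windows 2000 tools used in the thread; `corp.example.com` and the `$GpoGuid` parameter are placeholders, and step 4 is meant to be run on the domain controller itself.

```powershell
# Added example. $Domain and $GpoGuid are placeholders (assumptions), not values from the thread.
param(
    [string]$Domain  = 'corp.example.com',  # placeholder domain name
    [string]$GpoGuid = ''                   # optional: the {GUID} named in the SceCli/Userenv event
)

$results = [ordered]@{}

# 1. DC locator SRV record: the first thing a joining client resolves.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
$results['DC locator SRV record'] = [bool]$srv

# 2. SYSVOL over SMB: group policy templates are read from this share,
#    so name resolution can succeed while this still fails.
$policies = "\\$Domain\SYSVOL\$Domain\Policies"
$results['SYSVOL Policies reachable'] = Test-Path -LiteralPath $policies

# 3. The security template the error names, when a GUID was supplied.
if ($GpoGuid) {
    $tmpl = Join-Path $policies "$GpoGuid\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    $results['GptTmpl.inf readable'] = Test-Path -LiteralPath $tmpl
}

# 4. On the DC: File and Printer Sharing (component ms_server) must be bound
#    to the adapters, and the Server service must be publishing SYSVOL.
$unbound = Get-NetAdapterBinding -ComponentID ms_server | Where-Object { -not $_.Enabled }
$results['F&P sharing bound on all NICs'] = -not $unbound
$results['Server service running'] = (Get-Service -Name LanmanServer).Status -eq 'Running'
$results['SYSVOL share published'] = [bool](Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue)

# Report each check on its own line.
$results.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

A pattern of OK for step 1 and FAIL for steps 2 to 4 matches the situation in this thread: DNS answers correctly, but the DC is not serving SYSVOL over SMB.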
 

Author Comment

by:captainober
ID: 6206260
"-For those errors, verify that file & printer sharing is bound to your NICS..." It wasn't. Didn't know that it was a must. Now everything is good!!! Such a simple issue.
Thanks so much. Points on the way.

the (grateful) captain

0
 
LVL 12

Expert Comment

by:Housenet
ID: 6208469
-That solved your original problem also ? Maybe I should have mentioned it earlier. :) Thanks B.t.w...
0
 

Author Comment

by:captainober
ID: 6209952
Yes, all problems are solved.  Didn't know that F&P services were needed by AD like that.  What gives?

CaptO
0

Question has a verified solution.