Solved

Cannot Join Domain

Posted on 2004-04-14
8
322 Views
Last Modified: 2010-04-13
Greetings,

We have a 20 workstation network. All the workstations are WIN2K pro
computers and the server is a WIN 2K server with active directory/DHCP/DNS.  

Most of the computers login to the domain, 'xxx.net', but four of the workstations
access a workgroup.  The problem is that I cannot get these computers to
join the domain.  Whether I use control panel/system or netdom, the error
message I get is 'The specified domain either does not exist or it could not
be contacted.'

If I go up to a computer which can log into the domain and change it to
workstation access, restart the computer and then try to change it back to a
domain, it cannot make the switch back.

We can use the internet, ping everything, map network drives, but not get workstations to join the domain.

Other details:

- Server has active directory running.
- DHCP / DNS is running on the server.
- There are no routers.
- All workstations are cabled into a switch.
- All computers already members of the domain work fine.

Any ideas will be appreciated.

Thanks.

Stephen Simpson
Question by:StephenSimpsonx
8 Comments
 
LVL 16

Expert Comment

by:JamesDS
ID: 10826443
StephenSimpsonx
This is almost always DNS

Make sure that the workstations are pointing to the same INTERNAL DNS server as your AD Server
Use the DNS MMC Snapin to check that the _MSDCS entries are there for your domain in the forward lookup zones, if not run this at the command line of your DC and check the event logs after 15 minutes for errors:

IPCONFIG /REGISTERDNS

Let me know how it goes

Cheers

JamesDS
 
LVL 1

Expert Comment

by:James Hilloya
ID: 10836675
I had this same problem; this is what you need to do:

Let's say your domain name is abc.com.
First make one of the trouble computers a member of the "workgroup" abc (make the workgroup name "abc"...), then reboot.
After that trouble computer is a member of the workgroup "abc", try to join the computer to the domain "abc"; then it should work.

In other words, make the workgroup name the same as the domain name; then, after the computer belongs to that workgroup, join the computer to the domain.
 

Expert Comment

by:joederion
ID: 10903031
Do you use a hosts file for your workstations?
Are the workstations getting an IP from the DHCP server?
If not, is your IP address scheme correct?
coolmarine24 is right, it should join the domain.
 
LVL 16

Accepted Solution

by: JamesDS (earned 500 total points)
ID: 10903554
Folks

>>first make one of the trouble computers a member of the "workgroup"

What exactly is this supposed to achieve, apart from creating spurious 20h, 1bh and 1ch entries in the NetBIOS namespace?

The error message "The specified domain either does not exist or it could not be contacted" is ALWAYS either DNS or network connectivity.
Simply joining a machine to a workgroup with the same name is not a technical solution - whether or not it might have worked once in the past.

We must address the fact that DNS is not working correctly if the domain cannot be addressed correctly from inside the LAN.

The DNS Server must allow the _MSDCS records to be created, and the Domain Controller(s) and the clients must all point to the same DNS server, or one with a full copy of the forward lookup zone for the AD domain.

Please try my original comment and let us know how you got on.


JamesDS
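The checks JamesDS describes (clients pointing at the internal DNS server, and the _MSDCS locator records present in the zone) can be verified from a client without opening the DNS MMC snap-in. This is an added example, not code from the thread; it assumes a modern Windows client with the DnsClient module (Windows 8 / Server 2012 or later), and the domain name and DNS server address are placeholders to replace with your own.

```powershell
# Added example: verify the DNS prerequisites for a domain join.
# $Domain is the AD DNS domain from the question; $ExpectedDns is a placeholder
# for the internal DNS server / DC address.
param(
    [string]$Domain      = 'xxx.net',
    [string]$ExpectedDns = '192.168.1.10'   # placeholder, not a value from the thread
)

# 1. Which DNS servers is this client actually using?  The primary must be the
#    internal DNS server that hosts the AD zone, not an ISP resolver.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($s in $servers) {
    Write-Host ("{0}: {1}" -f $s.InterfaceAlias, ($s.ServerAddresses -join ', '))
    if ($s.ServerAddresses[0] -ne $ExpectedDns) {
        Write-Warning "Primary DNS on '$($s.InterfaceAlias)' is not the internal DNS server"
    }
}

# 2. Do the AD locator SRV records exist in the zone?  These are what the join
#    process looks up; when they are missing you get 'The specified domain either
#    does not exist or it could not be contacted'.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain"
)
foreach ($name in $srvNames) {
    try {
        $recs = Resolve-DnsName -Name $name -Type SRV -Server $ExpectedDns -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $recs) {
            Write-Host ("OK       {0} -> {1}:{2}" -f $name, $r.NameTarget, $r.Port)
        }
    } catch {
        # Missing records: run IPCONFIG /REGISTERDNS on the DC (as suggested above),
        # wait ~15 minutes, check the DC event logs, then re-run this script.
        Write-Warning "MISSING  $name : $($_.Exception.Message)"
    }
}
```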
 
LVL 4

Expert Comment

by:averyb
ID: 10933566
As the post above mentioned, make sure your DC is using itself as its primary DNS server.  All client machines should use your DC as their primary DNS server.  Make sure the clients don't have any hosts or lmhosts files in use.

Did you install a new DC and shut down the original one without running dcpromo?  If so, then your FSMO roles are out-of-whack.  See the following MS Knowledge Base Articles for more information:
http://support.microsoft.com/default.aspx?scid=kb;en-us;223787&Product=win2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;255504&Product=win2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;255690&Product=win2000

Given the simplicity of your network, I would suggest changing to Active Directory Integrated Zones.
Go to DNS Admin | Select the Domain Controller | Forward Lookup Zones | Select your domain name | Right-Click and Choose Properties | Change Type to AD Integrated.  In this same area you can do some testing on the DNS server to see if it can resolve names properly.  Try them out and post the results.

You could also try creating new machine accounts in AD for your client machines.  You're just eliminating the possibility of a corrupt Machine Account in AD.  It might be part of the problem, but DNS is the probable culprit.

Part of me is thinking that this might be a SID problem, but hopefully the DNS changes will take care of it.  The SID could be the culprit if you installed a DC and gave it the same domain name as the original domain.

Are there any errors in the Event Viewer on the DC?

Averyb
 
LVL 4

Expert Comment

by:averyb
ID: 10933578
Two more things:
Make sure the proper IP address for the DNS server (i.e. the one on the DC) is specified in your DHCP options.

Also make sure that there are not any statically configured DNS servers on the clients.
 

Author Comment

by:StephenSimpsonx
ID: 11061666
Ok, we finally were able to make this problem go away.  

To review, the problem showed itself when you attempted to join the domain.  You got the message 'The specified domain either does not exist or it could not be contacted.'  Further, from time to time, a workstation which was a member of the domain would no longer be able to login.  An additional problem, which we later determined to be related, was that the login and browsing process was very slow.

Now, any computer can join the domain and the login is lightning fast.

What did we do?

We accessed the DNS server and noticed that there was no reverse lookup zone and the DNS lookup zone for the domain was misconfigured.  There were certain 'subfolder' items that were missing, and that DNS zone was not being updated automatically as information was gathered and requested, i.e., machine names were not added to the list.  We decided to delete the DNS lookup record for the domain and add it again.  We set it to automatically update DNS records when a request is made.  We also added a record for the server.  We also created a reverse lookup DNS record and set it up to work.  Finally, we sorted the order of DNS lookup addresses so it would use the internal DNS before the external one (the internet).

(In short, we deleted the DNS configuration information and added it in again.)
 
LVL 16

Expert Comment

by:JamesDS
ID: 11062007
StephenSimpsonx

You did not need a reverse lookup zone to make the AD work, although RLZ is best practice when configuring DNS and it does make troubleshooting easier using NSLOOKUP.

The _MSDCS entries would have been put back correctly into a zone that allows dynamic updates with the command IPCONFIG /REGISTERDNS on the DC. This command would also have put in the proper A and PTR records, but would not have fixed a missing SOA record, which it sounds like you had as well.

It also sounds like the original zone wasn't allowing dynamic update, which it is now.

Given that you had more than one issue, a "nuke it and start again" approach was probably the best thing to do :)

Anyhow, glad you got it fixed, and thank you for the points

Cheers

JamesDS