Unable to add to domain

ensure replication is working fine on the new DC and that DNS is functioning properly. Check your logs for replication and DNS related errors. Let us know the results


Mitch

also make sure that this new DC is registering its SRV records correctly. Restart the netlogon service and check for DNS errors

Do not find any DNS or replication errors on the DC. Also, tried restarting the netlogon service - no errors in the event logs.

This is the error that i find in the directory service log:

The checkpoint with the PDC was unsuccessful. The checkpointing process will be retried again in four hours. A full synchronization of the security database to downlevel domain controllers may take place if this machine is promoted to be the PDC before the next successful checkpoint. The error returned was: The RPC server is unavailable.

Maybe of help.

Hi damehta,

where abouts is the additional DC you installed   is it in the data centre

Cheers!

Both DC's were located at our corporate office, now the PDC is at the data center and the second DC is at the corporate office.

have you set up separate sites in AD now that the DC has been moved? can you ping the machine in the Data Centre?

I can ping the DC in the data centre just fine. I have 1 site setup on the DC. Do i need to add another site for the data center?

only out replication boudaries - i would myself

are the machines replicating?

I added a new site for the data center on the new PDC, and the other DC shows the setup. So i guess that is replicating fine. Any tools or tests that i can run?

DCDIAG and NETDIAG

try forcing a replication through the NTDS site links

I ran netdiag, initially it failed but i started the Remote Registry Service and it worked. All tests in netdiag passed, except DC list test. (Failed to enumerate DC's by browser)

Checked replication topology and that passed too

try running the netdiag tool with the /fix switch and see how you go

2k or 2k3 machines?

PDC 2K3, bdc 2k

try run DCDIAG on the 2k3 machine   much nicer tool

Ran dcdiag on the 2k3 machine, everything but the systemlog test passed.

good stuff   are both DC's DNS servers and does netdiag now pass all

Both DC's are DNS servers, netdiag passes for all on the 2K3 machine, and all but the DC List test pass on the 2K machine.

did you run with /fix switch?

Yes on the 2k machine, and the DC List test still fails.

hmm not so happy about that

DCs should be pointing at themselves only. No External DNS servers anywhere in the network configuration - except for DNS forwarders on the server

both DC's are DNS servers and have their own IP's in their configuration.

when you try and add a machine whats the error that you get

the network 'domainname' cannot be found

can you ping the DC's by name from the client

Cannot try that rite now, as i am not at the office, but if you are going to be online, i can go to the office real quick and try

hmm ill be here for a while   -  lunch time soonish but ill be around all day.. also check DNS suffix on the client machines and make sure there is no firewalla enabled on the clients

Sounds good, i will post what in find i about 60minutes then

no worries might not be at lunch for half hour yet

ok, i can ping the 2k DC which is local, but it does not resolve the 2K3 DC which is at the data center.

Also, when i try to add a client to the domain, it prompts me for a login. After the login, it comes up with the network name cannot be found.

use the domain\user   then password

also can you actually ping the 2k3 machine - not just resolve

Yes, i can ping the 2K3 machine with IP, does not resolve hostname.

i tried with domain\username, did not work either

theres your problem   can you resolve that 2k3 DC by name from the 2k machine?

Yes, the 2K3 machine resolves by name from the 2K DC.

what if you swap your clients prim DNS to that of the 2k3 server

I have set my client to have a single DNS entry which points to the 2K3 machine. Still will not resolve.

lunch    bac asap

Sounds good, this is also what i found, when i do a ping -a to the old IP address of the 2K3 machine, it resolves it to the machine name. This maybe the problem.

you will need to recreate that host record in DNS

Best way to do it?

Also, on the 2K3 machine, the 2K DNS does not show up in the DNS list. But both servers show up on the 2K machine under DNS

Also, on the 2K3 machine, i cannot add the 2K DNS by machine name. But i can add it by IP address.

netbios enabled on the 2k3 machine? - not that it should make a huge difference, locate the host record for the win2k3 server on the 2k DNS and add a new host record

run ipconfig /flushdns on the server

I can also add the DNS server on the 2k3 machine by servername.domainname.
Also, from the client i can ping 2K3 machine by servername.domainname

are you sure netbios is enabled?

In the network properties of the 2K3 machine, there is no NetBIOS. When i pick the install option, there is a NwLink NetBIOS compatible TCP/IP protocol option, does that need to be installed?

its under the actual TCPIP properties of the network properties and under the wins TAB

this needs to be set on the client and should be on the servers also

ok the NetBIOS setting is enabled on the 2K3 machine, it says use the NetBIOS setting from the DHCP server, if there is a static IP then enable NetBIOS over TCP/IP

yah thats the one    was that already enabled?

what does the host record for that 2k3 machine look like?

Yes that was already enabled on both the DNS servers. Also the DHCP server only gives out WINS and not NetBIOS to the clients. Does that need to be setup?
the host record on the 2K3 machine for the 2K machine looks like
machinename           Host               IP address

more interested in the 2k record for the 2k3 machine! :):)

WINS covers netbios

Similar on the 2K machine,
servername    Host   IP

nslookup
set type=srv
set type=srv
_ldap._tcp.dc._msdcs.YOURDOMAIN.COM
Server:  dnsserver.yourdomain.com
Address:  192.168.100.2

you should see something like this:

_ldap._tcp.dc._msdcs.YOURDOMAIN.COM       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server1.YOURDOMAIN.COM
_ldap._tcp.dc._msdcs.YOURDOMAIN.COM       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server2.YOURDOMAIN.COM
server1.YOURDOMAIN.COM       internet address = 1.1.1.2
server2.YOURDOMAIN.COM  nternet address = 1.1.1.1

When is run this on the 2K machine it give me a non-existent domain error

Nevermind, i tried it again and it worked fine.

XP client

I figured out the problem. The 2K DNS/DC was infected with a variant of the SPYBOT worm. Used the symantec article to clean it up:

http://www.symantec.com/avcenter/venc/data/w32.spybot.worm.html

On restart, the netdiag.exe tool passed all tests and i was able to add the client to the domain as well.

Thanks for all your help.

wow i didnt see that one coming! good to know though

glad all is well - seemed really odd that everything was setup right and nothing worked.....

cheers