Solved

Unable to add computers to the DOMAIN

Posted on 2006-07-11
11
2,659 Views
Last Modified: 2009-10-16
I am currently running Windows Server 2003, workstations are on XP/SP2. I was getting the error "Unable to logon due to domain controller could not be located". I have since taken workstation off of the domain and attempted to put it back on the domain with no success.

I am getting the error "DNS was successfully queried for the service location (SRV) resource reocrd used to locate a domain controller for domain <domain name removed>:

The query was for the SRV record for_ldap._tcp.dc._msdcs.<domain name removed>

The follwoing domain controllers were identified by the query.

msqnpdc.<domain name removed>
msqnsdc.<domain name removed>
ccpn-mail.<domain name removed>

Common causes of this error include
-Host A records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.
  -- I have verified that the IP Addresses are correct.

-Domain controllers registered in DNS are not connected to the network or are not running.
  -- I have verified that that controllers are running.

Have still been unable to add computers to the domain.

0
Comment
Question by:flemingh
11 Comments
 
LVL 33

Expert Comment

by:NJComputerNetworks
Comment Utility
make sure DNS is setup similar to this:

Server DC 1
NAme:  ServerDC1
IP:  10.10.10.5
subnet: 255.255.255.0
Gateway: 10.10.10.1
DNS1:  10.10.10.5 or 127.0.0.1  <--- must point to itself and not to ISP DNS server
DNS 2: Some other internal DNS server in the internal domain ....recommended also to be in the same site if possible

Client IP settings
Name:  Clientworkstation1
IP:  10.10.10.25
subnet: 255.255.255.0
Gateway:  10.10.10.1
DNS1:  10.10.10.5  <--- do not point to ISP ,...must point to local DNS server of the windows domain
DNS2:  some other internal Windows 2003 DNS server....but not to domain.



Other things to check... make sure the the netlogon directory is being displayed on your DC's.  to check Start --> Run--> \\servername\

0
 

Author Comment

by:flemingh
Comment Utility
We have checked the above however we continue to get the same errors
0
 
LVL 33

Accepted Solution

by:
NJComputerNetworks earned 400 total points
Comment Utility
run DCDIAG to check for errors...
0
 
LVL 1

Expert Comment

by:JEEGO
Comment Utility
Are the machines that you are attempting to join to the domain seperated from the Domain Controller by a VPN tunnel, by any chance?
If that is the case, then I suggest that you use the full domain name (pacomccp.jtf.pacom.mil) during the JOIN DOMAIN process.

Thanks

JEEGO
0
 

Author Comment

by:flemingh
Comment Utility
The machines are connected to the network via cable, I have typed in the fully qualified name, and still unable to join the domain.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 33

Expert Comment

by:NJComputerNetworks
Comment Utility
start --> run --> CMD

DCDIAG  <enter>


http://technet2.microsoft.com/WindowsServer/en/Library/5237db58-a1e8-40cd-ae8a-7f52848a90f21033.mspx?mfr=true


DO YOU SEE THE NETLOGON DIRCTORY ON YOUR DC's?????  Other things to check... make sure the the netlogon directory is being displayed on your DC's.  to check Start --> Run--> \\servername\


On your DC's check for Event log ERRORs!!!
0
 

Author Comment

by:flemingh
Comment Utility
Get time errors and also get the following error:
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355 A Primary Domain Controller could not be located. The server holding the PDC role is down.

Warning: DcGetDcName(Time_Server) call failed, error 1355 A time server could not be located.

The server holding the PDC role is down.
Warning: DcGetDcName(good_time_server-preferred) CALL FAILED, ERROR 1355
A good time server could not be located.
0
 

Author Comment

by:flemingh
Comment Utility
Another error I have showing Kerberos does not have a ticket for host/msqnpdc.pacomccp.jtf.pacom.mil

The Security System detected an authentication error for the server cifs/PDC. The failure code from authentication protocol Kerberos was
" There are currently no logon servers available to service the logon request.

The description for Event ID in Source W32Time cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE=flag to retrieve this description.
0
 
LVL 13

Assisted Solution

by:ylandrum
ylandrum earned 100 total points
Comment Utility
First of all, make sure the workstation and the server are set to the same time and time zone. Kerberos won't work of they are more than 5 minutes apart. Remember that if the server is set to 5:00 PM Central time and the workstaion is set to 5:00 pm Pacific time, the machines are 2 hours out of sync and Kerberos will not allow the workstation to authenticate.

If everything looks good with the time, make sure that you have a valid active server holding the PDC role. Get onto a DC (or use an xp workstation that has admin tools on it), open a command prompt, and run ntdsutil. Enter the follwoing commands:

roles
connections
connect to server <main dc>
quit
select operation target
list roles for connected server

You should get a listing of roles; make sure they are all correct. In particular, look for the PDC role (yep, there is still a PDC despite what MS says) and make sure it is pointing to the correct machine. It should look something like this:

PDC - CN=NTDS Settings,CN=<Server_Name>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=<domain>,DC=<ext>

for example:

PDC - CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=experts-exchange,DC=com

For that matter, all roles should be correct. If the entry is not correct, continue with the following commands:

quit
transfer pdc

(click Yes when asked)

It will list the known roles again with the PDC listed correctly.

At this menu, you can enter Help to see how to transfer the other roles. One more thing; if any of the entries are pointing to a server that does not exist, you will have to seize those roles rather than transfer them.

0
 

Author Comment

by:flemingh
Comment Utility
We are back up online. Able to add computers to the domain.

Ran DC Diag
did a W32tm /register
and rebooted.

0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now