Solved

Unable to join domain from separate subnet

Posted on 2007-10-15
Last Modified: 2012-08-13
I have a server that is currently unable to join the domain after it was reformatted. When I entered the old static IP info and tried joining it to the domain I received an error stating that the domain controller for my domain could not be contacted. This was followed by a list of all the DCs in the query and it listed them as follows:

dc2.
dc1.domain
dc2.domain

Notice the 2 entries for the second DC. Is that normal?

This is a totally isolated SINGLE-LABEL domain if that helps. The domain was previously a 2000 domain and they built new DCs with 2003 and migrated all the roles.

The other weird factor is that if you input the static IP info and add a WINS server, any WINS server, it will then allow it to be joined to the domain. The only problem is that we don't run WINS on any of our servers, so why does adding a fake WINS server change anything?

I also can join the domain through DHCP. This leads me to believe it may be some sort of switch/router config problem? Wrong VLAN, no available port?? The reg hack to allow single label domain names has already been performed to no avail.

Hopefully this is something obvious that we're missing.
Question by:goodman1210

36 Comments
Author Comment

by:goodman1210
ID: 20081989
Forgot to mention that the server is currently on another subnet in the building next door. If you bring the server over here and try to join it to the domain it joins fine.

Expert Comment

by:Ian Meredith
ID: 20082540
IMHO this seems to me an issue with the rules configured on the comms (routers) equipment between the two locations.

As you say, you're able to get it joined in so many other ways, just not the one you'd like to use.  I reckon you could troubleshoot this for some time to get the exact answer (Is it worth it??).

Hope this helps.
Ian



Expert Comment

by:Ian Meredith
ID: 20082545
Any chance you're able to re-create this link to another subnet in your primary location??

Might help with troubleshooting....

Author Comment

by:goodman1210
ID: 20082700
We had some port blocking rules in place but we had them all disabled to troubleshoot. I may be able to recreate the link to another subnet in the morning.

I really want someone to explain the whole WINS fiasco.

Expert Comment

by:richy92
ID: 20084688
At a guess your DNS is not working correctly and when you move the server to the same subnet it finds the domain through a NetBIOS broadcast - these don't usually cross routers so it won't work across subnets.
Setting a WINS server up will allow NetBIOS resolution across subnets - adding a WINS server also changes the way name resolution occurs and will work across routers - however if you don't have a WINS server running I'm not sure how adding an address makes any difference (you sure there's no WINS? :) )

Author Comment

by:goodman1210
ID: 20085094
Our team is divided into engineers, admins and hardware guys, so anytime I need the switches or router worked on I have to get them over here. Any specific things I should ask them to check for?

Author Comment

by:goodman1210
ID: 20088318
UPDATE:

One of our guys created a new fully qualified domain this morning. He created the same domain name except he called it abc.domain The DC for this new domain resides in the same building as our current one. When we tried joining the problematic DC from the other building to the new domain, everything worked fine. Does this now sound like a simple hardware configuration problem? Something like the routers are setup to only accept certain broadcasts from our .240 subnet. This new domain was created in an entirely new segment and subnet. Any help?

Expert Comment

by:JjcampNR
ID: 20098839
This still sounds like it may be either a routing issue or a DNS issue to me.  On the DNS server your problem server is using, does the DNS zone for your domain show with all the subnets and their reverse lookups correctly populated?  Can you ping the DCs by name and IP?  Did the abc.com domain servers use a different DNS server than you're using with your problem server?

My guess is that it's a DNS problem - failing that then I'm guessing you need to have your network guys check the routes for all your subnets and verify the ACLs allow traffic from your network across to the other subnets.  But honestly, look at DNS first.

Author Comment

by:goodman1210
ID: 20102593
OK SP2 has been determined as the culprit, now could someone please help me find the appropriate KB article/hotfix.

I rebuilt the problematic DC and joined it to the domain prior to installing SP2. As a test I took the DC out of the domain, restarted and tried rejoining it and it wouldn't. I'm getting this message:

"The following error occurred attempting to join the domain"
"The network connection was aborted by the local system."

I then decided to uninstall SP2 and it rejoined fine. A co-worker was building a server in the other building and he installed SP2 and could join/unjoin just fine with SP2 installed.

All of our servers run SP2 but they were built at the beginning of this year and connected to Windows Update prior to being put in their current, isolated LAN. This lets me think that they may have picked up a hotfix or something during those updates that prevented them from having the same problems.

Does this shed any light on my original problem? I've been trying to find a KB article but most of them deal with SMS servers. I'm not receiving any error events on the problematic DC or my primary DC. The only event ID that looked suspicious was 10016 but it only occurred once.

I can't hook this server up to the internet at all. So suggestions will need to keep that in mind.

Expert Comment

by:JjcampNR
ID: 20108888
I know SP2 did some hardening on the TCP/IP stack that caused me some problems with NIC drivers/software that are out of date.  Are you up to date on your software?  I'll look around and see if I can find other info for you.

Author Comment

by:goodman1210
ID: 20108913
All drivers for pretty much everything were updated to their latest versions.

Expert Comment

by:JjcampNR
ID: 20116944
Hum....I haven't turned anything else up yet.  Did you install the post SP2 Windows updates?  I've typically done this on my servers before adding them to the domain so I wonder if one of these updates fixed the issue introduced with SP2.  There shouldn't be too many if you have to download them on another machine and transfer them over.

Author Comment

by:goodman1210
ID: 20119488
That's what I was thinking as well. I rejoined it to the domain after removing SP2 and I'm going to reinstall SP2 tomorrow morning. Then I'll check to see if everything is resolving fine after SP2 is back on there. But I like your idea of getting the post SP2 updates.

Author Comment

by:goodman1210
ID: 20123072
OK.......

I reinstalled SP2 this morning and as expected I was immediately hit with 1030 and 1006 event IDs. They're happening every few minutes.

 So what's in SP2 that is causing all this?  I'm scouring eventID.net as we speak, but this should be an easy one for one of you. And keep in mind that this is a single label domain.

Author Comment

by:goodman1210
ID: 20124254
I'm on suggestion 20 from eventid.net and still nothing. I currently have SP2 and Windows updates installed. I installed the exact updates that are on the print server that is on the same subnet in the same building. It's in the same rack as a matter of fact, and I'm not having any problems with it. No event IDs at all. I've got to be missing something........

Expert Comment

by:JjcampNR
ID: 20136129
What's the source on the two events?  There are many different sources that may throw those errors and I want to be sure I'm focusing on the right ones.

Expert Comment

by:JjcampNR
ID: 20136139
Also, just to be sure....this is simply a DC on a physical server correct?  This isn't an Exchange server of any sort, or running in a VM environment?  What network services are running on this machine (DNS, DHCP, WINS, etc etc)?

Author Comment

by:goodman1210
ID: 20137528
Yes, it's simply a DC. It's running DNS and AD only.

Expert Comment

by:JjcampNR
ID: 20174359
What was the source of the two events you mentioned?  Those event ID numbers can be thrown by a number of different services.

Author Comment

by:goodman1210
ID: 20175683
Userenv.

After the rebuild and rejoining it to the domain prior to reinstalling SP2 all is well. But I still need to know why it was doing it in the first place because every new server I put over there is going to do the same thing. I'm really getting tired of all these single label domain name related problems. I'm seriously considering renaming the domain and adding .local

Accepted Solution

by:JjcampNR (earned 1500 total points)
ID: 20198341
Is the server multi-homed (does it have two network cards in it with each on a different subnet)?  Also, please check the following things and let me know:

If this happens to be a virtual server (which I believe you said above it is not) the problem is likely the network drivers on the HOST server (not your virtual DC which is a client server) which need to be updated.

Check that:
- DFS service on all DCs is started and set to "Automatic"
- There are no FRS issues (run "replmon" and make sure everything looks OK)
- TCP/IP Netbios Helper service is started and set to "Automatic"
- The "Everyone" group has the "bypass traverse checking" user right on the default DC policy.
- Antivirus is not scanning the SYSVOL directory or any of its subdirectories, if it is exclude it.
- Make sure the antivirus program on your server is the SERVER version not the client version.   Running the client version of certain antivirus apps can cause these errors.
- Make sure no users have stored credentials on that server, this can cause the errors you're seeing if the user has changed their password and their old info is stored.  To check, log on to EACH user account and go to:  Go to Start -> Control Panel -> User Accounts -> Advanced tab -> Manage Passwords.  Clear anything that's saved in there.  You cannot view this info for a different user account even if logged in as administrator.

Run a "dcdiag" from that server while it's experiencing the problem and see if everything comes up clean or if you see the error referenced here:  http://support.microsoft.com/kb/244474/en-us

If all that doesn't turn something up, your TCP/IP stack may be damaged.  Not sure why SP2 would be the cause of this, but try looking here and resetting it: http://support.microsoft.com/kb/325356
That shouldn't cause you any problems, but resetting the TCP/IP stack does tend to fix a ton of seemingly random and hard to track down network issues.

Other suggestions if none of the above works (sorry, these are REALLY generic errors and the source is generic as well):
http://support.microsoft.com/kb/555651

If ALL of that doesn't provide any additional info, let me know what you've found out by checking all this and the output of your dcdiag, etc and we'll get to the bottom of this.
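As an added illustration of the point richy92 raised earlier (domain join locates DCs through DNS, and only falls back to NetBIOS, which will not cross a router without WINS) and of the service items in the checklist above, here is a read-only PowerShell check that can be run on the server that refuses to join. It is not from the thread; it assumes the AD DNS name is passed as $Domain, the standard service names Netlogon, lmhosts (TCP/IP NetBIOS Helper) and Dfs, and PowerShell 5 or later.

```powershell
# Added example, not from the thread. Read-only diagnostics for a member server
# that cannot join the domain: are the DC locator SRV records resolvable, which DC
# does the locator pick, are the checklist services running, and is NetBIOS/WINS
# configured on each adapter. Assumptions: $Domain is the AD DNS name (the
# single-label name in this thread); service names Netlogon, lmhosts and Dfs are
# the standard ones; PowerShell 5+ (Get-Service exposes StartType).
param(
    [Parameter(Mandatory)] [string] $Domain
)

$results = [ordered]@{}

# 1. DC locator SRV records. Joining uses these DNS lookups, not broadcasts;
#    each should return at least one DC host name.
foreach ($name in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
    try {
        $rec = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        $results[$name] = 'OK -> ' + (($rec | ForEach-Object { $_.NameTarget }) -join ', ')
    } catch {
        $results[$name] = 'FAIL: ' + $_.Exception.Message
    }
}

# 2. Which DC the locator actually selects for this domain. nltest ships with
#    Windows; its output includes the DC name and the locator flags.
$results["nltest /dsgetdc:$Domain"] = (& nltest "/dsgetdc:$Domain" 2>&1) -join ' | '

# 3. Services from the checklist: running and set to Automatic.
foreach ($svc in 'Netlogon', 'lmhosts', 'Dfs') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) {
        $state = 'not installed'
    } else {
        $state = "$($s.Status), StartType=$($s.StartType)"
    }
    $results["service $svc"] = $state
}

# 4. Per-adapter NetBIOS over TCP/IP setting (0 = from DHCP, 1 = enabled,
#    2 = disabled) and any WINS server, which is what changed behaviour in the question.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $results["netbios $($_.Description)"] =
            "TcpipNetbiosOptions=$($_.TcpipNetbiosOptions) WINS=$($_.WINSPrimaryServer)"
    }

# Two-column report; a FAIL on the SRV rows points at DNS, not at the routers.
$results.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }
```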

Author Comment

by:goodman1210
ID: 20199248
I forgot to tell you that I ended up rebuilding the stack a week or so ago, and it ended up fixing it. I decided to do that based on common sense. I've had to rebuild the stack on a few other servers to fix some DNS and other similar problems.

My only error in dcdiag is:

event ID: 0x00000457
event string could not be retrieved
...................................DC2 failed test system log

My 2nd and 3rd DCs both fail with the same error. The primary DC is fine. Any ideas on that?

To me this is what seems to be happening: All is fine when SP2 is not installed. You install SP2 and the stack gets corrupted.....somehow. I'm not sure if this is a result of our environment or what. You rebuild the stack and all seems well. It's been up for a week or so and running/replicating fine. I thought I mentioned that in a previous post, but it looks like I didn't.

Thanks for all the above suggestions. And how do you set the "bypass traverse checking" user right in  the default policy?  I'm sure it's easy, but for some reason I didn't see it.

And you're right about rebuilding the stack. That has been my go to solution lately. It fixes a lot of stuff.

Assisted Solution

by:JjcampNR
JjcampNR earned 1500 total points
ID: 20209704
This typically happens if you're only pointing the DCs (DC2 and DC3) at themselves for DNS.  Try setting DC1 as the primary DNS server and then whichever server you're configuring to act as the secondary (so if you're doing this on DC2, set DC2 as the secondary).  If this doesn't resolve the issue, we may want to try and get more output from dcdiag....try running it as follows and post the output:

dcdiag /v /test:systemlog

As for the "bypass traverse checking" setting, I wouldn't worry about it now, it's really just a troubleshooting step.  If you're still interested in knowing where to find it, it's located here:

1. Control Panel, Administrative Tools, Local Security Policy (or Domain Security Policy on a domain controller).
2. Security Settings, open either Local Policies or Domain Policies, then click User Rights Assignment.
3. In the details pane, right-click Bypass traverse checking, and then click Properties.
4.  Click Add User or Group.
5.  In the Select Users, Computers, or Groups dialog box, type Anonymous Logon in the Enter the object names to select list box.
6.  Click Check names to verify that your entry is valid, and then click OK.

This is the link to the TechNet article from MS that describes this setting and it's where the wonderful directions on how to navigate there were copy/pasted from:
http://technet2.microsoft.com/windowsserver/en/library/7c2373bd-b2c2-4392-ad26-ffdd89ef8c741033.mspx?mfr=true

Let me know how it goes!


Author Comment

by:goodman1210
ID: 20216653
I have DC1 as the primary on all 3 DCs. I ran the verbose systemlog query and got the same results as I posted before for systemlog. But then again all this troubleshooting might not be practical now since the stack is repaired. Should I just wait until I install another box over there and see how it goes?

 I would like to know why the systemlog is still failing though.

We have Administrators, Authenticated users, and Everyone groups under bypass traverse checking.

One of my coworkers rebuilt an old server over on the same segment with Server 2008 RC3 on Friday and it joined the domain without any problems. No reg hacks, stack rebuilds or anything. That has to let us know something. Only thing I can think of that's different is that I promoted a 3rd DC for the subnet in the other building where we're having problems. Maybe since the broadcasts don't have to go across segments anymore things are working properly. I realize that shouldn't matter unless we were blocking certain things on the routers/switches, which we're not.

dead end---->dead end---->dead end  :(

Assisted Solution

by:JjcampNR
JjcampNR earned 1500 total points
ID: 20253491
Hey, I just ran across this today and thought of your question:
http://support.microsoft.com/kb/936594

Give that a shot, it's fixed a lot of my odd little network issues post SP2.  Let me know how it worked for you.

Author Comment

by:goodman1210
ID: 20270964
Thanks for the link.

They had 3 different NIC driver versions on the servers when I got here. All of the NICs are Broadcom NetXtreme II's. Those NICs incorporate the TCP/IP offload engine through their driver suite. And after reading that article it seems that maybe the differences in NIC drivers could be the culprit. Some of the servers had the Broadcom software suite installed while others only had the driver version that didn't incorporate the suite.

I now have all servers updated with the latest Broadcom driver suite and I'll build a few boxes on the suspect subnet and see if they join any easier.

Also, do you think that the differences in NIC drivers between the DC and member server could have been the entire problem? The TCP/IP offload engine is not installed by default in some of the versions.  

Expert Comment

by:JjcampNR
ID: 20277088
I'd be surprised if the version differences alone would be the problem; however I'd be less surprised if the differences in the way the versions of the drivers were working triggered a problem with the way that Windows was handling the TCP/IP stack.  Regardless, it's definitely a good idea to get all servers on a standard driver level, and with the same utility software installed - that way you know that your production environment is standardized so if issues like this do come up, there's less you have to sift through in order to track down the problem.

I hope this does it for you, but if you're still having trouble let me know and I'll do what I can to dig up more info.

Expert Comment

by:JjcampNR
ID: 20325307
Any luck with the patch?

Author Comment

by:goodman1210
ID: 20536748
I got tired of all this mess and rebuilt most of them and updated EVERYTHING to the latest versions. All seems to be fine now. I still really don't know what was wrong and it bugs me.

Expert Comment

by:JjcampNR
ID: 20546901
You and I are a lot alike - I haven't stopped wondering what was causing your issue since I first took a look at your post.  Glad to hear you're up and running, but it's too bad you had to rebuild everything to get things to work as they should've originally.

Author Comment

by:goodman1210
ID: 20549356
I still want to know why it does it, but I imagine it'll be hard to figure out. Thanks for your help before.

Expert Comment

by:JjcampNR
ID: 20570965
Without a machine experiencing the issue that we could test with, it'll be nearly impossible to figure out what was going on.  If you had a spare machine, you could always try downgrading drivers one by one and see if the issue pops back up.  Besides that, I think this is likely to stay a mystery.

Author Comment

by:goodman1210
ID: 20572063
When I have time I may rebuild one of the old servers and recreate the steps above.  I'm pretty sure I can recreate the problem. I'll let you know.

Author Comment

by:goodman1210
ID: 20618497
Awarding points since you mentioned the most probable fixes for this problem.

Author Closing Comment

by:goodman1210
ID: 31408178
Thanks for trying. Hopefully I'll get time to try it out again. I've made a ton of changes to our network and it'll be nice to see what happens.

Expert Comment

by:JjcampNR
ID: 20624874
Good luck!