Solved

Trying to join computer to domain returns error "cannot perform the requested operation"

Posted on 2007-11-13
Last Modified: 2013-12-05
Hail!

Here is my environment:
10.1.1.x - Servers and support subnet (including DC and DNS)
10.1.2.x - Desktops
10.1.3.x - Desktops

All subnets use a 24-bit netmask.

When I'm trying to join an XP client to the domain, I got the following message:  "cannot perform the requested operation".
I checked IP configurations and everything looks fine.

The thing is: When I plug the same client machine in the 10.1.1.x subnet, I'm able to join it to the domain.

Things to consider:
1- My domain FQDN is only MI. Not mi.com or mi.local... Only MI. Is this a problem?!
2- DC is running Windows Server 2000 SP4. I have 3 DCs running...
3- XP client has SP2 and all patches available installed.


Thanks!
Question by:rafaelbn
LVL 13

Expert Comment

by:bluetab
ID: 20276391
Does the client have a static or dynamic IP?  Make sure the subnet is 255.255.0.0.  If the subnet and DNS servers are correct can you ping the server by name and IP?  If that is working and you are still having issues please post an IPCONFIG /ALL of the workstation and server.
LVL 4

Expert Comment

by:ncrones
ID: 20276599
hi there

a few things to check

1) do you have IP connectivity between the subnets? can you ping from the pc subnet to the server subnet? how are the subnets set up - what connects them - a router? is this filtering ports? may be blocking ports required to connect with AD? assuming all of this is ok see 2)

2) in AD sites and services - what have you got set up in terms of sites and subnets? have you set up 3 subnets - 1 for each range - and then associated them all with the default site that the DC(s) is in?

re domain name some single named domains can cause issues with replication and trusts etc but don't think that's relevant here for just adding a workstation
 

Author Comment

by:rafaelbn
ID: 20276876
Bluetab,
Client has a dynamic IP. All subnets have 255.255.255.0 as netmasks. From the client, I can ping DC, DNS gateway and even open a share on a file server (providing correct credentials)


ncrones,
Yes... Connections between subnets are good. From the client I can ping the server, dns server, gateway. The subnets are connected by a firewall (checkpoint) BUT the firewall is configured for making all these subnets flat (no rules between them). I first thought it was that, but I sniffed the connection when I was trying to join that client to the domain and nothing was blocked.
I will answer number 2 tomorrow morning because I'm at home right now. What I can tell right now is that we have 3 other sub-domains, but I'm having this problem at the top-domain and those subnets are all local subnets.

Thank you all!
LVL 4

Expert Comment

by:ncrones
ID: 20277423
yes worth checking the sites and services set up and how subnets are mapped to the default site and dc server objects placement within these - if subnets not there manually add them in and then associate with one or more sites - eg the default. a site can have 1 or more subnets associated. DC server objects should be placed in the appropriate site if not already.

another thought you mentioned you can ping the DC, gateway etc - are you pinging an IP address in this test and/or netbios (eg server1) and/or a FQDN? (fully qualified domain name eg server1.yourdomain.com)? just to confirm name res is working you need replies from all - if that isn't working you will have issues.

one more the user acct you are attempting to join with has sufficient rights/permissions?

Author Comment

by:rafaelbn
ID: 20279597
ncrones,

I have all the subnets associated with the correct site and all local DCs are associated too.
I'm trying to join the client with the administrator account...

Here is the ipconfig from the server and the client.

SERVER
C:\WINNT\system32>ipconfig /all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : rjadw2k02
        Primary DNS Suffix  . . . . . . . : mi
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : mi

Ethernet adapter Rede MI (10.1.1.4):

        Connection-specific DNS Suffix  . : mi
        Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Com
plete PC Management NIC (3C905C-TX)
        Physical Address. . . . . . . . . : 00-02-1B-F2-08-22
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.1.1.4
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.1.1
        DNS Servers . . . . . . . . . . . : 10.1.1.4
                                            10.1.1.6
        Primary WINS Server . . . . . . . : 10.1.1.6
        Secondary WINS Server . . . . . . : 10.1.1.4


CLIENT
C:\Documents and Settings\Administrador>ipconfig /all

Configuração de IP do Windows

        Nome do host . . . . . . . . . . . : rjfsoft-04733
        Sufixo DNS primário. . . . . . . . : mi
        Tipo de nó . . . . . . . . . . . . : híbrido
        Roteamento de IP ativado . . . . . : não
        Proxy WINS ativado . . . . . . . . : não
        Lista de pesquisa de sufixo DNS. . : mi
                                            mi

Adaptador Ethernet Conexão local:

        Sufixo DNS específico de conexão  . : mi
        Descrição . . . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Et
hernet NIC
        Endereço físico . . . . . . . . . . : 00-17-31-50-5C-FA
        DHCP ativado. . . . . . . . . . . . : Sim
        Configuração automática ativada . . : Sim
        Endereço IP . . . . . . . . . . . . : 10.1.2.90
        Máscara de sub-rede . . . . . . . . : 255.255.255.0
        Gateway padrão. . . . . . . . . . . : 10.1.2.1
        Servidor DHCP . . . . . . . . . . . : 10.1.2.50
        Servidores DNS. . . . . . . . . . . : 10.1.1.4
                                            10.1.1.6
        Servidor WINS primário. . . . . . . : 10.1.1.6
        Concessão obtida. . . . . . . . . . : quarta-feira, 14 de novembro de 20
07 11:07:06
        Concessão expira. . . . . . . . . . : segunda-feira, 19 de novembro de 2
007 11:07:06

And yes... I can ping the server from client using netbios, fqdn and ip.

Thanks!
LVL 4

Expert Comment

by:ncrones
ID: 20279960
hmm another few things to check

have you got a reverse lookup zone(s) set in your internal DNS ?

another thing you could try is prestage the computer in AD - ie add the computer object in AD Users and Computers interface and then try joining again with the same name - because it is already there in AD it may make a difference...

Author Comment

by:rafaelbn
ID: 20281125
ncrones,

Yes... reverse lookup zones are configured.
I have already done that. Manually created that account, but same error again...


Look what i've tried...
The client was on that 10.1.2.x subnet. I changed the computer name to something else, restarted the computer.. And... same error...
So, I moved the computer to the 10.1.1.x subnet and reversed the name to what it was... restarted and then it worked like magic...

Any idea?!

Many thanks!
LVL 13

Expert Comment

by:bluetab
ID: 20282225
I found a solution that may help you out.  Verify that your routers are passing UDP ports 137 & 138.
UDP 137: Used for browsing, logon sequence, pass-thru validations, printing support, trust support, WinNT Secure Channel, and WINS registration.
UDP 138: NETBIOS Datagram Service. A principal rqmt for NetBIOS services on MS hosts (Win9x/ME/NT/Win2000).

Very bottom of this thread.
http://www.computing.net/windows2003/wwwboard/forum/5652.html

Author Comment

by:rafaelbn
ID: 20282588
bluetab,

Actually the router is a firewall (checkpoint one) that is configured to treat 10.1.1.0 and 10.1.2.0 as flat networks (no filtering rules...)

I'm doing some tests and as soon as i finish, i'll post here.

Thank you all again!

Author Comment

by:rafaelbn
ID: 20283295
Ok... This is what I tried....

The domain that i'm having problems is MI.
But I have a subdomain, called RJ.MI
When I try to join that same xp client, no matter what subnet it is, I can successfully join to that domain using the same account credentials...

This one is hairy....
LVL 13

Expert Comment

by:bluetab
ID: 20283411
What domain can you join to and which can you not?  

Author Comment

by:rafaelbn
ID: 20283592
bluetab,

I can join to RJ.MI (subdomain)
I can't join to MI (top-level domain)

Author Comment

by:rafaelbn
ID: 20285953
Just some more info...

In my workstation, I executed nslookup and found something really strange...
Here's the output of the command


C:\Documents and Settings\rafael>nslookup
Default Server:  rjadw2k02.mi
Address:  10.1.1.4

> mi
Server:  rjadw2k02.mi
Address:  10.1.1.4

*** rjadw2k02.mi can't find mi: Non-existent domain
> rj.mi
Server:  rjadw2k02.mi
Address:  10.1.1.4

Name:    rj.mi
Address:  10.1.1.19

Did not like that non-existent domain...
Googling for it!
LVL 4

Expert Comment

by:ncrones
ID: 20287815
heh again

right i finally found that kbase article i have been searching for for ages about single DNS named ADs - see this and let me know if it resolves the issues

http://support.microsoft.com/kb/300684

you are basically having issues with authenticating to the root MI domain? this hopefully will solve it - i had a client years ago who had one of these configurations caused all sorts of problems!


Author Comment

by:rafaelbn
ID: 20297369
ncrones,

I will follow the instructions on that article and as soon as possible i'll post again!

Thank you very much!

Author Comment

by:rafaelbn
ID: 20311317
Ok...

I'll put this problem on hold because our Exchange database just crashed...
As soon as I put it back up, i'll post again...

Many thanks!

Author Comment

by:rafaelbn
ID: 20364872
Ok!
Exchange is up again and I can now carry on...

I was looking at my WINS environment and found this:

WINS server 1 (preferred server) 10.1.1.6 (also a DC)
I have a static entry called MI, Type [1Ch] Domain Controller / IP 10.1.1.4 / Active / Static / Owner 10.1.1.6

WINS server 2 (secondary server) 10.1.1.4 (also a DC, Main server)
I have a static entry called MI, Type[1Ch] Domain Controller / IP 10.1.1.4 / Active / Static / Owner 10.1.1.4

Funny thing is that this entry didn't replicate to each server, and they are configured as push/pull partners.

My question: Do I need to list all DCs on Wins? Just the main server? Just the server that holds PDC emulator?

Thanks again!
LVL 4

Accepted Solution

by:
ncrones earned 400 total points
ID: 20367529
lol if it isn't one thing it's another!

re WINS static entry for 10.1.1.4 - did you create this once on one server and it replicated across or did you create it manually on both servers separately?

All DCs should be listed on all name servers - sometimes exceptions to this rule - don't know enough about your environment to comment properly. given you are using push/pull wins replication on both best practice is to set each wins server as its own primary wins server in IP properties and then the other as secondary - i spotted in your server ip details above you have it pointed to the other server (ie .4 points to .6 as primary). also re how clients get WINS server details i take it these come down via DHCP? do you have a DHCP server in each subnet? is each set to push the local WINS server IP down in its additional details?
LVL 4

Expert Comment

by:ncrones
ID: 20367746
another way to test if it is a wins issue is to manually create a static entry for the DC in the affected workstation's LMhosts file and then do a netstat -RR to clear the local name cache and reregister with the wins server. try again after that.

lmhosts.sam file lives in %SystemRoot%\System32\Drivers\Etc
you need to delete the .sam part so it is just lmhosts and follow the syntax egs to enter server name and IP address.
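
The LMHOSTS test suggested above, as an added example that is not part of the original thread: a small Python helper that writes DC entries in the LMHOSTS syntax (`#PRE`, `#DOM:` and the space-padded `\0xNN` form for an explicit 16th byte). The host `rjadw2k02` and its address come from the thread; `EXAMPLE-DC2` and the choice of 10.1.1.4 as PDC emulator are assumptions.

```python
import ipaddress

NETBIOS_MAX = 15  # a NetBIOS name is 15 characters plus a one-byte type suffix


def check_name(name):
    """Reject names NetBT cannot represent instead of silently truncating them."""
    if not name or len(name) > NETBIOS_MAX or any(c in name for c in ' \t"#'):
        raise ValueError(f"not a usable NetBIOS name: {name!r}")
    return name


def dc_entry(ip, host, domain):
    """Preloaded (#PRE) entry that also lists the host as a DC of `domain` (#DOM)."""
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return f"{ip}\t{check_name(host)}\t#PRE #DOM:{check_name(domain)}"


def suffix_entry(ip, name, suffix):
    """Entry with an explicit 16th byte, e.g. 0x1B (domain master browser).

    LMHOSTS expects the name space-padded to 15 characters followed by \\0xNN,
    so the quoted string is always exactly 20 characters long.
    """
    ipaddress.IPv4Address(ip)
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must fit in one byte")
    quoted = f"{check_name(name):<{NETBIOS_MAX}}\\0x{suffix:02x}"
    return f'{ip}\t"{quoted}"\t#PRE'


def build_lmhosts(domain, dcs, pdc_ip=None):
    """Return LMHOSTS text: one #DOM line per DC, plus an optional 0x1B line."""
    lines = [dc_entry(ip, host, domain) for host, ip in dcs]
    if pdc_ip is not None:
        lines.append(suffix_entry(pdc_ip, domain, 0x1B))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # rjadw2k02 / 10.1.1.4 are from the thread; EXAMPLE-DC2 is a placeholder name
    # and treating 10.1.1.4 as the PDC emulator is an assumption.
    dcs = [("rjadw2k02", "10.1.1.4"), ("EXAMPLE-DC2", "10.1.1.6")]
    print(build_lmhosts("MI", dcs, pdc_ip="10.1.1.4"), end="")
```

After saving the output as `%SystemRoot%\System32\Drivers\Etc\lmhosts` on the client, `nbtstat -R` reloads the `#PRE` entries and `nbtstat -c` lists what was cached.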

Author Comment

by:rafaelbn
ID: 20376273
ncrones,

I can't answer if this static entry on 10.1.1.4 was created or replicated, because I'm new in the company.
Yes... Clients get WINS configs through DHCP. Here we have a DHCP server with 4 NICs, one in each network. Both WINS are in the same network 10.1.1.x, and DHCP for all subnets is configured to give 10.1.1.6 as the primary WINS and 10.1.1.4 as secondary.

So I should manually create static for all DCs on the primary server and let it replicate right?

Thank you so much!!

Author Comment

by:rafaelbn
ID: 20376383
ncrones,

Just checked...

10.1.1.4 had 10.1.1.6 as its first WINS server. Corrected that...
10.1.1.6 was right...

I'll create static entries on 10.1.1.6 for all DCs and let it replicate and see if it helps me...
LVL 4

Expert Comment

by:ncrones
ID: 20376517
ahh a multihomed (ie more than one NIC/network card) name server and dhcp server adds complexity as traffic and requests can pass to different cards.

before we look at that did you do the lmhosts test from the affected client pc(s)? if not hard code the DCs and wins server details into the lmhosts file and flush name cache on pc and try connecting again.

cheers
Nick

Author Comment

by:rafaelbn
ID: 20376547
ncrones,

Only my DHCP server has more than one NIC. My name server has only one...
LVL 4

Expert Comment

by:ncrones
ID: 20378465
did u try the lmhosts test?

Author Closing Comment

by:rafaelbn
ID: 31409117
ncrones,

After I corrected that problem on my WINS server, I created a domain entry containing the IP address of all DCs and that is it!
Thank you very much!!