Errors after joining domain and / or promoting remote server to a DC

We have two sites linked by a permanent VPN (using Cisco Pix firewalls).  All traffic is allowed between the two sites over the VPN.
At Site1, we have a SBS2003 and an additional DC.  No problems at that site.
At Site2, we want to add a DC.  The server can join the domain fine, but on reboot and logon the server hangs for a long time on "Applying your personal settings".  Removing the network cable allows the server to complete the logon, and can then be reconnected.

The server has a fixed IP and has its primary DNS set to be that of one of the servers in Site1 (have tried each one - same problem).  Also set the WINS to point to the DC at Site1 that runs WINS, same problem.

I have run DCDIAG and NETDIAG on both DCs at Site1, all tests pass.

This seems to be a DNS error, but everything looks fine.  Any help appreciated.

Additional error messages below - I'm pretty sure that they are all symptoms of the same problem though. Every few minutes, this error message pops up:
Naming information cannot be located because:
The system detected a possible attempt to compromise security.  Please ensure that you can contact the server that authenticated you.
Contact your system administrator to verify that your domain is properly configured and is currently online.

If we try to run DCPROMO, it gets so far then fails with:
The operation failed because:
CN=NTDS Settings,CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local on the remote domain controller DC02.DOMAIN.local. Ensure the provided network credentials have sufficient permissions.
"Could not find the domain controller for this domain."

There is also an error in the system log as follows (event ID 40960) which occurs after bootup:
The Security System detected an authentication error for the server cifs/serverho.FOCSA.local.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request."

Well jeez you didn't leave much wiggle room did you?   Lol.

Sounds like you have ruled out network ports via VPN, basic DNS configuration....

Is RRAS or ISA configured on the SBS server?

Perhaps you can download port query from MS and try to hit ports: 88, 389, 445 on the site 1 DC from the site 2 DC you are trying to join.

If it's a domain controller, is it running DNS?
If it is a domain controller, it should always point to itself for DNS, then have a forwarder set in DNS for external queries, not another internal server.
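The two checks suggested above (PlaceboC6's port test against 88, 389 and 445, and ryansoto's "a DC points at itself for DNS and forwards externally") can be run from the new Site2 server in one go. This is an added PowerShell example, not something posted in the thread; the DC hostnames, the domain name and the interface selection are assumptions to replace with your own.

```powershell
# Added example (not from the thread). Run on the Site2 server being promoted.
# $Site1Dcs and $Domain are placeholder values; substitute the real names.
param(
    [string[]]$Site1Dcs = @('DC01.DOMAIN.local', 'DC02.DOMAIN.local'),  # assumed names
    [int[]]$Ports      = @(88, 389, 445),   # Kerberos, LDAP, SMB, as listed in the thread
    [string]$Domain    = 'DOMAIN.local'     # assumed domain name
)

# TCP connect test with a timeout, so a silently dropped packet shows up as a failure
# rather than hanging the script (the same thing PortQry reports as FILTERED).
function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($dc in $Site1Dcs) {
    foreach ($p in $Ports) {
        $state = if (Test-TcpPort -Server $dc -Port $p) { 'open' } else { 'BLOCKED/timeout' }
        '{0,-25} {1,5}  {2}' -f $dc, $p, $state
    }
}

# DNS client configuration: on a DC running DNS the first server listed should be
# this machine (its own address or 127.0.0.1), not a DC across the VPN.
$self = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }

$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $servers = @($nic.DNSServerSearchOrder)
    'DNS servers on {0}: {1}' -f $nic.Description, ($servers -join ', ')
    if ($servers.Count -gt 0 -and ($servers[0] -eq '127.0.0.1' -or $self -contains $servers[0])) {
        '  OK: primary DNS is this server'
    } else {
        '  WARN: primary DNS is not this server (a DC should point at itself and forward externally)'
    }
}

# External queries should go out through forwarders on the local DNS server, not through
# another internal server. dnscmd ships with the Server 2003 DNS role.
dnscmd . /Info Forwarders
```

Read the port table first: a row showing BLOCKED/timeout for 88 or 389 means the join and DCPROMO will fail at Kerberos or LDAP long before DNS is the problem, while three open rows (as the asker later reports) rule the VPN out and move attention to DNS and credentials.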
David Haycox, Consultant Engineer

PlaceboC6: not much wiggle room no!  I like to think I've tried all the "obvious" stuff.  There's no ISA, RRAS is not configured either.  I will try the port query...

ryansoto: It IS running DNS, but I've only just installed it, haven't configured it yet.  I will try setting up the zone and pointing DNS back at itself, and let you know what happens.
It sounds like you have definitely tried the basics.

The port query will test Kerberos (88), LDAP (389), and SMB (445).
David Haycox, Consultant Engineer

The ports all respond ok on both servers at Site1 - which confirms the VPN connection is fully open.

DNS is now configured with a copy of the domain zone, server pointing at itself for queries.

Same problem still I'm afraid... any more thoughts?

Are you able to ping the other machine?  Also did you copy the forward lookup zone?
David Haycox, Consultant Engineer

Yes, ping is fine, also browse for files, view the internal website, connect to Exchange, etc.
Yes, I did copy the forward lookup zone.  Didn't bother with the reverse one.

I assume you're using the full domain name when trying to join...?

company.local if you use .local?
David Haycox, Consultant Engineer

Yes, absolutely.

Is the other DC running any sort of firewall software?

The main site - you have one SBS box; what about the other, is that also SBS or 2k3?

Try adding the machine from the domain controller vs joining from the remote site. Let it replicate.
Remove it from original domain controller then try adding it the same way you are doing.
If you are able to browse file shares,  it is likely the ports will come back and respond.

David Haycox, Consultant Engineer

There's no software firewall running on any of the servers involved (I've had that problem before though).
The other DC is running Server 2003 SP2 R2.
We already ran ADPREP for R2 before we were able to join that DC to the domain.
How do I go about adding it from the domain controller?  Do you mean add the computer account in manually first, before joining the new DC?
Thanks for the help so far.

Add the machine in ADUC under the domain controllers OU
There is no reason to pre-stage a DC's computer account.  If SMB traffic is passing as it should and DNS is set up right, there is no reason it can't create the account on its own.

I've never pre-staged a DC, and honestly have never looked to see if you can.  I would have to try it in my VMs to see.

I've set up 100s of domains in my role.  Lots of practice.

One of the errors said to make sure the account has sufficient permissions.
I am curious.  Which account are you using?

How about you try creating a test user account.  Only put it in the Enterprise and Domain Administrators groups.  Then use those credentials and see what is happening.

Want to rule out a problem with the built-in admin being in either too many groups or a group that has a deny in the security policy somewhere.  Domain Guests and Remote Operators are two groups in particular you never want to slap an admin account in.

I have seen where you add a machine, then remove it (from the existing DC), then add it normally (from the new server), and it then takes, which is why I suggested it. :)
Let me ask you this also.

Have you checked the system log on the second domain controller at the primary site for Kerberos errors?

Also check the FRS and Directory service logs for any failures.

I see that it is trying to talk to DC02 during the promotion.

The two domain controllers at the primary site: are they pointing only at DCs for DNS, and not a third party?

Lastly, in the DNS configuration on your good DCs, do you have an _msdcs forward lookup zone present?
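The "too many groups or a group with a deny" theory above is testable without creating a second account first: the tokenGroups attribute of a user object gives every security group the account is effectively in, nesting already resolved, which is what a DC evaluates when it builds the logon token. The script below is an added example, not code from the thread; it reads that attribute, prints the effective group list, flags the group names the thread says an admin should never be in, and finishes with the _msdcs locator lookup from the last question. The account name, the flagged group list and the domain name are placeholders.

```powershell
# Added example (not from the thread). Run on any domain-joined machine as a domain user.
# $Account, $NeverInGroups and $Domain are placeholder values to replace with your own.
param(
    [string]$Account        = 'administrator',
    [string[]]$NeverInGroups = @('Domain Guests', 'Guests'),   # names taken from the thread's advice
    [string]$Domain         = 'DOMAIN.local'                   # assumed domain name
)

# Locate the user object under the domain naming context.
$root     = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]('LDAP://' + $root.defaultNamingContext)
$searcher.Filter     = "(&(objectCategory=person)(sAMAccountName=$Account))"
$result = $searcher.FindOne()
if (-not $result) { throw "Account '$Account' not found in $($root.defaultNamingContext)" }

# tokenGroups is a constructed attribute: it is only populated on an explicit refresh,
# and it contains the SIDs of all security groups, including nested membership.
$user = $result.GetDirectoryEntry()
$user.RefreshCache(@('tokenGroups'))

$groups = @(foreach ($sidBytes in $user.Properties['tokenGroups']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }   # DOMAIN\Group
    catch { $sid.Value }                                                     # unresolvable SID
})

'Effective security groups for {0}: {1}' -f $Account, $groups.Count
$groups | Sort-Object | ForEach-Object { "  $_" }

# Compare the short group name (after the backslash) against the list to avoid.
$flagged = @($groups | Where-Object { $NeverInGroups -contains $_.Split('\')[-1] })
if ($flagged.Count -gt 0) {
    'WARN: {0} is, directly or by nesting, in: {1}' -f $Account, ($flagged -join ', ')
} else {
    'OK: {0} is not in any of: {1}' -f $Account, ($NeverInGroups -join ', ')
}

# The locator records a join/promotion resolves first; every advertising DC should be listed.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"
```

A long effective group list, or an unresolvable SID (a group deleted while the membership lingered), is the kind of thing that separates the built-in administrator from a fresh account that is only in Enterprise Admins and Domain Admins. The deny side of the theory, a group listed under a "Deny ..." user right in a GPO, is not visible in tokenGroups; for that, compare the Resultant Set of Policy (rsop.msc or gpresult) on the failing server for the two accounts.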
David Haycox, Consultant Engineer

I'll start with the last question first:

Kerberos errors: none
FRS and Directory logs:  clean (couple of errors on the SBS box though, but they relate to a user object, so I don't think they're relevant)
DCs are only pointing at DCs for DNS, no third parties.
_msdcs forward lookup zone is present.

I was using "administrator" - I'll try a new account that's just in Enterprise and Domain Admin groups: good heavens it works!
Domain joined normally, as far as I can tell so far.  Not sure what exactly is wrong with the "administrator" account though.

Result though, thanks very much!
The account may either be in too many groups, or a group that it is in has a deny somewhere it shouldn't in a security policy.

Glad I was able to help.