Solved

Clients cannot connect to child domain

Posted on 2008-10-01
11
1,018 Views
Last Modified: 2012-05-05
Hello all

I am trying to set up a child domain. Once this error (below) popped up first time i thought i'd made a mistake, un-dcpromo'd the child, wiped the server and started again using instructions from MS themselves and various other sites (which all basically say the same thing) word for word and set up everything as it should be. I have checked and double checked the forward and reverse lookup zones and all other DNS settings for both Parent and Child server and both look fine.

the child server is a brand new completely clean install of 2003 standard but i inherited the parent domain which is up and running nearly all day everyday, i probably have a 3 or 4 hour gap at night where testing / changing anything on the parent DC is possible.
The child domain itself is created with dcpromo without any problems or errors but whenever i try to join the domain with any client pc i get

'A domain controller for the domain XXX cannot be contacted. Ensure the domain name is typed correctly' (duh!) and in the details it says:

The domain name xxx might be a NetBIOS domain name.  If this is the case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain xxx:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.xxx

Common causes of this error include the following:

- The DNS SRV record is not registered in DNS.    <<<<-this definitely is not the case, i can do a screen dump to prove!

- One or more of the following zones do not include delegation to its child zone:

xxx
. (the root zone)


I have tried joining by xxx and by xxx.yyy.co.uk but both bring up the same error. The client PC is configured to point at the child domain for primary dns and parent for secondary. I have swapped the primary and secondary but still get the same error above.

Both servers are running 2003 standard and are fully up-to-date as are the client PCs (running XP SP3)
Clients all have static IPs

please ask if you need any more details


PLEASE HELP!!! all i seem to be doing is going round in circles checking the DNS and WINS on both servers.

any suggestions would be greatly appreciated
0
Comment
Question by:mrroonie
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 3
11 Comments
 
LVL 13

Author Comment

by:mrroonie
ID: 22613294
i forgot to add i've already set up delegation in the parents DNS to the child

i have also made the child a GC
0
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 500 total points
ID: 22620281
No nead to delegate the zone. Use AD-integrated zone for the parent domain and let the child's DNS-name be created as sub-domain instead of a separate zone. Shouldn't matter for the problem, but it will be cleaner in the DNS-structure to have one common zone with logical tree structure than alot of parallell zones in the GUI.

As the message indicates: Is the SRV-records created in the child DNS domain?
Logon to the DC and run netdiag/fix to let it re-register the SRV-records.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22621624
Yah, Henjo is right. It looks like the SRV records are missing.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23356031.html

This should fix your issue.
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 
LVL 13

Author Comment

by:mrroonie
ID: 22622795
thanks for the replies guys

henjoh - >>>Use AD-integrated zone for the parent domain and let the child's DNS-name be created as sub-domain instead of a separate zone  <<<< so delete the delegation in the parents DNS and then add a new A record for the child DC?

The plot thickens when running a netdiag /fix - it shows there is remnants of another child domain, i think the setup here before was zzz.yyy.co.uk when it should have just been yyy.co.uk in the first place so, in effect, there was an 'orphan' domain.

.....................................

    Computer Name: MAIN-DC
    DNS Host Name: MAIN-DC.yyy.co.uk
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 3 Stepping 3, GenuineIntel
    List of installed hotfixes :
        KB924667-v2
        KB925398_WMP64
        KB925876
        KB925902
        KB927891
        KB929123
        KB930178
        KB931784
        KB932168
        KB933729
        KB933854
        KB935839
        KB935840
        KB936021
        KB936357
        KB936782
        KB938127
        KB938127-IE7
        KB938464
        KB941569
        KB941693
        KB943055
        KB943460
        KB943485
        KB943729
        KB944338-v2
        KB944653
        KB945553
        KB946026
        KB948496
        KB948590
        KB949014
        KB950762
        KB950974
        KB951066
        KB951072-v2
        KB951698
        KB951746
        KB951748
        KB952954
        KB953838
        KB953838-IE7
        KB953839
        Q147222


Netcard queries test . . . . . . . : Passed
    [WARNING] The net card '1394 Net Adapter' may not be working because it has not received any packets.



Per interface results:

    Adapter : Local Area Connection 2

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : main-dc
        IP Address . . . . . . . . : 111.111.111.111
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 111.111.111.100
        Dns Servers. . . . . . . . : 111.111.111.111


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{F162D9F1-CF52-44C8-B061-B584A644831A}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Failed
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.zzz.yyy.cam.ac.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.42d1d66e-791c-4797-b702-06c46de43e40.domains._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry 467b01aa-31e8-4dc2-bf28-27212de60cbc._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _kerberos._udp.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _kpasswd._udp.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _gc._tcp.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _gc._tcp.Default-First-Site-Name._sites.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.pdc._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for this DC on DNS server '111.111.111.111'.
    [FATAL] No DNS servers have the DNS records for this DC registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{F162D9F1-CF52-44C8-B061-B584A644831A}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{F162D9F1-CF52-44C8-B061-B584A644831A}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully


chiefIT - sorry i forgot to mention i had already flushed the DNS numerous times, i've been on this thing for a while now and i can't remember everything i've tried with it, but i'll let you know as i remember them
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22627169
Delegation is as said not necessary in same AD-forest and can be deleted from yyy.co.uk.
Delete the zzz.yyy.co.uk zone from DCs. If having records in it that you want to keep, take a backup first by using command 'dnscmd /zoneexport zzz.yyy.co.uk filename.dns'
To create domain in parent DNS-zone, right-click on zone-name (yyy.co.uk) and choose 'New Domain'. As value enter the sub-domain name (zzz).
Configure DNS-zone yyy.co.uk to be stored in AD to get it replicated between DCs.
Also configure zone to allow dynamic updates. If setting dynamic updates to secure only, clients will be required to be AD-members.

Configure DC in child domain to use parent DC as primary DNS and itself as secondary DNS to get redundancy and avoid errors when restarting DC.
When that is done, re-run netdiag/fix

Just a thaught: Is it necessary to create child domain, or can you instead create OU-structure in parent domain?
Only requirement for having multiple domains is the nead of having multiple password policies in AD 2000/2003. AD 2008, that isn't necessary anymore as multiple password policies can be used in same domain.
0
 
LVL 13

Author Comment

by:mrroonie
ID: 22632762
hi henjoh, i think we're getting somewhere now, i deleted zzz.yyy... and created the new sub domain in the yyy zone

all zones were already configured to allow dynamic updates from both secure and unsecure.

running a netdiag /fix after that gives exactly the same failures as my previous post but now when i try to join a client to the domain it sees the srv record but still doesn't join -

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain xxx.yyy.uk:

The query was for the SRV record for _ldap._tcp.dc._msdcs.xxx.yyy.uk

The following domain controllers were identified by the query:

sub-dc.xxx.yyy.uk

Common causes of this error include:

- Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network or are not running.

the A record is present though! and is the correct address!

i've tried joining the domain with the primary dns pointing to the main dc and the child dc, both bring up the above error

Sadly we do need the child domain for p/w policies as we are running 2003 otherwise i wouldn't have even bothered trying to fix this.
i think its the previous 'orphan' domain thats causing the issues but i've cleared everything i can find on it out of DNS
when i create new users in AD some of them are created as user@yyy.co.uk and some of them are still created as user@zzz.yyy.co.uk - zzz is the 'orphan' i'm trying to get rid of. it is completely random whether a user is @yyy.co.uk or @zzz.yyy.co.uk

0
 
LVL 13

Author Comment

by:mrroonie
ID: 22634400
just to add - clients can ping the child server by IP, not by FQDN of the new sub domain. but if i ping using the old orphaned FQDN i get a reply. i think i need to get the pointer out of the reverse lookup zone but it will not let me delete the record
0
 
LVL 13

Author Comment

by:mrroonie
ID: 22634567
i have tried the dnscmd /RecordDelete to delete the pointer but i get DNS_ERROR_ZONE_DOES_NOT_EXIST
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22639195
Is firewall enabled on DC preventing clients from joining domain?
It can be turned on, but nead to have the necessary ports opened. Try to turn it off temporary to see if it helps.
0
 
LVL 13

Author Comment

by:mrroonie
ID: 22647956
Firewall was on but hasn't made a difference turning it off. i have just found there was an xxx folder under the main (yyy) domain as well as an integrated primary. Think i just needed a fresh pair of eyes on it after being bogged down with it for so long. i deleted the xxx folder and the clients could join. henjoh gets the points for the pointer to create it as AD-integrated primary
0
 
LVL 13

Author Closing Comment

by:mrroonie
ID: 31501924
thanks for racking your brain on this one, i was stumped
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes people don't understand why download speed shows differently for Windows than Linux.Specially, this article covers and shows the solution for throughput difference for Windows than a Linux machine. For this, I arranged a test scenario.I…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question