mrroonie asked:
Clients cannot connect to child domain

Hello all

I am trying to set up a child domain. When this error (below) popped up the first time I thought I'd made a mistake, so I un-dcpromo'd the child, wiped the server and started again, following instructions from MS themselves and various other sites (which all basically say the same thing) word for word, and set everything up as it should be. I have checked and double-checked the forward and reverse lookup zones and all other DNS settings on both the parent and child server, and both look fine.

The child server is a brand new, completely clean install of 2003 Standard, but I inherited the parent domain, which is up and running nearly all day every day; I probably have a 3 or 4 hour gap at night when testing / changing anything on the parent DC is possible.
The child domain itself is created with dcpromo without any problems or errors, but whenever I try to join the domain with any client PC I get:

'A domain controller for the domain XXX cannot be contacted. Ensure the domain name is typed correctly' (duh!), and in the details it says:

The domain name xxx might be a NetBIOS domain name.  If this is the case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain xxx:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.xxx

Common causes of this error include the following:

- The DNS SRV record is not registered in DNS.    <<<< this definitely is not the case, I can do a screen dump to prove it!

- One or more of the following zones do not include delegation to its child zone:

xxx
. (the root zone)


I have tried joining by xxx and by xxx.yyy.co.uk, but both bring up the same error. The client PC is configured to point at the child domain for primary DNS and the parent for secondary. I have swapped the primary and secondary but still get the same error as above.

Both servers are running 2003 Standard and are fully up to date, as are the client PCs (running XP SP3).
Clients all have static IPs.

Please ask if you need any more details.


PLEASE HELP!!! All I seem to be doing is going round in circles checking the DNS and WINS on both servers.

Any suggestions would be greatly appreciated.
mrroonie (asker):

I forgot to add that I've already set up delegation in the parent's DNS to the child.

I have also made the child a GC.
ASKER CERTIFIED SOLUTION by Henrik Johansson (Sweden) [solution text only available to Experts Exchange members]
Yeah, Henjo is right. It looks like the SRV records are missing.

https://www.experts-exchange.com/questions/23356031/There-are-currently-no-logon-servers-available-to-service-the-logon-request.html

This should fix your issue.
Thanks for the replies guys.

henjoh - >>> Use AD-integrated zone for the parent domain and let the child's DNS-name be created as sub-domain instead of a separate zone <<<< so delete the delegation in the parent's DNS and then add a new A record for the child DC?

The plot thickens when running netdiag /fix - it shows there are remnants of another child domain. I think the setup here before was zzz.yyy.co.uk when it should have just been yyy.co.uk in the first place, so, in effect, there was an 'orphan' domain.

.....................................

    Computer Name: MAIN-DC
    DNS Host Name: MAIN-DC.yyy.co.uk
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 3 Stepping 3, GenuineIntel
    List of installed hotfixes :
        KB924667-v2
        KB925398_WMP64
        KB925876
        KB925902
        KB927891
        KB929123
        KB930178
        KB931784
        KB932168
        KB933729
        KB933854
        KB935839
        KB935840
        KB936021
        KB936357
        KB936782
        KB938127
        KB938127-IE7
        KB938464
        KB941569
        KB941693
        KB943055
        KB943460
        KB943485
        KB943729
        KB944338-v2
        KB944653
        KB945553
        KB946026
        KB948496
        KB948590
        KB949014
        KB950762
        KB950974
        KB951066
        KB951072-v2
        KB951698
        KB951746
        KB951748
        KB952954
        KB953838
        KB953838-IE7
        KB953839
        Q147222


Netcard queries test . . . . . . . : Passed
    [WARNING] The net card '1394 Net Adapter' may not be working because it has not received any packets.



Per interface results:

    Adapter : Local Area Connection 2

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : main-dc
        IP Address . . . . . . . . : 111.111.111.111
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 111.111.111.100
        Dns Servers. . . . . . . . : 111.111.111.111


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{F162D9F1-CF52-44C8-B061-B584A644831A}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Failed
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.42d1d66e-791c-4797-b702-06c46de43e40.domains._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry 467b01aa-31e8-4dc2-bf28-27212de60cbc._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _kerberos._udp.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _kpasswd._udp.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _gc._tcp.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _gc._tcp.Default-First-Site-Name._sites.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.pdc._msdcs.zzz.yyy.co.uk. re-registeration on DNS server '111.111.111.111' failed.
DNS Error code: DNS_ERROR_RCODE_REFUSED
    [FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for this DC on DNS server '111.111.111.111'.
    [FATAL] No DNS servers have the DNS records for this DC registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{F162D9F1-CF52-44C8-B061-B584A644831A}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{F162D9F1-CF52-44C8-B061-B584A644831A}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully


chiefIT - sorry, I forgot to mention I had already flushed the DNS numerous times. I've been on this thing for a while now and I can't remember everything I've tried with it, but I'll let you know as I remember them.
Delegation is, as said, not necessary within the same AD forest and can be deleted from yyy.co.uk.
Delete the zzz.yyy.co.uk zone from the DCs. If it has records in it that you want to keep, take a backup first using the command 'dnscmd /zoneexport zzz.yyy.co.uk filename.dns'.
To create the domain in the parent DNS zone, right-click on the zone name (yyy.co.uk) and choose 'New Domain'. As the value, enter the sub-domain name (zzz).
Configure the DNS zone yyy.co.uk to be stored in AD so it gets replicated between DCs.
Also configure the zone to allow dynamic updates. If setting dynamic updates to secure only, clients will be required to be AD members.

Configure the DC in the child domain to use the parent DC as primary DNS and itself as secondary DNS, to get redundancy and avoid errors when restarting the DC.
When that is done, re-run netdiag /fix.

Just a thought: is it necessary to create a child domain, or can you instead create an OU structure in the parent domain?
The only requirement for having multiple domains is the need for multiple password policies in AD 2000/2003. In AD 2008 that isn't necessary anymore, as multiple password policies can be used in the same domain.
Hi henjoh, I think we're getting somewhere now. I deleted zzz.yyy... and created the new sub-domain in the yyy zone.

All zones were already configured to allow dynamic updates, both secure and non-secure.

Running netdiag /fix after that gives exactly the same failures as in my previous post, but now when I try to join a client to the domain it sees the SRV record but still doesn't join -

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain xxx.yyy.co.uk:

The query was for the SRV record for _ldap._tcp.dc._msdcs.xxx.yyy.co.uk

The following domain controllers were identified by the query:

sub-dc.xxx.yyy.co.uk

Common causes of this error include:

- Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network or are not running.

The A record is present though, and it is the correct address!

I've tried joining the domain with the primary DNS pointing to the main DC and to the child DC; both bring up the above error.

Sadly we do need the child domain for password policies as we are running 2003, otherwise I wouldn't have even bothered trying to fix this.
I think it's the previous 'orphan' domain that's causing the issues, but I've cleared everything I can find on it out of DNS.
When I create new users in AD, some of them are created as user@yyy.co.uk and some of them are still created as user@zzz.yyy.co.uk - zzz is the 'orphan' I'm trying to get rid of. It is completely random whether a user is @yyy.co.uk or @zzz.yyy.co.uk.

Just to add - clients can ping the child server by IP, but not by the FQDN of the new sub-domain. But if I ping using the old orphaned FQDN I get a reply. I think I need to get the pointer out of the reverse lookup zone, but it will not let me delete the record.
I have tried dnscmd /RecordDelete to delete the pointer but I get DNS_ERROR_ZONE_DOES_NOT_EXIST.
Is the firewall enabled on the DC, preventing clients from joining the domain?
It can be turned on, but it needs to have the necessary ports opened. Try turning it off temporarily to see if it helps.
The firewall was on, but turning it off hasn't made a difference. I have just found there was an xxx folder under the main (yyy) domain as well as an integrated primary. I think I just needed a fresh pair of eyes on it after being bogged down with it for so long. I deleted the xxx folder and the clients could join. henjoh gets the points for the pointer to create it as an AD-integrated primary.
Thanks for racking your brains on this one, I was stumped.
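As an added example (not code from the thread or from any of the posters), here is a small Python model of the two join failures seen above and of why the same child name living in two places on one DNS server (a separate zone for the child and a sub-domain folder inside the parent zone, as found in the last post) behaves as if records were missing: an authoritative server answers from the most specific zone that covers the name, so whichever copy the DC did not register into returns NXDOMAIN. The zone names, host names and addresses are constructed; SRV data is reduced to the target host name.

```python
"""Model of the two join errors in this thread (added example, not code from
the thread). It shows (1) how an authoritative DNS server chooses which zone
answers a query: the longest matching zone suffix wins, so a separate, empty
zone named after the child hides records that were stored as a sub-domain
folder of the parent zone; and (2) the two checks behind the client's error
text: the SRV lookup for _ldap._tcp.dc._msdcs.<domain>, then an A lookup for
each DC the SRV answer names. All zone names, hosts and addresses below are
constructed for illustration."""
from dataclasses import dataclass, field

PARENT = "yyy.co.uk"
CHILD = "xxx.yyy.co.uk"


@dataclass
class Zone:
    name: str
    # owner name (lower case, no trailing dot) -> list of (rtype, rdata)
    records: dict = field(default_factory=dict)

    def add(self, owner, rtype, rdata):
        self.records.setdefault(owner.lower(), []).append((rtype, rdata))


class AuthServer:
    """Minimal authoritative server: no recursion, one zone answers a name."""

    def __init__(self, zones):
        self.zones = {z.name.lower(): z for z in zones}

    def zone_for(self, qname):
        labels = qname.lower().split(".")
        # Longest suffix first: "a.b.c" tries "a.b.c", then "b.c", then "c".
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.zones:
                return self.zones[suffix]
        return None

    def query(self, qname, rtype):
        """Return (rcode, [rdata, ...]). NXDOMAIN is RCODE 3, the
        0x232B RCODE_NAME_ERROR quoted in the question."""
        zone = self.zone_for(qname)
        if zone is None:
            return "REFUSED", []  # not authoritative; no recursion in this model
        rrset = zone.records.get(qname.lower())
        if rrset is None:
            return "NXDOMAIN", []
        return "NOERROR", [rdata for rt, rdata in rrset if rt == rtype]


def locate_dc(server, domain):
    """Reproduce the DC locator's two DNS checks from the join-domain error text.
    SRV rdata is simplified to the target host (priority/weight/port omitted)."""
    srv_name = f"_ldap._tcp.dc._msdcs.{domain}"
    rcode, targets = server.query(srv_name, "SRV")
    if rcode != "NOERROR" or not targets:
        # "The DNS SRV record is not registered in DNS" / delegation missing
        return {"status": "NO_SRV", "query": srv_name, "rcode": rcode, "dcs": {}}
    dcs = {}
    for host in targets:
        rc, addrs = server.query(host, "A")
        dcs[host] = addrs if rc == "NOERROR" else []
    if not any(dcs.values()):
        # "Host (A) records that map the name of the domain controller ... are missing"
        return {"status": "NO_A", "query": srv_name, "rcode": rcode, "dcs": dcs}
    return {"status": "OK", "query": srv_name, "rcode": rcode, "dcs": dcs}


def build_server(stale_child_zone, child_a_record):
    """Parent zone holding the child's records in a sub-domain folder, optionally
    shadowed by a separate empty zone named after the child (constructed data)."""
    parent = Zone(PARENT)
    parent.add(f"main-dc.{PARENT}", "A", "111.111.111.111")
    parent.add(f"_ldap._tcp.dc._msdcs.{CHILD}", "SRV", f"sub-dc.{CHILD}")
    if child_a_record:
        parent.add(f"sub-dc.{CHILD}", "A", "111.111.111.112")
    zones = [parent]
    if stale_child_zone:
        zones.append(Zone(CHILD))  # nothing was ever registered here
    return AuthServer(zones)


if __name__ == "__main__":
    scenarios = [
        ("separate empty child zone shadows the sub-domain folder",
         build_server(stale_child_zone=True, child_a_record=True)),
        ("single copy of the name, but the DC's A record is missing",
         build_server(stale_child_zone=False, child_a_record=False)),
        ("single copy of the name, SRV and A both present",
         build_server(stale_child_zone=False, child_a_record=True)),
    ]
    for label, server in scenarios:
        r = locate_dc(server, CHILD)
        print(f"{label}: {r['status']} ({r['rcode']} for {r['query']}) {r['dcs']}")
```

Run it to see the three states in the order the thread hit them: NO_SRV (the first error, 0x232B), NO_A (the second error after the orphan zone was removed), then OK. On a real server the equivalent manual checks are an SRV query for _ldap._tcp.dc._msdcs.<child domain> followed by an A query for each host the answer names, repeated against every DNS server the client is configured to use, since two servers holding different copies of the zone will give different answers.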