gangoo_nilc

asked on

Joining a server to AD over a VPN site to site link

Hello,
I am trying to connect a server to make it a member of Active Directory.  However, it gives me a message "The Network Path Cannot be Found". Everything seems fine until I enter the Username and Password to join the server to the domain.  I've tried a wrong credential to make sure the issue is not the credentials; it still did not work, giving the same message - so it's not a credential issue.  The main server is in LA and the remote office is in DC.  It is connected using a site to site VPN. I am using an eSoft router which hosts the VPN. All ports are open between the sites.  LA is the site that has the AD server.  I've tried all combinations of network card settings, but still no luck.  I am approaching a deadline so I will really appreciate it if someone can assist me with this ASAP.  Much Thanks, Kris
wolfcamel

set the DNS of the new server to the IP of the first server - not the router or your ISP.
gangoo_nilc

ASKER

It's that way already, not working.
We have tried all different combinations of network configurations but still no luck - thanks
Some questions please:

What is the DNS server you are using at the site you're trying to join the server from? Is it an Active Directory integrated server or not? If you do an nslookup of the server, does it reply with the correct IP address? Also, if you ping -a the IP of the server, does it return the correct name of your DNS server? Do you have other PCs at this site which are joined to the domain? If yes, compare their TCP/IP attributes with the server you're trying to join to the domain.
arnold
run the following command on the server you want to join into the AD.
This will confirm whether the DNS is the issue:
nslookup -q=SRV _kpasswd._udp.<AD_DOMAIN_NAME_GOES_HERE>.
nslookup -q=NS _msdcs.<AD_DOMAIN_NAME_GOES_HERE>.
nslookup -q=SRV _gc._tcp.Default-First-Site._sites.<AD_DOMAIN_NAME_GOES_HERE>.

Similar queries exist for the _ldap and other records.

Are you able to access resources on the other side of the VPN?  Are there systems at this location that are accessing the AD?  Trying to see whether the VPN is limited/restricted such that it is blocking the requests to Windows ports 445/139 etc.
I cannot get to the server right now; tomorrow I will have someone log on to see what the problem is. When I am able to get on I will write comments on whether or not the suggestion worked.

Arnold Qs: Yes, able to access resources on the VPN.  No, this is the first system; I tried others but same problem. All ports are open, but will check.

Elawad Qs: The DNS server is the AD server located at HQ. Not sure if it is integrated or not; it's the default SBS setup. NSlookup works (will check tomorrow to make sure).  No, this is the first host, but I tried a few other computers to connect but same problem.

thank you
Arnold, when I tried the commands you gave, this is what I get:

The server that I am running the commands on is DC1, LA1 is the DC, and the internal domain name is dname.local

dc1.dname.local cant find the _kpasswd.udp.la1:none existing domain

dc1.dname.local cant find the __msdcs.la1: none exixting domain

dc1.dname.local cant find the_gc.tcp.Defoult-First-Site._site.la1:non-exixtent domain

Elawad

NSlookup and Ping -a works
You should be looking for
_kpasswd._udp.dname.local
The AD domain name is not the same as the DC that serves up the domain.
LA1 is the server name; its FQDN is la1.dname.local.  So the name of the domain itself is dname.local.
Not too sure about what you're saying, can you please explain again/thanks
nslookup -q=srv _kpasswd._udp.dname.local
nslookup -q=ns _msdcs.dname.local
etc.

I.e. you used the example of records to look up and replaced the <AD_DOMAIN_NAME_GOES_HERE> with the DC's server name versus dname.local.
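Arnold's point about the owner name, as an added Python example that is not part of the thread: it builds the DC locator record names a client queries for a given AD domain (so the owner is always dname.local, never the DC host name la1), parses Windows nslookup output into found SRV records or a "Non-existent domain" error, and checks whether a queried name actually sits under the domain. The two nslookup outputs and the 192.0.2.10 address are constructed for the example; the record names are the standard AD DNS names, not values taken from the thread.

```python
import re

# Constructed sample nslookup output (Windows nslookup formatting), not captured from the thread.
SAMPLE_OK = """Server:  la1.dname.local
Address:  192.0.2.10

_kpasswd._udp.dname.local       SRV service location:
          priority       = 0
          weight         = 100
          port           = 464
          svr hostname   = la1.dname.local
la1.dname.local internet address = 192.0.2.10
"""

# Constructed failure case: the DC host name (la1) was used where the domain belongs.
SAMPLE_FAIL = """Server:  la1.dname.local
Address:  192.0.2.10

*** la1.dname.local can't find _kpasswd._udp.la1: Non-existent domain
"""

SRV_HEADER = re.compile(r"^(\S+)\s+SRV service location:")
FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s+=\s+(\S+)")
ERROR = re.compile(r"can'?t find (\S+): (.+)$")


def dc_locator_records(domain, site="Default-First-Site"):
    """Return (query type, owner name) pairs a client looks up to locate DCs for *domain*.

    The owner name always ends in the AD domain (dname.local); substituting a DC's
    host name (la1) produces names that do not exist in the zone.
    """
    d = domain.rstrip(".").lower()
    return [
        ("SRV", f"_ldap._tcp.dc._msdcs.{d}"),          # any DC offering LDAP
        ("SRV", f"_kerberos._tcp.dc._msdcs.{d}"),      # any DC offering Kerberos
        ("SRV", f"_kpasswd._udp.{d}"),                 # Kerberos password change
        ("SRV", f"_gc._tcp.{d}"),                      # global catalog
        ("SRV", f"_ldap._tcp.{site}._sites.gc._msdcs.{d}"),  # site-specific GC
        ("NS", f"_msdcs.{d}"),                         # name servers for the _msdcs subzone
        ("A", f"gc._msdcs.{d}"),                       # A records of all GC servers
    ]


def queried_under_domain(name, domain):
    """True if the queried name lies inside the AD domain (catches the la1 mistake)."""
    n = name.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return n == d or n.endswith("." + d)


def parse_nslookup_srv(output):
    """Parse nslookup -q=SRV output into {'records': [...], 'error': str | None}."""
    result = {"records": [], "error": None}
    current = None
    for line in output.splitlines():
        err = ERROR.search(line)
        if err:
            result["error"] = f"{err.group(1)}: {err.group(2).strip()}"
            continue
        head = SRV_HEADER.match(line)
        if head:
            current = {"name": head.group(1), "priority": None,
                       "weight": None, "port": None, "target": None}
            result["records"].append(current)
            continue
        field = FIELD.match(line)
        if field and current is not None:
            key, value = field.group(1), field.group(2)
            if key == "svr hostname":
                current["target"] = value.rstrip(".")
            else:
                current[key] = int(value)
    return result


if __name__ == "__main__":
    for qtype, name in dc_locator_records("dname.local"):
        print(f"nslookup -q={qtype} {name}.")
    print(parse_nslookup_srv(SAMPLE_OK))
    print(parse_nslookup_srv(SAMPLE_FAIL))
    print(queried_under_domain("_kpasswd._udp.la1", "dname.local"))
```

Running the script prints the nslookup commands to type on the server being joined; a result with `error` set to "Non-existent domain" for a name that `queried_under_domain` rejects is the mistake made in this thread, whereas the same error for a name that is under the domain points at the DNS server itself.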
The first two worked; the last command came back with an error - nslookup -q=SRV _gc._tcp.Default-First-Site._sites.<AD_DOMAIN_NAME_GOES_HERE>.
Error:
dame.local can't find _gc._tcp.Default-First-Site._sites.dname.local:Non-existent domain
 
Sorry, typo: it should be nslookup gc._msdcs.dname.local, which should return A records for all GC servers in the domain.
nslookup -q=srv _ldap._tcp.Default-First-Site._sites.gc._msdcs.dname.local

Actually, this confirms that your system can get the DNS records needed to join the domain. The problem, I suspect, is a restriction within the VPN that is preventing access to the DCs to actually complete the transaction.
Get Wireshark (formerly Ethereal, a network monitoring utility) from wireshark.net and set it up on the system you want to join into the domain.
Go through the domain join process while Wireshark is running, monitoring/capturing network traffic.  See whether you see responses from the remote DCs.
Try connecting to the remote DC using telnet REMOTE_DC_IP 445.
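Arnold's telnet test, as an added Python example that is not from the thread: it attempts a TCP connect with a timeout to each port a domain join relies on (445/SMB is the one that mattered here; the others are the standard Kerberos, LDAP, RPC and DNS ports) and distinguishes "timeout" (packets silently dropped, typical of a firewall or intrusion-prevention filter on the VPN) from "refused" (host reached, nothing listening). The default target la1.dname.local is the DC name from the thread; pass a real DC name or IP on the command line.

```python
import socket
import sys

# TCP ports a domain join normally needs to reach on a DC (standard assignments).
JOIN_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB",
    464: "Kerberos password change",
}


def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        # No SYN-ACK and no RST: something in the path is dropping the packets.
        return "timeout"
    except ConnectionRefusedError:
        # The host answered with RST: reachable, but no listener (or a reject rule).
        return "refused"
    except OSError:
        # Name resolution or routing failure.
        return "unreachable"


def check_dc_reachability(host, ports=JOIN_PORTS, timeout=3.0):
    """Probe every port in *ports* and return {port: status}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Ports whose probe did not succeed, sorted."""
    return sorted(port for port, status in results.items() if status != "open")


def report(host, results):
    lines = []
    for port, status in sorted(results.items()):
        service = JOIN_PORTS.get(port, "?")
        lines.append(f"{host}:{port} ({service}): {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder target from the thread; replace with the DC's name or IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "la1.dname.local"
    results = check_dc_reachability(target)
    print(report(target, results))
    if blocked_ports(results):
        print("blocked or unreachable:", blocked_ports(results))
```

A "timeout" on 445 while DNS lookups succeed matches the symptom in this thread: name resolution works, but the SMB session that completes the join never gets through the VPN path.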
ASKER CERTIFIED SOLUTION
arnold
Thanks Arnold, that solved the problem.  It was the VPN link being blocked by the intrusion protection. I added the IP range of the remote site as a "protected site" and that solved it.  The intrusion protection blocks certain DNS requests, as in this case.  I called the router company a few months ago and they told me that everything looks okay with the configuration, but this time they pinpointed what was blocking this port.  Not being able to telnet 445 was the key to them helping me with this. I appreciate it.