Solved

Unable to add a Windows Server 2008 R2 to the domain as a member server

Posted on 2011-03-04
8
2,131 Views
Last Modified: 2012-05-11
I have just installed Windows Server 2008 R2 into a virtual session using VMWare vSphere v 4.1.0 and I can not get it to join the domain.

The server is on the 10.0.10.0 network at fixed IP 10.0.10.13. The gateway is 10.0.10.1 and is a Watchguard X750e. DNS is provided by the domain controller at 172.16.10.10.  The domain controller is Windows Server 2003 R2 with 2 nics; IP addr 10.0.10.10 and 172.16.10.10.

The VM is setup as follows: IP 10.0.10.20, GW 10.0.10.1, DNS 172.16.10.10

I am able to ping both the IPs & FQDN's on both networks. I am able to access all shares on all computers on the 172.16.10.x network. Had to create a rule on the Watchguard to specifically allow SMB to get the shares to work.

I get the following error message when I try and add the 2008 server to the domain - The following error occurred attempting to join the domain "DOMAIN". The specified network name is no longer available. The Watchguard shows a deny error on microsoft-ds/tcp with a "tcp syn checking failed"

If I specify the account login info as SERVER NAME\administrator then I get "The specified username is invalid". The Watchguard does not show an error.

Considered that it might be a security issue as I had had a similar problem with Windows 7 computers accessing a Linus Samba share and changed the following in the local security policy:(Made no difference)

Network security: LAN Manager authentication level
Send LM & NTLM responses

Minimum session security for NTLM SSP
Disable Require 128-bit encryption

I am at a complete loss as to what to try next as I have added other Windows 2003 servers to different subnets and not had a problem adding them to the domain. Any suggestions would be appreciated.

Dawn
0
Comment
Question by:dawncam
  • 2
  • 2
  • 2
  • +1
8 Comments
 
LVL 11

Expert Comment

by:Tasmant
ID: 35037684
you should correct your WatchGuard issue first with the "microsoft-ds/tcp".
if your server cannot bind to directory services, then the integration should fails.
i suggest you to set a rule on your firewall to allow everything from the 172.16.10 network to 10.0.10 network (in order to troubleshoot first). If you have more than one firewall between your client and the dc, then create the rules on each.
you should reverse the security changes you made on "Network security: LAN Manager authentication level" as you lower security, and you could have more issues than resolving this case.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35037697
First why do you have two NICs enabled on the Domain Controller? You should not have two NICs enabled on a DC which could be causing the overall issue.  Disable NIC in DC run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix

The error states you are having a DNS issue the DNS issues is because your SRV records and DNS records are seeing two IP addresses for one Domain Controller which is confusing DNS and AD.

What you can do if you want to keep both NICs is to make DNS listen on one IP address

http://technet.microsoft.com/en-us/library/cc740071(WS.10).aspx

Second you need to go into your TCP\IP properties uncheck the option to register with DNS on one of the interfaces.

Third go to Network Connections click advance menu then advance settings make sure your primary NIC is listed first this is the NIC you used to listen on
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35037717
Don't forget in the Microsoft world, there is many process that use RPC (ie a protocol without a fixed port number), so the usage of firewall between clients and dc is not really recommanded. the Microsoft recommendation is to deploy IPsec everywhere if you really need firewall inside your network.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 6

Expert Comment

by:DewFreak
ID: 35037729
More explanation of your network design is desired.  I assume the WatchGuard is doing the routing between the 10.0.10.0 network and the 172.16.10.0 network.  Are these networks on seperate VLANs?  What switching is involved?  1 switch ?  Why does the AD have NIC's assigned to each network?  
0
 

Author Comment

by:dawncam
ID: 35038270
Tasmant,

The Watchguard is setup to pass all traffic on any trusted and any optional network to anywhere.

I have a Windows 2003 Web Server on a 192.168.100.x network which I was able to add to the domain and am able to map drives to shares on the 172.16.10.x network. The Watchguard gives me a tcp syn error on this as well. I do have the option to turn off tcp syn error checking on the Watchguard and did so yesterday to see if that made a difference and it did not.

dariusq,

DNS only listens on the 172.16.10.10 network. The second nic in the DC has an IP address and a mask and that's it.

DewFreak,
The network consists of 2 trusted networks and 1 optional (untrusted) network routed through the Watchguard device. The 10.0 network is on a GB switch and was put in to facilitate backups to both a tape and online storage. All of my windows servers are connected to it and the only traffic on it up to this point was backup traffic. The 172.16 network is the internal trusted network which is serviced by 2 10MB switches and is connected to most of the Windows servers, a Linux server, the workstations, and the printers. The 192.168.100 network is served by a 10MB switch and contains the Windows web server and a Linux FTP server.
I did make an attempt yesterday to change the VM server and Windows 2008 server to the 172.16 network but had the same problem. I can try it again by changing the IPs on the first NIC in the VM server. Yesterday I added a second nic to the VM server.

I can ping the Linux server on the 172.16 network by name from the Windows 2008 server on the 10.0 network so it would appear that DNS works just fine.
0
 
LVL 6

Accepted Solution

by:
DewFreak earned 500 total points
ID: 35038327
So if the 10.x network is for backup why is that assigned on your VM with a gateway address?  For simplicity, do away with the 10.x network since DNS is only listening on the 172.16.x network and try to join the domain.  
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35038517
So, you have checked the configurations I asked about?
0
 

Author Comment

by:dawncam
ID: 35039544
Changed the VM over to the 172.16 network and changed the IP on the Windows 2008 box to the 172.16 network and that solved all my problems as I was then able to join the domain.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question