• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2381
  • Last Modified:

Unable to add a Windows Server 2008 R2 to the domain as a member server

I have just installed Windows Server 2008 R2 into a virtual session using VMWare vSphere v 4.1.0 and I can not get it to join the domain.

The server is on the 10.0.10.0 network at fixed IP 10.0.10.13. The gateway is 10.0.10.1 and is a Watchguard X750e. DNS is provided by the domain controller at 172.16.10.10.  The domain controller is Windows Server 2003 R2 with 2 nics; IP addr 10.0.10.10 and 172.16.10.10.

The VM is setup as follows: IP 10.0.10.20, GW 10.0.10.1, DNS 172.16.10.10

I am able to ping both the IPs & FQDN's on both networks. I am able to access all shares on all computers on the 172.16.10.x network. Had to create a rule on the Watchguard to specifically allow SMB to get the shares to work.

I get the following error message when I try and add the 2008 server to the domain - The following error occurred attempting to join the domain "DOMAIN". The specified network name is no longer available. The Watchguard shows a deny error on microsoft-ds/tcp with a "tcp syn checking failed"

If I specify the account login info as SERVER NAME\administrator then I get "The specified username is invalid". The Watchguard does not show an error.

Considered that it might be a security issue as I had had a similar problem with Windows 7 computers accessing a Linus Samba share and changed the following in the local security policy:(Made no difference)

Network security: LAN Manager authentication level
Send LM & NTLM responses

Minimum session security for NTLM SSP
Disable Require 128-bit encryption

I am at a complete loss as to what to try next as I have added other Windows 2003 servers to different subnets and not had a problem adding them to the domain. Any suggestions would be appreciated.

Dawn
0
dawncam
Asked:
dawncam
  • 2
  • 2
  • 2
  • +1
1 Solution
 
TasmantCommented:
you should correct your WatchGuard issue first with the "microsoft-ds/tcp".
if your server cannot bind to directory services, then the integration should fails.
i suggest you to set a rule on your firewall to allow everything from the 172.16.10 network to 10.0.10 network (in order to troubleshoot first). If you have more than one firewall between your client and the dc, then create the rules on each.
you should reverse the security changes you made on "Network security: LAN Manager authentication level" as you lower security, and you could have more issues than resolving this case.
0
 
Darius GhassemCommented:
First why do you have two NICs enabled on the Domain Controller? You should not have two NICs enabled on a DC which could be causing the overall issue.  Disable NIC in DC run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix

The error states you are having a DNS issue the DNS issues is because your SRV records and DNS records are seeing two IP addresses for one Domain Controller which is confusing DNS and AD.

What you can do if you want to keep both NICs is to make DNS listen on one IP address

http://technet.microsoft.com/en-us/library/cc740071(WS.10).aspx

Second you need to go into your TCP\IP properties uncheck the option to register with DNS on one of the interfaces.

Third go to Network Connections click advance menu then advance settings make sure your primary NIC is listed first this is the NIC you used to listen on
0
 
TasmantCommented:
Don't forget in the Microsoft world, there is many process that use RPC (ie a protocol without a fixed port number), so the usage of firewall between clients and dc is not really recommanded. the Microsoft recommendation is to deploy IPsec everywhere if you really need firewall inside your network.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
DewFreakCommented:
More explanation of your network design is desired.  I assume the WatchGuard is doing the routing between the 10.0.10.0 network and the 172.16.10.0 network.  Are these networks on seperate VLANs?  What switching is involved?  1 switch ?  Why does the AD have NIC's assigned to each network?  
0
 
dawncamAuthor Commented:
Tasmant,

The Watchguard is setup to pass all traffic on any trusted and any optional network to anywhere.

I have a Windows 2003 Web Server on a 192.168.100.x network which I was able to add to the domain and am able to map drives to shares on the 172.16.10.x network. The Watchguard gives me a tcp syn error on this as well. I do have the option to turn off tcp syn error checking on the Watchguard and did so yesterday to see if that made a difference and it did not.

dariusq,

DNS only listens on the 172.16.10.10 network. The second nic in the DC has an IP address and a mask and that's it.

DewFreak,
The network consists of 2 trusted networks and 1 optional (untrusted) network routed through the Watchguard device. The 10.0 network is on a GB switch and was put in to facilitate backups to both a tape and online storage. All of my windows servers are connected to it and the only traffic on it up to this point was backup traffic. The 172.16 network is the internal trusted network which is serviced by 2 10MB switches and is connected to most of the Windows servers, a Linux server, the workstations, and the printers. The 192.168.100 network is served by a 10MB switch and contains the Windows web server and a Linux FTP server.
I did make an attempt yesterday to change the VM server and Windows 2008 server to the 172.16 network but had the same problem. I can try it again by changing the IPs on the first NIC in the VM server. Yesterday I added a second nic to the VM server.

I can ping the Linux server on the 172.16 network by name from the Windows 2008 server on the 10.0 network so it would appear that DNS works just fine.
0
 
DewFreakCommented:
So if the 10.x network is for backup why is that assigned on your VM with a gateway address?  For simplicity, do away with the 10.x network since DNS is only listening on the 172.16.x network and try to join the domain.  
0
 
Darius GhassemCommented:
So, you have checked the configurations I asked about?
0
 
dawncamAuthor Commented:
Changed the VM over to the 172.16 network and changed the IP on the Windows 2008 box to the 172.16 network and that solved all my problems as I was then able to join the domain.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

  • 2
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now