Unable to add a Windows Server 2008 R2 to the domain as a member server

Posted on 2011-03-04
Medium Priority
Last Modified: 2012-05-11
I have just installed Windows Server 2008 R2 into a virtual session using VMWare vSphere v 4.1.0 and I can not get it to join the domain.

The server is on the network at fixed IP The gateway is and is a Watchguard X750e. DNS is provided by the domain controller at  The domain controller is Windows Server 2003 R2 with 2 nics; IP addr and

The VM is setup as follows: IP, GW, DNS

I am able to ping both the IPs & FQDN's on both networks. I am able to access all shares on all computers on the 172.16.10.x network. Had to create a rule on the Watchguard to specifically allow SMB to get the shares to work.

I get the following error message when I try and add the 2008 server to the domain - The following error occurred attempting to join the domain "DOMAIN". The specified network name is no longer available. The Watchguard shows a deny error on microsoft-ds/tcp with a "tcp syn checking failed"

If I specify the account login info as SERVER NAME\administrator then I get "The specified username is invalid". The Watchguard does not show an error.

Considered that it might be a security issue as I had had a similar problem with Windows 7 computers accessing a Linus Samba share and changed the following in the local security policy:(Made no difference)

Network security: LAN Manager authentication level
Send LM & NTLM responses

Minimum session security for NTLM SSP
Disable Require 128-bit encryption

I am at a complete loss as to what to try next as I have added other Windows 2003 servers to different subnets and not had a problem adding them to the domain. Any suggestions would be appreciated.

Question by:dawncam
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
LVL 11

Expert Comment

ID: 35037684
you should correct your WatchGuard issue first with the "microsoft-ds/tcp".
if your server cannot bind to directory services, then the integration should fails.
i suggest you to set a rule on your firewall to allow everything from the 172.16.10 network to 10.0.10 network (in order to troubleshoot first). If you have more than one firewall between your client and the dc, then create the rules on each.
you should reverse the security changes you made on "Network security: LAN Manager authentication level" as you lower security, and you could have more issues than resolving this case.
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35037697
First why do you have two NICs enabled on the Domain Controller? You should not have two NICs enabled on a DC which could be causing the overall issue.  Disable NIC in DC run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix

The error states you are having a DNS issue the DNS issues is because your SRV records and DNS records are seeing two IP addresses for one Domain Controller which is confusing DNS and AD.

What you can do if you want to keep both NICs is to make DNS listen on one IP address


Second you need to go into your TCP\IP properties uncheck the option to register with DNS on one of the interfaces.

Third go to Network Connections click advance menu then advance settings make sure your primary NIC is listed first this is the NIC you used to listen on
LVL 11

Expert Comment

ID: 35037717
Don't forget in the Microsoft world, there is many process that use RPC (ie a protocol without a fixed port number), so the usage of firewall between clients and dc is not really recommanded. the Microsoft recommendation is to deploy IPsec everywhere if you really need firewall inside your network.
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.


Expert Comment

ID: 35037729
More explanation of your network design is desired.  I assume the WatchGuard is doing the routing between the network and the network.  Are these networks on seperate VLANs?  What switching is involved?  1 switch ?  Why does the AD have NIC's assigned to each network?  

Author Comment

ID: 35038270

The Watchguard is setup to pass all traffic on any trusted and any optional network to anywhere.

I have a Windows 2003 Web Server on a 192.168.100.x network which I was able to add to the domain and am able to map drives to shares on the 172.16.10.x network. The Watchguard gives me a tcp syn error on this as well. I do have the option to turn off tcp syn error checking on the Watchguard and did so yesterday to see if that made a difference and it did not.


DNS only listens on the network. The second nic in the DC has an IP address and a mask and that's it.

The network consists of 2 trusted networks and 1 optional (untrusted) network routed through the Watchguard device. The 10.0 network is on a GB switch and was put in to facilitate backups to both a tape and online storage. All of my windows servers are connected to it and the only traffic on it up to this point was backup traffic. The 172.16 network is the internal trusted network which is serviced by 2 10MB switches and is connected to most of the Windows servers, a Linux server, the workstations, and the printers. The 192.168.100 network is served by a 10MB switch and contains the Windows web server and a Linux FTP server.
I did make an attempt yesterday to change the VM server and Windows 2008 server to the 172.16 network but had the same problem. I can try it again by changing the IPs on the first NIC in the VM server. Yesterday I added a second nic to the VM server.

I can ping the Linux server on the 172.16 network by name from the Windows 2008 server on the 10.0 network so it would appear that DNS works just fine.

Accepted Solution

DewFreak earned 2000 total points
ID: 35038327
So if the 10.x network is for backup why is that assigned on your VM with a gateway address?  For simplicity, do away with the 10.x network since DNS is only listening on the 172.16.x network and try to join the domain.  
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35038517
So, you have checked the configurations I asked about?

Author Comment

ID: 35039544
Changed the VM over to the 172.16 network and changed the IP on the Windows 2008 box to the 172.16 network and that solved all my problems as I was then able to join the domain.

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn about cloud computing and its benefits for small business owners.
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question