Solved

Unable to add a Windows Server 2008 R2 to the domain as a member server

Posted on 2011-03-04
Last Modified: 2012-05-11
I have just installed Windows Server 2008 R2 into a virtual session using VMware vSphere v4.1.0 and I cannot get it to join the domain.

The server is on the 10.0.10.0 network at fixed IP 10.0.10.13. The gateway is 10.0.10.1 and is a WatchGuard X750e. DNS is provided by the domain controller at 172.16.10.10. The domain controller is Windows Server 2003 R2 with 2 NICs; IP addresses 10.0.10.10 and 172.16.10.10.

The VM is set up as follows: IP 10.0.10.20, GW 10.0.10.1, DNS 172.16.10.10

I am able to ping both the IPs and FQDNs on both networks. I am able to access all shares on all computers on the 172.16.10.x network. I had to create a rule on the WatchGuard to specifically allow SMB to get the shares to work.

I get the following error message when I try to add the 2008 server to the domain: "The following error occurred attempting to join the domain "DOMAIN". The specified network name is no longer available." The WatchGuard shows a deny error on microsoft-ds/tcp with a "tcp syn checking failed".

If I specify the account login info as SERVERNAME\administrator then I get "The specified username is invalid". The WatchGuard does not show an error.

I considered that it might be a security issue, as I had had a similar problem with Windows 7 computers accessing a Linux Samba share, and changed the following in the local security policy (made no difference):

Network security: LAN Manager authentication level
Send LM & NTLM responses

Minimum session security for NTLM SSP
Disable Require 128-bit encryption

I am at a complete loss as to what to try next as I have added other Windows 2003 servers to different subnets and not had a problem adding them to the domain. Any suggestions would be appreciated.

Dawn

Question by:dawncam

8 Comments
 
Expert Comment

by:Tasmant
You should correct your WatchGuard issue with "microsoft-ds/tcp" first.
If your server cannot bind to directory services, then the integration will fail.
I suggest you set a rule on your firewall to allow everything from the 172.16.10 network to the 10.0.10 network (in order to troubleshoot first). If you have more than one firewall between your client and the DC, then create the rules on each.
You should reverse the security changes you made on "Network security: LAN Manager authentication level", as you lowered security, and you could have more issues than resolving this case.
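
The two settings the question describes lowering are backed by registry values, so "reverse the security changes" can be checked and undone from a script rather than by clicking through Local Security Policy. The script below is an added example for this thread, not code from the original poster or any of the experts. It assumes Windows 7 / Server 2008 R2 defaults (level 3, both session-security bits set) when a value is absent, and it is run from an elevated PowerShell on the server whose policy was changed.

```powershell
# Added example (not code from the original thread). Reads the two NTLM
# settings the question describes lowering and reports whether they are
# still at the weakened values. Run in an elevated PowerShell on the server
# whose Local Security Policy was changed. The registry locations are the
# documented backing values for those two policy settings.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$MsvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# "Network security: LAN Manager authentication level" -> LmCompatibilityLevel.
# Level 0 is what the poster selected; 3 is the Windows 7 / Server 2008 R2
# default and 5 is the hardened setting that refuses LM and NTLMv1 entirely.
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

# "Minimum session security for NTLM SSP based (including secure RPC)
# clients" -> NtlmMinClientSec, a bit mask. Unticking "Require 128-bit
# encryption" clears the 0x20000000 bit.
$RequireNtlmv2Session = 0x00080000
$Require128Bit        = 0x20000000

function Get-NtlmHardening {
    # Returns one object describing both settings and whether they are weak.
    $lsa = Get-ItemProperty -Path $LsaKey
    $msv = Get-ItemProperty -Path $MsvKey

    # An absent value means "not configured", i.e. the OS default (assumed
    # here to be Windows 7 / 2008 R2: level 3 and both bits set).
    $level = 3
    if ($lsa.LmCompatibilityLevel -ne $null) { $level = [int]$lsa.LmCompatibilityLevel }
    $minSec = $RequireNtlmv2Session -bor $Require128Bit
    if ($msv.NtlmMinClientSec -ne $null) { $minSec = [int]$msv.NtlmMinClientSec }

    $has128 = ($minSec -band $Require128Bit) -ne 0
    $hasV2  = ($minSec -band $RequireNtlmv2Session) -ne 0

    # Level 0-2 lets the client send LM or NTLMv1 responses, which anyone on
    # the path can capture and crack offline; level >= 3 with both bits set
    # is the "reverse the change" state the comment above asks for.
    New-Object PSObject -Property @{
        LmCompatibilityLevel = $level
        LmLevelName          = $LmLevelNames[$level]
        NtlmMinClientSec     = ('0x{0:X8}' -f $minSec)
        Require128Bit        = $has128
        RequireNtlmv2Session = $hasV2
        Weakened             = ($level -lt 3) -or (-not $has128) -or (-not $hasV2)
    }
}

function Restore-NtlmDefaults {
    # Puts both values back to the Server 2008 R2 defaults. Without -Apply it
    # only reports what it would change, so it is safe to run first.
    param([switch]$Apply)
    $targets = @(
        @{ Path = $LsaKey; Name = 'LmCompatibilityLevel'; Value = 3 },
        @{ Path = $MsvKey; Name = 'NtlmMinClientSec';     Value = ($RequireNtlmv2Session -bor $Require128Bit) }
    )
    foreach ($t in $targets) {
        if ($Apply) {
            Set-ItemProperty -Path $t.Path -Name $t.Name -Value $t.Value -Type DWord
            Write-Output ("Set {0}\{1} = {2}" -f $t.Path, $t.Name, $t.Value)
        } else {
            Write-Output ("Would set {0}\{1} = {2} (re-run with -Apply)" -f $t.Path, $t.Name, $t.Value)
        }
    }
}

Get-NtlmHardening | Format-List
Restore-NtlmDefaults
```

The point of reporting rather than silently fixing is that neither setting has anything to do with a "network name is no longer available" error (that is an SMB transport failure, not an authentication failure), so lowering them bought nothing and left the server willing to send LM/NTLMv1 responses to anything that asks.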
 
Expert Comment

by:Darius Ghassem
First, why do you have two NICs enabled on the domain controller? You should not have two NICs enabled on a DC, which could be causing the overall issue. Disable the second NIC in the DC, then run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix.

The error indicates you are having a DNS issue. The DNS issue is because your SRV records and DNS records show two IP addresses for one domain controller, which is confusing DNS and AD.

What you can do if you want to keep both NICs is to make DNS listen on one IP address:

http://technet.microsoft.com/en-us/library/cc740071(WS.10).aspx

Second, you need to go into your TCP/IP properties and uncheck the option to register with DNS on one of the interfaces.

Third, go to Network Connections, click the Advanced menu, then Advanced Settings, and make sure your primary NIC is listed first; this is the NIC you use to listen on.
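
Whether the DC is publishing both of its addresses is something the joining server can see for itself. The script below is an added example for this thread, not code from the original poster or any of the experts. Run on the server being joined, it asks the configured DNS server for the DC locator SRV records, resolves every DC they name plus the domain name itself through the client's own resolver (the same answers the join will use), and flags a name that carries more than one IPv4 address, which is what a multi-homed DC registering both NICs looks like from the client. The domain name is an assumption; the DNS server address is the one from the question.

```powershell
# Added example (not code from the original thread). Run on the server you are
# trying to join. It parses nslookup output because .NET on Server 2008 R2 has
# no SRV resolver. $Domain is an assumption; $DnsServer is from the question.

param(
    [string]$Domain    = 'domain.local',   # assumption: the AD DNS domain name
    [string]$DnsServer = '172.16.10.10'    # the DNS server the client is configured with
)

function Get-DcLocatorHosts {
    # Returns the host names advertised in the DC locator SRV records.
    param([string]$Domain, [string]$DnsServer)
    $found = @()
    foreach ($svc in '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs') {
        $lines = & nslookup -type=SRV "$svc.$Domain" $DnsServer 2>&1
        foreach ($line in $lines) {
            if ("$line" -match 'svr hostname\s*=\s*(\S+)') {
                $found += $Matches[1].TrimEnd('.')
            }
        }
    }
    $found | Sort-Object -Unique
}

function Get-IPv4Addresses {
    # Uses the client's own resolver, i.e. the answers the domain join will get.
    param([string]$Name)
    try {
        [System.Net.Dns]::GetHostAddresses($Name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    } catch {
        # unresolvable: return nothing, the caller wraps in @() and sees Count 0
    }
}

function Test-DcRegistration {
    param([string]$Domain, [string]$DnsServer)
    $dcs = @(Get-DcLocatorHosts -Domain $Domain -DnsServer $DnsServer)
    if ($dcs.Count -eq 0) {
        Write-Output "No DC locator SRV records for $Domain on ${DnsServer}: the client cannot find a DC through DNS at all."
        return
    }
    foreach ($dc in $dcs) {
        $ips = @(Get-IPv4Addresses -Name $dc)
        if ($ips.Count -eq 0)     { $verdict = 'NOT RESOLVABLE from this client' }
        elseif ($ips.Count -eq 1) { $verdict = 'ok' }
        else                      { $verdict = 'MULTIPLE ADDRESSES: a multi-homed DC is registering more than one NIC' }
        New-Object PSObject -Property @{ Name = $dc; IPv4 = ($ips -join ', '); Verdict = $verdict }
    }
    # Netlogon also registers one A record for the bare domain name per DC
    # address, so more addresses than DCs is the same symptom from the other side.
    $domainIps = @(Get-IPv4Addresses -Name $Domain)
    if ($domainIps.Count -eq 0)            { $verdict = 'NOT RESOLVABLE from this client' }
    elseif ($domainIps.Count -gt $dcs.Count) { $verdict = 'MORE ADDRESSES THAN DCs: a DC is registering more than one NIC' }
    else                                   { $verdict = 'ok' }
    New-Object PSObject -Property @{ Name = $Domain; IPv4 = ($domainIps -join ', '); Verdict = $verdict }
}

Test-DcRegistration -Domain $Domain -DnsServer $DnsServer |
    Format-Table -AutoSize Name, IPv4, Verdict
```

Note that "DNS only listens on one address" (the poster's reply below) is a different thing from what this checks: the DNS service can be bound to 172.16.10.10 while Netlogon and the DNS client still register both 10.0.10.10 and 172.16.10.10 for the DC, and it is those A records, not the listener, that send a client on the 10.0.10.0 network to whichever address it picks first.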
 
Expert Comment

by:Tasmant
Don't forget that in the Microsoft world there are many processes that use RPC (i.e. a protocol without a fixed port number), so the use of a firewall between clients and DCs is not really recommended. The Microsoft recommendation is to deploy IPsec everywhere if you really need a firewall inside your network.
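
The "tcp syn checking failed" deny on microsoft-ds in the question is exactly the kind of mid-path interference the comment above warns about, and it is easy to measure from the joining server. The script below is an added example for this thread, not code from the original poster or any of the experts. It makes a real TCP connect to each well-known port a domain join uses and distinguishes "open", "closed" (the DC answered with a reset, so the firewall passed the SYN) and "filtered" (no answer at all, which is what a dropped SYN looks like). The two probes into the RPC dynamic range are there only to show whether the firewall passes that range; the DC need not be listening on those particular ports. The DC address is the one from the question; the timeout is an assumption.

```powershell
# Added example (not code from the original thread). Run on the server you are
# trying to join, against the DC it will talk to. $Dc is the DNS/DC address from
# the question; the timeout is an assumption. Works on the PowerShell 2.0 that
# ships with Server 2008 R2 (no Test-NetConnection needed).

param([string]$Dc = '172.16.10.10', [int]$TimeoutMs = 1500)

function Test-TcpPort {
    # Returns 'open', 'closed' (RST received), 'filtered' (no answer) or an error.
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'filtered'      # neither SYN-ACK nor RST: something dropped the SYN
        }
        $client.EndConnect($async) # throws SocketException on RST
        return 'open'
    } catch [System.Net.Sockets.SocketException] {
        if ($_.Exception.SocketErrorCode -eq 'ConnectionRefused') { return 'closed' }
        return "error: $($_.Exception.SocketErrorCode)"
    } finally {
        $client.Close()
    }
}

# Well-known ports a domain join uses against a DC, plus the RPC endpoint mapper.
# RPC services (Netlogon, SAMR, DRS) then get dynamic ports from the endpoint
# mapper: 1025-5000 on a Server 2003 DC, 49152-65535 on 2008 and later. A
# 'closed' answer on the range probes means the firewall passes the range;
# 'filtered' means it does not, and the join will fail after port 135 succeeds.
$JoinPorts = @(
    @{ Port = 53;    Name = 'DNS';                               Need = 'open' },
    @{ Port = 88;    Name = 'Kerberos';                          Need = 'open' },
    @{ Port = 135;   Name = 'RPC endpoint mapper';               Need = 'open' },
    @{ Port = 389;   Name = 'LDAP';                              Need = 'open' },
    @{ Port = 445;   Name = 'SMB / microsoft-ds';                Need = 'open' },
    @{ Port = 464;   Name = 'Kerberos password change';          Need = 'open' },
    @{ Port = 3268;  Name = 'Global catalog LDAP';               Need = 'open' },
    @{ Port = 1026;  Name = 'RPC dynamic range probe (2003 DC)';  Need = 'open or closed' },
    @{ Port = 49153; Name = 'RPC dynamic range probe (2008+ DC)'; Need = 'open or closed' }
)

function Test-DomainJoinPorts {
    param([string]$Dc, [int]$TimeoutMs = 1500)
    foreach ($p in $JoinPorts) {
        $state = Test-TcpPort -Target $Dc -Port $p.Port -TimeoutMs $TimeoutMs
        if ($p.Need -eq 'open') { $ok = ($state -eq 'open') }
        else                    { $ok = ($state -ne 'filtered') }
        if ($ok) { $verdict = 'ok' } else { $verdict = "BLOCKED: expected $($p.Need)" }
        New-Object PSObject -Property @{
            Port = $p.Port; Service = $p.Name; State = $state; Verdict = $verdict
        }
    }
}

Test-DomainJoinPorts -Dc $Dc -TimeoutMs $TimeoutMs |
    Format-Table -AutoSize Port, Service, State, Verdict
```

A 'filtered' result on 445 reproduces the question's symptom directly; a 'filtered' result on the dynamic-range probes is the case the comment describes, where port 135 looks fine but every RPC call the join makes afterwards (Netlogon secure channel, SAMR account creation) is dropped.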
 
Expert Comment

by:DewFreak
More explanation of your network design is desired. I assume the WatchGuard is doing the routing between the 10.0.10.0 network and the 172.16.10.0 network. Are these networks on separate VLANs? What switching is involved? 1 switch? Why does the AD have NICs assigned to each network?

Author Comment

by:dawncam
Tasmant,

The WatchGuard is set up to pass all traffic on any trusted and any optional network to anywhere.

I have a Windows 2003 web server on a 192.168.100.x network which I was able to add to the domain, and am able to map drives to shares on the 172.16.10.x network. The WatchGuard gives me a TCP SYN error on this as well. I do have the option to turn off TCP SYN error checking on the WatchGuard and did so yesterday to see if that made a difference, and it did not.

dariusq,

DNS only listens on the 172.16.10.10 network. The second NIC in the DC has an IP address and a mask and that's it.

DewFreak,
The network consists of 2 trusted networks and 1 optional (untrusted) network routed through the WatchGuard device. The 10.0 network is on a GB switch and was put in to facilitate backups to both tape and online storage. All of my Windows servers are connected to it, and the only traffic on it up to this point was backup traffic. The 172.16 network is the internal trusted network, which is serviced by 2 10 MB switches and is connected to most of the Windows servers, a Linux server, the workstations, and the printers. The 192.168.100 network is served by a 10 MB switch and contains the Windows web server and a Linux FTP server.
I did make an attempt yesterday to change the VM server and Windows 2008 server to the 172.16 network but had the same problem. I can try it again by changing the IPs on the first NIC in the VM server. Yesterday I added a second NIC to the VM server.

I can ping the Linux server on the 172.16 network by name from the Windows 2008 server on the 10.0 network so it would appear that DNS works just fine.
 
Accepted Solution

by:DewFreak
So if the 10.x network is for backup why is that assigned on your VM with a gateway address?  For simplicity, do away with the 10.x network since DNS is only listening on the 172.16.x network and try to join the domain.  
 
Expert Comment

by:Darius Ghassem
So, you have checked the configurations I asked about?
 

Author Comment

by:dawncam
Changed the VM over to the 172.16 network and changed the IP on the Windows 2008 box to the 172.16 network, and that solved all my problems, as I was then able to join the domain.