Unable to add a Windows Server 2008 R2 to the domain as a member server

Posted on 2011-03-04
Medium Priority
Last Modified: 2012-05-11
I have just installed Windows Server 2008 R2 into a virtual session using VMWare vSphere v 4.1.0 and I can not get it to join the domain.

The server is on the network at fixed IP The gateway is and is a Watchguard X750e. DNS is provided by the domain controller at  The domain controller is Windows Server 2003 R2 with 2 nics; IP addr and

The VM is setup as follows: IP, GW, DNS

I am able to ping both the IPs & FQDN's on both networks. I am able to access all shares on all computers on the 172.16.10.x network. Had to create a rule on the Watchguard to specifically allow SMB to get the shares to work.

I get the following error message when I try and add the 2008 server to the domain - The following error occurred attempting to join the domain "DOMAIN". The specified network name is no longer available. The Watchguard shows a deny error on microsoft-ds/tcp with a "tcp syn checking failed"

If I specify the account login info as SERVER NAME\administrator then I get "The specified username is invalid". The Watchguard does not show an error.

Considered that it might be a security issue as I had had a similar problem with Windows 7 computers accessing a Linus Samba share and changed the following in the local security policy:(Made no difference)

Network security: LAN Manager authentication level
Send LM & NTLM responses

Minimum session security for NTLM SSP
Disable Require 128-bit encryption

I am at a complete loss as to what to try next as I have added other Windows 2003 servers to different subnets and not had a problem adding them to the domain. Any suggestions would be appreciated.

Question by:dawncam
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
LVL 11

Expert Comment

ID: 35037684
you should correct your WatchGuard issue first with the "microsoft-ds/tcp".
if your server cannot bind to directory services, then the integration should fails.
i suggest you to set a rule on your firewall to allow everything from the 172.16.10 network to 10.0.10 network (in order to troubleshoot first). If you have more than one firewall between your client and the dc, then create the rules on each.
you should reverse the security changes you made on "Network security: LAN Manager authentication level" as you lower security, and you could have more issues than resolving this case.
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35037697
First why do you have two NICs enabled on the Domain Controller? You should not have two NICs enabled on a DC which could be causing the overall issue.  Disable NIC in DC run ipconfig /flushdns, ipconfig /registerdns, and dcdiag /fix

The error states you are having a DNS issue the DNS issues is because your SRV records and DNS records are seeing two IP addresses for one Domain Controller which is confusing DNS and AD.

What you can do if you want to keep both NICs is to make DNS listen on one IP address


Second you need to go into your TCP\IP properties uncheck the option to register with DNS on one of the interfaces.

Third go to Network Connections click advance menu then advance settings make sure your primary NIC is listed first this is the NIC you used to listen on
LVL 11

Expert Comment

ID: 35037717
Don't forget in the Microsoft world, there is many process that use RPC (ie a protocol without a fixed port number), so the usage of firewall between clients and dc is not really recommanded. the Microsoft recommendation is to deploy IPsec everywhere if you really need firewall inside your network.
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.


Expert Comment

ID: 35037729
More explanation of your network design is desired.  I assume the WatchGuard is doing the routing between the network and the network.  Are these networks on seperate VLANs?  What switching is involved?  1 switch ?  Why does the AD have NIC's assigned to each network?  

Author Comment

ID: 35038270

The Watchguard is setup to pass all traffic on any trusted and any optional network to anywhere.

I have a Windows 2003 Web Server on a 192.168.100.x network which I was able to add to the domain and am able to map drives to shares on the 172.16.10.x network. The Watchguard gives me a tcp syn error on this as well. I do have the option to turn off tcp syn error checking on the Watchguard and did so yesterday to see if that made a difference and it did not.


DNS only listens on the network. The second nic in the DC has an IP address and a mask and that's it.

The network consists of 2 trusted networks and 1 optional (untrusted) network routed through the Watchguard device. The 10.0 network is on a GB switch and was put in to facilitate backups to both a tape and online storage. All of my windows servers are connected to it and the only traffic on it up to this point was backup traffic. The 172.16 network is the internal trusted network which is serviced by 2 10MB switches and is connected to most of the Windows servers, a Linux server, the workstations, and the printers. The 192.168.100 network is served by a 10MB switch and contains the Windows web server and a Linux FTP server.
I did make an attempt yesterday to change the VM server and Windows 2008 server to the 172.16 network but had the same problem. I can try it again by changing the IPs on the first NIC in the VM server. Yesterday I added a second nic to the VM server.

I can ping the Linux server on the 172.16 network by name from the Windows 2008 server on the 10.0 network so it would appear that DNS works just fine.

Accepted Solution

DewFreak earned 2000 total points
ID: 35038327
So if the 10.x network is for backup why is that assigned on your VM with a gateway address?  For simplicity, do away with the 10.x network since DNS is only listening on the 172.16.x network and try to join the domain.  
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35038517
So, you have checked the configurations I asked about?

Author Comment

ID: 35039544
Changed the VM over to the 172.16 network and changed the IP on the Windows 2008 box to the 172.16 network and that solved all my problems as I was then able to join the domain.

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question