Unable to join Windows 7 computer to the domain

When trying to join a W7 computer to a Server 2008 domain, I get this error:

"The following error occurred attempting to join the domain "office.domain.com":
Cannot complete this function."


I can ping the domain fine.
DNS of the computer is pointed to the correct server.

Michael DyerSenior Systems Support Analyst
CERTIFIED EXPERT

Commented:
You might want to check your IP settings and make sure the gateway is correct.  If this workstation is set up for a static IP address, try changing to DHCP to see if that helps.
CERTIFIED EXPERT

Commented:
Hello,
- What version of Windows 7 is it? Home edition will not join a domain.
- Is the issue with only one computer or multiple?
Kent WSr. Network / Systems Admin
CERTIFIED EXPERT

Commented:
I've had this happen when I replaced a machine, and if you don't get a chance to remove the old machine gracefully from AD, you have to manually remove it.
What is your DC's event log saying?

Author

Commented:
- IP settings are configured with the right gateway and DNS
- using Windows 7 Pro and this is the only computer with the issue so far, as we don't have others to try out.
- this is a brand new computer and hasn't been joined to the domain.
DC logs:

Source: DHCP-Server
ID: 1056
General Details:
The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiate by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool

- I've run the command line and specified the credentials already

Source: NETLOGON
ID: 5781
Details:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.office.domain.com' failed. these records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition)

Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers.
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration
Kent WSr. Network / Systems Admin
CERTIFIED EXPERT

Commented:
Can you do a DNS lookup via your domain controller?  Sounds like this computer, since it's not on the domain, simply doesn't have the authority to grab a DHCP IP, or to update the DC's DNS server.
Not knowing exactly what is going on, a workaround may be to set this new machine up with a static IP temporarily (so it doesn't have to ask DHCP), join it to the domain, then set it back to using DHCP.

But, that doesn't fix what's wrong in the first place. Looks like either your domain DC's DNS server is not responding, or doesn't have credentials. When you are attempting to join it to the domain, are you getting prompted for the domain's administrator user / pass? Or is it failing before that point?

Author

Commented:
I've tried giving the computer a static IP and joining it to the domain, but still got the same error.

Yes, I get a prompt for credentials once I enter the domain name and click OK, then I wait for about a minute and get the error.
Hypercat (Deb)President
CERTIFIED EXPERT

Commented:
Do you have NetBIOS over TCP/IP enabled? Do you have network discovery and file sharing turned on?

Author

Commented:
this is on the server, correct?
Hypercat (Deb)President
CERTIFIED EXPERT

Commented:
Also check the firewall exceptions or turn off the firewall while you're attempting to join the domain.
Hypercat (Deb)President
CERTIFIED EXPERT

Commented:
On both the server and workstation.
Is the time/date on the computer in sync with the domain?

Author

Commented:
Yes, time/date is synchronized with the DC.
Any errors in the computer's event log?

Author

Commented:
1. Turned off firewall, enabled NetBIOS over TCP, network discovery and file sharing on both computers - still can't join
2. No weird errors on the workstation.

Here's another error from the server though:

Event ID: 4
Source: Security-Kerberos
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ARCHIVE_SERVERS. The target name used was cifs/server.office.domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service using a different password for the target service  account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password.  If the server name is fully qualified , and the target domain (OFFICE.DOMAIN.COM) is different from the client domain (OFFICE.DOMAIN.COM) , check if there are identically named server accounts in these two domains or use a fully qualifed name to identify the server.

They used to have a Server 2000 as a DC, and it has now been demoted as a DC (not sure how they did it though, hopefully via dcpromo), but the server is still running as a file server. I don't see ADUC, etc. installed on it, so I guess it's been demoted properly by the previous IT.




You could check if there are traces left of it, and remove it if present.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Also check for stale DNS records in the _msdcs zone.
You are trying to join "office.domain.com"; you want to join as "domain.com" or "domain.local". Do not add the domain controller computer name to the domain field.

Author

Commented:
snusgubben - OK, I was thinking of that as well. I'll try it out tonight.

madhatterfounder - the actual domain is "office.domain.com". "office" is not the server name; it was originally set up like that before we took over.
Is it really a '.com' domain or? Internal AD domains are typically .local or .private unless needed otherwise. It sounds like this is/was an edge server, maybe from a previous SBS 2003 infrastructure converted incorrectly to 2008, but why speculate. Which means your SOA records are gonna be jacked too. But I still haven't read most comments. But here's what you need to do while I read.

First go to the manufacturer's website and download the latest LAN/network driver on your Windows 7 PC. Check to see if it's integrated or a standalone network card or both. If both, make sure you disable one and uninstall it in Device Manager, then go to Network Connections to double check; if not, delete Local Area Connection, then run the new download to reinstall.

DO NOT alter the default properties of the LAN adapter unless you're confident DHCP doesn't work.
To check, run CMD, type    ipconfig /all   and see if the Default Gateway and DNS IP values are correct and match similar computers already connected.

Then, delete the computer account from the domain controller if in Active Directory and from DNS.

**MOST IMPORTANT**  Change the name of the computer (for DNS purposes) and join the Windows 7 computer to a different workgroup (WORKGROUP, MSHOME, etc., just anything different and not a domain)

Go to the Domain Controller and add another Domain Admin account (TEST) and use this new account to join the computer to the domain. When you join it make sure you get the credentials and domain name in the right format: domain\admin or admin@domain.extension

Then try to rejoin the domain.

If it doesn't work, download the SoftPerfect netscan utility and run a scan of your entire network from .1-.255, example 192.168.1.1 to 192.168.1.255

I have been doing consulting work for small business for 5 years and have never seen a local domain that looked more like an FQDN.
Oh, also if that doesn't work, reset defaults on your Windows 7 firewall; disabling usually won't help if it's bugged. Don't forget to restart the PC. Also give me the latest Event Viewer errors from the server and PC.

Author

Commented:
yes, it is a '.com' for the internal domain (which was setup by the previous IT).

The previous DC was a 2000 server and we were informed that it was demoted properly (using dcpromo), but they might have left some things on the old server.
The old DC (ARCHIVE_SERVER) is just now being used as a file server.

1. I have downloaded the latest network drivers before and it still didn't work.
2. I've tried both static and DHCP for the NIC.
3. Computer account is NOT in the AD yet, nor DNS (FYI: it's not SBS)
4. I have tried other Domain Admin accounts as well and it still doesn't work.

yes, this is also our first time seeing this issue and with a domain that has 3 segments to it.
CERTIFIED EXPERT

Commented:
I doubt it is a client side issue. I would look deeper into your domain configuration. Make sure that your schema is at the highest possible mode. If you have any NT domain controller, that would explain it all.

With those errors, I'm sure that you cannot even join any machine to the domain, like XP.

Author

Commented:
Yeah. It's most likely the old DC conflicting.

We'll see once I clean it up as snusgubben suggested and go from there.
If it still doesn't work, then we'll be calling Microsoft on this.

Disjoin another machine from the network and rejoin it, that way we can concentrate on one machine and I will finish this with you soon.

Author

Commented:
nah, i wouldn't do that.. they're too busy with their systems and don't want to risk another computer not on the domain and stop their productivity.
This computer that we're trying to join is a BRAND new, freshly installed Windows7 workstation.
OK, I found the fix. And although it might already be configured, it needs to be reconfigured with new credentials because it's what's causing Kerberos ticket errors. Trust me.

Goto your DC:

1. In the DHCP Server snap-in, which is located in the Administrative Tools folder, right-click the DHCP server that you want to configure, and then click Properties.
2. On the Advanced tab, click Credentials.
3. Type the username, domain and password of the account under which you want the DHCP Server service to run. You can use any valid existing user account for this, such as a Domain User account. The account should not be set to expire or have any other restrictions.
4. Click OK, and then OK again to exit the Properties dialog box.


let me know
Or you could prolly just change the password in AD for the user configured, but that would change both. Hive cleanup is built in to 2008.

Author

Commented:
I don't see any of the things you wanted me to check and change.

When i go to DHCP --> right-click the server name --> click Properties --> I see an Advanced tab, but I only see "Database path" and "Backup path" as the options to change.

Just FYI again, this is a Server 2008 Standard.
Although not mentioned, I would restart the DHCP service. It's not as if someone is going to turn on the computer and try to log in within the 1-2 minutes you restart the service. I also restart servers even if it's the only one and no one loses connection but can't login until it comes back up. However if they run active software and the database is on the server you might give a warning. If it's just file sharing they won't even notice prolly.
You don't see the "Credentials" button on the lower right of the Advanced tab? Does your DHCP server have a green circle or red X? Lemme see if it's different for 2008.
It's ok, we are getting close. After you have created a dedicated user account, you can configure DHCP servers with the user account credentials and then we need to configure DNS dynamic update credentials.

What members do you have under the DnsUpdateProxy security group?

If DHCP credentials were inherited from another computer/server when DHCP was initially set up, PTR and reverse records won't be created (from my understanding)

From a previous post:

To configure DNS dynamic update credentials:

1. Open DHCP.
2. In the console tree, click the applicable DHCP server.
3. On the Action menu, click Properties.
4. In Server Properties, click the Advanced tab, and then click Credentials. The DNS dynamic update credentials dialog box appears.
5. In DNS dynamic update credentials, type the information required to provide credentials that will determine DNS record ownership, and then click OK.

Author

Commented:
Nothing that says Credentials.

Under the Advanced tab I only see "Database path", "Backup path".
Using the DHCP manager
Start -- Administrative Tools -- DHCP
Right-click the IPv4 or IPv6 subheading
Select Properties
Select the Advanced tab
Select credentials
Put any user with domain user privileges
Click OK
Start -- type services.msc in the search box -- hit enter
Scroll down to DHCP
Right-click -- select restart
Should be good to go

If that's not available, do it this way.

Type netsh, and then press ENTER.
Type dhcp server <ipaddress> and press ENTER.
Type set dnscredentials <username> <domain> <password> and press ENTER.
Type quit and press ENTER.

You can also restart the DHCP server from the command-line with the following commands.
net stop dhcpserver

net start dhcpserver



******from the command prompt obviously, run as administrator


Did you give up?

Author

Commented:
I didn't give up, I just had other things to do.
Will update you asap.

Author

Commented:
OK, I did that and tried to rejoin the computer to the domain.

Got this error:

-------------------
An Active Directory Domain Controller (AD DC) for the domain 'OFFICE.DOMAIN.COM' could not be contacted.
Ensure the domain is typed in correctly.

If the name is correct, click Details troubleshooting information.

Details:
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain 'OFFICE.DOMAIN.COM'

The error was "DNS server failure"
(error code was 0x0000232A RCODE_SERVER_FAILURE)

The query for the SRV for _ldap._tcp.dc._msdcs.OFFICE.DOMAIN.COM

-------------

1. I can ping office.domain.com perfectly fine.
2. I can ping the servername (server2) fine

any idea?
OK, let's get some more info.

1. Open Command Prompt.

2. Type:

nslookup

3. After the previous command completes, at the nslookup (">") prompt type:

set q=rr_type

4. After the previous command completes, type:

_ldap._tcp.dc._msdcs.Active_Directory_domain_name

then tell me what the output is
so run cmd

nslookup

set q=srv

_ldap._tcp.dc._msdcs.office.domain.com

Author

Commented:
does it matter if its run from the server or workstation?
run from workstation


Author

Commented:
ok here's the result:

server: server2.office.domain.com
address: 10.1.1.252 (which is correct)

***server2.office.domain.com can't find _ldap._tcp.dc._msdcs.office.domain.com: server failed
Wait, after reading all posts I gotta ask. Is this a PDC? Active Directory integrated, right? No other servers?

Author

Commented:
yes, pdc.. AD is installed.. other server is just an ordinary member server acting as a file server.
OK, I will have a good answer, but while I do, try something for me. Instead of .com do .local when joining the domain, so office.domain.local; sounds crazy but just try it please.
A couple more fundamentals before we go deeper, as annoying as it might be.

Go to the domain controller, right click My Computer, Properties, and please verify it says

FQDN: server.office.domain.com
domain: office.domain.com

Also START, RUN, services.msc

Verify that Net Logon, DHCP and DNS are currently started and running.

Also, on the DC, go to Network Connections, right click Properties of TCP/IPv4, and make sure on the internal interface you have DNS set to 127.0.0.1 and the other blank.

Also go to the W7 PC and disable TCP/IPv6. Uncheck it.

Then try again, .com and .local.
CERTIFIED EXPERT

Commented:
Sorry that I have to go back on a few questions here. I have the feeling that the W2K8 R2 server was not promoted correctly. Have you ever been able to add a computer to the domain on that segment since the server is a DC? Did you upgrade the forest schema to AD 2008 in mixed mode? Is there any NT legacy DC in your forest?

At this point, one thing is sure: the issue is NOT on the client side. So let's focus on the DC.
Also ping server ip:389

example 192.168.1.1:389

Then go to DNS, expand Forward Lookup, expand msdcs.office.domain.com, open pdc, open tcp and open the SRV record. Verify pdc._msdcs.office.domain.com, port 389, then click the Security tab and make sure Domain Admins has Full Control.
Yeah, it's 90% server side, but there have been a lot of Windows 7 / 2008 R2 issues reported similar to this.

Author

Commented:
I'll have to try those things tomorrow. I restarted the server but it didn't come back online. Most likely it's trying to boot from one of our hard drives connected to it (another thing on the to-do list to change in the BIOS :P)

I doubt the BIOS is affecting anything; also you might check the duplex setting of the internal LAN interface properties.
^^set to auto

Author

Commented:
Using .local doesn't work - error that office.domain.local does not exist
DHCP and DNS on the server are running
dns of server is set to itself

ummm, which SRV record do you want me to check?
i see _gc, _kerberos, _kpasswd, _ldap
ldap has the port 389 pointing to server2.office.domain.com
Firstly, run ipconfig /registerdns and restart Net Logon on each DC you have (won't affect users)

bak2004 is your pdc and passed its fsmo roles, but

run dcdiag /v /s:server2 /test:advertising
(to see what roles are being advertised)

and post output
^^disregard bak2004 line but follow the rest
Sounds like LDAP isn't configured or you didn't look right... You need LDAP to bind (authenticate users) to AD.

Let's verify its policies.

Start a command prompt from the system32 dir.

1. At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.
2. At the LDAP policy command prompt, type connections, and then press ENTER.
3. At the server connection command prompt, type connect to server <DNS name of server>, and then press ENTER. You want to connect to the server that you are currently working with.
4. At the server connection command prompt, type q, and then press ENTER to return to the previous menu.
5. At the LDAP policy command prompt, type Show Values, and then press ENTER.

A display of the policies as they exist appears.
^^^1: run Ntdsutil.exe from the command prompt, then type  LDAP policies  and press ENTER

Author

Commented:
dcdiag results:
C:\Users\tron.DOMAIN>dcdiag /v /s:server2 /test:advertising

Directory Server Diagnosis

Performing initial setup:
   * Connecting to directory service on server server2.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=office,DC=domain,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name
,CN=Sites,CN=Configuration,DC=office,DC=domain,DC=com
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=office,DC=domain,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=
Default-First-Site-Name,CN=Sites,CN=Configuration,DC=office,DC=domain,DC=com
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host
         882e7190-a863-4e40-b984-7d8ee8cbf2d2._msdcs.office.domain.com could
         not be resolved to an IP address. Check the DNS server, DHCP, server
         name, etc.
         ......................... SERVER2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER2
      Skipping all tests, because server SERVER2 is not responding to directory
      service requests.
      Test omitted by user request: Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Test omitted by user request: FrsEvent
      Test omitted by user request: DFSREvent
      Test omitted by user request: SysVolCheck
      Test omitted by user request: KccEvent
      Test omitted by user request: KnowsOfRoleHolders
      Test omitted by user request: MachineAccount
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: Replications
      Test omitted by user request: RidManager
      Test omitted by user request: Services
      Test omitted by user request: SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: VerifyReferences
      Test omitted by user request: VerifyReplicas

      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : ForestDnsZones
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : DomainDnsZones
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : Schema
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : Configuration
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : office
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running enterprise tests on : office.domain.com
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Test omitted by user request: LocatorCheck
      Test omitted by user request: Intersite
Don't forget to post the LDAP config.

Author

Commented:
LDAP policy results:

Policy                    Current(New)

MaxPoolThreads            4
MaxDatagramRecv           1024
MaxReceiveBuffer          10485760
InitRecvTimeout           120
MaxConnections            5000
MaxConnIdleTime           900
MaxPageSize               1000
MaxQueryDuration          120
MaxTempTableSize          10000
MaxResultSetSize          262144
MaxNotificationPerConn    5
MaxValRange               0
yea continue on, ldap issues, prolly dns

Author

Commented:
that's it.. no other results.. anything you want me to check?

Author

Commented:
I also noticed (by comparing with other servers) that the _msdcs.server.domain.local ZONE under Forward Lookup Zones is missing. Any idea how to create it again?

Author

Commented:
**** i meant _msdcs.office.domain.local

Author

Commented:
sorry... _msdcs.office.domain.com

... i wish EE had an edit button for posts.. lol
yea, create an SRV record
do you have the pdc folder, tcp folder under forward lookup?

Author

Commented:
i'm missing that whole Forward lookup zone _msdcs... folder that contains all the dc, domains, gc, pdc subfolders
service ldap, protocol tcp, and 0, 100, 389
host offering is server2.office.domain.com
Open a command prompt, run netdiag /fix

Author

Commented:
what?

Author

Commented:
Would running netdiag /fix recreate the msdcs zone??
Do all this and I will continue until complete; might be easier to export settings and dcpromo all over again, but let's see. Trying to figure out how far back you are.

OK, I know you've done some of this already but it only takes a second.

Verify C:\Windows\SYSVOL exists.

Make sure under your internal LAN TCP/IPv4 properties static is configured with the DNS set to its static IP and the other left blank.

Also, run services.msc from the Start menu, make sure DHCP, DNS and Net Logon are started and running.

Go to Computer Management "to do list" and tell me what needs to be completed; complete the obvious.

Also, it's very important you go to Event Viewer, under Windows, get the 30 latest critical errors for DHCP, DNS, and DHCP; you can filter, export as text.

No it won't, but I wanted to know what it says, and it will also create an event for me to look at in the post requested above.

Author

Commented:
i'm pretty sure the missing _msdcs is our problem here, if you read closely from the logs..


Testing server: Default-First-Site-Name\SERVER2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host
         882e7190-a863-4e40-b984-7d8ee8cbf2d2._msdcs.office.domain.com could
         not be resolved to an IP address. Check the DNS server, DHCP, server
         name, etc.
         ......................... SERVER2 failed test Connectivity


is there a way to recreate this zone?
Working on it, please work on my post...
I need error codes and specific error messages in order to help you. One symptom can be caused by hundreds of causes. So if I post something, I'm doing it to get information so we can move along.
The first thing I do when I get to a client's site is go to Event Viewer and log errors. Then I run tests from cmd, but without your reply I can't help. Trust me, we could have finished yesterday ;)

Author

Commented:
sysvol exists
ipv4 has static ip configured
dhcp, dns and netlogon are running
i dont see a to do list in the computer management


Here's one of the errors from eventvwr:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'office.pjlovick.com.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  

Possible causes of failure include:  
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration  

USER ACTION  
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller.
Tomorrow I have to upgrade SBS 2003 to SBS 2008 on the same box / 32-bit to 64-bit. Trying to think of a way to make an image of 2003, create a compatible VM. If it works after the 64-bit hardware upgrade I will install 2008. Shrinking and expanding partitions, installing a second NIC card, installing 2008 on what was the 2003 server, and migrating over LAN.
Are you sure clients are using this? There is no way. You have a forward lookup zone though, right? And reverse? Do you see these records from its previous domain? Unfortunately computer name is to SID as DNS is to IP, but in the registry. But go ahead and run nltest, follow their directions. But first, have you looked under local net TCP/IPv4 properties - Advanced, DNS suffix? "Register in DNS" checked, set the default gateway and static DNS on the next tabs? Also open DNS and look at forward and reverse records for stale records?

after that run


 ipconfig /registerdns

. How did you get this server and who managed it?
try to run dcpromo from the command prompt and see what it says
If you are missing the _msdcs zone on a DNS server, recreate it.

From the DNS management console:

Right click the "office.domain.com" zone and choose "New Domain". Call it "_msdcs". Restart the Netlogon service and the zone should be populated.

First make sure the MSDTC service is running. I mean, yeah, I could tell you how to "restore" the msdtc zone but it's gonna be incorrect records from the wrong domain most likely pointing root records to their ISP. If the previous doesn't work we just need to create it.



Go to the properties of your forward lookup zone under the DNS manager: make the forward lookup zone 'not Active Directory integrated' and apply, then make it 'Active Directory integrated' and apply!

2. Then restart the DNS service and reload the zone in DNS manager; no error should occur!

In system:

You might see: Event ID 5781

 Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.DOMAINNAME.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

Restart netlogon service

 In application : MSDTC Errors
 You might see the following MSDTC errors:

 Event with source MSDTC, ID 53258: MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1

Event with source MSDTC, ID 4439: Failed to verify MS DTC service account information. Internal Information : msdtc_trace : File: d:\srvrtm\com\complus\dtc\dtc\adme\uiname.cpp, Line: 9390, VerifyAccountInfo: CService::Create failed, hr=0x80070005

 To get rid of the first event, do the following:

 From Administrative Tools, start Component Services.

In the MMC snap-in, go to Component Services, Computers, My Computer.

Open the properties of My Computer and click the MSDTC tab.

Click the button Security Configuration.

Do not change anything, just click OK (silly, I know).
(This thanks to an other IT nerd )
 Click OK again and then close the MMC

 Stop and start MSDTC. (net stop/net start in dos) The event with ID 53258 should not appear anymore.

To get rid of the 4439 event, do the same as for the Windows Time Service. In the System Services section of the server's policy in AD, give the account SERVICE read/start/stop rights. Refresh group policy with gpupdate /force and then restart MSDTC. The error should disappear.

 Hope this helps…
He has bigger issues than root zones; moving forward could be a waste of time...
I would demote the server and run dcpromo all over again because you have previous domain names and IP addresses riddled in the registry.
Seriously, step by step, let's see how bad it is, post back.

Click Start, click Administrative Tools, and then Server Manager. Double-click Roles, and click Active Directory Domain Services. In the Best Practices Analyzer section, click Scan this role.
I took over a client that had an IT guy who used his own money; he had integrated several edge DCs and was moving across the U.S. I removed his servers' associations with ours as did he, but our servers were still trying to communicate across the U.S. Of course that was Win2K3. But we had a good laugh.

Author

Commented:
@snusgubben

- i did that, but how about the other folders inside it? (i.e, pdc, etc..)
i'm trying to compare other servers with their folders, how would i create those folders inside msdcs?
You should not manually create all the "subfolder/zones" within the _msdcs zone. The Netlogon service should do that.

Did you try restarting the Netlogon service after creating the _msdcs zone?

Btw. on the other DC/DNS, is the _msdcs zone delegated? (you will see it as a greyed out folder if that is the case)

Author

Commented:
i'll try it out again and let you know.


there is no other DC in the environment.. i'm just saying that i compare those msdcs settings from the other servers we manage.
OK, I finally got the computer to join the domain.
I manually created the zone and its subfolders:

_msdcs.office.domain.com
 - dc
    - _sites
        - Default-First-Site-
           - _tcp
                - contains _kerberos and _ldap SRV records
    - _tcp
          - contains _kerberos and _ldap SRV records
- domains
    - I'm missing a "domain" for this which I think contains the SID of something.. ANY IDEAS?

- gc
    - _sites
          - Default-First-Site-Name
             - _tcp
                   - contains _ldap SRV record
- pdc
   - _tcp
        - contains _ldap SRV record

once all were created, I restarted netlogon and tried joining the computer to the domain. It went without any errors and quickly.


Now i just need to find what entry I need to create under the "Domains"

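An added example, not from this thread: it automates the nslookup SRV check suggested earlier and walks the _msdcs layout listed above, querying every DC locator record Netlogon should have registered (dc, gc, pdc and site-specific SRV records) plus the DSA GUID CNAME that dcdiag's Connectivity test failed on. It assumes Resolve-DnsName (Windows 8 / Server 2012 or later, so not the Windows 7 client itself); the domain, DNS server, site name and GUID default to the values quoted in the thread and are parameters.

```powershell
# Added example, not part of this thread. Checks the DC locator records that
# Netlogon is supposed to register under _msdcs for a single-DC domain.
# Requires Resolve-DnsName (Windows 8 / Server 2012 or later); on Windows 7
# use nslookup with "set q=srv" as shown earlier in the thread.
param(
    [string]$Domain    = 'office.domain.com',   # domain name used in the thread
    [string]$DnsServer = '10.1.1.252',          # DC address the author posted
    [string]$Site      = 'Default-First-Site-Name',
    [string]$DsaGuid   = '882e7190-a863-4e40-b984-7d8ee8cbf2d2'  # from the dcdiag output
)

# SRV records a client needs to find a DC. A SERVFAIL from the DC's own DNS
# for the first of these is what the join wizard reports as RCODE_SERVER_FAILURE.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
    "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain",
    "_ldap._tcp.$Site._sites.gc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain"
)

function Test-SrvRecord {
    param([string]$Name)
    try {
        $answers = Resolve-DnsName -Name $Name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        if (-not $answers) { throw "no SRV answer" }
        foreach ($a in $answers) {
            [pscustomobject]@{
                Record = $Name; Status = 'OK'
                Target = $a.NameTarget; Port = $a.Port
                Priority = $a.Priority; Weight = $a.Weight
            }
        }
    } catch {
        [pscustomobject]@{
            Record = $Name; Status = 'MISSING'
            Target = $_.Exception.Message; Port = $null
            Priority = $null; Weight = $null
        }
    }
}

$results = @($srvNames | ForEach-Object { Test-SrvRecord -Name $_ })

# dcdiag resolves <DSA GUID>._msdcs.<domain> (a CNAME to the DC's host name)
# before anything else; when it is missing every other test is skipped, which
# is exactly the "failed test Connectivity" output pasted in the thread.
$cnameName = "$DsaGuid._msdcs.$Domain"
try {
    $cname = Resolve-DnsName -Name $cnameName -Type CNAME -Server $DnsServer -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) { throw "no CNAME answer" }
    $results += [pscustomobject]@{
        Record = $cnameName; Status = 'OK'; Target = $cname.NameHost
        Port = $null; Priority = $null; Weight = $null
    }
} catch {
    $results += [pscustomobject]@{
        Record = $cnameName; Status = 'MISSING'; Target = $_.Exception.Message
        Port = $null; Priority = $null; Weight = $null
    }
}

$results | Format-Table -AutoSize

# Every SRV target should be a current DC. A target that is not (for example a
# demoted server that still has records) is a stale entry to clean up in DNS.
$targets = $results | Where-Object { $_.Status -eq 'OK' -and $_.Port } |
           Select-Object -ExpandProperty Target -Unique
Write-Host "Hosts advertised as DCs: $($targets -join ', ')"

$missing = @($results | Where-Object { $_.Status -eq 'MISSING' })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} locator record(s) missing. On the DC, run 'nltest /dsregdns' " +
                   "(or restart Net Logon) and re-run this check." -f $missing.Count)
    exit 1
}
```

Run it from a machine that can reach the DC on UDP/TCP 53; a clean result lists only the domain's DC(s) as targets and no MISSING rows.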
reboot the pc.. then try again :)
Commented:
Your process doesn't seem altogether correct!!

If this is the only domain within the forest, you don't need the forward lookup zone for MSDCS... That is used for quick zone transfers between DCs. You see, the first DC in the forest will create an MSDCS forward lookup zone for quick zone transfers to other DCs within the forest.

What you had as a problem was an expired delegation record. This record resides within your forward lookup zone as an MSDCS file folder. Within this file folder you will see a CNAME delegation record that points to the MSDCS forward lookup zone.

A picture is worth a thousand words, so please look here:
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html

That greyed out folder IS the delegation record. It was expired, and no longer pointing to the forest SRV records (MSDCS forward lookup zone). By deleting both the MSDCS forward lookup zone, then deleting the delegation records, you clean both. THEN, restarting the Netlogon service will populate the MSDCS SRV records WITHIN your domain's forward lookup zone (where the delegation record once was). Then, typing DCdiag /fix:DNS resolves any other metadata problems.

You didn't see the forward lookup zone called MSDCS. This means you didn't have any SRV records. Manually creating them is a bad idea. The Netlogon service should fix this.

Author

Commented:
I've already tried restarting the Netlogon service to recreate the records but it didn't seem to fix anything.

Commented:
OK:

I didn't see your reply within email..

Now, go to the command prompt of the DC and type DCdiag /fix:DNS
Turn off antivirus. Same issue: antivirus was preventing the change on the local PC.