andrew_transparent
asked on
Unable to join Windows 7 computer to the domain
When trying to join a W7 computer to a Server 2008 domain, I get this error:
"The following error occurred attempting to join the domain "office.domain.com":
Cannot complete this function."
I can ping the domain fine.
DNS of the computer is pointed to the correct server.
You might want to check your IP settings and make sure the gateway is correct. If this workstation is set up for a static IP address, try changing to DHCP to see if that helps.
Hello,
- What version of Windows 7 is it? Home edition will not join a domain.
- Is the issue with only one computer or multiple?
I've had this happen when I replaced a machine, and if you don't get a chance to remove the old machine gracefully from AD, you have to manually remove it.
What is your DC's event log saying?
ASKER
- IP settings are configured with the right gateway and DNS
- using Windows 7 Pro, and this is the only computer with the issue so far, as we don't have others to try out.
- this is a brand new computer and hasn't been joined to the domain yet.
DC logs:
Source: DHCP-Server
ID: 1056
General Details:
The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool
- I've run the command line and specified the credentials already
Source: NETLOGON
ID: 5781
Details:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.office.domain.com' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition)
Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers.
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration
Can you do a DNS lookup via your domain controller? Sounds like this computer, since it's not on the domain, simply doesn't have the authority to grab a DHCP IP, or to update the DC's DNS server.
Not knowing exactly what is going on, a workaround may be to set this new machine up with a static IP temporarily (so it doesn't have to ask DHCP), join it to the domain, then set it back to using DHCP.
But, that doesn't fix what's wrong in the first place. Looks like either your domain DC's DNS server is not responding, or doesn't have credentials. When you are attempting to join it to the domain, are you getting prompted for the domain's administrator user / pass? Or is it failing before that point?
ASKER
I've tried giving the computer a static IP and joining it to the domain, but still got the same error.
Yes, I get a prompt for credentials once I enter the domain name and click OK, then I wait for about a minute and get the error.
Do you have NetBIOS over TCP/IP enabled? Do you have network discovery and file sharing turned on?
ASKER
This is on the server, correct?
Also check the firewall exceptions or turn off the firewall while you're attempting to join the domain.
On both the server and workstation.
Is the time/date on the computer in sync with the domain?
ASKER
Yes, time/date is synchronized with the DC.
Any errors in the computer's event log?
ASKER
1. Turned off the firewall, enabled NetBIOS over TCP/IP, and turned on network discovery and file sharing on both computers - still can't join.
2. No weird errors on the workstation.
Here's another error from the server though:
Event ID: 4
Source: Security-Kerberos
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ARCHIVE_SERVERS. The target name used was cifs/server.office.domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is fully qualified, and the target domain (OFFICE.DOMAIN.COM) is different from the client domain (OFFICE.DOMAIN.COM), check if there are identically named server accounts in these two domains or use a fully qualified name to identify the server.
They used to have a Server 2000 as a DC, and it has now been demoted as a DC (not sure how they did it though, hopefully via dcpromo), but the server is still running as a file server. I don't see ADUC, etc. installed on it, so I guess it's been demoted properly by the previous IT.
You could check if there are traces left of it, and remove it if present.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Also check for stale DNS records in the _msdcs zone.
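The KRB_AP_ERR_MODIFIED event quoted above and the advice to look for traces of the demoted DC are two sides of the same check: which accounts hold the SPN the client asked for, and whether the old DC still has directory objects that make the domain treat it as a DC. The following PowerShell is an added example, not code from this thread or from the linked article; it uses only System.DirectoryServices (no RSAT), must run on the DC or another domain-joined machine, and the SPN, old DC name and domain DN are the thread's placeholders.

```powershell
# Added example (not from this thread): list every AD account carrying the SPN from the
# KRB_AP_ERR_MODIFIED event, then look for leftovers of the demoted DC.
# Assumes a domain-joined box with PowerShell 2.0+; names below are placeholders.
$Spn      = 'cifs/server.office.domain.com'   # target name from the event ID 4 text
$OldDc    = 'ARCHIVE_SERVER'                  # demoted Windows 2000 DC, now a file server
$DomainDn = 'DC=office,DC=domain,DC=com'

function Find-SpnOwners {
    param([string]$Spn, [string]$SearchBase)
    # A cifs/ request is also satisfied by the host/ SPN, so a duplicate under either
    # spelling on a second account is enough to break ticket decryption on the target.
    $hostSpn = $Spn -replace '^[^/]+/', 'host/'
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
    $ds   = New-Object System.DirectoryServices.DirectorySearcher($root)
    $ds.Filter   = "(|(servicePrincipalName=$Spn)(servicePrincipalName=$hostSpn))"
    $ds.PageSize = 500
    [void]$ds.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName'))
    foreach ($r in $ds.FindAll()) {
        New-Object PSObject -Property @{
            Account = [string]$r.Properties['samaccountname'][0]
            DN      = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

function Find-DcRemnants {
    param([string]$Name, [string]$DomainDn)
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $configDn = [string]$rootDse.Properties['configurationNamingContext'].Value
    $escaped  = [regex]::Escape($Name)
    # 1. An NTDS Settings object for the old server under CN=Sites is exactly what
    #    ntdsutil "metadata cleanup" removes; if it is still there, demotion was not clean.
    $sites = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Sites,$configDn")
    $ds    = New-Object System.DirectoryServices.DirectorySearcher($sites)
    $ds.Filter = '(objectClass=nTDSDSA)'
    foreach ($r in $ds.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        if ($dn -match "CN=NTDS Settings,CN=$escaped,") { "Stale NTDS Settings object: $dn" }
    }
    # 2. A computer account still flagged SERVER_TRUST_ACCOUNT (userAccountControl 0x2000)
    #    means the domain still considers the box a DC even though it only serves files now.
    $dom = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDn")
    $ds2 = New-Object System.DirectoryServices.DirectorySearcher($dom)
    $ds2.Filter = "(&(objectClass=computer)(sAMAccountName=$Name`$)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
    foreach ($r in $ds2.FindAll()) {
        "Computer account still marked as DC: " + $r.Properties['distinguishedname'][0]
    }
}

$owners = @(Find-SpnOwners -Spn $Spn -SearchBase $DomainDn)
if ($owners.Count -gt 1) {
    Write-Warning ("{0} (or its host/ form) is registered on {1} accounts; Kerberos to that name fails until only the account running the service keeps it." -f $Spn, $owners.Count)
}
$owners | Format-Table Account, DN -AutoSize
Find-DcRemnants -Name $OldDc -DomainDn $DomainDn
```

The same duplicate-SPN check can be done with the built-in tools on Server 2008, `setspn -X` (forest-wide duplicate scan) and `setspn -Q cifs/server.office.domain.com`; the script above adds the stale-DC lookup so both questions raised in this part of the thread are answered in one pass. Fixing a duplicate means removing the SPN from the account that is not running the service (`setspn -D`), not adding it anywhere else.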
You are trying to join "office.domain.com"; you want to join as "domain.com" or "domain.local". Do not add the domain controller computer name to the domain field.
ASKER
snusgubben - OK, I was thinking of that as well. I'll try it out tonight.
madhatterfounder - the actual domain is "office.domain.com". "office" is not the server name; it was originally set up like that before we took over.
Is it really a '.com' domain? Internal AD domains are typically .local or .private unless needed otherwise. It sounds like this is/was an edge server, maybe from a previous SBS 2003 infrastructure converted incorrectly to 2008, but why speculate. Which means your SOA records are going to be jacked too. But I still haven't read most comments. Here's what you need to do while I read.
First go to the manufacturer's website and download the latest LAN/network driver on your Windows 7 PC. Check to see if it's integrated or a standalone network card or both. If both, make sure you disable one and uninstall it in Device Manager, then go to Network Connections to double check; if not, delete Local Area Connection, then run the new download to reinstall.
DO NOT alter the default properties of the LAN adapter unless you're confident DHCP doesn't work.
To check, run CMD, type ipconfig /all and see if the default gateway and DNS IP values are correct and match similar computers already connected.
Then delete the computer account from the domain controller if it is in Active Directory, and from DNS.
**MOST IMPORTANT** Change the name of the computer (for DNS purposes) and join the Windows 7 computer to a different workgroup (WORKGROUP, MSHOME, etc., just anything different and not a domain).
Go to the domain controller and add another Domain Admin account (TEST) and use this new account to join the computer to the domain. When you join it make sure you get the credentials and domain name in the right format: domain\admin or admin@domain.extension
Then try to rejoin the domain.
If it doesn't work, download the SoftPerfect NetScan utility and run a scan of your entire network from .1-.255, for example 192.168.1.1 to 192.168.1.255.
I have been doing consulting work for small business for 5 years and have never seen a local domain that looked more like an FQDN.
Oh, also if that doesn't work reset your Windows 7 firewall to defaults; disabling usually won't help if it's bugged. Don't forget to restart the PC. Also give me the latest Event Viewer errors from the server and PC.
ASKER
Yes, it is a '.com' for the internal domain (which was set up by the previous IT).
The previous DC was a 2000 server and we were informed that it was demoted properly (using dcpromo), but they might have left some things on the old server.
The old DC (ARCHIVE_SERVER) is just now being used as a file server.
1. I have downloaded the latest network drivers before and it still didn't work.
2. I've tried both static and DHCP for the NIC.
3. The computer account is NOT in AD yet, nor DNS (FYI: it's not SBS).
4. I have tried other Domain Admin accounts as well and it still doesn't work.
Yes, this is also our first time seeing this issue and with a domain that has 3 segments to it.
I doubt it is a client side issue. I would look deeper into your domain configuration. Make sure that your schema is at the highest possible mode. If you have any NT domain controller, that would explain it all.
With those errors, I'm sure that you cannot join any machine to the domain, even XP.
ASKER
Yeah, it's most likely the old DC conflicting.
We'll see once I clean it up as snusgubben suggested and go from there.
If it still doesn't work, then we'll be calling Microsoft on this.
Disjoin another machine from the network and rejoin it, that way we can concentrate on one machine and I will finish this with you soon.
ASKER
Nah, I wouldn't do that. They're too busy with their systems and don't want to risk another computer being off the domain and stopping their productivity.
This computer that we're trying to join is a BRAND new, freshly installed Windows 7 workstation.
OK, I found the fix. And although it might already be configured, it needs to be reconfigured with new credentials because it's what's causing the Kerberos ticket errors. Trust me.
Goto your DC:
1.In the DHCP Server snap-in, which is located in the Administrative Tools folder, right-click the DHCP server that you want to configure, and then click Properties.
2.On the Advanced tab, click Credentials.
3.Type the username, domain and password of the account under which you want the DHCP Server service to run. You can use any valid existing user account for this, such as a Domain User account. The account should not be set to expire or have any other restrictions.
4.Click OK, and then OK again to exit the Properties dialog box.
let me know
Or you could probably just change the password in AD for the user configured, but that would change both. Hive cleanup is built in to 2008.
ASKER
I don't see any of the things you wanted me to check and change.
When I go to DHCP --> right-click the server name --> click Properties --> I see an Advanced tab, but I only see "Database path" and "Backup path" as the options to change.
Just FYI again, this is Server 2008 Standard.
Although not mentioned, I would restart the DHCP service. It's not as if someone is going to turn on the computer and try to log in within the 1-2 minutes you restart the service. I also restart servers even if it's the only one, and no one loses connection but can't log in until it comes back up. However if they run active software and the database is on the server you might give a warning. If it's just file sharing they probably won't even notice.
You don't see a "Credentials" button on the lower right of the Advanced tab? Does your DHCP server have a green circle or a red X? Let me see if it's different for 2008.
It's OK, we are getting close. After you have created a dedicated user account, you can configure DHCP servers with the user account credentials, and then we need to configure DNS dynamic update credentials.
What members do you have under the DnsUpdateProxy security group?
If DHCP credentials were inherited from another computer/server when DHCP was initially set up, PTR and reverse records won't be created (from my understanding).
From previous post:
To configure DNS dynamic update credentials:
1. Open DHCP.
2. In the console tree, click the applicable DHCP server.
3. On the Action menu, click Properties.
4. In Server Properties, click the Advanced tab, and then click Credentials. The DNS dynamic update credentials dialog box appears.
5. In DNS dynamic update credentials, type the information required to provide credentials that will determine DNS record ownership, and then click OK.
ASKER
Nothing that says Credentials.
Under the Advanced tab I only see "Database path" and "Backup path".
Using the DHCP manager
Start -- Administrative Tools -- DHCP
Right-click the IPv4 or IPv6 subheading
Select Properties
Select the Advanced tab
Select credentials
Put any user with domain user privileges
Click OK
Start -- type services.msc in the search box -- hit enter
Scroll down to DHCP
Right-click -- select restart
Should be good to go
If that's not available do it this way:
type netsh, and then press ENTER.
Type dhcp server <ipaddress> and press ENTER.
set dnscredentials <username> <domain> <password>
type quit, hit enter
You can also restart the DHCP server from the command line with the following commands.
net stop dhcpserver
net start dhcpserver
******from the command prompt obviously, run as administrator
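The GUI and netsh steps above all do one thing: stop the DHCP service from registering DNS records as the DC's own computer account and give it a dedicated, non-privileged identity instead. The PowerShell below is an added example, not code from this thread; it wraps the same netsh command (Server 2008 has no DhcpServer module; on 2012 and later `Set-DhcpServerDnsCredential` does the same job), checks the System log for event 1056 first, and then lists DnsUpdateProxy membership, which the thread asks about a few posts earlier. Run it in an elevated PowerShell on the DC; the account name, NetBIOS domain, server name and group DN are placeholders.

```powershell
# Added example (not from this thread): give the DHCP Server service on the DC its own
# least-privilege account for DNS dynamic updates, verify it, and review DnsUpdateProxy.
# Assumes an elevated PowerShell 2.0+ session on the DC; names below are placeholders.
$DhcpUser   = 'svc-dhcp-dns'            # plain Domain User: password never expires, no admin rights
$DomainNb   = 'OFFICE'                  # NetBIOS name of office.domain.com
$DhcpServer = 'server2.office.domain.com'
$GroupDn    = 'CN=DnsUpdateProxy,CN=Users,DC=office,DC=domain,DC=com'

function Get-LastDhcpCredentialWarning {
    # Event 1056 from DHCP-Server is the "running on a DC with no DNS credentials" warning
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1056 } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*DHCP-Server*' } |
        Select-Object -First 1
}

function Set-DhcpDnsCredential {
    param([string]$Server, [string]$User, [string]$Domain)
    # Prompt for the password so it never lands in a script file or the console history.
    $cred  = Get-Credential -Credential "$Domain\$User"
    $plain = $cred.GetNetworkCredential().Password
    # Same command the event text recommends; the service reads it only after a restart.
    & netsh dhcp server "\\$Server" set dnscredentials $User $Domain $plain | Out-Null
    Restart-Service -Name DHCPServer
    & netsh dhcp server "\\$Server" show dnscredentials
}

function Get-DnsUpdateProxyMembers {
    param([string]$GroupDn)
    $group = [ADSI]"LDAP://$GroupDn"
    foreach ($m in @($group.member)) { if ($m) { [string]$m } }
}

$before = Get-LastDhcpCredentialWarning
if ($before) { "Last event 1056 seen at $($before.TimeCreated)" }

Set-DhcpDnsCredential -Server $DhcpServer -User $DhcpUser -Domain $DomainNb

# Records created by DnsUpdateProxy members are left without an owner ACL so that any other
# member can overwrite them. A DC must therefore never be in this group: it would register
# its own SRV/A records with that weak ownership. With a dedicated service account configured
# above, the group can stay empty.
$members = @(Get-DnsUpdateProxyMembers -GroupDn $GroupDn)
if ($members.Count -eq 0) { 'DnsUpdateProxy is empty (fine when the service account above owns the records).' }
$members | ForEach-Object { "DnsUpdateProxy member: $_" }
```

After the restart, a fresh event 1056 should no longer appear in the System log; if it does, the credentials were not accepted (wrong NetBIOS domain or a typo in the account name are the usual reasons, since netsh does not validate them against the KDC at set time).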
Did you give up?
ASKER
I didn't give up, I just had other things to do.
Will update you ASAP.
ASKER
OK, I did that and tried to rejoin the computer to the domain.
Got this error:
-------------------
An Active Directory Domain Controller (AD DC) for the domain 'OFFICE.DOMAIN.COM' could not be contacted.
Ensure the domain is typed in correctly.
If the name is correct, click Details troubleshooting information.
Details:
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain 'OFFICE.DOMAIN.COM'.
The error was "DNS server failure"
(error code was 0x0000232A RCODE_SERVER_FAILURE)
The query was for the SRV record for _ldap._tcp.dc._msdcs.OFFICE.DOMAIN.COM
-------------
1. I can ping office.domain.com perfectly fine.
2. I can ping the server name (server2) fine.
Any idea?
OK, let's get some more info.
1. Open Command Prompt.
2. Type:
nslookup
3. After the previous command completes, at the nslookup (">") prompt type:
set q=rr_type
4. After the previous command completes, type:
_ldap._tcp.dc._msdcs.Active_Directory_domain_name
then tell me what the output is
So run cmd:
nslookup
set q=srv
_ldap._tcp.dc._msdcs.office.domain.com
ASKER
Does it matter if it's run from the server or the workstation?
Run it from the workstation.
ASKER
OK, here's the result:
server: server2.office.domain.com
address: 10.1.1.252 (which is correct)
*** server2.office.domain.com can't find _ldap._tcp.dc._msdcs.office.domain.com: server failed
Wait, after reading all the posts I gotta ask. Is this a PDC? Active Directory integrated, right? No other servers?
ASKER
Yes, PDC. AD is installed. The other server is just an ordinary member server acting as a file server.
OK, I will have a good answer, but while I do, try something for me. Instead of .com do .local when joining the domain, so office.domain.local. Sounds crazy but just try it please.
A couple more fundamentals before we go deeper, as annoying as it might be.
Go to the domain controller, right-click My Computer, Properties, and please verify it says
FQDN: server.office.domain.com
domain: office.domain.com
Also START, RUN, services.msc
Verify that Net Logon, DHCP and DNS are currently started and running.
Also, on the DC, go to Network Connections, right-click Properties of TCP/IPv4, and make sure on the internal interface you have DNS set to 127.0.0.1 and the other blank.
Also go to the W7 PC and disable TCP/IPv6. Uncheck it.
Then try again, .com and .local.
Sorry that I have to go back on a few questions here. I have the feeling that the W2K8 R2 server was not promoted correctly. Have you ever been able to add a computer to the domain on that segment since the server became a DC? Did you upgrade the forest schema to AD 2008 in mixed mode? Is there any NT legacy DC in your forest?
At this point, one thing is sure: the issue is NOT on the client side. So let's focus on the DC.
Also ping server ip:389
example 192.168.1.1:389
Then go to DNS, expand Forward Lookup Zones, expand _msdcs.office.domain.com, open pdc, open _tcp and open the SRV record; verify pdc._msdcs.office.domain.com, port 389, then click the Security tab and make sure Domain Admins has Full Control.
Yeah, it's 90% server side, but there have been a lot of Windows 7 / 2008 R2 issues reported similar to this.
ASKER
I'll have to try those things tomorrow. I restarted the server but it didn't come back online. Most likely it's trying to boot from one of our hard drives connected to it (another thing on the to-do list to change in the BIOS :P)
I doubt the BIOS is affecting anything; also you might check the duplex setting of the internal LAN interface properties.
^^ set to auto
ASKER
Using .local doesn't work - error: office.domain.local does not exist.
DHCP and DNS on the server are running.
DNS of the server is set to itself.
Umm, which SRV record do you want me to check?
I see _gc, _kerberos, _kpasswd, _ldap
_ldap has port 389 pointing to server2.office.domain.com
Firstly, run ipconfig /registerdns and restart Netlogon on each DC you have (won't affect users).
bak2004 is your pdc and passed its fsmo roles, but
run dcdiag /v /s:server2 /test:advertising
(to see what roles are being advertised)
and post output
^^disregard bak2004 line but follow the rest
Sounds like LDAP isn't configured or you didn't look right... You need LDAP to bind (authenticate users) to AD.
Let's verify its policies.
Start a command prompt from the system32 dir.
1. At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.
2. At the LDAP policy command prompt, type connections, and then press ENTER.
3. At the server connection command prompt, type connect to server <DNS name of server>, and then press ENTER. You want to connect to the server that you are currently working with.
4.At the server connection command prompt, type q, and then press ENTER to return to the previous menu.
5.At the LDAP policy command prompt, type Show Values, and then press ENTER.
A display of the policies as they exist appears.
^^^ 1. Run Ntdsutil.exe from the command prompt, then type LDAP policies and press ENTER.
ASKER
dcdiag results:
C:\Users\tron.DOMAIN>dcdiag /v /s:server2 /test:advertising
Directory Server Diagnosis
Performing initial setup:
* Connecting to directory service on server server2.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=office,DC=domain,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=office,DC=domain,DC=com
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=office,DC=domain,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=office,DC=domain,DC=com
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SERVER2
Starting test: Connectivity
* Active Directory LDAP Services Check
The host 882e7190-a863-4e40-b984-7d8ee8cbf2d2._msdcs.office.domain.com could
not be resolved to an IP address. Check the DNS server, DHCP, server
name, etc.
......................... SERVER2 failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SERVER2
Skipping all tests, because server SERVER2 is not responding to directory
service requests.
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : DomainDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Schema
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Configuration
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : office
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running enterprise tests on : office.domain.com
Test omitted by user request: DNS
Test omitted by user request: DNS
Test omitted by user request: LocatorCheck
Test omitted by user request: Intersite
Don't forget to post the LDAP config.
ASKER
ldap policy results:
Policy                     Current(New)
MaxPoolThreads             4
MaxDatagramRecv            1024
MaxReceiveBuffer           10485760
InitRecvTimeout            120
MaxConnections             5000
MaxConnIdleTime            900
MaxPageSize                1000
MaxQueryDuration           120
MaxTempTableSize           10000
MaxResultSetSize           262144
MaxNotificationPerConn     5
MaxValRange                0
Yeah, continue on. LDAP issues, probably DNS.
ASKER
That's it, no other results. Anything you want me to check?
ASKER
I also noticed (by comparing with other servers) that the _msdcs.server.domain.local ZONE under Forward Lookup Zones is missing.. any idea how to create it again?
ASKER
**** I meant _msdcs.office.domain.local
ASKER
Sorry... _msdcs.office.domain.com
... I wish EE had an edit button for posts.. lol
Yeah, create an SRV record.
Do you have the pdc folder and the tcp folder under forward lookup?
ASKER
I'm missing that whole Forward Lookup Zone _msdcs... folder that contains all the dc, domains, gc, pdc subfolders.
service ldap, protocol tcp, and 0, 100, 389
host offering is server2.office.domain.com
Open a command prompt, run netdiag /fix
ASKER
What?
ASKER
Would running netdiag /fix recreate the _msdcs zone?
Do all this and I will continue until complete. It might be easier to export settings and dcpromo all over again, but let's see. Trying to figure out how far back you are.
OK, I know you've done some of this already but it only takes a second.
Verify C:\Windows\SYSVOL exists.
Make sure under your internal LAN TCP/IPv4 properties it has static configured, with the DNS set to its static IP and the other left blank.
Also, run services.msc from the Start menu, make sure DHCP, DNS and Net Logon are started and running.
Go to Computer Management "to do list" and tell me what needs to be completed; complete the obvious.
Also, it's very important you go to Event Viewer, under Windows, get the 30 latest critical errors for DHCP, DNS, and DHCP; you can filter, export as text.
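The event triage asked for above, scripted instead of clicked through Event Viewer. This is an added example, not code from the thread: it assumes PowerShell 2.0 or later on the Server 2008 DC and uses the Server 2008 provider names shown in $Providers (confirm them with Get-WinEvent -ListProvider *dns*, *dhcp*, *netlogon*). Besides the export, it pulls the zone names out of any Netlogon 5781 events, which is the fastest way to see which zone or delegation the DC cannot register into.

```powershell
# Added example (not from the thread): pull the last 30 Critical/Error events from
# Netlogon, DNS Server and DHCP Server on a Server 2008 DC, summarise them and
# export them as text. Assumptions: PowerShell 2.0+ on the DC; the provider names
# below are the Server 2008 names (verify with Get-WinEvent -ListProvider).
$OutFile   = "$env:TEMP\dc-errors.txt"
$Providers = 'NETLOGON', 'Microsoft-Windows-DNS-Server-Service', 'Microsoft-Windows-DHCP-Server'

function Get-DcErrors {
    param([int]$Max = 30)
    # Level 1 = Critical, 2 = Error. Netlogon and DHCP write to System,
    # the DNS service to its own 'DNS Server' log.
    $events = foreach ($log in 'System', 'DNS Server') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2; ProviderName = $Providers } `
                     -MaxEvents $Max -ErrorAction SilentlyContinue
    }
    $events | Sort-Object TimeCreated -Descending | Select-Object -First $Max
}

function Get-FailedDnsZones {
    param($Events)
    # Netlogon 5781 names the DNS domain whose locator records could not be
    # registered; the distinct zone names show which zone or delegation is broken.
    $Events | Where-Object { $_.ProviderName -eq 'NETLOGON' -and $_.Id -eq 5781 } |
        ForEach-Object { if ($_.Message -match "DNS domain '([^']+)'") { $matches[1] } } |
        Sort-Object -Unique
}

$errors = @(Get-DcErrors -Max 30)

"Counts by source and event ID:"
$errors | Group-Object ProviderName, Id | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

"Zones named in Netlogon 5781 events:"
Get-FailedDnsZones $errors

# Plain-text export to paste into the thread (strip internal hostnames first if needed).
$errors | Format-List TimeCreated, ProviderName, Id, Message | Out-File $OutFile -Encoding UTF8
"Exported $($errors.Count) events to $OutFile"
```

Run it elevated on the DC. If "Zones named in Netlogon 5781 events" lists ForestDnsZones.office.domain.com or _msdcs.office.domain.com, the DNS server is not authoritative for (or not accepting updates to) that name, which is the condition the dcdiag Connectivity failure above reports from the other side.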
No, it won't, but I wanted to know what it says, and it will also create an event for me to look at in the post requested above.
ASKER
I'm pretty sure the missing _msdcs is our problem here, if you read closely from the logs..
Testing server: Default-First-Site-Name\SERVER2
Starting test: Connectivity
* Active Directory LDAP Services Check
The host
882e7190-a863-4e40-b984-7d8ee8cbf2d2._msdcs.office.domain.com could
not be resolved to an IP address. Check the DNS server, DHCP, server
name, etc.
......................... SERVER2 failed test Connectivity
Is there a way to recreate this zone?
Working on it, please work on my post...
I need error codes and specific error messages in order to help you. One symptom can be caused by hundreds of causes. So if I post something, im doing it to get information so we can move along.
The first thing I do when I get to a client's site is go to Event Viewer and log errors. Then I run tests from cmd, but without your reply I can't help. Trust me, we could have finished yesterday ;)
ASKER
SYSVOL exists.
IPv4 has a static IP configured.
DHCP, DNS and Netlogon are running.
I don't see a to do list in Computer Management.
Here's one of the errors from eventvwr:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'office.pjlovick.com.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration
USER ACTION
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller.
Tomorrow I have to upgrade SBS 2003 to SBS 2008 on the same box, 32-bit to 64-bit. Trying to think of a way to make an image of 2003 and create a compatible VM. If it works after the 64-bit hardware upgrade I will install 2008. Shrinking and expanding partitions, installing a second NIC card, installing 2008 on what was the 2003 server, and migrating over the LAN.
Are you sure clients are using this? There is no way. You have a forward lookup zone though, right? And reverse? Do you see these records from its previous domain? Unfortunately computer name is to SID as DNS is to IP, but in the registry. But go ahead and run nltest, follow their directions. But first, have you looked under local net TCP/IPv4 properties, Advanced, DNS suffix? Register in DNS checked, set the default gateway and static DNS on the next tabs? Also open DNS and look at forward and reverse records for stale records?
After that run
ipconfig /registerdns
How did you get this server and who managed it?
Try to run dcpromo from the command prompt and see what it says.
If you are missing the _msdcs zone on a DNS server, recreate it.
From the DNS management console:
Right click the "office.domain.com" zone and choose "New Domain". Call it "_msdcs". Restart the Netlogon service and the zone should be populated.
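The same repair done from the command line, plus the verification the post leaves out. This is an added example, not the poster's procedure: it assumes a single Server 2008 DC named server2.office.domain.com for the domain office.domain.com (the names used in this thread), an elevated PowerShell on that DC, and the built-in dnscmd and nltest tools. It creates the forest-wide _msdcs zone the way dcpromo lays it out, which is an alternative to the "New Domain" sub-domain approach above, not an addition to it: a separate _msdcs.office.domain.com zone is more specific than a sub-domain of office.domain.com and would take over from it, so use one layout or the other. It then forces Netlogon to re-register and checks the exact records dcdiag's Connectivity test and a joining Windows 7 client depend on, including the DSA GUID CNAME that failed above.

```powershell
# Added example (not from the thread): rebuild the _msdcs DC-locator records on a
# single Server 2008 DC with dnscmd/nltest and verify them the way dcdiag does.
# Assumptions: domain office.domain.com, DC server2.office.domain.com, run in an
# elevated PowerShell on that DC (both names are placeholders from the thread).
$Domain = 'office.domain.com'
$DcFqdn = 'server2.office.domain.com'
$MsDcs  = "_msdcs.$Domain"

function Test-ZoneExists {
    param([string]$Zone)
    # dnscmd /EnumZones prints one zone per line; match the exact zone name.
    $lines = & dnscmd /EnumZones 2>&1
    return [bool]($lines | Where-Object { $_ -match "^\s*$([regex]::Escape($Zone))\s" })
}

function Get-DsaGuid {
    # The CNAME dcdiag could not resolve is <objectGUID of this DC's NTDS Settings>._msdcs.<domain>.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $ntds    = [ADSI]("LDAP://" + [string]$rootDse.dsServiceName)
    return New-Object System.Guid (,[byte[]]$ntds.objectGUID.Value)
}

function Test-LocatorRecord {
    param([string]$Name, [string]$Type)
    # nslookup prints 'svr hostname' for SRV answers and 'canonical name' for CNAMEs;
    # anything else (NXDOMAIN, timeout, wrong type) counts as a failure.
    $out = & nslookup "-type=$Type" $Name 2>&1 | Out-String
    return ($out -match 'svr hostname|canonical name')
}

# 1. Forest-wide, AD-integrated _msdcs zone (the layout dcpromo creates). Skip this
#    if you already created _msdcs as a sub-domain of the parent zone; pick one layout.
if (-not (Test-ZoneExists $MsDcs)) {
    & dnscmd /ZoneAdd $MsDcs /DsPrimary /DP /forest
}

# 2. Secure dynamic updates only (2 = secure). With nonsecure updates (1) any host on
#    the LAN can overwrite the SRV records clients use to find the DC and the KDC.
& dnscmd /Config $MsDcs  /AllowUpdate 2
& dnscmd /Config $Domain /AllowUpdate 2

# 3. Make Netlogon re-register every locator record, then the host A record.
& nltest /dsregdns
& ipconfig /registerdns
Start-Sleep -Seconds 10

# 4. Verify the records dcdiag and a joining Windows 7 client rely on.
$dsaGuid = Get-DsaGuid
$checks = @(
    @{ Name = "$dsaGuid.$MsDcs";           Type = 'CNAME' },   # dcdiag Connectivity test
    @{ Name = "_ldap._tcp.dc.$MsDcs";      Type = 'SRV'   },   # DC locator
    @{ Name = "_kerberos._tcp.dc.$MsDcs";  Type = 'SRV'   },   # KDC locator
    @{ Name = "_ldap._tcp.gc.$MsDcs";      Type = 'SRV'   },   # global catalog
    @{ Name = "_ldap._tcp.pdc.$MsDcs";     Type = 'SRV'   },   # PDC emulator
    @{ Name = "_ldap._tcp.$Domain";        Type = 'SRV'   }    # LDAP used by the join
)
$failed = @($checks | Where-Object { -not (Test-LocatorRecord $_.Name $_.Type) })
if ($failed.Count -gt 0) {
    $failed | ForEach-Object { Write-Warning "still missing: $($_.Type) $($_.Name)" }
} else {
    "All locator records resolve to $DcFqdn; re-running the test that failed above:"
    & dcdiag /test:Connectivity
}
```

Once the script reports that every record resolves, check the client side from the Windows 7 machine with nltest /dsgetdc:office.domain.com /force before retrying the join; if that still fails, the workstation is querying a different DNS server than the one the zone lives on.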
First make sure the MSDTC service is running. I mean, yeah, I could tell you how to "restore" the msdtc zone, but it's gonna be incorrect records from the wrong domain, most likely pointing root records to their ISP. If the previous doesn't work we just need to create it.
1. Go to the properties of your forward lookup zone under the DNS manager: make the forward lookup zone 'not Active Directory integrated' and apply, then make it 'Active Directory integrated' and apply!
2. Then restart the DNS service and reload the zone in DNS manager; no error should occur!
In System:
You might see: Event ID 5781
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.DOMAINNAME.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
Restart the Netlogon service.
In Application: MSDTC errors
You might see the following MSDTC errors:
Event with source MSDTC, ID 53258: MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1
Event with source MSDTC, ID 4439: Failed to verify MS DTC service account information. Internal Information : msdtc_trace : File: d:\srvrtm\com\complus\dtc\dtc\adme\uiname.cpp, Line: 9390, VerifyAccountInfo: CService::Create failed, hr=0x80070005
To get rid of the first event, do the following:
From Administrative Tools, start Component Services.
In the MMC snap-in, go to Component Services, Computers, My Computer.
Open the properties of My Computer and click the MSDTC tab.
Click the button Security Configuration.
Do not change anything, just click OK (silly, I know).
(Thanks to another IT nerd for this.)
Click OK again and then close the MMC.
Stop and start MSDTC (net stop/net start in dos). The event with ID 53258 should not appear anymore.
To get rid of the 4439 event, do the same as for the Windows Time Service. In the System Services section of the server's policy in AD, give the account SERVICE read/start/stop rights. Refresh group policy with gpupdate /force and then restart MSDTC. The error should disappear.
Hope this helps…
He has bigger issues than root zones; moving forward could be a waste of time...
I would demote the server and run dcpromo all over again, because you have previous domain names and IP addresses riddled in the registry.
Seriously, step by step, let's see how bad it is, post back.
Click Start, click Administrative Tools, and then Server Manager. Double-click Roles, and click Active Directory Domain Services. In the Best Practices Analyzer section, click Scan this role.
I took over a client that had an IT guy who used his own money; he had integrated several edge DCs and was moving across the U.S. I removed his servers' associations with ours, as did he, but our servers were still trying to communicate across the U.S. Of course that was Win2k3. But we had a good laugh.
ASKER
@snusgubben
- I did that, but how about the other folders inside it? (i.e. pdc, etc.)
I'm trying to compare other servers with their folders; how would I create those folders inside _msdcs?
You should not manually create all the "subfolder/zones" within the _msdcs zone. The Netlogon service should do that.
Did you try restarting the Netlogon service after creating the _msdcs zone?
Btw. on the other DC/DNS, is the _msdcs zone delegated? (you will see it as a greyed out folder if that is the case)
ASKER
I'll try it out again and let you know.
There is no other DC in the environment.. I'm just saying that I compare those _msdcs settings with the other servers we manage.
SOLUTION
Reboot the PC, then try again :)
ASKER CERTIFIED SOLUTION
ASKER
I've already tried restarting the Netlogon service to recreate the records but it didn't seem to fix anything.
OK:
I didn't see your reply in email..
Now, go to the command prompt of the DC and type DCdiag /fix:DNS
Turn off antivirus. Same issue: antivirus was preventing the change on the local PC.