ATOCONS
asked on
The old "Cannot join domain: network path not found" error SBS2003
I have a SBS2003 setup with a number of clients and all has been working fine for a long long time.
One of the clients is a Windows 7 machine that stopped being able to browse the network. It was connecting to Exchange, I could ping the server and any other device on the network, by name or by IP.
But I couldn't even see the domain in the browser.
All the other machines could see the domain and browse it.
At the same time a second server (just a file server) stopped responding to remote desktop - I could get the screen up but had the "RPC server is unavailable" error.
Tried a number of solutions, one of which was to remove the W7 machine from the domain and rejoin.
However I cannot rejoin the domain. I get the "Network path not found" error.
More information:
I can ping all machines from the client
I cannot connect using http://sbs-domain/ConnectComputer - I get an error re intranet settings and when I set them low, I just get a message about the wizard not being installed and maybe due to intranet settings. The settings are low and I still get it.
If I use the Change button or the Network ID button I just get the network path not found error.
I have cleared the static IP and set it to DHCP, and it receives a valid IP and the correct DNS IP.
nslookup can't find a DC name, but does return loopback address as DC IP address
netlogon service is not started and I cannot start it - it says it started and stopped - some services stop if they are not being used.
Where next?
I'm sure the list above is not comprehensive of the things I've checked.
I'm also concerned by the RPC error when trying to RDP to the other member server - is it related?
Thanks
I would start with DNS; are there any stale records you can delete? Please refresh my memory if nslookup worked, I believe you said it didn't. We should work to get DNS resolving the server from the workstation.
DNS would also cause problems with RDP, matter of fact try RDP using the IP address, this will tell if DNS is bad or not.
ASKER
nslookup returns:
*** Default servers are not available
Default Server: UnKnown
Address: 127.0.0.1
which I have read is not incorrect as it would only get a name from reverse DNS which doesn't really need to be set up. But should it give the proper IP address?
RDP using the IP gives exactly the same result - RPC server not available.
Also, now the windows 7 machine is in the domain, with the server switched back, I can't logon to the domain from that machine - "no logon server is available to service the logon request"
Did you run nslookup from the workstation?
Are you getting any errors in the event logs?
ASKER
When I tried to join I have:
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5513
Date: 17/01/2012
Time: 15:50:12
User: N/A
Computer: ATO-DELL-SERVER
Description:
The computer ATOVOSTRO tried to connect to the server \\ATO-DELL-SERVER using the trust relationship established by the ATO-MAIN domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
then:
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5722
Date: 17/01/2012
Time: 15:53:58
User: N/A
Computer: ATO-DELL-SERVER
Description:
The session setup from the computer ATOVOSTRO failed to authenticate. The name(s) of the account(s) referenced in the security database is ATOVOSTRO$. The following error occurred:
Access is denied.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 22 00 00 c0 "..À
There are no errors in the DNS log
ASKER
Now, this is not that surprising, as the DC that allowed the join was a different one.
But how do I re-establish the trust relationship?
If the SID is bad I would pull the computer out of the domain and place it in a workgroup. To take it a step further, I would rename the computer before trying to join it back to the domain. Go into AD and delete the computer name if you don't rename the workstation.
ASKER
I suspect your answer will be that I have to leave and rejoin the domain - full circle.
In which case I still just need to fix the root cause (probably in DNS somewhere)
If the SID is bad nothing is going to work whether you resolve DNS or not. User accounts authenticate like computer accounts. Go with the event log: it's a known issue and a critical one. Resolve it and move on from that point.
ASKER
Yes, removing it will mean I can't rejoin again, won't it?
Until the root cause error is found it's not going to work - and when that is found I suspect both the Join Domain and the RDP issue will both be fixed.
Interestingly, I can RDP to the SBS server itself, just not to the other server
You have to address the SID problem first; if you can't add the workstation back in the domain we'll troubleshoot.
ASKER
I can't add to the domain.
I have deleted the computer account but it is back to the "network path not found" error - indicating the DNS fault I guess.
Sorry for any confusion, I thought the workstation was still in the domain.
tried these commands
ipconfig /release
ipconfig /flushdns
ipconfig /renew
ipconfig /registerdns
make sure the following services are started on the workstation: Workstation, DHCP Client, DNS Client, Server, TCP/IP Netbios helper, Computer Browser
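An added example, not part of the original thread: a PowerShell 2.0-compatible check for the workstation that reports the services listed above, then queries the DC locator SRV record and tests the ports a domain join depends on. The domain name and DNS server address are the sanitized values from the thread's output and are assumptions to replace with real ones.

```powershell
# Added example; run on the workstation from an elevated PowerShell prompt.
param(
    [string]$DnsDomain = 'domainname.local',  # placeholder: sanitized AD DNS domain from the thread
    [string]$DnsServer = '192.168.16.2'       # assumption: SBS/DNS address from the thread's ipconfig output
)

# Service short names for the display names listed above, plus Netlogon.
$services = @{
    'LanmanWorkstation' = 'Workstation'
    'Dhcp'              = 'DHCP Client'
    'Dnscache'          = 'DNS Client'
    'LanmanServer'      = 'Server'
    'lmhosts'           = 'TCP/IP NetBIOS Helper'
    'Browser'           = 'Computer Browser'
    'Netlogon'          = 'Netlogon'   # stays stopped while the PC is in a workgroup
}
foreach ($name in $services.Keys) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc) { '{0,-24} {1,-8} start mode: {2}' -f $services[$name], $svc.State, $svc.StartMode }
    else      { '{0,-24} not installed' -f $services[$name] }
}

# DNS servers each IP-enabled adapter is really using (compare with $DnsServer).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' | ForEach-Object {
    '{0}: DNS = {1}' -f $_.Description, ($_.DNSServerSearchOrder -join ', ')
}

# A domain join locates a DC through this SRV record; ping by name does not exercise it.
$record = "_ldap._tcp.dc._msdcs.$DnsDomain"
$output = & nslookup.exe -type=SRV $record $DnsServer 2>&1 | Out-String
$dcs = @([regex]::Matches($output, 'svr hostname\s*=\s*(\S+)') |
         ForEach-Object { $_.Groups[1].Value })

# Plain TCP connect test (Test-NetConnection does not exist on Windows 7).
function Test-TcpPort([string]$Target, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Target, $Port); $true } catch { $false } finally { $client.Close() }
}

if ($dcs.Count -eq 0) {
    "No SRV record returned for $record from $DnsServer"
} else {
    foreach ($dc in $dcs) {
        # Kerberos (88), RPC endpoint mapper (135), LDAP (389), SMB (445).
        foreach ($port in 88, 135, 389, 445) {
            '{0}:{1} reachable: {2}' -f $dc, $port, (Test-TcpPort $dc $port)
        }
    }
}
```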
ASKER
I joined the workstation to the domain using an alternative domain SBS server as I described above. This was to prove the DNS config or something else on the server was at fault.
I then reinstated the original SBS server (same domain name) but couldn't logon - presumably because the credentials the alternative server created are not valid on the original server.
That's why I would not be able to re-join the domain if I came out of it - and so it has proved.
So the DNS still needs to be fixed.
Now I guess I could compare entry for entry between the alternative server, which works, and the proper server, which no longer does. But that would be error-prone I'm sure.
Or I could do a system state restore from several days ago (don't know what else I would lose).
Or some other way to recreate proper DNS entries (is there a script in SBS for it?)...
So you added the computer back to the domain that works.
On the SBS2003, open DNS, right-click the DNS server name and select scavenge stale resource records, update server data files, clear cache and restart the DNS server.
On the SBS2003, what errors is the DNS Server log reporting?
ASKER
All those services are running (though as I say netlogon is not).
/registerdns gives the error "the requested operation requires elevation"
ASKER
As I said, there are no errors in the DNS log
ASKER
I added back to the working domain, using a different SBS server as described above.
I reinstated the original SBS server
I tried to logon and could not
I removed from the domain as you instructed
I cannot rejoin
The Windows 7 machine is no longer in any domain
Also did all the DNS stuff you list above - "network path not found"
ASKER
I have just checked through the entire DNS, record by record, comparing the other SBS server I have with the one in question.
Every entry is pretty much identical, the differences being the server name (of course) and in some cases some of the data.
So, msdcs.domainname.local has an entry that looks like a SID, that is of course different.
the SOA entry has a different value - [26], servername.domain.local in the one case and [16], servername.domain.local in the other
msdcs.domainname.local/domains also has an entry that looks like a SID that is different on the other server, as I would expect - it's also different to the one directly under msdcs.domainname.local (that's true on both machines so looks OK)
FLZ/mydomain.local has an SOA record that has [56],servername.domainname.local in the one that works, but [6931],servername.domainname.local in the other server. Is that odd? I don't know what this value means or is used for.
Otherwise all looks identical
ASKER
Can I uninstall and reinstall DNS safely on SBS?
I wouldn't, it's integrated into AD and will most likely cause problems. My opinion more than if it can or can't be done. I've never uninstalled DNS but I've recreated the forward and reverse lookup zones before to fix a DNS problem.
ASKER
I did find that somehow the NIC setting had lost its reference to itself as the DNS server. I added the entry but no joy there.
Also tried changing the zone to non-integrated, restarting netlogon and DNS, switching back to integrated and restarting them again. No joy there either.
Otherwise been short on time today.
However, if I now try to join the domain I have a different error:
An attempt to resolve the DNS name of a domain controller in the domain being joined has failed. Please verify this client is configured to reach a DNS server that can resolve DNS names in the target domain.
ASKER
BTW, ran DCDIAG tests for RegisterInDomain, Services and MachineAccount. All passed
ASKER
Ran netdiag
..........................
Computer Name: servername
DNS Host Name: servername.domainname.loca
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Server Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : servername
IP Address . . . . . . . . : 192.168.16.2
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.16.1
Primary WINS Server. . . . : 192.168.16.2
Dns Servers. . . . . . . . : 192.168.16.2
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
WINS service test. . . . . : Passed
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{CBE068C9-86E6
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '192.168.16.2'.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{CBE068C9-86E6
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{CBE068C9-86E6
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
ASKER
And that is the correct DNS server IP:
Windows IP Configuration
Host Name . . . . . . . . . . . . : servername
Primary Dns Suffix . . . . . . . : domainname.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : domainname.local
Ethernet adapter Server Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-10-18-0D-AF-F8
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.16.1
DNS Servers . . . . . . . . . . . : 192.168.16.2
Primary WINS Server . . . . . . . : 192.168.16.2
Have a look on the workstation and see if the TCP/IP NetBIOS Helper Service is turned off and set to manual:
Set service to auto and then try and add the machine back to the domain
ASKER
I had tried all suggestions made by the contributors (many thanks guys) but unfortunately none of them worked.
ASKER
Something is definitely awry with the domain controller/SBS server.
I have another server I built as a completely clean SBS.
I was intending at some point to copy across the website hosted on SBS, and do export/import of the info store, then switch to the new server.
This server is very vanilla currently.
I happen to have it on a VLAN so that I can set up without interfering with anything else - it can see a network etc, and a NAS device that I can switch into the VLAN as I make the changes to bring it live one day.
So I switched the existing SBS server out of the network (by changing its VLAN) and moved the new one in (put it in the main VLAN).
Then - hey presto! I could join the Windows 7 machine to the domain.
And, I could do Remote Desktop to the other server.
No answers yet, but how can I troubleshoot the existing SBS server (I've switched back to it as it has my live services on it)?
NETDIAG and DCDIAG throw no errors....