Solved

Join Windows 7 WS to a Windows Server 2003 AD Domain

Posted on 2012-03-26
Last Modified: 2012-03-27
I have a Windows Server 2003 PC with an Active Directory Domain named law.subrogate.net. I am trying to join a Windows 7 WS with hostname\UserID of HP001\tlp006 to this domain without any success, and it is not because I haven't tried. What knowledge I have as a programmer not a network engineer/administrator has always served me well in the past and I have never had a problem joining a workstation\user to a NetBIOS domain on a Primary Domain Controller -- very old school. This is killing me.

Please find attached a screen shot of the user properties on the Windows Server 2003 PC with an Active Directory Domain.

Also please find 2 screen shots of the subwindows I am using on the Windows 7 Workstation.
UserAccountProperties.bmp
ActiveDirectoryDomainController.bmp
ComputerName-DomainChanges.bmp
Question by:Ted Palmer
37 Comments
 
LVL 7

Expert Comment

by:karllangston
ID: 37769075
If you are sure the PC is on the same physical LAN but it is not seeing the domain controller, then you need to check the DNS settings in the network properties. If the PC is not looking at the domain's DNS server then it will not see it. They may have a manually entered DNS like Google (8.8.8.8 etc.) when it needs to be the same as the server for the LAN.

Author Comment

by:Ted Palmer
ID: 37769148
IPIP Settings
My IP addresses have been set in the Advanced Settings of the TCP/IP properties window. Please see attached screen shot. 10.125.224.34 is the IP address of the Windows Server 2003 PC that is supposed to be acting as the DC for law.subrogate.net domain. I do believe, but please don't quote me on that. I cannot see my screen shots while I am typing this. I must say I am not particularly fond of this new UI on EE. This screen shot is from the Windows 7 workstation.

Ted Palmer
LVL 16

Expert Comment

by:R. Andrew Koffron
ID: 37769249
If 10.125.224.34 is the Domain Controller, then 10.125.224.34 should be the one and only DNS entry in the Windows 7 TCP/IP settings, at least till it's in the domain.
LVL 76

Expert Comment

by:arnold
ID: 37769399
You have to remove the public DNS servers from the list because the suffix of your AD domain is .net!
The issue occurs because the public DNS servers are queried and they have no info on the AD domain.
Where is your DHCP server?

Author Comment

by:Ted Palmer
ID: 37769591
Harel66 and arnold:

I removed both of the public IPs from the list and attempted to join the domain again and got the same results that I have always gotten. Shown in the ActiveDirectoryDomainController.bmp screen shot file. I am trying to figure out how to add a code snippet to this comment but all the WP editing functions are grayed out as in disabled above this comment textbox. There is a function in there labeled "code", but it is grayed out. So I'll just paste it into this comment. Oh! the code snippet is the results of the command line statement ipconfig -all

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\tlp006>ipconfig -all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : HP001
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : HOBBIT

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : 802.11n Wireless LAN Card
   Physical Address. . . . . . . . . : 70-F1-A1-FC-C5-8F
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : HOBBIT
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 6C-62-6D-50-2B-27
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::7c8c:b2f3:dd4b:709c%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.125.224.34(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, March 24, 2012 5:22:55 PM
   Lease Expires . . . . . . . . . . : Tuesday, March 27, 2012 3:46:07 PM
   Default Gateway . . . . . . . . . : 10.125.224.1
   DHCP Server . . . . . . . . . . . : 10.125.224.1
   DHCPv6 IAID . . . . . . . . . . . : 258761325
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-A9-25-29-6C-62-6D-50-2B-27

   DNS Servers . . . . . . . . . . . : 10.125.224.1
                                       68.94.156.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.HOBBIT:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : HOBBIT
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:3460:2fb8:ba69:4ba4(Preferred)
   Link-local IPv6 Address . . . . . : fe80::3460:2fb8:ba69:4ba4%10(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{86E18DAA-03DA-49F2-AB51-D3B05E1D9F68}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\tlp006>
++++++++++++++++++++

To arnold's question. . . . The DHCP server is in the 54Mbps Wireless DSL Gateway router. I hope I am not making myself vulnerable to hacker attack by putting all this network configuration info on the internet.

Author Comment

by:Ted Palmer
ID: 37769592
Oh!!

Maybe I don't have the DNS configured correctly on the Windows Server 2003 machine?

TedPalmer
LVL 16

Expert Comment

by:R. Andrew Koffron
ID: 37769632
Firstly, the 10.x.x.x addresses are not routable so aren't a big threat; the full domain name you should probably edit out.
LVL 16

Expert Comment

by:R. Andrew Koffron
ID: 37769644
If the Windows 7 machine can't ping the AD domain it's not going to be able to join, most likely. Start there.
I have to ask, why is the internal domain named with a .net name?
LVL 16

Expert Comment

by:R. Andrew Koffron
ID: 37769655
try pinging/joining subrogate01 as the domain
LVL 76

Expert Comment

by:arnold
ID: 37769668
You still have a reference to the public DNS server.
Could you confirm that the DNS server is on the referenced IP?
On the Windows 7 system, run in a command window:
nslookup -q=srv _ldap._tcp.msdcs.yourdomainname
Better example and exp.
http://technet.microsoft.com/en-us/library/cc738991(v=ws.10).aspx

Author Comment

by:Ted Palmer
ID: 37769904
Guys,

I had to restore the public IPs to the list or I would not be able to respond to you at all. I was getting the error message "DNS server not responding" until I restored the public IPs. I'll work on this some more in the morning. It's late and I fell asleep in my chair. Thank you both for your help.

Talk to you tomorrow. Oh! I don't recall why there is a ".net" at the end of my local domain name. It has been a long time since I made it up. I must have seen that some place in something I read as an example. Should I go back and just truncate that off?

TedPalmer
LVL 76

Expert Comment

by:arnold
ID: 37770753
The error means that the internal server referenced is not working and would explain why you can not join the domain.
You can not truncate. You could try renaming the domain.
Double check the dns on the dc to make sure it is running. Make sure if you have software firewall on the dc, that you allow port 53 access. Etc.
LVL 16

Expert Comment

by:R. Andrew Koffron
ID: 37771524
Renaming the domain basically will involve a complete re-do of the server/user-accounts on the server, and rejoining all the machines to a new domain, and all the user profiles will be blank and files will need to be copied to a new profile on every machine.

basically bad idea unless you are ready for a full systems rebuild.
LVL 16

Expert Comment

by:R. Andrew Koffron
ID: 37771599
My advice is to:
1) Remove and re-install the Active Directory integrated DNS server on the AD controller.
Ensure the DNS server is listening on all addresses.
*Do not put any forwarders on the new DNS setup. 2003 doesn't need forwarders in a normal setup.*
2) Add any external records for your .net URL, for instance www.
3) Turn off the DHCP server on the wireless device.
4) Install DHCP on the Active Directory controller.
5) Set up a new scope using the AD DNS server as the DNS server, and the wireless device as the gateway. *I would use a slightly different IP range so I could immediately see if any new problems were related to DHCP.* This also means adding or changing the server's internal IP.
6) Ensure the DHCP options are set to register clients in DNS.

this has potential to sort you out, but also may uncover some other issues that could be problematic.

Author Comment

by:Ted Palmer
ID: 37771730
Harel66 and arnold:

First of all, things look different in the morning after a good night's sleep. The first thing that I noticed this morning is that I had the IP address of the Windows Server 2003 PC wrong. It is supposed to be 10.125.224.101 not 10.125.224.34. IP 10.125.224.101 is static. I assigned it to the Windows Server 2003 machine when I installed the OS about 5 years ago. But changing that in the list of IPs for DNSs didn't make a difference when I tried to join the Windows 7 workstation to the domain law.subrogate.net.

arnold: Where on the Windows Server 2003 machine do I set allow port 53 access? I have found a place that looks like it would be the one -- see attached screen shot -- but if I set it there it looks like I would have to specify all the ports that I want open, and I don't have a comprehensive list of ports that have to be open.
TCP-IP-Filtering.bmp

Author Comment

by:Ted Palmer
ID: 37771792
Harel66 and arnold:

I have added a screen shot of Computer Management console that shows some information about my DNS server that supports domain law.subrogate.net. BTW I did double click the DNS name in Computer Management and didn't get an error message. I hope that is a good sign that it is working. Perhaps you can tell more from the screen shot? Oh! LAWOFFICE is the host name of the Windows Server 2003 machine.

TedPalmer
ComputerManagement.bmp
LVL 76

Expert Comment

by:arnold
ID: 37771938
Lawoffice is the name of your DC server?
Remove the record pointing to .0. This IP is a network address and cannot be reached.

Author Comment

by:Ted Palmer
ID: 37772046
arnold:

I removed the .0 as you suggested. It has been about 4 years since I created this AD so I don't know why I put that there.

Yes LAWOFFICE is the host name of the PC that is performing the function of DC for the law.subrogate.net domain.

Thanks,

Ted
LVL 76

Expert Comment

by:arnold
ID: 37772090
Double check the network configuration on the server to make sure it does not reference .0 anywhere there as that could add it back in.

when you ran the nslookup -q=srv _tcp._ldap._msdcs.law.subrogate.net
what is the answer that is returned?
FYI, when attaching images, it is best to save them in a PNG or JPG format rather than bitmap. mspaint can be used to paste the screen capture and then save the image in an alternative format.

Are you testing this AD or do you have systems that are in use with this AD?

netstat -rn | find ":53"
What is returned from the above?
Does it have 0.0.0.0?
Post what the response is; this will tell you to which resource DNS is bound. 0.0.0.0 means all IPs on the system; a specific IP means that a request has to be sent to that IP only. If it is 127.0.0.1 that will be bad, since this IP is only accessible on the local system (the server itself).

Author Comment

by:Ted Palmer
ID: 37772369
arnold:

I'm not sure what you mean by "Double check the network configuration", but I double clicked the AD domain name in . . . . The screen title is in the attached screen shot:

I am just TESTing the AD. I do not have any users on this AD domain. I'm the only one who can see it in my small home office.

When I do NSLOOKUP on the client W7 PC I get the following:

C:\Users\tlp006>nslookup -q=srv _tcp._ldap._msdcs.law.subrogate.net
Server:  dnsr1.sbcglobal.net
Address:  68.94.156.1

*** dnsr1.sbcglobal.net can't find _tcp._ldap._msdcs.law.subrogate.net: Non-existent domain

When I do NSLOOKUP on the server LAWOFFICE PC I get the following:

>nslookup -q=srv _tcp._ldap._msdcs.law.subrogate.net
Server:  localhost
Address:  127.0.0.1

*** localhost can't find _tcp._ldap._msdcs.law.subrogate.net: Non-existent domain

>

++++++++++++++++++++
When I do a netstat -rn | find ":53" from the DOS prompt on the server

all I get is the DOS prompt; i.e. no response.
ActiveDirectoryUsersAndComputers.JPG

Author Comment

by:Ted Palmer
ID: 37772379
dnsr1.sbcglobal.net is my ISP.
LVL 16

Expert Comment

by:R. Andrew Koffron
ID: 37772406
This shouldn't be so difficult. You keep saying PC that is blah blah.... it's either a server or it's not. In this context server relates to a function, not a hardware platform.

A cheap little machine becomes a server as soon as you install a Server OS or deliver network access and function, regardless of the hardware. However, if someone is sitting at the server and working with Office and all the legal stuff needed for ops, you have a significantly higher list of variables of what could be wrong.

A workstation is a machine that uses servers and/or provides access to a terminal server, so pretty much any machine that someone sits down and works at is generally a workstation (unless you're a server tech all day :) )

The basic issue here is the "workstation" needs to get to the Active Directory DNS. Based on what you have posted, only the 10.125.224.101 is the address for the only AD/DNS.

It appears that the problem is coming from the fact that you have a .net domain in Active Directory, and there is a real (external, or the network thinks there is a real) .net domain that also has independent DNS servers. So most likely, unless you stop the network from being able to pull DNS from the active internet DNS servers, your workstation is going to remain confused, based on the fact you're getting back SBCGlobal.net in reply.

The workstation needs to be set (static is probably better) to an IP address inside the IP range and subnet of your domain controller. It must ONLY look at your Active Directory controller for DNS (at least initially).

From the workstation you need to open a command prompt and type the previous "nslookup"; it should list 10.125.224.101 (or whatever is the real address) as the default name server, and executing a "ping subrogate01" or "ping law.subrogate.net" should reply with 10.125.224.101. Any other reply and it's not going to join.
LVL 16

Expert Comment

by:R. Andrew Koffron
ID: 37772447
you might be able to slap a host file together on the windows7, (although I admit I'm not quite sure how I'd do that, someone on EE knows :) ) machine to trick it but I would fix the underlying issue instead of adding another layer of confusion in the future
LVL 76

Expert Comment

by:arnold
ID: 37772462
In the image you posted, when you drilled down where you have teddns,
the response you should get is Lawoffice.law.subrogate.net.
You cannot have the external DNS server as the name server because it has no information on the AD.
I likely provided the wrong query.
Please refer to the link in http:#a37769668 that details how to test to make sure your DNS provides answers for domain joining.
There is a way to rename the domain; as others pointed out, it depends on the current use that will deal with whether it is useful.
http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx

Author Comment

by:Ted Palmer
ID: 37772546
Harell66:

After reordering the IP address in my Advanced IP settings on my workstation (please see attached) I tried the pings that you suggested. Here are the results:

C:\Users\tlp006>ping subrogate01
Ping request could not find host subrogate01. Please check the name and try again.

C:\Users\tlp006>ping law.subrogate.net
Ping request could not find host law.subrogate.net. Please check the name and try again.

C:\Users\tlp006>ping 10.125.224.101

Pinging 10.125.224.101 with 32 bytes of data:
Reply from 10.125.224.101: bytes=32 time=1ms TTL=128
Reply from 10.125.224.101: bytes=32 time<1ms TTL=128
Reply from 10.125.224.101: bytes=32 time<1ms TTL=128
Reply from 10.125.224.101: bytes=32 time<1ms TTL=128

Ping statistics for 10.125.224.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\Users\tlp006>
AdvancedIPsettings.jpg

Author Comment

by:Ted Palmer
ID: 37772591
Harell66:

Also I did the NSLOOKUP you suggested after reordering the IPs in my Advanced IP settings on the workstation and got the following:


C:\Users\tlp006>nslookup -q=srv _tcp._ldap._msdcs.law.subrogate.net
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.125.224.101

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

C:\Users\tlp006>

++++++++++++

So that now that 10.125.224.101 is first in the sequence I know that the DNS server on the server is not responding. Is that correct?

TedPalmer
LVL 76

Expert Comment

by:arnold
ID: 37772608
ping Lawoffice.law.subrogate.net

You have DNS issues if, when you remove the public DNS records, all things grind to a halt.

On the server run dcdiag and attach the results, looking for errors dealing with DNS setup.
On the server look at the properties of your DNS server: root hints, forwarders. Root hints should have data; forwarders, if you want, can point to SBC's servers.
LVL 16

Expert Comment

by:R. Andrew Koffron
ID: 37772629
your picture still shows external DNS in the list.


ok go to the Server

Make a List:

Computer name of the server: _______
found under computer properties.


IP Addresses adapter1:____________
IP Addresses adapter2:_________
    *make sure to check advanced for more than 1 IP on each adapter*
in network properties

Domain Name: __________
Open Active Directory Users and Computers and write down the domain name. It should be right under the first section (Saved Queries) and the icon looks like 3 little computers.

DNS is Listening on: _____________
DNS server Name in MMC: ____________
Open the DNS MMC and ensure that the service is running and listening on all ports. Right-click on the computer name and look in the properties.

Turn Off Firewall for testing ONLY on both server and workstation.


Router Address:_______
External DNS Server1:_____________
External DNS Server2:_____________


also log into the router, and make sure there isn't another machine pulling a DHCP address using the 10.125.224.101 address.
LVL 16

Expert Comment

by:R. Andrew Koffron
ID: 37772648
haha experts exchange should make a conference call option I bet we could talk you through this in like 30 minutes :)

Author Comment

by:Ted Palmer
ID: 37772805
Harel66 and arnold:

I followed the link you gave me arnold. The results that I see tells me that the DNS on my server machine is not responding. I'll have to see what I can do about that. I have the book Mastering Windows Server 2003 by Mark Minasi and others that I can use as a reference to get what I need to fix this I do believe. I'm going to leave this question open for now in case I need some more help with this. Right now I have a repairman working on my house. His pounding got my attention.

I'll get this resolved by the end of the day.

Thanks guys,
Ted Palmer
LVL 76

Expert Comment

by:arnold
ID: 37772911
Could you post the output from running the command
netstat -an |find ":53"

What applications do you have installed on the server? Any Internet security type programs?

Author Comment

by:Ted Palmer
ID: 37773416
arnold:

I already did post the results of netstat -an |find ":53" they are back at comment http:#a37772369 . The results were that I got nothing back at all. Just the DOS prompt.

Thank you for your help.

Ted
LVL 76

Assisted Solution

by:arnold
arnold earned 200 total points
ID: 37773486
Ted, you posted, but it was not the output of running netstat -an | find ":53"
Sorry, in the earlier request I provided the wrong switch. netstat -rn returns the routing table; the -an switch is different, i.e. it lists all network related items.

please note the change from the prior request

netstat -an | find ":53"

I am looking for a line that says that your server has something that is LISTENING on port 53

Alternatively, using the administrative tool, DNS:
In the properties of lawoffice in that interface, look on the Interfaces tab, which is the first one when the properties pop up. Do you have the option selected that says listen on all interfaces, or does it have a set of IPs listed and the option "Only the following IP addresses"?
Make sure all IPs is what is selected. Restart the DNS service (just in case the change is not immediate).
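
The two checks the experts walk through in this thread (which DNS servers the client is configured to ask, and which address the server's DNS service is bound to) can be scripted against saved command output. The following is an added example, not part of the original thread: the function names are hypothetical, the sample inputs are constructed, and 10.125.224.101 is assumed to be the AD DNS server as stated in the thread.

```python
import ipaddress
import re

# Constructed sample in the shape of the "ipconfig -all" output posted above.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.125.224.34(Preferred)
   DNS Servers . . . . . . . . . . . : 10.125.224.1
                                       68.94.156.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed "netstat -an" lines; not captured from the server in the thread.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING
  TCP    10.125.224.101:5357    0.0.0.0:0              LISTENING
  UDP    127.0.0.1:53           *:*
"""


def dns_servers(ipconfig_text):
    """Collect 'DNS Servers' entries, including unlabeled continuation lines."""
    servers, in_list = [], False
    for line in ipconfig_text.splitlines():
        labeled = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)\s*$", line)
        continued = re.match(r"\s+(\S+)\s*$", line) if in_list else None
        if labeled:
            servers.append(labeled.group(1))
            in_list = True
        elif continued:
            servers.append(continued.group(1))
        else:
            in_list = False
    return servers


def audit_resolvers(servers, ad_dns):
    """Label each resolver; anything other than the AD DNS server can answer
    'non-existent domain' for the AD zone, as seen in the thread."""
    report = {}
    for s in servers:
        if s == ad_dns:
            report[s] = "ad-dns"
        elif ipaddress.ip_address(s.split("%")[0]).is_private:
            report[s] = "private-not-ad-dns"
        else:
            report[s] = "public"
    return report


def dns_binding(netstat_text):
    """Classify what port 53 is bound to. Matches the port exactly, unlike
    find ":53", which also matches ports such as 5357."""
    hosts = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        host, _, port = parts[1].rpartition(":")
        if port != "53" or (parts[0] == "TCP" and parts[-1] != "LISTENING"):
            continue
        hosts.add(host)
    if not hosts:
        return "not-listening", []
    if hosts & {"0.0.0.0", "[::]"}:
        return "all-interfaces", sorted(hosts)
    reachable = sorted(hosts - {"127.0.0.1", "[::1]"})
    if reachable:
        return "specific-ip", reachable
    return "loopback-only", sorted(hosts)
```

On the constructed samples, both client resolvers are flagged (the router and the ISP resolver) and the server's DNS binding is reported as loopback-only, the case described above as unreachable from other machines.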
LVL 16

Expert Comment

by:R. Andrew Koffron
ID: 37773961
OK, make sure the client is ONLY using the 10.125.224.101 DNS server, the ONLY DNS server.

Turn off the firewall on both machines.

Try pinging the server and then the domain.

If it works, join the machine to the domain and reboot.

Author Comment

by:Ted Palmer
ID: 37773993
OK That worked but when I turn the firewall back on on the server it doesn't work. Please tell me how to fix this.
LVL 16

Accepted Solution

by:
R. Andrew Koffron earned 300 total points
ID: 37774007
Go into the exceptions section and build an exception list based on the TechNet list.
You might not need all of them, depending on what you're doing, but it's a good guideline.

http://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

Author Closing Comment

by:Ted Palmer
ID: 37774393
Thanks guys very much. This was a GREAT learning experience for me.