unexpected issue joining domain (WS2008)

Hello

I am trying to add a new (standalone) 2008 server into our plain vanilla AD (2 win 2008 DC + BDC) + a dozen client machines.

The error I get is:

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "domain.local":

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.domain.local

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

172.16.200.25
172.16.100.5

- One or more of the following zones do not include delegation to its child zone:

domain.local
local
. (the root zone)


The strange thing is that the above seems correct as far as the domain name and the IPs of the DNS servers go. The machine I am trying to join is getting its IP through DHCP from those DCs (172.16.200.x subnet in our case) and everything seems to work OK network-wise.

Any idea / suggestion most welcome
Alexandre Takacs
 
Krzysztof Pytko (Active Directory Engineer) commented:
Check if the DNS server services are working fine on your servers.
Please ensure that both Domain Controllers are available.
Verify that the DHCP server issues the appropriate IP address(es) of the DNS servers.

In the meantime, please attach the output of the dcdiag command here for analysis.
Run on any DC from the command line:
dcdiag /e /c /v /f:c:\dcdiag.log


Regards,
Krzysztof
 
Alexandre Takacs (CTO, Author) commented:
As far as I can tell DNS / DHCP are working OK; both servers are reachable.

See the enclosed diagnostic log; some interesting warnings. Thanks in advance for your expert opinion :)
diag.txt
 
Krzysztof Pytko (Active Directory Engineer) commented:
Looks like an issue with AD replication. Please ensure that all required ports for AD replication are open on the firewall:
http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls-en-us.aspx

In the meantime, please also provide the output from
repadmin /showrepl /intersite /all /verbose >c:\repadmin.log


Thanks in advance

Krzysztof
 
Alexandre Takacs (CTO, Author) commented:
Would a replication issue prevent joining the domain (not that it should not be fixed, but I am a little surprised)?

Anyway, here is the requested diagnostic:

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\MYSERVER
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: e19027c0-4d2c-478a-af05-05faa2718310
DSA invocationID: c049d3e6-2a30-4de0-8c18-43cb788d57d4

==== INBOUND NEIGHBORS ======================================

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

DC=mydomain,DC=local
    Default-First-Site-Name\MYBDC via RPC
        DSA object GUID: 63c094b9-78f4-4173-b277-6bf5c5f248d3
        Address: 63c094b9-78f4-4173-b277-6bf5c5f248d3._msdcs.mydomain.local
        WRITEABLE
        Last attempt @ 2012-09-12 12:54:40 was successful.

CN=Configuration,DC=mydomain,DC=local
    Default-First-Site-Name\MYBDC via RPC
        DSA object GUID: 63c094b9-78f4-4173-b277-6bf5c5f248d3
        Address: 63c094b9-78f4-4173-b277-6bf5c5f248d3._msdcs.mydomain.local
        WRITEABLE
        Last attempt @ 2012-09-12 12:20:08 was successful.

CN=Schema,CN=Configuration,DC=mydomain,DC=local
    Default-First-Site-Name\MYBDC via RPC
        DSA object GUID: 63c094b9-78f4-4173-b277-6bf5c5f248d3
        Address: 63c094b9-78f4-4173-b277-6bf5c5f248d3._msdcs.mydomain.local
        WRITEABLE
        Last attempt @ 2012-07-08 23:38:42 was successful.

DC=DomainDnsZones,DC=mydomain,DC=local
    Default-First-Site-Name\MYBDC via RPC
        DSA object GUID: 63c094b9-78f4-4173-b277-6bf5c5f248d3
        Address: 63c094b9-78f4-4173-b277-6bf5c5f248d3._msdcs.mydomain.local
        WRITEABLE
        Last attempt @ 2012-09-12 12:53:44 was successful.

DC=ForestDnsZones,DC=mydomain,DC=local
    Default-First-Site-Name\MYBDC via RPC
        DSA object GUID: 63c094b9-78f4-4173-b277-6bf5c5f248d3
        Address: 63c094b9-78f4-4173-b277-6bf5c5f248d3._msdcs.mydomain.local
        WRITEABLE
        Last attempt @ 2012-09-12 07:26:40 was successful.

==== KCC CONNECTION OBJECTS ============================================
Connection --
    Connection name : 0c0b3644-a5c7-4357-827c-591a9e0ba3f6
    Server DNS name : MYSERVER.mydomain.local
    Server DN  name : CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.
        Source: Default-First-Site-Name\MYBDC
                No Failures.
        TransportType: intrasite RPC
        options:  isGenerated
        ReplicatesNC: DC=ForestDnsZones,DC=mydomain,DC=local
        Reason:  RingTopology
                Replica link has been added.
        ReplicatesNC: CN=Configuration,DC=mydomain,DC=local
        Reason:  RingTopology
                Replica link has been added.
        ReplicatesNC: DC=mydomain,DC=local
        Reason:  RingTopology
                Replica link has been added.
        ReplicatesNC: CN=Schema,CN=Configuration,DC=mydomain,DC=local
        Reason:  RingTopology
                Replica link has been added.
        ReplicatesNC: DC=DomainDnsZones,DC=mydomain,DC=local
        Reason:  RingTopology
                Replica link has been added.
        enabledConnection: TRUE
        whenChanged: 20120912095133.0Z
        whenCreated: 20120708214513.0Z
        Schedule:
        day: 0123456789ab0123456789ab
        Sun: 111111111111111111111111
        Mon: 111111111111111111111111
        Tue: 111111111111111111111111
        Wed: 111111111111111111111111
        Thu: 111111111111111111111111
        Fri: 111111111111111111111111
        Sat: 111111111111111111111111
1 connections found.

Partition Replication Schedule Loading:

      00      01      02      03      04      05      06      07      08      09      10      11
 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3 0 1 2 3
        Sun: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Sun: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Mon: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Mon: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Tue: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Tue: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Wed: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Wed: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Thu: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Thu: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Fri: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Fri: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Sat: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000
        Sat: 050000000500000005000000050000000500000005000000050000000500000005000000050000000500000005000000



As far as I know there is no filtering between the two servers (they are on two different subnets but the routing is completely open). Disclaimer: this is an existing setup I am "taking over" without proper documentation so I might be missing some information. But so far it has been working just as expected. I certainly joined W7 client machines a few weeks ago without issue...
 
Krzysztof Pytko (Active Directory Engineer) commented:
No, a replication issue does not cause problems with joining a server to the domain.
However, there is an issue with the KCC and I need to check what that could be.

Can you review the Event Logs on your Domain Controllers to see if there are any errors for that, please?

Krzysztof
 
Alexandre Takacs (CTO, Author) commented:
Indeed, some errors in the event log:
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          2012-09-12 08:31:30
Event ID:      2092
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      MYSERVER.mydomain.local
Description:

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. 
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected. 
 
FSMO Role: CN=Partitions,CN=Configuration,DC=mydomain,DC=local 
 
User Action: 
 
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476. 
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication. 
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com. 
 
The following operations may be impacted: 
Schema: You will no longer be able to modify the schema for this forest. 
Domain Naming: You will no longer be able to add or remove domains from this forest. 
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts. 
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups. 
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
    <EventID Qualifiers="32768">2092</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>5</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2012-09-12T06:31:30.105191500Z" />
    <EventRecordID>4445</EventRecordID>
    <Correlation />
    <Execution ProcessID="588" ThreadID="752" />
    <Channel>Directory Service</Channel>
    <Computer>MYSERVER.mydomain.local</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>CN=Partitions,CN=Configuration,DC=mydomain,DC=local</Data>
  </EventData>
</Event>


and
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          2012-09-12 07:19:17
Event ID:      2087
Task Category: DS RPC Client
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      MYSERVER.mydomain.local
Description:
Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. 
 
Source domain controller: 
 MYBDC 
Failing DNS host name: 
 63c094b9-78f4-4173-b277-6bf5c5f248d3._msdcs.mydomain.local 
 
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1: 
 
Registry Path: 
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client 
 
User Action: 
 
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498. 
 
 2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>". 
 
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 
 
  dcdiag /test:dns 
 
 4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows: 
 
  dcdiag /test:dns 
 
 5) For further analysis of DNS error failures see KB 824449: 
   http://support.microsoft.com/?kbid=824449 
 
Additional Data 
Error value: 
 11004 The requested name is valid, but no data of the requested type was found. 

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="49152">2087</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>22</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2012-09-12T05:19:17.741255400Z" />
    <EventRecordID>4426</EventRecordID>
    <Correlation />
    <Execution ProcessID="588" ThreadID="776" />
    <Channel>Directory Service</Channel>
    <Computer>MYSERVER.mydomain.local</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>MYBDC</Data>
    <Data>63c094b9-78f4-4173-b277-6bf5c5f248d3._msdcs.mydomain.local</Data>
    <Data>11004</Data>
    <Data>The requested name is valid, but no data of the requested type was found.</Data>
    <Data>System\CurrentControlSet\Services\NTDS\Diagnostics</Data>
    <Data>22 DS RPC Client</Data>
  </EventData>
</Event>


Tried a dcdiag /test:dns on the BDC:
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = MYBDC
   * Identified AD Forest. 
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\MYBDC
      Starting test: Connectivity
         ......................... MYBDC passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\MYBDC
   
      Starting test: DNS
         
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... MYBDC passed test DNS
   
   Running partition tests on : ForestDnsZones
   
   Running partition tests on : DomainDnsZones
   
   Running partition tests on : Schema
   
   Running partition tests on : Configuration
   
   Running partition tests on : mydomain
   
   Running enterprise tests on : mydomain.local
      Starting test: DNS
         ......................... mydomain.local passed test DNS


And on the PDC:
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = MYSERVER
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\MYSERVER
      Starting test: Connectivity
         ......................... MYSERVER passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\MYSERVER
   
      Starting test: DNS
         
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... MYSERVER passed test DNS
   
   Running partition tests on : ForestDnsZones
   
   Running partition tests on : DomainDnsZones
   
   Running partition tests on : Schema
   
   Running partition tests on : Configuration
   
   Running partition tests on : mydomain
   
   Running enterprise tests on : mydomain.local
      Starting test: DNS
         Test results for domain controllers:
            
            DC: MYSERVER.mydomain.local
            Domain: mydomain.local
            
               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record dcdiag-test-record in zone mydomain.local
         
               MYSERVER                  PASS PASS PASS PASS WARN PASS n/a
         ......................... mydomain.local passed test DNS


Any idea?
 
Alexandre Takacs (CTO, Author) commented:
FYI I managed to solve my domain joining issue by turning off IPv6 on the server I wanted to add into the domain (I had a hint that _ldap._tcp.dc._msdcs.mydomain.local would resolve if I explicitly defined the resolver in an nslookup but would return an error for the default server ::1 otherwise). Still not exactly clear why I had this behavior and what is creating my replication issues, but at least the immediate problem is solved.
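The manual nslookup comparison from the post above, scripted: it queries the DC-locator SRV record against every DNS server configured on the host and against the default resolver path, so a loopback or IPv6 resolver that answers with a name error stands out next to the working ones. This is an added example, not code from the thread; it assumes the DnsClient module (Windows 8 / Server 2012 or later), and `domain.local` is a placeholder for your AD DNS domain.

```powershell
# Added example (not from the thread): check the DC-locator SRV record that the
# domain join depends on against each configured resolver and the default path.
# Assumes the DnsClient module (Windows 8 / Server 2012 or later).
param(
    [string]$Domain = 'domain.local'   # placeholder: use your AD DNS domain
)

$srvName = "_ldap._tcp.dc._msdcs.$Domain"

# One row per (interface, DNS server address), IPv4 and IPv6 alike.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4, IPv6 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        foreach ($addr in $_.ServerAddresses) {
            [pscustomobject]@{ Interface = $_.InterfaceAlias; Server = $addr }
        }
    }

function Test-DcLocatorSrv {
    param([string]$Name, [string]$Server)
    # -DnsOnly bypasses the hosts file and local cache so the result reflects
    # what that particular server actually answers for the SRV query.
    $query = @{ Name = $Name; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    try {
        $srv = Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) { return @{ Status = 'NO SRV ANSWER'; DCs = '' } }
        $dcs = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        return @{ Status = 'OK'; DCs = $dcs }
    } catch {
        # Name errors (NXDOMAIN) and timeouts land here; keep the message verbatim.
        return @{ Status = "FAIL: $($_.Exception.Message)"; DCs = '' }
    }
}

$rows = @(foreach ($s in $servers) {
    $r = Test-DcLocatorSrv -Name $srvName -Server $s.Server
    [pscustomobject]@{
        Interface = $s.Interface
        Server    = $s.Server
        Loopback  = ($s.Server -in @('::1', '127.0.0.1'))  # the symptom seen above
        Status    = $r.Status
        DCs       = $r.DCs
    }
})

# The default path (no -Server) is what nslookup without an explicit server and
# the domain-join wizard use, so list it alongside the per-server rows.
$d = Test-DcLocatorSrv -Name $srvName
$rows += [pscustomobject]@{
    Interface = '(default path)'; Server = ''; Loopback = $false
    Status    = $d.Status;        DCs    = $d.DCs
}

$rows | Format-Table -AutoSize
```

A row showing a loopback resolver with a FAIL status while the DC addresses return OK reproduces the mismatch the author found, and tells you which interface's DNS client settings to correct rather than disabling IPv6 outright.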
 
Alexandre Takacs (CTO, Author) commented:
Self solved.