Sid_F
asked on
Cannot join domain over VPN
I am trying to join a win 7 client to a domain over a vpn. All ports are opened correctly but I do not get prompted for credentials I just get the below error. The remote site I am trying to join from is on 192.168.0.X and the DC server ranges are 192.168.1.X
The client is set to the DNS of the servers. When I bring the Win 7 machine back to the same network the servers are on I am able to join the machine to the domain fine. Any ideas if this is a firewall port issue, or should I be looking at the server side? I am obviously making contact as I am able to get the server details, just not join the domain. Thanks.
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain
"mydomain.local":
The query was for the SRV record for _ldap._tcp.dc._msdcs.mydomain.local
The following domain controllers were identified by the query:
firstdc.mydomain.local
seconddc.mydomain.local
thirddc.mydomain.local
fourthdc.mydomain.local
However no domain controllers could be contacted.
Common causes of this error include:
- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
Also see http://technet.microsoft.com/en-us/library/cc961817.aspx
This section discusses diagnostic tools and gives examples of possible authentication problems, along with suggested solutions.
ASKER
I appreciate the links, but it's more specific what I am looking for. I can google the usual MS articles, and the above ports cover every possible requirement for a domain PC, but mine is a specific error after opening
dns and
135/TCP RPC
389/TCP/UDP LDAP
636/TCP LDAP SSL
3268/TCP LDAP GC
3269/TCP LDAP GC SSL
53/TCP/UDP DNS
88/TCP/UDP Kerberos
445/TCP SMB
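The error in the question says the SRV lookup succeeded but no domain controller could be contacted, and the asker's list above is the set of TCP ports opened for the join. The following PowerShell script is an added example, not code from the thread, that reproduces the join wizard's first step from the VPN-connected client and then checks the rest of the chain: it queries the _ldap._tcp.dc._msdcs SRV record, resolves each returned DC name to an A record (the first "common cause" the error lists), and tests each of the listed TCP ports against each address. The $Domain value is a placeholder taken from the thread and must be replaced; Resolve-DnsName and Test-NetConnection require Windows 8 / Server 2012 or later, so on the Windows 7 client itself the same checks would be nslookup and Test-NetConnection's absence worked around with telnet or portqry. Because this tests TCP rather than ICMP, it answers the "ping is blocked" objection raised later in the thread: a DC that is reachable on 389/TCP but not on 88/TCP narrows the fault to a firewall or NAT rule rather than to DNS.

```powershell
# Added example (not from the thread): check DC locator records and the
# TCP ports listed by the asker, run from the VPN-connected client.
# $Domain is an assumed placeholder; set it to the AD DNS domain name.
param(
    [string]$Domain = 'mydomain.local'
)

# TCP ports from the asker's list. UDP 53/88/389 and the RPC dynamic
# port range (needed after the 135/TCP endpoint-mapper call) are not
# covered by a TCP connect test and must be checked separately.
$TcpPorts = 53, 88, 135, 389, 445, 636, 3268, 3269

# Step 1: the same SRV query the domain-join wizard performs.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No SRV records found for $Domain" }

$results = foreach ($record in $srv) {
    $dc = $record.NameTarget

    # Step 2: does the DC name resolve to an address at all?
    $a = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) {
        Write-Warning "$dc has no A record (first 'common cause' in the error)"
        continue
    }

    # Step 3: can the client complete a TCP handshake on each required port?
    foreach ($addr in $a.IPAddress) {
        foreach ($port in $TcpPorts) {
            $t = Test-NetConnection -ComputerName $addr -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DC      = $dc
                Address = $addr
                Port    = $port
                Open    = $t.TcpTestSucceeded
            }
        }
    }
}

# Anything with Open = False is a port the VPN, NAT or firewall is not
# passing to that DC; an address outside 192.168.1.x points at stale DNS.
$results | Sort-Object DC, Port | Format-Table -AutoSize
```

Run it while the VPN is up, before attempting the join. A DC whose A record resolves to an address the VPN does not route, or a port that is open on one DC but closed on another, is the kind of per-host, per-port detail the join wizard's generic "no domain controllers could be contacted" message hides.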
Ok. Just making sure.
This seems to point to your VPN endpoint and a NAT or routing issue. Do you know what address you are being assigned once the VPN is established?
are you able to ping from a domain controller to the VPN connected endpoint ?
I would guess that the VPN traffic is going over NAT
ASKER
Ping is not enabled unfortunately
If you can't ping, then you are unlikely to be able to join the domain.
I would work on establishing the VPN and allowing full bidirectional connectivity
ASKER CERTIFIED SOLUTION
granted, but usually if ICMP is blocked, other ports will also be blocked, which is what you experienced...
Which ports other than those you had already listed did you need to open ?
ASKER
Resolved
Service overview and network port requirements for Windows:
http://support.microsoft.com/kb/832017#method1
A summarized list of services, ports and protocols required for member computers and domain controllers to inter-operate with one another or for application servers to access Active Directory include but are not limited to the following.
List of services on which Active Directory depends:
Active Directory / LSA
Computer Browser
Distributed File System Namespaces
Distributed File System Replication (if not using FRS for SYSVOL replication)
File Replication Service (if not using DFSR for SYSVOL replication)
Kerberos Key Distribution Center
Net Logon
Remote Procedure Call (RPC)
Server
Simple Mail Transfer Protocol (SMTP)
WINS (in Windows Server 2003 SP1 and later versions for backup Active Directory replication operations, if DNS is not working)
Windows Time
World Wide Web Publishing Service
List of services that require Active Directory services:
Certificate Services (required for specific configurations)
DHCP Server
Distributed File System Namespaces (if using domain-based namespaces)
Distributed File System Replication
Distributed Link Tracking Server
Distributed Transaction Coordinator
DNS Server
Fax Service
File Replication Service
File Server for Macintosh
Internet Authentication Service
License Logging
Net Logon
Print Spooler
Remote Installation
Remote Procedure Call (RPC) Locator
Remote Storage Notification
Remote Storage
Routing and Remote Access
Server
Simple Mail Transfer Protocol (SMTP)
Terminal Services
Terminal Services Licensing
Terminal Services Session Directory