Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cannot join domain over VPN

Posted on 2013-01-30
10
Medium Priority
?
3,835 Views
Last Modified: 2013-02-17
I am trying to join a win 7 client to a domain over a vpn. All ports are opened correctly but I do not get prompted for credentials I just get the below error. The remote site I am trying to join from is on 192.168.0.X and the DC server ranges are 192.168.1.X
The client is set to the dns of the servers. When I bring the win 7 machine back to the same network the servers are on I am able to join the machine to the domain fine. Any ideas if this is a firewall port issue or should I be looking at the server side. I  am obviosuly making contact as I am able to get the server details just not join the domain. Thanks.



DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain

"mydomain.local":

The query was for the SRV record for _ldap._tcp.dc._msdcs.mydomain.local

The following domain controllers were identified by the query:
firstdc.mydomain.local
seconddc.mydomain.local
thirddc.mydomain.local
fourthdc.mydomain.local


However no domain controllers could be contacted.

Common causes of this error include:

- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect

addresses.

- Domain controllers registered in DNS are not connected to the network or are not running.
0
Comment
Question by:Sid_F
  • 4
  • 3
  • 3
10 Comments
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38836164
Check to make sure you are allowing NetBios over TCP/IP within your firewall.


Service overview and network port requirements for Windows:
http://support.microsoft.com/kb/832017#method1

A summarized list of services, ports and protocols required for member computers and domain controllers to inter-operate with one another or for application servers to access Active Directory include but are not limited to the following.

List of services on which Active Directory depends:

    Active Directory / LSA
    Computer Browser
    Distributed File System Namespaces
    Distributed File System Replication (if not using FRS for SYSVOL replication)
    File Replication Service (if not using DFSR for SYSVOL replication)
    Kerberos Key Distribution Center
    Net Logon
    Remote Procedure Call (RPC)
    Server
    Simple Mail Transfer Protocol (SMTP)
    WINS (in Windows Server 2003 SP1 and later versions for backup Active Directory replication operations, if DNS is not working)
    Windows Time
    World Wide Web Publishing Service

List of services that require Active Directory services:

    Certificate Services (required for specific configurations)
    DHCP Server
    Distributed File System Namespaces (if using domain-based namespaces)
    Distributed File System Replication
    Distributed Link Tracking Server
    Distributed Transaction Coordinator
    DNS Server
    Fax Service
    File Replication Service
    File Server for Macintosh
    Internet Authentication Service
    License Logging
    Net Logon
    Print Spooler
    Remote Installation
    Remote Procedure Call (RPC) Locator
    Remote Storage Notification
    Remote Storage
    Routing and Remote Access
    Server
    Simple Mail Transfer Protocol (SMTP)
    Terminal Services
    Terminal Services Licensing
    Terminal Services Session Directory
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38836183
Also see http://technet.microsoft.com/en-us/library/cc961817.aspx

This section discusses diagnostic tools and gives examples of possible authentication problems, along with suggested solutions.
0
 
LVL 6

Author Comment

by:Sid_F
ID: 38837472
I appreciate the links but its more specific what I am looking for. I can google the usual ms articles and the above ports cover every possible requirement for a domain PC but mine is specific error after opening
dns and
135/TCP RPC
389/TCP/UDP LDAP
636/TCP LDAP SSL
3268/TCP LDAP GC
3269/TCP LDAP GC SSL
53/TCP/UDP DNS
88/TCP/UDP Kerberos
445/TCP SMB
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38837515
Ok. Just making sure.

This seems to point to your VPN endpoint and a NAT or routing issue. Do you know what address you are being assigned once the VPN is established?
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38839237
are you able to ping from a domain controller to the VPN connected endpoint ?

I would guess that the VPN traffic is going over NAT
0
 
LVL 6

Author Comment

by:Sid_F
ID: 38843208
Ping is not enabled unfortunately
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38843311
if you can;t ping, then you are unlikely to be able to join the domain.

I would work on establishing the VPN and allowing full bidirectional connectivity
0
 
LVL 6

Accepted Solution

by:
Sid_F earned 0 total points
ID: 38879929
If ICMP is blocked this would only affect ICMP traffic which is not needed for joining a domain. The problem has been resolved and this is down to firewall not allowing specific ports. I used the tools PortQryUI.exe and ldp.exe to identify the problem ports. Thanks
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38880038
granted, but usually if ICMP is blocked, other ports will also be blocked, which is what you experienced...

Which ports other than those you had already listed did you need to open ?
0
 
LVL 6

Author Closing Comment

by:Sid_F
ID: 38898151
Resolved
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question