Solved

Unable to join domain using FQDN

Posted on 2014-02-16
7,436 Views
Last Modified: 2014-03-17
Hi Guys,

I am having an issue on a customer site where I can join the domain if I use "blah". However, if I use the full root domain "blah.co.uk", I get the error message below.

Where this is really an issue is when promoting a new domain controller, as it is required to resolve the FQDN. Exchange is also unable to resolve the domain and cannot receive emails.

If I ping "blah.co.uk" this works correctly.


DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "blah.co.uk":

The query was for the SRV record for _ldap._tcp.dc._msdcs.blah.co.uk

The following domain controllers were identified by the query:
dc1.blah.co.uk


However no domain controllers could be contacted.

Common causes of this error include:

- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network or are not running.



In the event log there are logs such as:
The DNS server was unable to add or write an update of domain name Sales7 in zone blah.co.uk to the Active Directory.  Check that the Active Directory is functioning properly and add or update this domain name using the DNS console. The extended error debug information (which may be empty) is "". The event data contains the error.



As well as this one, which points towards it trying to register against a public DNS server:

The dynamic registration of the DNS record '422bc67f-c55f-461d-8f86-22d452011ec6._msdcs.blah.co.uk. 600 IN CNAME dc1.blah.co.uk.' failed on the following DNS server:  

DNS server IP address: 213.143.3.4 
Returned Response Code (RCODE): 5 
Returned Status Code: 9017  

For computers and users to locate this domain controller, this record must be registered in DNS.  

USER ACTION  
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about  DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by  this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain  controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows  Server Resource Kit CD. 
  Or, you can manually add this record to DNS, but it is not recommended.  

ADDITIONAL DATA 
Error Value: DNS bad key. 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Question by:Chris--W
18 Comments
 
LVL 12

Expert Comment

by:Gregory Miller
ID: 39862761
I think one of your issues is going to be that your Windows domain is named the same as your Internet domain. This really should not be done, and this is one of the reasons why. Your domain controller is most likely using DNS to resolve the PUBLIC IP address as it is trying to join, as opposed to the local name.

Create a temporary HOSTS table entry on the new server that points to the domain controller IP and try again to see if that works.
 
LVL 14

Expert Comment

by:Don Thomson
ID: 39862765
I have found that in many cases the problem is:
1. The new domain server is not the DHCP server.
2. The workstation is using dynamic IPs and is not pointing to the domain server as the 1st DNS IP and the router as the 2nd.

If something else is providing DHCP, you pretty well need to go static IP on the workstation, and the primary DNS should be the domain server.

The other way is to put an entry in the HOSTS file to point to the Domain Controller

I now use profwhiz.exe to move workstations from one domain to another without having to worry about creating a new profile for the User on the Workstation.
 
LVL 1

Author Comment

by:Chris--W
ID: 39862776
Thanks guys tried that, no luck.

The logs above are from the existing domain controller.

Agreed on the domain name, this wasn't our choice. We have inherited this issue.
 
LVL 23

Expert Comment

by:Radhakrishnan R
ID: 39862777
Hi,

When you perform nslookup against your domain controller, does it resolve fine? I suspect that the DC is missing an A record. Try to create a host A record and see if it works.
 
LVL 1

Author Comment

by:Chris--W
ID: 39862780
Nslookup works fine
 
LVL 12

Expert Comment

by:Gregory Miller
ID: 39862785
Can you take the domain controller and the new server and isolate them on a switch with no access to the Internet and try to join them. Once they are joined, they should be fine.
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39862787
Is the DNS zone for the domain hosted locally on the DC? If not, it should be. Try creating a new host record in the DC's DNS zone for 'www' and point that to the public IP address on the Internet. Do the same for the MX records for Exchange: the internal DNS zone should have an MX record for the private IP address of the Exchange server, and public DNS should have an MX record for the public address where Exchange can be reached.
 
LVL 1

Author Comment

by:Chris--W
ID: 39862792
Tried isolating them so they had no internet access but the same result.

DNS is local to the single DC. Browsing and pinging the domain name returns the DC and not the public site.
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39862803
It seems as if NetBIOS over TCP/IP is working if the clients can join via DOMAINNAME instead of domainname.com. What are the NetBIOS over TCP/IP settings on the client? If it is set to the default, "Get from DHCP", try turning it on.
 
LVL 38

Expert Comment

by:Mahesh
ID: 39862898
Are the client computers also residing on public IPs, or do they have private IPs?

If the client computers have private IPs, how can they communicate with the DC by FQDN?
 
LVL 1

Author Comment

by:Chris--W
ID: 39862930
No they are on a private address range: 192.168.
 
LVL 29

Expert Comment

by:becraig
ID: 39863189
Are your clients explicitly using the internal DNS server or do they send lookups to the internet ?

It sounds like short names were in use in the environment for local resolution, while DNS resolution on clients for the FQDN might be going out to the internet, as indicated above.

I would try checking the internal DNS servers to see if they forward requests for the internal domain FQDN to the internet (if not, then I would use the local DNS server for name resolution on the internal clients).

Firebar is pretty much on point with the troubleshooting / resolution path.

You may also want to see if any LMHOSTS files are configured in your environment.
 
LVL 1

Author Comment

by:Chris--W
ID: 39863221
Becraig, that's what we are seeing on the DNS server. It looks to be forwarding to the internet, but we can't find a reason for this.

Tried changing the NetBIOS over TCP/IP setting and this hasn't helped. Same result.

We are contemplating building a new domain to get over this issue, but would really like to avoid that.
 
LVL 29

Expert Comment

by:becraig
ID: 39863228
So firebar has given you the best path:

1) Ensure your internal clients explicitly use your DNS server
2) Forward all internet lookups to public DNS (domains other than your own)
3) Create a zone for your Domain in your DNS server
4) Forward all other request for your zone except for the AD related records to the internet.

Here is a nice little primer on your setup:
http://community.spiceworks.com/how_to/show/21213-using-same-fqdn-on-internal-and-public-networks

You might just want to do a walk-through and compare.
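As an added worked example (not posted by becraig, Jason Watkins or anyone else in this thread): a PowerShell script, run on the DC that hosts the zone, that checks and applies steps 2 to 4 above together with Jason's suggestion of mirroring the public 'www' record and keeping an internal MX. The zone name blah.co.uk comes from the question; the addresses 203.0.113.10 (public web site), 192.168.1.20 (internal Exchange), the host name mail.blah.co.uk and the upstream resolver 8.8.8.8 are placeholders, and the DnsServer module (Windows Server 2012 or later) is assumed.

```powershell
# Added example for the split-DNS layout described in the thread; not the poster's code.
# Assumed placeholders: public web 203.0.113.10, internal Exchange 192.168.1.20,
# MX host mail.blah.co.uk, upstream resolver 8.8.8.8. Run on the DC hosting the zone.
param(
    [string]   $Zone         = 'blah.co.uk',
    [string]   $PublicWeb    = '203.0.113.10',
    [string]   $InternalMx   = 'mail.blah.co.uk',
    [string]   $InternalMxIp = '192.168.1.20',
    [string[]] $Upstream     = @('8.8.8.8')
)
Import-Module DnsServer

# Step 3: the zone must exist locally. If the DC is not authoritative for blah.co.uk,
# every lookup for the FQDN leaves the LAN and comes back with the public addresses.
$z = Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue
if (-not $z) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain -DynamicUpdate Secure
    $z = Get-DnsServerZone -Name $Zone
}
"{0}: type={1} AD-integrated={2} dynamic-update={3}" -f $z.ZoneName, $z.ZoneType, $z.IsDsIntegrated, $z.DynamicUpdate

# Step 2: forwarders handle every *other* domain. Because the server is authoritative for
# blah.co.uk it will never forward that name, which is why step 4 copies the public records in.
$fwd = Get-DnsServerForwarder
if (-not $fwd.IPAddress) { Set-DnsServerForwarder -IPAddress $Upstream }
"forwarders: " + ((Get-DnsServerForwarder).IPAddress -join ', ')

# Step 4 / Jason's suggestion: mirror public-facing names into the internal zone, and
# point internal clients at the private Exchange address instead of the public one.
function Set-InternalARecord {
    param([string]$Name, [string]$IPv4)
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Name -RRType A -ErrorAction SilentlyContinue
    $current  = @($existing | ForEach-Object { $_.RecordData.IPv4Address.ToString() })
    if ($current -contains $IPv4) { return "$Name already $IPv4" }
    if ($existing) { Remove-DnsServerResourceRecord -ZoneName $Zone -Name $Name -RRType A -Force }
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Name -IPv4Address $IPv4
    return "$Name -> $IPv4"
}
Set-InternalARecord -Name 'www'  -IPv4 $PublicWeb      # LAN browsers still reach the public site
Set-InternalARecord -Name 'mail' -IPv4 $InternalMxIp   # but mail stays inside, to Exchange

# Internal MX at the zone apex. The public zone keeps its own MX for the public address.
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -RRType MX -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecord -ZoneName $Zone -Name '@' -MX -MailExchange $InternalMx -Preference 10
}

# What a LAN client now gets for the bare FQDN: the apex A records are the DC(s), which
# Netlogon registers itself (the 'same as parent' records), and www/mail are the entries above.
Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Select-Object HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }, Timestamp |
    Format-Table -AutoSize
```

The script is idempotent: rerunning it reports records that already match rather than duplicating them. Any other public name the customer relies on (autodiscover, remote, and so on) needs the same `Set-InternalARecord` treatment, because the internal zone now answers for the whole of blah.co.uk.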
 
LVL 38

Expert Comment

by:Mahesh
ID: 39863338
I am not aware why you published the domain controller directly on the internet.

Either you need to use a split DNS scenario or you need to establish a separate domain for internal clients.

In split DNS you need to place one member server / workgroup server in the DMZ, holding a standard primary zone with the same name as your Active Directory DNS zone (domain.co.uk), and you can publish it directly to the internet with the records required for external name resolution.

At the same time, your existing server that holds the FSMO roles needs to be placed / transferred into the corporate LAN network segment, and its public IP needs to be replaced with a private IP.

Mahesh
 
LVL 41

Expert Comment

by:footech
ID: 39875780
From the last message you posted in the original question (dynamic registration failed...), it looks like perhaps you have a public DNS server configured in the NIC configuration on the DC.

Usually the easiest way to get to the bottom of issues like this is to run
dcdiag /v
dcdiag /v /test:dns

If you can post the results here that would be great.
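An added example, not footech's or the poster's: a PowerShell script that walks the same path the join wizard reports in the error text (SRV lookup, then A lookup, then contacting the DC) and flags the public resolver that the 'DNS bad key' event and footech's comment point at. The domain blah.co.uk, the DC dc1.blah.co.uk and the _ldap._tcp.dc._msdcs SRV name come from the question; the internal DNS server address 192.168.1.10 is a placeholder, and the DnsClient / NetTCPIP cmdlets (Windows 8 / Server 2012 or later) are assumed.

```powershell
# Added example reproducing the DC-locator steps from the join error; not the poster's code.
# Assumed placeholder: internal DNS server 192.168.1.10. Run from the machine that fails to join.
param(
    [string] $Domain    = 'blah.co.uk',
    [string] $DnsServer = '192.168.1.10'
)

function Test-PrivateIPv4 {
    # RFC 1918 ranges; a DC or resolver address outside them is what the thread is chasing.
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# 1. Which resolvers is this box really using? The registration failure in the question
#    came back from 213.143.3.4, i.e. a public server listed in a NIC's DNS settings.
Write-Host '== DNS client servers =='
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        foreach ($s in $_.ServerAddresses) {
            $flag = if (Test-PrivateIPv4 $s) { 'ok' } else { 'PUBLIC - remove from NIC config' }
            Write-Host ('{0,-25} {1,-16} {2}' -f $_.InterfaceAlias, $s, $flag)
        }
    }

# 2. The SRV lookup the join performs. It must answer from the internal server and name
#    dc1.blah.co.uk; if only a public resolver answers, the zone is not hosted locally.
Write-Host "`n== SRV _ldap._tcp.dc._msdcs.$Domain =="
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
$srv | Format-Table NameTarget, Port, Priority, Weight -AutoSize

# 3. For each DC named by the SRV record: is there an A record (cause 1 in the error text),
#    is the address private, and are the ports a join needs reachable (cause 2)?
$ports = @{ LDAP = 389; Kerberos = 88; SMB = 445; RPC = 135 }
foreach ($dc in $srv) {
    Write-Host "`n== $($dc.NameTarget) =="
    $a = Resolve-DnsName -Name $dc.NameTarget -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) { Write-Host '  no A record - cause 1 in the error text'; continue }
    foreach ($rec in $a) {
        $ip    = $rec.IPAddress
        $where = if (Test-PrivateIPv4 $ip) { 'private' } else { 'PUBLIC - unreachable from 192.168.x clients' }
        Write-Host "  A $ip ($where)"
        foreach ($p in $ports.GetEnumerator()) {
            $r = Test-NetConnection -ComputerName $ip -Port $p.Value -WarningAction SilentlyContinue
            $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED - host firewall or AV filter?' }
            Write-Host ('  {0,-9} {1,-4} {2}' -f $p.Key, $p.Value, $state)
        }
    }
}

# 4. Ask the locator itself, bypassing the cache, the same way the join does.
Write-Host "`n== nltest =="
nltest /dsgetdc:$Domain /force
```

If step 2 and step 3 both succeed yet the join still fails with "no domain controllers could be contacted", DNS is not the culprit and the next place to look is whatever sits between the socket and the wire on the DC (a host firewall or, as in this thread's eventual fix, an endpoint security product), which `dcdiag /v /test:dns` will not see.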
 
LVL 1

Accepted Solution

by:
Chris--W earned 0 total points
ID: 39923116
Issue was caused by AV. Even though this was disabled, it had to be uninstalled to fix the issue.
 
LVL 1

Author Closing Comment

by:Chris--W
ID: 39933730
Issue was found with Anti-virus, not AD-DS or DNS.
