Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!
Learn how Concerto can help you.
Solved
Unable to join domain using FQDN
Posted on 2014-02-16
Hi Guys,
I am having an issue on a customer site where I can join the domain if I use "blah". However if I use the full root domain "blah.co.uk" I get the error message below.
Where this is really an issue is promoting a new domain controller, it is required to resolve the FQDN. Exchange is also unable to resolve the domain and cannot receive emails.
If I ping "blah.co.uk" this works correctly.
In the event log there are logs such as:
As well as this one which points towards it trying to register against a public DNS server:
I am having an issue on a customer site where I can join the domain if I use "blah". However if I use the full root domain "blah.co.uk" I get the error message below.
Where this is really an issue is promoting a new domain controller, it is required to resolve the FQDN. Exchange is also unable to resolve the domain and cannot receive emails.
If I ping "blah.co.uk" this works correctly.
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "blah.co.uk":
The query was for the SRV record for _ldap._tcp.dc._msdcs.blah.co.uk
The following domain controllers were identified by the query:
dc1.blah.co.uk
However no domain controllers could be contacted.
Common causes of this error include:
- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
In the event log there are logs such as:
The DNS server was unable to add or write an update of domain name Sales7 in zone blah.co.uk to the Active Directory. Check that the Active Directory is functioning properly and add or update this domain name using the DNS console. The extended error debug information (which may be empty) is "". The event data contains the error.
As well as this one which points towards it trying to register against a public DNS server:
The dynamic registration of the DNS record '422bc67f-c55f-461d-8f86-22d452011ec6._msdcs.blah.co.uk. 600 IN CNAME dc1.blah.co.uk.' failed on the following DNS server:
DNS server IP address: 213.143.3.4
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain controller, this record must be registered in DNS.
USER ACTION
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.
Or, you can manually add this record to DNS, but it is not recommended.
ADDITIONAL DATA
Error Value: DNS bad key.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
7
2
2- +5
18 Comments
Active 1 day ago
I think one of your issues is going to be that your Windows domain is named the same as your Internet domain. This really should not be done and this is one of the reasons why. Your domain controller is using DNS to resolve the PUBLIC IP address most likely as it is trying to join as opposed to the local naming.
If you create a HOSTS table entry on the new server temporarily that points to the domain controller IP and try it again to see if that works.
If you create a HOSTS table entry on the new server temporarily that points to the domain controller IP and try it again to see if that works.
I have found that in many cases - the problem is
1. The New Domain Server is not the DHCP Server
2. The Workstation is using Dynamic IPs and is not pointing to the Domain server as the 1st DNS IP and the Router as the 2nd.
If something else is providing the DHCP - you pretty well need to go Static IP on the Workstation and the primary DNS should be the Domain Server.
The other way is to put an entry in the HOSTS file to point to the Domain Controller
I now use profwhiz.exe to move workstations from one domain to another without having to worry about creating a new profile for the User on the Workstation.
1. The New Domain Server is not the DHCP Server
2. The Workstation is using Dynamic IPs and is not pointing to the Domain server as the 1st DNS IP and the Router as the 2nd.
If something else is providing the DHCP - you pretty well need to go Static IP on the Workstation and the primary DNS should be the Domain Server.
The other way is to put an entry in the HOSTS file to point to the Domain Controller
I now use profwhiz.exe to move workstations from one domain to another without having to worry about creating a new profile for the User on the Workstation.
Thanks guys tried that, no luck.
The logs above are from the existing domain controller.
Agreed on the domain name, this wasn't our choice. We have inherited this issue.
The logs above are from the existing domain controller.
Agreed on the domain name, this wasn't our choice. We have inherited this issue.
Active today
Hi,
when you perform nslookp against your domain controller, does it resolving fine? i suspect that the DC is missing an A record. Try to create a host A record and see it works fine.
when you perform nslookp against your domain controller, does it resolving fine? i suspect that the DC is missing an A record. Try to create a host A record and see it works fine.
Active 1 day ago
Can you take the domain controller and the new server and isolate them on a switch with no access to the Internet and try to join them. Once they are joined, they should be fine.
Is the DNS zone for the domain hosted locally on the DC? If not, it should be. Try creating a new host record on the DC's DNS zone for 'www' and point that to the public IP address on the Internet. Do the same for the MX records for exchangeInternal DNS zone should have an MX record for the private IP address of the Exchange server. Public DNS should have an MX record for the public address where exchange can be reached.
Tried isolating them so they had no internet access but the same result.
DNS is local to the single DC. browsing and pinging the domain name returns the DC and not the public site.
DNS is local to the single DC. browsing and pinging the domain name returns the DC and not the public site.
It seems as if netbios over TCP/IP is working if the clients can join via DOMAINNAME instead of domainname.com. What are the netbios over TCP/IP settings on the client. If it is set to the default, "Get from DHCP", try turning it on.
Active today
Does client computers also residing on public IPs or they have got private IPs ?
If client computers has private IP, how would they can communicate with DC with FQDN ?
If client computers has private IP, how would they can communicate with DC with FQDN ?
Active 6 days ago
Are your clients explicitly using the internal DNS server or do they send lookups to the internet ?
It sounds like short names were in use in the environment for local resolution while DNS resolution on clients for the fqdn might be going out to the internet as indicated above.
I would try checking the internal dns servers to see if it forwards requests for the internal domain fqdn to the internet (if not then I would use the local dns server for name resolution on the internal clients)
Firebar is pretty much on point with the troubleshooting / resolution path.
You may also want to see if any lmhost files are configured in your environment
It sounds like short names were in use in the environment for local resolution while DNS resolution on clients for the fqdn might be going out to the internet as indicated above.
I would try checking the internal dns servers to see if it forwards requests for the internal domain fqdn to the internet (if not then I would use the local dns server for name resolution on the internal clients)
Firebar is pretty much on point with the troubleshooting / resolution path.
You may also want to see if any lmhost files are configured in your environment
Becraig, thats what we are seeing on the DNS server. It looks to be forwarding to the internet, but cant find a reason for this.
Tried changing the netbios over TCP/IP setting and this hasnt helped. Same result.
We are contemplating building a new domain to get over this issue, but would really like to avoid that.
Tried changing the netbios over TCP/IP setting and this hasnt helped. Same result.
We are contemplating building a new domain to get over this issue, but would really like to avoid that.
Active 6 days ago
So firebar has given you the best path:
1) Ensure your internal clients explicitly use your DNS server
2) Forward all internet lookups to public DNS (domains other than your own)
3) Create a zone for your Domain in your DNS server
4) Forward all other request for your zone except for the AD related records to the internet.
Here is a nice little primer on your setup:
http://community.spiceworks.com/how_to/show/21213-using-same-fqdn-on-internal-and-public-networks
You might probably just want to do a walk through and compare.
1) Ensure your internal clients explicitly use your DNS server
2) Forward all internet lookups to public DNS (domains other than your own)
3) Create a zone for your Domain in your DNS server
4) Forward all other request for your zone except for the AD related records to the internet.
Here is a nice little primer on your setup:
http://community.spiceworks.com/how_to/show/21213-using-same-fqdn-on-internal-and-public-networks
You might probably just want to do a walk through and compare.
Active today
I am not ware why you published Domain controller on internet directly ?
Either you need to use split DNS scenario or you need to establish separate domain for internal clients
In split DNS you need to place one member server \ workgroup server in DMZ having standard primary zone with same name as your active directory dns zone (domain.co.uk) and you can publish it directly to internet with required records for external name resolution.
Same time your existing server that is having FSMO roles need to be placed \ transferred in corporate LAN network segment and its public IP needs to be replaced with private IP
Mahesh
Either you need to use split DNS scenario or you need to establish separate domain for internal clients
In split DNS you need to place one member server \ workgroup server in DMZ having standard primary zone with same name as your active directory dns zone (domain.co.uk) and you can publish it directly to internet with required records for external name resolution.
Same time your existing server that is having FSMO roles need to be placed \ transferred in corporate LAN network segment and its public IP needs to be replaced with private IP
Mahesh
Active today
From the last message you posted in the original question (dynamic registration failed...), it looks like perhaps you have a public DNS server configured in the NIC configuration on the DC.
Usually the easiest way to get to the bottom of issues like this is to run
dcdiag /v
dcdiag /v /test:dns
If you can post the results here that would be great.
Usually the easiest way to get to the bottom of issues like this is to run
dcdiag /v
dcdiag /v /test:dns
If you can post the results here that would be great.
Featured Post
We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Here's a look at newsworthy articles and community happenings during the last month.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units?
This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource.
Use Google, Bing, or other preferred search engine to locate trusted NTP …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month7 days, 1 hour left to enroll
704 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.