Server 2012 can't join clients to domain

I am receiving the following error when trying to join a client to domain:  "the following error occurred attempting to join the domain: the network path was not found"

This is a brand new 2012 R2 server with freshly installed Active Directory and DNS.  I have screwed something up....there is definitely a DNS issue going on.  When I try nslookup of server name, it comes back with my ISP as server and address is ISP DNS.  If I nslookup FQDN, Non-authoritative shows proper name, but address is IP address of www. externally.  

If I run a simple query against DNS server it fails.

Any ideas are appreciated.
itechresultsAsked:
 
Cliff GaliherCommented:
From the ipconfig /all you posted, DHCP clearly shows as not being used. But in your DNS entries, there are two 2001:: addresses, which would never be there from an out-of-box autoconfiguration. So there is clearly something bigger going on and you can't expect DNS to work properly under those conditions. Windows will default to IPv6 first, so until you figure that out, it'll not work as expected.
0
 
becraigCommented:
Please ensure that the client is using the internal DNS server as the primary DNS.

If you have a Single DC environment then this will most probably be the ip address of the 2012 server.

Try entering that as the dns server in the ip address config of the client and try again.
0
 
itechresultsAuthor Commented:
Becraig:

Yes, this is a single DC environment.
Yes, I have IP of 2012 server as DNS for client

thanks
0
 
becraigCommented:
If this is the case you may have dns forwarding for your domain configured.
What zone is your local dns server in?

Is it the same .com as your public site?


I would suggest this from the client

run nslookup  hit enter   (Take note of the dns server name and IP  [if you set it up correctly it should resolve your 2012 server])

Then run set q=a  "hit enter"
Then enter the short name for the 2012 server and hit enter.

You can paste the results but redact the actual server name.
0
 
Cliff GaliherCommented:
Are the clients getting any information from a DHCP server, such as a router? Can you post an ipconfig /all from a client that is failing?
0
 
itechresultsAuthor Commented:
Cliff

DHCP is my router.  Here is ipconfig /all from a failing client:

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>ipconfig/all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : server2
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-14-9B-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:d:7000:513:85b7:8c10:1673:b5b6(Preferred)
   Link-local IPv6 Address . . . . . : fe80::85b7:8c10:1673:b5b6%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.20.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::21d:ceff:fea2:2aaf%12
                                       10.0.20.1
   DHCPv6 IAID . . . . . . . . . . . : 301995357
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-EC-99-EB-00-15-5D-14-9B-01

   DNS Servers . . . . . . . . . . . : 2001:558:feed::1
                                       2001:558:feed::2
                                       10.0.20.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 11:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:10b9:16:f5ff:ebfa(Preferred)
   Link-local IPv6 Address . . . . . : fe80::10b9:16:f5ff:ebfa%13(Preferred)
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 369098752
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-EC-99-EB-00-15-5D-14-9B-01

   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{A0CCBD36-8108-418E-BA04-342CA95612AE}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Administrator>
0
 
itechresultsAuthor Commented:
becraig:

My domain is corp.domain.com

Nslookup shows:

Default Server:  cdns01.isp.net
Address:  2001:558:feed::1
0
 
itechresultsAuthor Commented:
becraig:

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>nslookup
Default Server:  cdns01.isp.net
Address:  2001:558:feed::1

> set q=a
> dc1
Server:  cdns01.isp.net
Address:  2001:558:feed::1

*** cdns01.isp.net can't find dc1: Non-existent domain
>
0
 
becraigCommented:
So there is your problem: your client is resolving to the ISP DNS server.

Since the router is handing out IP addresses and DNS server name you will also want to configure the router to list the 2012 server as the primary dns server.

So this looks like a change you will have to make on the router.
0
 
Cliff GaliherCommented:
Looks like someone has tried to set up IPv6 on your network and it is handing out bad IPv6 DNS entries, so DNS is failing.
0
 
becraigCommented:
You can also reserve the ip address on the router and assign it statically on the server and configure your 2012 server as primary dns and the router / isp as secondary.
0
 
itechresultsAuthor Commented:
Becraig:

OK, I will set my router's primary dns as dc1.  I have the server offsite
0
 
becraigCommented:
Before you make that change, be sure it won't impact any current traffic.

I would say your setup needs some housekeeping, for now I would configure server2 manually with the dns info and proceed.

Out of an abundance of caution, not knowing your internal setup and what is relying on your router.
0
 
itechresultsAuthor Commented:
cliff:

what I do know is IPv6 is disabled on my router.  I didn't make any ipv6 changes on dc1 - 2012 server, just changed ipv4 address to static
0
 
itechresultsAuthor Commented:
becraig:

thanks, but i'm currently in a home environment, traffic problems will only affect me
0
 
becraigCommented:
What make/model router are you using?

Might help to be able to recommend a config.
0
 
itechresultsAuthor Commented:
becraig:

don't laugh, I'm using an Arris TG852
0
 
itechresultsAuthor Commented:
Cliff,

That makes sense.  My router is clearly interfering with my setup
0
 
itechresultsAuthor Commented:
becraig:

I did configure server2 Ipv4 settings manually.  Is that what you are referring to or I might be confused?
0
 
itechresultsAuthor Commented:
would it be easier to disable DHCP on my router and setup DHCP on DC1 - Server 2012?
0
 
becraigCommented:
Since your setup is so small I'd just disable ipv6 on the router and add server1 as first dns server.

Yes, I was talking about manually configuring a static address on server 2
0
 
Cliff GaliherCommented:
Unlikely. Since disabling DHCP and using static didn't solve the issue. You really have to look at the IPv6 issue. *SOMETHING* on your network is advertising that stuff or it got manually configured. And that can happen independent of DHCP (or even DHCPv6) as IPv6 supports other network discovery methods.
0
 
itechresultsAuthor Commented:
cliff

the  two 2001:: addresses are coming from my router:

I copied this from my router:

 WAN IPv6 DNS Server: 2001:558:feed::1 2001:558:feed::2
0
 
itechresultsAuthor Commented:
This router I have is a piece of @#@@.  There's no option to disable DHCP.
0
 
itechresultsAuthor Commented:
And can't make changes to DNS on router
0
 
Cliff GaliherCommented:
If this is ISP supplied equipment and cannot be replaced, and if you regularly work on or prep client hardware before moving it onsite, I'd put an extra barrier between you and the ISP. Something you control and that can block unwanted stuff like DHCP. Something like a MikroTik or one of the SMB SonicWalls. Or repurpose an old PC and run something like Untangle.
0
 
itechresultsAuthor Commented:
Cliff:

Thanks for the suggestion.  You're right.  This is an ISP supplied router.  

I'm going to move this server to my office and put it behind a spare sonicwall I have.  I'll post results Saturday or Monday.  

Thank you both - Cliff and Becraig
0
 
Rob WilliamsCommented:
To add.
I would disable the internet, reboot machines and see if everything works, just as a test.
I suspect the router is passing IPv6 traffic and since the ISP obviously supports it, they are providing an IPv6 address.  This is going to become a problem, and a security risk in the future if we cannot block or configure IPv6 properly.

If an ISP supports IPv6 and your router allows the traffic to pass, any device outside of your network could be providing IPv6 DHCP.  Can you disable it on the router?  Do not disable on the server.

Never use an ISP as a secondary DNS server.  Only use your internal DNS servers.  Windows will often use the secondary, resulting in slow logons, name resolution failures, and inability to join the domain.
Best if you can use your server for DHCP so you can configure all scope options: IP, subnet mask, gateway, domain suffix, and any others you might want.  This also allows for IP management and reservations.
0
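Added example (not part of the original thread or any poster's code): a Python audit that parses saved `ipconfig /all` text like the output posted above and reports every configured DNS server that is not an approved internal resolver, with its position in the list. The sample text is constructed from the thread's output, and treating `10.0.20.4` as the only approved resolver is an assumption.

```python
import ipaddress
import re

# Constructed sample shaped like the thread's `ipconfig /all` output, console wrap included.
SAMPLE = """\
Windows IP Configuration

   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Ethernet:

   DHCP Enabled. . . . . . . . . . . : No
   IPv6 Address. . . . . . . . . . . : 2601:d:7000:513:85b7:8c10:1673:b5b6(Prefe
rred)
   IPv4 Address. . . . . . . . . . . : 10.0.20.5(Preferred)
   DNS Servers . . . . . . . . . . . : 2001:558:feed::1
                                       2001:558:feed::2
                                       10.0.20.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# "   Key . . . . : value"; continuation lines carry no dot leader, so they do not match.
FIELD = re.compile(r"^\s+(.+?)\s*(?:\. )+: ?(.*)$")

def dns_servers_by_adapter(text):
    """Return {adapter: [DNS servers in listed order]}; any %zone index is dropped."""
    result, adapter, in_dns = {}, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line and not line[0].isspace():
            if line.endswith(":"):          # adapter header; wrapped fragments are ignored
                adapter = line[:-1]
            in_dns = False
            continue
        m = FIELD.match(line)
        if m:
            in_dns = m.group(1) == "DNS Servers"
        value = (m.group(2) if m else line).strip()
        if in_dns and adapter and value:
            result.setdefault(adapter, []).append(ipaddress.ip_address(value.split("%")[0]))
    return result

def audit(text, approved):
    """List (adapter, position, address) for each DNS server not in `approved`."""
    allowed = {ipaddress.ip_address(a) for a in approved}
    return [(adapter, pos, str(server))
            for adapter, servers in dns_servers_by_adapter(text).items()
            for pos, server in enumerate(servers, start=1)
            if server not in allowed]

if __name__ == "__main__":
    # Assumption: 10.0.20.4 is the only approved internal resolver.
    for finding in audit(SAMPLE, ["10.0.20.4"]):
        print("unapproved DNS server:", finding)
```

On the sample, both ISP IPv6 resolvers are reported at positions 1 and 2, ahead of the internal server at position 3.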
 
DeleteCommented:
If you want to stop using IPv6, or even test not using it, then why don't you just uncheck IPv6 in your network adapters on each server so they no longer try to use it?
0
 
Rob WilliamsCommented:
It is not recommended you disable IPv6 on any server 2008 and newer.  If you feel you must do it let us know, unchecking the box does not properly disable it, you have to do so in the registry.


From Microsoft's perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.
from:  http://blogs.technet.com/b/askpfeplat/archive/2013/06/17/ipv6-for-the-windows-administrator-why-you-need-to-care-about-ipv6.aspx
0
 
itechresultsAuthor Commented:
RobWill,

I agree.  I will not disable ipv6 on server nics.  I understand Justin mentioned this just for testing.

Update:  I brought server to my office and booted with network cable disconnected.  I ran nslookup from dc1 and server2.  It is now returning correct internal IP.  I also ran a simple query against DNS server and it passed.  Later today, I will hook up behind a segregated managed router.  I will enable DHCP on dc1 since this is what I want anyhow when server goes into production.
0
 
becraigCommented:
Great to hear, dude. I also think you should consider Cliff's suggestion for future home testing:

If this is ISP supplied equipment and cannot be replaced, and if you regularly work on or prep client hardware before moving it onsite, I'd put an extra barrier between you and the ISP. Something you control and that can block unwanted stuff like DHCP. Something like a MikroTik or one of the SMB SonicWalls. Or repurpose an old PC and run something like Untangle.
0
 
Rob WilliamsCommented:
As mentioned, it sounds like it may be getting an IPv6 address from somewhere on the public side of the router.

We are in the process of updating our client routers with ones that offer IPv6 compatibility, including the ability to block outgoing IPv6 traffic so that we can block for now and enable when we are ready, not when the ISP is.  There are also problems with Exchange and IPv6 which will send using IPv6 if it can, i.e. ISP supports it.  If public IPv6 DNS is not configured properly some hosts, such as GoDaddy will not accept the mail.  Internally I have seen no IPv6 issues since XP SP2.
0
 
itechresultsAuthor Commented:
Thanks everyone.  I was able to join a client to the domain.  Although I had to use the entire domain (corp.domain.com).  The NetBIOS name (corp) did not resolve on the client when trying to join domain.  Is that because WINS is not enabled on DC1?  After reboot of client, I was able to login with corp\username.

Also, please review nslookup of my FQDN.  Below nslookup was run on DC1:

C:\Windows\system32>NSLOOKUP
Default Server:  UnKnown
Address:  DC1 IP

> DC1.CORP.DOMAIN.COM
Server:  UnKnown
Address:  DC1 IP

Non-authoritative answer:
Name:    DC1.CORP.DOMAIN.COM.DOMAIN.COM
Address:  WWW IP OF PUBLIC WEBSITE

>
0
 
itechresultsAuthor Commented:
Becraig,

Thanks man.  I will definitely take Cliff's advice when testing from home.  I made a stupid mistake and it cost me many hours, plus your time and the other experts!
0
 
Rob WilliamsCommented:
According to your earlier ipconfig  your DHCP server is not handing out the domain suffix, internaldomainname.local
That is important.  If not you have to add the suffix, but it can cause problems elsewhere so better to fix the problem.  Using the server for DHCP allows this, scope option 015.

You mentioned domain.com  Is your internal domain suffix .com?  It would normally be .local
.com can cause problems.
0
 
itechresultsAuthor Commented:
RobWill,

I went ahead and setup DHCP on server before I joined client.  I just checked scope option 015 and it says corp.domain.com.  Should I change this to just corp?

Also, yes I named internal domain suffix .com.  I had read that new best practice is to use a sub domain of .com.  Also Microsoft lists example as corp.contoso.com?  

Should I stop and reinstall server from scratch?
0
 
Rob WilliamsCommented:
Servers are normally .local on the internal domain, and that is the default Windows will create.
External might be acmecorpUSA.com
Internal might be acmecorpUSA.local or can be different like ACUSA.local
Using .com internally can cause DNS issues.

http://technet.microsoft.com/en-us/library/cc626155(v=ws.10).aspx
The MAC issue mentioned in the article has been resolved.

http://technet.microsoft.com/en-us/library/cc739077(v=ws.10).aspx
0
 
itechresultsAuthor Commented:
Robwill,

Ok, thanks.  I know there is a lot of debate on this topic.
0
 
Rob WilliamsCommented:
Not really.  :-)
The only time I have ever seen an internal domain, since NT4 with a .com suffix is on Experts Exchange with issues.  Having said that it is possible but requires some customizations.
0
 
DeleteCommented:
Looking at your ipconfig output, the reason you can't use a shortname is because you have no primary DNS suffix defined.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : server2
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid

When you do a DNS query using a shortname your system will attempt to append the primary DNS suffix, since you don't have one defined it isn't appending anything and therefore failing.

The Primary DNS Suffix generally gets populated when you join a machine to the domain.  If the machine is not on the Domain and you want to use the shortname then there are a few different options.
1.  Go into your System Properties -> Computer Name tab -> click the Change... button -> in the Computer Name/Domain Changes window click the More... button -> populate the Primary DNS suffix for this computer (requires a reboot).

2. In DHCP configure option 015 DNS Domain Name with your Domain Name

3. On the NIC of the server that can't resolve the shortname, go into the IPv4 Properties and click Advanced -> go to the DNS tab -> Set DNS suffix for this connection and/or click the radio button to "Append these DNS suffixes (in order)" and add your domain name in the list.


If you want to see how your DNS is resolving then do the following from a command prompt:


C:\>nslookup
>set d2
>query your shortname
0
 
itechresultsAuthor Commented:
Justin,

Thanks.  Primary dns suffix is now resolving full domain name (corp.domain.com) on server2 ipconfig /all
0
Question has a verified solution.
