Need help joining a domain

HeilandS
When I try to join newly built Windows Server 2012 R2 to a domain I get the following message:

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "tlith.com": The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR)  The query was for the SRV record for _ldap._tcp.dc._msdcs.tlith.com
Common causes of this error include the following:
- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:
10.1.100.21
10.1.100.11
- One or more of the following zones do not include delegation to its child zone:
tlith.com
com
. (the root zone)


How do I troubleshoot this?

Thanks,

Scott
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:
What DNS servers have you configured the server to use?

What DNS servers have you configured the Domain Controller to use?

What are these servers in the context of your network? 10.1.100.21 and 10.1.100.11?

Chris
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:
Sorry, scratch the first question, it's Friday and it's late :) The others apply as it suggests either:

1. Your DNS servers are just wrong
2. The DNS servers are right, but something is preventing the DCs registering records. The most likely is that the DCs don't have the right DNS servers configured.

Chris
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
I would suggest inspecting DNS as suggested.

Then check your DCs' event logs and ensure you don't have any unexplained errors there.

Then, run DCDIAG /C /E /V on the DC. Resolve any unexplained errors.
Author

Commented:
Chris,

In answer to your questions:

What DNS servers have you configured the Domain Controller to use?
  My primary and secondary Domain Controllers are using each other for DNS

What are these servers in the context of your network? 10.1.100.21 and 10.1.100.11?
  These are my primary and secondary Domain Controllers
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:
Excellent.

Did you manage to run DCDiag as Lee advised?

You can test a few basic things as well, but perhaps it's simpler to open the DNS console and say what you see. I'd expect you to have a Forward Lookup Zone for your internal domain name, and another for _msdcs.<internal.domain.name>. Do you see those?

Chris

Author

Commented:
Lee W,

I inspected event logs and no related errors existed.  DCDIAG /C /E /V passed all tests.

Scott

Author

Commented:
Chris,

Yes, I have inspected event logs and no related errors existed.  DCDIAG /C /E /V passed all tests.

I have both forward lookup zones as you described.

Scott

Author

Commented:
All,

On a whim, I disabled the IPV6 protocol and was able to successfully join the domain.
Any thoughts?

Scott
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:
It probably ended up trying to look up the AAAA record for the server. If there's a firewall / router between the client and server and you don't really support IPv6 that might be problematic.

Chris

Author

Commented:
I believe that I am going to need IPv6 as this server is being set up to be an access server.  Any further thoughts on how to resolve the IPv6 contentions?
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:
Sorry, bit of a late reply.

I'd say, either:

1. Fully embrace IPv6, support it all the way across the network. To be honest that statement makes me chuckle a bit, it's hard to get traction on something like that unless you're in charge of every intermediate networking device.

Or:

2. Disable IPv6 on the client-side. That should prevent it looking for AAAA records in the first place and preferring IPv6 as a means of connecting.

Finally, access server as in acting as a terminal server? Hosting that on a Domain Controller is far from advisable.

Chris

Author

Commented:
Chris,

I do have control of the entire network and had enabled IPv6 based on Microsoft's pre-configuration requirements for DirectAccess.  I would prefer not to use it.  Are you saying that's possible?  This server will be in a role of a DirectAccess server only and will not be a DC.

Thanks,

Scott
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:
Ahh I'm with you, this thing you're trying to join must support IPv6. How about the Domain Controllers? Are they on the same network segment or do you have to traverse firewalls / routers to get to them?

Chris
PowerShell Developer
Top Expert 2010
Commented:
Perhaps you can run:

nslookup -q=aaaa yourdomain.com.

And:

nslookup -q=aaaa domaincontroller.yourdomain.com.

If you get an IPv6 address returned by that, see if you can ping each (just to begin with, Ping is not a great test).

Chris
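
The checks discussed in this thread (the SRV lookup from the error message, then A versus AAAA answers for each Domain Controller) can be scripted on the joining server. This is an added example, not code posted by anyone in the thread. The domain name and DNS server addresses are the ones in the error message in the question; `Resolve-DnsName` and `Test-NetConnection` ship with Windows Server 2012 R2.

```powershell
# Added example. Domain and DNS server addresses are the ones in the error message above.
$Domain     = 'tlith.com'
$DnsServers = '10.1.100.21', '10.1.100.11'
$SrvName    = "_ldap._tcp.dc._msdcs.$Domain"

foreach ($server in $DnsServers) {
    Write-Host "== DNS server $server =="
    try {
        # -DnsOnly: ask DNS only, no LLMNR/NetBIOS fallback that could mask a DNS gap
        $srv = Resolve-DnsName -Name $SrvName -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "SRV lookup for $SrvName failed on ${server}: $($_.Exception.Message)"
        continue
    }
    if (-not $srv) { Write-Warning "No SRV records in the answer from $server"; continue }

    foreach ($rec in $srv) {
        foreach ($type in 'A', 'AAAA') {
            $answers = Resolve-DnsName -Name $rec.NameTarget -Type $type -Server $server -DnsOnly -ErrorAction SilentlyContinue |
                       Where-Object { $_.Type -eq $type }
            if (-not $answers) {
                Write-Host "  $($rec.NameTarget): no $type record"
                continue
            }
            foreach ($ip in $answers.IPAddress) {
                # Test the port the SRV record advertises; ping alone says little
                $tcp = Test-NetConnection -ComputerName $ip -Port $rec.Port -WarningAction SilentlyContinue
                Write-Host ("  {0} {1} {2} port {3} reachable: {4}" -f $rec.NameTarget, $type, $ip, $rec.Port, $tcp.TcpTestSucceeded)
            }
        }
    }
}
```

A Domain Controller that shows an AAAA record whose address is not reachable on the advertised port, while its A record is, matches the behaviour seen when disabling IPv6 allowed the join.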

Author

Commented:
The IPv6 address returned by nslookup responded to a ping for my domain.  The ping to my DC at my domain returns a can't find message.
