Can't find ad - non existent domain using nslookup

My domain has been set up for years and working fine.  Today when I tried to join a new vm running Server 2012 to the domain, I got the error "The following error occurred attempting to join the domain mydomain.com. The network path was not found." I also tested a computer running Windows 10 and same issue.

I'll be honest b/c I just want the fix.  Yesterday I had set up another vm and it joined successfully, it had the Remote Desktop Services role and somehow in Server Manager I added a DNS server to manage under Manage > Add Servers > DNS.  I don't know why I did this and think I got distracted.  Then I didn't need that vm and deleted it.  Did I confuse DNS?

I've searched everywhere and feel like all of my DNS records are fine. PTR, GC, everything. I've got forward and reverse lookup zones. I have my DomainDnsZones, ForestDnsZones set up, I haven't changed a thing. But this issue didn't happen until I added the server to manage under Server Manager. I think my Reverse Lookup Zone is right.  I have the NS record type, the SOA record type and then all the PTR for the computers on the domain.

When I do a nslookup ad on the server I'm trying to join the domain, I get this, but it sees my DC and the correct IP.

Server:  mydomaincontroller.mydomain.com
Address: 172.X.X.X
***mydomaincontroller.mydomain.com can't find ad: Non-existent domain
Misty Edwards Asked:

Tom Cieslik (IT Engineer) Commented:
Try ping -t yourdomain.com from the affected computer and check whether it pings the internal address of your domain controller.
If it does, then at the same time (along with the ping) try adding the computer to the domain again.

If the name does not resolve, it means your computer is not getting the proper DNS names from DHCP.
Check the DHCP settings again.

You can try putting your domain controller name with its local IP in the local hosts file in C:\Windows\System32\drivers\etc,
then try adding the computer to the domain again. If this works, then you 100% have a problem with DHCP or DNS propagation.
0
Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
Server:  mydomaincontroller.mydomain.com
Address: 172.X.X.X
***mydomaincontroller.mydomain.com can't find ad: Non-existent domain
So what is "ad"?

Let's say your domain name is contoso.local. Run this command:
nslookup contoso.local.

Note the trailing dot ( . ) in the DNS name. If that works, make sure you are using the domain DNS name and not the NETBIOS name to join the domain. If that doesn't work then we need to troubleshoot DNS.
0
arnold Commented:
nslookup -q=srv _ldap._tcp.dc._msdcs.mydomain.com

This should return the DCs available in the environment.

You either have a bad DNS or a stale DC record.
0
Misty Edwards (Author) Commented:
@tom - I can ping but can't join, and updating host file doesn't help me to join either.

@jeremy - I think that was a typo in my cmd line and I pasted it...whoops.  Anyways, nslookup returns my domain controller computer name and IP address:

Server: mydomaincontroller.mydomain.com
Address:  172.X.X.X

Name: mydomain.com
Address: 172.X.X.X


@arnold - your exact command didn't work, I get unknown query type (but it does return my domain controller name and IP).  If I do this I get this:

C:\nslookup -q
Default server: mydomaincontroller.mydomain.com
Address: 172.X.X.X

> srv _ldap._tcp.dc._msdcs.mydomain.com
Server: mydomaincontroller.mydomain.com
Address: 172.X.X.X

***mydomaincontroller.mydomain.com can't find srv _ldap._tcp.dc._msdcs.mydomain.com: Non-existent domain
0
arnold Commented:
Please type the request as I posted it:
nslookup -q=srv _ldap._tcp.dc._msdcs.yourdomain.com
-q=srv signifies that you are looking for a service record
_ldap._tcp.dc._msdcs.yourdomain.com

You omitted the -q= and combined srv with the record to look for.

172.16 is a private IP space and cannot be externally accessed.

There is no need to mask it, the IPs.....

It is not unique to you.
0
arnold Commented:
If you use
nslookup
set querytype=srv
_ldap._tcp.dc._msdcs.yourdomain.com.

would be the equivalent to the command line inquiry.
0
Misty Edwards (Author) Commented:
@Arnold, thanks for your follow up.  I'm trying to copy and paste that into a console session in a VM and I can't so I had to type it.  I missed the space after srv.  I tried again and received:

Default server: mydomaincontroller.mydomain.com
Address: 172.X.X.X

_ldap._tcp.dc._msdcs.mydomain.com                  SRV service locaton:
priority=0
weight=100
port=389
svr hostname=mydomaincontroller.mydomain.com

mydomaincontroller.mydomain.com           internet address = mydomaincontroller's IP
0
Jeremy Weisinger (Senior Network Consultant / Engineer) Commented:
When you try joining the domain, do you use the NetBIOS name or the DNS name? E.g. mydomain.com
0
Misty Edwards (Author) Commented:
Here, I've unmasked it for you. I tried to edit the other one but didn't work.

Default server: mydomaincontroller.mydomain.com
Address: 172.16.0.3

_ldap._tcp.dc._msdcs.mydomain.com                  SRV service locaton:
priority=0
weight=100
port=389
svr hostname=mydomaincontroller.mydomain.com

mydomaincontroller.mydomain.com           internet address = 172.16.0.3
0
Misty Edwards (Author) Commented:
@Jeremy I'm using the dns name.
0
arnold Commented:
Based on the response, the system should attempt to contact the DC, 172.16.0.3.

You need to run the query on the system you are trying to join to the domain.
Run ipconfig
to display the IP the VM has. If it does not have an IP on the 172.16.0.3 related segment, it might be getting an IP elsewhere and thus be unable to locate the DC.
Run ipconfig /all, making sure the name server points to 172.16.0.3.
0
Misty Edwards (Author) Commented:
Update, I rebooted the domain controller and the NIC card now is reading a different network as Ethernet0 (Network 2) as a Public Network.
0
arnold Commented:
Public network would mean the Windows firewall is blocking the requests to the AD service, which is commonly only available on the private/work zone.

Is the IP on the NIC configured as static or dynamic?
Setting it to a static IP would be a way to fix it, and categorize it as a work/private network type.
0
Misty Edwards (Author) Commented:
@arnold, I did run it on the system trying to join the domain.  ipconfig /all was the first thing I ran and everything is right.  It even shows my domain name.  For some reason my network connection on my DC is going to a public network. Something isn't right.
0
arnold Commented:
The classification is based on the connection setup, it commonly prompts but on the first, one can set any new network would automatically be classified as public unless changed when using network sharing interface and configure this network as private. When you join the domain, the connection would be classified as a work network, which is the same as private/home.

If the IP is not static on the server/s OS, the fluctuation might be .........
0
Misty Edwards (Author) Commented:
The IP is static on the servers, all of my servers.  My users can't even use their mapped drives on a file server now.  They get "the local device name is already in use" when clicking on a mapped drive. May be a hunch, but all these issues have to be related to some common issue.  The public network and mapped drive issue didn't start until I rebooted the DC.
0
Misty Edwards (Author) Commented:
Issue is fixed.  I unchecked IPv6 in network adapter on DC.
0
arnold Commented:
Since Windows 2008 there are some resources that rely on the IPv6 protocol even if not active.
It should often be enabled and the network resource categorized/classified as Private/work.
1
Misty Edwards (Author) Commented:
IPv6 was enabled after I did a full restore of the VM, but I remembered reading something about that so I just wanted to see what happened when I unchecked IPv6, that's when the issues resolved.  I was going to try to look further into what happened today, but I can't enable it right now or it will bring all my users down.  Can you point me in the direction on where to start? I still don't know what happened.
0
arnold Commented:
If it works and seemingly you do not have a role that is impacted by the disabling of the IPv6 protocol.

When IPv6 was disabled, the network type changed from public to work/private?
0
Misty Edwards (Author) Commented:
Yes, it was immediate the network type changed automatically.
0
arnold Commented:
Enabling IPv6 and re-categorizing the network as work/private should resolve the issue for the future while having both IPv6 and IPv4 active.
An interface defined as public applies different advanced firewall settings (MS built-in firewall).

Try at your convenience.
0
Misty Edwards (Author) Commented:
Thanks, I will give it a try.  When "re-categorizing the network as work/private", do I just do that in the Network List Manager Policies in the local security policy (gpedit)?  Looks like I can change it on Unidentified Networks and Identifying Networks.

BTW, last night I did make this exact change for Unidentified networks and changed it to Private, it changed the network adapter back to my domain, but I still had the issues until I disabled IPv6.
0
arnold Commented:
Usually, the network categorization applies to both. Not sure what happens with your IPv6.
If it works for you, not sure why the enabling of IPv6 shifts your network interface type. Are you able, with IPv6 enabled, to change the categorization from public to work/private?

Is there an IPv6 DHCP server within the setup?
0
Misty Edwards (Author) Commented:
There is no scope within DHCP for IPv6.  There is also no reverse lookup zone in DNS.  (My predecessor set this up. I have just started, so I'm getting a grip on things.)

My question was more on how do I change that categorization? Is it with the steps I mentioned or are you referring to something else?
0
arnold Commented:
Yes, I think so.
0
Tom Cieslik (IT Engineer) Commented:
I've noticed more than a few times that some workstations prefer IPv6 over IPv4.
I don't know why. You should not disable IPv6 in the network properties, but you can apply the Microsoft fix to set IPv4 to be preferred.

You can do it with a PowerShell command:

Break #In case you paste this into PowerShell ISE and press run script :)
#Check if the IPv4 address is preferred
ping $env:COMPUTERNAME
#If the reply is an IPv6 address, run the following registry setting to just prefer IPv4 and reboot
New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" -Name "DisabledComponents" -Value 0x20 -PropertyType "DWord"
#If DisabledComponents exists, use the set cmdlet
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" -Name "DisabledComponents" -Value 0x20
#You need to reboot the computer

or,

use Microsoft Fix

https://support.microsoft.com/en-us/help/929852/how-to-disable-ipv6-or-its-components-in-windows
0
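The checks discussed in this thread (DC locator SRV lookup, LDAP reachability, network category, firewall profile, IPv6 state), collected into one read-only PowerShell script. This is an added example, not code from any of the posters; `mydomain.com` is the thread's masked domain name, and the script assumes Server 2012 R2 / Windows 8.1 or later, where `Test-NetConnection` is available. Steps 3 to 5 are meant to be run on the domain controller itself.

```powershell
# Added example: read-only checks, nothing here changes configuration.
# Assumption: 'mydomain.com' is the thread's masked name; pass the real AD DNS name.
param([string]$Domain = 'mydomain.com')

# 1. DC locator record, same query as: nslookup -q=srv _ldap._tcp.dc._msdcs.<domain>
$srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
         Where-Object { $_.NameTarget })   # keep SRV answers, drop the extra A/AAAA records
if (-not $srv) { Write-Warning "No DC SRV records found for $Domain via the configured DNS server." }

# 2. Is each advertised DC reachable on the port the SRV record names (389 in the thread)?
foreach ($r in $srv) {
    $t = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port -WarningAction SilentlyContinue
    [pscustomobject]@{ DC = $r.NameTarget; Port = $r.Port
                       Address = $t.RemoteAddress; Reachable = $t.TcpTestSucceeded }
}

# 3. Which category did each connection get?
#    "Public" on the DC is the state the thread saw after the reboot.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity, IPv6Connectivity

# 4. Which firewall profiles are on, and what do they do with inbound traffic by default?
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 5. IPv6 state: the adapter checkbox and the DisabledComponents registry value.
Get-NetAdapterBinding -ComponentID ms_tcpip6 | Select-Object Name, Enabled
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$dc  = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($null -eq $dc) {
    'DisabledComponents: not set'
} else {
    'DisabledComponents: 0x{0:X} (prefer-IPv4 bit 0x20 set: {1})' -f $dc, [bool]($dc -band 0x20)
}
```

Capturing this output before and after toggling IPv6 shows whether the network category and the firewall profile in effect actually change with it.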
Greg Stringer Commented:
I would love to know exactly what Microsoft background utilities get impacted by disabling IPv6. I have found that having it enabled on computers causes all kinds of communication issues with seemingly random applications even when IPv4 is the preferred protocol. As soon as I disable IPv6 the issues are resolved. This has been true with various printers, LOB DBs, even simple communication with the server for basic things like group policy fail until I disable IPv6 on the workstation. I have for a few years now been unchecking IPv6 in the adapter properties and changing the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents Dword key to 0xfffffff to completely disable IPv6 on the workstations. I also find that if I change the setting for the Domain and Private profiles Incoming from Block(Default) to Allow in Windows Firewall with Advanced Security settings, then I have no issues joining the workstation to the domain and applying group policy. These are the first two things I do when I deploy a new workstation in an AD environment. To be clear, I am in smaller environments with less than 100 computers where I am certain there are no applications using IPv6, so I also know their applications will not be affected if I do not enable IPv6 afterwards. I have found that when I work behind other techs, and there are odd communication issues, doing this resolves those issues nearly every single time.
0

Misty Edwards (Author) Commented:
We are a very small environment too (less than 30 computer) and I do know we are not using it at this time.  I still have yet to determine what happened, but for the sake of this case, I'm going to close it as I don't have any further information to provide.  You all have been very helpful, if not with a direct fix to the solution, but helping me to gain a better understanding of what might have happened.
0