Cannot join Windows client to Win DC

Hello Experts,

I have a few DCs (Server 2008 and 2016) in my environment. Three of them are on the 192.168.0.0/24 network and one is located at a remote site (192.168.1.0/24) which is accessible over a site-to-site VPN. I can join any Windows client to the domain when the client is on the 192.168.0.0/24 subnet. If I am at the remote site I can join any Win client to the domain that is part of the 192.168.1.0/24 subnet.

The problem I have is when I attempt to join a Win client that is not part of the DCs' subnets. I believe this is true for both locations. Please see the attached file to review the error message I get when I attempt to join a Win client to the domain. My client is on the 10.0.0.0/24 network. There are no ACLs on the default gateway (Cisco ASR) between 192.168.0.0/24 and 10.0.0.0/24. Also, I am not filtering any traffic on the VPN.

So far I was able to confirm the DCs are reachable from 10.0.0.0/24 (ping and RDP). As far as I can tell the SRV records look good; however, I do not see the _msdcs folder in the Forward Lookup Zone. Also, I noticed that the domain name is GPS instead of GPS.local or GPS.net, for example.

GPS-AD-2.GPS was decommissioned some time ago and AD-1 is to follow shortly. All DCs are multi-homed, but I only have one NIC active at the moment for troubleshooting purposes.

Any help is greatly appreciated.

Thank You in advance.
Attachment: Error.txt
Svet Chinkov asked:
Rob Williams commented:
In the NIC config make sure only the remote DNS server is added. Do not add any others, even as an alternate. Also, if there are multiple NICs, wired or wireless, disable them, not just disconnect, until domain joined. I would also add the DNS suffix gps.local to the NIC's DNS config under "DNS suffix for this connection".
Svet Chinkov (author) commented:
Hi Rob,

There is only one NIC enabled on each server now and using the suffix does not seem to be making any difference. I still get the same error message. Any other ideas?

Thank You
Rob Williams commented:
But is there a second/alternate DNS server? Though we have primary and secondary locations or DNS server addresses in the NIC configuration, Windows does not necessarily wait for the first to time out. Thus often the secondary responds first and it cannot resolve the remote name. This is very common over VPNs; thus, at least while connecting to the domain, you should only use the one remote DNS server for the domain to which you want to join.
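The single-resolver setup Rob Williams describes, as an added PowerShell example; it is not part of the thread and not any participant's own commands. It assumes the client's adapter is named Ethernet and that the DC to resolve against is 192.168.0.10 (both made up here). The domain name GPS is the single-label name the question reports, so that is what goes into the connection-specific suffix; substitute the domain's real DNS name if yours differs.

```powershell
# Added example (not from the thread): pin the client's resolver to one DC
# before the join, remove every other resolution path, then verify that the
# DC-locator SRV record resolves through that server.
# Assumptions not stated in the thread: NIC alias 'Ethernet', DC 192.168.0.10.
$Nic     = 'Ethernet'
$DcDns   = '192.168.0.10'
$DnsName = 'GPS'   # the domain's DNS name as reported in the question (single label)

# 1. Record what is configured now so it can be restored after the join.
$before = Get-DnsClientServerAddress -InterfaceAlias $Nic -AddressFamily IPv4
'Current IPv4 DNS servers on {0}: {1}' -f $Nic, ($before.ServerAddresses -join ', ')

# 2. Disable (not merely disconnect) every other adapter so a second
#    resolver cannot answer first.  Do not run this over an RDP session
#    that arrives through one of those adapters.
Get-NetAdapter | Where-Object { $_.Name -ne $Nic -and $_.Status -ne 'Disabled' } |
    ForEach-Object { Disable-NetAdapter -Name $_.Name -Confirm:$false }

# 3. Exactly one DNS server, no alternate, plus the connection-specific suffix.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $DcDns
Set-DnsClient -InterfaceAlias $Nic -ConnectionSpecificSuffix $DnsName
Clear-DnsClientCache

# 4. The locator record the join uses, queried explicitly against that server.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DnsName" -Type SRV -Server $DcDns -ErrorAction Stop
$srv | Where-Object Type -eq 'SRV' |
    Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 5. Ask the DC locator itself which DC it would pick, bypassing its cache.
nltest /dsgetdc:$DnsName /force
```

Run this in an elevated Windows PowerShell session on the client. Step 4 shows which DC hostnames the record advertises; step 5 shows whether the locator can actually contact one of them, which is the part a plain DNS lookup does not prove.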
Svet Chinkov (author) commented:
No, there is not an alternative DNS IP configured at the moment on the client NIC. On the main DNS server the primary DNS IP is pointing to the secondary DNS server and the alternative DNS IP is pointing to 127.0.0.1, and vice versa for the secondary DNS server.

Thanks
masnrock commented:
So I am assuming you have one of the DCs statically set as the DNS server at the moment? Have you tried running a port scan against the DC from one of the subnets you're having issues with? Maybe there is an inability to see certain needed ports.
Svet Chinkov (author) commented:
Hi masnrock,

You are correct in your assumption. I did not run a port scan; instead I checked the netstat output on one of the servers and it looks to me that all necessary ports are open. Please feel free to review the attached netstat output from one of the servers.

Thanks
masnrock commented:
There's no attachment.

Also, using netstat is a bad test. While it may tell you that the server is listening on those ports, it won't tell you if traffic won't reach there from other subnets. So you actually need to run the port scan.
Rob Williams commented:
The server likely has the correct ports open, but only from the local subnet. By default, when the firewall exception is created it is configured such that only the local subnet has access for most of the ports. You will need to add the remote subnet, set to public, or disable the firewall.

If doing the port scan as masnrock suggested, do it over the VPN to test this.

You will need as a minimum:
File and Print Sharing ports: TCP 139 & 445, UDP 137 & 138
DNS: port 53
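The LocalSubnet scoping Rob Williams describes, as an added example run on a DC; it is not from the thread and not anyone's posted commands. It audits every enabled inbound allow rule whose remote-address filter contains the LocalSubnet keyword, then widens the File and Printer Sharing rules to the client subnet instead of disabling the firewall. The remote subnet 10.0.0.0/24 is the one the question names; for the VPN site substitute that subnet.

```powershell
# Added example (not from the thread): run on a DC in an elevated session.
# Finds inbound allow rules scoped to 'LocalSubnet' (they silently drop a
# client on 10.0.0.0/24) and adds the remote subnet to the File and Printer
# Sharing group.  Assumption: remote client subnet is 10.0.0.0/24.
$RemoteSubnet = '10.0.0.0/24'

function Get-LocalSubnetScopedRule {
    # Enabled inbound allow rules whose remote-address filter includes the
    # LocalSubnet keyword.  RemoteAddress may be a string or string[], so it
    # is wrapped in @() before the -contains test.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $rule   = $_
            $filter = $rule | Get-NetFirewallAddressFilter
            if (@($filter.RemoteAddress) -contains 'LocalSubnet') {
                [pscustomobject]@{
                    DisplayName   = $rule.DisplayName
                    DisplayGroup  = $rule.DisplayGroup
                    Profile       = $rule.Profile
                    RemoteAddress = (@($filter.RemoteAddress) -join ', ')
                }
            }
        }
}

# 1. Audit.  On a default install the File and Printer Sharing rules
#    (TCP 139/445, UDP 137/138) are the usual LocalSubnet-scoped entries.
Get-LocalSubnetScopedRule | Format-Table -AutoSize

# 2. Widen only the rules that are actually scoped.  -RemoteAddress replaces
#    the whole list, so LocalSubnet is passed again alongside the new subnet.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True |
    Where-Object { @(($_ | Get-NetFirewallAddressFilter).RemoteAddress) -contains 'LocalSubnet' } |
    Set-NetFirewallRule -RemoteAddress @('LocalSubnet', $RemoteSubnet)

# 3. Re-run the audit; the File and Printer Sharing group should be gone.
Get-LocalSubnetScopedRule | Where-Object DisplayGroup -eq 'File and Printer Sharing'
```

Check the Profile column in the audit as well: if a DC's NIC has landed in the Public or Private profile, rules that exist only for the Domain profile will not apply at all, regardless of their address scope.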
DrDave242 commented:
"however I do not see the _msdcs folder in the Forward Lookup Zone. Also, I noticed that the domain name is GPS instead of GPS.local or GPS.net for example."

Is there a separate _msdcs.<domain> forward lookup zone, or is _msdcs missing entirely?

Regarding the other issue, that's known as a single-label DNS domain name. I'm not certain it's causing the issue you're seeing, but it's a minefield of badness. This domain must have been around for quite some time, because newer versions of Windows won't let you create a domain with a single-label name and will give you ample warning if you promote an additional DC into such a domain.

Unfortunately, fixing a single-label domain is not simple; you either rename the domain (if you can - see that first link for a list of deal-breakers), or you create a new one with a properly formatted name and migrate everything to it.

Again, I'm not sure the single-label name is causing your issue (it seems odd that it would, in fact), but it really should be addressed at some point. The _msdcs issue may be a more likely cause, since DCs register site-specific DNS records in _msdcs.
Svet Chinkov (author) commented:
masnrock, my apologies for not attaching the netstat file earlier.

Rob, thanks for listing the required port numbers. I have all of the ports opened on all servers. The exception is port 139, which is only opened on one of the servers (also a DC).

DrDave242, this is an old domain which I inherited. The problem is my primary role is not System Admin and I do not have that much experience with DNS. Now I am struggling. I will be OK if I start from scratch, but it is not a small task. One of the servers is 2008 and the remaining were upgraded to 2016 at some point, but that leaves the issue with the single labeling. My guess is that the domain was somehow replicated, because, as you said, newer versions of Windows won't let you create a single-label domain.

The _msdcs folder is within the domain (GPS) folder, but in my limited experience it should be at the forward lookup zone folder alongside the domain folder. (Hope I am making sense :) )

Bottom line is it seems the best solution is rebuilding everything from scratch, but I was hoping for a temporary fix to give me time to complete other projects.
Attachments: GPS.PNG, netstat.txt
DrDave242 commented:
"The _msdcs folder is within the domain (GPS) folder, but in my limited experience it should be at the forward lookup zone folder alongside the domain folder. (Hope I am making sense :) )"

Yep, makes sense. Either configuration will work; _msdcs can be a folder within the domain forward lookup zone, or it can be a separate zone. Your configuration is the way it was done in the Windows 2000 days, supporting the theory that your domain has been around a while.

For what it's worth, I don't believe this is a DNS issue. The error message indicates that the DNS query for _ldap._tcp.dc._msdcs.GPS was successfully resolved, but none of the DCs in the response could be reached. If you're certain that traffic isn't blocked by a firewall, you may want to consider starting a packet capture on the client before trying to join the domain again. This should give you some idea of what traffic it's sending out and what's coming back to it. You may end up having to run a capture on one or more DCs as well in order to get a complete picture of what's happening. Unfortunately, this probably won't be a quick process.
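The sequence DrDave242 describes (the locator query succeeds, then no advertised DC answers), as an added client-side example that is not part of the thread. It repeats the _ldap._tcp.dc._msdcs.GPS query, checks every DC the record advertises on the TCP ports a domain join needs, and wraps a join attempt in a packet capture. It assumes the DNS server is 192.168.0.10 and the capture directory is C:\temp (both made up); the port list goes beyond Rob Williams' minimum to the Kerberos, RPC, LDAP and kpasswd ports a join also uses.

```powershell
# Added example (not from the thread): run as administrator in Windows
# PowerShell 5.1 on the client (Add-Computer is not available in PowerShell 7).
# Assumptions: DNS server 192.168.0.10, capture written under C:\temp.
$DnsName = 'GPS'               # single-label domain name from the question
$DcDns   = '192.168.0.10'
$Trace   = 'C:\temp\join.etl'

# 1. The same SRV query the join error refers to.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DnsName" -Type SRV -Server $DcDns -ErrorAction Stop |
       Where-Object Type -eq 'SRV'
if (-not $srv) { throw "No SRV records returned for _ldap._tcp.dc._msdcs.$DnsName" }

# 2. For every DC the record advertises, probe the TCP ports a join uses:
#    Kerberos 88, RPC endpoint mapper 135, LDAP 389, SMB 445, kpasswd 464.
#    Test-NetConnection is TCP-only, so UDP (DNS 53, Kerberos 88, LDAP ping 389,
#    NetBIOS 137/138) is not covered here.
$ports = 88, 135, 389, 445, 464
foreach ($dc in $srv) {
    foreach ($p in $ports) {
        $r = Test-NetConnection -ComputerName $dc.NameTarget -Port $p -WarningAction SilentlyContinue
        '{0,-30} TCP {1,-5} {2}' -f $dc.NameTarget, $p, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
    }
}

# 3. Capture on the client for the duration of the join attempt, then stop
#    the trace whether or not the join succeeded.
New-Item -ItemType Directory -Path (Split-Path $Trace) -Force | Out-Null
netsh trace start capture=yes "tracefile=$Trace" maxsize=256 overwrite=yes | Out-Null
try {
    Add-Computer -DomainName $DnsName -Credential (Get-Credential) -ErrorAction Stop -Verbose
} finally {
    netsh trace stop | Out-Null
}
```

If every advertised DC shows BLOCKED on 389 and 445 from 10.0.0.0/24 while the same probe from 192.168.0.0/24 shows open, the problem is reachability, not DNS, which matches the reading of the error above. The .etl file can be opened in Microsoft Message Analyzer or converted with Microsoft's etl2pcapng for Wireshark; look for SYNs to the DC ports that never get a SYN/ACK.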
Svet Chinkov (author) commented:
Hello,

We actually decided to rebuild the domain starting from scratch. Thank you all for the help and all the suggestions.
DrDave242 commented:
Asker resolved issue by recreating the domain (which was very likely the best course of action).