Mark Salonius

asked on

Active Directory Remote Server VPN can't find DC

Hi Guys and Gals,

I have a problem that I am banging my head against and can't seem to get to work.

I have 2 locations
Location 1
IP 10.10.10.0/24

Location 2
IP 20.20.20.0/24

There is a Site to Site IPSec VPN connection between them with all ports wide open..Location 1 has the active directory domain server for MYDOMAIN.com...I want to add a second server at location 2 as a domain server as well, but I can't get it to find the domain.  The server in location 2 has the AD DNS server in Location 1 as the DNS server and I can ping the domain without problem, but when I go to join the domain it says it can't find the domain controller...all ports are open so I am lost...HELP!!!!
Rob Williams

The server wanting to join the domain must have ONLY the DC as its DNS server.  Make sure there is no secondary such as a router or ISP.  Also, if the server has multiple NICs you may need to disable all but one till domain joined.
Kimputer

On the server at location 2, run nslookup,
then fill in a valid lookup (of something in location 1) and see if it returns anything.
PS:  You may want to review an article I wrote a while back.  Not directly related to your issue but items #1 to 5 still apply.
https://blog.lan-tech.ca/tag/join-domain/
Hm. I hope 20.20.20.0/24 is just an example.  20.x.x.x is a public address space.
10.20.20.0/24 would be a valid choice for a private network.

Some tooling (using auto find, auto ...) just broadcasts to find companions, broadcasts don't pass routers. (that is not a bug, but a requirement).
Is there no way to specify that the Primary DC is somewhere else?   Or a possibility to specify a secondary DC from the PDC?

ASKER

Yes 20.20.20.0 is just an example
My goal is to use the cloud as an AD server so I need to join the domain, promote it to a DC and then demote the old one so that the cloud one is the only one....there has to be a way for this.
If you want to join a domain you need to specify a DC, don't you?  (or the DNS name of a domain) Through a DNS lookup it should find all the other stuff...
Then ends my Windows Knowledge....
If you are doing this with Azure, i.e. over the internet I bet you have a DNS server listed which is not part of your domain.  You must point ONLY to your DNS server.
Please answer #a42524539
I did an nslookup and this is the result...but I can ping by name so I am a bit confused...
I did this nslookup from the cloud server

nslookup lindapc.mydomain.com
server:dns.mydomain.com
Address: 10.10.10.154

DNS request timed out
        timeout was 2 seconds.
DNS request timed out
        timeout was 2 seconds.
*** Request to dns.mydomain.com timed-out

but I can ping:
ping lindapc.mydomain.com
Reply from 10.10.10.54: bytes=32 time=38ms TTL=126
Reply from 10.10.10.54: bytes=32 time=38ms TTL=126
Reply from 10.10.10.54: bytes=32 time=38ms TTL=126
Reply from 10.10.10.54: bytes=32 time=38ms TTL=126
You cannot resolve DNS. Try telnet 53 to 10.10.10.54

The ping is probably host file or DNS cache
Connects no problem
Increase the query timeout on the DNS server
I increased it and I get one timeout then it resolves...so strange...any other ideas?  I can't seem to still join the domain
I am not convinced that all ports are open
How can I prove it to you besides telnetting to port 53 from one to the other?  That works just fine.
Can you post an Ipconfig /all  from the machine trying to join the domain?
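As an added example (editor's code, not from any poster in this thread): a PowerShell check, run from the server at location 2, that separates the things the thread is juggling: which resolvers the client actually uses, TCP 53 reachability (all that a telnet to port 53 proves), and the SRV lookups the DC locator performs, first over UDP and then over TCP, bypassing the hosts file and the resolver cache that make ping look healthy. The domain name and DNS server address are assumed from the nslookup output above.

```powershell
# Added example, not from the original thread. Assumed values (from the
# poster's nslookup output): domain mydomain.com, AD DNS server 10.10.10.154.
param(
    [string]$Domain    = 'mydomain.com',
    [string]$DnsServer = '10.10.10.154',
    [string]$TestHost  = "lindapc.$Domain"
)

# 1. The joining machine must list ONLY the AD DNS server. Any extra
#    resolver (router, ISP, cloud default) can answer first and has no
#    idea where the domain's SRV records live.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Why ping can work while nslookup times out: ping goes through the
#    hosts file and the local resolver cache, nslookup does not.
Get-DnsClientCache -Entry $TestHost -ErrorAction SilentlyContinue |
    Select-Object Entry, Data, TimeToLive

# 3. Telnet/Test-NetConnection only exercise TCP 53 ...
Test-NetConnection -ComputerName $DnsServer -Port 53 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# ... but nslookup and the DC locator try UDP 53 first. A VPN or firewall
#    rule that passes TCP and drops UDP produces exactly "request timed out".
#    _ldap._tcp.dc._msdcs.<domain> is the SRV record a domain join looks up.
$srv = "_ldap._tcp.dc._msdcs.$Domain"
foreach ($mode in 'udp', 'tcp') {
    $opts = @{ Name = $srv; Type = 'SRV'; Server = $DnsServer
               DnsOnly = $true; NoHostsFile = $true; ErrorAction = 'Stop' }
    if ($mode -eq 'tcp') { $opts.TcpOnly = $true }
    try {
        $r = Resolve-DnsName @opts
        $targets = $r | Where-Object Type -eq 'SRV' |
            ForEach-Object { "$($_.NameTarget):$($_.Port)" }
        "$mode SRV lookup OK: " + ($targets -join ', ')
    } catch {
        "$mode SRV lookup FAILED: $($_.Exception.Message)"
    }
}

# 4. Finally ask the DC locator itself, which is what the join wizard does.
nltest /dsgetdc:$Domain /force
```

If the UDP lookup fails while the TCP lookup succeeds, the "all ports open" assumption is wrong for UDP 53 somewhere on the VPN path; if both succeed but nltest still fails, look at the resolver list from step 1.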