blkfoot asked:
DCPROMO failing for new server

Here is my set up:
2 domain controllers, Windows 2008 R2, 600-700 devices in the domain.  Everything is working well with no errors in the event log.

I am moving this customer to a hosted server outside of their LAN.  There is a site-to-site VPN established between the 2 locations.  The new DC is Windows 2016 Standard but the IP is in a different subnet.

When I try and add the new server to the domain I receive: An Active Directory Domain Controller (AD DC) for the domain xxxx.local could not be contacted.

In the details it shows the domain controller SRV records were found but they are not available.

I have verified DNS, I can ping from the new server to both DCs by IP and FQDN.  I added a static A record on the DC for the new server and I am able to ping the new server both by IP and FQDN from both DCs.  I have run DCDIAG and everything passes.  I can browse through Windows Explorer to the DC and see the shares SYSVOL and NETLOGON although I get access denied when I try and open them.

The only errors that I get are when I try and join the server to the domain or try dcpromo.
Jacob Durham:

Where did you put the A records? Did you create a reverse lookup zone?
blkfoot (ASKER):
I put the A record in the domain.local zone and yes, I created a reverse lookup.
What are the DNS settings in the new server?
In the details it shows the domain controller SRV records were found but they are not available.

I'm assuming that the error details list a specific SRV record. If you use nslookup on the new server to attempt to resolve that record, what response do you get? If you don't have much experience with nslookup, just follow these steps:

Launch a command prompt on the new server.
Type nslookup to enter nslookup's interactive mode. You'll see some output about the server you'll be querying.
Type set q=srv to tell nslookup to query SRV records.
Type the full name of the SRV record in the error with a dot at the end. It'll be something like _ldap._tcp.gc._msdcs.domain.com.

Please post the output you receive here.
blkfoot (ASKER):
DRDave242:

> _ldap._tcp.dc._msdcs.tfsd.local
Server:  tfsd-dc-hs.tfsd.local
Address:  192.168.10.254

_ldap._tcp.dc._msdcs.tfsd.local SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = tfsd-dc-jhs.tfsd.local
_ldap._tcp.dc._msdcs.tfsd.local SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = tfsd-dc-hs.tfsd.local
tfsd-dc-jhs.tfsd.local  internet address = 192.168.18.253
tfsd-dc-hs.tfsd.local   internet address = 192.168.10.254
blkfoot (ASKER):
masnrock - DNS on the new server is set to the DC.
The nslookup output looks good (assuming those IP addresses are correct, of course). What's the exact error? Also, does dcdiag on either DC show any problems?
Are you trying to add the server to the domain, or are you trying to make the new server a domain controller?

Have you tested communication on specific ports; like LDAP, RPC, etc?

If there's any issue grab network captures on both ends so you can see exactly what is occurring.
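The two suggestions above (resolve the SRV record with nslookup, then test the individual ports such as LDAP and RPC) can be combined into one diagnostic run from the prospective member or DC. The script below is an added example, not code from anyone in this thread; it uses the built-in Resolve-DnsName and Test-NetConnection cmdlets, and the domain name is a constructed placeholder that must be replaced with the real AD DNS name.

```powershell
# Added example (not from the original thread): resolve the _ldap._tcp.dc._msdcs SRV record
# for a domain, then test the TCP ports a domain join / DC promotion depends on against
# every DC the record returns. 'example.local' is a placeholder, not a value from the thread.
param(
    [string]$Domain = 'example.local'   # placeholder; replace with the real AD DNS name
)

# TCP ports exercised by a join and by DC promotion. UDP (88, 389) and the dynamic RPC
# range are not tested here; see the note after the block.
$Ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / NETLOGON)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}

$srvName = "_ldap._tcp.dc._msdcs.$Domain"
Write-Host "Resolving $srvName"

# Same query the wizard runs: which DCs does DNS advertise for this domain?
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }

foreach ($rec in $srv) {
    $dc = $rec.NameTarget

    # A missing or wrong A record is the first "common cause" the wizard lists.
    $addrs = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } |
             Select-Object -ExpandProperty IPAddress
    Write-Host "`nDC $dc -> $($addrs -join ', ') (priority $($rec.Priority), weight $($rec.Weight))"
    if (-not $addrs) {
        Write-Warning "No A record for $dc; the join will report 'could not be contacted'"
        continue
    }

    # DNS can look perfect while a firewall or VPN ACL silently drops everything else.
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $result = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        $state  = if ($result.TcpTestSucceeded) { 'open' } else { 'BLOCKED or closed' }
        '{0,5} {1,-28} {2}' -f $port, $Ports[$port], $state
    }
}
```

Run it from the new server with `.\Test-DcReachability.ps1 -Domain yourdomain.local` (file name is the reader's choice). If every DC resolves but port 389 or 135 shows as blocked while 53 is open, the problem is on the tunnel or a firewall between the subnets rather than in DNS, which matches the symptom in this thread of DNS traffic appearing in a capture with no LDAP or RPC following it. Note that RPC also needs the dynamic port range (49152-65535 on Windows Server 2008 and later) to be allowed through the tunnel, which a fixed-port test like this cannot confirm.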
blkfoot (ASKER):
DRDave242 - yes, they looked good to me also.  I ran DCDIAG and everything passed with flying colors.  The exact error is below:

An Active Directory Domain Controller (AD DC) for the domain "domain.local" could not be contacted.

Then in the details:

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "tfsd.local":

The query was for the SRV record for _ldap._tcp.dc._msdcs.domain.local

The following domain controllers were identified by the query:
tfsd-dc-hs.tfsd.local
tfsd-dc-jhs.tfsd.local
However no domain controllers could be contacted.

Common causes of this error include:

- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network or are not running.
Something just isn't making sense. Are there any sort of rules restricting at least some of the traffic between the two subnets?
blkfoot (ASKER):
Thanks, footech.

I was originally trying to add it as a new DC but when that was failing I went to just trying to add it to the domain.  It fails either way.  I have run screen captures on both sides and I do get one line showing DNS but nothing for LDAP, RPC, etc.

I am working with our network engineers to make sure this is not a problem with the VPN tunnel.
blkfoot (ASKER):
Thanks, masnrock.

I completely echo your feeling that something isn't right.  I am working with my network engineers to look at the tunnel but as far as I can see all traffic is being allowed both directions of the tunnel.
ASKER CERTIFIED SOLUTION
blkfoot