BLACK THANOS
How can I join an Active Directory Domain that thinks there is a DNS issue.
Good evening Experts,
I recently installed a Server 2012 R2 Active Directory domain at home (test environment); however, I am not able to join the domain with any of my test machines. I will summarize with screenshots and descriptions the steps I took to configure the domain and then make it ready for joining.
First, here is a screenshot of the domain and DNS:
Screenshot of the system information:
I am able to create accounts, users, groups, OUs and use all the other features of a domain except joining. I will now show you a screenshot of the DC's IP scheme.
I was able to join one of my machines to the domain:
Here is the IP setup of both the working machine and the non-working machine.
This is what happens when I try to join the domain from the other computer:
Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "CURETON.DENTAL.COM":
The query was for the SRV record for _ldap._tcp.dc._msdcs.CURETON.DENTAL.COM
The following domain controllers were identified by the query:
dsvr.cureton.dental.com
However no domain controllers could be contacted.
Common causes of this error include:
- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
Okay experts,
This is about as much detail as I can give you. I am hoping that what I have shown you will show me how to make the other machine work.
Regards,
Regis (BLACKTHANOS) Hyde
Active Directory is found via DNS. The DC finds the DNS server to register itself with (which is done by the NetLogon service) through a DNS lookup based on the DNS servers you specify in the DC's TCP/IP properties. If you specify Google or some other DNS server, they will not allow you to register (Can you imagine how many registrations they'd have to handle if they did?!) So your DC TRIES to register with them but they don't accept the registration (if you check your event logs, you'd probably see the entry - and when you're having problems, that's the first place you should look before even posting a question!)
So then, when you try to join the domain, the DNS server specified on the workstation is contacted by the workstation and the workstation asks "hey, where's the DC for this domain?" - but Google rejected the registration and tells the workstation "I have no idea what you're talking about". Now, the workstation says to you "hey, I asked, but couldn't find the DC. I can't join. Sorry."
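As an added example (not code from any poster in this thread), here is a PowerShell check of the point Lee makes: every adapter on the DC and the workstations must list only the internal DNS server, and Netlogon must re-register once that is fixed. It assumes the DC/DNS address 192.168.100.110 and the domain cureton.dental.com given later in the thread.

```powershell
# Added diagnostic; values below come from the thread, not from a real deployment.
$InternalDns = '192.168.100.110'     # the DC, which is also the DNS server
$Domain      = 'cureton.dental.com'

# 1. Audit: any IPv4 adapter whose DNS list contains anything other than the DC.
#    Public resolvers (8.8.8.8, 4.2.2.2) as "alternate" servers are what break
#    SRV registration on the DC and DC location on the clients.
$bad = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $extra = $_.ServerAddresses | Where-Object { $_ -ne $InternalDns }
        if ($extra) {
            [pscustomobject]@{ Interface = $_.InterfaceAlias; Offending = ($extra -join ', ') }
        }
    }

if ($bad) {
    Write-Warning 'Adapters using a DNS server other than the DC:'
    $bad | Format-Table -AutoSize
    # Fix (run as administrator, per adapter): point it at the DC only, no secondary.
    # Set-DnsClientServerAddress -InterfaceAlias $bad[0].Interface -ServerAddresses $InternalDns
} else {
    Write-Host "All adapters use only $InternalDns for DNS."
}

# 2. On the DC only, after the fix: public DNS belongs in the DNS Server's forwarders,
#    and Netlogon must be restarted so it registers the SRV records internally.
# Add-DnsServerForwarder -IPAddress 8.8.8.8      # DnsServer module, run on the DC
# Restart-Service Netlogon
# Register-DnsClient                             # re-register this host's A record

# 3. Verify the locator record now exists on the internal server.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $InternalDns |
    Where-Object Type -eq 'SRV' |
    Select-Object Name, NameTarget, Port, Priority
```

If step 3 returns nothing, Netlogon on the DC has not registered and the join will fail before it ever reaches the DC.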
ASKER
Lee,
I have used Active Directory for many years, so your assessment of me is unfair. I freely admit that I would not have set it up this way, but I was trying to mimic what my client has for their old Active Directory environment. They didn't want to change that, but I know the DNS is the server's IP. Thank you for your input, it is valuable. Also, if you look at the screenshot, I was able to get one machine to add itself to the domain with the 8.8.8.8 and 4.2.2.2 external DNS setups for INTERNET access. I am going to now follow your input because that is the way I normally set up AD. Let's see what happens.
Regards,
Regis
My assessment was based on the information you provided.
Active Directory resolves through broadcasts as well. That's why, even when DNS is messed up, people can still log on, but it can take MINUTES to fall back to that. It's also possible that system had a hosts file entry or someone temporarily set the DNS correctly. That said, getting it to work is the exception, not the rule. If you want it to work properly, you MUST configure DNS properly. Further, DNS is caching, so lookups can be remembered even after changing server settings. And the lookups for primary and secondary aren't necessarily guaranteed to occur one then the other. If Windows can't look up via the primary and it's successful via the secondary, it may continue to use the secondary until a reboot or a timeout. You can't trust it to ALWAYS use the primary if it's available. That's why you CANNOT specify a public "backup" DNS without having intermittent performance and connection problems.
ASKER
Hi Lee,
The DNS query was successful, but I still get the following error message:
Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "CURETON.DENTAL.COM":
The query was for the SRV record for _ldap._tcp.dc._msdcs.CURETON.DENTAL.COM
The following domain controllers were identified by the query:
dsvr.cureton.dental.com
However no domain controllers could be contacted.
Common causes of this error include:
- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
"I was able to get one machine to add itself to the domain with the 8.8.8.8 and 4.2.2.2 external DNS" - Which machine is that? I didn't see it in your posting.
Lee is correct (as usual!). The DC should point only to itself for DNS, workstations should only point to the DC for DNS, whether by DHCP or by static settings. If you point to the DC as primary DNS and external DNS as secondary, you'll get inconsistent results.
ASKER
Hi CompProbSolv,
You will notice that I made the necessary changes to my domain controller. I am beyond the point you are making. I changed the setting to not include 8.8.8.8 and 4.2.2.2. I simply made my DNS the same address as the server, 192.168.100.110. See the previous screenshots. Any input after that would be much appreciated.
Regards,
Regis
Did you reboot the server? You had the server pointing to outside DNS - it never registered internally. Just fixing the TCP/IP is not enough. You need to reboot (well, technically, you should be able to just restart the Netlogon service on the server). Then, when joining the domain, join the DNS domain, not the NetBIOS domain - cureton.dental.com
ASKER
Hi Lee,
I in fact did in fact have to restart Netlog as it was disabled and not started. I went to Services and made it automatic and started it. It is a service that, if it has nothing to do, then it stops. I restarted the server just in case, but still get the message I sent you above. It is successfully querying DNS but still can't locate the server. I also concur with you that I should be using the NetBIOS name, as it does prompt for the authoritative username and password, but alas still can't join.
Regards,
Regis
ASKER
I made a typo above. I said "I in fact did in fact have to restart Netlog as it was disabled and not started." I meant, "I in fact did have to restart NETLOGON as it was disabled and not started."
When you specify a public DNS server's IP as the alternate DNS server in the TCP/IP settings of the server / clients, the internet will work great but AD name resolution will completely break.
This is because public DNS servers always take precedence over private DNS IPs.
The DC tries to locate its own DNS zone on the internet instead of on itself, and the client tries to find the domain on the internet instead of in internal DNS.
Your internal domain is not available on the internet. Maybe you have the same domain name internally and externally; still, clients cannot reach the internal DC because there won't be any SRV records on the internet for your DCs, and your DCs are not published on the internet for that.
There is no alternative that lets you keep both internal and public DNS on the same NIC, on either the clients or the DC.
Hence, as stated earlier by Lee, follow his comment.
Further, after you set only internal DNS as the preferred DNS on the DCs, restart the Netlogon service on all DCs, else it will not be effective.
ASKER
Hi Lee,
I made a mistake. You said, "Then, when joining the domain, join the DNS domain, not the netbios domain - cureton.dental.com". I had it backwards. I was in fact using the NetBIOS domain name. When I switched over to the DNS name, which I believe is simply CURETON, I was prompted for a username and password. I provided those but still can't join. The error message does say that the domain was QUERIED, but still could not locate the server.
Regards,
Regis
It looks as if you're trying to join the domain "cureton" when the domain is actually "cureton.dental.com".
I've looked at the screenshots before my post and still don't see where a workstation was shown to connect to the domain without the public DNS settings. I'll bow out of the discussion.
ASKER
Please don't, CompProbSolv,
I will show you a screenshot of the machine that joined the domain.
@OP:
You have not invented the Microsoft way of working.
It is already defined by Microsoft and verified by the IT world.
I will opt out of this question, as what you are trying to do will not work, you cannot make it work in a professional / business network, and all participants have already told you the facts.
You can play around with your own concepts and world.
I suspect that the one machine that worked only queried your primary DNS listing.
If you try to ping the DC from the machine that is not joining, does it resolve it?
ASKER
The PCs and domain controller can ping one another. I have probably made this question more difficult than it needed to be, as two professionals have already dropped out of this thread. I however have taken the advice of Lee W, MVP and configured the workstations and domain controller per Microsoft's definition. I will start from there and troubleshoot further.
You do realize that you don't have a gateway address on the DNS server, so any queries outside of your domain will fail.
ASKER
Hi David,
The DNS server configuration looks like this now:
I am not sure what the default gateway should be: 192.168.100.110 or 192.168.100.254.
It's been a while since I have done this, and in the past it was very simple to set up an AD domain that can be joined. After all of the copious screenshots and other experts leaving the thread, I am hopeful that you will be a little more patient with me. I know that I am doing something wrong that I just can't figure out. Can we start from the screenshot I just added and go from there? I will follow your suggestions.
ASKER CERTIFIED SOLUTION
ASKER
Wow footech,
You summarized everything that has been said so far. I couldn't have done it better. Just so you know, I am no longer using either of the external DNS IP addresses, 8.8.8.8 and 4.2.2.2.
I have simplified the domain controller to:
and the workstation to:
Here is the join error:
Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "CURETON.DENTAL.COM":
The query was for the SRV record for _ldap._tcp.dc._msdcs.CURETON.DENTAL.COM
The following domain controllers were identified by the query:
dsvr.cureton.dental.com
However no domain controllers could be contacted.
Common causes of this error include:
- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
As you can see it is a very simple setup now and I am getting the message above.
Any further input would be appreciated.
Regards,
Regis Hyde
It seems that it's finding the DC through DNS just fine, but that it's not responding. So I would be checking dcdiag results and event logs for problems.
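An added example, not code from any poster in this thread, that walks the three steps the join error reports (SRV lookup, A record, contacting the DC) from the failing workstation, so you can see which one breaks before digging through dcdiag. It assumes the thread's domain cureton.dental.com and DC address 192.168.100.110.

```powershell
# Added diagnostic; run on the workstation that cannot join. Values are from the thread.
$Domain  = 'cureton.dental.com'
$DnsSrv  = '192.168.100.110'   # the DC, which is also the only DNS server
# Ports a workstation needs to reach on a DC during a domain join.
$AdPorts = @{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP';
              445 = 'SMB'; 464 = 'Kerberos kpasswd'; 636 = 'LDAPS'; 3268 = 'Global Catalog' }

# Step 1: the locator SRV lookup the error says succeeded.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsSrv -ErrorAction Stop |
       Where-Object Type -eq 'SRV'
if (-not $srv) { throw "No SRV records for $Domain on $DnsSrv: Netlogon on the DC has not registered." }

foreach ($rec in $srv) {
    Write-Host "DC advertised by DNS: $($rec.NameTarget) (port $($rec.Port))"

    # Step 2: the host (A) record the error's first "common cause" refers to.
    $a = Resolve-DnsName -Name $rec.NameTarget -Type A -Server $DnsSrv -ErrorAction SilentlyContinue |
         Where-Object Type -eq 'A'
    if (-not $a) { Write-Warning "  No A record for $($rec.NameTarget); the join fails here."; continue }

    foreach ($ip in $a.IPAddress) {
        Write-Host "  $($rec.NameTarget) -> $ip"
        if ($ip -ne $DnsSrv) {
            Write-Warning "  A record points at $ip, not the DC address $DnsSrv (stale registration?)"
        }

        # Step 3: the part the error says fails - actually reaching the DC on the AD ports.
        foreach ($port in ($AdPorts.Keys | Sort-Object)) {
            $open = Test-NetConnection -ComputerName $ip -Port $port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
            $state = if ($open) { 'open' } else { 'BLOCKED / CLOSED' }
            Write-Host ("  {0,5}  {1,-20}  {2}" -f $port, $AdPorts[$port], $state)
        }
    }
}

# Step 4: let the Windows locator itself report which step fails, bypassing its cache.
nltest /dsgetdc:$Domain /force
```

If the SRV and A records are right but the ports show as blocked, the problem is on the DC side (firewall, stopped services, a second NIC registering the wrong address), which is exactly what dcdiag and the DC's event logs will show.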
ASKER
I have viewed the event logs, but I will give it another go. I will also check the dcdiag results.
Regards,
Regis Hyde
ASKER
Good evening experts,
This was a grueling lesson for me in how to set up Active Directory correctly. A combination of modifying the domain controller to accept DNS queries without interference from external DNS servers, a Netlogon restart and a restart of the server now allows me to join computers to the domain. All of your help is appreciated. As always, a great job by all.
You CANNOT use 8.8.8.8 or 4.2.2.2 ANYWHERE *EXCEPT* as DNS forwarders in the DNS Server's configuration.
The DC's IP is 192.168.100.110. Use that as the ONLY DNS server (NO SECONDARY!) on ALL systems, including the DC itself and all workstations.