It shouldn't take 3 days...W2K Domain problem

athithi

OK, this thing has officially taken over my life.

1. One fine day, my simple Workgroup at home stops working. My XP Pro desktop can see my XP Home Laptop and my wife's W2K Pro office laptop, but none of them can see my W2K Server. But, my W2K Server can see them all.

Tried every trick in the book and couldn't get it to work and felt it was high time I progressed to learning a little more...

2. Used dcpromo to make my W2K Server a PDC. Had surprisingly few hitches and everything looks fine as far as the PDC is concerned.

My XP Pro Desktop cannot join that domain. But, I can add my XP Pro to that domain from the Active Directory Users and Computers Tool in the PDC and I am able to "Manage" my XP Pro from the PDC just fine.

Scenario:

I use a D-Link router and all my computers sit behind it. It runs a DHCP server too, but I use static IPs for the W2K Server and the XP Pro.

- The W2K Server PDC points to itself for primary DNS.
- The XP Pro points to the PDC for primary DNS.
- Both are on the same subnet.
- NetBIOS is enabled on both
- I am logged into the XP Pro using a local Administrator ID
- User Rights Assignments for Local Security Settings permits Authenticated Users to add workstations to domain

Why am I not able to join the domain from the XP Pro machine?

It's been three days and I can't take it anymore :(

EDIT: The errors I am getting are usually "Specified network name can no longer be found" and "The semaphore timeout has expired" after I enter the PDC Admin username/pwd while I try to join the domain from the XP Pro. I can ping fine from the XP Pro to the Win2K server (<1ms).

WannaFly

First off, there's no such thing as a PDC in W2K Server. Just so you know.

Try reading that link owensdj posted. Also, when you are joining your domain, make sure you're putting the right name with a .com or whatever behind it.

Make sure you have the right NIC drivers installed, and force the card to 10 or 100 Mb/s and full or half duplex. Go to the advanced network settings and make sure TCP/IP is the only thing bound for LAN.

That's all I have for now.

athithi

Thanks for the response guys. The problem still exists, I'm afraid.

First off, there's no such thing as a PDC in W2K Server. Just so you know.

So, would I just call it a Domain Controller then? Just out of curiosity when would a Domain Controller be called a Primary Domain Controller? Or is it terminology that just can't be used with Windows OSes aptly?

Try reading that link owensdj posted. Also, when you are joining your domain, make sure you're putting the right name with a .com or whatever behind it.

Done and done. Still didn't help.

Make sure you have the right NIC drivers installed, and force the card to 10 or 100 Mb/s and full or half duplex. Go to the advanced network settings and make sure TCP/IP is the only thing bound for LAN.

Done (onboard LAN - all I have for now :) ), done (forced 100Mbps full duplex), done (moved TCP/IP up the order and unchecked NWLink IPX/SPX/NetBIOS)

owensdj,
From the MS KB article: To resolve this problem, make sure to bind and install TCP/IP to the adapter that has a route to the Active Directory domain and DNS server.

Done as above and rebooted the XP Pro to make doubly sure.

Both my W2K server and the XP Pro are connected to my router. For good measure, I even rebooted my router after turning it off for about 30 minutes.

Right now I am using the Network Identification Wizard to try and join the domain - it's been trying for close to 10 minutes now and just sits there with the busy cursor. It doesn't look very promising, though :(

I'll get my W2K Pro laptop from work today and give it a shot with that. I truly appreciate you guys taking the time to answer this :) Please let me know if there is anything else I can try!

Saltin

Your DNS isn't configured properly. There are plenty of threads on this board and in the OS forum about configuring DNS for Win2K AD properly; if you search, you should find some.

athithi

Saltin, I did try searching first, but I'll try again for DNS configuration. Meanwhile, here's a detailed error message I received after trying the latest suggestions:


The domain name AAVARTHANA might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain AAVARTHANA:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.AAVARTHANA

Common causes of this error include the following:

- The DNS SRV record is not registered in DNS.

- One or more of the following zones do not include delegation to its child zone:

AAVARTHANA
. (the root zone)

For information about correcting this problem, click Help.


I won't be able to work on it until this evening, but I'll search for more info from work. Thanks!

owensdj

athithi, Windows NT 4.0 Domains had Primary Domain Controllers and Backup Domain Controllers, but Windows 2000 Active Directory Domains just have Domain Controllers. In other words, all DCs are equal, more or less.

Have you tried deleting the client computer you can get to join the domain from the domain and then joining the domain from the client computer? Make sure the client computer is in a Workgroup and then add it to your domain.

You may also want to check out this article:
810402 - Clients Cannot Join a Domain with Norton Internet Security 2002

athithi

Have you tried deleting the client computer you can get to join the domain from the domain and then joining the domain from the client computer? Make sure the client computer is in a Workgroup and then add it to your domain.

Tried that too...

As for the article, I don't have Norton Internet Security, but I do have Norton Antivirus! I'll try disabling auto-protect this evening when I get home! :)

Saltin

Looking at your error logs, I can confirm that it is DNS.

Here's the scoop.

As you know, Active Directory relies on DNS in order to resolve computers and services available on the domain.

Some of the more important services that are advertised in DNS, include Kerberos (logins), LDAP (the Directory), etc, etc.

When you try to join a workstation to the domain, it queries DNS in order to find the Active Directory service, and then it sends the join request to the DC for authorization.

This is where your machine is failing. It is contacting DNS and DNS is not returning an answer to the question "where can I find the Active Directory for this domain".

Open up the DNS snap-in on your DC and note the following:

1) How many forward lookup zones do you have, and what are their names?
2) If you have a forward lookup zone for your AD, when you expand it, do you see four folders named _udp, _tcp, _msdcs, _sites? (These four folders hold the service records for your Domain Controllers; I suspect they aren't there.)

Also, please list the fully qualified domain name of your AD domain.

Generally, the four folders I listed above are automatically registered when DNS is properly configured.
You should ensure your DC is referencing *only* itself as a DNS server. You should also ensure that the forward lookup zone for your Active Directory namespace is configured to allow Dynamic Updates.
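The DC-locator lookup Saltin describes, as an added example that is not from this thread: a Python checker that builds the SRV names a client derives from the domain name it was given and looks for them in a constructed zone dump (host names, addresses and the missing Kerberos record are made up). Running it with the NetBIOS name AAVARTHANA instead of aavarthana.com reproduces the "DNS name does not exist" outcome from the error text above.

```python
"""Offline check of the SRV records an AD domain join depends on (added example)."""

# Constructed sample: a dump of the aavarthana.com zone in BIND-style
# "owner TTL class type rdata" form, as the DNS snap-in would show it.
# Names and addresses are made up; _kerberos._tcp.dc._msdcs is left out on purpose.
ZONE_DUMP = """
aavarthana.com.                          600 IN A   192.168.0.2
server.aavarthana.com.                   600 IN A   192.168.0.2
xppro.aavarthana.com.                    600 IN A   192.168.0.10
_ldap._tcp.aavarthana.com.               600 IN SRV 0 100 389 server.aavarthana.com.
_ldap._tcp.dc._msdcs.aavarthana.com.     600 IN SRV 0 100 389 server.aavarthana.com.
_kerberos._tcp.aavarthana.com.           600 IN SRV 0 100 88  server.aavarthana.com.
"""

# SRV owner prefixes (relative to the zone apex) that Netlogon registers for a DC
# and that a joining workstation, and later logons, look up.
REQUIRED_SRV = ("_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs",
                "_ldap._tcp", "_kerberos._tcp")

def parse_zone(text):
    """Return {(owner, type): [rdata fields, ...]}; owner names are lower-cased
    with the trailing dot stripped so lookups are case-insensitive."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank line or something that is not a record
        owner, rtype, rdata = parts[0], parts[3], parts[4:]
        records.setdefault((owner.lower().rstrip("."), rtype), []).append(rdata)
    return records

def dc_locator_names(domain):
    """SRV owner names a client builds from the domain name it was given."""
    return [f"{p}.{domain.lower().rstrip('.')}" for p in REQUIRED_SRV]

def check_join_prereqs(domain, zone_text):
    """List the SRV records (and target hosts without an A record) that a client
    looking up `domain` would fail to find in the zone; empty list means OK."""
    records = parse_zone(zone_text)
    problems = []
    for name in dc_locator_names(domain):
        srvs = records.get((name, "SRV"))
        if not srvs:
            problems.append(f"missing SRV {name}")  # client gets NXDOMAIN here
            continue
        for _prio, _weight, _port, target in srvs:
            if (target.lower().rstrip("."), "A") not in records:
                problems.append(f"SRV {name} -> {target} has no A record")
    return problems

if __name__ == "__main__":
    for d in ("aavarthana.com", "AAVARTHANA"):
        print(d, check_join_prereqs(d, ZONE_DUMP) or "all join SRV records present")
```

With the FQDN only the deliberately omitted Kerberos record is reported; with the short name every lookup misses, because no zone named AAVARTHANA exists on the server.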

athithi

1) How many forward lookup zones do you have, and what are their names?

This is from memory, since I am at work now - I created one forward lookup zone for aavarthana.com

2) If you have a forward lookup zone for your AD, when you expand it, do you see four folders named _udp, _tcp, _msdcs, _sites? (These four folders hold the service records for your Domain Controllers; I suspect they aren't there.)

Actually, I do see these four folders and if I remember right, below them I see 4 additional files, 2 of which are host (one with my server name and ip address and the other with my workstation name and its ip address).

Also, please list the fully qualified domain name of your AD domain.

aavarthana.com - this is also an internet domain name that I have registered which maps to my router's external ip address. Currently I have my W2K server running a webserver (not IIS) on port 80 for my website.


EDIT:
You should ensure your DC is referencing *only* itself as a DNS server. You should also ensure that the forward lookup zone for your Active Directory namespace is configured to allow Dynamic Updates.

I might have my router's IP for secondary DNS on my W2K, but I can try taking that out this evening. The forward lookup zone is configured to allow Dynamic Updates (changed it to "Yes").

stash

In other words, all DCs are equal, more or less.

This is not totally correct, but that's a discussion for a different thread.

As far as your DNS woes, the 4 subdirectories for SRV records are there, but are they populated with records? You can manually register the needed SRV records in DNS by stopping and starting the netlogon service on your domain controller(s).

athithi

As far as your DNS woes, the 4 subdirectories for SRV records are there, but are they populated with records? You can manually register the needed SRV records in DNS by stopping and starting the netlogon service on your domain controller(s).

I recall seeing some warnings in the Event log about Netlogon, and a Google search advised making Netlogon dependent on the DNS service. In the process, I did stop and start Netlogon several times. But I will check to see if the SRV records are present. Are you suggesting that stopping and starting Netlogon would create those records? If they are not present, should I remove the forward lookup zone and recreate it? Would that solve the problem of missing records?

Saltin

Ath,

Yes, starting and stopping Netlogon will force the registration of the pertinent SRV records, assuming everything else is in order.

It's certainly worth a try recreating if your issues persist. You can't do any harm erasing and recreating.

Make sure all of your machines (DC and the workstations you are adding) reference only your internal DNS server. If you go to the properties of the DNS server in the DNS MMC, you can configure a forwarder there; enter your ISP's DNS servers.

Any request your DNS server can't service (i.e. internet names) will be passed on up to DNS servers that can.


athithi

Saltin,
I tried deleting and re-creating the forward lookup zone but to no avail. Like StaSh mentioned, I checked the folders and all of them seem to have SRV records. Starting and stopping Netlogon didn't help either.

Now, this is just a gut feeling, so please let me know if I am mistaken, but when I try to join the domain, it appears as if the procedure is as follows:

1. When I try to join the domain from a workstation, I am informed that this computer is not a part of this domain and I am asked to enter the computer name and the domain I wish to join.

2. When I enter the above information, I am prompted to enter a username, password and domain which has enough permission to add this computer to the domain.

3. When I enter this domain, I am informed that the specified network name is no longer available.

Does this procedure still indicate that my DNS server is not responding to requests for the AD from other computers on the network? Can I safely assume that my workstation never ever saw the domain (not even to determine that it was currently not part of the domain as it seemed to indicate in Step 1)?

Could there be something running on my server that suppresses it from responding to requests from other computers? My server happily responds to pings regardless of whether pinged by hostname or by ip address.

EDIT:

I added a host record to the forward lookup zone for my W2K Pro office laptop and added it as a computer to the domain. Now, when I try to join the domain, I receive a message saying an account was found for this computer and asking if I would like to use it. I said yes, only to receive this message: "The domain name AAVARTHANA is invalid or does not exist". I swear, I entered AAVARTHANA.COM in the domain entry box and not just AAVARTHANA! I used the Network Identification Wizard. Am I getting closer to a solution? :sun:

EDIT 2:

XP Pro was a bit more helpful - it says the query was for the record _ldap._tcp.dc._msdcs.AAVARTHANA

Shouldn't it be querying for _ldap._tcp.dc._msdcs.AAVARTHANA.COM? This is the domain I asked to join!

EDIT 3:

I just realized something - when I tried to join the domain now, it said it found an account for my computer on the domain AAVARTHANA and asked if I would like to use it. I guess that's why the query was for AAVARTHANA and not AAVARTHANA.COM

The workstation was able to find an account for the computer only after I added the host record in the forward lookup zone and added the computer in the AD Users and Computers Tool under computers. If this is the info it used to determine that an account exists for the computer in the AAVARTHANA domain, have I entered the domain name as AAVARTHANA instead of AAVARTHANA.COM some place else on the Server? Is anyone even listening any more :eek:

athithi

nslookup -d aavarthana.com

Can't list domain aavarthana.com: Query refused

and so on and so forth...

OK, I'm convinced my DNS server is not set up right. Just can't imagine what might be wrong here :(