Problem joining new Server 2003 server to already existing Active Directory domain

#1
28-04-2006
Billy Preston

Hey guys,

Here's my situation. I have a Server 2003 computer already setup as an
active directory domain. We'll call it "domain.com" (or NETBIOS "DOMAIN").

When I try to add another server to "domain.com", it says the domain
controller for domain.com can't be contacted, even though it really is
out there. (I've tried adding it through Manage Your Server and DCPROMO.)

Another funny thing...the old server can ping the new server I'm trying
to add (which is basically running as a workstation at this point), but
the new server can't ping the old server. The IP address for the old
server is 10.0.0.1, the ip for the new one is 10.0.0.2, the subnet mask
is 255.0.0.0, and the default gateway is 10.50.50.51.

And of course, both machines have Server 2003 R2.

Any ideas?

#2
28-04-2006
Miha Pihler [MVP]

Hi Billy,

How is DNS set up on this server under TCP/IP properties? Where does
preferred and alternative DNS server point to? Do they point to Active
Directory DNS server?

Can you also post here the results from

ipconfig /all

from both servers?

#3
28-04-2006
Miha Pihler [MVP]

Can you also make sure that you don't have Windows Firewall or other
Firewalls enabled on these servers.

--
Mike
Microsoft MVP - Windows Security

#4
29-04-2006
Billy Preston

All firewalls are disabled (that was actually one of the first things I
checked, just out of experience).

The DNS servers entered into our network connections are in our T1
router, and it's only used for the Internet.

Any suggestions for a "simple" way to setup Active Directory DNS (and
get it to get along with the built in DNS server in the router)?


Miha Pihler [MVP] wrote:
> Can you also make sure that you don't have Windows Firewall or other
> Firewalls enabled on these servers.
>


#5
29-04-2006
Miha Pihler [MVP]

Hi Billy,

For Active Directory domain to work (for your clients and server to find
domain controllers) you need to use DNS that supports resource records.
Clients and servers will use these resource records to locate nearest domain
controller, global catalog etc and then use this information to log the user
on. Since your clients now query DNS on your router -- the problem is that
your current DNS doesn't know which servers are domain controllers, global
catalogs etc...

My suggestion is to install DNS service on all your domain controllers. Once
this is done, point the domain controller to its own IP address and restart
Net Logon service.
Now point all your computers that are or will be members of domain to this
DNS server on Active Directory server (enter IP address of Active Directory
servers under Preferred DNS and Alternative DNS server). Now the clients and
server should not have problems locating domain resources.

When you will have two domain controllers with running DNS servers on them
point DNS settings (under TCP/IP) to each other as preferred DNS servers and
for alternative server enter their own IP addresses or you can enter
127.0.0.1.

Now what you have to do (for optimal DNS configuration) is to configure
forwarders. Open DNS MMC console on Active Directory DNS server and right
click on name of the server. Select the properties and click on Forwarders
tab. Now enter IP address of your T1 router or IP address of your ISP DNS
server etc.. Repeat this on the other AD DNS server. This will now enable
your clients to resolve internet domain names e.g. www.google.com,
www.microsoft.com etc. since your Active Directory DNS server doesn't know
anything about these domains. It only knows about your AD domain. So now the
clients will still ask your AD DNS server for www.google.com etc, but AD DNS
server will forward this request to T1 router get the IP address and then
forward it back to AD DNS which will forward it to the client that requested
the information.

Let me know if you need more assistance with this.

--
Mike
Microsoft MVP - Windows Security

#6
30-04-2006
Billy Preston

Did everything you said, and here's the message I get when I try to
connect to the domain...

>"The following error occurred when DNS was queried for the service
>location (SRV) resource record used to locate a domain controller for
>domain domain.com:
>
>The error was: "This operation returned because the timeout period
>expired."
>(error code 0x000005B4 ERROR_TIMEOUT)
>
>The query was for the SRV record for _ldap._tcp.dc._msdcs.domain.com


>The DNS servers used by this computer for name resolution are not
>responding. This computer is configured to use DNS servers with the
>following IP addresses:
>
>10.0.0.1
>
>Verify that this computer is connected to the network, that these are
>the correct DNS server IP addresses, and that at least one of the DNS
>servers is running.
>
>For more information on how to correct this problem, click Help."


Here's the ipconfig /all data for both (after I made the changes you
said to make)...

SERV001 (the domain controller with DNS server installed)
>Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : serv001
> Primary Dns Suffix . . . . . . . : domain.com
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : Yes
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : domain.com
>
>Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : NVIDIA nForce Networking
>Controller
> Physical Address. . . . . . . . . : 00-15-F2-7B-6D-38
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 10.0.0.1
> Subnet Mask . . . . . . . . . . . : 255.0.0.0
> Default Gateway . . . . . . . . . : 10.50.50.51
> DNS Servers . . . . . . . . . . . : 10.0.0.1


and SERV002 (the server I'm trying to join to domain.com)
>Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : serv002
> Primary Dns Suffix . . . . . . . :
> Node Type . . . . . . . . . . . . : Unknown
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
>
>Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : NVIDIA nForce Networking
>Controller
> Physical Address. . . . . . . . . : 00-15-F2-7B-6D-40
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 10.0.0.2
> Subnet Mask . . . . . . . . . . . : 255.0.0.0
> Default Gateway . . . . . . . . . : 10.50.50.51
> DNS Servers . . . . . . . . . . . : 10.0.0.1


Any idea of what's wrong? Let me know if you need any more information.
Thanks!

#7
30-04-2006
Miha Pihler [MVP]

Hi,

Can you check following things:
- is DNS service running on server serv001 (10.0.0.1)? You can see this if
you open services MMC and look for DNS service. Is it started?
- can you run nslookup www.cnn.com on this server. What do you get?
- if you open DNS MMC do you have any zones in there? You should have at
least one primary Forward Lookup Zone. This one should be named domain.com
(depending how you named your domain).
- if you don't have this zone -- add it as primary Active Directory
integrated zone. After you add it on serv001 restart Net Logon on this
server

- can you connect from server002 to \\10.0.0.1\c$ Does it work? Were you
able to connect?
- on serv002 can you ping 10.0.0.1? If yes, can you run nslookup
www.microsoft.com? What do you get?

#8
02-05-2006
Billy Preston

An update...

I've taken the original server (SERV001) offline because of some
problems with the HDD LED staying on when it's not supposed to (probably
has nothing to do with my problems, but I do feel the need to RMA the
motherboard as I've diagnosed it as being a hardware issue). Anyways, I
took the second server and wiped the hard drive, and set it up as a DNS
server and Active Directory Domain Controller. SERV002's IP address has
also been changed as well, to 10.0.2.2. The domain is now called
"domain.local".

Still, I'm having problems with DNS with the redone SERV002. Here's what
it is (and isn't) doing...

----I made the Forward Lookup Zone integrated with Active Directory and
is the primary zone (and the object is named after the domain, which
I've named domain.local)

----When I try to connect to SERV002 from another computer using
\\10.0.2.2\c$, it prompts me for a user name/psw and I can connect and
see all of C drive.

----Everything on my network can ping SERV002. SERV002 can ping
everything on my network, except for my ISP's DNS servers, which it
times out on.

----nslookup returns this error if you try to lookup www.cnn.com...
C:\>nslookup www.cnn.com
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 10.0.2.2: Timed out
Server: UnKnown
Address: 10.0.2.2

DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
(It also returns the same error if you try to run NSLOOKUP on SERV002
itself)
(Also...the computer will not allow me to surf the internet)

----the ipconfig /all information for SERV002 is...
C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : serv002
Primary Dns Suffix . . . . . . . : domain.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-15-F2-7B-6D-40
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.2.2
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 10.50.50.51
DNS Servers . . . . . . . . . . . : 10.0.2.2

----If I try to join a WinXP Pro workstation to the domain.local domain,
I get...

The following error occurred when DNS was queried for the service
location (SRV) resource record used to locate a domain controller for
domain victorydc.local:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.victorydc.local

Common causes of this error include the following:

- The DNS SRV record is not registered in DNS.

- One or more of the following zones do not include delegation to its
child zone:

victorydc.local
local
.. (the root zone)


Let me know if you need any more information. Your help is much appreciated!

#9
02-05-2006
Miha Pihler [MVP]

Hi,

To be able to resolve internet addresses, did you configure forwarders on
your new DNS server? To do this open DNS MMC on the server and right click
on the name of the server. Click on Properties and now click on Forwarders
tab. Here enter IP address of your ISP's DNS server (or another external DNS
server that will allow you to do queries).

Another thing. If you run

\\serv002\

do you see SYSVOL and NETLOGON shares?

On the client -- what is set for preferred DNS server? Did you enter
10.0.2.2?

#10
03-05-2006
Billy Preston

I already have forwarders added, however, they aren't working for some
reason. (and in the same location you specified, of course.)

On my client, I made the preferred DNS 10.0.2.2 and I was able to
connect to the domain.local AD domain. However, when I tried to surf the
Internet, the connection timed out. If I tried NSLOOKUP, the connection
timed out as well. (and remember, the forwarders are setup.) I could
ping the ISP DNS and the server IP.

On the server, I can't ping the ISP DNS (probably the reason why the
internet connection timed out).

I suppose I could setup the first ISP DNS server as the secondary DNS
server, but I'd rather get the forwarders working right.

When I run \\serv002\, I can see the SYSVOL and NETLOGON shares.

Any ideas as to what might be keeping the forwarders and NSLOOKUP from
working?

#11
03-05-2006
Miha Pihler [MVP]

Hi,

Can you make sure that you are using right servers for forwarders? Can you
check with your ISP?

You can also test in this way:

nslookup www.cnn.com 10.10.10.10

where 10.10.10.10 is IP address of your ISP.

This will make your computer query specific DNS server (not the one
specified under TCP/IP properties).

Do you have any firewall between your server and your ISP? For DNS to work
you will need to open at least UDP 53 to your ISP server.

Can you also check your TCP/IP properties on your server to make sure that
they are correct. Can you ping default gateway from your server? What is the
result of command

tracert -d 10.10.10.10

where again 10.10.10.10 is IP address of your ISP DNS server.

What is the result of that same command if you run it from the client?
Reply With Quote

#12
25-05-2006
Billy Preston

Mike,

Sorry about the delay in my messages. We had a Windows XP based backup
"server" go down and I spent most of my time in the past few weeks
trying to get it back up and running again.

I did a tracert as you described on my client and noticed that in order
to get to the ISP's DNS server, you have to go through the gateway
(which is something I hadn't thought of before). Seems like that might
have something to do with the problems I'm having (especially since I
can ping everything except for the ISP DNS from the server). The gateway
is setup on the server, so I'm not sure what I can do to tell the
machine to look for the ISP DNS server (or forward to it) via the
gateway. Is there a way to manually do that?

#13
27-05-2006
Miha Pihler [MVP]

Hi,

Can you run this command:

ipconfig /all

on computer that can ping your ISP DNS and on computer that can't ping your
ISP DNS server. Post back the results.