network path was not found when trying to join domain

RW · 29-08-2009

I think this is DNS issue but cannot figured out what and how to correct
this, we built new DC for new remote site, sites are connected site-to-site
vpn all routing is working ports are open between sites. New DC was built
with temp IP from HQ range location once moved to remote site new IP was
assigned, all DNS records were updated with new IP, DC was moved to its own
Site in AD topology, replication between sites works, local PCs and servers
in this remote sites are authenticating against new DC, DHCP is working, DNS
on this DC technically works as well meaning nslookup works as expected.
There are 2 visible issues which makes me believe there is a problem with DNS:
1. cannot join to domain any new workstations or server in remote site
regardless if they get IP from DHCP or static

"The following error occurred atempting to join the domain: <domain_name>:
The network path was not found"

2. if I open MMC on this particular DC in remote site and try to add other
DNS servers to MMC all works, but if I try to add this DC's DNS to MMC in our
HQ site I get this message:

"The server is unavailable. Would you like to add it anyway?" and it cannnot
be manage from remote location

same thing is I try to open Active Directory User and Computers and connect
to DC in remote site I get:

"The following domain controller could not be contacted: <DC_name> The RPC
server is unavailable"

any idea what I'm missing here?

Danny Sanders · 29-08-2009

> "The following error occurred atempting to join the domain: <domain_name>:
> The network path was not found"

This is a classic sign that the computer you are trying to loin to the
domain can not find the SRV records fo the DC.

Verify that the new DC points to itself for DNS in the properties of TCP/IP,
this will allow the server to register it's SRV records in the DC's DNS
zone. Use the actual IP address not 127.0.0.1.

Verify that the client being added to the domain points to the DNS server
for your domain only. This way the client can "find" the SRV records for the
domain and join it.

hth
DDS

"RW" <RW@discussions.microsoft.com> wrote in message
news:F9C6E845-6B95-420B-A638-AADFDE177317@microsoft.com...
>I think this is DNS issue but cannot figured out what and how to correct
> this, we built new DC for new remote site, sites are connected
> site-to-site
> vpn all routing is working ports are open between sites. New DC was built
> with temp IP from HQ range location once moved to remote site new IP was
> assigned, all DNS records were updated with new IP, DC was moved to its
> own
> Site in AD topology, replication between sites works, local PCs and
> servers
> in this remote sites are authenticating against new DC, DHCP is working,
> DNS
> on this DC technically works as well meaning nslookup works as expected.
> There are 2 visible issues which makes me believe there is a problem with
> DNS:
> 1. cannot join to domain any new workstations or server in remote site
> regardless if they get IP from DHCP or static
>
> "The following error occurred atempting to join the domain: <domain_name>:
> The network path was not found"
>
> 2. if I open MMC on this particular DC in remote site and try to add other
> DNS servers to MMC all works, but if I try to add this DC's DNS to MMC in
> our
> HQ site I get this message:
>
> "The server is unavailable. Would you like to add it anyway?" and it
> cannnot
> be manage from remote location
>
> same thing is I try to open Active Directory User and Computers and
> connect
> to DC in remote site I get:
>
> "The following domain controller could not be contacted: <DC_name> The RPC
> server is unavailable"
>
>
> any idea what I'm missing here?

Ace Fekay [MCT] · 29-08-2009

"Danny Sanders" <dsanders@NOSPAMbrakesplus.com> wrote in message
news:uTn4b%23BKKHA.4316@TK2MSFTNGP04.phx.gbl...
>> "The following error occurred atempting to join the domain:
>> <domain_name>:
>> The network path was not found"
>
>
> This is a classic sign that the computer you are trying to loin to the
> domain can not find the SRV records fo the DC.
>
> Verify that the new DC points to itself for DNS in the properties of
> TCP/IP, this will allow the server to register it's SRV records in the
> DC's DNS zone. Use the actual IP address not 127.0.0.1.
>
> Verify that the client being added to the domain points to the DNS server
> for your domain only. This way the client can "find" the SRV records for
> the domain and join it.
>
> hth
> DDS

Danny,

I agree. This is a classic DNS misconfig issue.

For RW, this can usually be attributed to one or more of the following
possibilities:

1. Using an ISP, router or some other external DNS server as a DNS address
in the server and workstations. All machiens must only point to the internal
DNS servers, no others. Otherwise expect major problems. COnfigure a
forwarder to your ISP's DNS in your DNS properties.

2. Single label DNS FQDN domain name ("domain" vs the minimal hierarchal
name of 'domain.com' domain.net' etc)

3. Multihomed DC (more than one NIC and/or IP and/or RRAS installed). SBS is
the only exception to this rule.

4. Disjointed namespace (the DC's Primary DNS Suffix doesn't match the AD
domain name)

5. DNS zone does not allow updates

6. DNS zone does not match the AD domain name

RW, if you can provide us an unedited ipconfig /all from the server and one
of your workstations, we can provide suggestions and recommendations to fix
this.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

RW · 29-08-2009

> > "The following error occurred atempting to join the domain: <domain_name>:
> > The network path was not found"
>
>
> This is a classic sign that the computer you are trying to loin to the
> domain can not find the SRV records fo the DC.

SRV record is there

> Verify that the new DC points to itself for DNS in the properties of TCP/IP,
> this will allow the server to register it's SRV records in the DC's DNS
> zone. Use the actual IP address not 127.0.0.1.

it does point to itself

> Verify that the client being added to the domain points to the DNS server
> for your domain only. This way the client can "find" the SRV records for the
> domain and join it.

it does regardless if it it gets this info from dhcp or static, client has
only one IP for DNS

> hth
> DDS
>
> "RW" <RW@discussions.microsoft.com> wrote in message
> news:F9C6E845-6B95-420B-A638-AADFDE177317@microsoft.com...
> >I think this is DNS issue but cannot figured out what and how to correct
> > this, we built new DC for new remote site, sites are connected
> > site-to-site
> > vpn all routing is working ports are open between sites. New DC was built
> > with temp IP from HQ range location once moved to remote site new IP was
> > assigned, all DNS records were updated with new IP, DC was moved to its
> > own
> > Site in AD topology, replication between sites works, local PCs and
> > servers
> > in this remote sites are authenticating against new DC, DHCP is working,
> > DNS
> > on this DC technically works as well meaning nslookup works as expected.
> > There are 2 visible issues which makes me believe there is a problem with
> > DNS:
> > 1. cannot join to domain any new workstations or server in remote site
> > regardless if they get IP from DHCP or static
> >
> > "The following error occurred atempting to join the domain: <domain_name>:
> > The network path was not found"
> >
> > 2. if I open MMC on this particular DC in remote site and try to add other
> > DNS servers to MMC all works, but if I try to add this DC's DNS to MMC in
> > our
> > HQ site I get this message:
> >
> > "The server is unavailable. Would you like to add it anyway?" and it
> > cannnot
> > be manage from remote location
> >
> > same thing is I try to open Active Directory User and Computers and
> > connect
> > to DC in remote site I get:
> >
> > "The following domain controller could not be contacted: <DC_name> The RPC
> > server is unavailable"
> >
> >
> > any idea what I'm missing here?
>
>
>

Danny Sanders · 29-08-2009

Can you post an unedited ipconfig /all from the problem machine?

hth
DDS

"RW" <RW@discussions.microsoft.com> wrote in message
news:F31B6898-8C18-44FB-B543-84B53F280B63@microsoft.com...
>> > "The following error occurred atempting to join the domain:
>> > <domain_name>:
>> > The network path was not found"
>>
>>
>> This is a classic sign that the computer you are trying to loin to the
>> domain can not find the SRV records fo the DC.
>
> SRV record is there
>
>> Verify that the new DC points to itself for DNS in the properties of
>> TCP/IP,
>> this will allow the server to register it's SRV records in the DC's DNS
>> zone. Use the actual IP address not 127.0.0.1.
>
> it does point to itself
>
>> Verify that the client being added to the domain points to the DNS server
>> for your domain only. This way the client can "find" the SRV records for
>> the
>> domain and join it.
>
> it does regardless if it it gets this info from dhcp or static, client has
> only one IP for DNS
>
>> hth
>> DDS
>>
>> "RW" <RW@discussions.microsoft.com> wrote in message
>> news:F9C6E845-6B95-420B-A638-AADFDE177317@microsoft.com...
>> >I think this is DNS issue but cannot figured out what and how to correct
>> > this, we built new DC for new remote site, sites are connected
>> > site-to-site
>> > vpn all routing is working ports are open between sites. New DC was
>> > built
>> > with temp IP from HQ range location once moved to remote site new IP
>> > was
>> > assigned, all DNS records were updated with new IP, DC was moved to its
>> > own
>> > Site in AD topology, replication between sites works, local PCs and
>> > servers
>> > in this remote sites are authenticating against new DC, DHCP is
>> > working,
>> > DNS
>> > on this DC technically works as well meaning nslookup works as
>> > expected.
>> > There are 2 visible issues which makes me believe there is a problem
>> > with
>> > DNS:
>> > 1. cannot join to domain any new workstations or server in remote site
>> > regardless if they get IP from DHCP or static
>> >
>> > "The following error occurred atempting to join the domain:
>> > <domain_name>:
>> > The network path was not found"
>> >
>> > 2. if I open MMC on this particular DC in remote site and try to add
>> > other
>> > DNS servers to MMC all works, but if I try to add this DC's DNS to MMC
>> > in
>> > our
>> > HQ site I get this message:
>> >
>> > "The server is unavailable. Would you like to add it anyway?" and it
>> > cannnot
>> > be manage from remote location
>> >
>> > same thing is I try to open Active Directory User and Computers and
>> > connect
>> > to DC in remote site I get:
>> >
>> > "The following domain controller could not be contacted: <DC_name> The
>> > RPC
>> > server is unavailable"
>> >
>> >
>> > any idea what I'm missing here?
>>
>>
>>

RW · 29-08-2009

"Ace Fekay [MCT]" wrote:

> "Danny Sanders" <dsanders@NOSPAMbrakesplus.com> wrote in message
> news:uTn4b%23BKKHA.4316@TK2MSFTNGP04.phx.gbl...
> >> "The following error occurred atempting to join the domain:
> >> <domain_name>:
> >> The network path was not found"
> >
> >
> > This is a classic sign that the computer you are trying to loin to the
> > domain can not find the SRV records fo the DC.
> >
> > Verify that the new DC points to itself for DNS in the properties of
> > TCP/IP, this will allow the server to register it's SRV records in the
> > DC's DNS zone. Use the actual IP address not 127.0.0.1.
> >
> > Verify that the client being added to the domain points to the DNS server
> > for your domain only. This way the client can "find" the SRV records for
> > the domain and join it.
> >
> > hth
> > DDS
>
>
> Danny,
>
> I agree. This is a classic DNS misconfig issue.
>
> For RW, this can usually be attributed to one or more of the following
> possibilities:
>
> 1. Using an ISP, router or some other external DNS server as a DNS address
> in the server and workstations. All machiens must only point to the internal
> DNS servers, no others. Otherwise expect major problems. COnfigure a
> forwarder to your ISP's DNS in your DNS properties.
>

both DC and clients point to same DNS which is DC itself

> 2. Single label DNS FQDN domain name ("domain" vs the minimal hierarchal
> name of 'domain.com' domain.net' etc)

unfortunatelly our domain is single label, but this is not preventing us to
join domin in HQ only remote site
>
> 3. Multihomed DC (more than one NIC and/or IP and/or RRAS installed). SBS is
> the only exception to this rule.

No

> 4. Disjointed namespace (the DC's Primary DNS Suffix doesn't match the AD
> domain name)

Not a case here

>
> 5. DNS zone does not allow updates

it does

>
> 6. DNS zone does not match the AD domain name

it does

>
> RW, if you can provide us an unedited ipconfig /all from the server and one
> of your workstations, we can provide suggestions and recommendations to fix
> this.

there is something more no just simple IP config we dealing here with when I
run dcdiag /e /test:dns on working DC I get:

DC: <dc_server_name I have problem with>
Domain: <our_domain>

TEST: Authentication <Auth>
Error: Authentication failed with specified credentials

TEST: Basic <Basc>
Error: Open Service Control Manager Failed

so basically DNS test fails for this DC

>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit among
> responding engineers, and to help others benefit from your resolution.
>
> Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
> Microsoft Certified Trainer
>
> For urgent issues, please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>
>

Ace Fekay [MCT] · 29-08-2009

"RW" <RW@discussions.microsoft.com> wrote in message
news:D3EBB27E-BA85-4E6D-AE21-FD32ECBC6DA3@microsoft.com...
>
>> 2. Single label DNS FQDN domain name ("domain" vs the minimal hierarchal
>> name of 'domain.com' domain.net' etc)
>
> unfortunatelly our domain is single label, but this is not preventing us
> to
> join domin in HQ only remote site
>
>>
>> RW, if you can provide us an unedited ipconfig /all from the server and
>> one
>> of your workstations, we can provide suggestions and recommendations to
>> fix
>> this.
>
> there is something more no just simple IP config we dealing here with when
> I
> run dcdiag /e /test:dns on working DC I get:
>
> DC: <dc_server_name I have problem with>
> Domain: <our_domain>
>
> TEST: Authentication <Auth>
> Error: Authentication failed with specified credentials
>
> TEST: Basic <Basc>
> Error: Open Service Control Manager Failed
>
> so basically DNS test fails for this DC

The issue is the single label name. Locally at HQ, it's using NetBIOS to
join, however remotely, it's relying on DNS. DNS queries do not work
properly with single label names on Windows 2000 SP4 and all newer machines.
Period. Why? good question. It's based on the fact DNS is hierachal.
Hierarchal meaning it must have multi levels, a minimum of two levels.

The TLD (top level domain) is the root name, such as the com, net, etc
names. The client side resolver service algorithm (which is governed by the
DHCP Client service which must be running on all machines, static or not),
relies on that name for the basis to find the second level name (the name
"domain" in domain.com, etc). If the name is a single label name, it thinks
THAT name is the TLD. Therefore it then hits the Internet Root servers to
find how owns and is authorative for that TLD.Such as when looking up
microsoft.com. It queries for the COM portion, which the roots return the
nameservers responsible for the COM servers, then it queries for the servers
responsible for microsoft. If it's a single label, the query ends there, and
it won't go further. However what is funny (sic) is that even though the
single label name is being hosted locally in DNS, it will NOT query locally
first, because it believes it is a TLD, therefore goes through the normal
resolution (recursion and devolution) process, which causes excessive query
traffic to the internet Root servers.

Here's an explanation from a Microsoft engineer:

============
Single label names, from Alan Woods, MS:

"We really would preffer to use FQDN over Single label name. There are
alot of other issues that you can run into when using a Single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.

Example: Single Labeled domain .domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA

If a client in the domain Child2 wants to resolve a name in domainA
Example. Host.DomainA and uses the following to connect to a share
\\host then it is not going to resolve. WHY, because the resolver is
first going to query for first for Host.Child2.child1.domainA, then it
next try HOST.Child1.domainA at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.

Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that. NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON'T DO IT. It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.

Microsoft is seriously asking you to NOT do this. We will support you but
it the end results could be limiting as an end results depending on the
services you are using.

Thank you,

Alan Wood[MSFT]"
============

As a temporary resort, you can use the patch/bandaid registry entry to force
resolution and registration that is mentioned in the following link. This
must be applied to every machine. Unfortunately it must be done on every
machine in the domain, including the DCs, member servers, workstations and
laptops.

300684 - Information About Configuring Windows 2000 for Domains with
Single-Label DNS Names:
http://support.microsoft.com/?id=300684

More Info:

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
Domain
http://support.microsoft.com/?id=555040

825036 - Best practices for DNS client settings in Windows 2000 Server and
in Windows Server 2003:
http://support.microsoft.com/?id=825036

DNS and AD (Windows 2000 & 2003) FAQ:
http://support.microsoft.com/?id=291382

Naming conventions in Active Directory for computers, domains, sites, and
OUs (Good article on DNS and other names)
http://support.microsoft.com/kb/909264

Ace