
Cannot join domain (Windows XP). Non-ideal AD


BigTN

I have an interesting issue with a client network that I have been working on for about 20 hours now to no avail. I will try and keep this as brief as possible to get the ball rolling here:

Original Client Configuration
1 Windows 2000 AD
Mixed 2000 and XP workstations

New Configuration
A new Windows 2008 server was installed. The MS instructions to migrate to a 2003 AD first were completed and then the steps to turn over control (Operational master and GC) to the 2008 server were completed. Replication appeared to work fine; accounts added/modified on either server were replicated to the other.

Here's where it gets interesting. All of a sudden (was reported yesterday, could have started anytime) connectivity issues came up. Connection to shares on the new server is intermittent and no new systems can join the domain (get the path not found message).

Everything points to DNS and I have spent the last 15 hours or so attempting to figure out what is happening, to no avail. I have exhausted every "do this and try that" link I could find and still have the same issue. Again, don't want to fill this up with every troubleshooting step I've taken but will say that all of the 'obvious' DNS issues have been resolved. Here are some of the things known as of now:

• NSLOOKUP (from non-connecting client) is returning valid name servers
• _ldap._tcp._<domain> returns correct value(s) [note: returns both the old and new servers]
• DNS on the AD server is pointing to itself and resolves OK
• DNS on client side is set only to AD server
• AD Server (new) is multi-homed; I turned one NIC off (ensured DNS was listening on active): no luck

Is there any way to "trace" a login/join attempt to see which server is attempting to authenticate the workstation? One other item to note: There are two Windows 2000 clients in the environment, neither has any issue connecting like the XP systems do...go figure.

I realize this is not an ideal network/AD configuration but it did seem to work fine for a couple months. I am open to just about anything at this point…desperate even.

Thanks,
Tony
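
On the question above about tracing a join attempt: a Windows client records each attempt in %SystemRoot%\debug\NetSetup.LOG, including which DC the locator returned and the final status code. The parser below is an added example, not part of the original post; the log lines are constructed (FS2 and domain.net come from the thread, OLDDC and the timestamps are assumptions).

```python
import re

# Constructed sample modelled on a client's %SystemRoot%\debug\NetSetup.LOG.
# OLDDC, the timestamps and the status values are illustrative assumptions.
SAMPLE_LOG = r"""
03/17 09:14:02 NetpDoDomainJoin
03/17 09:14:02 NetpDsGetDcName: trying to find DC in domain 'domain.net', flags: 0x1020
03/17 09:14:17 NetpDsGetDcName: found DC '\\OLDDC' in the specified domain
03/17 09:14:17 NetUseAdd to \\OLDDC\IPC$ returned 53
03/17 09:14:17 NetpDoDomainJoin: status: 0x35
03/17 09:31:40 NetpDoDomainJoin
03/17 09:31:40 NetpDsGetDcName: trying to find DC in domain 'domain.net', flags: 0x1020
03/17 09:31:41 NetpDsGetDcName: found DC '\\FS2' in the specified domain
03/17 09:31:44 NetpDoDomainJoin: status: 0x0
"""

# Timestamp prefix: year and milliseconds are optional so both log styles parse.
STAMP = re.compile(r"^\d{2}/\d{2}(?:/\d{4})? \d{2}:\d{2}:\d{2}(?::\d{3})? (.*)$")
FOUND_DC = re.compile(r"NetpDsGetDcName: found DC '\\\\([^']+)'")
STATUS = re.compile(r"NetpDoDomainJoin: status: (0x[0-9a-fA-F]+)")
# Win32 codes a join commonly ends with ("net helpmsg <decimal>" explains others).
WIN32 = {0x0: "success",
         0x35: "ERROR_BAD_NETPATH (network path not found)",
         0x54B: "ERROR_NO_SUCH_DOMAIN"}

def join_attempts(text):
    """Return one dict per join attempt: DC chosen by the locator and final status."""
    attempts, cur = [], None
    for line in text.splitlines():
        m = STAMP.match(line.strip())
        if not m:
            continue
        msg = m.group(1)
        if msg == "NetpDoDomainJoin":            # start of a new attempt
            cur = {"dc": None, "status": None, "meaning": None}
            attempts.append(cur)
        elif cur is not None:
            found, status = FOUND_DC.search(msg), STATUS.search(msg)
            if found:
                cur["dc"] = found.group(1)
            elif status:
                cur["status"] = int(status.group(1), 16)
                cur["meaning"] = WIN32.get(cur["status"], "unknown, see net helpmsg")
    return attempts

if __name__ == "__main__":
    for attempt in join_attempts(SAMPLE_LOG):
        print(attempt)
```
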
 
Have you done an IPCONFIG /REGISTERDNS from the AD server? Multi-homed DCs tend to be problematic because they register both IP addresses in DNS. You may still have an entry from the NIC that is now disabled. Forcing the DC to re-register should update the DNS records.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCTS:Windows Server 2008 R2, Server Virtualization
MCSE:Security 2003
MCITP:Server Administrator
MCITP:Enterprise Administrator
Certified Quest vWorkspace Administrator
 
No go on the re-register.

I did get closer to calling this an absolute DNS issue. I turned off DNS on the old server and now NSLOOKUP fails. When the old one was running I had resolution for everything. Now I get a timeout/server not found.

nslookup fs2 results in:

Server fs2.domain.net can't find fs2

FS2 is the DNS server (the new one) and it can't resolve its own short name.

I know someone has this issue whipped - let me know.
 
Just had a Vista box connect (DHCP) to the network and nslookup resolves just fine for him. The XP systems cannot resolve the 'short' names. I know the domain join uses FQN but there is most definitely a DNS issue here and I suspect it is the root cause of the XP systems' inability to join the domain.
 
If you're using short names instead of FQDN then you're either using WINS or you need to configure the TCP/IP settings to append the domain name suffix.

 
I had to break down and call in the big dogs at MS Support. This particular client is a CPA firm. Can you guess what time of year it is for them? Not the best time to have this problem...

KMCFERRIN: Thank you very much for posting up here and assisting. You're on the right track. I will post up what MS comes up with at the end of the day.

This is a multi-level problem. More as I have it.

Tony
 
Here's a brief summary of what was going on (and things to check if you run into these issues):

Windows 2000 Server
Failed to change to DST; this is the basic root cause of the main issues. Because the time between the domain controllers was an hour off the comm between them went bad. Corrected the time issue and the domain sync was back in business.

DNS
The new server is multi-homed. Seems there were some WINS/NetBT issues since they were both listening on the same network (duplicate name on the network error was popping up for the server). Turned off WINS on one NIC. Plan on taking the second NIC offline and just keeping it as a "hot spare" in the box.

Windows XP Workstation (could not join domain)
The user had the NetBIOS Helper service turned off. Even though I was trying to join it to the domain using the domain FQN it continued to report 'no path found'. Turned the service on and it joined right up. NOTE: all things were happening at the same time. This could have been resolved because of the DNS 'fix' or the DCs finally syncing. No way to know for sure but it's worth looking at the service if you run into this issue on an XP system.

Windows 2000 workstation (no domain access - object not found)
This was definitely caused by not having WINS - the 2K systems were not using the FQN to log in. There was another issue with the computer object missing so I removed the system from the domain and then joined it back.


There were a few underlying issues here. I think the system(s) were working just enough to keep everyone connected until the time change - that's when it went downhill. For now, they are back up and running and everything seems to be in order. Hope someone can get something useful out of this if they run into similar issues.
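
The clock problem in the summary above can be checked directly by asking each DC's time service for its offset and comparing the results. The script below is an added example, not part of the original post; it assumes the DCs answer SNTP on UDP 123 and uses the default 5-minute Kerberos clock tolerance as the alarm threshold, and OLDDC is a hypothetical name for the old server.

```python
import socket, struct, time

NTP_DELTA = 2208988800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
KERBEROS_MAX_SKEW = 300     # assumed default Kerberos clock tolerance: 5 minutes

def _ntp_to_unix(sec, frac):
    return sec - NTP_DELTA + frac / 2**32

def offset_from_reply(reply, t1, t4):
    """Server-minus-local clock offset in seconds from a 48-byte SNTP reply.
    t1/t4 are the local send and receive times (Unix seconds)."""
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    t2, t3 = _ntp_to_unix(rx_s, rx_f), _ntp_to_unix(tx_s, tx_f)
    return ((t2 - t1) + (t3 - t4)) / 2

def query_offset(host, timeout=3.0):
    """Send one SNTP client request to host and return its clock offset."""
    request = b"\x1b" + 47 * b"\0"          # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (host, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return offset_from_reply(reply, t1, t4)

def skewed_pairs(offsets, limit=KERBEROS_MAX_SKEW):
    """Return (host_a, host_b, seconds) for each pair differing by more than limit."""
    names = sorted(offsets)
    return [(a, b, abs(offsets[a] - offsets[b]))
            for i, a in enumerate(names) for b in names[i + 1:]
            if abs(offsets[a] - offsets[b]) > limit]

def make_reply(server_unix_time):
    """Constructed SNTP server reply (Mode=4) carrying the given time, for offline runs."""
    sec = int(server_unix_time) + NTP_DELTA
    return b"\x1c" + 31 * b"\0" + struct.pack("!4I", sec, 0, sec, 0)

if __name__ == "__main__":
    now = 1_700_000_000.0                    # constructed local time
    # Constructed replies: FS2 agrees with us, OLDDC missed the DST change.
    offsets = {"FS2": offset_from_reply(make_reply(now), now, now),
               "OLDDC": offset_from_reply(make_reply(now - 3600), now, now)}
    # Live use instead: offsets = {h: query_offset(h) for h in ("fs2.domain.net",)}
    for a, b, secs in skewed_pairs(offsets):
        print(f"{a} and {b} differ by {secs:.0f}s (limit {KERBEROS_MAX_SKEW}s)")
```
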
 
Thanks for the follow-up, that's really good information to have if something similar shows up.

 