
Win NT workstation cannot join domain to Windows 2003 server

Feb 19, 2004
Hi:

My office setup is like this: we have 3 domain controllers (running on Windows 2003 servers) and all users log on to the MIS domain. One DC is set up in the main office, the 2 other DCs are set up in 2 different branches. All my users' workstations are Windows NT with Service Pack 6a. I am able to join the PCs from the main office to the domain; however, when I am at any of the 2 branches, I am unable to join these PCs to the domain. The error message was "the domain controller cannot be found". All 3 servers at each site have their own DNS; the main office has an AD-integrated DNS server, with the other 2 servers acting as secondary DNS. The other 2 servers are just normal primary DNS servers.

Any help would be appreciated. Thanks
 
Install WINS on your network. NT4 machines need it to find the PDC Emulator so they can join the domain. NetBIOS broadcasts do not cross routers.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
I just came back from the office, wasted one whole day with no results. PScottC, I just saw your reply, will try it out tomorrow when I get back to the office.

Appreciate your reply, will post back my testing tomorrow.
 
Hi:

I just want to ask this, hope to get some answers too.
When I am at my site office, shouldn't it try to contact the DC in the site office? Or does it need to contact all 3 domains in order for my clients to join the domain?
I am quite confused over this.
 
NT 4 systems rely on an NT4 PDC for certain operations. In Active Directory there is no PDC per se. There is a PDC Emulator, and that role can only be performed by 1 DC at any given time. For most domains, the PDC emulator is on the first AD DC that was built in the domain.

In your situation you have DC's that are linked across WAN connections. When your NT4 systems reach out to do domain joins or password changes they will look for the PDC. If WINS is not configured, then the system will broadcast on the network for the "browser master" and ask it who the PDC is. If there is a WAN link between, the broadcast will get cut off at the router.

So.. 1) Install WINS on all your DC's, 2) Configure branch servers to replicate WINS only with core location, 3) Configure WINS setting on DC to point to itself, 4) Configure clients WINS settings to point to nearest DC as primary and core site as secondary (If you have DHCP, configure options 044 with WINS servers and 046 with 0x8)



PSC

 
PScottC, thanks for your help. It worked. Appreciate your advice.
But now I am facing another problem: when these Win NT clients join the domain, I am unable to find their entries in the DNS servers. My main office DNS is AD-integrated and my zone name is mis.com. My 2 other office branches, their DNS zone names are branch1.mis.com and branch2.mis.com.
They are not AD-integrated DNS servers, as my manager would like these 2 offices to have their own DNS servers.

Is it because Win NT clients do not allow dynamic update?
I have set my DNS server to have secure and non-secure update. Is there any other setting that I have missed?
Hope you can help. Thanks
 
If you want the older clients to register with DNS you will have to input them manually or put them on DHCP. The 2000+ DHCP server can register for non-dynamic clients.

PSC

 
You mean at the DHCP server, under the DNS tab, I should check "enable dynamic update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0)"?

I already did that, but still did not see the records in my DNS server.
 
Make sure that you are using option 015 in your DHCP scope to specify your AD domain name. Should be the full domain name, like mycompany.local.

PSC

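The DHCP scope options named in the replies above (044 and 046 for WINS, 015 for the domain name), as an added example that is not part of the original thread. The scope and server addresses are constructed placeholders, and `mis.com` is assumed from the zone name given in the thread.

```bat
:: Run on the branch DHCP server (Windows 2000/2003).
:: Constructed values: 192.168.10.0 = branch scope,
:: 192.168.10.5 = branch DC/WINS, 10.0.0.5 = main office WINS.

:: Option 044: WINS servers, nearest DC first, core site second.
netsh dhcp server scope 192.168.10.0 set optionvalue 044 IPADDRESS 192.168.10.5 10.0.0.5

:: Option 046: NetBIOS node type 0x8 (hybrid: ask WINS first, then broadcast).
netsh dhcp server scope 192.168.10.0 set optionvalue 046 BYTE 0x8

:: Option 015: DNS domain name used when DHCP registers records for the client.
netsh dhcp server scope 192.168.10.0 set optionvalue 015 STRING "mis.com"

:: Check what the scope will hand out.
netsh dhcp server scope 192.168.10.0 show optionvalue

:: On an NT4 client: renew the lease, then confirm "Node Type: Hybrid"
:: and the primary/secondary WINS servers in the output.
ipconfig /release
ipconfig /renew
ipconfig /all
```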
 
I have already added that option in my DHCP server, and it's still not working.
 
Thanks, it's finally working.
But I am facing this problem: when I join these workstations to the domain at the branch office, then reboot and try to log in, it always prompts me that the PC account cannot be found. Only when I force a replication from the branch office back to the main office and the computer account appears in the branch office AD Users and Computers am I able to log in to the workstation.

Is it due to the NT emulator?
 
This is again related to the PDC Emulator issue. The machines are joined to the domain through a DC back at the main office, and thus have to wait for replication for a branch DC to authenticate them.

If you don't have to add machines very often, forcing replication might be what you have to do...

How fast are your WAN links?


Also -- you COULD cut down on these problems by having three different domains under one forest (company.local, mainoffice.company.local, branch1.company.local...) - but this is a waste of Active Directory time and effort usually. Will you be able to upgrade the workstations to 2000/XP anytime soon?
 
At each branch office, I have about 200 to 300 workstations to promote to the new domain. My WAN link is only 2MBPS, because I have to force a replication each time I promote the workstations to the new domain...


Yap, I will be changing these workstations to Windows XP, but it will only happen at the end of this year.
 
Ouch.

Here's one thing you can do...

That PDC Emulator is called a FSMO - a "Flexible Single-Master Operator," if memory serves. It's a unique domain controller fulfilling a special function, that you're familiar with now (most people running XP might not even know what it does).

You CAN transfer this role of PDC Emulator to another DC in your domain. If logistics allows you to do one branch office at a time, you can transfer the PDC Emulator role to a DC at that branch office. This can be done in Active Directory Users and Computers---first right-click and "Connect to Domain Controller." Choose the domain controller you want to be the new PDC Emulator. Right-click on the domain and choose "Operations Masters." Click the PDC Emulator tab and CHANGE. This SHOULD change the selected DC to be the new PDC Emulator, and reflect that change in the GUI. Then force a replication and CHECK that replication has succeeded in ALL of your sites. I'd suggest using Replication Monitor for this task (found in the Windows 2000/2003 Support Tools on the installation CD). Once you have confirmed that the PDC Emulator is in your branch office site, and all other DCs are aware of the change, you can then go to work on those client computers..

Let us know if you have any questions!
 
Hi JimWells,

Thanks for your valuable information. Yap, I will be doing one branch office at a time. From your information, does that mean I can change the role of the PDC Emulator each time I am at either one of the branch offices?

I will test it out tomorrow and post back my results.

Thanks again :)
 
bombergirl,

Yup. You can change the PDC Emulator role at any time. I don't ever change FSMO roles and need the result instantly, so I don't know if there are any hiccups to watch for doing it as you plan to...but if the entire domain replicates at least once after each change, it SHOULD be fine.

If you have problems using the GUI to transfer the PDC Emulator role, you CAN use a command-line tool called NTDSUTIL to force it. Try the GUI first, though.

Good luck!
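The NTDSUTIL route and the replication check described in the two replies above, as an added example that is not part of the original thread. `BRANCH1-DC` is a placeholder server name, and `netdom` and `repadmin` are assumed to be installed from the Windows Support Tools.

```bat
:: Run as a Domain Admin. BRANCH1-DC is a placeholder for the branch DC.

:: 1. Record which DC holds each FSMO role before changing anything.
netdom query fsmo

:: 2. Transfer the PDC Emulator role to the branch DC.
::    "transfer" hands the role over from the live current holder;
::    "seize" is only for a holder that is permanently offline.
ntdsutil roles connections "connect to server BRANCH1-DC" quit "transfer PDC" quit quit

:: 3. Confirm the PDC line now names the branch DC.
netdom query fsmo

:: 4. Push the change from the branch DC to every DC in every site
::    (/A = all partitions, /e = across sites, /P = push outward).
repadmin /syncall BRANCH1-DC /A /e /P

:: 5. On each DC, check that the last replication attempt with every
::    partner succeeded before joining workstations.
repadmin /showreps
```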
 
Jumping back in here... You may also want to cut the replication cycle down from the default 180 minutes to 15 minutes (the minimum) for your inter-site replication schedule. This is set on your inter-site transport in AD sites and services.

PSC

 