XP Machine cannot join domain but can ping domain controller 1

[tygressjanie]

We have an xp machine that we brought into an office at a remote location (which is connected via a T1 connection through our phone system and set up as a vpn) after the previous one's hdd failed.

When trying to join the domain it indicates that a domain controller is not able to be contacted for the domain. We can ping the pdc and bdc, however, as well as any other machine on said network. Our pdc and bdc are running Server 2008.

We took it to another location and it joined the domain just fine. Upon returning it to the remote site, it will not complete a log in to a domain account, however, if we unplug the network cable and let it log in to a previously cached login, it completes the login.

When we plug the cable back in it indicates that the LAN connection is active, however, if we try to access any network based resource it will not load. For example, we can try accessing a website and it waits for a reply until it times out. The only accessible site is google.com; we can do a search, but are not able to access any of the sites in the search.

No other users are having an issue with connectivity at the site. Also of note, the computer is able to see the computers at the remote site via network places and it can also access their c shares, but cannot access anything outside of the building. In addition, the pc that was in this location before had no connection issues.

It pulls the proper DNS information via ipconfig -all. We can also receive successful pings and tracerts for any website or other machine on the network.

We have tried reinstalling windows, flushdns and registerdns, release/renew, etc. and it all appears fine.

Any other pc plugged into the same location also has the same issues as well. There are no bad ports on our switches and there is more than one jack in the office and all have the same issue for a pc plugged into them as well. The IP phone that is plugged into the office runs properly (though I don't know if this is of relevance).

We also run a sonic wall which has had a recent firmware upgrade, but I do not handle this part of the network so am unsure of the specifics.


Any ideas?

 

[itsp1965]

Since this machine is accessing your main network remotely, do you happen to have a firewall in place that is possibly blocking the necessary ports to allow for domain communications. Being able to ping a DC is not enough

 

[tygressjanie]

We have a sonic firewall, but as far as I know this is only used to block certain websites.

Also, we have Windows firewall disabled on all our machines. We have it through GPO as well as disabling it manually on the machines to ensure there is no GPO failure.

 

[Shad007]

you could try unjoining it from the domain (put it back into a workgroup) ..then remove any computer accounts on the AD network then rejoin it.

ps, also to clarify server 2008 doesnt run on the old pdc/bdc scenario. All domain controllers in the network are equal, just certain ones have exra FSMO roles assigned to them.

another point is when you recreate the computer account on the domain, if you have more than one DC, ensure that replication of the computer account has occurred prior to logging the machine in

 

[netsec50]

If you run nslookup from a cmd prompt do you connect to the dns of the domain controller that you are trying to validat against.



Chris Jessup
IT Director

http://www.network-security.uk.net

 

[tygressjanie]

NSLOOKUP works just fine!

 

[tygressjanie]

Also, if we un-join the computer from the domain and put it back into the workgroup, we can't re-join it back onto the domain unless we take it back out of the office and plug it in to another location on the network.

Also, the computer name didn't exist in AD before, so there is no former record for it. So I don't think it's a conflicting DNS record from AD or anything of that nature...as I said we have no domain issues in any other locations with this pc, it's just this particular office.

 

[Shad007]

If you've recently rebuilt the new xp pc and brought it into the office have you got all the software you require on it? perhaps the other pc's at the remote site are running a sonicwall client?

If your pc is not talking to the sonicwall firewall properly it probably isn't authorised to navigate the VPN (therefore being denied access to remote network resources such as proxy servers)

just a guess.

 

[tygressjanie]

@Shad007:
There is no missing software as it was built from the same image as is the standard for the location.

We do have a sonicwall, however, after spending 1.5hrs on the phone with the vendor for it, it was determined that it's not our issue.

We have also tried plugging it into another port at the switch with the same results.

 

[Shad007]

quite a puzzle!

Have you checked to ensure that AD replication between your two sites is working ok? Could be that the computer account was not replicated to the remote site?

 

[tygressjanie]

You're not kidding, quite a puzzle!

I don't think it's an AD problem as all other PC's at the site work just fine, and if we take this PC to another location it has no problems seeing the network in any respect. If we take it back to this site, however, it can't see any computers on the network (via microsoft windows network) except those at the remote site, however, can ping any machine on the network whether at the remote site or elsewhere on the network....I can also VNC or RDP from the PC to only computers within the remote site but no others outside of the facility.

Systems Technician, A+, N+, MCP

 

[ShackDaddy]

Sounds to me like the MTU on that workstation may be set to something besides the default size. That would explain why small-packet communications with remote hosts work OK, and local communications are fine, but anything that would use a larger packet size would fail. Why don't you do some MTU ping tests and then use something like Dr. TCP to change the MTU size as appropriate and see if that resolves the issue. It may well.

Dave Shackelford MVP
ThirdTier.net
TrainSignal.com

 

[Shad007]

any static routes missing on the new pc? compare it to one of the others

 

[ShackDaddy]

Routing would be an issue if she couldn't ping outside the network, but apparently pinging works.

When you ping a remote host, are you doing it by IP or by name? You've rule out name resolution problems, right?

I still think it might be an MTU thing.

Dave Shackelford MVP
ThirdTier.net
TrainSignal.com

 

[NetworkTek]

Can you manually configure the ip settings on the machine and try again? If that works possibly reset the winsock stack on the machine. This is just a thought. It looks like you have eliminated almost everything else.

Network+
Inet+
MCP
MCSA 2003
MCTS

 

[tygressjanie]

I've tried putting in the dns servers to see if it will see the domain properly but it doesn't help either.

It is pulling an IP address properly with dhcp as well so I don't think that's it either. *SIGH!!*

Systems Technician, A+, N+, MCP

 

[tygressjanie]

It did turn out to be the MTU size. We set it to 1372 and it finally worked without a hitch. Thanks for everyone's help!

Systems Technician, A+, N+, MCP

 

[ShackDaddy]

You're welcome!

Dave Shackelford MVP
ThirdTier.net
TrainSignal.com