Cannot join domain

Discussion in 'Server Networking' started by Per Elmsäter, Feb 2, 2006.

  1. Trying to join an XP client to AD domain via VPN I receive the following
    message

    (error code 0x0000232B RCODE_NAME_ERROR)

    The query was for the SRV record for
    _ldap._tcp.dc._msdcs.MYDOMAIN

    Common causes of this error include the following:

    - The DNS SRV record is not registered in DNS.

    - One or more of the following zones do not include
    delegation to its child zone:


    The confusing part is that the name of the domain is not actually MYDOMAIN
    but MYDOMAIN.lan
    When I do the nslookup query with MYDOMAIN.lan it works fine but of course
    not with the .lan part removed.

    So why would my initial query truncate the .lan part of the domain name?
    Actually, the computer gets registered in AD but is disabled. If I enable it
    manually it will automatically become disabled again within a few minutes.

    I have googled for several days now without finding any solutions. Is it a
    setting in AD or DNS?
    My TCP/IP settings are correct, i.e. I'm pointing at the only two
    existing DNS servers. I can ping everything over the VPN tunnel etc. We are
    both sitting on private networks.

    Thankful for any input.
     
    Per Elmsäter, Feb 2, 2006
    #1

  2. Bill Grant (Guest)

    If you are connecting by VPN, make sure that you have the correct DNS
    suffix defined in the connection properties (in the TCP/IP Advanced
    properties DNS tab).
     
    Bill Grant, Feb 2, 2006
    #2

  3. Can you post an unedited ipconfig /all of the DC please and the exact
    spelling of the zone in DNS?

    I have an initial feeling that either the zone is misconfigured or you are a
    single label name AD domain name.

    Thanks,

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Having difficulty reading or finding responses to your post?
    Instead of the website you're using, I suggest to use OEx (Outlook Express
    or any other newsreader), and configure a news account, pointing to
    news.microsoft.com. This is a direct link to the Microsoft Public
    Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
    to easily find, track threads, cross-post, sort by date, poster's name,
    watched threads or subject.

    Not sure how? It's easy:
    How to Configure OEx for Internet News
    http://support.microsoft.com/?id=171164

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Windows Server Directory Services
    Microsoft Certified Trainer
    Assimilation Imminent. Resistance is Futile.
    Infinite Diversities in Infinite Combinations.

    The only thing in life is change. Anything less is a blackhole consuming
    unnecessary energy.
    ===========================
     
    Ace Fekay [MVP], Feb 3, 2006
    #3
  4. I will do that. Unfortunately I made it home before I saw your response so
    I'm going to have to come back with this info on monday.
     
    Per Elmsäter, Feb 3, 2006
    #4
  5. Thanks, I tried that.

     
    Per Elmsäter, Feb 3, 2006
    #5
  6. Ok, cool. I'll be watching this thread.

    Also, about that VPN, are you using a VPN tunnel between sites and the
    client is at a site with no DC trying to join across the WAN? Or is it a
    client VPN'd in from a home location, etc. If not, can you elaborate on that
    a bit too?

    Thanks,
    Ace
     
    Ace Fekay [MVP], Feb 4, 2006
    #6
  7. Oops, I re-read your original post and you do have a tunnel. Forget my
    previous question about that. The DNS question is the bigger factor and the
    ipconfig.

    Hope you have a nice weekend and looking forward to your response on Monday.

    Ace
     
    Ace Fekay [MVP], Feb 4, 2006
    #7
  8. The domain is spelled sfbio.lan in the DNS. No caps.

    Here is the ipconfig / all for DC1

    :\Documents and Settings\Administrator>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : sfbioad01
    Primary Dns Suffix . . . . . . . : sfbio.lan
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : sfbio.lan

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
    Physical Address. . . . . . . . . : 00-0B-CD-40-F8-EF
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.166.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.166.1
    DNS Servers . . . . . . . . . . . : 192.168.166.2

    And the DC2

    C:\Documents and Settings\moviestar>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : SFBIOAD02
    Primary Dns Suffix . . . . . . . : sfbio.lan
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : sfbio.lan

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
    Physical Address. . . . . . . . . : 00-0F-20-7A-2C-05
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.166.7
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.166.1
    DNS Servers . . . . . . . . . . . : 192.168.166.2

    Hope you can make something out of this. At the moment we are suspecting
    the ldap port 389 in the Firewall.

    Regards
    Per Elmsäter
     
    Per Elmsäter, Feb 6, 2006
    #8
  9. More on this. The Ipconfig is posted just previous to this.
    Here is also a successful nslookup and a failed telnet connection over the
    ldap port. Both done from the client that cannot join the domain. Might as
    well add an ipconfig of the client at the end of everything.

    The nslookup command has been issued before the copy paste was done
    Server: sfbioad01.sfbio.lan
    Address: 192.168.166.2

    _ldap._tcp.dc._msdcs.sfbio.lan SRV service location:
    priority = 0
    weight = 100
    port = 389
    svr hostname = sfbioad02.sfbio.lan
    _ldap._tcp.dc._msdcs.sfbio.lan SRV service location:
    priority = 0
    weight = 100
    port = 389
    svr hostname = sfbioad01.sfbio.lan
    sfbioad02.sfbio.lan internet address = 192.168.166.7
    sfbioad01.sfbio.lan internet address = 192.168.166.2

    And here comes the telnet attempt

    C:\Documents and Settings\Administrator.GKLANEPC01>telnet 192.168.166.2 389
    Connecting To 192.168.166.2...Could not open connection to the host, on port
    389
    : Connect failed


    Client ipconfig

    C:\Documents and Settings\Administrator.GKLANEPC01>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : gklanepc01
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : sfbio.lan

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : sfbio.lan
    Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
    Physical Address. . . . . . . . . : 00-02-3F-6B-FF-45
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 172.31.1.11
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 172.31.1.1
    DHCP Server . . . . . . . . . . . : 192.168.166.2
    DNS Servers . . . . . . . . . . . : 192.168.166.2
    192.168.166.7
    Lease Obtained. . . . . . . . . . : den 6 februari 2006 13:09:31
    Lease Expires . . . . . . . . . . : den 6 februari 2006 14:09:31

    Hope somebody can make something out of this. I'd like to point out the fact
    that there seems to be something amiss with the ldap port. There is a
    Firewall1 on each side of the tunnel. Both are configured to let everything
    pass and ldap requests go in but does not seem to come out of the tunnel.

    Regards
    Per Elmsäter
     
    Per Elmsäter, Feb 6, 2006
    #9
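The two outputs above show the pattern worth checking mechanically: the SRV query for `_ldap._tcp.dc._msdcs.sfbio.lan` resolves to both DCs, yet a TCP connection to port 389 fails. The script below is an added example (not from the thread or from any vendor): it parses nslookup's SRV output into records, flags a single-label domain name (the `MYDOMAIN` vs `MYDOMAIN.lan` confusion from the first post), and then attempts the same TCP handshake `telnet host 389` makes against each advertised DC. The sample nslookup text is constructed from the values posted above; the probe function is injectable so the logic can be exercised offline.

```python
"""Parse 'nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>' output and probe
each advertised domain controller on its LDAP port over TCP.  Added diagnostic
example, not code from the thread; the sample text below is constructed from
the values Per posted."""
import re
import socket

# Constructed sample, copied from the nslookup output in the thread.
SAMPLE_NSLOOKUP = """\
Server: sfbioad01.sfbio.lan
Address: 192.168.166.2

_ldap._tcp.dc._msdcs.sfbio.lan SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = sfbioad02.sfbio.lan
_ldap._tcp.dc._msdcs.sfbio.lan SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = sfbioad01.sfbio.lan
sfbioad02.sfbio.lan internet address = 192.168.166.7
sfbioad01.sfbio.lan internet address = 192.168.166.2
"""


def is_fqdn(domain):
    """False for a single-label name such as MYDOMAIN: the SRV query
    _ldap._tcp.dc._msdcs.MYDOMAIN only works if a DNS suffix gets appended."""
    return "." in domain.strip(".")


def parse_srv(text):
    """Return SRV records as dicts (host, port, priority, weight, addr),
    ordered by priority then descending weight, with glue A records attached."""
    records, glue, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("SRV service location:"):
            current = {"host": None, "port": None, "priority": None, "weight": None}
            records.append(current)
            continue
        m = re.match(r"(priority|weight|port)\s*=\s*(\d+)$", line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"svr hostname\s*=\s*(\S+)$", line)
        if m and current is not None:
            current["host"] = m.group(1)
            continue
        m = re.match(r"(\S+)\s+internet address\s*=\s*(\S+)$", line)
        if m:
            glue[m.group(1)] = m.group(2)
    for rec in records:
        rec["addr"] = glue.get(rec["host"])
    return sorted(records, key=lambda r: (r["priority"], -r["weight"]))


def tcp_reachable(addr, port, timeout=3.0):
    """True if a TCP handshake completes: the same test 'telnet addr 389' makes."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(domain, nslookup_text, probe=tcp_reachable):
    """Combine the checks: name shape, SRV presence, per-DC TCP reachability.
    'probe' is injectable so the logic can be exercised without a network."""
    findings = []
    if not is_fqdn(domain):
        findings.append(f"{domain} is a single-label name; the query needs a suffix, e.g. {domain}.lan")
    recs = parse_srv(nslookup_text)
    if not recs:
        findings.append(f"no SRV records parsed for _ldap._tcp.dc._msdcs.{domain}")
    for r in recs:
        target = r["addr"] or r["host"]
        if probe(target, r["port"]):
            findings.append(f"{r['host']} ({target}) tcp/{r['port']} reachable")
        else:
            findings.append(f"{r['host']} ({target}) tcp/{r['port']} BLOCKED: SRV resolves but LDAP over TCP fails")
    return findings


if __name__ == "__main__":
    for line in diagnose("sfbio.lan", SAMPLE_NSLOOKUP):
        print(line)
```

Run it from the client that cannot join, feeding it the real `nslookup -type=SRV` output: a "BLOCKED" line for a DC whose SRV record resolved is exactly the symptom in this thread, and points at the path between client and DC rather than at DNS.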
  10. Thanks for posting the info.

    The ipconfigs actually look good. One thing I see, not really relevant, is
    the DC on 192.168.166.7 doesn't have DNS installed on it, or you didn't
    point to itself, then the other DNS. That is a recommended best practice to
    do with both DCs if they are both running DNS.

    If you are getting blocked by a firewall, and you want AD domain
    communication, there's more than just port 389. There are under 30 ports. My
    suggestion is to make sure the actual VPN connection is not being blocked
    by the firewall and ALL traffic is allowed thru. Have you looked into this?

    Ace
     
    Ace Fekay [MVP], Feb 7, 2006
    #10
  11. Bill Grant (Guest)

    As a general rule, firewall settings have no effect on VPN traffic. VPN
    traffic is encrypted and encapsulated between the VPN endpoints. When it is
    passing through a firewall, the firewall sees only the "wrapper", not the
    encrypted data packet. A firewall will only have an effect if it is between
    the target machine and the VPN endpoint (ie beyond the point where the VPN
    traffic has been stripped and decrypted).
     
    Bill Grant, Feb 7, 2006
    #11
  12. What you say makes sense. However we have an internal firewall that we pass
    through to our Extranet. From this Extranet we enter the tunnel via another
    Firewall and then exit the tunnel through a another firewall, at the AD
    location. We have been able to trace port 389 calls through the two first
    Firewalls, but they never come through to the last one at the end of the
    tunnel so to speak. However UDP calls through the same port comes through.
    Everything else seems to work normally. For instance we manage the AD
    servers remotely etc.

    Per Elmsäter
     
    Per Elmsäter, Feb 7, 2006
    #12
  13. In the last firewall, is the MTU set less than 1500? That will cause LDAP
    communication issues.

    Ace
     
    Ace Fekay [MVP], Feb 8, 2006
    #13
  14. No luck on that. It was set to 1500.
    However we did notice that port 389 among some others were filtered. 53 for
    instance and everything above 6000. No rules that we are aware of do this
    filtering, as far as we know we have everything opened up. Evidently not.
    Can there be hidden rules in a firewall overriding the ones we set?
     
    Per Elmsäter, Feb 8, 2006
    #14
  15. No, but it may be the order the rules are in, whether they are being
    superseded, such as in a Cisco IP Access List, where I would put "deny any" on the
    bottom of my rule set. If it is anywhere in the middle, any rules below it
    wouldn't work. Make specifically sure that it is wide open even if you have
    to specifically state it, such as using an "allow any" (the command would
    depend on the vendor of your unit).

    Ace
     
    Ace Fekay [MVP], Feb 9, 2006
    #15
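The rule-ordering point above is easy to check mechanically on a first-match rule set. The following is an added example, not the thread's firewall configuration and not any vendor's syntax: a small evaluator for a simplified ACL line format I made up (`action proto src dst port`, with `any` as wildcard, or a bare `deny any`/`permit any`), plus a check that lists rules an earlier rule covers entirely and therefore can never fire. The constructed rule set reproduces the symptom reported here, UDP 389 passing while TCP 389 is dropped, because the catch-all deny sits above the TCP rule.

```python
"""First-match rule evaluation with a shadowed-rule check, illustrating that a
'deny any' sitting above allow rules makes them dead.  Added example, not the
thread's firewall configuration; the rule syntax is a simplified ACL-style line
(action proto src dst port, 'any' as wildcard) invented for this example."""
from ipaddress import ip_address, ip_network


def parse_rule(text):
    """'permit tcp 172.31.1.0/24 any 389' or the bare 'deny any' / 'permit any'."""
    parts = text.split()
    action = parts[0]
    if len(parts) == 2 and parts[1] == "any":
        return {"action": action, "proto": "any", "src": None, "dst": None, "port": None}
    proto, src, dst, port = parts[1:5]
    return {"action": action, "proto": proto,
            "src": None if src == "any" else ip_network(src),
            "dst": None if dst == "any" else ip_network(dst),
            "port": None if port == "any" else int(port)}


def matches(rule, proto, src, dst, port):
    """Does one rule match a packet described by (proto, src, dst, dst-port)?"""
    return ((rule["proto"] in ("any", proto))
            and (rule["src"] is None or ip_address(src) in rule["src"])
            and (rule["dst"] is None or ip_address(dst) in rule["dst"])
            and (rule["port"] is None or rule["port"] == port))


def evaluate(rules, proto, src, dst, port):
    """First matching rule wins; returns (action, index). Implicit deny otherwise."""
    for i, rule in enumerate(rules):
        if matches(rule, proto, src, dst, port):
            return rule["action"], i
    return "deny", None


def _covers(a, b):
    """True if every packet rule b could match is already matched by rule a."""
    def field_covers(fa, fb):
        return fa is None or (fb is not None and fb.subnet_of(fa))
    return ((a["proto"] == "any" or a["proto"] == b["proto"])
            and field_covers(a["src"], b["src"])
            and field_covers(a["dst"], b["dst"])
            and (a["port"] is None or a["port"] == b["port"]))


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules))
            if any(_covers(rules[i], rules[j]) for i in range(j))]


# Constructed rule set reproducing the symptom: UDP 389 passes, TCP 389 does not.
MISORDERED = [parse_rule(r) for r in (
    "permit udp 172.31.1.0/24 192.168.166.0/24 389",
    "deny any",
    "permit tcp 172.31.1.0/24 192.168.166.0/24 389",
)]
# Same rules with the catch-all deny moved to the bottom.
CORRECTED = [MISORDERED[0], MISORDERED[2], MISORDERED[1]]

if __name__ == "__main__":
    pkt = ("tcp", "172.31.1.11", "192.168.166.2", 389)
    print("misordered:", evaluate(MISORDERED, *pkt), "shadowed:", shadowed_rules(MISORDERED))
    print("corrected :", evaluate(CORRECTED, *pkt), "shadowed:", shadowed_rules(CORRECTED))
```

The coverage test is deliberately conservative: it only reports a rule as dead when a single earlier rule covers it in every field, so it will miss rules shadowed by a combination of earlier rules, but anything it does report is certainly unreachable and worth moving or deleting.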
  16. That's pretty much what we've done. We've also received the latest patches
    from our Vendor, Firewall1, but they had another name. I kind of doubt it
    has any impact on this though as we seem to have problems with specific
    ports. I'll know tomorrow as they're being applied right now.

    I caught something with my left ear the other day. A fairly big company
    stated in a meeting that they could not join clients to an AD domain from
    what they called "dynamic lans". I've never heard of a dynamic lan before.
    Has anybody else?
     
    Per Elmsäter, Feb 13, 2006
    #16
  17. The problem has been solved and we can now join clients to the domain across
    VPN tunnels and through Firewalls.

    It finally came down to a Firewall problem and upon contact with Clavister
    they gave us a prerelease of their next Firewall version. This solved the
    problem completely. Evidently one Firewall was a Clavister and the others
    Firewall1.

    I want to thank everyone that has tried to assist me with solutions. Your
    suggestions have helped me search in the right direction and kept me from
    searching other solutions that would only have been a waste of time.

    Thank you.
     
    Per Elmsäter, Feb 15, 2006
    #17
  18. VLANs or Virtual LANs, such as created on a Layer3 switch. You can segment
    certain ports as routed vs. switched and created virtual subnets off of it.
    If the VLANs were not configured properly, then I can see if they are having
    problems.

    As for the firewall issue, you will need to contact your vendor and see what
    they have to say, since after all you've stated that 389 is blocked. You
    will need to find out why.

    Ace
     
    Ace Fekay [MVP], Feb 16, 2006
    #18
  19. Good to hear!

    btw- I posted my other most recent post prior to reading this stating to
    check with the vendor.

    I'm happy all is in order now!

    Ace
     
    Ace Fekay [MVP], Feb 16, 2006
    #19
  20. Bill Grant (Guest)

    Thanks for letting us know how it turned out. Very frustrating when it
    is not your fault! (I like the photo in cycling gear on the website)
     
    Bill Grant, Feb 16, 2006
    #20
