DNS lookup issue with Windows 7

Discussion in 'DNS Server' started by bradtf, Jan 29, 2010.

  1. bradtf

    bradtf Guest

    The original issue is that I can’t add a Windows 7 computer to the domain, I
    get an error saying: The following error occurred attempting to join the
    domain “domainname”: An attempt to resolve the DNS name of a domain
    controller in the domain being joined has failed…”

    Background.

    The active directory was recently upgraded from 2003 with 2 2003 domain
    controller servers. Those servers are now gone, replaced by 2 windows 2008r2
    servers both running DNS.

    Windows XP machines can join the domain and do nslookups without issues as
    well as Windows 7 Machines that are already on the domain, can do nslookups
    without issues.

    Windows 7 Machines that are not on the domain, get valid DHCP addresses from
    the domain controller, as well as the correct dns server address. They also
    show up on the DNS server as an address lease and under the reverse
    lookup zone. But nslookups to internal pc’s/server time out. The problem
    machines can browse the internet.

    I have checked the dns settings over and over again, and everything looks
    correct, I have even tried deleting and recreating the reverse lookup zones.
    Dynamic Updates on the reverse lookup zone are set for nonsecure and secure.
    I see no errors in the event log on the server.
     
    bradtf, Jan 29, 2010
    #1

  2. bradtf

    bradtf Guest

    More Info:

    Here is the ipconfig/all from the windows 7 machine not on the domain:

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : domainname.bc.ca
    Description . . . . . . . . . . . : Intel(R) 82566MM Gigabit Network Connection
    Physical Address. . . . . . . . . : 00-1E-68-BD-28-2E
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 192.168.100.170(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Friday, January 29, 2010 2:53:37 PM
    Lease Expires . . . . . . . . . . : Monday, February 01, 2010 3:21:41 PM
    Default Gateway . . . . . . . . . : 192.168.100.2
    DHCP Server . . . . . . . . . . . : 192.168.100.1
    DNS Servers . . . . . . . . . . . : 192.168.100.1
    NetBIOS over Tcpip. . . . . . . . : Enabled


    and a sample of the nslookup (returns properly on any XP machine on/off the
    domain, or any Windows 7 machine already joined to the domain):
    Server: chdomainy.domain.bc.ca
    Address: 192.168.100.1

    DNS request timed out.
    timeout was 2 seconds.
    *** Request to chdomainy.domain.bc.ca timed-out

    And the IPconfig from the server:

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
    Physical Address. . . . . . . . . : 00-26-B9-39-38-A5
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 192.168.100.1(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.100.2
    DNS Servers . . . . . . . . . . . : 192.168.100.1
    192.168.100.15
    NetBIOS over Tcpip. . . . . . . . : Enabled
     
    bradtf, Jan 29, 2010
    #2


  3. The ipconfigs look good. I was wondering what the Search Suffix is on the
    Windows 7 machine. Does it match the AD DNS domain name?

    When you are trying to join the Windows 7 machine, what are you using for
    the domain name? The FQDN name (domain.com), or the NetBIOS name ("domain")?

    How about when you provide credentials? Are you using
    "domainName\userAccount" or "?"

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
    MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please
    contact Microsoft PSS directly. Please check http://support.microsoft.com
    for regional support phone numbers.
     
    Ace Fekay [MVP-DS, MCT], Jan 30, 2010
    #3
  4. bradtf

    bradtf Guest

    Yes, the search suffix is correct, it is the full domain name and matches
    the Windows 7 machine that is working correctly.

    I have tried both ways, when using the FQDN, I get a different error:

    "Note: This information is intended for a network administrator. If you are
    not your network's administrator, notify the administrator that you received
    this information, which has been recorded in the file
    C:\Windows\debug\dcdiag.txt.

    The following error occurred when DNS was queried for the service location
    (SRV) resource record used to locate an Active Directory Domain Controller
    (AD DC) for domain "domainname.bc.ca":

    The error was: "This operation returned because the timeout period expired."
    (error code 0x000005B4 ERROR_TIMEOUT)

    The query was for the SRV record for _ldap._tcp.dc._msdcs.domainname.bc.ca

    The DNS servers used by this computer for name resolution are not
    responding. This computer is configured to use DNS servers with the following
    IP addresses:

    192.168.100.1

    Verify that this computer is connected to the network, that these are the
    correct DNS server IP addresses, and that at least one of the DNS servers is
    running."

    I have tried both ways for credentials, as well as entering wrong
    credentials to try to get a different error, but the error is the same either
    way.

    Thank you for the help.
     
    bradtf, Jan 30, 2010
    #4


  5. Does this record exist?
    _ldap._tcp.dc._msdcs.domainname.bc.ca

    Are all the SRV records populated/registered in the zone? Check both the
    domainname.bc.ca and the _msdcs.domainname.bc.ca zones.

    Also, that nslookup message occurred because there is either no reverse zone
    (I think you said you deleted it?) or the zone exists but a PTR does not
    exist for the DNS server (in this case, your DC). It won't affect joining or
    anything else regarding the current issues.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Jan 30, 2010
    #5

  6. I forgot to ask, is the firewall on the DCs and the Win7 machines, disabled?
    How about any 3rd party security/AV software?

    Ace
     
    Ace Fekay [MVP-DS, MCT], Jan 30, 2010
    #6

  7. Darn, forgot to ask again. What errors (eventID#s) do you see on the DC or
    any other machines?

    Ace
     
    Ace Fekay [MVP-DS, MCT], Jan 30, 2010
    #7
  8. WWW browser access is very likely a red herring. For all we know, you
    have a proxy HTTP server, and the DNS lookups to turn (the domain name
    portions of) URLs into IP addresses aren't even being done locally on
    those machines. WWW browsers are not DNS diagnosis tools.

    It's time for you to watch der blinkenlichten, either with some
    appropriate network traffic sniffing tools or with your own eyes. When
    you perform a query using a DNS lookup tool, a DNS/UDP packet is being
    sent to the proxy DNS server at 192.168.100.1. You need to prove that it
    even leaves the machine and goes along the wire. If it does, you then
    need to prove that the proxy DNS server at 192.168.100.1 receives it and
    responds. Then you need to prove that the response returns to the
    machine at 192.168.100.170. If you fail at any stage, then you need to
    investigate what is stopping the network traffic at that point. (For the
    response traffic, for example, one potential cause would be two machines
    erroneously sharing that IP address.)
     
    Jonathan de Boyne Pollard, Jan 31, 2010
    #8
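
The stage-by-stage check described in the post above can be started from the client with a direct UDP query that separates "no datagram came back" from "DNS replied with an error". This is an added example, not part of the original thread; the function names are hypothetical, and the server address and SRV name are the ones quoted in the thread.

```python
import socket
import struct

SRV = 33  # DNS RR type for SRV records

def build_srv_query(name, txid=0x1234):
    """Encode a single-question DNS query (RD set) for the SRV record of name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", SRV, 1)

def summarize_reply(reply, txid=0x1234):
    """Return (rcode, answer_count) from a reply header, or None if it is not ours."""
    if len(reply) < 12:
        return None
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:   # wrong id, or QR bit clear
        return None
    return flags & 0x000F, ancount

def probe(server, name, port=53, timeout=2.0):
    """Send the query over UDP and classify the result.

    'timeout'  -> no datagram came back: look at filtering on the host or path
    'answered' -> DNS replied with records: the transport is fine
    'rcode=N'  -> DNS replied with an error or an empty answer: look at the zone
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name), (server, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
        except OSError:
            return "unreachable"
    summary = summarize_reply(reply)
    if summary is None:
        return "malformed"
    rcode, ancount = summary
    return "answered" if rcode == 0 and ancount else "rcode=%d" % rcode

if __name__ == "__main__":
    # Values quoted in the thread: the DNS server and the DC locator record.
    print(probe("192.168.100.1", "_ldap._tcp.dc._msdcs.domainname.bc.ca"))
```

Running it on a working and a failing client while capturing on both ends shows at which hop the datagram disappears.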
  9. bradtf

    bradtf Guest

    Sorry for the delayed response, and thank you for the tips.

    There are 2 of those records (_ldap), one for each of the dns servers under
    the \_msdcs\dc\sites\default-first-site-name\_tcp folder.


    I believe that the SRV records are present, they are listed under the TCP
    folder in domainname.bc.ca folder and in the
    \_msdcs\dc\sites\default-first-site-name\_tcp folder as well

    Firewalls are turned off on both.

    For errors, there are none on the domaincontroller/dns server, but there are
    a few on the client, not sure if they are related, but here they are.

    1014 - "Name resolution for the name isatap.domainname.bc.ca timed out after
    none of the configured dns servers responded"

    I'm not sure what that isatap is, but the error repeats again for something
    else, this time wpad.domainname.bc.ca and then again for
    "_ldap._tcp.dc._msdcs.domainname.bc.ca"
     
    bradtf, Feb 1, 2010
    #9

  10. It sounds like your SRVs are ok. As for the isatap and wpad, they indicate
    you have an ISA firewall client installed?

    Ace
     
    Ace Fekay [MVP-DS, MCT], Feb 1, 2010
    #10
  11. bradtf

    bradtf Guest

    Hmm, not ISA, but a firewall client for remote access.
     
    bradtf, Feb 1, 2010
    #11
  12. bradtf

    bradtf Guest

    Oh wow. Great catch. That firewall client was the cause. I removed it,
    rebooted, and NSlookups started working again, and I was able to add the
    computer to the domain. Looking over my other problem Windows 7 machines,
    they all have the firewall client installed.

    Many many thanks!
     
    bradtf, Feb 1, 2010
    #12

  13. You are welcome! Glad it wound up being that easy. :)

    Ace
     
    Ace Fekay [MVP-DS, MCT], Feb 1, 2010
    #13