"Domain does not exist Or could not be contacted"?

Discussion in 'Active Directory' started by marek1712, Apr 6, 2009.

  1. marek1712

    marek1712 Guest

    Hello, I have the problem with the following message:

    I’m running Windows Server 2008 and want to use it as a RADIUS server to
    authenticate WiFi users.
    It works that way:
    - I have DSL modem, connected to the PC via USB port;
    - my PC works as an internet gateway (ICS) and thus has IP address: (Internet connection with local DNS address and a forwarder set
    on the DNS server).
    - I have Linksys WRT-160N router working as an Access Point.
    PC is running Active Directory service (with integrated DNS role), DHCP, NPS
    (without Routing and Remote Access) and certificate services.
    Now there’s a problem whenever I try to set a RADIUS for wireless users
    (doesn’t matter if it’s separate user group or existing one) – I get the same
    message as presented on the screenshot.
    Below is the output from DCDIAG /test:DNS:

    "Directory Server Diagnosis

    Performing initial setup:

    Trying to find home server...

    Home Server = serwerAD

    * Identified AD Forest.
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\SERWERAD

    Starting test: Connectivity

    ......................... SERWERAD passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\SERWERAD

    Starting test: DNS

    DNS Tests are running and not hung. Please wait a few minutes...

    ......................... SERWERAD passed test DNS

    Running partition tests on : ForestDnsZones

    Running partition tests on : DomainDnsZones

    Running partition tests on : Schema

    Running partition tests on : Configuration

    Running partition tests on : przyklad

    Running enterprise tests on : przyklad.pl

    Starting test: DNS

    Test results for domain controllers:

    DC: serwerAD.przyklad.pl

    Domain: przyklad.pl

    TEST: Records registration (RReg)
    Network Adapter [00000012] MAC Bridge Miniport:

    Missing AAAA record at DNS server

    Missing AAAA record at DNS server

    Warning: Record Registrations not found in some network

    ......................... przyklad.pl passed test DNS"

    Everything else is working fine. I really don’t know what’s wrong.
    If you need any detail just ask (I may not be able to answer immediately,
    especially starting tomorrow).
    marek1712, Apr 6, 2009
    1. Advertisements

  2. Hello marek1712,

    Do you use IPv6, then disable it:

    Also check the above link if you have 2003 DNS servers and reverse lookup

    After that run netdiag /fix.

    If you need IPv6 check this:



    For whatever reason i also read a posting that uninstalling Symantec AV from
    a DC solved this error.

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Apr 6, 2009
    1. Advertisements

  3. marek1712

    marek1712 Guest

    Hello and thank you for quick answer.

    I am home user of the MSDN AA version. Therefore I don't need IPv6.
    I wasn't sure if I can disable it. Now I'm certain. As soon as I get back
    home - I'll disable it (as shown in the link you provided).
    My PC is the only one server, with 2008 functional level. I've set up
    reverse lookup zone but I'm not really certain if it's required for a few

    As for antivirus - I've used KIS2009, but switched to the trial version of
    the Avira Server.

    Thanks again. I'll post an update later.

    Best regards,
    marek1712, Apr 6, 2009
  4. marek1712

    marek1712 Guest

    I did as you told me (except for the "netdiag" part - I had to use "dcdiag
    /fix"). That error still appears but at least I don't see AAAA warnings.
    marek1712, Apr 6, 2009
  5. In
    In addition to Meinolf's suggestion to disable IPv6 (excellent suggestion, I
    am curious of the machine's config. According to the dcdiag, your DNS server
    is Is that your router address? Can you post an unedited
    ipconfig /all from the server, please? That will help to further diagnose
    this for you.


    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer

    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.
    Ace Fekay [Microsoft Certified Trainer], Apr 7, 2009
  6. marek1712

    marek1712 Guest

    OK, here you go:

    "Windows IP Configuration

    Host Name . . . . . . . . . . . . : serwerAD
    Primary Dns Suffix . . . . . . . : przyklad.pl
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : przyklad.pl

    PPP adapter Internet ADSL:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Internet ADSL
    Physical Address. . . . . . . . . :
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 83.30.XX.XXX(Preferred)
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Network Bridge:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : MAC Bridge Miniport
    Physical Address. . . . . . . . . : XX-00-XX-4F-XX-50
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :
    NetBIOS over Tcpip. . . . . . . . : Enabled"

    Sorry I haven't provided it first (MAC address of the network bridge is
    "Xed", same goes for my ADSL address).
    My internet connection is normal ADSL with dynamically assigned IP. My
    computer works as a gateway with ICS turned on (therefore .0.1 address). As
    of now router is disconnected (it works normally as an Access Point and
    switch to connect VoIP gateway).
    To keep the local connection alive (and prevent DNS errors) I have created
    network bridge with Microsoft Loopback Adapter (which is always connected and
    keeps the whole thing up). Nothing else comes to my mind now. If you have any
    more questions, please ask. I'd gladly provide more data.
    Best regards,
    marek1712, Apr 7, 2009
  7. Hello marek1712,

    Multihoming a Domain controller, what you did here, is a not recommended
    configuration and should be avoided. It results in problems exactly you have.
    Remove the multihoming and use only the domain internal ip addressing on
    the DC.

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Apr 7, 2009
  8. In

    Hello Marek,

    I must fully agree with Meinolf. You do not want to multihome a DC. This is
    what's causing the domain not found error. If I may recommend, Remove the
    PPPoE configuration, disable ICS, and purchase an inexpensive Linksys router
    (USD $80.00) to perform this function. Make sure you only use the internal
    IP of your DNS server in all clients and the DC. After that, you should be
    error free.

    Ace Fekay [Microsoft Certified Trainer], Apr 7, 2009
  9. marek1712

    marek1712 Guest

    Well, I made a mistake buying Linksys WRT160N (I need WAG160N). As USD is
    quite expensive right now, I wanted to wait a little while for it to get
    But as you suggest - I'll borrow a router from my friend (WAG200G) and test
    it out. As always - I'll provide feedback after that.
    marek1712, Apr 7, 2009
  10. marek1712

    marek1712 Guest

    Still no-go :(
    I've removed my modem and all traces of the PPPoE connections.
    After connecting WAG200G (DHCP disabled, gateway's address: and
    setting forwarder to (while keeping server's .0.1) I've made some
    DCDIAG shows no errors, nslookup works flawlessly.
    I've forgotten about one thing. After seeing that message about contacting
    domain I am able to add user group by selecting it from the list for the
    second time. I'm 99.9% sure it won't work though.
    marek1712, Apr 7, 2009
  11. Hello marek1712,

    Please post an unedited ipconfig /all from the server again.

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Apr 7, 2009
  12. marek1712

    marek1712 Guest


    "Windows IP Configuration

    Host Name . . . . . . . . . . . . : serwerAD
    Primary Dns Suffix . . . . . . . : przyklad.pl
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : przyklad.pl

    Ethernet adapter Mostek sieciowy:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : MAC Bridge Miniport
    Physical Address. . . . . . . . . : 02-XX-54-XX-XX-XX
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :
    NetBIOS over Tcpip. . . . . . . . : Enabled"
    marek1712, Apr 8, 2009
  13. Hello marek1712,

    Is the server listed correct in DNS without any other ip additional addresses?
    Check all zones for that.

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Apr 8, 2009
  14. In
    Did you disable ICS? A note on that - ICS and DHCP/DNS services conflict
    due to the way ICS works. If not disabled, please do so. An ipconfig /all
    after the changes, as Meinolf requested, would be helpful to confirm the new

    Ace Fekay [Microsoft Certified Trainer], Apr 8, 2009
  15. marek1712

    marek1712 Guest

    @Ace Fekay [Microsoft Certified Trainer],

    When you remove connection, that has been shared via ICS, ICS is disabled
    automatically (at least I think so).
    There's still a questions - how can I share my connection with other devices
    (it has to go through my PC)? Via RRaS (NAT function to be precise)?
    BTW - I'd like to know what multihoming is and why DHCP + ICS in not a good
    idea. Can I find it on Technet or should I rather search some MS Press books?

    @Meinolf Weber [MVP-DS]
    There were some entries with public IP, but I've removed them all.

    Still - it doesn't work. I had to return the router, so I've tried it
    without any internet connection. In a day or two I should get my own router
    so I'll be able to do more thorough tests.
    marek1712, Apr 8, 2009
  16. In
    It is better to use the Linksys router. To share a connection using NAT,
    which can be done, requires minimum or two NICs, which is called
    multihoming. Multihoming means the machine has more than one interface
    (NICs, PPPoE, RRAS, dialup, etc). Multhoming is not recommended on a domain
    controller due to the entries it registers into DNS. AD is Site aware. Sites
    are based on IP subnets. A multihomed DC has two IPs, and registers both,
    however a DC CANNOT be part of two Sites. If you define both as part of the
    one Site, then AD will think it has two DCs on that site with the same name,
    causing problems. Also, the GC record gets registered with both IPs, whici
    causes problems when a client gets the IP of the outside NIC and cannot
    communicate to it, therefore it fails to logon, etc. The LdapIpAddress gets
    registered twice, which is used for DFS and GPOs. If the client gets the
    outside NIC, neither will work and generate errors.

    To properly make a multihomed DC work properly requires quite a number of
    configuraiton changes including registry changes to alter a DC's default
    settings to force it to work. I will post the complete step by step for you
    in a separate reply for you to review, read and study carefully if you would
    like to attempt the tasks required if you would like to keep the DC
    ICS is a mini NAT service that allows to share the outside NIC with internal
    machines. ICS sets up it's own mini version of NAT, DNS proxying, and DHCP,
    none of which can be controlled or configured esily without registry
    changes. It also sets up the machine as a DNS proxy, and not a DNS server
    itself, proxying the DNS requests to the outside interface's DNS address.
    Therefore if you install DHCP on the same server as ICS, the two will
    conflict, as well as if DNS is installed, Matter of fact you will get 11196
    (trying to rememer the event ID#) in the event logs which clearly indicates
    the conflict.

    It's a DC. To make sure a DC works propertly to perform it;s function as a
    domain controller, configure it within recommended guidelines, and do not
    multhome it, nor use ICS.
    Ace Fekay [Microsoft Certified Trainer], Apr 9, 2009
  17. In marek1712 <>, posted the following:


    The following is my blog on multihoming. Please read to gain a better
    understanding of what it is, and what it causes on a DC.


    Multihomed DCs, DNS, RRAS servers.
    By Ace Fekay, Directory Services MVP

    Multihomed DCs WILL cause numerous issues. It's highly recommended to single
    home all DCs and use a non-DC for the multihoming purposes. If it is the
    internet gateway, it is recommended to purchase an inexpensive, or cable/DLS
    router, or even better, a Cisco or similar firewall to perform the task.
    This will protect a Windows machine from internet exposure and possible
    compromise, which if compromised by an internet attacker remotely, can
    further compromise the rest of the internal network.

    Also if attempting to use ICS on a DC, this further complicates matters with
    DC functionality, and cannot be fixed with the following steps outlined in
    this article.

    To explain why will require a little background on AD and DNS:

    First, just to get this out of the way, if you have your ISP's DNS addresses
    in your IP configuration (DCs and clients), they need to be REMOVED. If the
    ISP's DNS is in there, this will cause additional problems. I usually see
    errors (GPOs not working, can't find the domain, RPC issues, etc), when the
    ISP's DNS servers are listed on a client, DCs and/or member servers, or with
    multihomed DCs. If you have an ISP's (or some other outside DNS server or
    even using your router as a DNS server) DNS addresses in your IP
    configuration (all DCs, member servers and clients), they need to be REMOVED
    and ONLY use the internal DNS server(s). This can be very problematic.

    Basically, AD requires DNS. DNS stores AD's resource and service locations
    in the form of SRV records, hence how everything that is part of the domain
    will find resources in the domain. If the ISP's DNS is configured in the any
    of the internal AD member machines' IP properties, (including all client
    machines and DCs), the machines will be asking the ISP's DNS 'where is the
    domain controller for my domain?", whenever it needs to perform a function,
    (such as a logon request, replication request, querying and applying GPOs,
    etc). Unfortunately, the ISP's DNS does not have that info and they reply
    with an "I dunno know", and things just fail. Unfortunately, the ISP's (or
    your router as a DNS server) DNS doesn't have information or records about
    your internal private AD domain, and they shouldn't have that sort of

    Also, AD registers certain records in DNS in the form of SRV records that
    signify AD's resource and service locations. When there are multiple NICs,
    each NIC registers. IF a client, or another DC queries DNS for this DC, it
    may get the wrong record. One factor controlling this is Round Robin. If a
    DC or client on another subnet that the DC is not configured on queries for
    it, Round Robin will kick in offering one or the other. If the wrong one
    gets offered, it may not have a route to it. On the other hand, Subnetmask
    Priortization will ensure a querying client will get an IP that corresponds
    to the subnet it's on, which will work. To insure everything works, stick
    with one NIC.

    Since this DC is multi-homed, it requires additional configuration to
    prevent the public interface addresses from being registered in DNS. This
    creates a problem for internal clients locating AD to authenticate and find
    other services and resources such as the Global Catalog, file sharing and
    the SYSVOL DFS share and can cause GPO errors with Userenv 1000 events to be
    logged, authenticating to shares and printers, logging on takes forever,
    among numerous other issues.

    But if you like, there are some registry changes to eliminate the
    registration of the external NIC or simply use the internal networking
    routing to allow access. Here's the whole list of manual steps to follow.

    Another problem is the DC now becomes part of two Sites. This is another
    issue that can be problematic.

    But believe me, it's much easier to just get a separate NAT device or
    multihome a non-DC then having to alter the DC. If the both NICs are
    internal, I would suggest to pick a subnet, team the NICs and allow your
    internal routers handle the traffic between subnets - Good luck!

    1. Insure that all the NICS only point to your internal DNS server(s) only
    and none others, such as your ISP’s DNS servers’ IP addresses.

    2. In Network & Dialup properties, Advanced Menu item, Advanced Settings,
    move the internal NIC (the network that AD is on) to the top of the binding
    order (top of the list).

    3. Disable the ability for the outer NIC to register. The procedure, as
    mentioned, involves identifying the outer NIC’s GUID number. This link will
    show you how:
    246804 - How to Enable-Disable Windows 2000 Dynamic DNS Registrations (per
    NIC too):

    4. Disable NetBIOS on the outside NIC. That is performed by choosing to
    disable NetBIOS in IP Properties, Advanced, and you will find that under the
    “WINS†tab. You may want to look at step #3 in the article to show you how
    to disable NetBIOS on the RRAS interfaces if this is a RRAS server.
    296379 - How to Disable NetBIOS on an Incoming Remote Access Interface
    [Registry Entry]:

    Note: A standard Windows service, called the “Browser serviceâ€, provides the
    list of machines, workgroup and domain names that you see in “My Network
    Places†(or the legacy term “Network Neighborhoodâ€). The Browser service
    relies on the NetBIOS service. One major requirement of NetBIOS service is a
    machine can only have one name to one IP address. It’s sort of a
    fingerprint. You can’t have two brothers named Darrell. A multihomed machine
    will cause duplicate name errors on itself because Windows sees itself with
    the same name in the Browse List (My Network Places), but with different
    IPs. You can only have one, hence the error generated.

    5. Disable the “File and Print Service†and disable the “MS Client Serviceâ€
    on the outer NIC. That is done in NIC properties by unchecking the
    respective service under the general properties page. If you need these
    services on the outside NIC (which is unlikely), which allow other machines
    to connect to your machine for accessing resource on your machine (shared
    folders, printers, etc.), then you will probably need to keep them enabled.

    6. Uncheck “Register this connection†under IP properties, Advanced
    settings, “DNS†tab.

    7. Delete the outer NIC IP address, disable Netlogon registration, and
    manually create the required records

    a. In DNS under the zone name, (your DNS domain name), delete the outer
    NIC’s IP references for the “LdapIpAddressâ€. If this is a GC, you will need
    to delete the GC IP record as well (the “GcIpAddressâ€). To do that, in the
    DNS console, under the zone name, you will see the _msdcs folder.

    Under that, you will see the _gc folder. To the right, you will see the IP
    address referencing the GC address. That is called the GcIpAddress. Delete
    the IP addresses referencing the outer NIC.
    i. To stop these two records from registering that information,
    use the steps provided in the links below:
    Private Network Interfaces on a Domain Controller Are Registered in DNS

    ii. The one section of the article that disables these records is
    done with this registry entry:

    (Create this Multi-String Value under it):
    Registry value: DnsAvoidRegisterRecords
    Data type: REG_MULTI_SZ
    Values: LdapIpAddress

    iii. Here is more information on these and other Netlogon Service records:
    Restrict the DNS SRV resource records updated by the Netlogon service
    [including GC]:

    b. Then you will need to manually create these two records in DNS with
    the IP addresses that you need for the DC. To create the LdapIpAddress,
    create a new host under the domain, but leave the “hostname†field blank,
    and provide the internal IP of the DC, which results in a record that looks
    (same as parent) A ( is used for illustrative

    i. You need to also manually create the GcIpAddress as well, if
    this is a GC. That would be under the _msdcs._gc SRV record under the zone.
    It is created in the same fashion as the LdapIpAddress mentioned above.

    8. In the DNS console, right click the server name, choose properties, then
    under the “Interfaces†tab, force it only to listen to the internal NIC’s IP
    address, and not the IP address of the outer NIC.

    9. Since this is also a DNS server, the IPs from all NICs will register,
    even if you tell it not to in the NIC properties. See this to show you how
    to stop that behavior (this procedure is for Windows 2000, but will also
    work for Windows 2003):
    275554 - The Host's A Record Is Registered in DNS After You Choose Not to
    Register the Connection's Address:

    10. If you haven't done so, configure a forwarder. You can use if
    not sure which DNS to forward to until you've got the DNS address of your
    How to set a forwarder? Good question. Depending on your operating
    system,choose one of the following articles:

    300202 - HOW TO: Configure DNS for Internet Access in Windows 2000

    323380 - HOW TO: Configure DNS for Internet Access in Windows Server 2003
    (How to configure a forwarder):

    Active Directory communication fails on multihomed domain controllers

    <==*** Some additional reading ***==>
    More links to read up and understand what is going on:

    292822 - Name Resolution and Connectivity Issues on Windows 2000 Domain
    Controller with Routing and Remote Access and DNS Insta {DNS and RRAS and
    unwanted IPs registering]:

    Active Directory communication fails on multihomed domain controllers

    246804 - How to enable or disable DNS updates in Windows 2000 and in Windows
    Server 2003

    295328 - Private Network Interfaces on a Domain Controller Are Registered in
    DNS [also shows DnsAvoidRegisterRecords LdapIpAddress to avoid reg
    sameasparent private IP]:

    306602 - How to Optimize the Location of a DC or GC That Resides Outside of
    a Client's Site [Includes info LdapIpAddress and GcIpAddress information and
    the SRV mnemonic values]:

    825036 - Best practices for DNS client settings in Windows 2000 Server and
    in Windows Server 2003 (including how-to configure a forwarder):

    291382 - Frequently asked questions about Windows 2000 DNS and Windows
    Server 2003 DNS

    296379 - How to Disable NetBIOS on an Incoming Remote Access Interface
    [Registry Entry]:

    Rid Pool Errors and other multihomed DC errors, and how to configure a
    multihomed DC, Ace Fekay, 24 Feb 2006

    257623 257623 Domain Controller's Domain Name System Suffix Does Not Match
    Domain Name

    Ace Fekay [Microsoft Certified Trainer], Apr 9, 2009
  18. marek1712

    marek1712 Guest

    I have bought my own router (Linksys WAG160N), did what you told me and that
    problem still exists.
    marek1712, Apr 12, 2009
  19. In
    Apprently something else is going on that is preventing you from opening

    Have you confirmed that RRAS, ICS, NAT, uninstall the PPPeE software, and
    everything else that was implemented prior to this are all disabled?

    Please run and/or post the following:
    1. net start > c\netstart.txt (please post what is in the text file)
    2. dcdiag /v /fix > c:\dcdiag.txt (please post what is in the text file)
    3. netdiag /v /fix > c:\netdiag.txt (please post what is in the text file)
    4. Re-run a new ipconfig /all for us.
    5. Any event log errors (in any of the logs)?
    6. When you look in DNS, do you see any IP addresses other than the current
    IP address thsi machine is set to? If so, please delete them. This includes
    the LdapIpAddres, which is the one that shows up as "(same as parent)" name.
    The only IP that shows up for this is the current IP. Same with the hostname
    record. Also check the _gc folder under _msdcs. There should only be one IP

    Ace Fekay [Microsoft Certified Trainer], Apr 12, 2009
  20. marek1712

    marek1712 Guest

    "Windows IP Configuration

    Host Name . . . . . . . . . . . . : serwerAD
    Primary Dns Suffix . . . . . . . : przyklad.pl
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : przyklad.pl

    Ethernet adapter PoˆĄczenie lokalne:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast
    Ethernet NIC
    Physical Address. . . . . . . . . : XX-08-XX-07-XX-XX
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :
    NetBIOS over Tcpip. . . . . . . . : Enabled" is the router's address. I've disabled ICS, removed all the
    unnecessary entries from the DNS and nothing has changed (at least that was
    what I've thought).

    However, it doesn't work when I try to add the group using default "From
    this location": przyklad.pl. It works only when I choose "Users" container
    from the list (built-in part of the domain).
    Could someone explain that phenomena to me?
    Anyway: big thanks to you, Meinolf and Ace Fekay. There were some issues I
    didn't know about and you told me about them.
    marek1712, Apr 13, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.