Pls Help: Can't Join Windows 2008 R2 Domain

stwong

Hi all,

I'm a newbie to Windows and sorry for the FAQ. A domain (mydom.edu.hk) is set up with 2 DCs. Clients on another VLAN can't join the domain, with the error "The network was not found". All ports between the DCs and clients are opened in the firewall, while Windows Firewall is disabled for testing purposes. Then on the DCs, I ran dcdiag /v /c /e /d and got the following error:

------------ cut here -----------
Testing server: Default-First-Site-Name\MY-DC1
Starting test: Advertising
The DC MY-DC1 is advertising itself as a DC and having a DS.
The DC MY-DC1 is advertising as an LDAP server
The DC MY-DC1 is advertising as having a writeable directory
The DC MY-DC1 is advertising as a Key Distribution Center
The DC MY-DC1 is advertising as a time server
The DS MY-DC1 is advertising as a GC.
......................... MY-DC1 passed test Advertising
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC MY-DC1 for domain mydom.edu.hk in site Default-First-Site-Name
Checking machine account for DC MY-DC1 on DC MY-DC1.
Could not open pipe with [MY-DC1]:failed with 53:
The network path was not found.
Could not get NetBIOSDomainName
Failed can not test for HOST SPN
Failed can not test for HOST SPN
* SPN found :LDAP/my-dc1.mydom.edu.hk/mydom.edu.hk
* SPN found :LDAP/my-dc1.mydom.edu.hk
* SPN found :LDAP/MY-DC1

----------- cut here -----------

while dcdiag gives:

--------------------- cut here ------------------------
Doing primary tests

Testing server: Default-First-Site-Name\MY-DC1
Starting test: Advertising
......................... MY-DC1 passed test Advertising
Starting test: FrsEvent
......................... MY-DC1 passed test FrsEvent
Starting test: DFSREvent
......................... MY-DC1 passed test DFSREvent
Starting test: SysVolCheck
[MY-DC1] An net use or LsaPolicy operation failed with error 53,
The network path was not found..
......................... MY-DC1 failed test SysVolCheck
Starting test: KccEvent
......................... MY-DC1 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... MY-DC1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Could not open pipe with [MY-DC1]:failed with 53:
The network path was not found.
Could not get NetBIOSDomainName
Failed can not test for HOST SPN
Failed can not test for HOST SPN
......................... MY-DC1 passed test MachineAccount

--------------------- cut here ------------------------

DNS seems to work if I nslookup my-dc1.mydom.edu.hk on both the DCs and the clients. I have no idea about the cause after some Google searching. Would anyone please help?

Thanks a lot.
/ST Wong
 
The problem is your DNS server, I don't know what, but you can check the event viewer for errors. Something cannot be resolved. Are you sure you've installed AD properly?
 
Thanks for your advice. The domain was set up by other colleagues while I've just picked it up...

I can query (forward and reverse) my-dc1.mydom.edu.hk using nslookup against the DNS on the DCs, while there is no error in DNS event log. What else shall I check?

Thanks again.

Regards,
/ST Wong
 
Here's the problem:

Checking machine account for DC MY-DC1 on DC MY-DC1.
Could not open pipe with [MY-DC1]:failed with 53:
The network path was not found.
Could not get NetBIOSDomainName
Failed can not test for HOST SPN
Failed can not test for HOST SPN
* SPN found :LDAP/my-dc1.mydom.edu.hk/mydom.edu.hk
* SPN found :LDAP/my-dc1.mydom.edu.hk
* SPN found :LDAP/MY-DC1

So, let's check some settings.

Right-click "COMPUTER" > Properties and select the COMPUTER NAME tab. Check whether the FULL COMPUTER name matches the DOMAIN. Example: full name: mycomputer.mydomain.local.private, domain: mydomain.local.private. This is OK. If you have something like this: full name: mycomputer.mydomain.local.private, domain: mydomain.private, this is a DNS SUFFIX MISMATCH.

Anyway, once you have checked these settings, type ipconfig /all at a command prompt and check the entry "Connection-specific DNS Suffix". If this is different from the domain you found in the "Computer Name" tab, right-click your network connection, Properties > TCP/IP (v4) > Properties > Advanced > General, and modify the DNS suffix.
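The comparison described in the reply above can be collected in one pass. This is an added example, not part of the original post: a read-only PowerShell report of the full computer name, the domain, each adapter's connection-specific DNS suffix and its NetBIOS over TCP/IP setting. It assumes `Win32_ComputerSystem.Domain` holds the DNS name of the joined domain and only reports the values; it changes nothing.

```powershell
# Added example: read-only report of the names a DC or client uses for itself.
# Uses WMI classes present on Windows Server 2008 R2 (PowerShell 2.0).

$cs = Get-WmiObject -Class Win32_ComputerSystem

# Primary DNS suffix, the value behind the "Computer Name" tab.
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$primarySuffix = $tcpip.Domain

if ($primarySuffix) { $fullName = "$($cs.DNSHostName).$primarySuffix" }
else                { $fullName = $cs.DNSHostName }

New-Object PSObject -Property @{
    FullComputerName   = $fullName
    Domain             = $cs.Domain
    PartOfDomain       = $cs.PartOfDomain
    # -eq on strings is case-insensitive in PowerShell
    PrimarySuffixMatch = ($primarySuffix -eq $cs.Domain)
} | Format-List

# One entry per IP-enabled adapter: connection-specific suffix and NetBIOS setting.
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $a = $_   # keep the adapter; switch rebinds $_ inside its clauses

        switch ($a.TcpipNetbiosOptions) {
            0       { $netbios = 'Default (taken from DHCP)' }
            1       { $netbios = 'Enabled' }
            2       { $netbios = 'Disabled' }
            default { $netbios = 'Unknown' }
        }

        # An empty suffix is reported separately from a differing one.
        if (-not $a.DNSDomain)               { $suffixState = 'Empty' }
        elseif ($a.DNSDomain -eq $cs.Domain) { $suffixState = 'Matches domain' }
        else                                 { $suffixState = 'Differs from domain' }

        New-Object PSObject -Property @{
            Adapter          = $a.Description
            ConnectionSuffix = $a.DNSDomain
            SuffixState      = $suffixState
            NetbiosOverTcpip = $netbios
            DnsServers       = ($a.DNSServerSearchOrder -join ', ')
        }
    } | Format-List
```

Run it on each DC and on a client that fails to join, then compare the outputs side by side.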
 
Hi, the "Connection-specific DNS Suffix" is empty on the DCs. I updated and rebooted them all. However, dcdiag still gets the same error while the clients still can't join the domain. What else shall I check? Thanks again.

Best Regards,
/ST Wong
 
Assuming that NetBIOS is up & running, check your COMPUTER container. You SHOULD NOT see your domain controller; it should be only in the DOMAIN CONTROLLER OU.

Let me know.
 
NetBIOS is not running. I enabled it and tried again. I see the DC computers' names appear in both COMPUTER and DOMAIN CONTROLLER in the "Active Directory Users and Computers" utility. Sorry that I accidentally deleted the computers from COMPUTER but they can't be added back. What should I do next? Thank you very much.
 
Anyway, I'm going to set up the domain from scratch again to check if any step was missed. Thanks for your help.
 
We didn't add the DC to the COMPUTER OU. Will it be added in any setup step? Let's see if the problem can be 'resolved' after re-installing the domain (by a different colleague :).

Anyway, it seems NetBIOS is needed although not mentioned in the domain setup steps?

Thank you very much for your help.
 
NetBIOS should be running to avoid any problem related to name resolution. Unluckily, NetBIOS is still used by MS, although MS says this is not true...
 