Cannot join a 2008-R2 machine (isa server is my guess)


  • Cannot join a 2008-R2 machine (isa server is my guess)

    Hello,

    I have 2 DCs (2008 R2) on the LAN network, 192.168.1.0/24.
    I also have an ISA Server 2006.

    On the perimeter network (192.168.2.0/24) I am trying to join both a 2008 32-bit and a 2008 R2 machine to the domain.
    The former joins the domain flawlessly; the latter cannot, and there is an error message.

    The interesting thing is that if I put the 2008-R2 machine in the same LAN as the DCs, the problem disappears, which makes me think of ISA Server.

    Does anyone know about any known issues when attaching a 2008 R2 to a domain through ISA? I am getting a bit desperate; I have reviewed Event Viewer, dcdiag, looked on the internet for the same problem, and so forth, no luck so far.

    THANKS IN ADVANCE!
    Last edited by loureed4; 14th July 2014, 17:40. Reason: makes things more clear
    -
    Madrid (Spain).

  • #2
    Re: Cannot join a 2008-R2 machine (isa server is my guess)

    If you get an error message then please post it. That will help in determining a possible solution. Also get used to looking in the Event Viewer as it can help determine what is happening.
    1 1 was a racehorse.
    2 2 was 1 2.
    1 1 1 1 race 1 day,
    2 2 1 1 2



    • #3
      Re: Cannot join a 2008-R2 machine (isa server is my guess)

      Just for a test, see if the 2008-R2 machine can successfully ping to the DC. If not, try adding an ICMP permit rule to your firewall from the joining-PC's IP source to the DC's subnet (allowing for multiple DCs), and see if that sorts it out. Never could find any documentation about it, but if pings are disabled, joins don't work.

      If that works OK, open a monitor session on your firewall from the joining server to your DC and try the join again. There has to be some comms issue, and the blocked traffic should show right up.

      Not certain about ISA 2006, but I used to use ISA2004 and monitoring traffic in real time wasn't difficult at all. The in-built help did just that.
      *RicklesP*
      MSCA (2003/XP), Security+, CCNA

      ** Remember: credit where credit is due, and reputation points as appropriate **



      • #4
        Re: Cannot join a 2008-R2 machine (isa server is my guess)

        Thanks both RicklesP and biggles77.

        RicklesP, the error message:

        "Changing the Primary Domain DNS name of this computer to "" failed." I googled it and nothing doing until I found this:

        http://blogs.technet.com/b/instan/ar...ot-failed.aspx

        which says:
        "...
        This is a bogus error message that can be safely ignored - it's caused by the domain join code ending up in a function which it doesn't need to run anyway during a domain join operation using the GUI.

        What's failing is the attempt to change the Primary DNS suffix of the machine after the domain join has succeeded - but the Primary DNS suffix is already correct at that point which is why this can be ignored.

        The domain join itself is not affected at all and will have succeeded if you're seeing this specific error message with the empty quotation marks as that code is only run after a successful domain join.

        As frustrating as it is, this is unfortunately one of those cosmetic issues which aren't likely to be fixed until the next OS version - primarily because it has zero impact and no effect beyond the ugly error message.
        A workaround that removes the error message is to populate the Primary DNS suffix of the machine before attempting the domain join.
        ..."


        .....................


        AND THAT DID THE TRICK!!


        I created a rule permitting all the traffic back and forth between LAN and Perimeter, just to see if it was a badly built rule that was causing the problem, but nothing doing.


        I also monitored the traffic between the PC trying to join the domain and the DCs, and saw nothing red-coloured ("denied traffic").


        Thanks all!!



        Finally I worked it out with the bold text above, but I cannot understand the issue.
        -
        Madrid (Spain).



        • #5
          Re: Cannot join a 2008-R2 machine (isa server is my guess)

          FYI loureed4: The article at the link you provided included someone's footnote from a Technet article, which referred to NetBIOS traffic to port 137 at the DC. That's not routed traffic, unless you've turned on the option to use NetBIOS over TCP/IP under your NIC advanced properties. When there's a Cisco device as the router, I recommend putting in what's called an 'ip helper-address' entry. When you opened up the ISA rule to allow everything between the 2 server legs, that effectively did the same thing.
          *RicklesP*
          MSCA (2003/XP), Security+, CCNA

          ** Remember: credit where credit is due, and reputation points as appropriate **



          • #6
            Re: Cannot join a 2008-R2 machine (isa server is my guess)

            Thanks a lot RicklesP!

            I don't fully understand the idea of NetBIOS being enabled.

            As a matter of fact, I have just checked it and it is enabled on my DC (the other DC is down on purpose, to test some things).

            Anyway, as soon as I remove the ISA from the picture, things run smoothly and the 2008 R2 machine joins the domain; that is why I put the blame on the ISA machine.

            Also, if I recall correctly, I saw 137 TCP traffic when monitoring the ISA Server when the PC tried to join the domain; there were, as you know, many different types of traffic at that moment: 445, 88, 389...

            Probably I didn't understand the whole idea of yours, Rickles, for I am not that expert.

            Again: THANKS A LOT !!
            -
            Madrid (Spain).
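
The checks discussed in this thread (ping, the ports seen during the join, and the Primary DNS suffix workaround) can be run from the joining server in one pass. The script below is an added example and not part of any post above; `$Domain` and `$DomainController` are placeholder values, and it sticks to calls available in the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added example: pre-join check, run on the perimeter server before the join.
# Placeholder values, not taken from the thread:
$Domain           = 'corp.example'     # AD DNS domain name
$DomainController = '192.168.1.10'     # a DC on the LAN leg behind ISA

# TCP ports the thread saw during the join (88, 389, 445), plus DNS and the
# RPC endpoint mapper, which a domain join also uses.
$Ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper';
            389 = 'LDAP'; 445 = 'SMB' }

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Async connect so a silently dropped packet does not hang the script
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. ICMP, as suggested in post #3
$ping = Test-Connection -ComputerName $DomainController -Count 2 -Quiet
"ICMP echo to ${DomainController}: $ping"

# 2. TCP reachability through the firewall
foreach ($port in ($Ports.Keys | Sort-Object)) {
    $state = if (Test-TcpPort $DomainController $port) { 'open' } else { 'blocked or closed' }
    '{0,-20} tcp/{1,-4} {2}' -f $Ports[$port], $port, $state
}

# 3. Can this machine locate a DC through DNS?
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"

# 4. Primary DNS suffix (the workaround quoted in post #4 is to set it first)
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$suffix = (Get-ItemProperty -Path $tcpip).'NV Domain'
if ([string]::IsNullOrEmpty($suffix)) {
    "Primary DNS suffix is empty; the workaround would set it to $Domain"
    # Uncomment to apply, then restart before joining:
    # Set-ItemProperty -Path $tcpip -Name 'NV Domain' -Value $Domain
} else {
    "Primary DNS suffix: $suffix"
}
```

Any port reported as blocked should show up as a denied connection in the firewall's real-time log at the same moment, which is the quickest way to tie a failed join to a specific rule.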
