server 2008 cannot join dom
  • server 2008 cannot join dom

    I should be doing this backwards in my sleep, however:

    I have two cloud-hosted servers. One is a 2008 DC, hosted on one subnet with a hosting provider.
    The other is a 2008 terminal server, hosted on an entirely different IP range. I've inherited it like this, so we can't just change it.

    The domain in question is company.local.

    The server was previously connected to the domain and authenticating properly, but recently has started to display classic unable-to-contact-domain issues: unable to resolve SIDs, unable to deploy group policy, unable to log on as a non-cached user, etc.

    I can correctly ping the FQDN, and resolve the relevant host names.
    So, I took the computer out of the domain.

    Now, I can't rejoin it. I'm getting "cannot join domain, network path was not found".


    As best as I can tell, there's no firewall in between. I've found a couple of firewall options that were blocked (SMB, things like that), but I've specifically re-enabled all AD and basic network firewall profiles.

    Any ideas?
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

  • #2
    Re: server 2008 cannot join dom

    How are you connecting the two subnets?
    Have you tried adding a static route on both sides -- and can you resolve names both ways?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: server 2008 cannot join dom

      The two addresses (I wouldn't really say subnets) are connected, and I can ping both ways, yes.


      • #4
        Re: server 2008 cannot join dom

        You're going to hate me for this , but can you post IPCONFIG/ALL from each end?

        I've found the static route will sometimes resolve issues even when you can ping.
        Also, is a suitable subnet for the TS defined in ADSS?


        • #5
          Re: server 2008 cannot join dom

          Windows IP Configuration

          Host Name . . . . . . . . . . . . : VPS10
          Primary Dns Suffix . . . . . . . :
          Node Type . . . . . . . . . . . . : Hybrid
          IP Routing Enabled. . . . . . . . : No
          WINS Proxy Enabled. . . . . . . . : No

          Ethernet adapter External Network:

          Connection-specific DNS Suffix . :
          Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
          Physical Address. . . . . . . . . : 00-15-5D-84-A0-BE
          DHCP Enabled. . . . . . . . . . . : No
          Autoconfiguration Enabled . . . . : Yes
          Link-local IPv6 Address . . . . . : fe80::6962:3771:1cb3xxc%xx(Preferred)
          IPv4 Address. . . . . . . . . . . : 173.248.133.XX(Preferred)
          Subnet Mask . . . . . . . . . . . : 255.255.255.128
          IPv4 Address. . . . . . . . . . . : 173.248.133.XX(Preferred)
          Subnet Mask . . . . . . . . . . . : 255.255.255.128
          Default Gateway . . . . . . . . . : 173.248.133.XX
          DHCPv6 IAID . . . . . . . . . . . : 268440925
          DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-BC-C5-90-00-15-5D-84-A0-BE
          DNS Servers . . . . . . . . . . . : 184.164.158.26
          NetBIOS over Tcpip. . . . . . . . : Enabled
          And on the DC:

          Windows IP Configuration

          Host Name . . . . . . . . . . . . : TheDC
          Primary Dns Suffix . . . . . . . : domain.local
          Node Type . . . . . . . . . . . . : Hybrid
          IP Routing Enabled. . . . . . . . : No
          WINS Proxy Enabled. . . . . . . . : No
          DNS Suffix Search List. . . . . . : domain.local

          Ethernet adapter Private:

          Connection-specific DNS Suffix . :
          Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2
          Physical Address. . . . . . . . . : 00-25-90-3A-BB-D8
          DHCP Enabled. . . . . . . . . . . : No
          Autoconfiguration Enabled . . . . : Yes
          IPv4 Address. . . . . . . . . . . : 172.24.yyy.xxx(Preferred)
          Subnet Mask . . . . . . . . . . . : 255.255.255.128
          Default Gateway . . . . . . . . . :
          DNS Servers . . . . . . . . . . . : 172.24.yyy.xx
          NetBIOS over Tcpip. . . . . . . . : Enabled

          Ethernet adapter Public:

          Connection-specific DNS Suffix . :
          Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
          Physical Address. . . . . . . . . : 00-25-90-3A-BB-D9
          DHCP Enabled. . . . . . . . . . . : No
          Autoconfiguration Enabled . . . . : Yes
          IPv4 Address. . . . . . . . . . . : 184.164.ccc.ee(Preferred)
          Subnet Mask . . . . . . . . . . . : 255.255.255.248
          Default Gateway . . . . . . . . . : 184.164.ccc.dd
          DNS Servers . . . . . . . . . . . : 184.164.ccc.ee
          NetBIOS over Tcpip. . . . . . . . : Enabled
          I've made some changes for obvious reasons, and excluded things like ISATAP and 6to4,
          but that's basically it. One thing I have thought of is changing the binding order of the NICs.
          We can leave the "private" adapter out of it though; that's the backend for, as I understand it, the hosting company to manage things.
          There's no IPv6 on the DC, because I specifically disabled it as a troubleshooting scenario.



          DCDiag doesn't find any problems at all.

          Doing some more troubleshooting now, specifically in relation to DNS, and I find this:
          > set q=any
          > _gc._msdcs.domain.local
          Server: exch.domain.local
          Address: 184.164.yy.zz

          *** exch.domain.local can't find _gc._msdcsdomain.local: Non-existent domain
          >
          Shouldn't DCDiag detect this? Having run dcdiag again, I get the following:
          Warning: The AAAA record for this DC was not found
          Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)
          No fatals, just warnings. I re-added IPv6 and that seems fixed now.


          From the remote computer, I can do net view \\domain.local and it comes up with "access is denied".
          If I try "map computer" via Explorer, and pass it explicit credentials, it just sits for a while and then times out.
          Last edited by tehcamel; 30th October 2011, 22:10.


          • #6
            Re: server 2008 cannot join dom

            I'm still not clear how the two subnets route from one to the other, especially since the DC doesn't have a default gateway. I would be inclined to look into the networking side and see if the datacentre have "improved" things recently without telling you.


            • #7
              Re: server 2008 cannot join dom

              The DC does have a default gateway; it's on the "public" NIC.
              The private is just for management by the data centre.

              Uhm.. they route over the internet.


              • #8
                Re: server 2008 cannot join dom

                Originally posted by tehcamel:
                ...
                unable to resolve SIDs, unable to deply group policy, unable to logon as a non-cached user, etc.
                ...
                My bet is that this computer is not able to see the domain, but it was able to once.

                First, make sure DNS is working, use nslookup like this:

                Code:
                C:\Users\mKolus>nslookup
                > server DC_IP_ADDRESS
                > gc._msdcs.DOMAIN.COM
                It should return the IP addresses of the Global Catalog servers.



                • #9
                  Re: server 2008 cannot join dom

                  Originally posted by tehcamel:
                  The DC does have a default gateway; it's on the "public" NIC.
                  The private is just for management by the data centre.

                  Uhm.. they route over the internet.
                  Did you check this?

                  technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

                  One or more ports may be blocked.



                  • #10
                    Re: server 2008 cannot join dom

                    I already completely downed the firewall on both hosts for testing purposes. I also turned on the firewall log. All I could see was DNS (port 53) connections, then port 389 connections.

                    The DNS lookups are working. I just checked again to make sure.


                    • #11
                      Re: server 2008 cannot join dom

                      Originally posted by tehcamel:
                      I already completely downed the firewall on both hosts for testing purposes. I also turned on the firewall log. All I could see was DNS (port 53) connections, then port 389 connections.
                      The DNS lookups are working. I just checked again to make sure.
                      1) What about the firewall and routers between the hosts?

                      2) Is there a time difference between the server and the DC? (More than 5 minutes.)

                      3) I assume there isn't, but is there a machine account already in the domain?

                      4) Can you access the DC by using a UNC path and providing valid credentials? (i.e. \\DC\NETLOGON)

                      5) What about the security log on the DC? Does it say anything about your server?

                      And as a desperate move...

                      6) Try to use Wireshark on BOTH hosts during the domain join operation, and see if there are any network-related errors.

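The checks from posts #8 (SRV lookups against the DC), #9 (the AD port list) and #11 (time skew, NETLOGON over UNC) can be run in one pass from the member server. The script below is an added example, written for this thread and not posted by any of the participants; it targets PowerShell 2.0 as shipped with Server 2008, which is why it shells out to nslookup and w32tm rather than using Resolve-DnsName or Test-NetConnection (neither exists on 2008). The domain name and DC address are placeholder assumptions to be replaced; the SRV names are the ones AD DS actually registers, and the port set is the one the TechNet article linked in post #9 lists for a domain join.

```powershell
# Added example: pre-join connectivity checks for a Server 2008 member server.
# Not from the thread. Run on the terminal server, against the DC's public address.
param(
    [string]$Domain = 'domain.local',   # assumption: the AD DNS name
    [string]$DcIp   = '184.164.0.1'     # assumption: the DC's reachable address
)

$results = @()

function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# 1. DNS: a join locates a DC through these SRV records, so query them at the
#    DC's own DNS server (nslookup, because Resolve-DnsName does not exist on 2008).
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain"
)
foreach ($name in $srvNames) {
    $out = & nslookup -type=SRV $name $DcIp 2>&1 | Out-String
    $ok  = $out -match 'svr hostname\s*=\s*(\S+)'
    Add-Result "SRV $name" $ok $(if ($ok) { $Matches[1] } else { 'no SRV record returned' })
}

# 2. Ports: the firewall log in post #10 only ever showed 53 and 389, but a join
#    also needs Kerberos, RPC and SMB. A 3 s TCP connect test per port.
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP';
            445 = 'SMB'; 464 = 'Kerberos password change'; 636 = 'LDAPS'; 3268 = 'Global Catalog' }
foreach ($port in ($ports.Keys | Sort-Object)) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($DcIp, $port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne(3000, $false) -and $client.Connected
    } catch { $ok = $false }
    finally { $client.Close() }
    Add-Result "TCP $port ($($ports[$port]))" $ok $(if ($ok) { 'open' } else { 'blocked or filtered' })
}

# 3. Time skew: Kerberos rejects tickets beyond 5 minutes of clock difference.
#    w32tm prints one sample as "hh:mm:ss, +00.0123456s".
$chart = & w32tm /stripchart /computer:$DcIp /samples:1 /dataonly 2>&1 | Out-String
if ($chart -match '([+-]\d+\.\d+)s') {
    $skew = [math]::Abs([double]$Matches[1])
    Add-Result 'Clock skew vs DC' ($skew -lt 300) ("{0:N1} s" -f $skew)
} else {
    Add-Result 'Clock skew vs DC' $false 'w32tm could not sample the DC (UDP 123 blocked?)'
}

# 4. SMB and the NETLOGON share, as in item 4 of post #11. Uses the current
#    logon's credentials; run "net use \\DC\NETLOGON /user:DOMAIN\account" first
#    if the server is no longer a member and needs explicit credentials.
$netlogon = "\\$DcIp\NETLOGON"
$shareOk  = Test-Path $netlogon
Add-Result "UNC $netlogon" $shareOk $(if ($shareOk) { 'reachable' } else { 'not reachable (SMB/445 or auth)' })

$results | Format-Table Check, Ok, Detail -AutoSize
```

Any row that comes back with Ok = False is a concrete lead: a missing SRV record points at the DC's DNS zone, a filtered port at the hosting provider's edge, a large skew at Kerberos. Note that the port section is also a reminder of what this topology costs: those are the ports the DC is exposing to the whole internet for the join to work at all, which is the argument for the VPN suggested in post #12 rather than for opening more of them.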


                      • #12
                        Re: server 2008 cannot join dom

                        Andy, can you create a simple VPN just to get you direct connectivity that will allow you to DCPROMO it?

                        If we throw enough ideas at it one of the suckers is going to work.
                        1 1 was a racehorse.
                        2 2 was 1 2.
                        1 1 1 1 race 1 day,
                        2 2 1 1 2



                        • #13
                          Re: server 2008 cannot join dom

                          Been told not to expend too much time on it.
                          They are happy to have it standalone.

                          I did consider a VPN, but then there'd be the hassle of making the VPN always come up, etc.