# 2003r2 / XP Pro sp3 - cannot contact domain controller



## JHS (Aug 15, 2002)

Here's a good one for you...

W2003 R2 as the DC/ DNS
IP 192.168.1.10
GW 1.1
DNS self (127.0.0.1)
20+ other machines in the same site, no problem logging in, all joined to the domain already.

Now.. new laptop brought aboard. XP Pro/sp3
IP 192.168.1.150
GW 1.1
DNS 192.168.1.10 (the server)

I can ping from the laptop, the server by name or by its IP
I can ping the laptop from the server by IP
Used netsh firewall reset to default all the firewall settings on the laptop
Then tried disabling the firewall on the laptop (never normally do, but tried it)
Disabled the firewall on the server (never normally do, but tried it)
Checked both are in sync for their clocks/date
I've enabled NetBIOS on the server and the Laptop (never needed it before though but tried this anyway)
I can use Remote Desktop on the laptop to connect to the server
Rebooted the laptop multiple times along the way just to be sure changes were refreshed and loaded

But no matter what, the laptop will not be allowed to join the domain. 
I keep getting the stupid error "A domain controller for the domain cannot be contacted"

Looking at the dcdiag.txt file this error creates on the laptop, it shows the results for a query of domain controllers has all our DC's exactly as they should be (there are others aside from the 1.10). It shows their names just fine. There are no error events in the server logs anywhere to indicate conversation with the laptop or errors/rejections from the server side.

The gateway, a router, has no rules that block chatter between the two machines (self apparent I guess since I mentioned pings work both ways, and remote desktop). 

It just produces instantaneous refusal to speak to a controller when I try to join the domain. I have never seen anything this screwed over before. It's eaten 3 hours of my time now, and after all those variants, I have no idea why the hell this thing won't even give a split second delay like it's actually trying to talk to one of the controllers, and then refusing.

Anyone else have some suggestions on a source for this problem?


----------



## srhoades (May 15, 2003)

Use netsh to reset the TCP/IP stack. Also, let it get an address DHCP if it is not already. Lastly, check for the latest NIC drivers. Check eventvwr on both sides, see if you get something more specific.


----------



## JHS (Aug 15, 2002)

Well actually, the machine was at first getting all its settings from DHCP. I then went static to see if that would make any difference, but it hasn't.

I just reset the TCP/IP using the manual method described here
http://support.microsoft.com/kb/299357

No errors in the event view on either the server or the client that shows any clue as to the refusal for the joining of the domain. No messages about access denied, policy blocked, routing issues, etc.


----------



## Rockn (Jul 29, 2001)

What IP address is the laptop getting when you use DHCP on the laptop? I am also unsure why you would use a loopback address on the server as a DNS server entry, use its own address.

I would also delete every component in the network connection for the laptop, reboot and add them again.


----------



## mucker2010 (May 24, 2011)

The key here is that it says a domain controller cannot be found!

The normal error to this is that the domain cannot be found.

This suggests that basic networking (inc DNS to a point) is working correctly. I think that your client can resolve DNS names correctly. Maybe one of the DNS servers it contacts has a messed up DNS zone.
That error indicates that it finds the DNS zone but then looks up records to locate a DC and can't find one. I suggest you try configuring IP settings manually and configure it to look at one DNS server at a time. Try adding it again each time. When it fails try another DNS server until it (possibly) works. This will not take long to test so it is worth a go.


----------



## JHS (Aug 15, 2002)

No, that's what I've already said - DHCP was the method of assignment, and I have already switched to static IP settings, which made no difference. When the error message arises, it shows a list of DC's that a query of the domain found. The DC's listed are correct.

Each time I re-try to join the domain it shows the list cycles correctly too (the first listed DC becomes the bottom of the list when I try the second time, the new top one becomes the bottom listed DC when I try a third time, etc). 

nslookup by the DC name shows the correct IP. 
Forward and reverse settings are configured for the zone. 

It's insane - everything is there, this should be perfectly fine. The speed with which it replies with a domain controller cannot be found is bizarre, because the query for a DC is blazingly fast, shows them, but says it doesn't find one?? It's totally senseless. I'm at the point where I may just wipe this laptop right out and re-install windows from scratch. But this is a new laptop to begin with, so it's never been corrupted by a virus or malware crap.


----------



## mucker2010 (May 24, 2011)

Isn't Dcdiag run on the DC and not the laptop? I'm sure it's a server tool. So in other words this doesn't prove that the client can resolve a DC. I know you can download dcdiag and run it on the client, so if you have done this then ignore this comment.


----------



## Rockn (Jul 29, 2001)

Have you tried to prepopulate that computer account in AD users and computers? The server should be logging these events if I am not mistaken. There isn't by chance a duplicate computer name in AD....somewhere?

DCDIAG is a server tool, but I think you can run it from anywhere as long as you point it at a server and have the correct credentials to run it. Just like you can run any admin tools from a workstation in an MMC.


----------



## mucker2010 (May 24, 2011)

> DCDIAG is a server tool, but I think you can run it from anywhere as long as you point it at a server and have the correct credentials to run it. Just like you can run any admin tools from a workstation in an MMC.


Yeah but it will use your local TCP/IP settings for DNS won't it? In other words, if run on the server it prob only has one DNS IP configured (itself) so can only query one DNS server all the time. If there are probs with the other DNS server this won't show it, but if run on the laptop where it connects to 4 DNS servers then it might indicate an issue with one particular DNS server (if there is one).


----------



## Rockn (Jul 29, 2001)

You can run dcdiag from anywhere and you can specify which server to hit via the /s:servername switch.

Might also indicate some replications issues if there is more than one DNS server.


----------



## JHS (Aug 15, 2002)

The laptop only has one DNS server configured now, the IP I mentioned above, which is the IP of the server in the same office / LAN (192.168.1.10)

At first the laptop was set to get its IP and DNS settings by DHCP, which gave it that same DNS server anyway. I would much prefer to go back to this once this is resolved of course. 

As for Dcdiag, when you go to join a domain, the client machine error gives you the text description of that error under the "Details" button of the error message. In that details view it shows the nslookup result, and points you at a log file (dcdiag.txt) on the local client in the windows folder (which just contains the same info displayed in the details button). 

There is no other machine with the same name no. The laptop hostname is a unique name representing its inventory ID. 

I did try adding the laptop's name manually in the Computers list of the server. That was fine. But it made no difference in then allowing the laptop to actually join the domain. My experience with that has been that if you have such a scenario, you actually have to remove the name from the computers list on the server first anyway, then try joining. I've seen that a few times over the years, where you need to unjoin and rejoin a domain to resolve some weird login issue. But this is a first join for this machine. I've now even tried renaming the laptop with a new name of just "workdammit" and no luck.


----------



## Rockn (Jul 29, 2001)

And this is a hardwired LAN connection? Anything unusual in the network items listed under the particular network adapter? Is it some off the wall NIC with some sort of embedded something or another? I am still concerned about the loopback address you have set on your DC for DNS:

W2003 R2 as the DC/ DNS
IP 192.168.1.10
GW 1.1
*DNS self (127.0.0.1)*


----------



## mucker2010 (May 24, 2011)

> As for Dcdiag, when you go to join a domain, the client machine error gives you the text description of that error under the "Details" button of the error message. In that details view it shows the nslookup result, and points you at a log file (dcdiag.txt) on the local client in the windows folder (which just contains the same info displayed in the details button).


So this WOULD indicate an issue with DNS. You said before when you ran DCDiag everything worked?
I am assuming (but would like you to confirm) that you have now run DCdiag from the laptop? This will give us more detailed info from the laptop point of view.

Also, why don't you just try pointing the DNS IP settings to another DNS server? I really think this DNS zone on this server is screwed.

@Rockn, that DNS setting is ok. It wouldn't be if it was on the forwarding tab of course.


----------



## Rockn (Jul 29, 2001)

If there is replication going on and you only have a loopback address listed there will be issues.
http://technet.microsoft.com/en-us/library/ff807362(WS.10).aspx

This should also apply to Server 2003

What FSMO roles does this server hold, the one you are trying to join the computer to the domain through?


----------



## mucker2010 (May 24, 2011)

Rockn said:


> If there is replication going on and you only have a loopback address listed there will be issues.
> http://technet.microsoft.com/en-us/library/ff807362(WS.10).aspx
> 
> This should also apply to Server 2003
> ...


Very interesting Rockn, just read that link. That is almost certainly the cause, good find! I knew it was a dodgy DNS zone but this will be why, and the root cause of it. I didn't know that a DNS server shouldn't look at itself for replication purposes! :up:


----------



## JHS (Aug 15, 2002)

That article does not apply to 2003. The solid proof of that for myself is that our server has been running in this configuration for over 2 years already and never rejected domain joins of new machines like this before.

But to test it, I kicked everyone out of their open documents, changed the settings for Pri DNS to another server, secondary to self at 192.168.1.10, rebooted the server, rebooted the laptop, and still get an instant rejection when attempting to join the laptop to the domain.

Replication within our domain is fine. Replmon has no errors or lost connections showing for any of the servers.
dcdiag on the server shows no errors.

I've re-installed the NIC drivers for the laptop now too, and no difference (yes, wired lan, not wireless).

SOLUTION AT LONG LAST - NetBIOS has to be enabled on DC's
This is ridiculous to me. Nothing we have for other software or hardware has any need at all for the 1980's crap, yet Microsoft has made it necessary to keep it on (even though THEY suggest disabling it if nothing you run needs it).

I found discussion about this at 
http://www.minasi.com/forum/topic.asp?TOPIC_ID=36581

Sure enough, when I enabled NetBIOS on the PDC, the Join Domain action produced a login prompt for an account allowed to join. Disabled it again, and it returned to the super-fast total rejection/error. We shut off NetBIOS months ago and nothing else we have has ever had a problem: databases, other MS products, replication, logins, ping tests, absolutely nothing. But just for the purpose of joining, it has to be there. G** d**m f**king stupid.


----------



## mucker2010 (May 24, 2011)

How did you "shut netbios" off months ago? And why?
Because like you I also thought it was disabled by default (at least in 2008 server).


----------



## mucker2010 (May 24, 2011)

I have now read that link you sent and realised something.

First off this is your own doing...not MS.

That discussion shows him trying to connect to a NetBIOS domain name. How can you expect to connect to a NetBIOS domain (windows domain) if you disable NetBIOS? Here is his command when he tried to connect it:


> `C:\>netdom join MS2 /domain:bigfirm /userd:admin /passwordd:*`


See he is connecting on a NetBIOS name. You may be thinking I am wrong but I will ask you a simple question. What is the structure of a DNS name? It is hierarchical, which means it has a dot in it somewhere. When you create your domain name you usually give it a name like bigfirm.local. Now this is a DNS name. Flat namespaces with no dots are NetBIOS names. So it is quite simple, you were trying to join the PC to your domain using the NetBIOS name but with NetBIOS disabled. It was never going to work. How can I be so sure of this? Because in Windows 2008 R2 (maybe R1 but not confirmed) NetBIOS is disabled by default. Again how do I know? Because like you I tried joining a machine using the NetBIOS name, I knew this always worked in the past so why not now? It kept failing, so then I tried the DNS name which had .local on the end. It worked.

Do you have a DNS name for it? As in it has dots in the name? If so why don't you try disabling NBT again and this time try joining it using the DNS name. It will work...

EDIT: Also I just read more of that post and saw an entry which is basically saying the same as me but he doesn't explain why. Here it is:


> Dave,
> if you disable NetBIOS, you can't use NetBIOS names anymore. Your syntax should be
> `netdom join MS2 /domain:bigfirm.local /userd:[email protected]` etc.


The replies after him saying it is not the case are wrong. They don't understand the technology properly. Just try it and see what happens.

EDIT AGAIN LOL: actually further down that post they say it did work. Before I only read as far as the posts that said it wouldn't work
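One way to check on the client which of the two DC discovery paths actually works, as an added example that is not part of the thread: it assumes `bigfirm.local` / `BIGFIRM` stand in for your domain's DNS and NetBIOS names (taken from the quoted Minasi post, not this thread's real domain), uses the 192.168.1.10 DC/DNS server from the thread, and assumes `nltest` is available (built into Server 2003 and Vista+, from the Support Tools on XP).

```powershell
# Added diagnostic, not from the thread. Placeholders: replace the two domain names.
$domainDns  = 'bigfirm.local'   # DNS name of the domain (has dots)
$domainFlat = 'BIGFIRM'         # NetBIOS name of the domain (flat, no dots)
$dnsServer  = '192.168.1.10'    # the DC/DNS server from the thread

# 1. SRV records the DC locator needs for DNS-based discovery. If these resolve,
#    a join by DNS name can succeed with NetBIOS over TCP/IP switched off;
#    if they do not, the zone itself is the problem.
foreach ($rec in "_ldap._tcp.dc._msdcs.$domainDns", "_kerberos._tcp.dc._msdcs.$domainDns") {
    nslookup -type=SRV $rec $dnsServer
}

# 2. Ask the locator directly by DNS name, bypassing its cache.
nltest /dsgetdc:$domainDns /force

# 3. Same request by flat NetBIOS name. On a freshly built client this relies on
#    NetBIOS-based discovery, so it is the call expected to fail while NetBIOS is
#    disabled, matching the instant rejection described above.
nltest /dsgetdc:$domainFlat /force

# 4. Show the client's own NetBIOS over TCP/IP setting per adapter
#    (TcpipNetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=true' |
    Select-Object Description, TcpipNetbiosOptions
```

If step 1 and step 2 succeed but step 3 fails, the join should be retried with the dotted DNS name, as the post above suggests, rather than re-enabling NetBIOS on the DCs.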


----------

