
Running into an issue at a new location with promoting a new domain controller. We will call the new server "newserv".

Error is: "An Active Directory domain controller for the domain "mydomain" could not be contacted."

  • newserv can ping domain controllers by FQDN (i.e. DC1.mydomain)
  • newserv cannot ping a domain controller without .mydomain
  • NSLOOKUP on newserv shows the default server as PDC.mydomain
  • NSLOOKUP set type=all --> _ldap._tcp.dc._msdcs.mydomain shows all SRV service locations, with correct IP addresses.
  • newserv has a static IP, with primary and secondary DNS pointing to DC1.mydomain & DC2.mydomain
  • If I just try to join the domain, the error details state the SRV record query shows all of my domain controllers, however they could not be contacted.

Some things I've tried, and other notes:

  • I've tried setting primary DNS to point to itself.
  • I've tried adding the DNS suffix "mydomain" under advanced DNS settings.
  • newserv can join a different domain with no issue.
  • My domain does not have a suffix. It is just "mydomain" - I've run into issues with this when joining Mac OS to the domain in the past.

  • The server is a virtual machine running in Hyper-V which is joined to a different domain.

I'm imagining this might be some kind of DNS issue, but I don't know where to start in addressing it.

Any help greatly appreciated.

notmrb
  • `mydomain` is a single label domain. I'm fairly certain that in Windows Server 2008 R2 and forward that the creation of an SLD is blocked. You must have therefore created this domain with Windows Server 2008 or prior? Is this a production domain? My first inclination is to suggest that you wipe it out and start from scratch, but that may not be possible if this is a production environment. – joeqwerty Aug 09 '16 at 15:05
  • This is a production domain. The domain was created around 2003, but the domain functional level is operating at Windows Server 2012. – notmrb Aug 09 '16 at 15:27

2 Answers


That usually means a required port such as UDP/389 is blocked, probably due to a firewall. You can confirm by testing with PortQryUI:

PortQryUI - User Interface for the PortQry Command Line Port Scanner
https://www.microsoft.com/en-us/download/details.aspx?id=24009

If any of the required ports are blocked, they will show as "filtered".

Greg Askew
  • Alright, so I ran the PortQry utility on about three machines and I get a runtime error on all three machines; however the query result completes and I can save out a report. I'm going to post the results in a moment, accidentally hit "enter". – notmrb Aug 09 '16 at 15:17
  • From newserv to DC1.mydomain these are what show as "filtered": `UDP port 389 (unknown service): LISTENING or FILTERED`; `UDP port 88 (kerberos service): LISTENING or FILTERED`; `UDP port 138 (netbios-dgm service): LISTENING or FILTERED`; `TCP port 42 (nameserver service): NOT LISTENING`. The LDAP Query Response looks good. I see the DC name, ldapservicename, etc. Sorry, looks like formatting is different in comments. – notmrb Aug 09 '16 at 15:32
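A scripted version of the port check this answer recommends, as an added example (not code from the answer or from PortQry). It assumes the question's placeholder DC name `DC1.mydomain` and is run on the server being promoted. TCP ports are checked with `Test-NetConnection`, which cannot probe UDP; PortQry reports an unanswered UDP probe as "LISTENING or FILTERED" because an open port that ignores junk and a filtered one look the same. A DC does answer a well-formed CLDAP rootDSE search on UDP/389, so the function below sends one and treats any LDAP reply as proof that UDP/389 is reachable.

```powershell
# Added example: port reachability from the new server to an existing DC.
# 'DC1.mydomain' is the question's placeholder name; substitute your own DC.
$DomainController = 'DC1.mydomain'

# TCP ports used during join/promotion: DNS, Kerberos, RPC endpoint mapper,
# LDAP, SMB, kpasswd, LDAPS, global catalog (plain and TLS)
$tcpPorts = 53, 88, 135, 389, 445, 464, 636, 3268, 3269

function Test-DcTcpPorts {
    param([string]$Server, [int[]]$Ports)
    $result = @{}
    foreach ($port in $Ports) {
        # -InformationLevel Quiet makes Test-NetConnection return $true/$false
        $result[$port] = Test-NetConnection -ComputerName $Server -Port $port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    return $result
}

function Test-CldapPort {
    param([string]$Server, [int]$Port = 389, [int]$TimeoutMs = 3000)
    $ascii = [System.Text.Encoding]::ASCII

    # BER-encoded LDAP SearchRequest: messageID 1, baseObject "", scope baseObject,
    # filter (objectClass=*), requesting the dnsHostName attribute (52 bytes total).
    $filter = [byte[]](0x87, 0x0b) + $ascii.GetBytes('objectClass')           # present filter
    $attrs  = [byte[]](0x30, 0x0d, 0x04, 0x0b) + $ascii.GetBytes('dnsHostName') # attribute list
    $search = [byte[]](0x04, 0x00,        # baseObject ""
                       0x0a, 0x01, 0x00,  # scope baseObject
                       0x0a, 0x01, 0x00,  # derefAliases never
                       0x02, 0x01, 0x00,  # sizeLimit 0
                       0x02, 0x01, 0x00,  # timeLimit 0
                       0x01, 0x01, 0x00)  # typesOnly FALSE
              + $filter + $attrs
    $msg    = [byte[]](0x02, 0x01, 0x01, 0x63, $search.Length) + $search   # id + [APPLICATION 3]
    $packet = [byte[]]([byte[]](0x30, $msg.Length) + $msg)                  # LDAPMessage SEQUENCE

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, $Port)
        [void]$udp.Send($packet, $packet.Length)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply  = $udp.Receive([ref]$remote)
        # Any LDAPMessage (tag 0x30) back means the datagram reached a listening DC
        return ($reply.Length -gt 0 -and $reply[0] -eq 0x30)
    } catch [System.Net.Sockets.SocketException] {
        # Timeout or ICMP port unreachable: filtered by a firewall, or not a DC
        return $false
    } finally {
        $udp.Close()
    }
}

$tcp = Test-DcTcpPorts -Server $DomainController -Ports $tcpPorts
foreach ($port in ($tcp.Keys | Sort-Object)) {
    '{0,6}/tcp  {1}' -f $port, $(if ($tcp[$port]) { 'open' } else { 'blocked or not listening' })
}
'   389/udp  {0}' -f $(if (Test-CldapPort -Server $DomainController) { 'open (CLDAP reply received)' } else { 'no reply: filtered or not a DC' })
```

If a TCP port shows as blocked while the same port is open from a machine in another VLAN, the problem is a firewall or ACL between the two sites rather than the DC itself. The CLDAP probe is a single datagram and the same request the DC locator sends, so it is safe to repeat while firewall rules are adjusted.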

Windows domain promotion relies heavily on the DNS service. If I were you, I would check whether the following configurations are ready:

  1. No Windows Firewall enabled between the domain controllers

  2. Perform a simple network check, such as ping between the existing domain controller and the new server in both directions.

  3. Then, set up a DNS A record for your new server newserv.mydomain

  4. Also, set up a DNS PTR record for your new server (if your server IP is 192.168.1.1, you should have a PTR record as 1.1.168.192.in-addr.arpa)

  5. Perform a DNS lookup check from your existing domain controller to the new server with:

nslookup newserv.mydomain.com

From the new server, perform a similar test with:

nslookup {domain controller's DNS}

  6. Make sure you have used a user account with Domain Admin / Enterprise Admin rights in the domain you would like to join. Since your Hyper-V VM is running in a different domain, you will have to specify the domain name when entering your user name:

    e.g. mydomain\administrator or administrator@mydomain.com

Hope it can give you some ideas on how to join the domain.

Simon MC. Cheng
  • Thanks for the reply. I've verified steps one through six - all good. The only thing to mention is if I run `nslookup pdc` _from_ newserv, it shows dc.mydomain for server / address, but the second set states `pdc.mydomain can't find pdc: Server failed`. – notmrb Aug 09 '16 at 17:45
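The DNS checks in steps 3 to 5 of this answer, collected into one script as an added example (not code from the answer). It uses the question's placeholder names `mydomain` and `newserv` and the answer's illustrative address `192.168.1.1`; the single-label domain name is taken as-is, so every lookup is fully qualified, and the last check reports whether the resolver would append that suffix to a short name such as `pdc`, which is the symptom in the comment above.

```powershell
# Added example: verify the DNS records a promotion depends on.
# 'mydomain', 'newserv' and '192.168.1.1' are placeholder values from the thread.
$Domain    = 'mydomain'
$NewServer = 'newserv'
$NewIp     = '192.168.1.1'

function Test-DcDnsRecords {
    param([string]$Domain, [string]$NewServer, [string]$NewIp)
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. The DC locator finds DCs through this SRV record; every target needs an A record
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { $problems.Add("no SRV records for $srvName") }
    foreach ($rec in $srv) {
        $a = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        if (-not $a) { $problems.Add("SRV target $($rec.NameTarget) has no A record") }
    }

    # 2. Forward record for the server being promoted (step 3 of the answer)
    $fqdn = "$NewServer.$Domain"
    $fwd = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' }
    if (-not $fwd) {
        $problems.Add("no A record for $fqdn")
    } elseif (@($fwd.IPAddress) -notcontains $NewIp) {
        $problems.Add("A record for $fqdn is $($fwd.IPAddress -join ','), expected $NewIp")
    }

    # 3. Reverse record (step 4): Resolve-DnsName builds the in-addr.arpa name itself
    $ptr = Resolve-DnsName -Name $NewIp -Type PTR -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'PTR' }
    if (-not $ptr) {
        $problems.Add("no PTR record for $NewIp")
    } elseif ($ptr.NameHost -ne $fqdn) {
        $problems.Add("PTR for $NewIp points to $($ptr.NameHost), expected $fqdn")
    }

    # 4. Single-label domain: a short name like 'pdc' only resolves if the resolver
    #    appends the domain as a suffix, so check the local suffix search list
    $suffixes = @((Get-DnsClientGlobalSetting).SuffixSearchList)
    if ($suffixes -notcontains $Domain) {
        $problems.Add("'$Domain' is not in the DNS suffix search list; short names will not resolve")
    }

    return $problems
}

$issues = Test-DcDnsRecords -Domain $Domain -NewServer $NewServer -NewIp $NewIp
if ($issues.Count -eq 0) { 'DNS checks passed' } else { $issues | ForEach-Object { "PROBLEM: $_" } }
```

Run it once on the new server (resolver pointed at DC1/DC2) and once on an existing DC; a record that resolves from the DC but not from newserv points at the forwarder or zone configuration the new server is using rather than at the records themselves.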