Troubleshooting DNS when joining a computer to the domain

Discussion in 'MCSA' started by dogray77, Nov 9, 2006.

  1. dogray77

    dogray77 Guest

    I was just wondering if someone could provide for me a list of possible
    problems you might come across when joining a computer to the domain.

    I have a Server 2003 computer DC with DNS & DHCP installed. I've been
    trying to join an XP workstation to the domain, but have not been able to do
    so. I can ping the server from the workstation and vice versa, I'm using the
    domain admin account, and I know I'm typing in the correct name of the domain
    after I hit the change button. I'm not sure whether or not ICS is installed
    on the workstation, but I'm thinking if I disable that it should work. I
    suppose I should also look at the DNS errors in the Event Viewer. Short of
    that are there any other best practices, troubleshooting techniques, or other
    general advice that you could give me about potential problems when joining
    workstations to the domain should a different kind of problem come up in the
    future? I want to be confident that I can always join a workstation to the
    server and CONSISTENTLY resolve DNS resolution problems, because right now it
    seems kind of hit and miss.

    Thanks
     
    dogray77, Nov 9, 2006
    #1

  2. dogray77

    Boston Boxer Guest

    What error message are you getting when you try to add the machine to the
    domain?
     
    Boston Boxer, Nov 9, 2006
    #2

  3. Ping with the IP address only tells you that you have the connection. Try
    to ping with the host name. If you got a reply, then your DNS is ok
    otherwise you know you have a problem with your DNS service. If you are
    using DHCP for your ip address, run ipconfig/all to see if there is an IP
    address for your DNS server or not. Last but not least, check your DNS
    server to see if there is an A record created for your machine. Good luck
     
    Dragon Without Wings, Nov 9, 2006
    #3
  4. dogray77

    gerryR Guest

    Was the machine ever on the domain before? If there's still a record for it
    in AD you should try deleting that, then try to join again.
     
    gerryR, Nov 10, 2006
    #4
  5. dogray77

    AJR Guest

    Not sure about this - I seem to remember that the computer must be a member
    of a workgroup before joining a domain.
     
    AJR, Nov 10, 2006
    #5
  6. dogray77

    Terence Rabe Guest

    NT, W2K Pro, XP and Vista have 2 states. Either they are domain members or
    they are workgroup members. There is no other possible configuration... so
    if the computer is not a domain member it will automatically be a member of
    a workgroup.
     
    Terence Rabe, Nov 11, 2006
    #6
  7. dogray77

    Terence Rabe Guest

    Good advice
    Not true.

    The name could have been resolved through WINS or a NetBIOS name
    broadcast...
    Try pinging the server by name... let's say it's called "SERVER". Look
    closely at the first line of ping output.
    If you type "ping SERVER" and you get back "pinging SERVER [ip address]"
    then the name was probably resolved through WINS or a NetBIOS broadcast.
    If you type "ping SERVER" and you get back "pinging SERVER.DOMAIN.COM [ip
    address]" then the name was almost certainly resolved through DNS because it
    returned an FQDN. To be certain, use NSLOOKUP to test whether the PC can
    find the DC's IP address in DNS.
    Good tip. Don't just check that this client has a preferred DNS server IP
    listed, it must be the correct DNS server IP.
    That's not necessary. The existence of your machine's A record in the DNS
    server only proves that dynamic update is working. You may still experience
    issues with joining the domain if your workstation can't resolve the Active
    Directory SRV records held in DNS.

    You might want to test joining the domain by its NetBIOS name (DOMAIN
    instead of domain.com). If the NetBIOS name works but the DNS format does
    not, there might be an issue with the AD records held in DNS...

    Terence
     
    Terence Rabe, Nov 11, 2006
    #7
  8. dogray77

    Terence Rabe Guest

    Hi Dogray77

    The firewall service on the client has no effect on its ability to join the
    domain.

    Terence Rabe
     
    Terence Rabe, Nov 11, 2006
    #8
  9. dogray77

    AJR Guest

    "automatically be a member of a workgroup." I don't think so - computer
    must be designated a member of a workgroup - otherwise it can be a
    standalone unit - not a member of a workgroup or domain.
     
    AJR, Nov 11, 2006
    #9
  10. This could be semantics, but I think he is correct. I see two options
    -- workgroup or domain.
     
    Jonathan Roberts, Nov 11, 2006
    #10
  11. Quite simply make sure your workstation is using the IP of your DC for DNS.

    Any other dns server and it isn't going to work.


    Oliver
     
    Oliver Moazzezi, Nov 13, 2006
    #11
  12. Terence,

    - First of all, if you see his post closely again, you will not see anything
    mentioned about WINS or NetBIOS. For NetBIOS to work, you will have to
    either use WINS or manually enter the information into an LMHOSTS file.
    - Second of all, what I meant by getting a reply is exactly similar to
    what you wrote, "pinging SERVER.DOMAIN.COM" (I might have stopped short by
    saying that).
    - Third, by telling him to check for the A record, my intention was to
    advise him to manually add it in case it's not there.
    - However, you have pointed out a very interesting point by telling him to
    join the domain by its NetBIOS name. XP machines are quite strange sometimes.
    I had to use the NetBIOS name to join the domain once because it wouldn't take
    the whole FQDN. In my case, I had a domain name abc.mycompany.com but it
    took only abc when I tried to join the domain. NSLookup is also a very good tip.
     
    Dragon Without Wings, Nov 13, 2006
    #12
  13. dogray77

    Tjunior Guest

    Is your DC registered in DNS database? Also, try to remove File and Printer
    Sharing from the workstation, and then join the domain again.

    Also remember that you can not change a workstation computer name while you
    are trying to join that workstation to the domain.
     
    Tjunior, Nov 16, 2006
    #13
  14. Are you sure you know what you are talking about?????????????


    If the DC weren't registered in the DNS database, it wouldn't even install
    AD in the first place. You've got to either install DNS along with
    AD or have a working DNS server at the time, and evidently the DC "A" record
    should already be there.
    What does this have to do with joining a domain?

    This is totally untrue
     
    Dragon Without Wings, Nov 18, 2006
    #14
  15. dogray77

    dogray77 Guest

    I appreciate all the help I've received on this thread so far. Here's an
    update of your advice in action:

    The workstation is set to use the DNS ip address of the server. I was able
    to ping the domain controller from the workstation by its DNS name.

    The computer account of the workstation was previously in the Active
    Directory Computers container. I deleted it, and tried to join the
    workstation again. No dice.

    I tried joining the computer by NetBIOS name and that also failed to work.

    When I look at the DNS server utility it seems there are some important
    records missing. I can see the start of authority record, and host records
    for the DNS server, but it seems to be missing some relevant folders that I
    remember seeing before: tcp / udp / etc. So I think the problem has
    something to do with the integration of Active Directory and DNS.

    I should probably note that since this is a test computer using an
    evaluation copy of Server 2003, I deleted and recreated the DNS server AND
    Active Directory using the same names as I used before for the domain and DNS
    forward lookup zone. This is obviously not something you would do on a
    production server, but it brings up some new questions: What are the
    consequences, besides adding new administrator user profiles, of deleting
    Active Directory and recreating it on the same server with the same name?
    Could this have something to do with the missing forward lookup zone resource
    records, and therefore the inability for the workstation to find the SRV
    record of the DNS server necessary to join the domain?

    And how is it I'm able to access shares on the server from the workstation
    if the workstation isn't even part of the domain?
     
    dogray77, Nov 20, 2006
    #15
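
Added example, not part of any post in this thread: post #7 distinguishes a DNS answer from a WINS/NetBIOS answer by the first line of `ping` and points at the Active Directory SRV records, and post #15 reports the `_tcp`/`_udp` folders missing from the zone. The Python below classifies a captured `ping` line and lists which DC-locator SRV names did not resolve in captured `nslookup -type=SRV` output. The function names are hypothetical, the sample output is constructed, and `domain.com`/`SERVER` are the thread's own placeholders.

```python
import re

# Constructed sample: concatenated output of `nslookup -type=SRV <name>` run on the
# workstation for two of the names below (domain.com / server are placeholders).
SAMPLE_NSLOOKUP = """\
_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server.domain.com
*** server.domain.com can't find _kerberos._tcp.domain.com: Non-existent domain
"""

def locator_records(domain):
    """SRV names a client looks up to find a DC (the zone's _msdcs/_tcp/_udp folders)."""
    d = domain.lower().rstrip(".")
    return [f"_ldap._tcp.dc._msdcs.{d}", f"_ldap._tcp.{d}",
            f"_kerberos._tcp.{d}", f"_kerberos._udp.{d}"]

def ping_resolution(first_line):
    """Heuristic from post #7: an FQDN in the 'Pinging' line suggests DNS answered."""
    m = re.match(r"\s*Pinging\s+(\S+)(\s+\[)?", first_line, re.I)
    if not m:
        return "unresolved"          # e.g. "Ping request could not find host ..."
    if not m.group(2):
        return "ip-literal"          # pinged by address: proves connectivity only
    return "dns" if "." in m.group(1) else "netbios-or-wins"

def srv_targets(nslookup_output):
    """Map each SRV owner name in the output to the hostnames it points at."""
    found, owner = {}, None
    for line in nslookup_output.splitlines():
        head = re.match(r"(\S+)\s+SRV service location:", line, re.I)
        host = re.match(r"\s+svr hostname\s*=\s*(\S+)", line, re.I)
        if head:
            owner = head.group(1).lower().rstrip(".")
            found.setdefault(owner, [])
        elif host and owner:
            found[owner].append(host.group(1).lower().rstrip("."))
    return found

def missing_records(domain, nslookup_output):
    """Locator SRV names that the captured output did not resolve to any DC."""
    found = srv_targets(nslookup_output)
    return [name for name in locator_records(domain) if not found.get(name)]

if __name__ == "__main__":
    print(ping_resolution("Pinging SERVER [192.168.0.1] with 32 bytes of data:"))
    print(missing_records("domain.com", SAMPLE_NSLOOKUP))
```

A non-empty result from `missing_records` matches the symptom in post #15: the host (A) record resolves, but the SRV records the workstation needs to locate a domain controller do not.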
  16. Nothing. AD and DNS are totally different animals even though they are
    integrated (hence optional). NSLookup will be a good tool to use. Plus,
    check your event viewer for any DNS related errors.

    Let's say your server name is SERVER1 and its IP address is 192.168.0.1.
    From your workstation, open Windows Explorer and type in \\SERVER1 or
    \\192.168.0.1; this will open a login screen prompting you for the user name
    and password (make sure you have created a user account on the server).
    Type in the username and password and off you go.
     
    Dragon Without Wings, Nov 20, 2006
    #16