Joining a domain over a VPN (Win 2003)

Soldato | Joined 8 Feb 2004 | Posts 3,833 | Location London
Hi

I really hope someone can help point me in the right direction, as my suppliers aren't able to help and I'm tearing my hair out!

- I have 3 servers in the office, in a typical AD and DNS (on two servers) setup. Windows server 2003.

- I have a webserver hosted offsite, linked via a VPN tunnel.

- All servers can ping one another.

- I can RDC from the office to offsite, and vice versa

But I cannot join the offsite server fully to the domain - it cannot find the domain name, even if I use the FQDN.

I'm thinking it must be a DNS issue, or is it because the server is on a different subnet / IP address scheme?
 
Yeah, I think the server would have to be in the same IP address range in order to join the domain.
I haven't tried joining a computer to a domain over a VPN, but I don't see why it should not be possible if the domain server can see it.
 
The server doesn't have to be in the subnetwork AFAIK.

It's most likely a DNS issue, try pinging from either end using the FQDN and see if the names can be resolved.
 
Sweet! It was a WINS problem - it wasn't setup on my domain at all.

One quick install later and it's straight on the domain

Thanks the_chicco I owe you a million dollars!

[spoke a bit too soon - this seemed to resolve the issue, but still getting AD authentication probs - will report back when I've had a play]
 
You shouldn't require WINS for anything these days.
Rumour was that support for WINS would be removed from Server 2003.
It should almost certainly have vanished before the next version of Server.
 
On the network card you can add the DNS suffixes. That might resolve it. As stated before, can you ping the FQDN?

Check in DNS that the domain name suffixes are added. If you have a domain named mydomain.co.uk, check that you can ping mydomain.co.uk - you may have to open ports on the firewall (port 53 for DNS) as well.

M.
 
You have to make sure that you have a DNS server for the domain you're trying to join added in the settings for the network card you're using.
 
stoofa said:
You shouldn't require WINS for anything these days.
Rumour was that support for WINS would be removed from Server 2003.
It should almost certainly have vanished before the next version of Server.

Unless you want to browse multiple subnets. Or have any application that requires NetBIOS name resolution and you have more than one subnet (like Exchange 2000 IIRC). You then have an extremely (and needed) practical use for WINS.

The OP's question though should be fixed by adding the DNS server(s) authoritative for the AD domain's zone into the said machine's NIC properties.
 
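The check behind the last two posts (the "can you ping the FQDN" question and the advice to point the NIC at the AD zone's DNS servers), as an added example that is not code from the thread: a domain join does not need the FQDN to ping, it needs the client's DNS server to answer for `_ldap._tcp.dc._msdcs.<domain>` SRV records and to resolve their targets. The script builds that query by hand, parses the reply, and pairs each DC with the addresses the reply carried for it. It uses only the standard library, so it can run on the offsite server and be pointed at the office DNS server across the tunnel. The domain name, the server address and the sample reply are assumptions, not data from the thread.

```python
"""Query DNS for the DC locator records a domain join depends on (added example,
not code from the thread). Windows finds a DC via _ldap._tcp.dc._msdcs.<domain>
SRV records and then resolves their targets. Standard library only, so it can run
on the offsite server against the office DNS server across the VPN; the domain,
server address and sample reply are assumptions."""
import random
import socket
import struct

QTYPE = {"A": 1, "CNAME": 5, "SRV": 33}

def encode_name(name):
    """'a.b.c' -> length-prefixed labels ending in a zero byte."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\x00"

def build_query(name, qtype, txid=None):
    """One-question query with RD set; txid is random unless supplied."""
    txid = random.randrange(0, 65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_response(msg):
    """Return (txid, rcode, [(name, rtype, value)]) over all record sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == QTYPE["A"]:
            value = ".".join(str(b) for b in rdata)
        elif rtype == QTYPE["CNAME"]:
            value, _ = read_name(msg, off)
        elif rtype == QTYPE["SRV"]:
            prio, weight, port = struct.unpack("!HHH", rdata[:6])
            target, _ = read_name(msg, off + 6)
            value = (prio, weight, port, target)
        else:
            value = rdata
        records.append((name, rtype, value))
        off += rdlen
    return txid, flags & 0xF, records

def dcs_from_records(records):
    """Pair each SRV target with the A addresses the same reply carried for it."""
    addrs = {}
    for name, rtype, value in records:
        if rtype == QTYPE["A"]:
            addrs.setdefault(name.lower(), []).append(value)
    return [(v[3], v[2], addrs.get(v[3].lower(), []))
            for _n, r, v in records if r == QTYPE["SRV"]]

def find_dcs(domain, dns_server, timeout=3.0):
    """Send the DC locator query to dns_server; return [(target, port, [ips])]."""
    query = build_query(f"_ldap._tcp.dc._msdcs.{domain}", "SRV")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (dns_server, 53))
        data, _ = sock.recvfrom(4096)
    txid, rcode, records = parse_response(data)
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("reply transaction id does not match the query")
    if rcode != 0:  # 3 (NXDOMAIN): this server does not hold the AD zone
        raise ValueError(f"server answered rcode {rcode}")
    return dcs_from_records(records)

def sample_response(txid, domain="mydomain.co.uk"):
    """Constructed reply (not captured): one DC registered with two addresses."""
    qname, dc = f"_ldap._tcp.dc._msdcs.{domain}", f"pdc.{domain}"
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 2)
    msg += encode_name(qname) + struct.pack("!HH", QTYPE["SRV"], 1)
    srv = struct.pack("!HHH", 0, 100, 389) + encode_name(dc)
    msg += struct.pack("!HHHIH", 0xC00C, QTYPE["SRV"], 1, 600, len(srv)) + srv
    for ip in ("10.0.5.2", "172.240.1.7"):  # additional-section A records
        msg += encode_name(dc) + struct.pack("!HHIH", QTYPE["A"], 1, 1200, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return msg
```

Run `find_dcs("mydomain.co.uk", "172.240.1.7")` from the offsite server (names and address assumed). A timeout means UDP/53 is not passing the tunnel; rcode 3 means the NIC is pointed at a DNS server that does not hold the AD zone, which is the thread's eventual diagnosis; an answer listing two addresses for one DC is the multihomed symptom seen later in the thread. The transaction id check is the minimum an unauthenticated UDP lookup should do before trusting a reply. DNS is only the first dependency: the join also needs Kerberos (88), LDAP (389), SMB (445) and RPC (135 plus the dynamic range) to reach the DC through the VPN.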
Thanks for the help so far

DNS settings on the offsite server's NIC are correct.

I ran "dcdiag /test: DNS -v" on both the PDC in the office, and on the offsite server. Both fail on 'connectivity', with slightly different errors.

On the PDC+DNS server - I get the message:
[SERVERNAME] DsBindWithSpnEx() failed with error -2146892976

So only Basc is FAIL; all others are PASS.


On the offsite server - the dcdiag gives this:

Domain Controller Diagnosis

Performing initial setup:
* Connecting to directory service on server 172.240.1.7.
*** Warning: could not confirm the identity of this server in
the directory versus the names returned by DNS servers.
If there are problems accessing this directory server then
you may need to check that this server is correctly registered
with DNS
[172.240.1.7] Directory Binding Error 87:
Win32 Error 87
This may limit some of the tests that can be performed.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\PDC
Starting test: Connectivity
* Active Directory LDAP Services Check
Although the Guid DNS name
(19debba7-206a-498e-a39a-5d5a62df3d0c._msdcs.pdc.mydomain.co.uk) resolved to
the IP address (10.0.5.2), which could not be pinged, the server name
(pdc.mydomain.co.uk) resolved to the IP address (172.240.1.7) and could
be pinged. Check that the IP address is registered correctly with the
DNS server.
......................... PDC failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\HABDC
Test omitted by user request: Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: Advertising
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: RidManager
Test omitted by user request: MachineAccount
Test omitted by user request: Services
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: ObjectsReplicated
Test omitted by user request: frssysvol
Test omitted by user request: frsevent
Test omitted by user request: kccevent
Test omitted by user request: systemlog
Test omitted by user request: VerifyReplicas
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

DNS Tests are running and not hung. Please wait a few minutes...

Running partition tests on : ForestDnsZones
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom

Running partition tests on : DomainDnsZones
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom

Running partition tests on : Schema
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom

Running partition tests on : Configuration
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom

Running partition tests on : hab
Test omitted by user request: CrossRefValidation
Test omitted by user request: CheckSDRefDom

Running enterprise tests on : mydomain.co.uk
Test omitted by user request: Intersite
Test omitted by user request: FsmoCheck
Starting test: DNS
Test results for domain controllers:

DC: pdc.mydomain.co.uk
Domain: mydomain.co.uk


TEST: Authentication (Auth)
Authentication test: Successfully completed

TEST: Basic (Basc)
Error: No LDAP connectivity
Error: No WMI connectivity
[Error details: 0x80070721 (Type: HRESULT - Facility: Win32, Description: A security package specific error occurred.) - Connection to WMI server failed]

Summary of DNS test results:

Auth Basc Forw Del Dyn RReg Ext
________________________________________________________________
Domain: mydomain.co.uk
pdc PASS FAIL n/a n/a n/a n/a n/a

......................... mydomain.co.uk failed test DNS
 
And I cannot ping the FQDN from the offsite server to any of the servers in the office. I can ping the servers by IP, but not by servername.domainname.co.uk. One server resolves to 10.0.5.2 which is on the office IP scheme - it should resolve to 172.240.1.7. So it's definitely using the DNS, but the DNS isn't giving the correct relative IP address... do I need to create new records in the PDC's DNS for the offsite server?
 
caff said:
do I need to create new records in the PDC's DNS for the offsite server?

In short... no.

The DNS is broken. The PCs at the main site are clinging onto the network only by virtue of having known where to find the domain controller before it went wrong, using their own DNS cache.

Your DNS is broken and you will probably need to re-create both the forward and reverse lookup zones.

At least you've only got about 4/5 PCs though?
 
Oh dear.

Yep 3 servers at office, and 1 offsite. About 30 clients in total.

Should I uninstall / reinstall DNS completely?

Cheers,
C
 
Is the Domain Controller at the main office multihomed? (2 or more IP addresses)

May be worth checking.

Also, can you post an unedited ipconfig /all from the Domain Controller.
 
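A way to test the multihomed hypothesis in this post against the dcdiag output earlier in the thread, as an added example that is not from the thread: a multihomed DC registers every one of its addresses, and a resolver hands multiple A records out in rotating order, so the GUID name and the host name for the same server can come back with different addresses on consecutive lookups, and a client at the far end of the VPN is given the non-routed one part of the time. The script audits a zone for that condition (DC locator SRV present, GUID CNAME consistent with the host record, every registered address routed from the remote site) and models the usual fix, which is to stop the interface the remote site cannot reach from registering in DNS so that one A record remains. The zone contents, the GUID placeholder label and the routed prefix are constructed assumptions.

```python
"""Audit what a DC has registered in DNS against what the far side of a VPN can
route. Added example, not from the thread; the zone below is constructed to
resemble it, the GUID label is a placeholder and the routed prefix is assumed."""
import ipaddress

DOMAIN = "mydomain.co.uk"
DSA_GUID = "dsa-guid-placeholder"  # real record: <DSA object GUID>._msdcs.<forest root>

# Constructed zone contents: owner name -> [(type, rdata)]. Not a real zone export.
ZONE = {
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [("SRV", (0, 100, 389, f"pdc.{DOMAIN}"))],
    f"{DSA_GUID}._msdcs.{DOMAIN}": [("CNAME", f"pdc.{DOMAIN}")],
    f"pdc.{DOMAIN}": [("A", "10.0.5.2"), ("A", "172.240.1.7")],
}

def resolve_a(zone, name, depth=0):
    """Follow CNAME chains (bounded) and return the A addresses behind name."""
    if depth > 8:
        raise ValueError(f"CNAME chain too long at {name}")
    ips = []
    for rtype, rdata in zone.get(name.lower(), []):
        if rtype == "A":
            ips.append(ipaddress.ip_address(rdata))
        elif rtype == "CNAME":
            ips.extend(resolve_a(zone, rdata, depth + 1))
    return ips

def audit(zone, domain, dsa_guid, routed_prefixes):
    """Return (code, record, detail) findings; an empty list means the remote site is fine."""
    routed = [ipaddress.ip_network(p) for p in routed_prefixes]
    findings = []
    locator = f"_ldap._tcp.dc._msdcs.{domain}"
    srv = [rdata for rtype, rdata in zone.get(locator, []) if rtype == "SRV"]
    if not srv:
        findings.append(("NO_SRV", locator, "no DC locator records: not the AD zone's DNS"))
    guid_name = f"{dsa_guid}._msdcs.{domain}"
    guid_ips = set(resolve_a(zone, guid_name))
    for _prio, _weight, _port, target in srv:
        host_ips = resolve_a(zone, target)
        if len(host_ips) > 1:  # round robin will hand clients each of these in turn
            findings.append(("MULTIHOMED", target, [str(ip) for ip in host_ips]))
        unrouted = [str(ip) for ip in host_ips if not any(ip in net for net in routed)]
        if unrouted:
            findings.append(("UNROUTED", target, unrouted))
        if guid_ips and guid_ips != set(host_ips):
            diff = sorted(str(ip) for ip in guid_ips ^ set(host_ips))
            findings.append(("GUID_MISMATCH", guid_name, diff))
    return findings

def fixed_zone(zone, target, keep_ip):
    """Model the fix: only the routed interface registers, leaving one A record."""
    new = dict(zone)
    others = [r for r in zone.get(target.lower(), []) if r[0] != "A"]
    new[target.lower()] = [("A", keep_ip)] + others
    return new

if __name__ == "__main__":
    for finding in audit(ZONE, DOMAIN, DSA_GUID, ["172.240.1.0/24"]):
        print(finding)
    repaired = fixed_zone(ZONE, f"pdc.{DOMAIN}", "172.240.1.7")
    print("after fix:", audit(repaired, DOMAIN, DSA_GUID, ["172.240.1.0/24"]))
```

On the constructed zone the audit reports MULTIHOMED and UNROUTED for the DC, with 10.0.5.2 as the address the remote site cannot reach; after the modelled fix it reports nothing. On a real Windows DC the equivalent of `fixed_zone` is clearing "Register this connection's addresses in DNS" on the non-routed interface, deleting the stale A record, and running `ipconfig /registerdns` so the DC re-registers, then clearing the client's cache with `ipconfig /flushdns` before re-testing.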
Does a PTR record exist for your server name + IP address in the reverse lookup zone?
There's not a lot to fixing DNS apart from deleting & recreating the forward & reverse zones, so no real point in reinstalling it. At least in my experience anyway.
You could possibly cheat by creating entries in the hosts file but I've never ended up using that to fix a problem. There's always something else that can fix it.
 
Thanks all.

I seem to have resolved the netdiag and dcdiag errors / warnings on the actual PDC, but I don't understand enough about DNS to figure out the name resolution problems on the offsite server in order to ping from offsite to office by FQDN... do I need to create a new zone for the different subnet?
 