Cannot join the domain

[Greg Brewer]

I cannot get new computers to join the domain including mine.

The Domain computer is win2k server. Currently, I am on the network as a
workgroup. I can see the server so I am on the network correctly. I can
access files on the domain computer after giving it my server username and
password.

the setup is as follows (with example being substituted for the actual name
of the domain):
example is the name of the domain.
example-y2v is the name of the computer the domain is on.
gregb is my name on the server
example.com is the name of our website.

I can ping example-y2v (192.168.1.4)
I cannot ping example (Unknown host example)
I cannot ping example.com (resolves to the correct IP address but has 100%
loss)

What I read suggests the domain should be named example.com but wouldn't
that interfere with the web site? It's Win2K so I'm not sure how I could
rename the domain anyway.

When I run the networkid wizard and it asks for user and domain account
information, I have entered gregb with domain example and I have entered
gregb@example; either way I am told "Windows cannot find an account for your
computer on the EXAMPLE domain". I am then allowed to enter a computer name
and a computer domain. I enter gregb and example: the response is to enter
the name and password of an account with permission to join the domain.
Since gregb does have permission to join the domain, I enter that along with
the password. The final response is "The network path was not found."

Any ideas on what I do next? What network path cannot it find?

Any suggestions on books that would help me administer this are appreciated.


Greg Brewer

 

[Steven L Umbach]

You really should use a fully qualified domain for your internal domain name. Some
suggest using a sub name [internal.example.com] and others say use the same name. You
can successfully use the same domain name if you use "split brains" dns configuration
where the outside world has no knowledge of you internal domain and only access the
dns records for your website on ISP dns servers. Meanwhile you create your internal
domain with the same name and simply add static records for your external resources
in your AD dns zone which allows the internal lan users to reach the external
services. There would be no connection between your internal dns server and the ISP
dns server that hosts dns for your website.

http://www.microsoft.com/serviceproviders/whitepapers/split_dns.asp -- split brains
dns.

The biggest mistake in configuring an AD domain is improper dns configuration. The
domain controller MUST point to itself as it's preferred dns server and all domain
members and those ready to be joined to the domain must point to an AD domain
controller running dns [usually they all do]. NEVER point a domain computer to an ISP
dns server or bad things will happen.

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 -- FAQ on dns for
an AD domain.

So make sure your dns is configured correctly and you will find that you probably can
then join computers to the domain. Netdiag for all domain computers and dcdiag for
domain controllers are two important tools to troubleshoot Active Directory Problems.
Those tools and others are found on the install disk under the support/tools folder
where you will have to run the setup there to install them. I really like Mark
Minasi's Mastering Windows 2000 Server as a Windows 2000 book and he does an
excellent job on dns. Either check out the fourth edition or get the one for Windows
2003 which basically covers all Windows 2000 plus explains the enhancements for W2003
and goes into security much better than previous versions. --- Steve

http://support.microsoft.com/?kbid=260371
http://support.microsoft.com/default.aspx?scid=kb;en-us;247811

 

[Greg Brewer]

You really should use a fully qualified domain for your internal domain name. Some
suggest using a sub name [internal.example.com] and others say use the same name. You
can successfully use the same domain name if you use "split brains" dns configuration
where the outside world has no knowledge of you internal domain and only access the
dns records for your website on ISP dns servers. Meanwhile you create your internal
domain with the same name and simply add static records for your external resources
in your AD dns zone which allows the internal lan users to reach the external
services. There would be no connection between your internal dns server and the ISP
dns server that hosts dns for your website.

I'm curious why .com is used for the upper level domain name and if it could
be something else. If example.com where the web site, perhaps the internal
network could be example.net or perhaps example.lan. In the first case,
there might be a conflict with an actual web site with that name but if we
never go there then no problem. In the second case, I would be using an
unofficial upper level domain name but I don't know anything that would make
that a problem. Just curious is all.

Greg

 

[Phillip Windell]

I'm curious why .com is used for the upper level domain name and if it could
be something else. If example.com where the web site, perhaps the internal
network could be example.net or perhaps example.lan. In the first case,

Most don't use the same name because of all the conflicts and all the
configuration headstands and cartwheels you have to perform to keep it
straight. I typically use a *.loc on the end for private internal systems
(loc = "Local"). You can make it whatever you want but I always prefer using
something that would not ever be used on the Internet (like *.loc). It is
the same concept as IP Addressing when using Private Address Blocks on the
private system that aren't compatible and never used on the Internet.

 

[Steven L Umbach]

That would be perfectly fine also. You can use pretty much whatever you
want on your internal domain as long as your dns is configured
correctly. --- Steve

You really should use a fully qualified domain for your internal domain name. Some
suggest using a sub name [internal.example.com] and others say use the same name. You
can successfully use the same domain name if you use "split brains" dns configuration
where the outside world has no knowledge of you internal domain and only access the
dns records for your website on ISP dns servers. Meanwhile you create

your

internal
domain with the same name and simply add static records for your

external

resources
in your AD dns zone which allows the internal lan users to reach the external
services. There would be no connection between your internal dns server and the ISP
dns server that hosts dns for your website.

I'm curious why .com is used for the upper level domain name and if it could
be something else. If example.com where the web site, perhaps the internal
network could be example.net or perhaps example.lan. In the first case,
there might be a conflict with an actual web site with that name but if we
never go there then no problem. In the second case, I would be using an
unofficial upper level domain name but I don't know anything that would make
that a problem. Just curious is all.

Greg

 

[Doug Sherman [MVP]]

For a description of problems and some work arounds for single level AD
domain names See:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;300684

If you are not able to ping the public IP for example.com, it may be that
ICMP response is blocked, or you have a routing/default gateway issue.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP

 

[Greg]

Still working on this problem.

You really should use a fully qualified domain for your internal domain

name.
I didn't set it up and I have to live with what it is unless someone knows a
way to change it.

The biggest mistake in configuring an AD domain is improper dns configuration. The
domain controller MUST point to itself as it's preferred dns server and all domain
members and those ready to be joined to the domain must point to an AD domain
controller running dns [usually they all do]. NEVER point a domain computer to an ISP
dns server or bad things will happen.

This may be what is happening. When I enter nslookup, it responds with the
isp as the default server. What really puzzles me is that we do have some
computers on the domain and I cannot find anything that is different about
them; including the response from nslookup. I thought about setting the
prefered domain controller to the ip of our server; however, it has a
dynamic ip.

I've been trying to go back to the basics but I'm still not finding
anything. Correct me if I'm wrong on how it works. First, the computer
broadcasts over the network looking for an IP address which the DHCP server
(our router) responds with. Somewhat later when joining the domain, the
computer then broadcasts looking for the DNS server which the server is
suppose to respond with. But if the ISPs DNS server is getting set for the
computers then maybe the local DNS server isn't answer the broadcast. But
that doesn't seem likely since there are computers that are able to join our
domain. Perhaps the computers that are on where set to look at the local
DNS server the changed to find it; however, they still remember where it was
and keep looking there. Maybe the firewall is stopping us from looking
stuff up. The guy who's been in charge says he hired people to put the
computers on the network that are on. He also told me that the reason I was
having trouble ping is that the firewall stops pings. I don't see how that
is possible on an internal ping. I can ping IP addresses but not domains.

I'm kind of shooting in the dark on this. I'm a little leery of making
changes as somethings work now. If I knock off the computers that are on
then I'm in trouble. About the only thing I can really think of to do is to
Ghost a computer that is on. But I would really prefer to understand what
is going on.

Any ideas would be appreciated.

Greg

 

[Steven L Umbach]

Your domain controllers need to have static IP addresses. You can configure a sort of
static IP address by having reservations in the dhcp scope [which they may have] but
I prefer static IP or bad things can happen

A computer will NEVER broadcast for a dns server. If it is not configured to use a
dns server in tcp/ip properties or via a dhcp scope then it can not use a dns server
and can only resort to netbios name resolution unless the hosts file has entries.
Ipconfig /all will show what dns servers a computer is currently using, and looking
in the dhcp scope options will list the dns servers for the scope. What many do, is
INCORRECTLY configure their domain computers with dns server entries for both their
domain controller and their ISP dns server which will cause all kinds of havoc. If
you want to get everything working correctly you need to make sure the domain
controllers have static IP addresses and that W2K/XP Pro computers use only domain
computers for their preferred dns servers. I have not had experience with a single
label dns zone, so I can give limited advice. I suggest you also post in the
win2000.dns newsgroup for best way to proceed from here with the least
sruption. --- Steve

Still working on this problem.

You really should use a fully qualified domain for your internal domain

name.
I didn't set it up and I have to live with what it is unless someone knows a
way to change it.

The biggest mistake in configuring an AD domain is improper dns configuration. The
domain controller MUST point to itself as it's preferred dns server and all domain
members and those ready to be joined to the domain must point to an AD domain
controller running dns [usually they all do]. NEVER point a domain computer to an ISP
dns server or bad things will happen.

This may be what is happening. When I enter nslookup, it responds with the
isp as the default server. What really puzzles me is that we do have some
computers on the domain and I cannot find anything that is different about
them; including the response from nslookup. I thought about setting the
prefered domain controller to the ip of our server; however, it has a
dynamic ip.

I've been trying to go back to the basics but I'm still not finding
anything. Correct me if I'm wrong on how it works. First, the computer
broadcasts over the network looking for an IP address which the DHCP server
(our router) responds with. Somewhat later when joining the domain, the
computer then broadcasts looking for the DNS server which the server is
suppose to respond with. But if the ISPs DNS server is getting set for the
computers then maybe the local DNS server isn't answer the broadcast. But
that doesn't seem likely since there are computers that are able to join our
domain. Perhaps the computers that are on where set to look at the local
DNS server the changed to find it; however, they still remember where it was
and keep looking there. Maybe the firewall is stopping us from looking
stuff up. The guy who's been in charge says he hired people to put the
computers on the network that are on. He also told me that the reason I was
having trouble ping is that the firewall stops pings. I don't see how that
is possible on an internal ping. I can ping IP addresses but not domains.

I'm kind of shooting in the dark on this. I'm a little leery of making
changes as somethings work now. If I knock off the computers that are on
then I'm in trouble. About the only thing I can really think of to do is to
Ghost a computer that is on. But I would really prefer to understand what
is going on.

Any ideas would be appreciated.

Greg

 

[Fran]

Please excuse my tardiness on this but what problem is this user
having joining the domain?

Fran

 

[Greg]

Your domain controllers need to have static IP addresses. You can configure a sort of
static IP address by having reservations in the dhcp scope [which they may have] but
I prefer static IP or bad things can happen

I would have thought so too but this domain controller doesn't.

A computer will NEVER broadcast for a dns server.

I confess I'm a little confused on this point. The computers are configured
to "Obtain DNS server address automatically". I'm unsure how it does this;
broadcasting for a dns server is the only way I can think of to do it.

If it is not configured to use a
dns server in tcp/ip properties or via a dhcp scope then it can not use a dns server
and can only resort to netbios name resolution unless the hosts file has entries.
Ipconfig /all will show what dns servers a computer is currently using, and looking
in the dhcp scope options will list the dns servers for the scope. What many do, is
INCORRECTLY configure their domain computers with dns server entries for both their
domain controller and their ISP dns server which will cause all kinds of havoc. If
you want to get everything working correctly you need to make sure the domain
controllers have static IP addresses and that W2K/XP Pro computers use only domain
computers for their preferred dns servers. I have not had experience with a single
label dns zone, so I can give limited advice. I suggest you also post in the
win2000.dns newsgroup for best way to proceed from here with the least
sruption. --- Steve

I'll check out that newsgroup. I tried to configure my computer to point to
the IP address of the DNS server; it didn't work and I couldn't get to the
internet either. I wasn't surprised I couldn't get there. As you might can
tell, DNS is an area where my knowledge is a little sketchy. I've done it
before but it was a couple of years ago and I just can't remember. Using ip
config /all, I do get 2 DNS servers. The first I recognize as our ISP but
the second isn't familiar. Reverse IP lookup came up empty. The first
number is 64; isn't that a class A or B address? I really miss my old
reference books!

Greg

 

[Greg]

I'm new on the job and this server is set up in a way I wouldn't recommend.
Anyway, I cannot get new computers onto the domain. Everything I know to
check looks ok-ish. And there is at least one computer that is on the
domain. All the settings that are different from what I am used to work on
that computer.

When I try to join, I am told that "Windows cannot find an account for my
computer on the domain." Which isn't true; I added an account for my
computer. It then asks for computer name and domain. So I enter it. It
then asks me for the name and password of an account with permission to join
the domain. I have tried the account I set up and the administrator
account; both result in an error of "The computer could not be joined to the
domain because The network path was not found." I'm not sure what path it
couldn't find. I can access the domain computer using explorer. It asks
for an id and password before giving me access and I use the account I set
up for me. I'm stumped.

Greg

 

[Fran]

Is this an Active Directory domain?

Try this and let me know if it helps:
1) Make sure you are not part of the domain now (i.e. change all
workstations not successfully connected to "Workgroup" instead of
"Domain" membership

2) Disconnect ALL mapped drives

3) Reboot

4) Try to join the domain

5) Remap drives (or use a login script)

6) Go have a beer (or two)

I had the very same issue with two workstations on my domain. Seems
that Winders (2000 server) had trouble with the credintials of the
system when mapped drives existed before they were joined to the
domain (don't ask me why but apparently AD keeps track of these
through GUID's or something.) Anyway, after disconnecting all mapped
drives I was able to join the domain flawlessly and then I wrote a
login script instead of depending on roaming profiles.

HTH

Fran