Unable to add Vista Business workstation to Win2K3 domain

cody

Hi All,

This issue has me ripping my hair out, it is very frustrating...

We recently purchased a Dell workstation with Windows Vista Business
pre-installed.

Upon connecting this workstation to the network, I am unable to join
it to the domain.

We have two offices that fall under the one domain safe-trac

It does not have a FQDN, well that is its FQDN, it is a domain that I
did not set up.

In one office, office A, is server A, which is a Domain Controller
with DNS installed.

In the other office, office B, is server B, which is also a Domain
Controller, but does not have DNS installed.

I have configured our Vista workstation with a static IP address in
office B, with DNS set to server A and the same gateway as server B.
The offices are connected via an IPSEC VPN.

No other odd domain problems have been experienced, both server A and
B have Windows 2003 installed.

I have had no other problems joining WinXP workstations to this
domain.

When I attempt to join the Vista workstation to the domain, I get the
following error message:

"An Active Directory Domain Controller for the domain safe-trac could
not be contacted

Ensure that the domain name is typed correctly"

In the debug\dcdiag.txt file is the following:

"The domain name safe-trac might be a NetBIOS domain name. If this is
the case, verify that the domain name is properly registered with
WINS.

If you are certain that the name is not a NetBIOS domain name, then
the following information can help you troubleshoot your DNS
configuration.

DNS was successfully queried for the service location (SRV) resource
record used to locate an Active Directory Domain Controller for domain
safe-trac:

The query was for the SRV record for _ldap._tcp.dc._msdcs.safe-trac

The following AD DCs were identified by the query:

serverA.safe-trac
serverB.safe-trac

Common causes of this error include:

- Host (A) records that map the name of the AD DCs to its IP addresses
are missing or contain incorrect addresses.

- Active Directory Domain Controllers registered in DNS are not
connected to the network or are not running."

Now what I can't understand from this is that it finds the Domain
Controllers, yet cannot contact them!!!!!
From the Vista workstation, I can nslookup both servers and of course
ping them.

I have also tried to create a computer account in the AD and try to
add the computer to the domain the 'other' way, to no avail, same
error.

An important note, but should make no difference is that office A and
office B are in different subnets. But this has proved to be no issue
when adding WinXP workstations to the domain.

Any ideas on where I can start to diagnose this?

TIA
 
Robert L [MVP - Networking]

It is better to have DNS in office B. Since you have a VPN, it is recommended to set up WINS. This search result may help:

Name resolution on VPN
Symptom: You have a Windows 2000/2003 server is configured as VPN running DNS, WINS, you may experience some connection issues. 1) the internal computers ...
http://www.howtonetworking.com/nameresolutionpnvpn.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
cody

Thanks Robert,

I should have said that the VPN is an IPSEC tunnel between two ADSL
endpoints, they're Impel units, aka linux boxes with ADSL termination.

Thankfully I think I have fixed my own problem.

After doing some digging it was found that the PDC, server A was
having file replication problems.

The main event indicating this was:
"The File Replication Service has detected that the replica set
"DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

Replica set name is : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
Replica root path is : "c:\windows\sysvol\domain"
Replica root volume is : "\\.\C:"
A Replica set hits JRNL_WRAP_ERROR when the record that it is trying
to read from the NTFS USN journal is not found. This can occur because
of one of the following reasons.

[1] Volume "\\.\C:" has been formatted.
[2] The NTFS USN journal on volume "\\.\C:" has been deleted.
[3] The NTFS USN journal on volume "\\.\C:" has been truncated.
Chkdsk can truncate the journal if it finds corrupt entries at the end
of the journal.
[4] File Replication Service was not running on this computer for a
long time.
[5] File Replication Service could not keep up with the rate of Disk
IO activity on "\\.\C:".

Following recovery steps will be taken to automatically recover from
this error state.
[1] At the first poll which will occur in 5 minutes this computer
will be deleted from the replica set.
[2] At the poll following the deletion this computer will be re-added
to the replica set. The re-addition will trigger a full tree sync for
the replica set."

I followed the steps in this on server A, and it worked a treat.

I then restarted the File Replication service on server B, which then
sync'ed the required files.

It worked out that server B was demoted from being a domain
controller, as its files on the domain system volume had not been
sync'ed in 60 days!

So after doing the sync, I got an event stating that server B had been
reinstated as a domain controller.

I have not tried to add the Vista Business workstation, but I have a
high confidence that it will :)

Thanks for your assistance Robert!
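
The situation in this thread, where the SRV query lists both DCs but the join still fails, can be checked per DC. The script below is an added example, not part of the original posts: it repeats the SRV lookup and then tests each listed DC for a host (A) record, LDAP and SMB reachability, and the SYSVOL and NETLOGON shares. The function name `Test-DcAdvertising` is hypothetical, and the script assumes a Windows 8 / Server 2012 or later host and an account allowed to read the shares.

```powershell
# Added example, not from the thread. Assumes Windows 8 / Server 2012 or later
# (Resolve-DnsName, Test-NetConnection) and an account that can read the shares.
param([string]$Domain = 'safe-trac')   # domain name as quoted in the thread

function Test-DcAdvertising {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Domain)

    # Same SRV lookup the join wizard reports in its debug output.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }

    foreach ($rec in $srv) {
        $dc = $rec.NameTarget.TrimEnd('.')

        # First "common cause" in the error text: missing or wrong host (A) record.
        $ip = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -First 1 -ExpandProperty IPAddress

        $ldap = $false; $smb = $false; $sysvol = $false; $netlogon = $false
        if ($ip) {
            # Ping and nslookup succeeding says nothing about these services.
            $ldap = Test-NetConnection $dc -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
            $smb  = Test-NetConnection $dc -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue
        }
        if ($smb) {
            # A healthy DC publishes both shares; a missing one points at SYSVOL replication.
            $sysvol   = Test-Path -Path "\\$dc\SYSVOL"
            $netlogon = Test-Path -Path "\\$dc\NETLOGON"
        }

        [pscustomobject]@{
            DC = $dc; Address = $ip; Ldap389 = $ldap; Smb445 = $smb
            SysvolShare = $sysvol; NetlogonShare = $netlogon
            Healthy = ($ldap -and $sysvol -and $netlogon)
        }
    }
}

Test-DcAdvertising -Domain $Domain | Format-Table -AutoSize
```

A row with `Healthy` false for a DC that DNS still lists is the cue to look at that server's File Replication Service event log.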
 
Robert L [MVP - Networking]

Thank you for the update.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com