Cannot join computer to domain

By Blackcurrant
HELP!!

It's now Monday - 00.05am and several hours ago we finished repartitioning our old DC and had installed Windows Server 2003.

We have created two user accounts - each account is a member of the Administrator Group, Domain Admins and Domain Users, and we are unable to add a computer to the domain using these accounts. We have also created the relevant computer accounts on the DC. When we try to add the computers (right-click my computer>computer name>then use either Network ID or Change), the system recognises that there is a computer account, but then gives an access denied message after we supply the username and password of a domain admin account.

We have also used group policy (ADUC - right-click Domain controller, GP Pol tab>Edit>Computer configuration>Windows settings>security settings>local policy>user rights assignment) and added both the user accounts to the Add computers to the domain policy setting.

I had exported all the AD directory objects from the old Win2k AD by using the LDIFDE command, but when I try to import this information there is an error saying the domain name already exists. When we created the new domain using the DCPROMO command we gave it the same name as the previous installation.

The firewall is disabled by default according to the services snap in.

The DNS server has been started on the DC. The network card is setup with a 192.168.0.1 address, 255.255.255.0 subnet mask and the IP address of the router for Internet connection. The other computers that already exist on the network (but which are now sitting outside the domain), all have static IP addresses.

We have also tried removing the computers from the old domain, joining them to a workgroup called WORKGROUP and rejoining the new domain without luck.

10 total posts (Page 1 of 1)  

by Blackcurrant In reply to Cannot join computer to d ...

continued...

I thought this process would be a simple affair. When using SBS2k, there was the ability to create a network setup disk - this always worked when the method described above failed. However, I cannot seem to find any information about this for Win2k3.

There is going to be pandemonium tomorrow morning and I will be very grateful if anyone can help me minimise this by giving me instructions on how to add a computer to the domain, or telling where I have gone wrong.

Please do not hesitate to ask for more information. I think I'm going to be up late tonight...

by Blackcurrant In reply to Cannot join computer to d ...

It has become apparent (we think) that the access denied message is aimed at the computers themselves and not our accounts.

We've now also tried changing the name of the computers and changing the IP address.

by rbmrf In reply to Cannot join computer to d ...

Hi!
From what I've understood, you already have the accounts for the computers in your new AD, right? 1. Have you tried removing it first? Or doing a Reset Account for the PC in the AD?
2. The username you are trying to use is something like username@domain.new or just username?
3. Have you killed the older DC? If not, you could make the new server a new DC; the objects from the AD in the older DC would pass to the new DC and you could get past the problem easily without ldifde, then you kill the old one! For installing Windows Server 2003 in an environment with 2000 you will have to run the adprep command first!

These are just some questions to understand what was done, and what you can do next!

hope it helps in something...

by Blackcurrant In reply to

Hi, and thanks for answering.

1.The computer and user accounts do exist on the AD - but they are new accounts we have just created.

2. We have tried username@domain.local, username@servername.domain.local, domain.local\username and servername.domain.local\username.

3. This installation of Windows Server 2003 replaces a previous single copy of Windows Server 2000/Small Business Server 2000. We have just one domain and one DC. The partition was deleted, recreated and reformatted before the OS was installed. This was because the previous OS was unhealthy.

We have had a local tech support guy in all afternoon. He described the symptoms as "weird". He tried removing and reinstalling the DNS server, adding a reverse lookup zone, and we even used DCPROMO to remove the domain and then created a new domain. He discovered that the domain was functioning/emulating a Windows 2000 domain, so he upgraded it to 2003.

He also discovered that when trying to connect a client to the domain, the netlogon service was giving an error saying it was unable to find the old domain. We have no idea why it should be looking for the old domain when it has been deleted - completely.

When we run nslookup from either a (potential) client or from the DC itself, the DNS server cannot be found. If we supply an incorrect password when trying to add a client to the domain we get a username/password error, so connectivity does exist. We can ping from clients to server and from server to clients.

Now, the really odd thing is that we have been able to join 3 clients to the domain. But this has been through sheer persistence. I have no idea why these three computers were suddenly able to join. We were not doing anything differently on any of them nor the other computers.

One of the error messages suggested using nltest.exe /deregdns. Although the command completed successfully, there was no difference, and we are still unable to connect....

Does anyone have any idea what is occurring here?


by Gigelul In reply to Cannot join computer to d ...

Hi,

Regarding the previous answer:
"1. If you try to remove it first? Or make an Reset Account for the PC in the AD?"
Your comments:
"1.The computer and user accounts do exist on the AD - but they are new accounts we have just created."

The suggestion was to remove computer account from AD and create/add it to AD from workstation console, using the new domain admin account.

Before this, join the computer to a workgroup

by Blackcurrant In reply to

Thank you very much for answering. Please see my last two comments

by Blackcurrant In reply to Cannot join computer to d ...

Hi again.

Thanks very much to rbmrf and florinel for their suggestions. Florinel came closest, but the problem went way beyond the correct procedure for joining a computer to a 2003 domain.

Please note I am not very experienced with DNS so some of this explanation may be a little off...

As I said previously, the netlogon service was stating it could not find our old domain (heritage). This inexplicably resulted in 'heritage' records being added to the DNS server on the 2003 domain controller. Then, last night we got a DNS event error stating it could not find a SOA and that the A record was missing. This must have been why the nslookup command could not identify the DNS server. So, we added the appropriate records. There was also a DNS folder named HTLINCS (our new domain name), and we renamed it to HTLINCS.LOCAL which is the full name of our domain. Hey Presto! nslookup found the primary DNS server.

BUT.... we were still unable to add a computer to the domain. I had realised the previous day that because the computers on the network were trying to log on to the htlincs domain with the heritage domain information, they may be 'corrupting' the new DNS server. As I said, there were records present which attempted to point to heritage.local. Why this happened I do not know. I would have expected the new DNS server to have rejected any requests to look up the heritage.local domain, simply because it did not exist.

After correcting the DNS error we had to:

1. Remove the computers from the heritage domain and join them to a 'workgroup' workgroup <reboot>
2. Add the primary DNS suffix htlincs.local to the computer name while they were still members of the workgroup <reboot>
3. Join the computer to the domain.

by Blackcurrant In reply to Cannot join computer to d ...

continued...


Simply removing them from the heritage domain and joining them to a workgroup did not allow us to join them to the htlincs domain - we still received an 'access denied' message. It was not until the computers were called computername.htlincs.local and were in the workgroup that they could then be added to the htlincs domain. And we still have one lonely little XP Pro machine that cannot 'join up', so I am going to reinstall the OS on that one tomorrow.

Another thing - as the network administrator I had a record of the administrator passwords for every machine. This came in very handy when the htlincs domain was created, as suddenly I was unable to log on through the domain with administrative rights. This went well. Then I got to my own machine - and **** me if I could not remember my own admin password. DOH!

Well, it's been a learning experience, and I hope this explanation helps someone out there with a similar problem.
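The checks and the three-step procedure from the two posts above (leave the old domain for WORKGROUP, set the primary DNS suffix while still in the workgroup, then join), written up as an added example in PowerShell. This is not code from the thread or from the poster: it targets a modern Windows client (Windows 8 / Server 2012 or later, for Resolve-DnsName, Add-Computer and Remove-Computer) rather than the 2003-era GUI the poster used. The domain name htlincs.local, the DC address 192.168.0.1 and the workgroup name WORKGROUP are taken from the thread; the function names and the dsquery/dsmod reset on the DC are assumptions for illustration.

```powershell
# Added example, not code from the thread. Assumptions: new domain htlincs.local,
# DC/DNS server 192.168.0.1, a client on Windows 8 / Server 2012 or later, and
# local Administrator rights on the client. Run the functions in the order given
# in the usage note; two of them end in a reboot.

$Domain = 'htlincs.local'
$DcIp   = '192.168.0.1'
$Tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Test-DcLocator {
    # A join locates the DC through DNS (SOA/A for the zone, SRV under _msdcs),
    # which is what netlogon and "nltest /dsgetdc" do. Ping and a "wrong password"
    # reply only prove IP and NetBIOS/SMB reachability, not that DNS can find a DC,
    # so this is the check to run before blaming the join itself.
    param([string]$Domain, [string]$DnsServer)
    $ok = $true
    foreach ($q in @(
        @{ Name = $Domain;                            Type = 'SOA' },
        @{ Name = $Domain;                            Type = 'A'   },
        @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV' },
        @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV' }
    )) {
        try {
            $r = Resolve-DnsName -Name $q.Name -Type $q.Type -Server $DnsServer -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq $q.Type }
            if ($r) { Write-Host "OK      $($q.Type) $($q.Name)" }
            else    { $ok = $false; Write-Host "MISSING $($q.Type) $($q.Name)" }
        } catch {
            $ok = $false
            Write-Host "MISSING $($q.Type) $($q.Name): $($_.Exception.Message)"
        }
    }
    return $ok
}

function Show-StaleDomainReferences {
    # Leftover references to the old domain (the thread's "heritage") live in the
    # client's TCP/IP parameters: the primary DNS suffix and the search list.
    # Compare them against the new domain before joining.
    param([string]$Domain)
    $p = Get-ItemProperty -Path $Tcpip
    [pscustomobject]@{
        PrimaryDnsSuffix = $p.'NV Domain'
        ActiveDomain     = $p.Domain
        SearchList       = $p.SearchList
        Expected         = $Domain
    }
}

function Leave-OldDomain {
    # Step 1: drop membership in the old domain and land in a workgroup.
    param([string]$Workgroup = 'WORKGROUP')
    Remove-Computer -WorkgroupName $Workgroup -Force -Restart
}

function Set-PrimaryDnsSuffix {
    # Step 2: while still in the workgroup, make the machine computername.htlincs.local.
    # 'NV Domain' is the value the System Properties dialog writes; netlogon and the
    # DNS client only pick it up after a reboot.
    param([string]$Domain)
    Set-ItemProperty -Path $Tcpip -Name 'NV Domain' -Value $Domain
    Set-ItemProperty -Path $Tcpip -Name 'Domain'    -Value $Domain
    # Same as the GUI checkbox "Change primary DNS suffix when domain membership changes".
    Set-ItemProperty -Path $Tcpip -Name 'SyncDomainWithMembership' -Value 1 -Type DWord
    Write-Host "Primary DNS suffix set to $Domain; reboot before joining."
}

function Join-NewDomain {
    # Step 3: join with a Domain Admins credential, but refuse to try until DNS can
    # actually locate a DC, so an "access denied" is not chased as a permissions
    # problem when it is really a name-resolution one.
    param([string]$Domain, [string]$DnsServer)
    if (-not (Test-DcLocator -Domain $Domain -DnsServer $DnsServer)) {
        throw "DNS on $DnsServer cannot locate a DC for $Domain; fix the zone (SOA/A/SRV) first."
    }
    $cred = Get-Credential -Message "Domain Admins account for $Domain (DOMAIN\user)"
    Add-Computer -DomainName $Domain -Credential $cred -Force -Restart
}

function Reset-PrecreatedComputerAccount {
    # Run on the DC. A computer object pre-created in ADUC by one account can yield
    # "access denied" when a different account joins; "Reset Account" in ADUC is
    # dsmod computer -reset (dsquery/dsmod ship with Server 2003 and later).
    # Deleting the object and letting the join create it is the other option.
    param([string]$ComputerName)
    $dn = dsquery computer -name $ComputerName
    if ($dn) { $dn | dsmod computer -reset }
    else     { Write-Host "No account for $ComputerName; the join will create one." }
}
```

Order of use on the client: Show-StaleDomainReferences -Domain $Domain and Test-DcLocator -Domain $Domain -DnsServer $DcIp first (if the SOA or A record is reported missing, fix the zone on the DC before anything else); then Leave-OldDomain (reboot), Set-PrimaryDnsSuffix -Domain $Domain (reboot), Join-NewDomain -Domain $Domain -DnsServer $DcIp (reboot), and finally Test-ComputerSecureChannel or nltest /dsgetdc:htlincs.local to confirm the secure channel. Reset-PrecreatedComputerAccount is only for the case in the thread where the computer account already exists in AD before the join.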
