“My DC is online, the TCP/IP is OK, the DNS service is running, but I still cannot make a valid connection with AD!”
This is a problem that can present itself in many ways. The most common example: you have your DC completely configured for Active Directory, and the DNS server too, and when you try to join a workstation to your domain the following error appears:
An Active Directory Domain Controller for the domain [yourdomain.com] could not be contacted.
Ensure that the domain name is typed correctly
First of all, the obvious: check that connectivity is working fine... both the DNS server and the DC respond to PING requests. If you cannot connect to the domain, it is most likely that PING requests for the FQDN (such as: ping dcname.yourdomain.com or ping yourdomain.com) will not get a response either... but pinging the IP address should work. If it does not, then there is definitely a connectivity problem: a bad TCP/IP configuration or a firewall in the way.
Well, let's see; this is a problem that can really drive you nuts while trying to solve it.
Let's assume that you have the correct configuration on your DC and workstations. If you have a DHCP server in your network, check that it is doing its job... handing out to the workstations the correct IP address, subnet mask, DNS server and the other parameters you are using.
DCDIAG, really? Can that help me?
One possible reason for your problem is that the DC did not register itself in DNS, so AD has no way to know that it is a valid domain controller. To force that registration, use the DCDIAG tool (included in the Windows 2003 Support Tools) as follows:
dcdiag /test:registerindns /dnsdomain:yourdomain.com /v
Where yourdomain.com is the complete FQDN of your domain.
If everything goes ok, you will get a message like this:
NSLOOKUP is a very helpful utility for testing name resolution on a DNS server. You'll use this tool to check that the SRV (service) records Active Directory needs in order to work are in place.
Type nslookup at the command line and press Enter. You will probably find a message like this:
“*** Can't find name server for the address : Non-existent domain”; don't worry about it. This happens when you have not set any PTR (reverse) records in your DNS server to resolve IP addresses to names.
Carry on then; at the nslookup (“>”) prompt type:
set q=srv and press Enter.
Then type: _ldap._tcp.dc._msdcs.yourdomain.com
Again, because you may not have any PTR records you might see some “time out” messages, but nothing vital at this point.
If there is no problem with that, you will see the DNS server name and its IP address... if you don't, you still have one thing to do.
That thing you never wanted to do... modifying a .dns file
The file that will probably save you is C:\WINDOWS\system32\config\netlogon.dns (the path as extracted had lost its backslashes; this is the standard location).
Open this file with Notepad and take a look at it, but don't get frightened! You will see a bunch of lines that probably won't make much sense to you, but these two are the ones we are looking for:
_ldap._tcp.yourdomain.com IN SRV 0 0 389 ldap_server_name
_ldap._tcp.dc._msdcs.yourdomain.com IN SRV 0 0 389 domain_controller_name
The LDAP server name should be the same as the DC server name. So if you are going to manually change this file, make them the same.
I'm going to publish some other documents for similar problems. They all come from situations like losing your only DC and bringing back into service an old backup that has a different configuration. Check them too.
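Before hand-editing netlogon.dns it helps to check the two SRV records mechanically rather than by eye. The following script is an added example (not from the original post): it parses lines in the netlogon.dns layout, picks out the _ldap._tcp and _ldap._tcp.dc._msdcs records for a domain, and reports when either is missing, advertises a port other than 389, or when the two name different hosts (the mismatch described above, which is typical after restoring an old backup of a DC). The sample file contents, the domain yourdomain.com and the host names dc01/olddc are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

LDAP_PORT = 389

# Constructed sample in the layout of netlogon.dns (not a real file from any
# domain). The two _ldap SRV records deliberately disagree on the host, which
# is the inconsistency the text above tells you to fix by hand.
SAMPLE_NETLOGON_DNS = """\
; constructed sample, not a real netlogon.dns
yourdomain.com. 600 IN A 192.0.2.10
_ldap._tcp.yourdomain.com. 600 IN SRV 0 100 389 dc01.yourdomain.com.
_ldap._tcp.dc._msdcs.yourdomain.com. 600 IN SRV 0 100 389 olddc.yourdomain.com.
_kerberos._tcp.yourdomain.com. 600 IN SRV 0 100 88 dc01.yourdomain.com.
"""


@dataclass
class SrvRecord:
    name: str       # owner name, e.g. _ldap._tcp.yourdomain.com
    priority: int
    weight: int
    port: int
    target: str     # host that offers the service


# Owner [TTL] IN SRV priority weight port target. The TTL is optional so the
# shortened form quoted in the post (no TTL column) parses as well.
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def _norm(name: str) -> str:
    """DNS names compare case-insensitively; strip the trailing root dot."""
    return name.rstrip(".").lower()


def parse_srv_records(text: str) -> List[SrvRecord]:
    """Return every SRV record found in text; other record types and ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if m:
            records.append(SrvRecord(_norm(m["name"]), int(m["prio"]), int(m["weight"]),
                                     int(m["port"]), _norm(m["target"])))
    return records


def check_ldap_srv(text: str, domain: str) -> List[str]:
    """Return a list of problems with the two LDAP SRV records; an empty list means they look right.

    Assumes a single DC (one record per owner name), which is the scenario in the post.
    """
    domain = _norm(domain)
    ldap_name = "_ldap._tcp." + domain
    dc_name = "_ldap._tcp.dc._msdcs." + domain
    by_name: Dict[str, SrvRecord] = {r.name: r for r in parse_srv_records(text)}

    problems = []
    for name in (ldap_name, dc_name):
        rec = by_name.get(name)
        if rec is None:
            problems.append(f"missing SRV record {name}")
        elif rec.port != LDAP_PORT:
            problems.append(f"{name} advertises port {rec.port}, expected {LDAP_PORT}")

    ldap, dc = by_name.get(ldap_name), by_name.get(dc_name)
    if ldap and dc and ldap.target != dc.target:
        problems.append(f"{ldap_name} -> {ldap.target} but {dc_name} -> {dc.target}; "
                        "both should name the same domain controller")
    return problems


if __name__ == "__main__":
    for p in check_ldap_srv(SAMPLE_NETLOGON_DNS, "yourdomain.com"):
        print("PROBLEM:", p)
```

Run it against the real file with `check_ldap_srv(open(r"C:\WINDOWS\system32\config\netlogon.dns").read(), "yourdomain.com")`; an empty list means the records are consistent and the remaining suspects are DNS registration (the dcdiag step) or connectivity.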