Home / server / Questions / 795761
In Process
notmrb
Asked: 2016-08-10 05:41:59 +0800 CST

Server 2012 Can't Promote Domain Controller - Can't join domain

  • 772

Running in to an issue at a new location with promoting a new domain controller. We will call the new server "newserv".

Error is - "An Active Directory domain controller for the domain "mydomain" could not be contacted." -

  • newserv can ping domain controllers by FQDN (ie DC1.mydomain)
  • newserv cannot ping domain controller without .mydomain
  • NSLOOKUP on newserv shows default server as PDC.mydomain
  • NSLOOKUP set type=all --> _ldap.tcp.dc._msdcs.mydomain shows all SRV service locations, with correct ip addresses.
  • newserv has static ip, primary and secondary DNS pointing to DC1.mydomain & DC2.mydomain
  • If I just try to join the domain, the error details state the SRV record query shows all of my domain controllers, however they could not be contacted.

Some things i've tried, other notes;

  • I've tried setting primary DNS to point to itself.
  • I've tried adding DNS suffix "mydomain" under advanced DNS settings.
  • newserv can join different domain no issue.

  • My domain does not have a suffix. It is just "mydomain" - I've run in to issues with this with joining MAC OS to the domain in the past.

  • Server is a Virtual Machine running in HyperV which is joined to a different domain.

I'm imagining this might be some kind of DNS issue, but I don't know where to start in addressing it.

Any help greatly appreciated.

domain-name-system domain dcpromo

2 Answers

  1. That usually means a required port such as UDP/389 are blocked, probably due to a firewall. You can confirm by testing with PortQueryUI:

    PortQryUI - User Interface for the PortQry Command Line Port Scanner
    https://www.microsoft.com/en-us/download/details.aspx?id=24009

    If any of the required ports are blocked, they will show as "filtered".

    • 0

  2. Windows domain promotion rely heavily on the DNS service, if I were you, I will check if the following configurations are ready:

    1. No windows firewall enabled in between the domain controller

    2. Perform simple network check, such as ping between existing domain controller and new server from both directions.

    3. Then, setup DNS A record for your new server newserv.mydomain

    4. Also, setup DNS PTR record for your new server (if your server IP is 192.168.1.1, you properly have a PTR record as 1.1.168.192.in-addr.arpa

    5. Perform DNS lookup check from your existing domain controller to new server with:

    nslookup newserv.mydomain.com

    From the new server, perform the similar testing with:

    nslookup {domain controller's DNS}

    1. Make sure you have used the user account with Domain Admin / Enterprise Admin of the domain you would like to join. Since your Hyper-V VM is running in different domain, you will have to specify the domain name when inputting your user name:

      e.g. mydomain\administrator or [email protected]

    Hope it can give you some ideas on how to join the domain.

    • 0