Re: Help! Can't add server to a domain

From: Herb Martin (news_at_LearnQuick.com)
Date: 02/25/05

    Date: Fri, 25 Feb 2005 15:36:06 -0600
    
    

    "Clayton Sutton" <none@none.com> wrote in message
    news:OhmSzB4GFHA.1172@TK2MSFTNGP12.phx.gbl...
    > We are running a win2k forest with two domains. To the primary domain
    > (domain #1) I added two Win2k3 servers just fine. However, I can't seem to
    > add any servers to the second domain (domain #2). I am a member of "Domain
    > Admins", "Enterprise Admins" and "Schema Admins" in the first domain. Any
    > ideas what might be going on? I checked the trusts and they seem to be
    > working fine too.

    Most such problems are really DNS problems.

    This is especially likely with multi-domain
    forests where having ALL of the DNS servers
    resolve the entire forest is commonly 'broken'.

    ALL internal DNS servers must be able to resolve
    ALL internal domains -- either directly or by some
    form of (win2003 conditional) forwarding.

    Parent domains must effectively delegate to child
    domains and when you have multiple "trees" it
    generally requires that (at least the top level) DNS
    servers hold "cross secondaries" for the "other
    tree" (or some equivalent to the cross secondary.)

    Check your DNS using the general suggestions
    (especially the tools) below.

    DNS for AD
        1) Dynamic for the zone supporting AD
        2) All internal DNS clients NIC\IP properties must specify SOLELY
            that internal, dynamic DNS server (set.)
        3) DCs and even DNS servers are DNS clients too -- see #2
        4) If you have more than one Domain, every DNS server must
                be able to resolve ALL domains (either directly or indirectly)

        netdiag /fix

    ...or maybe:

        dcdiag /fix

       (Win2003 can do this from Support tools):
        nltest /dsregdns /server:DC-ServerNameGoesHere
    http://support.microsoft.com/kb/q260371/

    Ensure that DNS zones/domains are fully replicated to all DNS
    servers for that (internal) zone/domain.

    Also useful may be running DCDiag on each DC, sending the
    output to a text file, and searching for FAIL, ERROR, WARN.

    Single Label domain zone names are a problem. Google:
    [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
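
The DCDiag step suggested in the reply above (save each DC's output to a text file, then search for FAIL, ERROR, WARN), as an added example that is not part of the original post. It keeps the server and test each flagged line belongs to, which a plain text search loses; the sample output is constructed and the server names are hypothetical.

```python
import re

# Constructed DCDiag-style output (not from the original post); names are hypothetical.
SAMPLE = r"""Doing primary tests
   Testing server: Default-First-Site-Name\DC1
      Starting test: Replications
         ......................... DC1 passed test Replications
      Starting test: NetLogons
         ......................... DC1 failed test NetLogons
   Testing server: Default-First-Site-Name\DC2
      Starting test: Advertising
         Warning: DC2 is not advertising as a time server.
         ......................... DC2 failed test Advertising
      Starting test: Services
         ......................... DC2 passed test Services
"""

FLAG = re.compile(r"\b(FAIL|ERROR|WARN)\w*", re.IGNORECASE)
SERVER = re.compile(r"^Testing server:\s*(\S+)")
TEST = re.compile(r"^Starting test:\s*(\S+)")

def scan_dcdiag(text):
    """Return (server, test, keyword, line) for every line flagged FAIL/ERROR/WARN."""
    server = test = None
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER.match(line)
        if m:                      # new DC section: reset the test context
            server, test = m.group(1), None
            continue
        m = TEST.match(line)
        if m:                      # remember which test the next lines belong to
            test = m.group(1)
            continue
        m = FLAG.search(line)
        if m:                      # drop the dotted leader DCDiag prints before results
            hits.append((server, test, m.group(1).upper(), line.lstrip(". ")))
    return hits

def failed_tests(hits):
    """Unique (server, test) pairs with at least one flagged line, in file order."""
    return list(dict.fromkeys((server, test) for server, test, _, _ in hits))

if __name__ == "__main__":
    for server, test, keyword, line in scan_dcdiag(SAMPLE):
        print(f"{keyword:5} {server} / {test}: {line}")
```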

