MichalSumega-6610 asked DSPatrick answered

New computer failing to join to domain

Hello all,

I've had a problem with joining new computers to the domain. It was working fine until recently (a few weeks back it was still OK). I'm not aware of anything that was changed since then, except that the primary DC was restarted. The primary DC has been moved to Azure and two on-site DCs were shut down; this was done several months ago. From what I know, those old on-site DCs were not demoted yet (in case they are required again and need to be turned on). However, now I'm experiencing this issue, and I kind of think it could be the root cause here? In the new DC in Azure I see:

  • WARNING about FSMO - "This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role"... etc.

  • ERROR - "The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is "The role owner attribute could not be read.""

From what I've read so far, non-working replication may be the problem that I have to fix to get it working properly? If so, can I just turn on the old on-prem DCs and demote them to resolve these replication issues? Those servers have been off for around 5 months now...

Just FYI - the connectivity seems to be working fine between the computer and the DC in Azure... I can ping it with no issue.


Tags: windows-server, windows-active-directory

Hi,
If there is any progress, you are welcome to share it here!
Best Regards,

DSPatrick answered MichalSumega-6610 commented

Please run;

Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
repadmin /showrepl >C:\repl.txt
REM run ipconfig /all on each machine and name the file after that machine
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
ipconfig /all > C:\problemworkstation.txt

then put unzipped text files up on OneDrive and share a link.
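An added example, not part of DSPatrick's answer: a first triage of the same data on the DC itself, so the two events quoted in the question can be tied to a concrete replication partner before the full logs are read. The RID master will not hand out a new account-identifier pool while it cannot validate its role (the 2092 warning), and a domain join needs a RID for the new computer account (the 16651 error), so the join failure and the two events are one problem. Run it in an elevated PowerShell on the DC; the event IDs are the standard ones for the two messages quoted above.

```powershell
# Added example, not part of the answer above: triage the replication and
# FSMO state on the remaining DC before (or while) collecting the full logs.
# Run in an elevated PowerShell on the DC.

# 1. Replication status as CSV so it can be filtered instead of read by eye.
#    One row per destination/source/naming-context triple.
$rows   = repadmin /showrepl $env:COMPUTERNAME /csv | ConvertFrom-Csv
$failed = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }
$failed |
    Select-Object 'Source DSA', 'Naming Context', 'Number of Failures',
                  'Last Success Time', 'Last Failure Status' |
    Format-Table -AutoSize

# 2. A partner with no success for months is gone, not flapping. Flag anything
#    that last replicated more than 60 days ago, or never did.
$cutoff = (Get-Date).AddDays(-60)
$stale  = $failed | Where-Object {
    $last = $_.'Last Success Time' -as [datetime]
    (-not $last) -or ($last -lt $cutoff)
} | Select-Object -ExpandProperty 'Source DSA' -Unique
"Partners with no successful replication since $($cutoff.ToShortDateString()): $($stale -join ', ')"

# 3. Who owns the roles, and does this DC consider its own roles valid?
netdom query fsmo
dcdiag /test:FsmoCheck /test:KnowsOfRoleHolders /test:RidManager /test:Replications

# 4. The two events from the question: 2092 in the Directory Service log
#    (FSMO owner cannot validate its role after a restart) and 16651 in the
#    System log, source SAM (request for a new RID pool failed).
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2092 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message | Format-List
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 16651 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message | Format-List
```

If the only partners listed in step 2 are DCs that have been powered off for months, the validation failure in step 3 is expected: the role owner has nobody left to replicate with, and it will stay invalid until those partners are either brought back or removed from the directory.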




Hi DSPatrick,

I will do it all as soon as I have access again to the laptop I want to join to the domain - the laptop is not with me currently.

FYI:
- there is only one DC, the one in Azure... let's call it AZDC
- there are two on-prem DCs that were shut down months ago - DC01 and DC02
- I checked the ipconfig yesterday when on the laptop and it was looking OK (got the correct IP, DNS pointing to AZDC, etc.)

I will provide you with the dcdiag, repadmin and ipconfig output of AZDC and the laptop as soon as I can so you may double check whether there is something I could have missed ;)


Sounds good.


Hi @MichalSumega-6610, @DSPatrick is correct with his advice. Thank you Patrick, as always! Please make sure to verify his answer if it solves your problem :) If you still need help, we are tracking this issue and will post back when needed.

Best,
James


Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--




DSPatrick answered MichalSumega-6610 commented

TPLAZDC01 is DHCP assigned; a domain controller must always have a static IP address.

The domain controller and all domain members should have the static IP address of the DC listed for DNS and no others, such as the router or public DNS. So remove the Google DNS (8.8.8.8) and possibly the 10.0.1.2 from TPLAZDC01, then do ipconfig /flushdns, ipconfig /registerdns, and restart the Netlogon service.

LAPTOP-ETRK3HMQ: remove the Google public DNS (8.8.8.8).

Also check that the required ports are flowing between the two networks 172.16.7.1 and 10.0.1.1:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts
https://www.microsoft.com/en-us/download/details.aspx?id=24009

I did not bother to look at the other files since these items are show stoppers. After making the corrections, if problems persist, put up a new set of files to look at.
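An added example, not from DSPatrick's answer: the DNS client fix above as a script a domain member (or the DC itself) can run, followed by the check that shows whether the machine can then locate a DC at all. The DC address 172.16.7.10 is the one given later in this thread; the domain name is an assumption, since the thread never names it.

```powershell
# Added example, not part of the answer above. Run in an elevated PowerShell
# on the domain member, and again on the DC. Only DCs that host the AD zone
# belong in the DNS list; 172.16.7.10 is the DC address from the thread.
$DcDns  = @('172.16.7.10')
$Domain = 'corp.example.com'   # assumed; the real domain name is not in the thread

# 1. Every IPv4 adapter whose DNS list contains anything that is not a DC
#    (router, ISP, 8.8.8.8). A public resolver cannot answer _msdcs queries,
#    so whenever the client happens to ask it, DC location fails.
$bad = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses | Where-Object { $_ -notin $DcDns } }
$bad | Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# 2. Replace the list with the DC only, on each offending adapter.
foreach ($a in $bad) {
    Set-DnsClientServerAddress -InterfaceIndex $a.InterfaceIndex -ServerAddresses $DcDns
}

# 3. The three steps from the answer: flush, re-register, restart Netlogon.
Clear-DnsClientCache
Register-DnsClient
Restart-Service Netlogon

# 4. Verify DC location end to end: the SRV record a domain join queries,
#    answered by the DC itself, then the locator the join actually uses.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcDns[0]
nltest /dsgetdc:$Domain /force
```

If step 4 returns the DC's name and address, DNS is no longer the blocker and the next place to look is the directory itself. If the SRV query fails against the DC, the _msdcs records are missing or the DC is not hosting the zone, which is a different problem from a stray 8.8.8.8.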



Thanks for taking a look....

  • TPLAZDC01 has a static IP configured via the Azure portal, even though it shows as DHCP when checking it in the VM. As I've read, that should be the way to assign a static IP for a VM in Azure (via the Azure portal, configuring it directly on the network interface resource connected to the VM instead of configuring the network adapter the standard way inside the VM/Windows). I remember it was not recommended to configure the IP address inside the VM..... I can change it if it's better?

  • DNS on TPLAZDC01: 8.8.8.8 and 10.0.1.2 (old DC2) removed

  • PORTS: ports are allowed between them

  • DNS on laptop: as I don't have the laptop for the weekend, I will do it on Monday and check whether it helped ;)
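An added note with example code, not from anyone in the thread: inside an Azure VM, ipconfig will always report DHCP, because the platform's DHCP server hands the guest whatever is configured on the NIC resource. So the allocation method and the DNS server list have to be checked and fixed on the NIC and virtual network resources, not in the guest. The Az PowerShell below does that audit and correction; the resource group, NIC and VNet names are assumptions, the DC address 172.16.7.10 is the one given later in the thread.

```powershell
# Added example, not part of the thread: check and fix the Azure-side settings
# that the guest OS only mirrors. Requires the Az.Network module and an account
# with Network Contributor on the resource group. Names below are assumed.
$rg       = 'rg-identity'       # assumed
$nicName  = 'tplazdc01-nic'     # assumed
$vnetName = 'vnet-hub'          # assumed
$DcIp     = '172.16.7.10'       # DC address from the thread

Connect-AzAccount | Out-Null    # interactive sign-in; skip if already signed in
$nic  = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$vnet = Get-AzVirtualNetwork   -ResourceGroupName $rg -Name $vnetName

# 1. Allocation method on the NIC. "Dynamic" here is the real problem even
#    when the guest has had the same address for months.
$ipcfg = $nic.IpConfigurations[0]
'{0}: {1} ({2})' -f $nicName, $ipcfg.PrivateIpAddress, $ipcfg.PrivateIpAllocationMethod
if ($ipcfg.PrivateIpAllocationMethod -ne 'Static') {
    $ipcfg.PrivateIpAllocationMethod = 'Static'
    $ipcfg.PrivateIpAddress = $DcIp
    $nic | Set-AzNetworkInterface | Out-Null
}

# 2. DNS servers. The VNet list is what every VM in the network receives over
#    DHCP; a NIC-level list overrides it for that VM. Either is where a public
#    resolver or a decommissioned DC (10.0.1.2 in this thread) keeps coming from.
"VNet DNS: $($vnet.DhcpOptions.DnsServers -join ', ')"
"NIC  DNS: $($nic.DnsSettings.DnsServers -join ', ')"

$vnet.DhcpOptions.DnsServers = @($DcIp)
$vnet | Set-AzVirtualNetwork | Out-Null
$nic.DnsSettings.DnsServers.Clear()        # no override: inherit the VNet list
$nic | Set-AzNetworkInterface | Out-Null
# Guests pick up the new list on lease renewal: ipconfig /renew or a restart.
```

Running only the two read-only lines in step 2 on the VNet is usually enough to explain where an unexpected 8.8.8.8 on a domain member is coming from.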



Sounds good, you're welcome.


@DSPatrick: .... did not help. Still the same issue.


Please put up a new set of files to look at.
DSPatrick answered DSPatrick edited

TPLDC01 and TPLDC02 both report no connectivity, which leads me to believe there's no path from the 172.16.7.1 network to the 10.0.1.1 network. If they're gone then you can do a cleanup to remove them, but connectivity is still suspect. You can check that the required ports are flowing between the two networks 172.16.7.1 and 10.0.1.1 (test from the problem member):
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts
https://www.microsoft.com/en-us/download/details.aspx?id=24009
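An added example, not part of the answer: the port check above as a script run from the problem member towards the DC. The TCP list is the one in the linked firewall article; Test-NetConnection probes TCP only, so the UDP services are exercised with the client tools that actually use them. The DC address 172.16.7.10 is the one given later in this thread; the domain name is assumed.

```powershell
# Added example, not part of the answer above. Run on the problem member.
$Dc     = '172.16.7.10'        # DC address from the thread
$Domain = 'corp.example.com'   # assumed; the real domain name is not in the thread

# TCP ports a member needs to reach on a DC (from the linked firewall article).
$tcpPorts = [ordered]@{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 139 = 'NetBIOS session'
    389 = 'LDAP'; 445 = 'SMB'; 464 = 'Kerberos password change'; 636 = 'LDAPS'
    3268 = 'Global Catalog'; 3269 = 'Global Catalog over SSL'
}
$results = foreach ($p in $tcpPorts.Keys) {
    $r = Test-NetConnection -ComputerName $Dc -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p; Service = $tcpPorts[$p]; Open = $r.TcpTestSucceeded }
}
$results | Format-Table -AutoSize
$closed = @($results | Where-Object { -not $_.Open }).Port
if ($closed) { Write-Warning "TCP blocked towards $Dc on: $($closed -join ', ')" }

# The join also needs the RPC dynamic range (TCP 49152-65535) after the
# endpoint mapper on 135 answers. There is no fixed port to probe, so confirm
# the firewall/NSG rule between the two networks allows that whole range.

# UDP 53: the DC must answer directly, including the locator SRV record.
Resolve-DnsName -Name $Dc -Server $Dc -Type PTR -ErrorAction SilentlyContinue | Out-Null
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc

# UDP 123: Kerberos needs the clock within skew; this also proves NTP reaches the DC.
w32tm /stripchart /computer:$Dc /samples:1 /dataonly

# UDP 389 (LDAP ping) plus the rest of the locator path, as the join will use it.
nltest /dsgetdc:$Domain /force
```

A member that can ping the DC but shows 88, 389 or 445 closed here has a filtered path, not a routing problem, which is the distinction the answer is asking about.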

MichalSumega-6610 answered

Those two are the two on-prem DCs that were shut down months ago, as I've mentioned earlier. They are not in use anymore; however, I don't think they were properly removed (demoted) yet, as they are still showing there. Wondering whether that could be causing the issue, and if I could just turn them on, demote them properly, and that could fix it. All other end-user computers are also on the 10.0.1.0/24 subnet and they have no problem communicating with the DC (172.16.7.10) :/

Also, as I've mentioned earlier, it was working fine for months (I had joined several computers to the domain since those two on-prem DCs above were shut down, with no issue)... just recently we experienced that issue joining a new laptop to the domain.

DSPatrick answered DSPatrick commented

"that were shut down months ago"

Ok, they have likely tombstoned then. The simplest thing to do would be to perform cleanup.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

But this would not have an effect on the domain join problem. If the others are not having issues, then this desktop may be broken for other reasons; it may need to be rebuilt.
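The cleanup from the two linked articles, as an added PowerShell example that is not part of the answer: discover which DCs the directory still lists but which no longer answer, remove their metadata with ntdsutil, clear the records that still advertise them, and re-run the checks for the FSMO and RID errors quoted in the question. The two dead DCs in this thread are TPLDC01 and TPLDC02; the script discovers them rather than hard-coding names, and deletes nothing without an explicit confirmation.

```powershell
# Added example, not part of the answer above. Run in an elevated PowerShell
# on the surviving DC as a Domain Admin (and Enterprise Admin if a forest
# role is involved). Nothing is removed without a YES at the prompt.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"RID master: $($domain.RIDMaster)  PDC: $($domain.PDCEmulator)  Infrastructure: $($domain.InfrastructureMaster)"
"Schema master: $($forest.SchemaMaster)  Domain naming: $($forest.DomainNamingMaster)"

# 1. Every DC the directory still lists, and whether it answers LDAP today.
$dcs = Get-ADDomainController -Filter * | ForEach-Object {
    $probe = Test-NetConnection -ComputerName $_.HostName -Port 389 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Name     = $_.Name
        Site     = $_.Site
        ServerDn = $_.ServerObjectDN   # CN=<dc>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
        Alive    = [bool]$probe.TcpTestSucceeded
    }
}
$dcs | Format-Table -AutoSize
$dead = @($dcs | Where-Object { -not $_.Alive -and $_.Name -ne $env:COMPUTERNAME })

# 2. Never clean up a DC that still owns a role. Seize the role onto this DC
#    first (Move-ADDirectoryServerOperationMasterRole ... -Force); otherwise
#    the role is left with no owner at all.
$roleHolders = @($domain.RIDMaster, $domain.PDCEmulator, $domain.InfrastructureMaster,
                 $forest.SchemaMaster, $forest.DomainNamingMaster) |
               ForEach-Object { ($_ -split '\.')[0] }
foreach ($d in $dead) {
    if ($roleHolders -contains $d.Name) {
        throw "$($d.Name) is offline but still holds an FSMO role; seize the roles before cleanup."
    }
}

# 3. Metadata cleanup. "remove selected server <ServerDN>" is the ntdsutil
#    form from the first linked article; it removes the NTDS Settings object
#    and the replication connection objects that point at the dead DC.
foreach ($d in $dead) {
    "Metadata cleanup target: $($d.Name) -> $($d.ServerDn)"
    if ((Read-Host 'Type YES to remove this server') -eq 'YES') {
        ntdsutil "metadata cleanup" "remove selected server $($d.ServerDn)" quit quit
    }
}

# 4. Whatever ntdsutil left behind: a computer account still in the Domain
#    Controllers OU, and SRV records that still advertise the dead DC to
#    clients. Each Get returns nothing if the object is already gone.
foreach ($d in $dead) {
    Get-ADComputer -Filter "Name -eq '$($d.Name)'" -SearchBase $domain.DomainControllersContainer |
        Remove-ADObject -Recursive -Confirm
    foreach ($zone in @($domain.DNSRoot, "_msdcs.$($forest.RootDomain)")) {
        Get-DnsServerResourceRecord -ZoneName $zone -RRType Srv -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordData.DomainName -like "$($d.Name).*" } |
            Remove-DnsServerResourceRecord -ZoneName $zone -Force
    }
}

# 5. Verify: no dead partners left, roles valid, RID pool available again.
repadmin /showrepl
dcdiag /test:FsmoCheck /test:KnowsOfRoleHolders /test:RidManager
```

After step 5, the RidManager test should pass and no new 2092 or 16651 events should appear; that is the state in which a domain join can get a RID for the new computer account. If the old servers are ever powered on again they must be rebuilt, not reconnected: their copy of the directory is long past the tombstone lifetime.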


Hi,
You are welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.

Best Regards,


@DSPatrick: .... good news.... After the cleanup of those two DCs, the new computer was able to join the domain... So it looks like that was the root cause of the issue... Thanks a lot for your help on this!


Glad to hear, you're welcome.
