
I have a DC running Windows Server 2012 with an internal IP of 172.31.27.158. It is both a DC and a DNS Server.

Here's proof that DNS is running fine:

[screenshot]

The machine that I would like to add to the domain has an internal IP of 172.31.18.222

When I run ipconfig on the client machine I get:

[screenshot]

However, when I try to add it to the domain, I get this:

[screenshot]

Here's the full message:

Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "contoso.com":

The query was for the SRV record for _ldap._tcp.dc._msdcs.contoso.com

The following domain controllers were identified by the query: win-ld81qu9k4eu.contoso.com

However no domain controllers could be contacted.

Common causes of this error include:

  • Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.

  • Domain controllers registered in DNS are not connected to the network or are not running.

Here are my IPv4 settings:

[screenshots]

Also here are the group security settings:

[screenshot]

How do I add a machine to the domain?

Alex Gordon
  • What is the output of `nslookup contoso.com`? – EEAA Dec 04 '14 at 19:45
  • http://screencast.com/t/eeznvjrHnl6P – Alex Gordon Dec 04 '14 at 19:47
  • Can they ping each other? Are there any firewalls between? – Chris S Dec 04 '14 at 19:49
  • @ChrisS yes indeed they can ping each other – Alex Gordon Dec 04 '14 at 19:54
  • Can you confirm that you have promoted it to a DC and not just added the role? 2012 made it a 2 step process. – Jesse Paxson Dec 04 '14 at 19:56
  • @JessePaxson can you please point out how to do that? – Alex Gordon Dec 04 '14 at 19:57
  • Start with running DCDIAG from an elevated command prompt on the DC. – Jesse Paxson Dec 04 '14 at 20:00
  • http://screencast.com/t/3WcJJwtsm6c – Alex Gordon Dec 04 '14 at 20:00
  • @JessePaxson everything passed: http://pastebin.com/3iDJa7bP – Alex Gordon Dec 04 '14 at 20:02
  • Have you checked the firewall on the DC? – Jesse Paxson Dec 04 '14 at 20:03
  • Does your DNS forward lookup zone for the domain have an A record for `win-ld81qu9k4eu.contoso.com`? The SRV record for the DC was found, identifying `win-ld81qu9k4eu.contoso.com` as the DC to contact, but `win-ld81qu9k4eu.contoso.com` couldn't be contacted, leading me to believe that there's no A record for `win-ld81qu9k4eu.contoso.com` in the zone. – joeqwerty Dec 04 '14 at 20:05
  • @joeqwerty yes it does: http://screencast.com/t/gSBw7WwAz – Alex Gordon Dec 04 '14 at 20:07
  • @JessePaxson looks like firewall is ok http://screencast.com/t/laV4Dc29ZkGn – Alex Gordon Dec 04 '14 at 20:08
  • No. That's not showing the A record for the DC itself. Expand and highlight the `Contoso.com` zone and post a screenshot showing the A record for the DC (or the lack thereof). – joeqwerty Dec 04 '14 at 20:09
  • @joeqwerty sorry my sysadmin skills are almost nonexistent, were you referring to this? http://screencast.com/t/Su19slZjC4 – Alex Gordon Dec 04 '14 at 20:10
  • @joeqwerty revised: http://screencast.com/t/aVcnDyysy7aY – Alex Gordon Dec 04 '14 at 20:11
  • Isnt the domain supposed to be corp.contoso.com? I though domain.tld wasn't an option in 2012 r2. – AWippler Dec 04 '14 at 20:13
  • What are those security rules for? Are they for ec2 instance to ec2 instance communication (computer to computer)? If so, then that's probably the problem. You need to allow the appropriate communication between the two machines in order to join the domain. You probably need to just allow all traffic between the two to simplify this. – joeqwerty Dec 04 '14 at 20:14
  • @joeqwerty but joe, they are able to ping each other and they are on the same VPC – Alex Gordon Dec 04 '14 at 20:15
  • yes they are 2 separate ec2 instances on the same vpc – Alex Gordon Dec 04 '14 at 20:15
  • The ICMP rule was listed at the top... But that doesn't mean that the communication you need is allowed. – Jesse Paxson Dec 04 '14 at 20:17
  • ive enabled basically everything, should i enable all UDP and all TCP? – Alex Gordon Dec 04 '14 at 20:17
  • Yes, unblock (allow) all traffic. For a list of the actual ports, see here: http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple – joeqwerty Dec 04 '14 at 20:18
  • jeez, @joeqwerty do you recommend i download that tool? – Alex Gordon Dec 04 '14 at 20:20
  • There is a port list about half way through the article he provided. Make sure they are all open on the firewall. – Jesse Paxson Dec 04 '14 at 20:22
  • What tool? The link was meant as a reference for the ports required for AD communication through a firewall. My suggestion would be that you unblock (allow) all traffic between these two instances through the firewall. The firewall is relevant only to these instances, right? It doesn't govern external access to your instances does it? – joeqwerty Dec 04 '14 at 20:22
  • well it looks like the firewall is completely down, yet i'm still having trouble with connecting that machine to the domain: http://screencast.com/t/4vgyA0Ep4 – Alex Gordon Dec 04 '14 at 20:57
  • **This is Amazon AWS EC2, a virtual server.** You cannot connect without running a VPN connection between the two. – AStopher Dec 04 '14 at 21:32
  • @cybermonkey that is incorrect – Alex Gordon Dec 04 '14 at 21:36
  • @Yuck If it's not AWS EC2, then someone has *seriously* ripped off their Security Groups page. What firewall are you using? The *only* other way to connect is 'throw open the doors' which you shouldn't even be considering. – AStopher Dec 04 '14 at 21:37
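The error text above already separates the two halves of the problem: the SRV lookup succeeded, so DNS found a DC name, but the DC itself could not be contacted. The following diagnostic is an added example for this page, not code from the original question or its comments. Run it on the machine you are trying to join. It assumes the domain name `contoso.com` and the DC/DNS address `172.31.27.158` from the question, a client with PowerShell 3 or later (`Resolve-DnsName` ships with Windows 8 / Server 2012 and later), and the standard list of TCP ports a domain join and logon use against a DC. It repeats the SRV query the join wizard makes, checks that each advertised DC has an A record, and then probes each AD port on that address, so a filtered port shows up as a firewall or security-group problem rather than a DNS one.

```powershell
# Added diagnostic for the "SRV record found, no DC could be contacted" message.
# Assumptions (not from the original post): domain contoso.com, DC/DNS at
# 172.31.27.158. Adjust the two parameters for your environment.
param(
    [string]$Domain    = 'contoso.com',
    [string]$DnsServer = '172.31.27.158'
)

# TCP ports a domain join / logon needs on a DC (standard AD port list):
# 53 DNS, 88 Kerberos, 135 RPC endpoint mapper, 389 LDAP, 445 SMB (SYSVOL/Netlogon),
# 464 Kerberos password change, 636 LDAPS, 3268/3269 Global Catalog.
# The RPC dynamic range 49152-65535 and UDP 53/88/123/389 are also required
# but are not probed by this script.
$AdTcpPorts = 53, 88, 135, 389, 445, 464, 636, 3268, 3269

# Plain TCP connect with a timeout; works on any PowerShell 3+ host, unlike
# Test-NetConnection which needs Windows 8.1 / Server 2012 R2 or later.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. The same SRV query the join wizard makes: which DCs does DNS advertise?
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No SRV record for _ldap._tcp.dc._msdcs.$Domain on $DnsServer" }

foreach ($rec in $srv) {
    $dcName = $rec.NameTarget

    # 2. The host (A) record the error message says may be missing or wrong.
    $a = Resolve-DnsName -Name $dcName -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) {
        Write-Warning "SRV points at $dcName but it has no A record on $DnsServer"
        continue
    }

    foreach ($ip in $a.IPAddress) {
        Write-Host "DC $dcName -> $ip"
        # 3. Port by port. Ping succeeding while these report BLOCKED means
        #    something between the hosts allows ICMP but not AD traffic.
        foreach ($p in $AdTcpPorts) {
            $state = if (Test-TcpPort -Target $ip -Port $p) { 'open' } else { 'BLOCKED' }
            '{0,-40} {1,6}  {2}' -f $dcName, $p, $state
        }
    }
}

# Once every port reports open, the join itself is one cmdlet (reboot required):
# Add-Computer -DomainName $Domain -Credential (Get-Credential "$Domain\Administrator") -Restart
```

In the situation described in this question, the expected output is an A record that resolves correctly followed by a column of BLOCKED ports, which points at the EC2 security group rather than at DNS or at the Windows Firewall on the DC.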

2 Answers


It appears that there's a firewall between the client and server that is blocking the communication required for the client to join the domain.

My suggestion would be that if the firewall is relevant only to these two instances that you unblock (allow) all traffic through the firewall between these two instances.

joeqwerty
  • two things...one is that I've posted a related question in response to your suggestion about enabling every port listed on that website: http://serverfault.com/questions/649284/windows-firewall-some-ports-not-listening and the other question to you is how is it possible to simply allow all traffic between two nodes ? – Alex Gordon Dec 04 '14 at 20:54
  • well it looks like the firewall is completely down, yet i'm still having trouble with connecting that machine to the domain: http://screencast.com/t/4vgyA0Ep4 – Alex Gordon Dec 04 '14 at 20:57
  • Wrong Firewall. I'm referring to the firewall you posted in your question, not the Windows Firewall. Also, undo any changes you made to the Windows Firewall (your port rules). – joeqwerty Dec 04 '14 at 21:01
  • crap............ – Alex Gordon Dec 04 '14 at 21:01
  • that worked!!!!! but that solution SUCKS! :) i dont want to allow ALL traffic – Alex Gordon Dec 04 '14 at 21:06
  • thank you so much for your time and efforts joe! i learned a TON – Alex Gordon Dec 04 '14 at 21:13
  • Glad to help. So my question is this: Is the firewall relevant only to these two instances or does it control external access to the instances as well? – joeqwerty Dec 04 '14 at 21:18
  • its just going to be relevant to maybe 5 machines thats it – Alex Gordon Dec 04 '14 at 21:35
  • @joeqwerty It's Amazon AWS EC2, the firewall can control access both ways (external access and internal). – AStopher Dec 04 '14 at 21:36
  • please also check out http://serverfault.com/questions/649354/how-to-enable-internet-connection-on-ec2 and let me know if you might have any suggestions? i'm running into this issue with the non-DC machines – Alex Gordon Dec 05 '14 at 05:03
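Allowing all traffic between the instances proves the diagnosis, but as the follow-up comments note it is broader than a domain join needs. The following is an added example, not part of the answer above: it builds a self-referencing EC2 security group that allows only the standard AD ports, and only between instances that carry the group, so nothing is opened to `0.0.0.0/0`. It assumes the AWS Tools for PowerShell (`AWS.Tools.EC2` or the older `AWSPowerShell` module) are installed with credentials and a region configured; `$VpcId` is a placeholder for the VPC the DC and the members share, and the instance IDs in the trailing comment are placeholders as well.

```powershell
# Added example: least-privilege replacement for "allow all traffic between the
# instances". Assumes AWS Tools for PowerShell with credentials/region configured.
# $VpcId is a placeholder (not from the original post); use the VPC both hosts live in.
param([string]$VpcId = 'vpc-REPLACEME')

# Standard AD port list. DCs and members need these between each other.
$Rules = @(
    @{ Proto = 'tcp';  From = 53;    To = 53    },   # DNS
    @{ Proto = 'udp';  From = 53;    To = 53    },
    @{ Proto = 'tcp';  From = 88;    To = 88    },   # Kerberos
    @{ Proto = 'udp';  From = 88;    To = 88    },
    @{ Proto = 'udp';  From = 123;   To = 123   },   # NTP (Kerberos needs time sync)
    @{ Proto = 'tcp';  From = 135;   To = 135   },   # RPC endpoint mapper
    @{ Proto = 'tcp';  From = 389;   To = 389   },   # LDAP
    @{ Proto = 'udp';  From = 389;   To = 389   },
    @{ Proto = 'tcp';  From = 445;   To = 445   },   # SMB: SYSVOL, Netlogon, Group Policy
    @{ Proto = 'tcp';  From = 464;   To = 464   },   # Kerberos password change
    @{ Proto = 'udp';  From = 464;   To = 464   },
    @{ Proto = 'tcp';  From = 636;   To = 636   },   # LDAPS
    @{ Proto = 'tcp';  From = 3268;  To = 3269  },   # Global Catalog
    @{ Proto = 'tcp';  From = 49152; To = 65535 },   # RPC dynamic range
    @{ Proto = 'icmp'; From = -1;    To = -1    }    # ping, which the original rules already allowed
)

$sgId = New-EC2SecurityGroup -GroupName 'ad-domain-members' `
          -Description 'AD traffic between domain controllers and members only' `
          -VpcId $VpcId

# Self-referencing source: only instances that carry this same group may reach
# these ports. No CIDR ranges are involved at all.
$self = New-Object Amazon.EC2.Model.UserIdGroupPair
$self.GroupId = $sgId

$perms = foreach ($r in $Rules) {
    $p = New-Object Amazon.EC2.Model.IpPermission
    $p.IpProtocol = $r.Proto
    $p.FromPort   = $r.From
    $p.ToPort     = $r.To
    $p.UserIdGroupPairs = New-Object 'System.Collections.Generic.List[Amazon.EC2.Model.UserIdGroupPair]'
    $p.UserIdGroupPairs.Add($self)
    $p
}
Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission $perms

"Created $sgId with $($perms.Count) self-referencing ingress rules"

# Attach the new group to the DC and to every member, keeping whatever
# management group they already have (instance and group IDs are placeholders):
# Edit-EC2InstanceAttribute -InstanceId i-0123456789abcdef0 -Group @('sg-management', $sgId)
```

With this in place the DC's own Windows Firewall can stay at its defaults (the accepted answer's advice to undo the per-port Windows Firewall changes still applies), and RDP or other management access remains governed by a separate group. A tighter design for a larger environment splits this into a DC group and a member group so that members can reach DCs but not each other; for the five-machine setup described here, one self-referencing group is already a large improvement over allowing all traffic.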

It seems that the DNS record for the DC could not have been found.

Have you tried adding the DC's IP to the preferred DNS servers under the computers IPv4 settings?

[screenshot]

Itai Hay
  • shalom itai. thanks for your help. i've included my settings for that in my question just now. please scroll down to the bottom of my question – Alex Gordon Dec 04 '14 at 19:54