I have a remote site with some servers that need to be joined to a domain. The two sites are connected via VPN and I have been told by network administrators at both sites that there is an any/any rule in place on each side between the two networks. However, there are several other sites with DCs that this particular remote site does not have connectivity to. The DC that has all FSMO roles can be contacted, though.
When I try to join, this is the error I get:
Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "my.domain":
The query was for the SRV record for _ldap._tcp.dc._msdcs.my.domain
The following domain controllers were identified by the query:
usnyc1adc01.my.domain
uspa3ad01.my.domain
ussea1adc02.my.domain
usnyc1adc02.my.domain
inche1ad02.my.domain
inche1ad01.my.domain
chsch1ad02.my.domain
gblon1ad02.my.domain
gblon1ad01.my.domain
usch1adc01.my.domain
usch3ad01.my.domain
debehqad01.my.domain
usch3adc02.my.domain
usch2adc01.my.domain
chsch1ad01.my.domain
debehqad02.my.domain
usch3ad05.my.domain
ussfo1adc01.my.domain
ussea1adc01.my.domain
uspa3ad02.my.domain
However no domain controllers could be contacted.
Common causes of this error include:
- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
Here is a snippet from the NetSetup log:
04/16/2013 23:19:19:891 -----------------------------------------------------------------
04/16/2013 23:19:19:891 NetpValidateName: checking to see if 'KOREATEST' is valid as type 1 name
04/16/2013 23:19:22:907 NetpCheckNetBiosNameNotInUse for 'KOREATEST' [MACHINE] returned 0x0
04/16/2013 23:19:22:907 NetpValidateName: name 'KOREATEST' is valid for type 1
04/16/2013 23:19:22:909 -----------------------------------------------------------------
04/16/2013 23:19:22:909 NetpValidateName: checking to see if 'koreatest' is valid as type 5 name
04/16/2013 23:19:22:910 NetpValidateName: name 'koreatest' is valid for type 5
04/16/2013 23:19:22:912 -----------------------------------------------------------------
04/16/2013 23:19:22:912 NetpValidateName: checking to see if 'my.domain' is valid as type 3 name
04/16/2013 23:19:37:922 NetpCheckDomainNameIsValid for my.domain returned 0x54b, last error is 0x0
04/16/2013 23:19:37:922 NetpCheckDomainNameIsValid [ Exists ] for 'my.domain' returned 0x54b
04/16/2013 23:38:29:373 -----------------------------------------------------------------
04/16/2013 23:38:29:373 NetpValidateName: checking to see if 'KOREATEST' is valid as type 1 name
04/16/2013 23:38:32:431 NetpCheckNetBiosNameNotInUse for 'KOREATEST' [MACHINE] returned 0x0
04/16/2013 23:38:32:431 NetpValidateName: name 'KOREATEST' is valid for type 1
04/16/2013 23:38:32:431 -----------------------------------------------------------------
04/16/2013 23:38:32:431 NetpValidateName: checking to see if 'koreatest' is valid as type 5 name
04/16/2013 23:38:32:431 NetpValidateName: name 'koreatest' is valid for type 5
04/16/2013 23:38:32:431 -----------------------------------------------------------------
04/16/2013 23:38:32:431 NetpValidateName: checking to see if 'my.domain' is valid as type 3 name
04/16/2013 23:38:47:438 NetpCheckDomainNameIsValid for my.domain returned 0x54b, last error is 0x0
04/16/2013 23:38:47:438 NetpCheckDomainNameIsValid [ Exists ] for 'my.domain' returned 0x54b
I have verified that I can telnet to all the ports listed here (http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx) and I have tested out a few of the ports in the RPC dynamic range 49152-65535. I have name resolution and can ping my DC that holds all FSMO roles. We have other sites with a similar setup in that they cannot contact all DCs in the domain and they have been successful in joining the domain. I can also browse \\my.domain\ and see the NETLOGON and SYSVOL folders and browse into them after providing credentials. I am kind of at a loss here. Does anyone have any suggestions?
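The two "common causes" in the error above (missing A records, unreachable DCs) can be checked for every DC the SRV record advertises, not just the FSMO holder. The following PowerShell is an added example, not code from the original post; it assumes it is run on the server being joined, on Windows 8 / Server 2012 or later (for Resolve-DnsName and Test-NetConnection), and uses the post's placeholder domain name my.domain.

```powershell
# Added example: for each DC advertised by the _ldap._tcp.dc._msdcs SRV record,
# confirm the host (A) record resolves and that the ports a domain join needs
# answer from this machine over the VPN. Assumes Windows 8 / Server 2012+.
param(
    [string]$Domain = 'my.domain',        # placeholder name from the post
    # Kerberos, LDAP, SMB and the RPC endpoint mapper; the dynamic RPC range is not tested here
    [int[]]$Ports = @(88, 389, 445, 135)
)

$srv = "_ldap._tcp.dc._msdcs.$Domain"
$dcs = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } |
       Sort-Object Priority, Weight

$results = foreach ($dc in $dcs) {
    $target = $dc.NameTarget
    # Cause 1 in the error text: A record missing or wrong.
    $addr = (Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
    $open = @()
    if ($addr) {
        # Cause 2: DC not reachable. Probe each port individually.
        foreach ($p in $Ports) {
            $t = Test-NetConnection -ComputerName $addr -Port $p -WarningAction SilentlyContinue
            if ($t.TcpTestSucceeded) { $open += $p }
        }
    }
    [pscustomobject]@{
        DC        = $target
        Address   = if ($addr) { $addr } else { '(no A record)' }
        OpenPorts = ($open -join ',')
        Reachable = ($open.Count -eq $Ports.Count)
    }
}

$results | Format-Table -AutoSize

# The join only needs one fully reachable DC, but the DC locator prefers DCs in
# the client's own AD site, so also confirm the remote subnet is mapped to a site
# whose DCs appear as Reachable here.
if (-not ($results | Where-Object Reachable)) {
    Write-Warning "No advertised DC is fully reachable from this host; check A records and the VPN rule."
}
```

Run it once from the server that fails to join; the table shows which DCs the locator could actually use, and a DC that resolves but has no open ports points at the VPN rule rather than DNS.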