XP computer can't be joined to domain
Our system is in Swedish so the translation isn't 100%, but these are the basics.
I have a Server 2003 R2 running DNS - Active Directory integrated - which I intend to use for testing and learning purposes. I have completed all the appropriate configuration. Basic details:
Server Name = att-srv-dc01
Domain=K2
Dynamic Updates = enabled
When I try to join an XP workstation to the domain I receive the following message:
Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.
Domain name K2 may be a NetBIOS domain name. If this is the case you should check that the domain name is registered with WINS.
If you are sure that the name is not a netBIOS-domain name the following information may help you troubleshoot the DNS-configuration.
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain K2:
The query was for the SRV record for _ldap._tcp.dc._msdcs.K2
Following domain controller was identified by the query:
se-avs-srv01.k2
att-srv-dc02.k2
att-srv-dc01.k2
Usual reason for this is:
- Resource record (A record) that maps the domain controller to its IP address is missing or contains incorrect addresses.
- The domain controllers that are registered in DNS are not connected to the network or are not running.
Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.
For more information on how to correct this problem, click Help.
I have pored through all kinds of docs and knowledge bases and nothing I have seen to date applies directly to this situation.
Any feedback or assistance in resolving this would be greatly appreciated.
P.S. I'm able to ping the DC from the XP machine if I use the FQDN, e.g. ping att-srv-dc01.k2, then I get a response, but if I only ping the server by att-srv-dc01 it can't locate the server. Ping on IP address works fine.
January 12th, 2011 5:19am
Please make sure that your client is pointing towards the correct DNS server, and also please post the ipconfig /all here.
http://www.virmansec.com/blogs/skhairuddin
January 12th, 2011 5:59am
Hi
The client is pointing to the correct DNS server; when I do nslookup I get this response.
Default Server: att-srv-dc01.k2
Address: x.x.x.x
For obvious reasons I will not post the IP address here.
Since I will not post the IP address here, I'm asking what exactly you are looking for in ipconfig /all. All I can say is that everything looks OK.
The client has a static IP address, but we have also tried when the client has DHCP and that doesn't matter.
January 12th, 2011 6:38am
Hi !
Try to use ipconfig /flushdns, check the DHCP server and the configuration on the DHCP server.
January 12th, 2011 7:14am
Looks like you are using single label domain K2. Read the following KB about known issues when using such domains - http://support.microsoft.com/kb/300684/en-us
January 12th, 2011 7:46am
Hi
Yes, we are using a single label domain and have been doing so all along, and until a couple of days ago this hasn't been an issue.
I've read the article and none of the mentioned reasons are anything that we have an issue with. Any more suggestions?
I've also tested to disjoin a computer from the domain and rejoin it again and get the same error as with the first computer. So now I have 2 computers which I can't join.
January 12th, 2011 8:13am
Please disable the firewalls and the AV on both the client and server and give it a try.
http://www.virmansec.com/blogs/skhairuddin
January 12th, 2011 8:14am
What does C:\WINDOWS\debug\dcdiag.txt say?
January 12th, 2011 8:19am
Still the same problem.
January 12th, 2011 8:39am
Read the first post I did.
"
Domain name K2 may be a NetBIOS domain name. If this is the case you should check that the domain name is registered with WINS.
If you are sure that the name is not a netBIOS-domain name the following information may help you troubleshoot the DNS-configuration.
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain K2:
The query was for the SRV record for _ldap._tcp.dc._msdcs.K2
Following domain controller was identified by the query:
se-avs-srv01.k2
att-srv-dc02.k2
att-srv-dc01.k2
Usual reason for this is:
- Resource record (A record) that maps the domain controller to its IP address is missing or contains incorrect addresses.
- The domain controllers that are registered in DNS are not connected to the network or are not running.
Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.
For more information on how to correct this problem, click Help. "
January 12th, 2011 8:41am
run dcdiag /test:DNS on your DCs to check if all DNS records are consistent
January 12th, 2011 8:55am
Hi
Here is the result, everything looks ok.
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Avesta\ATT-SRV-DC01
Starting test: Connectivity
......................... ATT-SRV-DC01 passed test Connectivity
Doing primary tests
Testing server: Avesta\ATT-SRV-DC01
DNS Tests are running and not hung. Please wait a few minutes...
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : K2
Running enterprise tests on : K2
Starting test: DNS
......................... K2 passed test DNS
January 12th, 2011 9:15am
Does the ATT-SRV-DC01 server reside in the same AD site as the 2 XP stations that cannot be added to AD? You also have the se-avs-srv01.k2 DC. Is it online?
January 12th, 2011 9:26am
Hi
ATT-SRV-DC01 and the 2 xp clients are in the same AD site, just different containers. We only have 1 domain in our company. In our domain we have 3 DC's. PDC is ATT-SRV-DC01.
SE-AVS-SRV01 is online.
The first xp client was a complete new computer and hadn't been added to AD as it usually pops up automatically in our AD, the second xp client was in our AD and once I disjoined it from the domain the computer account got disabled.
We also tried to manually add the first xp client to our AD to see if that solved the issue but still the same problem.
January 12th, 2011 9:31am
Use http://support.microsoft.com/kb/314861/ and http://technet.microsoft.com/en-us/library/cc786478(WS.10).aspx for further troubleshooting.
Double check that all required DNS records for all 3 DCs are present.
Check that no firewalls interfere with the connection between the Windows XP stations and all 3 DCs, especially in the same AD site.
Check the DCs' Event logs for relevant errors.
January 12th, 2011 10:33am
Hi
I've done the troubleshooting according to the articles and can't find any errors on the DCs. All DNS records are correct on all 3 DCs. No firewall interference from any client/server. No errors in any of the Event logs on any of the DCs.
These are the logs from our PDC.
nltest /dclist
Get list of DCs in domain 'K2' from '\\ATT-SRV-DC01.K2'.
se-avs-srv01.K2 [DS] Site: Avesta
ATT-SRV-DC01.K2 [PDC] [DS] Site: Avesta
ATT-SRV-DC02.K2 [DS] Site: Stockholm
The command completed successfully
nltest /dnsgetdc:k2
List of DCs in pseudo-random order taking into account SRV priorities and weights:
Non-Site specific:
se-avs-srv01.k2 x.x.x.x:389
att-srv-dc02.k2 x.x.x.x:389
att-srv-dc01.k2 x.x.x.x:389
The command completed successfully
nltest /domain_trusts
List of domain trusts:
0: K2 K2 (NT 5) (Forest Tree Root) (Primary Domain) (Native)
The command completed successfully
nltest /dsgetdc:K2
DC: \\ATT-SRV-DC01.K2
Address: \\x.x.x.x
Dom Guid: 2d83b6e1-e3dc-4607-a0e7-0a76c022c17e
Dom Name: K2
Forest Name: K2
Dc Site Name: Avesta
Our Site Name: Avesta
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully
These are the logs from the new xp client:
nltest /dsgetdc:K2
Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
nslookup
Default Server: att-srv-dc01.k2
Address: x.x.x.x
I've removed the IP addresses from the log for obvious reasons but I have verified that these are correct.
Any more ideas?
Regards
January 13th, 2011 5:39am
In turn you have correct DNS records, proper connectivity & no firewalls between clients & DCs, no error messages in Event Logs.
I have no other ideas than to use Network Monitor to see a live picture of communications during the domain join operation.
January 13th, 2011 7:41am
Hi
Tried with the monitoring tool and I can see the request from the client but no answer back.
Does anyone else have any ideas?
January 13th, 2011 9:43am
Hi,
It seems that the error in your initial post was partial of the message:
=======
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain K2:
The query was for the SRV record for _ldap._tcp.dc._msdcs.K2
=======
What is the exact error mentioned? Please check it on your side.
Besides the SRV record, please make sure the A records for the DCs are registered correctly. At this time, please make the following changes on the problematic XP computer to check the results.
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. In the details pane, locate the AllowSingleLabelDnsDomain entry. If the AllowSingleLabelDnsDomain entry does not exist, follow these steps:
On the Edit menu, point to New, and then click DWORD Value. Type AllowSingleLabelDnsDomain as the entry name, and then press ENTER.
4. Double-click the AllowSingleLabelDnsDomain entry.
5. In the Value data box, type 1, and then click OK.
6. Exit Registry Editor.
Please repeat the similar steps to set the following key value to 1:
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\UpdateTopLeveldomainZones
If the issue persists, please help gather the following files for research:
Error screenshot
===============
1. When the issue occurs (please click “Details”), press the Print Screen key (PrtScn) on your keyboard.
2. Click the "Start" menu, click “Run”, type "mspaint" and Press Enter.
3. In the Paint program, click the "Edit" menu, click "Paste", click the "File" menu, and click "Save".
4. The "Save As" dialogue box will appear. Type a file name in the "File name:" box, for example: "screenshot".
5. Make sure "JPEG (*.JPG;*.JPEG;*.JPE;*.JFIF)" is selected in the "Save as type" box, click “Desktop” on the left pane and then click "Save". Please send this saved JPEG file to us.
ipconfig /all > c:\ipconfig.txt
(on both problematic XP client and the DNS server)
Upload these files to the following workspace.
------------------------------------------------------------
You can upload the information files to the following link.
(Please choose "Send Files to Microsoft")
Workspace URL: (https://sftus.one.microsoft.com/choosetransfer.aspx?key=ec6e0d7f-68b9-4467-8396-edeadbb9ef45)
Password: A2AXdkR$+2Xc
Note: Due to differences in text formatting with various email clients, the workspace link above may appear to be broken.
Please be sure to include all text between '(' and ')' when typing or copying the workspace link into your browser. Meanwhile, please note that files uploaded for more than 72 hours will be deleted automatically. Please ensure to notify me timely after you have uploaded the files. Thank you for your understanding.
Thanks.
Nina
This posting is provided "AS IS" with no warranties, and confers no rights.
January 14th, 2011 3:45am
Hi Nina,
Thanks for taking the time to have a look into this. The first advice did the trick (after I created the new keys), I'm now able to join the computer to the domain. However, out of interest I wonder why this has happened in our system, and I have uploaded some files, e.g. dcdiag.txt and screenshots.doc and ipconfigalldns.txt from the DNS server and also ipconfigallclient.txt from the client.
As you can see from the screenshots and dcdiag there is no error message, just what I wrote in my initial post. Oh, everything is in Swedish since our OS is Swedish. I hope you can make some sense out of it anyway; if not, please let me know and I will translate it for you.
How can I prevent this from happening in the future? I have another PC which has the same problem. I can fix that by editing the registry but I don't want to have to do it with every single PC I want to add to our domain.
Thanks for all the help so far.
Regards,
NackieL
January 14th, 2011 9:11am
Hi,
Basically, the issue you had is because of design.
As I wrote in my 1st post in the thread, there are known issues and limitations when you are using single label domains. Steps to resolve it are described in kb300684. The registry keys/values suggested by Nina are described in this article.
Besides, the article also describes best practice for Active Directory domain names:
Best-practice Active Directory domain names consist of one or more subdomains that are combined with a top-level domain that is separated by a dot character ("."). The following are some examples:
contoso.com corp.contoso.com contoso.local
Single-label names consist of a single word like "contoso."
As you wrote at the beginning, "configuration you have is intended to be used for testing and learning". When you implement your production, follow best practices to avoid extra configuration steps.
For the current test implementation you can automate the registry fixes by creating a special .reg file with the required values or by creating a special cmd file utilizing reg.exe commands. Or you can create a custom image for unattended installations having these values written automatically at the moment of system deployment.
January 14th, 2011 3:40pm
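
The automation suggested in the last reply, as an added example that is not part of the original thread: a cmd file that uses reg.exe to write the two values from the registry steps above and reads each one back. The key paths and value names are the ones quoted in this thread; the script layout and the :SetDword helper name are assumptions made for the example.

```batch
@echo off
rem Added example, not from the thread: set the two single-label-domain
rem values named above to 1 and verify them. Run as a local administrator
rem on the XP client before attempting the domain join.
setlocal

set NETLOGON=HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
set DNSCACHE=HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

call :SetDword "%NETLOGON%" AllowSingleLabelDnsDomain || goto :fail
call :SetDword "%DNSCACHE%" UpdateTopLeveldomainZones || goto :fail

echo Both values are set to 1.
endlocal
exit /b 0

:fail
echo Failed to set or verify a value. Check that you are running as administrator.
endlocal
exit /b 1

:SetDword
rem Hypothetical helper: %1 = registry key, %2 = value name.
rem Writes REG_DWORD 1 (overwriting silently), then reads it back.
reg add %1 /v %2 /t REG_DWORD /d 1 /f >nul 2>&1
if errorlevel 1 exit /b 1
reg query %1 /v %2 | find "0x1" >nul
exit /b %errorlevel%
```

The non-zero exit code on failure lets a deployment or imaging step stop before the join is attempted with the values missing.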