Proposed Answer Cannot add PC to Domain

  • Wednesday, July 04, 2012 3:47 PM
     
     

    I added those ports to the Checkpoint FW and added my XP as source and DC as destination, but it is still giving me this:

    Note: This information is intended for a network administrator.  If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.

    The domain name tlv might be a NetBIOS domain name.  If this is the case, verify that the domain name is properly registered with WINS.

    If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.

    The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain tlv:

    The error was: "This operation returned because the timeout period expired."
    (error code 0x000005B4 ERROR_TIMEOUT)

    The query was for the SRV record for _ldap._tcp.dc._msdcs.tlv

    The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:

    10.0.0.1

    Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.

    For more information on how to correct this problem, click Help.


    eternals81

All Replies

  • Wednesday, July 04, 2012 3:49 PM
     
     

    those ports: 

    135/TCP RPC
    389/TCP/UDP LDAP
    636/TCP LDAP SSL
    3268/TCP LDAP GC
    3269/TCP LDAP GC SSL
    53/TCP/UDP DNS
    88/TCP/UDP Kerberos
    445/TCP SMB

    from: http://www.petri.co.il/forums/showthread.php?t=37062

    please help!


    eternals81

  • Thursday, July 05, 2012 3:54 AM
     
     

      Why not ask Checkpoint?


    Bill

  • Thursday, July 05, 2012 4:10 PM
     
     
    Because Checkpoint does not have a good forum, and they have never answered any of my questions.

    eternals81

  • Tuesday, July 10, 2012 8:26 AM
     
     

    Can you turn on complete logging on checkpoint firewall to see which packets go through the firewall and which packets are dropped?

    Like "logging debug" - I am writing now in "Cisco routers and ASA" language...

    Matjaz

  • Friday, July 13, 2012 6:52 AM
     
     

    You mean in the Monitor or Track view, not in the Dashboard, right???

    10x.


    eternals81

  • Wednesday, July 18, 2012 3:37 AM
     
     Proposed Answer

    Please read KB832017. NetLogon needs UDP ports 137, 138 (NetBIOS), TCP ports 139, 445 and arbitrary TCP ports in the range 1024-65535 (2000, XP, 2003) or 49152-65535 (Vista, Seven, 2008).

    You had the error "timeout period expired" when your PC tried to resolve the "SRV record for _ldap._tcp.dc._msdcs.tlv". This means the firewall blocked DNS traffic (from your PC with UDP/arbitrary high port to DNS with UDP/53) and/or the reverse: from DNS with UDP/53 to your PC with UDP/arbitrary high port.


    Сергей Панченко

  • Wednesday, July 18, 2012 3:22 PM
     
     

    Thanks for the reply, but it still does not work, with another message:  

    Note: This information is intended for a network administrator.  If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.

    DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain tlv.local:

    The query was for the SRV record for _ldap._tcp.dc._msdcs.tlv.local

    The following domain controllers were identified by the query:

    dc03.tlv.local

    Common causes of this error include:

    - Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.

    - Domain controllers registered in DNS are not connected to the network or are not running.

    For information about correcting this problem, click Help.


    eternals81

  • Wednesday, July 18, 2012 3:25 PM
     
     

    And I did add the new ports to R70 like you told me to.

    ( NetLogon needs UDP ports 137, 138 (NetBIOS), TCP ports 139, 445 and arbitrary TCP ports in the range 1024-65535 (2000, XP, 2003) or 49152-65535 (Vista, Seven, 2008).)


    eternals81

  • Thursday, July 19, 2012 6:27 AM
     
     

    DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain tlv.local:


    The query was for the SRV record for _ldap._tcp.dc._msdcs.tlv.local

    The following domain controllers were identified by the query:

    dc03.tlv.local

    Common causes of this error include:

    - Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.

    - Domain controllers registered in DNS are not connected to the network or are not running.

    OK. This is good. Your PC was able to get the info about the DC (domain controller) from DNS. Now you must enable the connection between your PC and computer dc03.tlv.local on your firewall. 

    PS. Please check the IP address of computer dc03.tlv.local with NSLOOKUP.EXE on your PC.


    Сергей Панченко
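The two checks Sergey describes above (the SRV query for `_ldap._tcp.dc._msdcs.<domain>` that timed out in the first post, and the NSLOOKUP check of dc03.tlv.local) can be run outside the join wizard. The script below is an added example, not code from this thread or from Microsoft; it builds and parses the DNS SRV query by hand with the Python standard library only. The domain tlv.local, the DC name dc03.tlv.local and the DNS server 10.0.0.1 are taken from the thread; the response bytes in `build_sample_response` (including port 389 for the SRV target) are constructed for the example.

```python
"""Probe the Active Directory DC-locator SRV record with the standard library,
so the DNS step of a domain join can be checked independently of the wizard.
DNS wire format per RFC 1035 / RFC 2782; sample response bytes are constructed."""
import socket
import struct

SRV_TYPE = 33
IN_CLASS = 1


def encode_name(name):
    """Encode "dc03.tlv.local" as DNS labels: \\x04dc03\\x03tlv\\x05local\\x00."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_srv_query(domain, txn_id=0x1234):
    """Single-question query for _ldap._tcp.dc._msdcs.<domain>, RD flag set."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    question = encode_name(f"_ldap._tcp.dc._msdcs.{domain}") + struct.pack("!HH", SRV_TYPE, IN_CLASS)
    return header + question


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_srv_response(msg):
    """Return (rcode, [(priority, weight, port, target), ...]) from a DNS reply."""
    _txn, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                         # skip the question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return flags & 0x000F, records


def build_sample_response(domain="tlv.local", target="dc03.tlv.local", port=389):
    """Constructed reply with one SRV answer; answer name is a pointer to the question name."""
    query = build_srv_query(domain)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    rdata = struct.pack("!HHH", 0, 100, port) + encode_name(target)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 600, len(rdata)) + rdata
    return header + query[12:] + answer


def locate_dc(domain, dns_server, timeout=3.0):
    """Send the query over UDP/53.  A socket timeout is the ERROR_TIMEOUT case from
    the thread: UDP/53 blocked in one direction or the other, or the server down.
    On success, resolve each target's A record the way NSLOOKUP would."""
    query = build_srv_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (dns_server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"status": "timeout", "dcs": []}
    rcode, records = parse_srv_response(data)
    dcs = []
    for _prio, _weight, port, target in records:
        try:
            addr = socket.gethostbyname(target)
        except socket.gaierror:
            addr = None                         # SRV points at a host with no usable A record
        dcs.append({"host": target, "port": port, "address": addr})
    return {"status": "ok" if rcode == 0 else f"rcode {rcode}", "dcs": dcs}


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "tlv.local"
    server = sys.argv[2] if len(sys.argv) > 2 else "10.0.0.1"
    print(locate_dc(domain, server))
```

A "timeout" result reproduces the first error in the thread and points at UDP/53 between client and DNS server; an "ok" result with a DC whose `address` is None reproduces the second error (SRV record present, host record missing or unreachable), which is exactly what the NSLOOKUP check is meant to distinguish.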

  • Thursday, July 19, 2012 3:30 PM
     
     

    By connection you mean ping (ICMP)? If so, then it is enabled. I will check the nslookup and I will let you know.

    10x man.


    eternals81

  • Thursday, July 19, 2012 5:32 PM
     
     
    Here you go, sir: 

    eternals81

  • Friday, July 20, 2012 3:08 AM
     
     

    By connection you mean ping (ICMP)?

    No. Ping may be permitted, but the UDP and/or TCP - no. You must check the firewall rules.

    Сергей Панченко

  • Friday, July 20, 2012 6:35 AM
     
     

    Here are my rules:

    Is something wrong with my rules?


    eternals81

  • Friday, July 20, 2012 6:47 AM
     
     

    Log when I am trying to add the PC to the DC:


    eternals81

  • Friday, July 20, 2012 7:00 AM
     
     
    And after a few minutes there is the same log, just with source port=1124.

    eternals81

  • Friday, July 20, 2012 11:04 AM
     
     

    Is something wrong with my rules?

    Yes. You permitted traffic from DMZ to DMZ and from LAN to LAN. You must permit traffic from LAN to DMZ and (probably) from DMZ to LAN in rule 2.

    Сергей Панченко



  • Friday, July 20, 2012 11:27 AM
     
     

    And now I did like you said and even installed the policy after the change, but it is still not working, sir.


    eternals81

  • Monday, July 23, 2012 11:43 AM
     
     
    Please look at the log file of your firewall to see which kind of traffic between your client and your DC is blocked by the DENY_ANY rule, then add this to the rule "Join To Domain".

    Сергей Панченко
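The procedure in the post above (read the firewall log, find the client-to-DC flows that fall through to DENY_ANY, add exactly those to the "Join To Domain" rule) is mechanical enough to script. The following is an added example, not code from this thread or from Check Point: the log format is a constructed key=value form, not Check Point's real export format, and the client 10.0.1.50 and DC 10.0.0.5 are made-up addresses. The port-to-service table is the set of ports named in this thread, with the RPC dynamic ranges as Sergey quoted them from KB832017.

```python
"""Triage firewall drop logs for a failing domain join: map each client->DC
flow dropped by the deny-all rule to the AD/NetLogon service it belongs to.
Log format and addresses below are constructed for the example."""
import re
from collections import OrderedDict

# Client -> DC services a domain join needs (the ports listed in the thread).
AD_SERVICES = {
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session service",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP",
    ("tcp", 445): "SMB",
    ("tcp", 636): "LDAP over SSL",
    ("tcp", 3268): "LDAP Global Catalog",
    ("tcp", 3269): "LDAP Global Catalog over SSL",
}
# RPC dynamic port range by client OS generation (KB832017, as quoted in the thread).
RPC_DYNAMIC = {"xp": (1024, 65535), "vista": (49152, 65535)}

# Constructed sample log: 10.0.1.50 is the joining client, 10.0.0.5 the DC.
SAMPLE_LOG = """\
action=accept src=10.0.1.50 dst=10.0.0.5 proto=udp sport=1035 dport=53 rule=2
action=drop src=10.0.1.50 dst=10.0.0.5 proto=tcp sport=1124 dport=445 rule=DENY_ANY
action=drop src=10.0.1.50 dst=10.0.0.5 proto=tcp sport=1125 dport=1025 rule=DENY_ANY
action=drop src=10.0.1.50 dst=10.0.0.5 proto=udp sport=137 dport=137 rule=DENY_ANY
action=drop src=10.0.1.50 dst=10.0.0.5 proto=tcp sport=1126 dport=445 rule=DENY_ANY
action=drop src=10.0.1.77 dst=10.0.0.5 proto=tcp sport=2000 dport=389 rule=DENY_ANY
action=drop src=10.0.1.50 dst=10.0.0.5 proto=tcp sport=1127 dport=80 rule=DENY_ANY
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; unparsable lines give an empty dict."""
    return dict(KV_RE.findall(line))


def classify(proto, dport, client_os="xp"):
    """Name the AD service behind a destination port, or None if it is unrelated."""
    svc = AD_SERVICES.get((proto, dport))
    if svc:
        return svc
    lo, hi = RPC_DYNAMIC[client_os]
    if proto == "tcp" and lo <= dport <= hi:  # RPC dynamic port on the DC
        return f"RPC dynamic ({lo}-{hi})"
    return None


def triage(log_text, client_ip, dc_ip, client_os="xp", deny_rule="DENY_ANY"):
    """Ordered, de-duplicated (proto, dport, service) list of client->DC flows
    dropped by the deny-all rule that belong to AD services."""
    needed = OrderedDict()
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e.get("action") != "drop" or e.get("rule") != deny_rule:
            continue
        if e.get("src") != client_ip or e.get("dst") != dc_ip:
            continue
        try:
            proto, dport = e["proto"].lower(), int(e["dport"])
        except (KeyError, ValueError):
            continue                          # malformed line, skip it
        svc = classify(proto, dport, client_os)
        if svc:
            needed[(proto, dport)] = svc
    return [(p, d, s) for (p, d), s in needed.items()]


def suggest_rules(findings, client_ip, dc_ip, rule_name="Join To Domain"):
    """Render the findings as human-readable additions to the permit rule."""
    return [f"{rule_name}: allow {client_ip} -> {dc_ip} {proto}/{dport}  # {svc}"
            for proto, dport, svc in findings]


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, "10.0.1.50", "10.0.0.5")
    print("\n".join(suggest_rules(hits, "10.0.1.50", "10.0.0.5")))
```

Two things the output shows that the raw log does not: the same service dropped several times (here tcp/445) collapses into one rule line, and a high TCP port is only attributed to RPC when it falls inside the range for the client's OS generation, which is why `client_os` matters when the joining machine is Vista or newer.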

  • Tuesday, July 24, 2012 3:40 PM
     
     
    Please look at the log file of your firewall to see which kind of traffic between your client and your DC is blocked by the DENY_ANY rule, then add this to the rule "Join To Domain".

    Сергей Панченко

    Very smart, Sergey, but where can I find the log file?

    eternals81

  • Tuesday, July 24, 2012 4:33 PM
     
     
    yeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaassssssss   I finally made it, I finally added the PC to the domain    thank you my brother!!!!!!!!!!!!!!!!!!!!!   true love!

    eternals81

  • Tuesday, July 24, 2012 4:59 PM
     
     
    Now all I have left is to let PCs from the LAN get to the internet, I mean WAN, and to let users from the LAN send email to the internet. Is it hard to do???

    eternals81

  • Wednesday, July 25, 2012 3:06 AM
     
     
    Now all I have left is to let PCs from the LAN get to the internet, I mean WAN, and to let users from the LAN send email to the internet. Is it hard to do?

    Best practice is to install and set up an HTTP proxy for the clients' internet access and an MTA (SMTP server) for sending e-mail. Then you can audit user activity (track access to internet resources, control e-mail, and so on).

    Using NAT/PAT (or another kind of address translation) is not recommended for security reasons.


    Сергей Панченко

  • Wednesday, July 25, 2012 5:15 AM
     
     
    Should I put the SMTP server in my DMZ? Should I put the HTTP proxy in my LAN?

    eternals81

  • Wednesday, July 25, 2012 6:02 AM
     
     
    Should I put the SMTP server in my DMZ? Should I put the HTTP proxy in my LAN?
    The SMTP server and HTTP proxy should be placed in the DMZ area. Direct access from any LAN host to any internet host should be forbidden (as best practice).

    Сергей Панченко



  • Wednesday, July 25, 2012 12:55 PM
     
     

    Can I place my Edge server and Exchange server in the DMZ and use them as an email relay? But where should the HTTP proxy service be placed or installed? And what will be used as the DHCP server that distributes IPs to the LAN stations???

    10x.


    eternals81