An error occurred while trying to contact the domain

  • Question

  • I'm just trying to configure UAG. The UAG server is joined to the domain and the DC is on the same subnet and reachable on the internal interface.

    When I try to do the "Client and GPO configuration", UAG automatically fills the domain with the correct name, but when I click "Next" it just says "An error occurred while trying to contact the domain". No further explanation :(

    With Microsoft Network Monitor I see that LDAP packets are transmitted from/to the DC.

    Where can I look for the cause of this problem? Is UAG writing some logfiles anywhere?

    Tuesday, May 31, 2011 8:49 AM

All replies

  • Having exact same issue.

    Hoping to source a solution somewhere....

    Monday, September 5, 2011 11:05 AM
  • Hello!

    In my case it was an offline DC that caused the problem. UAG checks ALL DCs in the forest. If a single one can't be contacted the installation fails.


    Monday, September 5, 2011 11:07 AM
  • Hi,

    Can you see blocked RPC traffic in the TMG real-time log? Can you clear the "enforce strict RPC compliance" checkbox on the system rule allowing RPC traffic to the internal network? Perhaps it is related to RPC filtering.



    Andreas Hecker
    Monday, September 5, 2011 11:18 AM
  • Hi All

    Thanks for the comments.

    I've verified all DCs are up and available.

    TMG is not set to enforce strict RPC compliance.

    I even did a manual machine cert request (which I know is dependent on RPC working), which works 100%.

    All DCs and TMG DA servers have local machine authentication certificates.

    There is no evidence in the TMG live log view that comms are failing or being blocked.

    Both array members are 100% healthy. NLB working 100%. Fully patched to current date.

    I've completed the following:

    Create AD DS group for DA clients
    -- add clients to group

    Remove ISATAP name from DNS global query block list (dnscmd /config /globalqueryblocklist wpad)

    PKI up and running.

    DA server as ISATAP router.
    net stop iphlpsvc on DCs, app servers and clients.
    net start iphlpsvc on DCs, app servers and clients.

    IPv4 address and routing configuration:
    Ext NIC: 1x DIP per server in array.
    Ext NLB: 2x VIP, consecutive IP addresses.
    Int NIC: 1x DIP per server in array.
    Int NLB: 1x VIP, consecutive IP addresses.

    Add ISATAP records for DIP and VIP of internal NIC on DA server.
    Add A record for NLS server.

    DNS and time service working 100%

    Tuesday, September 6, 2011 5:59 AM
  • Could it be that the DA server is talking to an RODC?

    Checked the TMG live log: LDAP requests are going to the R/W DC and some Kerberos comms to the RODC.

    • Edited by Riddler-man Tuesday, September 6, 2011 10:06 AM
    Tuesday, September 6, 2011 6:15 AM
  • Anyone find an answer to this? I have just tried setting up UAG in our test domain and got the same issue.



    Monday, September 26, 2011 4:40 PM
  • I currently have a call open with MS support and will post a response on our findings.
    Tuesday, September 27, 2011 3:51 PM
  • I ran into the same issue recently and it ended up being caused by GPOs that had an incorrect Administrator account defined. Once the GPOs were corrected and the SIDs updated, the issue went away. Does TMG on the UAG server lose the ability to communicate with the TMG Storage service?
    Steve Angell - IDA Consultant
    Tuesday, September 27, 2011 8:42 PM
  • Hi Steve

    I only have two GPOs in the test domain and both seem OK; the UAG does not lose comms with the TMG Storage service. All DCs are online and I can see the UAG box making LDAP connections with the DC in the same site, but I just get the error stated in the first comment.


    Wednesday, September 28, 2011 1:39 PM
  • OK, I also ran into a similar issue once before with one of the first UAG deployments I did. I ended up having to re-install the servers, but for testing purposes (and you may have already done this):

    Try installing the telnet client and verifying that you can open a connection to all AD service ports:

    445 - Microsoft-DS (SMB)
    389 - LDAP
    3268 - Global Catalog
    88 - Kerberos
    135 - RPC endpoint mapper

    If you can't connect to any of these, then start looking there. If you can, do you see anything in Event Viewer? Also, can you perform a gpupdate /force on the UAG server without error?

    Steve Angell - IDA Consultant
    Thursday, September 29, 2011 5:57 PM
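The port check Steve describes, done by script rather than by hand, as an added example that is not part of the thread. It also covers the earlier remark that UAG checks every DC in the forest: it enumerates all domain controllers of every domain and tries each of the five listed ports from the UAG server. It uses plain .NET classes so it runs on the Windows Server 2008 R2 / PowerShell 2.0 platform UAG ships on, without the ActiveDirectory module or Test-NetConnection. The 3-second timeout and the decision to skip port 3268 on DCs that are not global catalogs are my assumptions, not something the thread states.

```powershell
# Added example (not from the thread): test every DC in the forest on the AD ports
# listed above, from the UAG server. Read-only; it opens and closes TCP connections.
$Ports = @{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP';
            445 = 'SMB / Microsoft-DS'; 3268 = 'Global Catalog' }
$TimeoutMs = 3000   # assumption: no answer within 3 s counts as unreachable

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$Timeout = $TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }  # timed out (filtered/offline)
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false                # refused, or the name did not resolve
    } finally {
        $client.Close()
    }
}

# Enumerate every domain controller in every domain of the forest, since UAG checks all of them.
$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$results = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $isGc = $dc.IsGlobalCatalog()
        foreach ($port in ($Ports.Keys | Sort-Object)) {
            # Only global catalogs listen on 3268; do not flag a non-GC DC for that port.
            if ($port -eq 3268 -and -not $isGc) { continue }
            New-Object PSObject -Property @{
                Domain  = $domain.Name
                DC      = $dc.Name
                Port    = $port
                Service = $Ports[$port]
                Open    = Test-TcpPort -ComputerName $dc.Name -Port $port
            }
        }
    }
}

$results | Sort-Object Domain, DC, Port | Format-Table Domain, DC, Port, Service, Open -AutoSize
$failed = @($results | Where-Object { -not $_.Open })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} DC/port combination(s) unreachable; UAG's domain check fails if any DC cannot be contacted." -f $failed.Count)
}
```

Run it from an elevated PowerShell prompt on the UAG server itself, because that is the host whose reachability matters; a DC that answers from an admin workstation but shows `Open = False` here points at TMG's system policy or routing on the UAG box rather than at the DC.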
  • I tried a reload at the beginning.

    Connected to the local DC via telnet on all listed services

    Gpupdate /force runs with no errors and there are no errors in Event viewer.

    Hopefully riddler-man can get something from MS Support!

    Thursday, September 29, 2011 10:55 PM
  • Hi All.

    OK, so hats off to the MS support team, they really know their stuff!

    After triple-checking DNS, resolving a name server misconfiguration and getting the IPv6 domain prefix set up correctly, it turned out there were multiple entries in the domain partition for one of our RODC servers that resides in the DMZ.

    I quote: "this probably would have been created when there was a conflict during replication for this object."

    They located the entry via ADSI Edit and removed it, so now the UAG server was no longer trying to communicate with an object that didn't exist.

    I ran through the remainder of the wizard then updated the GPO on the UAG server and was welcomed by

     "Activation Completed Successfully "

    Hope this helps you all.

    Tuesday, November 8, 2011 7:01 AM
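A way to find the kind of stale entry the MS engineer removed with ADSI Edit before opening ADSI Edit yourself, as an added example that is not from the thread. When replication of an object conflicts, AD keeps one copy and renames the loser to `<name>\0ACNF:<objectGUID>`, so the first search looks for that `CNF:` pattern in the domain partition; the second lists every object that claims a given DC's account name, DNS host name or SPN, which is where a duplicate RODC entry shows up. It only reports; deleting is left to you after you have confirmed which object the live RODC actually uses. The `RODC01` default name is an assumption, and the script assumes it runs as a domain member with read access to the domain partition.

```powershell
# Added example (not from the thread): report replication-conflict objects and duplicate
# objects for one DC in the domain partition. Read-only; nothing is deleted.
param([string]$DcHostName = 'RODC01')   # assumption: hostname of the suspect RODC

$root     = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
$domainDn = $root.Properties['defaultNamingContext'][0]
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDn")
$searcher.PageSize   = 1000             # paged results so large domains do not hit the size limit

function Find-LdapObjects {
    param([string]$Filter, [string[]]$Props)
    $searcher.Filter = $Filter
    $searcher.PropertiesToLoad.Clear()
    foreach ($p in $Props) { [void]$searcher.PropertiesToLoad.Add($p) }
    foreach ($r in $searcher.FindAll()) {
        $o = New-Object PSObject
        foreach ($p in $Props) {
            $o | Add-Member NoteProperty $p ($r.Properties[$p] | Select-Object -First 1)
        }
        $o
    }
}

# 1. Conflict objects: the losing copy is renamed "<name>\0ACNF:<GUID>".
#    \0A in the LDAP filter is the escaped line feed between the name and "CNF:".
Write-Host "Replication-conflict objects under $domainDn"
Find-LdapObjects '(|(cn=*\0ACNF:*)(ou=*\0ACNF:*))' @('distinguishedname', 'objectclass', 'whenchanged') |
    Format-Table distinguishedname, objectclass, whenchanged -AutoSize

# 2. Everything that refers to the DC: account name, DNS host name, or an SPN carrying its FQDN.
Write-Host "Objects referring to $DcHostName"
$filter = "(|(sAMAccountName=$DcHostName`$)(dNSHostName=$DcHostName.*)(servicePrincipalName=*/$DcHostName.*))"
$dups = @(Find-LdapObjects $filter @('distinguishedname', 'samaccountname', 'dnshostname', 'whenchanged'))
$dups | Format-Table distinguishedname, samaccountname, dnshostname, whenchanged -AutoSize
if ($dups.Count -gt 1) {
    Write-Warning "$($dups.Count) objects refer to $DcHostName; a DC-discovery client such as the UAG wizard may pick the stale one."
}
```

Compare the `whenchanged` values and the DN of each hit against the RODC's real computer account (`Get-ADDomainController` or `nltest /dsgetdc:<domain>` will tell you which one the DC itself is using) before removing anything; a conflict object can also be the genuine one if the other copy was the loser.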