Can't Join PCs To Domain - Incorrectly Attempting to Discover Single Label AD DC & Failing

  • Question

  • This is a weird issue. We had a Windows 10 PC unable to connect to the domain profile correctly, so we took it off the domain and attempted to re-add it. However, when attempting to rejoin the domain, we were greeted with the following error: 

    An Active Directory Domain Controller (AD DC) for the domain "MYDOMAIN" could not be contacted.
    
    Ensure that the domain name is typed correctly.
    
    If the name is correct, click Details for troubleshooting information.
    
    The domain name "MYDOMAIN" might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS.
    
    If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.
    
    The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "MYDOMAIN".
    
    The error was: "DNS name does not exist."
    (error code 0x0000233B RCODE_NAME_ERROR)
    
    The query was for the SRV record for _ldap._tcp.dc._msdcs.MYDOMAIN
    
    Common causes of this error include the following:
    
    - The DNS SRV records required to locate an AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when an AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:
    
    192.168.1.xx1
    192.168.1.xx2
    
    - One or more of the following zones do not include delegation to its child zone:
    
    MYDOMAIN
    (the root zone)

    The thing is, this isn't a single label domain. The domain is actually of the form local.mydomain.net, and when joining the domain we were doing so using the full DNS name, and initially it responded with the successful message: An account for this computer has been found in the domain "MYDOMAIN". Would you like to use this? If we click 'Yes', we receive the above error. However, if we click 'No', we can proceed to create a new registration, where we can specify the full domain name. If we use the single label domain at any point, we receive the above error again. However, if we ensure all Domain fields contain the full domain name, we are able to successfully join the domain.

    The single label only appears as 'MYDOMAIN' in the 'Domain name (pre-Windows 2000)' field in the domain properties in Active Directory Domains and Trusts. This domain was created on Windows Server 2012R2 servers and has a Server 2012R2 functional level. It doesn't have a WINS server currently (although apparently it's not a bad idea to continue to run one just to stop unnecessary broadcast traffic, so we might set it up just for that).

    It appears to us that this is new behaviour enforced by Microsoft, perhaps to ensure domains move away from legacy single label configurations. If that's the case, why isn't the behaviour from the domain join procedure to respond to the user that the computer name was found on the full domain name, instead of using the single label name?

    Should we remove the 'pre-Windows 2000' single label name in the domain properties? Would this improve functionality?

    Thanks,

    Trevor

    Friday, July 27, 2018 4:20 PM
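The error text above names the exact record the DC Locator asked for (`_ldap._tcp.dc._msdcs.MYDOMAIN`), so the quickest way to confirm whether the single-label lookup is a DNS problem or a domain-join behaviour is to issue the same SRV query for both the FQDN and the NetBIOS name against each DC, and compare with what the Netlogon locator returns. The script below is an added example, not from the original post; it assumes the placeholder names used in the thread (`local.mydomain.net`, `MYDOMAIN`, DNS servers 192.168.1.2 and 192.168.1.22) and runs on a domain-joined or workgroup Windows 10 client with the DnsClient module.

```powershell
# Added example (not from the original thread). Placeholder values are assumptions
# taken from the forum post; replace them with your own domain and DC addresses.
param(
    [string]   $Fqdn        = 'local.mydomain.net',
    [string]   $NetbiosName = 'MYDOMAIN',
    [string[]] $DnsServers  = @('192.168.1.2', '192.168.1.22')
)

function Test-DcLocatorRecord {
    # Queries the DC Locator SRV record that the domain-join error message quotes.
    param([string]$DomainLabel, [string]$Server)
    $srv = "_ldap._tcp.dc._msdcs.$DomainLabel"
    try {
        $answers = Resolve-DnsName -Name $srv -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{
            Query   = $srv
            Server  = $Server
            Result  = 'OK'
            Targets = ($answers | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    } catch {
        # A single-label name usually fails here with NAME_ERROR unless the resolver
        # appends a search suffix that turns it into the FQDN.
        [pscustomobject]@{ Query = $srv; Server = $Server; Result = $_.Exception.Message; Targets = '' }
    }
}

# 1. Same SRV query, FQDN versus single label, against each configured DNS server.
foreach ($s in $DnsServers) {
    Test-DcLocatorRecord -DomainLabel $Fqdn        -Server $s
    Test-DcLocatorRecord -DomainLabel $NetbiosName -Server $s
} | Format-Table -AutoSize

# 2. Suffix handling decides whether "MYDOMAIN" can ever become "local.mydomain.net" in DNS.
Get-DnsClientGlobalSetting | Select-Object SuffixSearchList, UseSuffixSearchList
Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix } |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix, UseSuffixWhenRegistering

# 3. Ask the Netlogon DC Locator directly, once by DNS name and once by NetBIOS name,
#    to see whether the NetBIOS path (which the join dialog takes) finds a DC at all.
nltest /dsgetdc:$Fqdn /dns
nltest /dsgetdc:$NetbiosName /netbios
```

If step 1 succeeds for the FQDN but fails for the single label while step 3 finds a DC by NetBIOS name, DNS is healthy and the failure is in the join dialog's choice of name, which matches the behaviour the post describes.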

All replies

  • Hi,

    Have a nice day!

    According to my extensive research and experience, this error means our computer is unable to find the Active Directory Domain Controller, so we need to tell our computer where it can find the DNS server. Here, for your convenience, I have listed the main steps below:

    1. Open Network and Sharing Center from the Control Panel, click Change adapter settings, open the properties of Local Area Connection, and then the properties of Internet Protocol Version 4. Click the Advanced button at the bottom and select the DNS tab.


    2. Add the DNS server address to the list.


    3. The Preferred DNS Server is set automatically, so click the OK button and then close the Local Area Connection Properties.


    4. Open the Computer Name/Domain Changes screen again from the properties of Computer; in the screen that appears, select the Domain option, type the domain name in the textbox and click the OK button.


    Meanwhile, I also found some documents about the single label name for your reference:

    Naming conventions in Active Directory for computers, domains, sites, and OUs

    https://support.microsoft.com/sk-sk/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and

    Active Directory User Name Limitations

    https://community.spiceworks.com/topic/175457-active-directory-user-name-limitations

    If you have any questions or concerns, please don't hesitate to let me know.

    Best Regards, 

    William



    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 31, 2018 9:33 AM
  • Hi,

    Seems like a client-side DNS issue. Did you try to rebuild the PC? If you cannot rebuild, try the following settings:

    In LAN Connection Properties, set an IP address and then, under "Use the following DNS server addresses", set that to the domain controller's IP address.

    Also, if you don't use IPv6, try disabling it, and later, once you add the client, re-add IPv6.


    Regards, Jim MSCS - MCP. Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.

    Tuesday, July 31, 2018 11:16 AM
    Thanks William for taking the time to try to help. Unfortunately that isn't the issue - the whole network knows the locations of the DNS servers because they receive that from DHCP (except for statically assigned devices like the domain controllers, obviously). Here's an ipconfig report from a PC on the domain, right after a renew:

    Ethernet adapter Ethernet:
    
       Connection-specific DNS Suffix  . : local.mydomain.net
       Description . . . . . . . . . . . : Intel(R) I350 Gigabit Network Connection
       Physical Address. . . . . . . . . : 01-02-03-04-05-06
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.1.116(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Wednesday, 1 August 2018 5:06:35 PM
       Lease Expires . . . . . . . . . . : Wednesday, 1 August 2018 6:06:35 PM
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.2
       DNS Servers . . . . . . . . . . . : 192.168.1.2
                                           192.168.1.22
       NetBIOS over Tcpip. . . . . . . . : Enabled

    There are two domain controllers on this network, a Primary Domain Controller (192.168.1.2) and a Replica Domain Controller (192.168.1.22). These are correctly configured in DHCP and DNS, replication between them works fine, clients have been joined to this domain successfully and the domain has been in operation for years without issue.

    The problem is what happens when we try to join a new client PC to the domain. If we use the shortened (single label) domain name in the domain fields, we get this:

    However, if we use the FQDN for the domain:

    We first get a successful acknowledgement that the domain has been contacted successfully:

    As soon as you click 'Yes', however, you receive the same error as before:

    Instead you have to click 'No', then proceed to create a new record with that computer name and the FQDN of the domain:


    At which point you'll receive the security prompt that allows you to join the domain:


    This happened with a new PC (laptop, technically), never before domain joined. We tested this behaviour with several other VMs and physical PCs - we can reliably join the domain every time using the FQDN, but we get exactly the same behaviour (error) if we try to use the single label domain.

    I have realised that the single label functionality for things like authentication continues to work fine - for example, if you need to provide a user name for a security prompt that doesn't include a separate domain field, you can continue to use 'MYDOMAIN\UserName' fine. The only thing this seems to affect (that we have found) is in the domain joining procedure.



    • Edited by Trevor_Xion Wednesday, August 1, 2018 1:43 PM
    Wednesday, August 1, 2018 1:34 PM
  • Thanks for your reply Jim. Unfortunately this isn't the issue - please see my response to William, above.
    Wednesday, August 1, 2018 1:35 PM
    I have exactly the same problem. Did you ever manage to figure it out?

    Thanks.


    • Edited by David556 Wednesday, July 17, 2019 4:41 PM
    Wednesday, July 17, 2019 4:41 PM
  • Hi David,

    The domain I experienced this on was a Server 2012R2 domain. Most of the domains I work with are 2016 or 2019 and I haven't seen the same issue on them, so I don't know if it's specific to 2012R2 or not. I spent quite a lot of time checking and rechecking everything to do with the way the domain was designed, configured and operating and nothing seemed out of place, and no communication or health checks failed - the only problem I was able to find related to joining new machines to the domain. Other than that everything seemed to work fine, as far as I could tell, so eventually I just got used to working around it.

    Sorry I couldn't provide a more useful answer.

    Cheers,

    Trevor

    Saturday, July 20, 2019 5:16 PM