Can't join domain server

 
 
'puter-rooter
03-20-2005, 02:17 AM
Server has a static IP (192.168.1.100), Primary DNS is pointing to itself
(secondary to ISP), dcdiag.exe passes all tests, debugging DNS passes both
tests, able to ping the server from the client. Initially client was set up
with DHCP from router (192.168.1.101-151) all on 255.255.255.0 subnet.
Entered static address on client, pointing the primary DNS to the server
(secondary to ISP). Users were created directly in an organizational unit
instead of the default user groups (not sure that matters), after AD was
set up.

_ldap._tcp.dc._msdcs.DNSDomainName SRV resource record and Host (A) record
is present.

nslookup:
C:\Documents and Settings\tria>nslookup
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.1.100: Timed out
Default Server: (ISP)
Address: (ISP)

When trying to join the client to the domain, using the DNS name (NLS.DNS1)
I get the following error.

Error message:
The following error occurred when DNS was queried for the service location
(SRV) resource record used to locate a domain controller for domain NLC.DNS1:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.NLC.DNS1

Common causes of this error include the following:
- The DNS SRV record is not registered in DNS.
- One or more of the following zones do not include delegation to its child
zone:
NLC.DNS1
DNS1
. (the root zone)

I have a few things to check / try, but wonder if there's anything simple
I'm overlooking?
--
I can clean the crap outta your system!
 
Todd J Heron
03-20-2005, 02:47 AM
"Server has a static IP (192.168.1.100), Primary DNS is pointing to itself
(secondary to ISP), dcdiag.exe passes all tests, debugging DNS passes both
tests, able to ping the server from the client. Initially client was set up
with DHCP from router (192.168.1.101-151) all on 255.255.255.0 subnet.
Entered static address on client, pointing the primary DNS to the server
(secondary to ISP)."

That's the first problem. All internal Active Directory domain clients
should be configured to use only an internal DNS Server hosting the zone
name for the Active Directory domain. This means that all workstations and
servers on the domain, to include all DCs and DNS servers, should never be
configured with external DNS servers in any position on any network interface.
This means internal DNS server listed as the 'Preferred DNS Server' and
internal DNS server listed as the alternate, or leave that field blank. Do
not put an ISP DNS server as alternate on the network interface of an AD
domain client.

"Users were created directly in an organizational unit instead of the
default user groups (not sure that matters), after AD was setup. "

Correct, it doesn't matter.

"nslookup:
C:\Documents and Settings\tria>nslookup
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.1.100: Timed out
Default Server: (ISP)
Address: (ISP)"

Not really a problem, Active Directory does not require a reverse lookup
zone in order to function.

"When trying to join the client to the domain, using the DNS name (NLS.DNS1)
I get the following error.

Error message:
The following error occurred when DNS was queried for the service location
(SRV) resource record used to locate a domain controller for domain
NLC.DNS1:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.NLC.DNS1

Common causes of this error include the following:
- The DNS SRV record is not registered in DNS.
- One or more of the following zones do not include delegation to its child
zone:
NLC.DNS1
DNS1
. (the root zone)

I have a few things to check / try, but wonder if there's anything simple
I'm overlooking?"

Try this 9-point check and report back the results.

1) Is the network cable plugged in and fully seated?
2) Can you ping the DC by IP? By name?
3) In the network adapter TCP/IP properties, is the client configured with a
'Preferred DNS Server' of a DNS server supporting the Active Directory
domain?
4) In the network adapter TCP/IP properties, is the client configured with a
'Primary DNS Suffix' matching that of the Active Directory DNS domain name?
5) Do SRV records for the DC exist in DNS? Conduct the following test and
examine the result (determines if internal AD DC's are properly listed in
DNS):

a) Open a CMD prompt
b) Enter nslookup
c) Enter set q=srv
d) Enter _ldap._tcp.<domain name>

(replace <domain name> above with your fully-qualified domain name)

6) Ensure the Internet Connection Firewall is *not* enabled on the DC and no
other host-based firewall running on it.
7) Run an adware/spyware scan on the client computer.
8) Ensure the domain is not a single-label domain name.
9) Verify you do not have a disjointed namespace. This can cause the same
sort of issues that a single-label name can cause.

Best practices for DNS client settings in Windows 2000 Server and in Windows
Server 2003:
http://support.microsoft.com/default...b;en-us;825036

HOW TO: Configure DNS for Internet Access in Windows Server 2003:
http://support.microsoft.com/default...b;en-us;323380

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights.
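
A scripted form of check 5 combined with the "internal DNS only" advice, as an added example that is not part of Todd's post or the original thread: it asks every DNS server configured on the client for the DC locator SRV record and flags the ones that cannot answer. It assumes a current Windows client with the DnsClient cmdlets `Get-DnsClientServerAddress` and `Resolve-DnsName` (not present on the Windows XP / Server 2003 systems of this thread) and uses the NLC.DNS1 name from the error message as the default domain.

```powershell
# Added example (not from the thread): query each DNS server configured on this
# client for the DC locator SRV record and report which ones cannot answer it.
# Assumption: $DomainName defaults to NLC.DNS1, the name shown in the join error.
param(
    [string]$DomainName = 'NLC.DNS1'
)

$srvName = "_ldap._tcp.dc._msdcs.$DomainName"

# Flatten the per-interface DNS server lists into (Interface, Position, Server) rows.
$configured = foreach ($nic in (Get-DnsClientServerAddress -AddressFamily IPv4)) {
    $position = 0
    foreach ($ip in $nic.ServerAddresses) {
        $position++
        [pscustomobject]@{
            Interface = $nic.InterfaceAlias
            Position  = $position      # 1 = preferred, 2 and up = alternates
            Server    = $ip
        }
    }
}

$results = foreach ($entry in $configured) {
    $status = 'OK'
    $detail = ''
    try {
        # -Server sends the query to this one resolver only;
        # -DnsOnly keeps LLMNR and NetBIOS out of the result.
        $answer = Resolve-DnsName -Name $srvName -Type SRV -Server $entry.Server `
                                  -DnsOnly -ErrorAction Stop
        $targets = @($answer |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port })
        if ($targets.Count -eq 0) {
            $status = 'NO SRV DATA'
            $detail = 'Server replied, but returned no SRV records'
        } else {
            $detail = $targets -join ', '
        }
    } catch {
        # Typical for a resolver that does not host the AD zone (for example an
        # ISP server): a "DNS name does not exist" error, or a timeout.
        $status = 'FAILED'
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        Interface = $entry.Interface
        Position  = $entry.Position
        Server    = $entry.Server
        Status    = $status
        Detail    = $detail
    }
}

$results | Format-Table -AutoSize -Wrap

# Any configured server that cannot return the record is one the client may end
# up using for DC location, so it should not be on the interface at all.
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    $list = ($bad | ForEach-Object { '{0} ({1})' -f $_.Server, $_.Interface }) -join ', '
    Write-Warning "These configured DNS servers cannot resolve ${srvName}: $list"
} else {
    Write-Output "All configured DNS servers resolve $srvName."
}
```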

 
Bill Grant
03-20-2005, 02:54 AM
First a general comment. With AD it is best not to use the ISP DNS
address at all on the clients (or the server, for that matter). Set them to
use the local DNS server only, and configure your local DNS server to
forward to your ISP's DNS server. The DNS server at your ISP cannot resolve
your local names or SRV records.

You didn't explain anything about the child domain. Do you have SRV
records for it? Where are they?



 
'puter-rooter
03-20-2005, 03:31 AM
This happened a couple days ago, but still isn't resolved. I won't have an
answer until next Monday or Wednesday. It's a new network setup, so spyware
isn't really an issue. As for your list:

> 1) Is the network cable plugged in and fully seated?

Yes

> 2) Can you ping the DC by IP? By name?

IP - Yes: Name - No

> 3) In the network adapter TCP/IP properties, is the client configured with a
> 'Preferred DNS Server' of a DNS server supporting the Active Directory
> domain?

Yes - but also the ISP (will change this)

> 4) In the network adapter TCP/IP properties, is the client configured with a
> 'Primary DNS Suffix' matching that of the Active Directory DNS domain name?

No - is this needed before you can join the domain or a helpful precaution?

> 5) Do SRV records for the DC exist in DNS? Conduct the following test and
> examine the result (determines if internal AD DC's are properly listed in
> DNS):
>
> a) Open a CMD prompt
> b) Enter nslookup
> c) Enter set q=srv
> d) Enter _ldap._tcp.<domain name>
> (replace <domain name> above with your fully-qualified domain name)

I'll see next week.

> 6) Ensure the Internet Connection Firewall is *not* enabled on the DC and no
> other host-based firewall running on it.

Firewall is enabled, but I also changed the settings to 'permit / allow'
most of what was in the firewall's default list. Also have installed
Symantec's firewall, but it's not enabled. There is no anti-virus on the
server (client decision).

> 7) Run an adware/spyware scan on the client computer.

New Dell computers - straight out of the box, only updated OS / McAfee /
Office.

> 8) Ensure the domain is not a single-label domain name.

No - it's NLS.DNS1

> 9) Verify you do not have a disjointed namespace. This can cause the same
> sort of issues that a single-label name can cause.

Not a problem

I also need to verify that the time settings are identical on the clients /
server.

 
'puter-rooter
03-20-2005, 03:39 AM
There really is no child - this is a new AD structure in its own forest -
first DC.

I'll remove all references to the ISP DNS when I return to the client's
site, next Monday / Wednesday.

The site is connected via cable to the ISP, a LinkSys router leases the DHCP
addresses. I suppose it would be better to just set up DHCP on the server and
disable it on the router... after I get this other issue resolved.

Thanks for your response!

 
Todd J Heron
03-20-2005, 04:39 AM
Point #2 (and possibly point #6) is the source of the problem. Thanks for
the detailed responses and being frank with your reply. It allows us to
help you better. Inline with your responses below...

> 2) Can you ping the DC by IP? By name?

IP - Yes: Name - No

If a client can't reach a DC by name, then it will fail on any operations
with that DC, including logging on and joining a domain. Is your DNS zone
for this domain set to allow dynamic updates? You have correct SRV records
of this DC in the zone? Is it configured for 'Register this connection's
address in DNS' under TCP/IP properties? Restart the netlogon service on
the DC to see if that helps.

> 4) In the network adapter TCP/IP properties, is the client configured with
> a 'Primary DNS Suffix' matching that of the Active Directory DNS domain
> name?

No - is this needed before you can join the domain or a helpful precaution?

No, it is not needed to join the domain. If you have a computer which is a
stand-alone sitting in a workgroup, when you go to join an AD domain it
won't have the 'Primary DNS Suffix' just yet. It gets that after joining.
However, the point to take away here is that after joining, if the 'Primary
DNS Suffix' of the client does not match that of the Active Directory
domain, it will not register its name in the DDNS supporting Active
Directory domain. But thanks for asking that question, as answering it has
led me to remove it from my notes.

> 6) Ensure the Internet Connection Firewall is *not* enabled on the DC and
> no other host-based firewall running on it.

Firewall is enabled, but I also changed the settings to 'permit / allow'
most of what was in the firewall's default list. Also have installed
Symantec's firewall, but it's not enabled. There is no anti-virus on the
server (client decision).

Figure out the problem with point #2 above first, then examine the firewall
settings more closely. Perhaps it is interfering with the DC's ability to
register itself in DDNS.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights.

 
'puter-rooter
03-20-2005, 02:57 PM
Thank you (all) for your suggestions and input! I'm amazed at the speed of
the responses in this group! I found the group as a result of researching the
problem at hand (accidentally), but wish I had known about it during the
immediate need!

I will attempt to apply your suggestions tomorrow (Monday). I'm a contracted
computer services / network technician. This is the first AD I've tried to
set up - and have no other means of support (I'm 'IT' for the small computer
shop I'm contracted with).
I have a degree and certifications, as well as a Server 2003 running at my
house (while going through 'the book').
Can't tell you how much it means to me to have a resource like this to turn
to!

Thanks again!
I'll definitely let you know more when I know more.

 
Doug Sherman [MVP]
03-21-2005, 04:09 PM
It is definitely desirable to kill the router's DHCP server and use the
Windows Server instead. First of all it will give you many more scope
options than the typical low end router. Secondly, the Windows Server will
set the client's primary DNS to the Server's IP. Low end routers frequently
accomplish the same thing by setting the clients to use the router's LAN IP
for primary DNS and then redirecting requests to the Windows DNS server.
The process usually works OK, but it can be just clunky enough to cause or
contribute to the kinds of problems you are having.

Doug Sherman
MCSE, MCSA, MCP+I, MVP


 
Bill Grant
03-21-2005, 10:00 PM
As Doug said, it usually works. But sometimes the NAT router redirects
the DNS requests to the DNS server configured on its public interface. When
that happens, you can't see your local DNS SRV records.


 
'puter-rooter
03-22-2005, 02:01 AM
I'll definitely take that into consideration, going forward.
As for the problem at hand, Todd Heron (see previous posts) nailed it.
All I needed to do was remove all references to the ISP DNS, on the server
and the client. I also disabled the firewall on the server (just in case).
Domain login went off without a hitch after that.

Thanks for the input!