How to join a client to a domain behind a NAT environment
We have a development domain set up inside (VMware) Labmanager, which is "isolated" from the outside. Each machine has its private IP address, such as 10.10.10.x, and also has an "external" IP address, such as 172.16.48.x. There is a need to add a machine external to Labmanager, which has a 172.16.48.* address, to this dev domain.
When I try to join a test XP machine to the domain I receive the following message:
Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain xyz-dev.com:
The error was: "This operation returned because the timeout period expired."
(error code 0x000005B4 ERROR_TIMEOUT)
The query was for the SRV record for _ldap._tcp.dc._msdcs.xyz-dev.com
The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
172.16.48.10
Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.
For more information on how to correct this problem, click Help.
172.16.48.10 is the "external" IP address of the domain controller/DNS server in the dev domain.
In order to correct this error, I added the following to the hosts file on the XP test machine:
172.16.48.10 xyz-dev.com
Then I saw some progress and got a different error:
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain xyz-dev.com:
The query was for the SRV record for _ldap._tcp.dc._msdcs.xyz-dev.com
The following domain controllers were identified by the query:
xyzdcd01.xyz-dev.com
Common causes of this error include:
- Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
For information about correcting this problem, click Help.
Even after I added the entry below to the hosts file, I still got the same error message:
172.16.48.10 xyzdcd01.xyz-dev.com
After giving it some thought, I believe the problem is this: the test machine can resolve xyz-dev.com through the first entry in the hosts file,
172.16.48.10 xyz-dev.com
so it queries the SRV record and gets the domain controller name, which is xyzdcd01.xyz-dev.com. All happy so far!
But the IP address the test machine gets for the DC is not 172.16.48.10; it is the internal IP address of the DC/DNS box, which happens to be 10.10.10.10, and the test box has no way to connect to it. The second entry in the hosts file,
172.16.48.10 xyzdcd01.xyz-dev.com
doesn't help at all!
I tried creating a new Host (A) record for the DC, so that xyzdcd01.xyz-dev.com had two A records, one pointing to the internal IP address 10.10.10.10 and the other pointing to the external IP address 172.16.48.10, and I could then add the test XP machine to the domain. But before I got too excited about this, I realized and noticed that I can't do that: the DNS server automatically deletes the "external" A record for the DC after a while!
Then I went back to read the above error message and focused my attention on:
_ldap._tcp.dc._msdcs.xyz-dev.com
I then went to the DNS server and modified the above pointer to the external IP address 172.16.48.10 (it had the internal IP address by default)!
Now the "external" machines can join the dev domain, and the machines inside Labmanager can still join the dev domain because each of them has an external IP address and they can go out (they are set up to use the external gateway) to join the domain.
After that I created a secondary DNS zone on my "external" production DNS server, which now holds the zone information for xyz-dev, so I don't have to add the xyz-dev.com hosts file entry. All I need to do is let the client use the external IP address of the dev DNS server as its preferred DNS server if I need to add that client to the dev domain.
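To check a client against this failure mode before attempting the join, the following PowerShell script walks the same path the DC locator does: it queries the `_ldap._tcp.dc._msdcs.<domain>` SRV record, resolves each DC the record names to its A record(s), and tests TCP reachability to the ports a domain join needs. This is an added example, not code from the original post; it assumes PowerShell 3+ on Windows 8 / Server 2012 or later (for `Resolve-DnsName` and `Test-NetConnection`), and the domain name, DNS server address and port list are illustrative defaults taken from the post's scenario.

```powershell
# Added example (not from the original post): reproduce the DC locator's lookups
# and report which DC addresses the client can actually reach.
# Assumptions: Windows 8 / Server 2012+ (Resolve-DnsName, Test-NetConnection);
# $Domain, $DnsServer and $Ports are illustrative defaults from the post.
param(
    [string]$Domain    = 'xyz-dev.com',
    [string]$DnsServer = '172.16.48.10',
    [int[]] $Ports     = @(53, 88, 135, 389, 445, 464)  # DNS, Kerberos, RPC, LDAP, SMB, kpasswd
)

$srvName = "_ldap._tcp.dc._msdcs.$Domain"

# Step 1: the SRV query the domain join performs first. A timeout here is the
# first error shown in the post (the client cannot reach the DNS server at all).
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $DnsServer -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
} catch {
    Write-Warning "SRV lookup for $srvName against ${DnsServer} failed: $($_.Exception.Message)"
    return
}
if (-not $srv) {
    Write-Warning "No SRV records returned for $srvName"
    return
}

# Step 2: for each DC named by the SRV record, resolve its A record(s) and test
# every address on every port. In the NAT case from the post the A record
# resolves to the internal 10.10.10.x address, which shows up here as unreachable.
foreach ($record in $srv) {
    $dcHost = $record.NameTarget
    $addrs  = Resolve-DnsName -Name $dcHost -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    if (-not $addrs) {
        Write-Warning "$dcHost has no A record on ${DnsServer} (the 'missing host record' case)"
        continue
    }
    foreach ($ip in $addrs) {
        foreach ($port in $Ports) {
            $result = Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DC        = $dcHost
                Address   = $ip
                Port      = $port
                Reachable = $result.TcpTestSucceeded
            }
        }
    }
}
```

Run it from the machine you intend to join, pointing `-DnsServer` at the dev DNS server's external address. A DC that resolves only to an address with `Reachable = False` on 389 and 88 will produce exactly the second error in the post; a DC whose A record resolves to the external address with those ports open is one the client can join through. Note that the DC locator also has to be able to reach the address for RPC (135 plus dynamic ports) and SMB (445), so check those rather than LDAP alone.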
I spent quite some time on this and figured I'd share it, but keep in mind that this may not be an officially supported scenario and may have unintended consequences!