
How to join a client to a domain behind a NAT environment

We have a development domain set up inside VMware Lab Manager, which is "isolated" from the outside. Each machine has a private IP address such as 10.10.10.x and also an "external" IP address such as 172.16.48.x. We need to add a machine that lives outside Lab Manager, with a 172.16.48.x address, to this dev domain.

When I try to join a test XP machine to the domain, I receive the following message:

Note: This information is intended for a network administrator. If you are not your network’s administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain xyz-dev.com:

The error was: "This operation returned because the timeout period expired."
(error code 0x000005B4 ERROR_TIMEOUT)

The query was for the SRV record for _ldap._tcp.dc._msdcs.xyz-dev.com

The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:

172.16.48.10

Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.

For more information on how to correct this problem, click Help.

172.16.48.10 is the "external" IP address of the domain controller/DNS server in the dev domain.

To correct this error, I added the following to the hosts file (C:\WINDOWS\system32\drivers\etc\hosts) on the XP test machine:

172.16.48.10 xyz-dev.com

Then I saw some progress and got a different error:

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain xyz-dev.com:

The query was for the SRV record for _ldap._tcp.dc._msdcs.xyz-dev.com

The following domain controllers were identified by the query:

xyzdcd01.xyz-dev.com

Common causes of this error include:

– Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.

– Domain controllers registered in DNS are not connected to the network or are not running.

For information about correcting this problem, click Help.

Even after I added the entry below to the hosts file, I still got the same error message:

172.16.48.10 xyzdcd01.xyz-dev.com

After giving it some thought, I believe the problem is this: the test machine can resolve xyz-dev.com through the first entry in the hosts file

172.16.48.10 xyz-dev.com

then it queries the SRV record and gets the domain controller name, xyzdcd01.xyz-dev.com. All happy so far!

But the IP address the test machine gets for the DC is not 172.16.48.10 but the internal address of the DC/DNS box, which happens to be 10.10.10.10, and the test box has no way to reach that. The second hosts file entry,

172.16.48.10 xyzdcd01.xyz-dev.com

does not help at all! The most likely reason is that the DC locator never does a separate lookup of the DC name that the hosts file could intercept: the DNS server hands back the DC's A record in the same response as the SRV record (the additional section), and that is the address the locator connects to.
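To see what a prospective client will actually be handed, it helps to reproduce the locator's lookups against the DNS server directly and then test whether the returned addresses are reachable. The following PowerShell script is an added example, not part of the original post; it uses the post's domain name and DNS server address, needs Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection, and the port list is my assumption.

```powershell
# Added example (not from the original post): replay the DC-locator lookups
# that the join wizard performs and check that the addresses it gets back are
# reachable from this client. Domain and DNS server are the post's values;
# everything else is an assumption. On XP the equivalent query is:
#   nslookup -type=SRV _ldap._tcp.dc._msdcs.xyz-dev.com 172.16.48.10

param(
    [string]$Domain    = 'xyz-dev.com',
    [string]$DnsServer = '172.16.48.10'
)

$srvName = "_ldap._tcp.dc._msdcs.$Domain"

# 1. SRV lookup, exactly what the join wizard asks for. Query the DNS server
#    directly (-DnsOnly) so the hosts file cannot mask what the locator sees.
try {
    $answer = Resolve-DnsName -Name $srvName -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop
} catch {
    Write-Warning "SRV query for $srvName against $DnsServer failed: $($_.Exception.Message)"
    Write-Warning "This corresponds to the first error in the post (DNS server not responding)."
    return
}

$srv = $answer | Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { Write-Warning "No SRV records returned for $srvName"; return }

foreach ($rec in $srv) {
    Write-Host "DC advertised by SRV record: $($rec.NameTarget) (port $($rec.Port))"

    # 2. The A records for the target normally arrive in the same response
    #    (additional section); Resolve-DnsName returns them alongside the SRV.
    $addrs = $answer |
        Where-Object { $_.Type -eq 'A' -and $_.Name -eq $rec.NameTarget } |
        Select-Object -ExpandProperty IPAddress
    if (-not $addrs) {
        # No glue returned: fall back to an explicit A query on the same server.
        $addrs = Resolve-DnsName -Name $rec.NameTarget -Type A -Server $DnsServer -DnsOnly |
            Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    }

    foreach ($ip in $addrs) {
        # 3. Can this client reach the DC on LDAP (389) and Kerberos (88)?
        #    An internal 10.10.10.x address fails from outside the lab, which is
        #    the situation the second error message describes.
        foreach ($port in 389, 88) {
            $ok = (Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
            Write-Host ("  {0}:{1} reachable = {2}" -f $ip, $port, $ok)
        }
    }
}
```

Run it on the machine you are about to join; if the SRV target resolves only to 10.10.10.10 and both ports show `reachable = False`, the join will fail no matter what the hosts file says.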

I tried creating a second Host (A) record for the DC, so that xyzdcd01.xyz-dev.com had two A records, one pointing at the internal address 10.10.10.10 and the other at the external address 172.16.48.10, and I could then add the test XP machine to the domain. But before I got too excited about this, I noticed that I can't do that: the DNS server automatically deletes the "external" A record for the DC after a while! That is the DC's own DNS client at work: it re-registers the DC's A record periodically (by default every 24 hours, and whenever the service starts or `ipconfig /registerdns` is run), and that dynamic update replaces the addresses registered for the name, so a hand-added address does not survive.

Then I went back to the error message above and focused my attention on:

_ldap._tcp.dc._msdcs.xyz-dev.com

I then went to the DNS server and modified the above record so that it points to the external IP address 172.16.48.10 (it pointed to the internal IP address by default)! Keep in mind that Netlogon on the DC re-registers its SRV records on the same schedule as the A record (`nltest /dsregdns` forces an immediate refresh), so check that the edit is still in place after the next refresh rather than assuming it will stick.

Now the "external" machines can join the dev domain, and the machines inside Lab Manager can still join it, because each of them also has an external IP address and can go out through the external gateway (they are set up to use it) to reach the DC at its external address.

After that I created a secondary DNS zone on my "external" production DNS server, which now holds the zone information for xyz-dev.com, so I don't have to add the xyz-dev.com hosts file entry any more. All I need to do when I want to add a client to the dev domain is to give it the external IP address of the dev DNS server as its preferred DNS server.
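The server-side half of this, inspecting the records the locator depends on and standing up the secondary zone, looks like the following with the DnsServer module. This is an added example, not the original post's commands; it assumes Windows Server 2012 or later (the post's era used the DNS console or dnscmd), that _msdcs.xyz-dev.com is its own zone as it normally is since Windows Server 2003, and that the production DNS server's address is 172.16.48.20.

```powershell
# Added example (not from the original post). Zone and host names are the
# post's; the _msdcs zone layout and the production DNS address are assumed.
Import-Module DnsServer

$domain  = 'xyz-dev.com'
$devDns  = '172.16.48.10'   # external address of the dev DC/DNS server
$prodDns = '172.16.48.20'   # assumed: the "external" production DNS server

# --- On the dev DC/DNS server ------------------------------------------------

# Which host the DC-locator SRV record names, and which address that host
# resolves to. If _msdcs is only a folder under xyz-dev.com on your server,
# use: -ZoneName $domain -Name '_ldap._tcp.dc._msdcs'
$srv = Get-DnsServerResourceRecord -ZoneName "_msdcs.$domain" -Name '_ldap._tcp.dc' -RRType Srv

foreach ($r in $srv) {
    $target = $r.RecordData.DomainName.TrimEnd('.')
    "SRV target: $target (priority $($r.RecordData.Priority), port $($r.RecordData.Port))"

    # The A record the server will add to the additional section, i.e. the
    # address a joining client connects to. From outside the lab it has to be
    # the 172.16.48.x address, not 10.10.10.x. (Assumes the target lives in
    # the xyz-dev.com zone, as xyzdcd01.xyz-dev.com does.)
    $hostLabel = $target.Split('.')[0]
    Get-DnsServerResourceRecord -ZoneName $domain -Name $hostLabel -RRType A |
        ForEach-Object { "  A record: $($_.RecordData.IPv4Address)" }
}

# Anything edited here competes with the DC's own registration (DNS client
# for the A record, Netlogon for the SRV records). Force a refresh and re-run
# the inspection above to prove the change survives:
#   ipconfig /registerdns
#   nltest /dsregdns

# Let the production DNS server pull the dev zones by zone transfer.
Set-DnsServerPrimaryZone -Name $domain          -SecureSecondaries TransferToSecureServers -SecondaryServers $prodDns
Set-DnsServerPrimaryZone -Name "_msdcs.$domain" -SecureSecondaries TransferToSecureServers -SecondaryServers $prodDns

# --- On the production DNS server -------------------------------------------

# Secondary copies of both zones; the _msdcs zone carries the SRV records, so
# it is needed too. (dnscmd equivalent: dnscmd /zoneadd xyz-dev.com /secondary 172.16.48.10)
Add-DnsServerSecondaryZone -Name $domain          -ZoneFile "$domain.dns"        -MasterServers $devDns
Add-DnsServerSecondaryZone -Name "_msdcs.$domain" -ZoneFile "_msdcs.$domain.dns" -MasterServers $devDns

# Clients that point at either server now get the SRV record without any
# hosts-file entry:
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $prodDns
```

Restricting transfers with TransferToSecureServers and an explicit secondary list keeps the dev zone from being dumped by anyone on the 172.16.48.x network who asks for an AXFR.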

I spent quite some time on this and figured I would share it, but keep in mind that this may not be an officially supported scenario and may have unintended consequences!


Ying Li obtained a Master's degree in Medicine in China and worked in the medical field before he came to the States in 1996. He made the career switch from troubleshooting people to troubleshooting computers after he arrived. Not entirely a surprise, if you know that his second choice for college was Mathematics. Ying is a two-time Admin Framework MVP awardee (2007-2008). His previous employment in the US includes UUNET, MCI WorldCom, MMC (Marsh & McLennan Companies) and Merrill Lynch. He is currently employed by Related Companies as a Senior Infrastructure Engineer. He is proficient in virtually all Microsoft products (Office/Back Office). His craving for efficiency naturally led him to scripting, automation and, before you know it, PowerShell! He is currently an MCSE (NT4, 2000, 2003) and MCITP Server Administrator. Ying enjoys wine and loves to travel. His non-work-related passion is advocating healthy living!
