Cannot join domain - 'network name no longer available' & 'access denied' DHCP authorizing

(sorry for the long title)

We ran into an interesting problem I wanted to document here, hopefully it will help someone else out.

At head office: Old call center is being moved to a new building, but cannot have any downtime. We are getting infrastructure set up (DC/proxy/etc) ahead of time. We had a test network set up at head office but it was having issues (ADSL flapping), so while on the new IP subnet we were not able to join the domain (seeing 'network name no longer available' error). We figured this was due to the flapping, and we decided to leave the join/promote to when we were local.

Catch to the setup: We cannot see two of the four DCs, as our hub/spoke network design does not allow the spokes (remote offices) to see each other, only to see the hub (head office). This is fine, as we have two DCs at the spoke office, and two DCs at the head office (for this child domain...not in total).

At the remote office: Same issue persists, but we no longer have the flapping.

1. We could ping the FQDN of the domain: child.domain.local
2. We could ping the DCs involved (the two at the head office).

We brainstormed, checked security settings, disabled firewalls, telnetted to ports, and eventually we ticked on there being multiple roles, and some are only set on specific DCs (naming master, ops master, infrastructure master, etc). Last year they moved several key roles down to the remote site to speed up logon times. It turns out that you need these roles to join the domain.

The roles were moved back to the two DCs at the head office, and we were able to join the domain immediately, and promote it to DC without any issues as well.

One last issue cropped up - the new DHCP scope could not be authorized. It could be created, services started, but not authorized. A little research turned up that for CHILD domains, only ENTERPRISE admins could authorize scopes. Small point, but pretty key!! Gave the correct permissions, and authorized the scope.

Comments

Popular posts from this blog

DFSR - eventid 4312 - replication just won't work

Fixing duplicate SPNs (service principal name)

Logstash to Nagios - alerting based on Windows Event ID