Can A Windows 2003 Server Join A 2016 Domain


Jennifer Vidmar

Jul 17, 2024, 10:55:44 AM
to chrisotolip

For Active Directory Federation Services (AD FS) to function, each computer that functions as a federation server must be joined to a domain. Federation server proxies may be joined to a domain, but this is not a requirement.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

Ping and nslookup work just fine though. I spent a day testing everything that came to mind, and after a while I tried to eliminate as many factors as possible. So I migrated both servers to the same node to eliminate networking issues - and this does the trick. When I want to domain join another server from another node it does not work anymore; as soon as it is on the same node, it does.

Do you have any ideas what is causing this? As a next step, I will make the server on the other, non-Nutanix environment a DC and try joining it from Nutanix to see if this problem is only outgoing or both outgoing and incoming.

The solution I found yesterday is an issue I never came across before. I checked the traffic that went over the firewall thoroughly and saw errors that said "Bad Checksum" coming from the VMs. So I googled this and came across a similar issue with Broadcom NICs. After specifying the Intel X722, which are in the Lenovo hosts, I found this:

So apparently Windows introduced new options within the NIC that lead to those errors. All the suggestions in this thread did not help though, so I installed Server 2016 DCs and it works now. So I know the source of the issue now but not the final solution yet. But definitely it is a Windows Server 2019 and above problem - that's why the other virtual environment had the same issues - Intel NICs.

I don't know if there are new drivers out yet to fix the problem, but as the problems are coming from the guest I don't even know if that would help. Apparently there are new drivers which have the said options disabled by default, but that will only help when Windows is installed on bare metal with direct access to the NIC, not over a hypervisor, I guess.

@srsysadmin @John Marlin How about adding a 2019 server to a 2012 domain ... which asks for the functional level to be raised, which I have done. I need to promote the 2019 to a controller as it's replacing the 2012 R2 DC and is the only controller. I've tried it every way possible and it still asks for attributes which were met.

Windows Server 2003 and 2003 R2 use File Replication Service (FRS) to replicate SYSVOL folder content to other domain controllers. But Windows Server 2008 and later use Distributed File System Replication (DFSR) for the replication. DFSR is better than FRS.

The dfsrmig.exe tool is supported only on domain controllers which are running in the Windows Server 2008 domain functional level (DFL). This is because SYSVOL migration from FRS replication to the DFS Replication service is possible only on domain controllers running in the Windows Server 2008 domain functional level.

PS C:\Users\Administrator> dfsrmig.exe /GetGlobalState
The current domain functional level is not at least Windows Server 2008.
DFSRMig is only supported on at least Windows Server 2008 level domains.

At the end of the server formation process, it is necessary to combine all the machines into one private network. As a result of these actions, the servers will receive additional network adapters and local IP addresses.

Although Windows recommends that you keep the Firewall turned on for all networks, we recommend that you disable it for both domain and private networks to avoid unpredictable behaviour. For a public network, however, we recommend that you leave it turned on.

What I want to do is have the clients use the PiHole to look for the active Directory. If it doesn't find it, it will forward the request by using "conditional forwarding" to active directory. Active Directory will reply and allow new Windows client to join the Windows Domain Controller.

The Windows server with AD has Windows DNS setup, and those have forwarders set to PiHole, which I think isn't ideal as it could create a "loop". However, if Pihole is setup to "conditionally forward" DNS queries, AD should reply and that will be good.

That's because I can log and control each machine without spreading it out between AD and Pihole for DNS. AD would just do GP auth & management. It's much simpler to know where to look for things long term.

Putting your AD server before Pi-hole in your DNS resolution chain will make your AD server the only client of Pi-hole. Without further measures, you won't be able to attribute DNS requests to individual clients that way.

If for some reason you would still need your router to also answer some of the DNS requests relating to local names, you could create a custom dnsmasq configuration file for a distinctive second target (i.e. an additional Conditional.Forwarding).

If you do it the way rdwebdesign suggested, that would enable you to revert your AD back to its known working state. Then change the Windows Server's DNS to use only the Pi-hole, and the Pi-hole's upstream DNS to use whatever was previously being used by the Windows server (external DNS or router for DNS). Pi-hole can still be used to block unwanted domains for site-wide benefit, even if you don't see specific clients in there.

So the better solution still is to "Conditional Forward" or "DNS Request routes". This way, any Windows AD related queries will be routed to it while website or internet requests will be immediately routed by PiHole.

Hey @okynnor, I stumbled across this reddit post which may help you. It seems that the first commenter brod33p is doing the same as what you want. He's using a custom dnsmasq config to send AD queries to the DCs and let Pi-hole handle the non-domain queries directly. Worth a look, and some other commenters further down have other input too. Similar to your earlier reddit post, but this includes some specific steps, files etc.

Comcast Internet is currently working, but only while our Windows Domain Server is ON. Once the Windows Server is offline/shutdown and using one of the computers, I am still able to access the different drives in the local network, BUT I cannot access the internet.

I am looking at the NAT Policies, but I'm not entirely sure what I am looking at. How can I make sure that my other computer will still have internet access even if the Windows Domain Server is offline? On the other Windows machines, we created local users so that we need not be using the domain, but still, no internet. Please advise.

It is highly unlikely that this would be a NAT policy issue as that would affect the internet access even when the internal DNS server is in use. Could you please run those tests and let us know the results?

You can seamlessly join an Amazon EC2 instance to your Active Directory domain when the instance is launched. For more information, see Seamlessly join an Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory. You can also launch an EC2 instance and join it to an Active Directory domain directly from the AWS Directory Service console with AWS Systems Manager Automation.

To be able to connect remotely to these instances, you must have IP connectivity to the instances from the network you are connecting from. In most cases, this requires that an internet gateway be attached to your VPC and that the instance has a public IP address.

Hey, Scripting Guy! It seems that I have been hand building a number of computers recently for a computer lab we are setting up at work. I have written a batch file that uses netdom commands to join the domain. I also use a netdom command to rename the computer, and the shutdown command to restart the computer. The syntax for each of these three commands is rather complex and convoluted. A strange thing is that it seems I can do this on Windows Server R2, but I cannot do this on Windows 7. What gives?

Microsoft Scripting Guy, Ed Wilson, is here. Well, this afternoon I am drinking something a bit different. I decided to make a cup of masala chai. (The word chai, or many of its variations, simply means tea in many languages. Therefore, to speak of chai tea is redundant.) Anyway, I decided to use Darjeeling tea, brewed a little strong, and I added cloves, cardamom, a cinnamon stick, fresh ground pepper, and 1/3 cup of warm milk. Coupled with an Anzac biscuit, it was quite nice.

AD, the reason that you cannot use your batch file (containing netdom commands) on Windows 7 is that by default Windows 7 does not contain the netdom command. You can add netdom to your computer running Windows 7 by installing the latest version of the Remote Server Administration Tools (RSAT). When it is installed, you still need to go to Programs and Features and turn on the tools you want to load. The RSAT tools are great, and that is where you gain access to the Active Directory module. But you should not load the RSAT only to access netdom, because you can do what you want to accomplish out of the box (assuming that your box is not Windows 7 Home edition that does not join domains).

AD, your batch file contained at least three commands to rename the computer, join the domain, and to restart the machine. The two netdom commands and the shutdown command are shown here.

In Windows PowerShell 2.0, this is still three commands, but at least the commands are native to Windows 7. In addition, the Windows PowerShell commands are easier to read, and they support prototyping. An example of using Windows PowerShell to add a computer to the domain, rename the computer, and reboot the machine is shown here.

After I rename the computer, I use the Add-Computer cmdlet to join the computer to the domain. The Add-Computer cmdlet allows me to specify the credentials that have rights to add computers to the domain, in addition to the name of the domain to join. Although I did not do it in my example, there is also an ou parameter that allows you to specify the path to the OU that will contain the newly created computer account.
