Joining Domain across WAN

I have a 2003 server set up as a DC for my domain. I have 8 sites all connected with 100Mbps fiber provided by the local telco, we are set up on our own VLAN on their equipment. Each site has a Mikrotik router. I am trying to join a 2008 server at each site to the domain and promote it to DC, but I'm having trouble. I took one of the servers to the physical site where the 2003 DC is hosted and joined it without any problem, but when I returned it to the remote site it could not see the domain.

Each router is set up with the following IP scheme.

The external interface has an IP in the 10.125.5.x network, the internal IP is 10.y.1.1 where y ranges from 1-8. The servers are setup 10.y.200.1 at each site. I can ping each way, tracert shows that it hits local router, remote router, remote machine, no additional hops either way. I have the DC set as the primary DNS and can ping the DC by name. When I try to join the domain it gives me the following:

The domain name "domain" might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "domain":

The query was for the SRV record for _ldap._tcp.dc._msdcs.domain

The following domain controllers were identified by the query:
my-dc.domain


However no domain controllers could be contacted.

Common causes of this error include:

- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network or are not running.


I have tried to use PortQry to check ports and have been unable to find anything blocked. Any suggestions?

 

It looks your domain was configured for a netbios name and not FQDN (domain.local or domain.com) typically from my understanding you not suppose to use a single name for your domain (domain) but I never looked into the side effects of doing so.

Have you tried using 'nslookup' to make sure DNS is working?
> nslookup server <servername>
> <computer name>

If everything is working correctly you should get the ip address of the computer name as long as that computer name has a record (A) in DNS.

You may also want to check the DNS server for (SRV) records for the domain controller. They should already be there as they are updated each time the DC is rebooted but it might be something to check.

 

when I do a nslookup I get the following which is correct

c:\>nslookup my-dc.domain
Server: my-dc.domain
Address: 10.1.100.2

Name: my-dc.domain
Address 10.1.100.2


This domain was set up years before I started this job. It was originally an NT4 domain and I migrated it to a 2003 server 7-8 years ago.

DNS is working properly and I can ping it by FQDN, it just doesn't appear to be communicating for anything else. When I try to join to the domain, I watched the router and the only traffic I could see was the DNS request. I have netbios over TCP enabled.

 

This might be more of a workaround than a fix but the following thread has a similar issue that added the DC to the host file on the computer that is to be joined to the domain.
http://www.networksteve.com/windows...o_a_Windows_2008_R2_VM/?TopicId=52999&Posts=2

This post has a series of troubleshooting steps that may apply to your situation, their fix which may not be yours was that LDAP was being filtered on their VPN connection.
http://serverfault.com/questions/297300/cannot-join-win7-workstations-to-win2k8-domain