Coffeehouse Thread

10 posts


Troubleshooting Joining a Domain

  • Be#

    I wanted to rejoin a newly installed Win 2003 Server Standard edition to our domain.

    However when trying to do so we received an error stating:

    The following error occurred attempting to join the domain "domain": Access Denied.

    I googled and found hundreds of entries pointing in completely different directions. So my question here is: Is there any log file or anything I could trace the error down with, to get a bit more detailed explanation of what has failed?

  • Maddus Mattus

    maybe something stored in the eventlog?

  • AndyC

    Reset the Computer Account for that computer (assuming there already is one) and ensure that the account you are using to join the computer to the domain has appropriate permissions within AD. If there isn't a pre-existing computer account object in AD, try creating one and see if that works.

  • Be#

    AndyC wrote:
    Reset the Computer Account for that computer (assuming there already is one) and ensure that the account you are using to join the computer to the domain has appropriate permissions within AD. If there isn't a pre-existing computer account object in AD, try creating one and see if that works.

    Is there a difference between the right to join WORKSTATIONS to a Domain and SERVERS? Which one? Where do we find them?

  • AndyC

    Be# wrote:
    Is there a difference between the right to join WORKSTATIONS to a Domain and SERVERS? Which one? Where do we find them?

    Not exactly.

    If there is a pre-existing account, then permissions may have been delegated to a specific group of people. In that case, there may be differences between which people can add which kind of machines. Otherwise it shouldn't matter; a computer account is just a computer account as far as AD is concerned. You can check the permissions on an OU in ADUC (though you need to enable 'Advanced Features', IIRC).

    One other thing to consider: By default any user can add up to ten computers to AD (god alone knows who thought that was a good idea!), after that attempting to add further machines will fail with permission denied. Is the account you are using a Domain Admin?

  • SlackmasterK

    Does it ask you for network credentials of a user who has access to join a computer to the domain? Are you entering a domain admin's credentials?

    Make sure your clocks are about the same.

    Try setting a static IP. I know, weird, but it's been my solution on more than one occasion.

  • Be#

    Thanks so far! Great feedback and some more input to consider.

    1. I am using my personal Domain Account, not a Domain Admin member, but it has the rights to join computers to a Domain.

    Here is the log file indicating the failed attempt. The key line seems to be:

    01/23 15:05:11 SamOpenUser on 2191 failed with 0xc0000022

    However, what exactly does this mean? How can I resolve the situation?

    01/23 15:05:11 -----------------------------------------------------------------
    01/23 15:05:11 NetpDoDomainJoin
    01/23 15:05:11 NetpMachineValidToJoin: 'DOR-DEV-05'
    01/23 15:05:11 NetpGetLsaPrimaryDomain: status: 0x0
    01/23 15:05:11 NetpMachineValidToJoin: status: 0x0
    01/23 15:05:11 NetpJoinDomain
    01/23 15:05:11   Machine: DOR-DEV-05
    01/23 15:05:11   Domain: xxx.yyy.zzz.com
    01/23 15:05:11   MachineAccountOU: (NULL)
    01/23 15:05:11   Account: ZZZ\peter.foo
    01/23 15:05:11   Options: 0x25
    01/23 15:05:11   OS Version: 5.2
    01/23 15:05:11   Build number: 3790
    01/23 15:05:11 NetpValidateName: checking to see if 'xxx.yyy.zzz.com' is valid as type 3 name
    01/23 15:05:11 NetpValidateName: xxx.yyy.zzz.com' is not a valid NetBIOS domain name: 0x7b
    01/23 15:05:11 NetpCheckDomainNameIsValid [ Exists ] for 'xxx.yyy.zzz.com' returned 0x0
    01/23 15:05:11 NetpValidateName: name 'xxx.yyy.zzz.com' is valid for type 3
    01/23 15:05:11 NetpDsGetDcName: trying to find DC in domain 'xxx.yyy.zzz.com', flags: 0x1020
    01/23 15:05:11 NetpDsGetDcName: found DC '\\dor-dc-21.xxx.yyy.zzz.com' in the specified domain
    01/23 15:05:11 NetpJoinDomain: status of connecting to dc '\\dor-dc-21.xxx.yyy.zzz.com': 0x0
    01/23 15:05:11 NetpGetLsaPrimaryDomain: status: 0x0
    01/23 15:05:11 NetpGetDnsHostName: Read NV Hostname: dor-dev-05
    01/23 15:05:11 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: xxx.yyy.zzz.com
    01/23 15:05:11 NetpLsaOpenSecret: status: 0xc0000034
    01/23 15:05:11 NetpGetLsaPrimaryDomain: status: 0x0
    01/23 15:05:11 NetpLsaOpenSecret: status: 0xc0000034
    01/23 15:05:11 SamOpenUser on 2191 failed with 0xc0000022
    01/23 15:05:11 NetpJoinDomain: status of setting machine password: 0x5
    01/23 15:05:11 NetpJoinDomain: initiaing a rollback due to earlier errors
    01/23 15:05:11 NetpLsaOpenSecret: status: 0x0
    01/23 15:05:11 NetpJoinDomain: rollback: status of deleting secret: 0x0
    01/23 15:05:11 NetpJoinDomain: status of disconnecting from '\\dor-dc-21.xxx.yyy.zzz.com': 0x0
    01/23 15:05:11 NetpDoDomainJoin: status: 0x5
    01/23 15:05:11 -----------------------------------------------------------------
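A small reader for netsetup.log, added here as an illustration and not part of the thread: it pulls every result code out of the log above, names the ones that occur in the post (standard NTSTATUS and Win32 names), skips the two non-zero results the join logic recovers from on its own, and reports the step at which the join actually broke. SamOpenUser on the existing computer account's RID failing with STATUS_ACCESS_DENIED, followed by 0x5 when setting the machine password, is the pattern the later replies speak to (resetting the existing computer account, the ten-machine default limit, delegating the right properly); the regex and the benign-result table are assumptions of this example.

```python
import re

# Names for the codes seen in the posted log: NTSTATUS (high bit set, LSA/SAM
# calls) and Win32 (small values, NetpJoinDomain / NetpDoDomainJoin).
NTSTATUS_NAMES = {0xC0000022: "STATUS_ACCESS_DENIED",
                  0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}
WIN32_NAMES = {0x5: "ERROR_ACCESS_DENIED", 0x7B: "ERROR_INVALID_NAME"}

# Non-zero results the join logic recovers from by itself (noise, not cause).
BENIGN = {("NetpValidateName", 0x7B),        # NetBIOS check fails, DNS check follows
          ("NetpLsaOpenSecret", 0xC0000034)}  # no stored machine secret on this box yet

LINE_RE = re.compile(
    r"^\d\d/\d\d \d\d:\d\d:\d\d (?P<func>(?:Netp|Sam)\w+).*?"
    r"(?:(?<!flags):|returned|failed with)\s*(?P<code>0x[0-9A-Fa-f]+)\s*$")

def parse_netsetup(text):
    """Return (function, code, name) for every line that reports a result."""
    out = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        code = int(m.group("code"), 16)
        names = NTSTATUS_NAMES if code >= 0x80000000 else WIN32_NAMES
        out.append((m.group("func"), code,
                    "SUCCESS" if code == 0 else names.get(code, "UNKNOWN")))
    return out

def failures(text):
    return [e for e in parse_netsetup(text)
            if e[1] != 0 and (e[0], e[1]) not in BENIGN]

def root_cause(text):
    """First real failure, i.e. the step where the join actually broke."""
    f = failures(text)
    return f[0] if f else None

def final_status(text):
    """(code, name) from NetpDoDomainJoin: the overall result of the join."""
    return next(((c, n) for f, c, n in parse_netsetup(text)
                 if f == "NetpDoDomainJoin"), None)

# Excerpt of the log posted above, embedded here as sample input.
SAMPLE_LOG = """
01/23 15:05:11 NetpValidateName: xxx.yyy.zzz.com' is not a valid NetBIOS domain name: 0x7b
01/23 15:05:11 NetpDsGetDcName: trying to find DC in domain 'xxx.yyy.zzz.com', flags: 0x1020
01/23 15:05:11 NetpLsaOpenSecret: status: 0xc0000034
01/23 15:05:11 SamOpenUser on 2191 failed with 0xc0000022
01/23 15:05:11 NetpJoinDomain: status of setting machine password: 0x5
01/23 15:05:11 NetpDoDomainJoin: status: 0x5
"""
```

Run it over a full netsetup.log and root_cause() gives the line to start from; a join that completes has no failures and returns None.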

  • fknight

    If you are not using a domain administrator account and are using a personal account that has permission to join machines to a domain, ensure that you have not already joined 10 machines to the domain with that account. AD will stop you after 10 and deny you.

  • Be#

    fknight wrote:
    If you are not using a domain administrator account and are using a personal account that has permission to join machines to a domain, ensure that you have not already joined 10 machines to the domain with that account. AD will stop you after 10 and deny you.

    Is there any known way to allow me to add more (unlimited) machines without having to put my user into the domain admin group? Is there a policy or right?

    -Ralf

  • AndyC

    Be# wrote:
    Is there any known way to allow me to add more (unlimited) machines without having to put my user into the domain admin group? Is there a policy or right?

    Use the Delegation of Control wizard to assign the right to create computer accounts in Active Directory. It's best to delegate this right to a group (or groups as appropriate) and then add your account to that group.
