A common thing we need to deal with as Directory Services people is difficulty adding a client as a domain member, also known as ‘domain join’. For Windows SKUs which support being a domain member, this is the first step toward having the computer take advantage of the authentication, centralized account administration and all the other goodness that is Active Directory.
But domain join is pretty straightforward, right? True enough, but not all of us have seen a high volume of join failures, so here is a post on how to approach them.
The most common way to join is via the System control panel applet. When the join fails it should give a brief, descriptive error. Sometimes it is a little too brief and a little less descriptive, but it’s a start.
The message shown is the text for a Win32 error code: the same description you get when you take the error code and map it to the Windows headers using ERR.EXE (which was discussed in a post on AD replication a while back).
Questions to ask yourself before digging further:
-Can you successfully “net view” the closest domain controller? If not, what error code is returned?
-Where in the domain join process is it failing?
-Which domain controller is the client trying this against?
Some of the questions above can be answered by reviewing %systemroot%\debug\NETSETUP.LOG, which is written automatically during the join. This is a debug log, so the entries can sound cryptic: they are arranged by the name of the function that wrote them, but there is enough there to walk you through the join and see where the problem lies.
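As an added example (not code from the original post), the following PowerShell pulls the two answers NETSETUP.LOG can give you, which DC the client located and which function first returned a non-zero status, and decodes that status to its Win32 message with .NET’s Win32Exception instead of ERR.EXE. The log lines embedded below are constructed to resemble NETSETUP.LOG entries and are not a real capture; the regular expressions assume the usual “date time Function: text … 0xNNN” line shape.

```powershell
# Added example, not from the original post. Parses NETSETUP.LOG-style lines to
# answer "which DC?" and "where did it fail?", decoding status codes to Win32 text.

# Constructed sample (NOT a real capture); shaped like NETSETUP.LOG entries.
# Scenario: the DC is found, but creating the computer account is refused.
$SampleLog = @'
07/12/2024 09:41:03:112 -----------------------------------------------------------------
07/12/2024 09:41:03:112 NetpDoDomainJoin
07/12/2024 09:41:03:112 NetpMachineValidToJoin: 'CLIENT01'
07/12/2024 09:41:03:112 NetpGetLsaPrimaryDomain: status: 0x0
07/12/2024 09:41:03:112 NetpMachineValidToJoin: status: 0x0
07/12/2024 09:41:03:113 NetpJoinDomain
07/12/2024 09:41:03:113     Machine: CLIENT01
07/12/2024 09:41:03:113     Domain: contoso.com
07/12/2024 09:41:03:113 NetpDsGetDcName: trying to find DC in domain 'contoso.com', flags: 0x40001010
07/12/2024 09:41:03:160 NetpDsGetDcName: found DC '\\DC01.contoso.com' in the specified domain
07/12/2024 09:41:03:161 NetpJoinDomainOnDs: status of connecting to dc '\\DC01.contoso.com': 0x0
07/12/2024 09:41:03:190 NetpJoinDomainOnDs: status of creating computer account: 0x5
07/12/2024 09:41:03:190 NetpJoinDomainOnDs: Function exits with status of: 0x5
07/12/2024 09:41:03:190 NetpDoDomainJoin: status: 0x5
'@

function Read-NetSetupLog {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Lines)

    # "found DC '\\name'" is how the DC locator result shows up in the log.
    $dcRx = "found DC '\\\\(?<dc>[^']+)'"
    # A status line: "<date> <time> <NetpFunction>: ... status/returned ... 0x<hex>" at end of line.
    # The 'status|returned' word keeps "flags: 0x40001010" style lines from being read as errors.
    $statusRx = '^\S+\s+\S+\s+(?<func>Netp\w+):.*\b(?:status|returned)\b.*0x(?<code>[0-9A-Fa-f]+)\s*$'

    $dcs      = @()
    $failures = @()
    foreach ($line in $Lines) {
        if ($line -match $dcRx -and $dcs -notcontains $Matches.dc) { $dcs += $Matches.dc }
        if ($line -match $statusRx) {
            # ToInt32 with base 16 also accepts values above 0x7FFFFFFF (treated as two's complement),
            # so an NTSTATUS-looking value will not blow up the parser.
            $code = [Convert]::ToInt32($Matches.code, 16)
            if ($code -ne 0) {
                $failures += [pscustomobject]@{
                    Function = $Matches.func
                    Hex      = '0x' + $Matches.code
                    Code     = $code
                    # Same text ERR.EXE would give for a Win32 code, via the system message table.
                    Message  = (New-Object ComponentModel.Win32Exception($code)).Message
                }
            }
        }
    }
    [pscustomobject]@{
        DomainControllers = $dcs
        FirstFailure      = if ($failures) { $failures[0] } else { $null }   # where it went wrong
        AllFailures       = $failures                                         # the error as it propagates up
    }
}

# Run against the constructed sample. FirstFailure is NetpJoinDomainOnDs, 0x5, "Access is denied."
$result = Read-NetSetupLog -Lines ($SampleLog -split "`r?`n")
$result.DomainControllers
$result.FirstFailure | Format-List

# On a real client, read the actual log instead:
# Read-NetSetupLog -Lines (Get-Content "$env:SystemRoot\debug\NETSETUP.LOG")
```

The first non-zero status is the interesting one: the later lines (“Function exits with status of”, “NetpDoDomainJoin: status”) usually just carry the same code back up the call chain, which is why the function reports FirstFailure separately from AllFailures.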
There is a very good, though not comprehensive, link on domain join troubleshooting below. “Not comprehensive” because not every domain join failure scenario we’ve seen appears there. Maybe that’s a little harsh, but you be the judge. Also, don’t disregard the link because it’s written for Windows 2000; the information there still applies.
The more common basic requirements for a domain join to keep in mind are:
-the credentials used for the join must have sufficient privilege for that action (the right to create the computer account in the target container, or to reset the existing account if one is already there)
-network connectivity to a domain controller must be sufficient for this
-said network connectivity must allow the ports the join needs (NetBIOS
-security must not be too restrictive on the domain controller side (of course, if it’s that restrictive, like gulag-level user rights, other things aren’t working well anyway)
-the computer name must be unique
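The checks below are an added example, not code from the original post, that tests those requirements from the client before you attempt the join: locate a DC for the domain through its DNS SRV record, probe the TCP ports a join needs, confirm the join credentials can bind to that DC, and look for an existing computer account with the same name. The port list (DNS 53, Kerberos 88, RPC endpoint mapper 135, LDAP 389, SMB 445, kpasswd 464) is my assumption of the usual set rather than something stated in the post, and it does not cover the RPC dynamic port range; the domain name, account and computer name are placeholders.

```powershell
# Added example, not from the original post: pre-flight checks for the join requirements.
# Assumed port list (not from the post): DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd.
# The RPC dynamic range the join also uses is not probed here.
function Test-DomainJoinPrereqs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$ComputerName = $env:COMPUTERNAME,
        [int[]]$Ports = @(53, 88, 135, 389, 445, 464)
    )

    # 1. DC locator: the SRV record the client itself uses to find a DC for this domain.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
    $dc  = ($srv | Where-Object Type -eq 'SRV' | Sort-Object Priority, Weight | Select-Object -First 1).NameTarget
    if (-not $dc) { throw "No SRV record for _ldap._tcp.dc._msdcs.$DomainName; DC locator cannot work." }

    # 2. Connectivity: can we reach the join-relevant TCP ports on that DC?
    $portResults = foreach ($p in $Ports) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ Port = $p; Open = $ok }
    }

    # 3. Credentials: bind to RootDSE on that DC as the join account.
    #    GetNetworkCredential() exposes the password in clear text in this process; that is
    #    what DirectoryEntry needs, so keep the scope of $pass small.
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password
    $bindOK = $false; $bindError = $null; $defaultNc = $null
    try {
        $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$dc/RootDSE", $user, $pass
        $defaultNc = $root.Properties['defaultNamingContext'].Value   # first property read forces the bind
        $bindOK = $true
    } catch {
        $bindError = $_.Exception.Message    # e.g. bad password, or LDAP port blocked
    }

    # 4. Name uniqueness: is there already a computer account with this sAMAccountName?
    $existingDn = $null
    if ($bindOK) {
        $searchRoot = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$dc/$defaultNc", $user, $pass
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
        $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
        $hit = $searcher.FindOne()
        if ($hit) { $existingDn = $hit.Properties['distinguishedname'][0] }
    }
    Remove-Variable pass

    [pscustomobject]@{
        DomainController  = $dc
        Ports             = $portResults
        CredentialBindOK  = $bindOK
        BindError         = $bindError
        ExistingAccountDN = $existingDn
    }
}

# Usage (placeholder names):
# $cred = Get-Credential 'CONTOSO\joinadmin'
# Test-DomainJoinPrereqs -DomainName 'contoso.com' -Credential $cred -ComputerName 'CLIENT01'
```

A closed port or a failed bind points straight at the “connectivity” and “credentials” items above. An ExistingAccountDN is not by itself a failure: the join can reuse an existing account if the join credentials have rights to reset it, and an “Access is denied” in NETSETUP.LOG at the account-creation step is the usual symptom when they do not.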
And this is where this post ends, since it has the word short in the title. As always, let me know if you have questions or requests.