Score:1

Adding a machine to a domain fails with internal error


I've enabled WinRM, disabled the firewall, enabled remoting, applied GPOs for WinRM, enabled SMBv1 and completed updates first as troubleshooting, but I still get the error. I can ping the DC as well.

The error I get is:

    Add-Computer : Computer 'server2019' failed to join domain 'dev.domain.com' from its current workgroup 'WORKGROUP' with following error message: An internal error occurred.
    At line:1 char:1
    + Add-Computer -DomainName dev.domain.com -OUPath "OU=$OU,dc=dev,dc=domain,dc=com" ...
        + CategoryInfo          : OperationStopped: (server2019:String) [Add-Computer], InvalidOperationException
        + FullyQualifiedErrorId : FailToJoinDomainFromWorkgroup,Microsoft.PowerShell.Commands.AddComputerCommand

Here is the part of my script that does the join:

    param(
        # (parameters above this point are not shown in the post)
        [String]$OU,
        [PSCredential]$Credential
    )

    # Stop any transcript left running by an earlier session; ignore the
    # error if none is running
    $ErrorActionPreference = "SilentlyContinue"
    Stop-Transcript | Out-Null
    $ErrorActionPreference = "Continue"

    # Prompt for anything not passed as a parameter when run interactively
    if ([Environment]::UserInteractive) {
        if (!$OU) { $OU = Read-Host "Enter Resource Pool Name (exactly as appears in vCenter inventory)" }
        if (!$Credential) { $Credential = Get-Credential -Message "Enter dev domain credentials" }
    }

    # Add Computer to Dev domain
    try {
        Add-Computer -DomainName dev.domain.com -OUPath "OU=$OU,dc=dev,dc=domain,dc=com" -ErrorAction Stop -Credential $Credential
    }
    catch {
        Write-Warning "Failed to join to domain."
        Read-Host -Prompt "Press Enter to exit"
        Throw $_
    }


    PS C:\Windows\system32> nltest.exe /dsgetdc:dev.domain.com
               DC: \\devad02.dev.domain.com
          Address: \\10.1.214.29
         Dom Guid: ae3bef55-dd18-4598-b809-2058516e6ab1
         Dom Name: dev.domain.com
      Forest Name: dev.domain.com
     Dc Site Name: SITE
    Our Site Name: SITE
            Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10 0x20000
    The command completed successfully

Edit: Server Manager showed an error event for NetJoin with error code 1359. I tried running:

`nltest /dclist:MYDOMAIN` and got: `You don't have access to DsBind to dev.domain.com`

I also tried running: `nltest /server:UserSyncServer /sc_reset:domain\devdc` and got: `I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE`
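The checks below are an added example written for this question, not the poster's script. They cover, from the joining machine, the things the diagnostics above and the comments circle around: whether DNS can locate a DC through the same SRV record `nltest /dsgetdc` uses, whether the TCP ports a workgroup-to-domain join talks to are open on that DC (a closed 135 or 445 is what an `RPC_S_SERVER_UNAVAILABLE` 1722 usually means), how far the local clock is from the DC, and whether the DC answers an LDAP RootDSE bind before any credentials are involved. `dev.domain.com` is the question's domain; the function and result names are assumptions, and only built-in cmdlets are used.

```powershell
# Added example, not code from the original post. Run elevated on the machine
# that is about to join. Assumes only built-in cmdlets (no RSAT) and that the
# domain's DNS zone is resolvable; 'dev.domain.com' is the question's domain.
function Test-DomainJoinPrerequisites {
    param([string]$DomainName = 'dev.domain.com')

    $result = [ordered]@{}

    # 1. Locate a DC through the SRV record nltest /dsgetdc relies on, so a DNS
    #    problem surfaces before anything else is tested.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'SRV' } | Select-Object -First 1
    if (-not $srv) {
        $result['DC located via SRV'] = $false
        return [pscustomobject]$result
    }
    $dc = $srv.NameTarget
    $result['DC'] = $dc

    # 2. Ports a join needs on the DC: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB.
    #    A closed 135 or 445 matches the 1722 RPC_S_SERVER_UNAVAILABLE from sc_reset.
    foreach ($port in 53, 88, 135, 389, 445) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        $result["TCP $port"] = $t.TcpTestSucceeded
    }

    # 3. Clock offset against the DC. Kerberos tolerates 5 minutes by default,
    #    which is why the comments ask about time sync first.
    #    w32tm /stripchart /dataonly prints lines like "12:57:53, +00.0013458s".
    $sample = w32tm /stripchart "/computer:$dc" /samples:1 /dataonly 2>$null |
              Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
    if ($sample) {
        $offset = [math]::Abs([double]$sample.Matches[0].Groups[1].Value)
        $result['Clock offset (s)']   = $offset
        $result['Offset under 5 min'] = ($offset -lt 300)
    }

    # 4. Anonymous LDAP bind to RootDSE: proves the DC answers LDAP at all
    #    before the account used for the join comes into play.
    try {
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/RootDSE")
        $result['RootDSE naming context'] = [string]$root.Properties['defaultNamingContext'].Value
    } catch {
        $result['RootDSE reachable'] = $false
    }

    return [pscustomobject]$result
}

# Usage: review the output, then retry the join with -Verbose as suggested in the comments.
Test-DomainJoinPrerequisites -DomainName 'dev.domain.com' | Format-List
```

Each check is deliberately independent of the join credentials, so a failure here points at DNS, the network path, or time rather than at the account; if everything passes, the problem is on the AD side, which is where the thread ends up.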

djdomi: Most commands accept -Verbose; try that.

GregAskew: `nltest /dsgetdc:dev.domain.com`

rumplesmyboy: It just says `VERBOSE: Performing the operation "Join in domain 'dev.domain.com'" on target "server2019"` and then the rest of the error from the post.

rumplesmyboy: @GregAskew I do get a successful result from that. It shows the DC, address, dom name and GUID, site name and flags.

rumplesmyboy: @GregAskew posted in question

EvanAnderson: Silly question, but is the clock on the joining machine synced to your domain's time?

rumplesmyboy: @EvanAnderson it wasn't. I set the time by running a w32tm config. The source was originally Microsoft, but I still get the same results after restarting.

rumplesmyboy: @GregAskew I added some more detail from some other nltest commands.

GregAskew: Where is the PDC? Try `netdom query fsmo` from the DC or a command prompt on the endpoint that has network credentials for the domain.

EvanAnderson: At this point I'd run a packet capture from the joining computer and whatever it talks to during the join attempt. Odds are good the answer is in there, sadly.

rumplesmyboy: Not sure if it's relevant, but a domain admin account can join to the dev domain, but a regular user account that used to be able to cannot.

EvanAnderson: @rumplesmyboy - *That's* an interesting observation. By default non-Administrator users can add up to 10 computers to the domain (counted by using the ms-DS-CreatorSID attribute on computer objects). This can be changed (see https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/default-workstation-numbers-join-domain). Increase the limit and see if you can join the domain. If so we found your issue's cause. The GUI domain join returns a helpful error message for this. I don't know what 'Add-Computer' does. I could set up a lab to test this, admittedly, but I'm lazy.

rumplesmyboy: Unfortunately the attribute was set to 10000, so well below what my cloned user account has done. I am going to try capturing traffic as the error logs also indicate the same thing with Error 1359 trying to join.

EvanAnderson: @rumplesmyboy - Dang! I was feeling good about that one. Is there anything showing up in the Security Event Log on the DC servicing the join attempt? I'd turn on failure and success Directory Service access auditing and see what might hit the logs there too.

rumplesmyboy: @EvanAnderson Microsoft support recommended changing MsDS-SupportedEncryptionTypes to AES from RC4 on the domain controllers, but what worked for me was removing and re-adding the trust between DCs that was outgoing and forward transitive. Still not sure the actual cause but that seemed to work. Also not sure why an admin account would work but regular accounts wouldn't. Far cry from my usual Linux issues.
Answer, score 1:

Microsoft suggested changing the MsDS-SupportedEncryptionTypes to AES from RC4 on the domain controllers, but what worked for me was removing and re-adding the trust between DCs that was outgoing and forward transitive.
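The following is an added example, not the answerer's or the commenters' code, that puts the three AD-side explanations raised in this thread into read-only checks a domain admin can run before changing anything: the machine-account quota and per-user creator count EvanAnderson describes in the comments, the `msDS-SupportedEncryptionTypes` bitmask on each DC that Microsoft support pointed at, and the state of each trust that the accepted fix rebuilt. It needs the ActiveDirectory module (RSAT or a DC) and `netdom.exe`; `devad02.dev.domain.com` is the DC from the question's nltest output, while the function names, `$Server` and `$JoiningUser` are placeholders I chose.

```powershell
# Added example, not part of the original answer. Requires the ActiveDirectory
# module and netdom.exe, run under an account that can read the domain.
# $Server and $JoiningUser are placeholders; the DC name comes from the question.
Import-Module ActiveDirectory

# Why a non-admin can hit the default join limit: ms-DS-MachineAccountQuota on
# the domain head, counted against computers whose mS-DS-CreatorSID is the
# user's SID (only stamped on quota-based joins, not delegated ones).
function Get-JoinQuotaStatus {
    param([string]$Server, [string]$JoiningUser)
    $domain = Get-ADDomain -Server $Server
    $quota  = (Get-ADObject -Identity $domain.DistinguishedName -Server $Server `
                 -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    $sid    = (Get-ADUser -Identity $JoiningUser -Server $Server).SID.Value
    # SID-syntax attributes accept the S-1-5-... string form in an LDAP filter (assumed here).
    $created = @(Get-ADComputer -LDAPFilter "(mS-DS-CreatorSID=$sid)" -Server $Server)
    [pscustomobject]@{
        User         = $JoiningUser
        Quota        = $quota
        AlreadyUsed  = $created.Count
        QuotaReached = ($quota -gt 0 -and $created.Count -ge $quota)
    }
}

# msDS-SupportedEncryptionTypes on each DC, decoded. Bit values per MS-KILE:
# 1 DES_CBC_CRC, 2 DES_CBC_MD5, 4 RC4_HMAC, 8 AES128, 16 AES256.
function Get-DcEncryptionTypes {
    param([string]$Server)
    $bits = [ordered]@{ 1 = 'DES_CBC_CRC'; 2 = 'DES_CBC_MD5'; 4 = 'RC4_HMAC'; 8 = 'AES128'; 16 = 'AES256' }
    Get-ADDomainController -Filter * -Server $Server | ForEach-Object {
        $raw = (Get-ADComputer -Identity $_.ComputerObjectDN -Server $Server `
                  -Properties 'msDS-SupportedEncryptionTypes').'msDS-SupportedEncryptionTypes'
        $names = foreach ($b in $bits.Keys) { if ($raw -band $b) { $bits[$b] } }
        $typeText = if ($names) { $names -join ',' } else { '(unset: defaults apply)' }
        [pscustomobject]@{
            DC      = $_.HostName
            Raw     = $raw
            Types   = $typeText
            RC4Only = (($raw -band 28) -eq 4)   # RC4 set and neither AES bit set
        }
    }
}

# Every trust the domain holds, with direction and transitivity, plus a
# netdom /verify of the secure channel behind it (the part the answer rebuilt).
function Get-TrustStatus {
    param([string]$Server)
    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        $source = $_.Source
        $target = $_.Target
        $out = netdom trust $source "/domain:$target" /verify 2>&1 | Out-String
        [pscustomobject]@{
            Source           = $source
            Target           = $target
            Direction        = $_.Direction
            ForestTransitive = $_.ForestTransitive
            Verified         = ($LASTEXITCODE -eq 0)
            Detail           = $out.Trim()
        }
    }
}

# Usage (placeholder user; DC from the question):
Get-JoinQuotaStatus   -Server 'devad02.dev.domain.com' -JoiningUser 'someuser' | Format-List
Get-DcEncryptionTypes -Server 'devad02.dev.domain.com' | Format-Table -AutoSize
Get-TrustStatus       -Server 'devad02.dev.domain.com' | Format-Table -AutoSize
```

None of these functions write to the directory. `Get-JoinQuotaStatus` would have ruled the quota theory in or out without raising the limit; `Get-DcEncryptionTypes` shows whether a DC is advertising only RC4 before anyone edits the attribute; and `Get-TrustStatus` records the direction, transitivity and verification result of each trust so the state before and after a remove-and-re-add can be compared.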
