Join domain error

  • Question

  • I am having trouble with a domain join where the client is a server; I have already reinstalled it and it still fails to join the domain.

    The error:

    DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "ijb.com":

    The query was for the SRV record for _ldap._tcp.dc._msdcs.nyria1.com

    The following domain controllers were identified by the query:
    serverijb.ijb.com


    However no domain controllers could be contacted.

    Common causes of this error include:

    - Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.

    - Domain controllers registered in DNS are not connected to the network or are not running.

    Please advise, thank you.

    Friday, 21 August 2015 10.00

Answers

  • Hi arief_IJB

    Based on the latest results, try checking

    https://support.microsoft.com/en-us/kb/938449

    https://support.microsoft.com/en-us/kb/949048

    Check the troubleshooting steps below

    1. Verify network connectivity by checking the Network Interface Card (NIC) link lights on the rear of the server and ensure they are blinking.

    2. Verify the server can ping the domain controller by both computer name and IP address.

    3. Ensure the TCP/IPv4 DNS Preferred DNS server is the IP address of the domain controller.

    4. This error can be safely ignored if steps 1-3 are successful as the Netlogon service may have started prior to the networking being in a ready state. This condition causes the operating system to generate Event ID 5719 because the computer cannot contact a domain controller. However, the computer will be able to successfully contact a domain controller once the network is ready. This error is common when the computer is connected to the network using a virtual private network (VPN) and the VPN connection times out causing the computer to disconnect from the VPN.

    Or, if that still does not work, you can try again to remove the domain name, disjoin, then restart the server and client and re-join the domain.

    It does seem that there is metadata still left on the server, or a problem on the DNS settings side.

    I suggest checking the DNS settings again.

    Example case

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/22c1c571-72ab-4a92-b9cc-5f0361cb5486/join-windows-server-2008-in-to-a-domain?forum=winserverDS


    Andy Nugraha

    TechNet Community Support

    Monday, 07 September 2015 02.06
    Moderator

All Replies

  • Hi arief_IJB

    Could you share the version of the server operating system and of the client?

    Check on the client PC whether it points to the intended DNS server.

    Make sure the DNS server has the records on the domain controller, so that you can ping by name and by domain name.

    We await your reply.

    Thank you


    Andy Nugraha

    TechNet Community Support

    Tuesday, 25 August 2015 00.54
    Moderator
  • The OS is Windows Server 2008 R2 as the domain, and the client that fails to join the domain is a server with the same OS. DNS has been set and is correct, but the IPs of the client and the domain were made different: the domain uses network segment 3 while the failing client uses segment 2. Pinging by IP works, but by domain name it fails.
    Tuesday, 25 August 2015 11.35
  • Hi arief_IJB

    Try the following trick

    On the client PC remove TCP/IP v6, run Windows Update, then join the domain; disable the firewall and antivirus for the test.

    This problem can also occur because your domain is a single layer domain

    Note the following KB

    https://support.microsoft.com/en-us/kb/300684

    To enable an Active Directory domain member to use DNS to locate domain controllers in domains that have single-label DNS names that are in other forests, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    3. In the details pane, locate the AllowSingleLabelDnsDomain entry. If the AllowSingleLabelDnsDomain entry does not exist, follow these steps:
      1. On the Edit menu, point to New, and then click DWORD Value.
      2. Type AllowSingleLabelDnsDomain as the entry name, and then press ENTER.
    4. Double-click the AllowSingleLabelDnsDomain entry.
    5. In the Value data box, type 1, and then click OK.
    6. Exit Registry Editor.
    By default, Windows-based DNS client computers do not attempt dynamic updates of the root zone "." or of single-label DNS zones. To enable Windows-based DNS client computers to try dynamic updates of a single-label DNS zone, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters
    3. In the details pane, locate the UpdateTopLevelDomainZones entry. If the UpdateTopLevelDomainZones entry does not exist, follow these steps:
      1. On the Edit menu, point to New, and then click DWORD Value.
      2. Type UpdateTopLevelDomainZones as the entry name, and then press ENTER.
    4. Double-click the UpdateTopLevelDomainZones entry.
    5. In the Value data box, type 1, and then click OK.
    6. Exit Registry Editor.


    Andy Nugraha

    TechNet Community Support

    Wednesday, 26 August 2015 01.35
    Moderator
  • I have already edited the registry, but it still fails; is there another method? I tried installing on different physical hardware and joining the domain, and the result is still the same. The name of the server to be joined to the domain is APPSERVER; is there any indication that this name is stuck in ADAC ??
    Thursday, 27 August 2015 05.08
  • Hi arief_IJB

    Have you tried disabling TCP/IP IPv6 on the client PC?

    https://support.microsoft.com/en-us/kb/929852

    You can use a different name for the server as a test.

    Have you already checked whether all the ports are open?

    telnet/portqry to 88, 389, 445, 3268

    https://technet.microsoft.com/en-us/library/bb727063.aspx

    I also suggest trying to join the domain using the Offline Domain Join method (Djoin.exe)

    https://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396


    Andy Nugraha

    TechNet Community Support

    Thursday, 27 August 2015 07.24
    Moderator
  • I had not yet told the chronology of why the domain join fails with an error. This client is the server for Retail Store Connect for AX. Suddenly the Retail Store Connect service stopped and would not start; I tried restarting the server and it still would not start. Then I went to the domain server, deleted the server's name and removed it from the domain, but I failed to rejoin it. I then reinstalled the server and joined again; the result was that it could join, but with an error notification like the one in my first post.

    Now I have done an offline domain join and it has joined the domain, but in terms of the network connection the domain still does not appear: the network scheme is "appserver-network-internet" when it should be "appserver-nyria1.com-internet". I also tested registering a remote user and I cannot select the domain; the only one available is the local domain APPSERVER. Is there something stuck and not released in ADCD? If I try using a different name the problem is the same, but if I do it on different physical hardware the domain join has no problem.

    Thursday, 27 August 2015 12.10
  • Hi arief_IJB

    How did you delete the server name?

    Have you tried removing the metadata on the server?

    https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

    Try checking the log at: %windir%\debug\Netsetup.log

    https://support.microsoft.com/en-us/kb/2008652

    Is there any error about the trust relationship when you try to re-join the server to the domain?

    https://support.microsoft.com/en-us/kb/162797


    Andy Nugraha

    TechNet Community Support

    Monday, 31 August 2015 03.51
    Moderator
  • I clicked the computer name and chose delete in Active Directory Users and Computers, and also in DNS Manager; I even deleted it in ADSI.msc as well. I also checked Event Viewer for errors related to appserver:

    The session setup from computer 'APPSERVER' failed because the security database does not contain a trust account 'APPSERVER$' referenced by the specified computer.  

    USER ACTION  
    If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and 'APPSERVER$' is a legitimate machine account for the computer 'APPSERVER' then 'APPSERVER' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise, the following steps may be taken to resolve this problem:  

    If 'APPSERVER$' is a legitimate machine account for the computer 'APPSERVER', then 'APPSERVER' should be rejoined to the domain.  

    If 'APPSERVER$' is a legitimate interdomain trust account, then the trust should be recreated.  

    Otherwise, assuming that 'APPSERVER$' is not a legitimate account, the following action should be taken on 'APPSERVER':  

    If 'APPSERVER' is a Domain Controller, then the trust associated with 'APPSERVER$' should be deleted.  

    If 'APPSERVER' is not a Domain Controller, it should be disjoined from the domain.


    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server appserver$. The target name used was cifs/APPSERVER.nyria1.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (NYRIA1.COM) is different from the client domain (NYRIA1.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    DCOM was unable to communicate with the computer APPSERVER using any of the configured protocols.
    The session setup from the computer APPSERVER failed to authenticate. The following error occurred:
    Access is denied.

    and the log:

    08/27/2015 17:01:42:951     OS Version: 6.1
    08/27/2015 17:01:42:951     Build number: 7601 (7601.win7sp1_rtm.101119-1850)
    08/27/2015 17:01:42:951     ServicePack: Service Pack 1
    08/27/2015 17:01:42:967     SKU: Windows Server 2008 R2 Standard
    08/27/2015 17:01:42:967 NetProvisionComputerAccount:
    08/27/2015 17:01:42:967     lpDomain: nyria1
    08/27/2015 17:01:42:967     lpMachineName: APPSERVER
    08/27/2015 17:01:42:967     lpMachineAccountOU: (NULL)
    08/27/2015 17:01:42:967     lpDcName: (NULL)
    08/27/2015 17:01:42:967     dwOptions: 0x0
    08/27/2015 17:01:42:967 NetProvisionComputerAccount: requesting text encoded blob
    08/27/2015 17:01:42:978 NetpDsGetDcName: trying to find DC in domain 'nyria1', flags: 0x40001010
    08/27/2015 17:01:57:983 NetpDsGetDcName: failed to find a DC having account 'APPSERVER$': 0x525, last error is 0x3e5
    08/27/2015 17:01:57:984 NetpDsGetDcName: found DC '\\NB-AXTemp.nyria1.com' in the specified domain
    08/27/2015 17:01:58:040 NetpLdapBind: Verified minimum encryption strength on NB-AXTemp.nyria1.com: 0x0
    08/27/2015 17:01:58:040 NetpLdapGetLsaPrimaryDomain: reading domain data
    08/27/2015 17:01:58:040 NetpGetNCData: Reading NC data
    08/27/2015 17:01:58:041 NetpGetDomainData: Lookup domain data for: DC=nyria1,DC=com
    08/27/2015 17:01:58:041 NetpGetDomainData: Lookup crossref data for: CN=Partitions,CN=Configuration,DC=nyria1,DC=com
    08/27/2015 17:01:58:044 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
    08/27/2015 17:01:58:061 NetpGetComputerObjectDn: Cracking DNS domain name nyria1.com/ into Netbios on \\NB-AXTemp.nyria1.com
    08/27/2015 17:01:58:062 NetpGetComputerObjectDn: Crack results:     name = NYRIA1\
    08/27/2015 17:01:58:062 NetpGetComputerObjectDn: Cracking account name NYRIA1\APPSERVER$ on \\NB-AXTemp.nyria1.com
    08/27/2015 17:01:58:062 NetpGetComputerObjectDn: Crack results:     Account does not exist
    08/27/2015 17:01:58:062 NetpGetComputerObjectDn: Cracking Netbios domain name NYRIA1\ into root DN on \\NB-AXTemp.nyria1.com
    08/27/2015 17:01:58:062 NetpGetComputerObjectDn: Crack results:     name = DC=nyria1,DC=com
    08/27/2015 17:01:58:064 NetpGetComputerObjectDn: Got DN CN=APPSERVER,CN=Computers,DC=nyria1,DC=com from the default computer container
    08/27/2015 17:01:58:064 NetpModifyComputerObjectInDs: Initial attribute values:
    08/27/2015 17:01:58:064         objectClass  =  Computer
    08/27/2015 17:01:58:064         SamAccountName  =  APPSERVER$
    08/27/2015 17:01:58:064         userAccountControl  =  0x1000
    08/27/2015 17:01:58:064         DnsHostName  =  APPSERVER.nyria1.com
    08/27/2015 17:01:58:064         ServicePrincipalName  =  HOST/APPSERVER.nyria1.com  RestrictedKrbHost/APPSERVER.nyria1.com  HOST/APPSERVER  RestrictedKrbHost/APPSERVER
    08/27/2015 17:01:58:064         unicodePwd  =  <SomePassword>
    08/27/2015 17:01:58:065 NetpModifyComputerObjectInDs: Computer Object does not exist in OU
    08/27/2015 17:01:58:065 NetpModifyComputerObjectInDs: Attribute values to set:
    08/27/2015 17:01:58:065         objectClass  =  Computer
    08/27/2015 17:01:58:065         SamAccountName  =  APPSERVER$
    08/27/2015 17:01:58:065         userAccountControl  =  0x1000
    08/27/2015 17:01:58:065         DnsHostName  =  APPSERVER.nyria1.com
    08/27/2015 17:01:58:065         ServicePrincipalName  =  HOST/APPSERVER.nyria1.com  RestrictedKrbHost/APPSERVER.nyria1.com  HOST/APPSERVER  RestrictedKrbHost/APPSERVER
    08/27/2015 17:01:58:065         unicodePwd  =  <SomePassword>
    08/27/2015 17:01:58:235 NetpEncodeProvisioningBlob: Encoding provisioning data
    08/27/2015 17:01:58:236 NetpInitBlobWin7: Constructing blob...
    08/27/2015 17:01:58:236 Blob version: 1
    08/27/2015 17:01:58:236     lpDomain: nyria1
    08/27/2015 17:01:58:236     lpMachineName: APPSERVER
    08/27/2015 17:01:58:236     lpMachinePassword: <omitted from log>
    08/27/2015 17:01:58:236    DomainDnsPolicy:
    08/27/2015 17:01:58:236        Name: NYRIA1
    08/27/2015 17:01:58:236        DnsDomainName: nyria1.com
    08/27/2015 17:01:58:236        DnsForestName: nyria1.com
    08/27/2015 17:01:58:236        DomainGuid: b5d63064-5c50-41dd-a742-09ad3cdfecbd
    08/27/2015 17:01:58:236        Sid: S-1-5-21-122365211-851232625-720897731
    08/27/2015 17:01:58:236    DcInfo:
    08/27/2015 17:01:58:236        DomainControllerName: \\NB-AXTemp.nyria1.com
    08/27/2015 17:01:58:236        DomainControllerAddress: \\192.168.3.200
    08/27/2015 17:01:58:236        DomainControllerAddressType: 1
    08/27/2015 17:01:58:236        DomainGuid: b5d63064-5c50-41dd-a742-09ad3cdfecbd
    08/27/2015 17:01:58:236        DomainName: nyria1.com
    08/27/2015 17:01:58:236        DnsForestName: nyria1.com
    08/27/2015 17:01:58:236        Flags: 0xe00033fd
    08/27/2015 17:01:58:236        DcSiteName: Default-First-Site-Name
    08/27/2015 17:01:58:236        ClientSiteName: Default-First-Site-Name
    08/27/2015 17:01:58:236     Options: 0x0
    08/27/2015 17:01:58:236 NetpInitBlobWin7: Blob pickling result: 0
    08/27/2015 17:01:58:236 NetpEncodeProvisioningBlob: result: 0x0
    08/27/2015 17:01:58:236 NetpProvisionComputerAccount: Base64Encode returned ptr: 000000000038EE60 GLE: 0x0
    08/27/2015 17:01:58:236 ldap_unbind status: 0x0
    08/27/2015 17:01:58:236 NetProvisionComputerAccount: status: 0x0

    Monday, 31 August 2015 11.44
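
An added example, not part of the original thread: one way to pull the status codes out of a Netsetup.log like the one posted above, keeping them apart from flag bit masks and naming the Win32 codes that appear in this thread. The function names and the list of phrases treated as introducing a status code are assumptions of this example.

```python
import re

# Win32 error codes that appear in this thread (names from winerror.h).
WIN32_NAMES = {
    0x000: "ERROR_SUCCESS",
    0x3E5: "ERROR_IO_PENDING",
    0x51F: "ERROR_NO_LOGON_SERVERS",
    0x525: "ERROR_NO_SUCH_USER",
}

# Timestamp, then the first word of the entry (normally the function name).
HEAD = re.compile(r"^\s*(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d:\d{3})\s+(\w+)")
# A hex value counts as a status code only after these phrases (assumed list);
# "flags:" and attribute values such as userAccountControl are bit masks.
CODE = re.compile(
    r"(?:\b(?:status|GLE|result[^:]*|failed[^:]*):\s*|last error is\s+)"
    r"(0x[0-9a-fA-F]+)"
)

# Excerpt copied from the Netsetup.log lines posted above.
SAMPLE = r"""
08/27/2015 17:01:42:978 NetpDsGetDcName: trying to find DC in domain 'nyria1', flags: 0x40001010
08/27/2015 17:01:57:983 NetpDsGetDcName: failed to find a DC having account 'APPSERVER$': 0x525, last error is 0x3e5
08/27/2015 17:01:57:984 NetpDsGetDcName: found DC '\\NB-AXTemp.nyria1.com' in the specified domain
08/27/2015 17:01:58:040 NetpLdapBind: Verified minimum encryption strength on NB-AXTemp.nyria1.com: 0x0
08/27/2015 17:01:58:062 NetpGetComputerObjectDn: Crack results:     Account does not exist
08/27/2015 17:01:58:236 NetpEncodeProvisioningBlob: result: 0x0
08/27/2015 17:01:58:236 ldap_unbind status: 0x0
08/27/2015 17:01:58:236 NetProvisionComputerAccount: status: 0x0
"""


def status_codes(log_text):
    """Return (timestamp, function, code, name) for every status code found."""
    found = []
    for line in log_text.splitlines():
        head = HEAD.match(line)
        if not head:
            continue  # blank line or wrapped text without a timestamp
        for hit in CODE.finditer(line, head.end()):
            code = int(hit.group(1), 16)
            name = WIN32_NAMES.get(code, "unknown")
            found.append((head.group(1), head.group(2), code, name))
    return found


def nonzero(log_text):
    """Only the entries whose status code is not 0x0."""
    return [entry for entry in status_codes(log_text) if entry[2] != 0]


def final_status(log_text, function="NetProvisionComputerAccount"):
    """Last status code logged by the given function, or None."""
    codes = [code for _, fn, code, _ in status_codes(log_text) if fn == function]
    return codes[-1] if codes else None


if __name__ == "__main__":
    for stamp, fn, code, name in nonzero(SAMPLE):
        print("%s %s 0x%x %s" % (stamp, fn, code, name))
    print("provisioning status: %r" % final_status(SAMPLE))
```

On this excerpt the only non-zero codes come from the lookup for a DC that already holds the APPSERVER$ account, while the provisioning call itself ends with status 0x0.
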
  • Hi

    Try running through the following KB

    https://support.microsoft.com/en-us/kb/810977

    We await your reply.


    Andy Nugraha

    TechNet Community Support

    Tuesday, 01 September 2015 10.00
    Moderator
  • I have done it; in ADSI the computer has value = 130856382502408710, I converted it = 1D0E52F0 C3A61206, then I tested it but it is not the same as the one in ADSI:

    C:\Users\Administrator>nltest /time:01D0E52F C3A61206
    01d0e52f c3a61206 = 5/12/16097 1177:00:50
    The command completed successfully

    whereas in ADSI: 9/2/2015 10:30:50 AM

    I tried and got as far as this step:

    C:\Users\Administrator>nltest /server:appserver /sc_query:nyria1.com
    Flags: 0
    Trusted DC Name
    Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
    The command completed successfully

    but the result is not the same as the one in https://support.microsoft.com/en-us/kb/810977

    I checked Event Viewer on appserver:

    This computer could not authenticate with \\NB-AXTemp.nyria1.com, a Windows domain controller for domain NYRIA1, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

    Log Name:      System
    Source:        NETLOGON
    Date:          9/2/2015 12:24:59 PM
    Event ID:      5719
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      APPSERVER.nyria1.com
    Description:
    This computer was not able to set up a secure session with a domain controller in domain NYRIA1 due to the following:
    There are currently no logon servers available to service the logon request.
    This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

    ADDITIONAL INFO
    If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

    • Edited by arief_IJB Wednesday, 02 September 2015 06.21 revision
    Wednesday, 02 September 2015 06.13
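
The decimal value quoted in the post above is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC). This added example, not part of the original thread, converts it to a date and prints the two 32-bit halves in the order `nltest /time` reads them, least-significant half first; the function names are this example's own and the UTC+7 local offset is an assumption.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ADSI_VALUE = 130856382502408710  # decimal value quoted in the post above


def filetime_to_utc(ticks):
    """Convert 100-nanosecond ticks since 1601-01-01 UTC to a datetime."""
    if not 0 <= ticks < 1 << 63:
        raise ValueError("not a valid FILETIME: %#x" % ticks)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def split_dwords(ticks):
    """Return the (high, low) 32-bit halves as 8-digit hex strings."""
    return "%08X" % (ticks >> 32), "%08X" % (ticks & 0xFFFFFFFF)


def nltest_time_command(ticks):
    """Build the nltest call: /time takes the low half first, then the high."""
    high, low = split_dwords(ticks)
    return "nltest /time:%s %s" % (low, high)


def value_seen_by_nltest(first_hex, second_hex):
    """Rebuild the 64-bit value from operands read as <low> <high>."""
    return (int(second_hex, 16) << 32) | int(first_hex, 16)


def describe(ticks, utc_offset_hours=7):
    """Summarise one value; utc_offset_hours=7 is an assumed local zone."""
    utc = filetime_to_utc(ticks)
    local = utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return {
        "utc": utc.isoformat(),
        "local": local.isoformat(),
        "command": nltest_time_command(ticks),
    }


if __name__ == "__main__":
    print(describe(ADSI_VALUE))
    # Operands in high-then-low order describe a different 64-bit number.
    swapped = value_seen_by_nltest("01D0E52F", "C3A61206")
    print("swapped operands: %#x, valid FILETIME: %s"
          % (swapped, swapped < 1 << 63))
```

With the halves in low-then-high order the value round-trips to the same decimal number and to 10:30:50 local time at UTC+7, the time the ADSI display shows.
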
  • Hi arief_IJB

    Is there any update on this issue?


    Andy Nugraha

    TechNet Community Support

    Thursday, 10 September 2015 02.21
    Moderator
  • Mr. Andy

    This case is still unsolved, even though DNS has been set up again on the AD server. I have given up on this problem; thank you for your help, Mr. Andy.

    Monday, 14 September 2015 08.08