none
Certain machine names cannot join the domain - access denied

    Question

  • I have an unusual and rather annoying problem in our domain.  I have certain machine names which cannot join the domain.  When I try and join the domain it fails with access denied.  If I rename the machine to something else, I can join the domain just fine.  If I install a fresh copy of the OS and give the machine one of these names, the machine will fail to join the domain.  So there's nothing wrong with the machine, there's something wrong in AD.

    I suspect one or both of the follow is the problem.
    1) There are orphaned entries in our AD somewhere.  I've looked for any such entries but I can't find them.
    2) The account I'm using the join the machines to the domain lacks one or more privileges.  I suspect it lacks permissions to delete certain entries when readding a machine to the domain.

    So the questions are, how do I find orphaned entries and/or what privileges do I need to add.


    I found KB330095 (http://support.microsoft.com/kb/330095) which seems to describe my problem to a T.  The first workaround is to rename the machine, and while this works, this is avoiding the problem not solving it.  The second solution is to force an AD replication.  This had no effect.  The third solution is to use a domain admin for the domain join.  I've confirmed this works, but I can't bother the admin every time I need to add a machine to the domain (I reinstall approx. 10 machines per week).  The last solution is to add additional privileges into AD.  This did not work.


    Thanks for any help!

    Brian

    Thursday, July 3, 2008 2:54 PM

Answers

  • Hi Brian,

    it would appear that the account you are using to join the computers to the domain lack the necessary privileges to modify already existing computer objects. Also note that a computer object is not deleted and then recreated when you are joining a computer with a name that matches said computer object. You can verify this by comparing the objectGuid attribute on the computer object in question before and after a rejoin.

    My test environment for this was Active Directory running on Windows Server 2008 (2008 functional level)

    What happens when you rejoin a machine is the following

    • the password on the already existing computer object is reset (modified attributes: unicodepwd, ntpwdhistory, dbcspwd, lmpwdhistory, pwdlastset, supplementalcredentials)
    • the computer object is enabled (modified attributes: userAccountControl - disable account bit cleared)

    As for the exact privileges required I'm sad to say that I currently can't state them. The documentation I've found so far suggests the easy way out by allowing write operations to all attributes. The above mentioned list of modified attributes should serve as a decent hint as to what is actually required.

    ps: Orphaned objects can be found in the LostAndFound container for your naming context. Enabled the Advanded Features in Active Directory Users and Computers which can be found in the menu under View.

    Thursday, July 3, 2008 10:46 PM