Domain Join operation was not successful. Access Denied !

  • Question

  • Hello,

    I am facing a weird problem while adding a Server to our domain.

    I get the following error message:

    "The join operation was not successful. This could be because an existing computer account having the name xxxx was previously created using a different set of credentials. Use a different computer name or contact your administrator to remove any stale conflicting account. The error was: Access is denied."

    Environment: Windows Server 2008 Ent 64 bit SP2.

    Though I am not the Domain Admin, I do have Account Operator rights across the forest/domain.

    I tried following things but in vain:

    Disabled firewall and tried to join server to the domain, no luck.

    Changed the host name of the server, took a reboot and tried to join the machine to the domain however, I still get same error.

    I could see a machine account created in AD with the host name specified by me (I am damn sure it wasn't there before), deleted the account from the domain and made sure that any DNS records that existed in all our GCs were removed. When I repeated the procedure, the account got created in AD but I got the aforementioned error.

    Later on, I recreated a machine account in AD and gave rights to my domain account to join on to the domain and tried adding the machine to the domain however, issue still persists.

    This Server is a VM and it was deployed from a VM template. Initially I thought it could be due to SID duplication, I ran sysprep on the problematic server and rebooted but I still get same error message.

    Finally, I requested my domain admin to join this server to the domain however, no luck at all, we are back at square one !

    The only option I have is to rebuild the server but I don't wish to do that at present.

    Any inputs on this issue would be really appreciated.

    Thanks


    Thanks, Santosh (MCTS W2K8 AD and SCCM) “ To Infinity and Beyond… ”
    Thursday, June 2, 2011 7:30 AM

Answers

  • Meinolf- The KB article is really helpful. Thanks.

    But, when my domain admin tried to join this server even he received the "access denied error". 

    Finally, I and my team came to a conclusion that, we need to recreate the VM template discarding existing one. Surprisingly, we have been using the existing VM template since long time but never came across such an issue before.

    STRANGE but TRUE !


    Thanks, Santosh (MCTS W2K8 AD and SCCM) “ To Infinity and Beyond… ”
    Friday, June 3, 2011 9:20 AM

All replies

  • Refer to http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx regarding delegating the right (and setting appropriate permissions) when precreating computer accounts and joining them to the domain

    hth
    Marcin

    Thursday, June 2, 2011 11:05 AM
  • Can you check the Event logs on both the server and dc to see if you are getting any specific errors?

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, June 2, 2011 11:46 AM
  • Did you pre-create this account? It seems like you have assigned “joined this computer” rights to some other accounts other than the default value. Delete the existing pre-created object and try joining the server. Or pre-create this account and assign “joined this computer” rights to your account.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    Thursday, June 2, 2011 1:39 PM
  • @Marcin - I reverified on Account Operator Rights as suggested, my domain account has rights to create, modify and delete user/computer/groups /OU across the forest/domain. I am pretty sure about it.

    @Paul - I could see some errors and a warning however I assume that, those wouldn't be the bottlenecks. Following are the event details:

    56      Error       TermDD

    1111   Error       TerminalServices-Printers

    7024   Error       Service Control Manager Eventlog Provider

    134    Warning   Time-Service

    @Santhosh - I followed your suggestion but no luck :-(

    I even verified DNS settings, they all are correct,  I can ping my nearest GC's as well.


    Thanks, Santosh (MCTS W2K8 AD and SCCM) “ To Infinity and Beyond… ”

    Thursday, June 2, 2011 6:28 PM
  • Post

    - output of IPCONFIG /ALL from the computer you are trying to domain join
    - output of IPCONFIG /ALL from its primary DNS server (assuming you are using AD-integrated DNS)
    - content of NetSetup.log (%windir%\debug) from the computer you are trying to domain join

    hth
    Marcin

    Friday, June 3, 2011 12:08 AM
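    An added example, not part of the original thread or any poster's code: a small Python triage of the NetSetup.log requested above, which groups the log into join attempts and reports the first step that returned a non-zero status. The log lines are a constructed sample in the NetSetup.log layout (host and DC names are made up), and the names `parse_attempts` and `triage` are hypothetical.

```python
import re

# Status codes that commonly appear in NetSetup.log (winerror.h / lmerr.h values).
STATUS_NAMES = {
    0x0: "SUCCESS",
    0x5: "ERROR_ACCESS_DENIED",
    0x52E: "ERROR_LOGON_FAILURE",
    0x54B: "ERROR_NO_SUCH_DOMAIN",
    0x8B0: "NERR_UserExists",
}

# Each record is "MM/DD/YYYY HH:MM:SS:mmm <message>".
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3})\s+(.*)$")
# A step result is "<Function>: <what was attempted>: 0x<status>".
STEP_RE = re.compile(r"^(?P<func>\w+):\s*(?P<detail>.*?)\s*(?P<code>0x[0-9a-fA-F]+)$")

# Constructed sample, not taken from the thread; SRV-EXAMPLE and DC-EXAMPLE are made up.
SAMPLE_LOG = r"""
06/03/2011 01:20:10:101 NetpDoDomainJoin
06/03/2011 01:20:10:117 NetpMachineValidToJoin: status: 0x0
06/03/2011 01:20:10:117 NetpJoinDomain
06/03/2011 01:20:10:117     Machine: SRV-EXAMPLE
06/03/2011 01:20:10:117     Domain: primary.company.com
06/03/2011 01:20:10:398 NetpJoinDomain: status of connecting to dc '\\DC-EXAMPLE': 0x0
06/03/2011 01:20:10:554 NetpManageMachineAccountWithSid: NetUserAdd on '\\DC-EXAMPLE' for 'SRV-EXAMPLE$' failed: 0x8b0
06/03/2011 01:20:10:601 NetpManageMachineAccountWithSid: status of attempting to set password on '\\DC-EXAMPLE' for 'SRV-EXAMPLE$': 0x5
06/03/2011 01:20:10:632 NetpJoinDomain: status of creating account: 0x5
06/03/2011 01:20:10:648 NetpDoDomainJoin: status: 0x5
"""


def parse_attempts(text):
    """Split the log into join attempts and collect every step that reports a status."""
    attempts, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        if msg == "NetpDoDomainJoin":  # bare header line opens a new attempt
            current = {"started": ts, "steps": []}
            attempts.append(current)
            continue
        step = STEP_RE.match(msg)
        if current is not None and step:
            code = int(step["code"], 16)
            current["steps"].append({
                "time": ts, "func": step["func"], "code": code,
                "detail": step["detail"].rstrip(": "),
                "name": STATUS_NAMES.get(code, hex(code)),
            })
    return attempts


def triage(attempt):
    """Return the overall result, the first failing step and a hint for a known pattern."""
    failures = [s for s in attempt["steps"] if s["code"] != 0]
    final = next((s for s in reversed(attempt["steps"])
                  if s["func"] == "NetpDoDomainJoin"), None)
    names = [s["name"] for s in failures]
    hint = None
    if "NERR_UserExists" in names and "ERROR_ACCESS_DENIED" in names:
        hint = ("computer account already exists and the joining user could "
                "not reset its password: check the ACL on that object")
    return {
        "result": final["name"] if final else "incomplete",
        "first_failure": failures[0] if failures else None,
        "hint": hint,
    }


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(a["started"], triage(a), sep="\n  ")
```

    Point it at the contents of %windir%\debug\NetSetup.log instead of SAMPLE_LOG; status codes missing from STATUS_NAMES are reported as raw hex.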
  • IPCONFIG /ALL from Problematic Server

    C:\Users\Administrator>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : PL1VW253
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter CFN:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
       Physical Address. . . . . . . . . : 00-50-56-9C-01-03
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 8.19.83.107(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.224
       Default Gateway . . . . . . . . . : 8.19.83.97
       DNS Servers . . . . . . . . . . . : 8.10.169.5
                                           8.10.169.6
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter BEAN:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
       Physical Address. . . . . . . . . : 00-50-56-9C-01-04
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.206.5.72(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.240.0
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 8:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{C29C0D93-A819-4015-99EC-5165EEB31B2E}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{606F8430-D647-4E50-BCFE-AC1851BD545B}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 11:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : 6TO4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:813:536b::813:536b(Preferred)
       Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
       DNS Servers . . . . . . . . . . . : 8.10.169.5
                                           8.10.169.6
       NetBIOS over Tcpip. . . . . . . . : Disabled

    IPCONFIG /ALL from its primary DNS server

    C:\Documents and Settings\santosh>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : pl1wk001
       Primary Dns Suffix  . . . . . . . : primary.company.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : primary.company.com
                                           nwp.primary.company.com
                                           ricoh.primary.company.com
                                           dairygold-aod.primary.company.com
                                           holly-aod.primary.company.com
                                           gfoundries-aod.primary.company.com
                                           company.com

    Ethernet adapter CFN Team:

       Connection-specific DNS Suffix  . : primary.company.com
       Description . . . . . . . . . . . : BASP Virtual Adapter
       Physical Address. . . . . . . . . : 00-10-18-14-F7-85
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 8.10.169.5
       Subnet Mask . . . . . . . . . . . : 255.255.255.224
       Default Gateway . . . . . . . . . : 8.10.169.1
       DNS Servers . . . . . . . . . . . : 8.10.169.5
                                           8.10.169.6

    NetSetup.log

    http://cid-552a7687a1b2c162.office.live.com/browse.aspx/Net%5E_Logs?uc=1

     

    P.S. I have replaced the actual domain name with equivalents i.e. abc.xyz.com to primary.company.com


    Thanks, Santosh (MCTS W2K8 AD and SCCM) “ To Infinity and Beyond… ”
    Friday, June 3, 2011 1:34 AM
  • If you disable the Ethernet "Bean" adaptor (10.06.5.72), does it work?

    You mentioned that you've Sysprepped the image thinking the template was a dupe. Did the Sysprep run correctly? Did you set it for "Out of Box Experience?" If you were to install it from scratch, does it work?

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Friday, June 3, 2011 4:01 AM
  • I disabled BEAN NIC and tried to join the server on to the domain, operation fails again.

    Sysprep went on smoothly without any errors. Yes, I did set Sysprep for " OOBE", "Generalise" and "Reboot".

    It seems, the only option I have now is to reinstall the OS from ISO rather than using the VM template.

     

     


    Thanks, Santosh (MCTS W2K8 AD and SCCM) “ To Infinity and Beyond… ”
    Friday, June 3, 2011 5:38 AM
  • Did you sysprep the image properly ? There may be SID issue...

    Did you try adding any other machine to the domain with the same credentials ?

    Another thing you might try is to keep the time and timezone of the client machine same as of the domain controller

    Did you try changing the computer name to something new ?

     


    Regards Rahul A
    Friday, June 3, 2011 5:48 AM
  • As I mentioned, Sysprep was done properly and I could not see any errors.

    Yes, I did try adding a couple of new machines on to the domain and everything went fine.

    I even tried keeping the timezone the same as the domain controller but no luck at all.

    I changed the host name of the machine to something new and tried joining on to the domain but still I get the error message.


    Thanks, Santosh (MCTS W2K8 AD and SCCM) “ To Infinity and Beyond… ”
    Friday, June 3, 2011 6:42 AM
  • I still think that this might be a SID issue. You may try to create a new SID using NewSid or would need to sysprep again... (New Sid is no longer supported by microsoft but you could try it for verification)

    Some more questions,

    Are you trying to add the machine without creating an AD account ?

    Are you getting the welcome to the new domain message or an error before that ?

    Are you getting a new computer account created after adding it ? If yes, try resetting it and readding it.

    If you are trying to add the machine after creating the account try the other way ?

     


    Regards Rahul A
    Friday, June 3, 2011 7:36 AM
  • Sysprep throws error message this time as it was executed once before on the same machine.

    Are you trying to add the machine without creating an AD account ? Yes. I tried both the options: pre-created account and joining the machine without an existing machine account.

    Are you getting the welcome to the new domain message or an error before that ?  I get only the error and not the "welcome message" but surprisingly the machine account shows in AD Users and Computers ( this is when I try to join a machine with a new host name )

    Are you getting a new computer account created after adding it ? If yes, try resetting it and readding it. Tried everything but no use.

    If you are trying to add the machine after creating the account try the other way ? Tried everything but no use.

    I am done on this... I am going ahead and rebuilding this problematic Server as I need to release this server for production on priority.

    Anyways, Thanks All for your inputs.

     


    Thanks, Santosh (MCTS W2K8 AD and SCCM) “ To Infinity and Beyond… ”
    Friday, June 3, 2011 8:22 AM
  • Hello,

    please have a look into: http://support.microsoft.com/kb/932455


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Friday, June 3, 2011 9:00 AM
  • I'm having the same issue , Please check the permissions you are trying to add ..that fixed my problem.

    http://networkadminkb.com/KB/a238/how-to-overcome-issues-related-to-specific-users-adding.aspx

    http://networkadminkb.com/KB/a75/how-to-allow-specific-users-to-add-workstations-to-domain.aspx#

    Tuesday, February 21, 2012 11:01 PM
  • Pradeep, it was a long gone issue ! Thanks for the suggestion though :)


    Most of the downtime's are caused because of SysAdmin's curiosity ! - Santosh

    Tuesday, February 21, 2012 11:34 PM
  • I know this is an old post - but I am having this issue about 50% of the time when joining clients to the domain.

    They are always reimaged machines and deleting them from ad resolves the issue but would like to find the real cause and fix.


    GO TEAM VENTURE!!!

    Wednesday, March 19, 2014 3:20 PM
  • I know this is an old post - but I am having this issue about 50% of the time when joining clients to the domain.

    They are always reimaged machines and deleting them from ad resolves the issue but would like to find the real cause and fix.


    GO TEAM VENTURE!!!

    Are you using templates like Santosh Bhandarkar was using but found that he had to delete and recreate the template?

    Are the admins that are having this error, Domain Administrators, or admins that have been delegated rights to join a machine, but can't delete computer accounts in the domain? If yes, see Meinolf's Microsoft KB link he posted Friday, June 03, 2011 9:00 AM EST.


    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, March 20, 2014 3:45 AM
  • Hi Venture Bros,

    I understand that you have a similar issue to the one Santosh posted on June 03, 2011. And as you said, this is an old post. I suggest you create a new post to get the most qualified responses not only from us but also from other experienced partners or MVPs:

     http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverDS

    Regards,

    Lany Zhang

    Thursday, March 20, 2014 6:56 AM
  • I had a similar issue with the Access Denied when trying to join a domain.  There were some local security settings that were preventing me from adding the computer.

    I ran secedit /configure /cfg %windir%\repair\secsetup.inf /db /secsetup.sdb /verbose

    to clear those settings and was able to join the domain.

    Tuesday, May 6, 2014 5:31 PM
  • I know this is a REALLY old thread, but I've encountered this issue before, and an easy way I've resolved the problem was to create/add the computer object to the domain (using ADUC in RSAT) BEFORE joining it, and then when you try the join again, it should succeed. Hopefully this will help others in the future.  
    Thursday, February 26, 2015 3:15 PM
  • If the fix were that simple we wouldn't all be here.
    Monday, May 11, 2015 8:53 PM
  • I know this is a REALLY old thread, but I've encountered this issue before, and an easy way I've resolved the problem was to create/add the computer object to the domain (using ADUC in RSAT) BEFORE joining it, and then when you try the join again, it should succeed. Hopefully this will help others in the future.  
    This worked for me :)
    Thursday, May 21, 2015 10:08 AM
  • Old microsoft bugs never die I guess.  Hah.

    I have this same issue happening sporadically.  Our helpdesk removes the machines from the domain, re-images, and then joins and they get this error.  There is no object in AD.  Pre-staging didn't help.  No one can add the machine.

    However if we wait, it eventually works.  My DFSr AD replication SEEMS to be fine.  The following link has an intriguing process to determine the solution, which I will try soon.

    https://chentiangemalc.wordpress.com/2012/07/27/case-of-the-domain-join-failure/

    Wednesday, July 22, 2015 5:20 PM

  • I resolved the problem by simply doing these steps in my Windows7 virtual machine copied from a virtual machine template repository...

    Step One:

    You will need to execute the command below before starting the two steps that follow, after you first receive the message ‘Access Denied’ when trying to join your company’s domain. There were some local security settings that were preventing you from adding the computer to the domain. You can run the command…

    secedit /configure /cfg %windir%\repair\secsetup.inf /db /secsetup.sdb /verbose

    ... to help clear old settings from the copied virtual machine image.


    Step Two:

    Also remember to first rename your virtual machine to something other than the old virtual machine name registered in your Active Directory (AD). You can rename it in the System Properties by clicking on the ‘Change’ button afterwards in Step 3 below. For example if the old image machine name was called COMPUTER1 then change it to COMPUTER2. Leave the domain name as Workgroup at first as you will change it to join the domain as described above. Reboot your virtual machine.


    Step Three:

    Go to your problem Virtual guest machine you copied from a template, and in the Windows O/S go to Control Panel -> System and Security -> System -> Advanced system settings. The System Properties window will appear. Click on ‘Network ID’. Select the first option which is ‘This computer is part of a business network; I use it to connect to other computers at work’.

    Click on Next. On the next screen choose the first option, which is ‘My company uses a network with a domain’ then click on the next button. You will need to enter your user name, logon password, your company’s account domain name, your guest virtual machine name and most importantly your company’s domain names.  Remember to enter the new Machine name other than the old machine of the previous virtual machine image. For example If the old image or template image machine name was COMPUTER1 enter COMPUTER2. 

    Make sure that your AD account has enough privileges to add a new computer to the domain; otherwise contact your network administrator if you do not have this information or enough AD account privileges. Enter all this information in the subsequent screens. You will then get a message after your virtual machine authenticates with the AD that it found an old machine name in your AD. Click on next to continue and then reboot your virtual machine. Once your virtual machine reboots, you can then log in to the domain successfully.

    Log in to your virtual machine and enter IPCONFIG /ALL in the cmd prompt to make sure that your new computer is now named COMPUTER2. If not then repeat all the steps above. Also in the cmd prompt enter NSLOOKUP COMPUTER2 and make sure that your DNS server has registered your virtual machine named COMPUTER2. Ask your Network administrator to delete COMPUTER1 in the Active Directory (AD). Go back to Control Panel -> System and Security -> System -> Advanced system -> General tab settings and click on CHANGE to change your computer name from COMPUTER2 to COMPUTER1 (your old original or desired computer name). Make sure you enter your domain name here or leave it if it is populated. Reboot your virtual machine again. Once your virtual machine reboots then log in with your DOMAIN account. All your login scripts should populate. Also find your copy of Windows-Easy-Transfer-from-Win7-to-WinXP_x86 if you did an upgrade of the virtual machine image from an older version of Windows.

    There is NO NEED to reinstall afresh after copying from a virtual machine client template or upgrading the virtual machine image from an older version of Windows, and you are having a hard time changing the machine because your Active Directory does not allow you to do so.






    Thursday, August 13, 2015 4:32 PM
  • This is way too many instructions for a simple fix .... the access denied error is a Windows permission error and it can be fixed in less than 5 minutes by simply changing the permissions on the Windows\system32\config folder! I followed the steps here and it worked like a charm

    http://nerdynerdnerdz.com/4192/solved-windows-domain-join-operation-was-not-successful-access-denied/

    Friday, April 1, 2016 1:33 PM
  • But I think the solution is different: the first thing you have to check in the AD is that the computer object is created with exactly the same name. This should resolve your issue.

    Nexustoday

    Thursday, April 27, 2017 11:57 AM
  • Obviously since this is a vague error there are many possible causes and solutions. We found it was the permissions or delegate access on the default OU that computers get joined into. Since we adjusted GPO to make all new domain joined machines default to a NEW OU instead of the "Computers" OU, we needed to also adjust the permissions on the new OU.
    Monday, April 16, 2018 6:47 AM
  • Here is my solution to this problem:

    1. Go open ADUC and open the properties of the computer account in there.
    2. Go to securities tab
    3. Add your own account and grant it full control
    4. Go back to the computer and add it, this time put the credentials of the account you just gave full control over the computer account, in the step above.
    5. Done

    Assumptions:

    You already  had created a computer account in AD (aka pre-staged)

    Or you formatted and re-installed the OS (like what I did) and the old computer's account was already there in AD


    -Rajeev rajdude.com

    Tuesday, March 5, 2019 7:30 PM