...Because someone's gotta tell the story...


To return to the main Blog List, click Full Blog Listing.


Active Directory
Domain Controller

Welcome to the domain. Just kidding.

Monday, August 21, 2017 in Active Directory (Views: 1486)
I ran across a strange issue recently in regards to joining a server to the domain, so I hope this helps someone else running into the issue.

Problem statement: A routine, run of the mill domain join of a server. The account was pre-populated (or not, wouldn't matter) in Active Directory. Upon joining the domain, the admin would see the following message that we've seen so many times: Welcome to the XXX domain.

Success, right? Wrong. Following that was another error:
Changing the Primary Domain DNS name of this computer to "" failed. The name will
remain ".".
The error was: The specified server cannot perform the required operation.

So, what's interesting is that the computer joined the domain, right? Well, yes and no. Our friend ADSIEdit will tell us what we need to know about the join in question

First, go to ADSIEdit and find the computer object, right click, and go to properties. In the Attribute Editor, you are looking for 2 things:

Stage 1: Computer just joined the domain
The fields whenCreated and lastLogonTimestamp will be the same. This makes sense as the computer account had to login to the domain in order to create/populate the computer account record and authenticate to the domain.

The kick was... Stage 2: Computer rebooted from the domain join
The fields whenCreated and lastLogonTimestamp should no longer be the same, as upon reboot, the computer account logs into the domain and contacts a DC for things like policy. After rebooting, these items remained the same, meaning that the process broke either right before or right after the reboot. I would bet on the former (where the error came from).

So, the root cause? It came out that RPC port 135 was being blocked to the domain controller. I was betting on 137, but a host of ports is required for domain joining, as documented here:

Hope this helps someone else - but definitely if you live in a world where port blocking and firewalls are heavily in use, this may be a good first step to solving your issue.


Related Blogs You May Be Interested In:

To leave a comment, please log in and/or register.