
I've enabled winrm, disabled firewall, enable remoting, GPOs for winrm, enabled SMBv1 and completed updates first as troubleshooting but I still get the error. I can ping the DC as well.

The error I get is:

    Add-Computer : Computer 'server2019' failed to join domain 'dev.domain.com' from its current workgroup 'WORKGROUP' with following error message: An internal error occurred.
    At line:1 char:1
    + Add-Computer -DomainName dev.domain.com -OUPath "OU=$OU,dc=dev,dc=domain,dc=com" ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OperationStopped: (server2019:String) [Add-Computer], InvalidOperationException
        + FullyQualifiedErrorId : FailToJoinDomainFromWorkgroup,Microsoft.PowerShell.Commands.AddComputerCommand

Here is the part of my script that does the join:

    param(
        [String]$OU,
        [PSCredential]$Credential
    )

    # Stop any transcript that may still be running, quietly, then restore normal error handling
    $ErrorActionPreference = "SilentlyContinue"
    Stop-Transcript | Out-Null
    $ErrorActionPreference = "Continue"

    # Prompt for anything that was not passed as a parameter when run interactively
    if ([Environment]::UserInteractive) {
        if (!$OU) { $OU = Read-Host "Enter Resource Pool Name (exactly as appears in vCenter inventory)" }
        if (!$Credential) { $Credential = Get-Credential -Message "Enter dev domain credentials" }
    }

    # Add Computer to Dev domain
    try {
        Add-Computer -DomainName dev.domain.com -OUPath "OU=$OU,dc=dev,dc=domain,dc=com" -ErrorAction Stop -Credential $Credential
    }
    catch {
        Write-Warning "Failed to join to domain."
        Read-Host -Prompt "Press Enter to exit"
        Throw $_
    }

    PS C:\Windows\system32> nltest.exe /dsgetdc:dev.domain.com
               DC: \\devad02.dev.domain.com
          Address: \\10.1.214.29
         Dom Guid: ae3bef55-dd18-4598-b809-2058516e6abl
         Dom Name: dev.domain.com
      Forest Name: dev.domain.com
     Dc Site Name: SITE
    Our Site Name: SITE
            Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10 0x20000
    The command completed successfully

Edit: Server Manager showed an error event for NetJoin with error code 1359. I tried running `nltest /dclist:MYDOMAIN` and got: You don't have access to DsBind to dev.domain.com

I also tried running `nltest /server:UserSyncServer /sc_reset:domain\devdc` and got: I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE

rumplesmyboy
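An added pre-join diagnostic script (not part of the original question or its script) that checks, from the still-unjoined machine, the things the comments ask about: clock skew against the DC, the DC locator and DsBind calls, the ports the join needs, and the machine account quota together with the user's current count via mS-DS-CreatorSID. Domain and DC names are taken from the question; it assumes the credential is entered as DOMAIN\user or a bare sAMAccountName.

```powershell
# Added example, not the question's own script: read-only pre-join checks that
# cover what the comments ask about (clock skew, DC locator/DsBind, RPC ports,
# machine account quota). Domain and DC names are taken from the question.
param(
    [string]$Domain = 'dev.domain.com',
    [string]$DC     = 'devad02.dev.domain.com',
    [pscredential]$Credential = (Get-Credential -Message "Enter $Domain credentials")
)

# 1. Clock skew: Kerberos rejects tickets when the offset exceeds the default
#    5-minute tolerance. w32tm asks the DC over NTP, so it works before the join.
$chart  = w32tm /stripchart /computer:$DC /samples:1 /dataonly | Out-String
$offset = [regex]::Match($chart, '([-+]\d+\.\d+)s').Groups[1].Value
if (-not $offset) { "[time] no NTP answer from $DC" }
elseif ([math]::Abs([double]$offset) -gt 300) { "[time] offset ${offset}s EXCEEDS Kerberos tolerance" }
else { "[time] offset ${offset}s ok" }

# 2. Ports the join needs on the DC. Status 1722 (RPC_S_SERVER_UNAVAILABLE) is
#    usually a blocked 135 or the dynamic RPC range 49152-65535 behind it.
$ports = @{ 53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP';
            445='SMB'; 464='Kerberos kpasswd'; 3268='Global Catalog' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $r = Test-NetConnection -ComputerName $DC -Port $p -WarningAction SilentlyContinue
    '[port] {0,5} {1,-20} {2}' -f $p, $ports[$p], $(if ($r.TcpTestSucceeded) {'open'} else {'BLOCKED'})
}

# 3. DC locator and DsBind: the same two nltest calls as in the question, but
#    checked for a non-zero exit code so a failure stands out in a transcript.
foreach ($arg in "/dsgetdc:$Domain", "/dclist:$Domain") {
    $out = nltest $arg 2>&1
    "[nltest] $arg -> " + $(if ($LASTEXITCODE -eq 0) {'ok'} else {"FAILED: $($out -join ' ')"})
}

# 4. Machine account quota (the 10-computer default the comments mention) and
#    how many computer objects this user has already created, read over LDAP.
$base = 'DC=' + ($Domain -replace '\.', ',DC=')
$root = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$DC/$base", $Credential.UserName, $Credential.GetNetworkCredential().Password)
"[quota] ms-DS-MachineAccountQuota = $($root.Properties['ms-DS-MachineAccountQuota'].Value)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$user = $Credential.UserName.Split('\')[-1]   # assumes DOMAIN\user or bare sAMAccountName
$searcher.Filter = "(sAMAccountName=$user)"
$sid = [byte[]]$searcher.FindOne().Properties['objectsid'][0]
# mS-DS-CreatorSID is binary; an LDAP filter needs it as \xx-escaped bytes
$hex = ($sid | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
$searcher.Filter = "(&(objectClass=computer)(mS-DS-CreatorSID=$hex))"
"[quota] $user has created $($searcher.FindAll().Count) computer objects so far"
```

Run it from the workgroup machine before the join; each line is prefixed with the check it belongs to so the output can be pasted into a ticket.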
  • most commands accept -verbose; try that – djdomi Apr 08 '22 at 16:51
  • `nltest /dsgetdc:dev.domain.com` – Greg Askew Apr 08 '22 at 17:10
  • It just says `VERBOSE: Performing the operation "Join in domain 'dev.domain.com'" on target "server2019"` and then the rest of the error from the post. – rumplesmyboy Apr 08 '22 at 17:11
  • @GregAskew I do get a successful result from that. It shows the DC, address, dom name and GUID, site name and flags – rumplesmyboy Apr 08 '22 at 17:13
  • @GregAskew posted in question – rumplesmyboy Apr 08 '22 at 17:20
  • Silly question, but is the clock on the joining machine sync'd to your domain's time? – Evan Anderson Apr 08 '22 at 17:26
  • @EvanAnderson it wasn't. I set the time by running a w32tm config. The source was originally Microsoft, but I still get the same results after restarting – rumplesmyboy Apr 08 '22 at 18:16
  • @GregAskew I added some more detail from some other nltest commands – rumplesmyboy Apr 08 '22 at 20:51
  • Where is the PDC? Try `netdom query fsmo` from the DC or a command prompt on the endpoint that has network credentials for the domain. – Greg Askew Apr 08 '22 at 21:01
  • At this point I'd run a packet capture from the joining computer and whatever it talks to during the join attempt. Odds are good the answer is in there, sadly. – Evan Anderson Apr 09 '22 at 10:21
  • Not sure if it's relevant, but a domain admin account can join to the dev domain, but a regular user account that used to be able to cannot. – rumplesmyboy Apr 12 '22 at 20:43
  • @rumplesmyboy - *That's* an interesting observation. By default non-Administrator users can add up to 10 computers to the domain (counted by using the ms-DS-CreatorSID attribute on computer objects). This can be changed (see https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/default-workstation-numbers-join-domain). Increase the limit and see if you can join the domain. If so we found your issue's cause. The GUI domain join returns a helpful error message for this. I don't know what 'Add-Computer' does. I could set up a lab to test this, admittedly, but I'm lazy. – Evan Anderson Apr 15 '22 at 19:55
  • Unfortunately the attribute was set to 10000, so well below what my cloned user account has done. I am going to try capturing traffic as the error logs also indicate the same thing with Error 1359 trying to join. – rumplesmyboy Apr 16 '22 at 16:28
  • @rumplesmyboy - Dang! I was feeling good about that one. Is there anything showing up in the Security Event Log on the DC servicing the join attempt? I'd turn on failure and success Directory Service access auditing and see what might hit the logs there too. – Evan Anderson Apr 17 '22 at 00:08
  • @EvanAnderson Microsoft support recommended changing MsDS-SupportedEncryptionTypes to AES from RC4 on the domain controllers, but what worked for me was removing and re-adding the trust between DCs that was outgoing and forward transitive. Still not sure of the actual cause, but that seemed to work. Also not sure why an admin account would work but regular accounts wouldn't. Far cry from my usual Linux issues. – rumplesmyboy May 20 '22 at 15:48

2 Answers

Microsoft suggested changing the MsDS-SupportedEncryptionTypes to AES from RC4 on the domain controllers, but what worked for me was removing and re-adding the trust between DCs that was outgoing and forward transitive.

rumplesmyboy

This solution works for me. Disable AllowNt4Crypto in the registry of the DC: https://learn.microsoft.com/es-mx/services-hub/health/remediation-steps-ad/disable-the-allownt4crypto-setting-on-all-affected-domain-controllers

Gustavo
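An added read-only audit (not code from either answer) for the two settings the answers point at: msDS-SupportedEncryptionTypes on the DC computer accounts and AllowNt4Crypto in each DC's Netlogon registry key, plus a listing of trusts with their direction and transitivity. It assumes the ActiveDirectory RSAT module, WinRM access to the DCs, and uses the question's domain name.

```powershell
# Added example, not from either answer: read-only audit of the settings the
# answers point at. Assumes the ActiveDirectory RSAT module and an account that
# can read the DCs' registry over WinRM; the domain name is the question's.
Import-Module ActiveDirectory
$domain = 'dev.domain.com'

# Bit values of msDS-SupportedEncryptionTypes (Kerberos etype support)
$etypeNames = @{ 0x01='DES-CBC-CRC'; 0x02='DES-CBC-MD5'; 0x04='RC4-HMAC';
                 0x08='AES128-CTS-HMAC-SHA1'; 0x10='AES256-CTS-HMAC-SHA1' }
function Decode-EncryptionTypes([int]$Value) {
    if ($Value -eq 0) { return 'not set (defaults apply)' }
    (0x01,0x02,0x04,0x08,0x10 | Where-Object { $Value -band $_ } |
        ForEach-Object { $etypeNames[$_] }) -join ', '
}

foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
    $acct = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $domain `
                -Properties 'msDS-SupportedEncryptionTypes'
    $etypes = [int]$acct.'msDS-SupportedEncryptionTypes'   # null becomes 0
    # AllowNt4Crypto lives under the DC's Netlogon parameters; absent means disabled
    $nt4 = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
            -Name AllowNt4Crypto -ErrorAction SilentlyContinue).AllowNt4Crypto
    }
    [pscustomobject]@{
        DC              = $dc.HostName
        EncryptionTypes = Decode-EncryptionTypes $etypes
        AESEnabled      = [bool]($etypes -band 0x18)      # AES128 or AES256 bit set
        AllowNt4Crypto  = $(if ($nt4 -eq 1) { 'ENABLED (answer 2 says disable it)' } else { 'disabled' })
    }
}

# Trust inventory, since answer 1 fixed the join by recreating an outgoing,
# forest-transitive trust; direction and transitivity are the fields to compare.
Get-ADTrust -Filter * -Server $domain |
    Select-Object Name, Target, Direction, ForestTransitive, TrustType
```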