1

For a few days now (without any changes to the AD) it has been impossible to join a computer to my domain. When I try to do it, after entering the domain name, I'm prompted for an account that can join the domain; I complete it and nothing...

I've tried to wait a very long time and it never does anything.

It's a computer which was in the domain before, but I am rejoining it to the domain because of an error at user logon (approbation between computer and domain not allowed, something like that).

I've checked my AD and it seems everything is ok. It runs on Win 2k12 r2.

Any ideas?

Pierre.Vriens
DSX
  • Firewalls and DNS are the most common sources for this. Check the event log of the machine. – Gerald Schneider Jul 10 '17 at 06:06
  • It's done and there is nothing wrong. Firewalls are fully open for my tests – DSX Jul 10 '17 at 06:44
  • How many NICs does the client have? Can you confirm it's on the same subnet as the DC and that the DNS server in your NIC is the DC itself? And you don't have a secondary DNS in the client's NIC? – Marco Jul 10 '17 at 08:04
  • Client has one NIC, not on the same subnet but routing is ok. Nslookup responds correctly. Just one DNS on the client. – DSX Jul 10 '17 at 08:26
  • I didn't do anything but now the computer joins the domain. But every action which needs to verify domain credentials takes very long. When I boot up the computer I see the "please wait" message before the login screen, and it never disappears. – DSX Jul 10 '17 at 08:44

4 Answers

1

Is this just one machine, or all clients? Check your DNS. Make sure the service is running and stop/start netlogon on all DCs - this should ensure all the correct entries required for AD are present - see here

Is there anything in error logs on the DCs or client? It's strange that it hangs indefinitely. That smacks of it getting half way through the bind but not finishing correctly.

Also, do you have multiple sites? If you've deleted the computer account but it hasn't propagated round all sites, and now you are trying to re-add it, AD can get grumpy.

Jim ReesPotter
0

If you have any anti-virus running, disable the agents or uninstall, then attempt to join the domain. I recently faced a similar issue where Trend Micro was causing the issue.

0

Have you replaced the domain master in the past? By default, that's the server the AD was created on.

It is possible that there's no domain controller in the RID master role - the RID master hands out stub addresses/pools to the subordinate domain controllers to create SIDs from. If no RIDs can be handed out and the subordinate controllers have exhausted their current pools, no SIDs can be generated and no computer can join the domain any more.

Check the event logs on the domain controller(s) for any hints on this. If confirmed, it is a very nasty situation. If you cannot restore/revive the original domain master you require an extensive AD repair. If you ever retire a domain controller you need to make sure it doesn't hold a vital role.

Zac67
-1

If you rejoin a computer to the domain you have to reset the computer account in the domain. Try this, and also show us what is in the Event Log.

mrc02_kr
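
The checks suggested across the answers and comments above (DC locator DNS records, firewall reachability, secure channel, RID master, logs), gathered into one PowerShell script. This is an added example, not code from any of the posters. The domain name `corp.example.com` is a placeholder, and the FSMO/RID step assumes RSAT tools (`netdom`, `dcdiag`) are installed on the machine where it runs.

```powershell
# Added example: domain-join health checks. 'corp.example.com' is a placeholder domain.
param([string]$Domain = 'corp.example.com')

# 1. DC locator SRV records registered by Netlogon; a client cannot find a DC without them.
$srvNames = "_ldap._tcp.dc._msdcs.$Domain",
            "_kerberos._tcp.dc._msdcs.$Domain",
            "_ldap._tcp.pdc._msdcs.$Domain"
$dcHosts = @()
foreach ($name in $srvNames) {
    try {
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        $records | Select-Object Name, NameTarget, Port | Format-Table -AutoSize
        $dcHosts += $records.NameTarget
    } catch {
        Write-Warning "SRV lookup failed for ${name}: $($_.Exception.Message)"
    }
}

# 2. Reachability of the ports a join uses (Kerberos, RPC endpoint mapper, LDAP, SMB),
#    which matters when client and DC sit on different subnets.
foreach ($dc in ($dcHosts | Sort-Object -Unique)) {
    foreach ($port in 88, 135, 389, 445) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port `
               -WarningAction SilentlyContinue).TcpTestSucceeded
        "{0,-40} tcp/{1,-4} reachable={2}" -f $dc, $port, $ok
    }
}

# 3. Which DC the locator actually picks for this machine.
nltest /dsgetdc:$Domain

# 4. If the machine is already joined, test the computer account's secure channel.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Test-ComputerSecureChannel -Verbose
}

# 5. Client-side join log: shows the step at which a hung join stopped.
$joinLog = Join-Path $env:windir 'debug\NetSetup.log'
if (Test-Path $joinLog) { Get-Content $joinLog -Tail 40 }

# 6. FSMO role holders and RID pool health (needs RSAT; run with domain credentials).
netdom query fsmo
dcdiag /test:ridmanager /v
```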