How to troubleshoot errors that occur when you join Windows-based computers to a domain
This article describes several common error messages that can occur when you join client computers that are running Windows to a domain. This article also provides troubleshooting suggestions for these errors.

Applies to: Windows Server 2016, Windows Server 2012 R2

Where to find the Netsetup.log file

Windows clients log the details of domain join operations in the %windir%\debug\Netsetup.log file.

Networking error messages and resolutions

Error 1
Resolution

When you type the domain name, make sure that you type the Domain Name System (DNS) name and not the Network Basic Input/Output System (NetBIOS) name. For example, if the DNS name of the target domain is

Additionally, verify that the computer can reach a DNS server that hosts the DNS zone of the target domain or can resolve DNS names in that domain. Make sure that the correct DNS server is configured on this client as the preferred DNS, and that the client has connectivity to that server. To verify this, you can run one of the following commands:
Error 2
Resolution

When you type the domain name, make sure that you type the DNS name and not the NetBIOS name.

Additionally, verify that the computer can reach a DNS server that hosts the DNS zone of the target domain or can resolve DNS names in that domain. Make sure that the correct DNS server is configured on this client as the preferred DNS, and that the client has connectivity to that server. To verify this, you can run one of the following commands:
Error 3
Resolution

When you type the domain name, make sure that you type the DNS name and not the NetBIOS name. Additionally, restart the computer before you try to join the computer to the domain.

Error 4
Resolution

Restart the computer that you are trying to join to the domain to make sure that there are no latent connections to any of the domain servers.

When you type the domain name, make sure that you type the DNS name and not the NetBIOS name.

Error 5
Resolution

Verify that the computer can reach a DNS server that hosts the DNS zone of the target domain or can resolve DNS names in that domain. Make sure that the correct DNS server has been configured on this client as the preferred DNS, and that the client has connectivity to that server. To verify this, you can run one of the following commands:
When you type the domain name, make sure that you type the DNS name and not the NetBIOS name. Additionally, you can update the network adapter driver.

Error 6
Resolution

Before joining the computer to the domain, make sure that you have cleared all mapped connections to any drives.

Restart the computer that you are trying to join to the domain to make sure that there are no latent connections to any of the domain servers.

When you type the domain name, make sure that you type the DNS name and not the NetBIOS name.

The error may be transient. Try again later. If the issue persists, verify the status of the DC that the client is connecting to (active connections, network connectivity, and so on). You may want to restart the DC if the issue persists.

Error 7
Resolution

Verify that the computer can reach a DNS server that hosts the DNS zone of the target domain or can resolve DNS names in that domain. Make sure that the correct DNS server has been configured on this client as the preferred DNS, and that the client has connectivity to that server. To verify this, you can run one of the following commands:
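
One way to run the DNS and connectivity checks described in this resolution from the client, as an added PowerShell example that is not part of the original article. The function name Test-DomainJoinReadiness is hypothetical, corp.example.com is a placeholder domain, and the port list is the commonly documented set of Active Directory TCP ports rather than a list taken from this page.

```powershell
# Added example, not from the original article.
# Test-DomainJoinReadiness is a hypothetical helper; corp.example.com is a placeholder.
function Test-DomainJoinReadiness {
    param(
        [Parameter(Mandatory)][string]$DomainDnsName,
        # Assumption: commonly documented AD TCP ports (Kerberos, RPC endpoint mapper,
        # LDAP, SMB, Kerberos password change); the page itself does not list them.
        [int[]]$TcpPorts = @(88, 135, 389, 445, 464)
    )

    # A name without a dot is probably the NetBIOS name, which the article says not to use.
    if ($DomainDnsName -notmatch '\.') {
        Write-Warning "'$DomainDnsName' looks like a NetBIOS name; use the DNS name of the domain."
    }

    # Show which DNS servers this client is actually configured to use.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { Write-Host "DNS on $($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" }

    # Domain controllers register this SRV record in the DNS zone of the domain.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainDnsName"
    try {
        $dcs = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
            Where-Object { $_.NameTarget } |   # keep SRV answers, drop additional A/AAAA records
            Select-Object -ExpandProperty NameTarget -Unique
    } catch {
        Write-Warning "Cannot resolve ${srvName}: $($_.Exception.Message)"
        return
    }

    # Test TCP reachability of every returned DC on every port; emit one row per test.
    foreach ($dc in $dcs) {
        foreach ($port in $TcpPorts) {
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $dc
                Port             = $port
                Reachable        = $r.TcpTestSucceeded
            }
        }
    }
}

Test-DomainJoinReadiness -DomainDnsName 'corp.example.com' | Format-Table -AutoSize
```

A failed SRV lookup points at the client's preferred DNS server setting; rows with Reachable set to False point at a firewall or routing problem between the client and that DC.
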
When you type the domain name, make sure that you type the DNS name and not the NetBIOS name.

Make sure that you have the most up-to-date drivers installed for the client computer's network adapter.

Verify connectivity between the client that is being joined and the target DC over the required ports and protocols.

Disable the TCP Chimney offload feature and IP offloading.

Error 8
Resolution

Make sure that the DC that hosts the relative ID (RID) operations master is online and functional. For more information, see Event ID 16650: The account-identifier allocator failed to initialize in Windows Server.

Note: You can use the

Verify that Active Directory is replicating between all DCs. You can use the following command to detect any errors:
Error 9
Resolution

Make sure that you have the most up-to-date drivers installed for the client computer's network adapter.

Verify connectivity between the client that is being joined and the target DC over the required ports and protocols.

Disable the TCP Chimney offload feature and IP offloading.

This problem can also be caused by one of the following conditions:
Error 10
Resolution

This error occurs when you use the domain join UI to join a Windows 7 or Windows Server 2008 R2 workgroup computer to an Active Directory domain by specifying the target DNS domain. To fix this error, see 2018583 Windows 7 or Windows Server 2008 R2 domain join displays error "Changing the Primary Domain DNS name of this computer to "" failed....".

Authentication error messages and resolutions

Error 1
Resolution

Make sure that you have permissions to add computers to the domain, and that you have not exceeded the quota that is defined by your Domain Administrator.

To join a computer to the domain, the user account must be granted Create computer object permissions in Active Directory.

Note: By default, a non-administrator user can join a maximum of 10 computers to an Active Directory domain.

Error 2
Resolution

Check that the domain controllers (DCs) are registered by using correct IP addresses on the DNS server, and that their Service Principal Names (SPNs) are registered correctly in their Active Directory accounts.

Error 3
Resolution

Make sure that you have permissions to add computers to the domain. To join a computer to the domain, the user account must be granted the Create computer object permission in Active Directory.

Additionally, make sure that the specified user account is allowed to log on locally to the client computer. To do this, configure the Allow log on locally setting in Group Policy under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

Error 4
Resolution

Make sure that you use the correct user name and password combination of an existing Active Directory user account when you are prompted for credentials to add the computer to the domain.

Error 5
Resolution

This error is likely a transient error that is logged when a domain join searches the target domain to determine whether a matching computer account was already created or whether the join operation has to dynamically create a computer account on the target domain.

Error 6
Resolution

This error can occur when the Kerberos token size is larger than the maximum default size. In this situation, you have to increase the Kerberos token size of the computer that you try to join to the domain. For more information, see the following Knowledge Base articles:

Error 7
Resolution

This problem is related to mismatched SMB Signing settings between the client computer and the DC that is being contacted for the domain join operation. Review the following documentation to further investigate the current and recommended values in your environment:

Error 8
Resolution

Make sure that the DC through which you are trying to join the domain has the Windows Time service started.

Which of the following is a utility for enumerating NetBIOS shares?
SuperScan is a NetBIOS enumeration tool.

What network security tool usually included with Kali Linux allows a user to ping multiple IP addresses?
Nmap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques, version detection (determine service protocols and application versions listening behind ports), and TCP/IP fingerprinting (remote host OS or device identification).

Which type of port scan sends a packet with all flags turned off?
Other types of TCP port scans include NULL, FIN and Xmas. These three types of scans involve manipulating the TCP header flags. NULL scans send packets with no flags set in their headers, while FIN scans only have the FIN bit set.

Which of the following HTML tags is used to create a hyperlink to a remote website?
The a href=" " tag defines a hyperlink, which is used to link from one page to another.