Changing the Primary Domain DNS name of this computer to “ ” failed.


  • Changing the Primary Domain DNS name of this computer to “ ” failed.

    Hi all,

    I face the below error message when joining PCs to the domain.

    __________________________________________________ _______
    Changing the Primary Domain DNS name of this computer to “ ” failed.
    The name will remain “ABC.com”.
    The error was:

    The specified server cannot perform the requested operation.
    __________________________________________________ _______


    The computer object was successfully created in [Computers] OU.
    PCs restarted and able to logon domain with Domain user account.
    It seems like the PCs successfully joined the domain, but it showed the same error for every PC.

    Domain Environment
    Root DC: Windows Server 2012 R2
    Site’s DC: Windows Server 2003
    Functional level: Windows Server 2003

    I tried the below steps to disjoin and rejoin the domain.
    1. Disable Firewall
    2. Disable Firewall service
    3. Disable antivirus
    Result: Still failure.

    I checked online and learned there is a log file, called netsetup.txt, where the domain join log can be seen.
    I managed to find some log entries as below:

    04/07/2014 13:50:54:407 NetpChangeMachineName: from 'MMMTEST-01' to 'MMMTEST-01' using 'ABC.COM\administrator' [0x1000]
    04/07/2014 13:50:54:407 NetpDsGetDcName: trying to find DC in domain 'ABC', flags: 0x1010
    04/07/2014 13:50:54:407 NetpDsGetDcName: found DC '\\SITEA-AD01' in the specified domain
    04/07/2014 13:50:54:407 NetpGetLsaPrimaryDomain: status: 0x0
    04/07/2014 13:50:54:407 NetpGetDnsHostName: Read NV Domain: ABC.com
    04/07/2014 13:50:57:028 NetpLdapBind: ldap_bind failed on SITEA-AD01: 81: Server Down
    04/07/2014 13:50:57:028 NetpSetDnsHostNameAndSpn: NetpLdapBind failed: 0x3a
    04/07/2014 13:50:57:028 NetpChangeMachineName: status of setting DnsHostName and SPN: 0x3a

    Kindly advise me what I can do to resolve this issue.

  • #2
    Re: Changing the Primary Domain DNS name of this computer to “ ” failed.

    Are any of the PCs trying to join the domain from inside the same subnet as the servers, or are all joins crossing from one subnet into another? If it works when there's no routing between client and server but fails when there is routing between them, then your PC subnet(s) probably wants an 'ip helper-address' set. If there's already a helper-address, is there an ACL blocking any specific ports of traffic?
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Re: Changing the Primary Domain DNS name of this computer to “ ” failed.

      Hi RicklesP,

      Thanks for your help and reply.

      Regarding joining the domain via a different subnet, I have performed some tests.

      DC = 192.168.20.20

      Same PC = 192.168.20.100 = successful join without error prompt
      Same PC = 192.168.35.200 = Join Domain with error prompt.

      Below is the error log from ntsetup


      _________________________________________________
      VLAN 35 join error

      04/10/2014 14:43:26:914 NetpChangeMachineName: from 'MMMTEST-01' to 'MMMTEST-01' using 'ABC.com\administrator' [0x1000]
      04/10/2014 14:43:26:914 NetpDsGetDcName: trying to find DC in domain 'ABC', flags: 0x1010
      04/10/2014 14:43:27:928 NetpDsGetDcName: found DC '\\SITEA-AD01' in the specified domain
      04/10/2014 14:43:27:928 NetpGetLsaPrimaryDomain: status: 0x0
      04/10/2014 14:43:27:928 NetpGetDnsHostName: Read NV Domain: ABC.com
      04/10/2014 14:43:28:193 [00000a50] NetpGetLsaPrimaryDomain: status: 0x0
      04/10/2014 14:43:28:723 [000006e4] NetpGetLsaPrimaryDomain: status: 0x0
      04/10/2014 14:43:31:204 [0000029c] NetpGetLsaPrimaryDomain: status: 0x0
      04/10/2014 14:43:31:734 [0000029c] NetpGetLsaPrimaryDomain: status: 0x0
      04/10/2014 14:43:31:765 NetpLdapBind: ldap_bind failed on SITEA-AD01: 81: Server Down
      04/10/2014 14:43:31:765 NetpSetDnsHostNameAndSpn: NetpLdapBind failed: 0x3a
      04/10/2014 14:43:31:765 NetpChangeMachineName: status of setting DnsHostName and SPN: 0x3a




      VLAN 20 join success

      04/10/2014 14:52:30:819 NetpChangeMachineName: from 'MMMTEST-01' to 'MMMTEST-01' using 'ABC.COM\administrator' [0x1000]
      04/10/2014 14:52:30:819 NetpDsGetDcName: trying to find DC in domain 'ABC', flags: 0x1010
      04/10/2014 14:52:32:223 NetpDsGetDcName: found DC '\\SITEA-AD01' in the specified domain
      04/10/2014 14:52:32:223 NetpGetLsaPrimaryDomain: status: 0x0
      04/10/2014 14:52:32:223 NetpGetDnsHostName: Read NV Domain: ABC.com
      04/10/2014 14:52:32:238 NetpGetComputerObjectDn: Cracking account name ABC\MMMTEST-01$ on \\MMMTEST-01
      04/10/2014 14:52:32:238 NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=MMMTEST-01,CN=Computers,DC=ABC,DC=com
      04/10/2014 14:52:32:238 NetpModifyComputerObjectInDs: Initial attribute values:
      04/10/2014 14:52:32:238 DnsHostName = MMMTEST-01.ABC.com
      04/10/2014 14:52:32:238 ServicePrincipalName = HOST/MMMTEST-01.ABC.com RestrictedKrbHost/MMMTEST-01.ABC.com HOST/MMMTEST-01 RestrictedKrbHost/MMMTEST-01
      04/10/2014 14:52:32:238 NetpModifyComputerObjectInDs: Computer Object already exists in OU:
      04/10/2014 14:52:32:238 DnsHostName = MMMTEST-01.ABC.com
      04/10/2014 14:52:32:238 ServicePrincipalName = TERMSRV/MMMTEST-01 TERMSRV/MMMTEST-01.ABC.com RestrictedKrbHost/MMMTEST-01 HOST/MMMTEST-01 RestrictedKrbHost/MMMTEST-01.ABC.com HOST/MMMTEST-01.ABC.com
      04/10/2014 14:52:32:238 NetpModifyComputerObjectInDs: There are _NO_ modifications to do
      04/10/2014 14:52:32:238 ldap_unbind status: 0x0
      04/10/2014 14:52:32:238 NetpChangeMachineName: status of setting DnsHostName and SPN: 0x0

      __________________________________________________ _______________


      May I know whether "ip helper-address" and "ACL blocking" are configurations of the Cisco router/switch?

      May I know which port is required for joining the domain?

      Kindly advise.

      Comment
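
As an added example (not part of the original posts), this Python script triages the netsetup log lines quoted in posts #1 and #3: it records which DC the locator found, decodes the LDAP and Win32 codes, and states which stage of the join failed. The function names `triage` and `diagnosis` are made up for illustration; the sample is constructed from the VLAN 35 log above, and the code names (LDAP 81, Win32 0x3a) are the standard constants for those values.

```python
import re

# Constructed sample: the VLAN 35 failure lines quoted in the post above.
FAILED_JOIN = r"""
04/10/2014 14:43:26:914 NetpChangeMachineName: from 'MMMTEST-01' to 'MMMTEST-01' using 'ABC.com\administrator' [0x1000]
04/10/2014 14:43:27:928 NetpDsGetDcName: found DC '\\SITEA-AD01' in the specified domain
04/10/2014 14:43:28:193 [00000a50] NetpGetLsaPrimaryDomain: status: 0x0
04/10/2014 14:43:31:765 NetpLdapBind: ldap_bind failed on SITEA-AD01: 81: Server Down
04/10/2014 14:43:31:765 NetpSetDnsHostNameAndSpn: NetpLdapBind failed: 0x3a
04/10/2014 14:43:31:765 NetpChangeMachineName: status of setting DnsHostName and SPN: 0x3a
"""

# Timestamp, optional [thread id], routine name, message.
LINE = re.compile(r"^(\d\d/\d\d/\d{4} [\d:]+) (?:\[[0-9a-f]+\] )?(\w+): (.*)$")
WIN32 = {0x0: "ERROR_SUCCESS", 0x3A: "ERROR_BAD_NET_RESP"}  # 0x3a = 58
LDAP = {81: "LDAP_SERVER_DOWN"}

def triage(log_text):
    """Summarise one join attempt: DC found, LDAP bind result, final status."""
    result = {"dc": None, "ldap_error": None, "spn_status": None, "unparsed": 0}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        m = LINE.match(raw.strip())
        if not m:
            result["unparsed"] += 1  # e.g. attribute dump lines with no routine name
            continue
        _, routine, msg = m.groups()
        if routine == "NetpDsGetDcName" and (dc := re.search(r"found DC '\\\\([^']+)'", msg)):
            result["dc"] = dc.group(1)
        elif routine == "NetpLdapBind" and (e := re.search(r"ldap_bind failed on \S+: (\d+):", msg)):
            code = int(e.group(1))
            result["ldap_error"] = LDAP.get(code, f"LDAP error {code}")
        elif routine == "NetpChangeMachineName" and (s := re.search(r"DnsHostName and SPN: (0x[0-9a-f]+)", msg)):
            code = int(s.group(1), 16)
            result["spn_status"] = WIN32.get(code, f"Win32 error {code}")
    return result

def diagnosis(r):
    if r["dc"] and r["ldap_error"]:
        return (f"DC locator found {r['dc']} but the LDAP bind to it failed "
                f"({r['ldap_error']}): check the client-to-DC path for LDAP")
    if r["spn_status"] == "ERROR_SUCCESS":
        return "DnsHostName/SPN step succeeded"
    return "inconclusive"

if __name__ == "__main__":
    print(diagnosis(triage(FAILED_JOIN)))
```

Win32 error 0x3a (58) is the code behind the dialog text "The specified server cannot perform the requested operation", so the popup and the log describe the same failed step.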


      • #4
        Re: Changing the Primary Domain DNS name of this computer to “ ” failed.

        On your VLAN configuration.

        What are the differences between VLAN 20 and 35? From the logs, it seems like there is some config on VLAN35 that prevents the authentication to the AD.

        Are VLAN20 and 35 in the same physical location? Meaning, are they in the same building with a different department? Or are they in a different location, and is there a router/firewall sitting in between the switch?

        From your VLAN35, can you do a traceroute to your DC?

        HN



        • #5
          Re: Changing the Primary Domain DNS name of this computer to “ ” failed.

          I've seen this so many times; there's not just one port used for domain joins, it's several things in sequence. And despite any claims otherwise, NetBIOS is part of it, which is why you need the helper addresses, since DNS doesn't help here since it's not part of every step of the process.

          The term 'ip helper-address' is an entry you put on your VLAN's virtual interface in the switch/router which is the gateway for that VLAN. The entry is a single line with the IP address of a DC to send requests to. Assuming you have more than 1 DC, you put an additional line in for each DC you want clients to be able to find for a join action.

          Like this: say you have 3 DCs at 192.168.20.20 and .20.21 and .20.22 in your VLAN 20. Your clients in VLAN 35 have been given their default gateway as 192.168.35.1, which is in your router. The router config will have this line in it:
          interface Vlan35
          ip address 192.168.35.1 255.255.255.0
          end

          You want to add these lines:
          ip helper-address 192.168.20.20
          ip helper-address 192.168.20.21
          ip helper-address 192.168.20.22

          Save the config and try another join from that vlan.
          *RicklesP*
          MSCA (2003/XP), Security+, CCNA

          ** Remember: credit where credit is due, and reputation points as appropriate **



          • #6
            Re: Changing the Primary Domain DNS name of this computer to “ ” failed.

            Hi RicklesP,

            Thanks again for your reply and advice.

            I will further check with Network Team on the router configuration then will try to test it later.

            ^_^



            • #7
              Re: Changing the Primary Domain DNS name of this computer to “ ” failed.

              Hi guys
              I have a similar problem after I upgraded my domain controllers from 2008 to 2012R2. I have a root domain and child domains. I upgraded 2 child domains (DCs) and raised their domain functional level to 2012 R2, and now I am experiencing this. The root domain is for the head office and the child domains are for our company office branches.
              E.g. if the head office is New York, the root domain is called NY (NY.lightglobe.com) and the office branches created as child domains are in Texas (TX.lightglobe.com), California (CA.lightglobe.com), Miami (MI.lightglobe.com), etc.

              Previously, before the upgrade, I could successfully join computers for the branches while doing this from the head office, e.g. with the PC in the NY branch I could join it to the CA domain before I sent it to the branch. Now, after the upgrades, I get that error as I join it while the PC is at the head office. Then, when the PC restart completes, I get to the login screen, I enter login details, and I get the error "The security database on the server does not have a computer account for this workstation trust relationship". Then it does not log in to the domain, so I am forced to log in locally to remove the computer from the domain and delete the computer object from the AD. Then I confirmed a successful join of the same PC to the domain which I didn't upgrade. I need help. I can't keep flying across the country every week to join machines from the local branch. And it's stopping me from proceeding with my project to upgrade the remaining DCs.



              • #8
                Re: Changing the Primary Domain DNS name of this computer to “ ” failed.

                Hi guys

                Correction of my problem: I can't join computers to all my child domains from the head office. But I can join them from their local location. Any ideas, guys?



                • #9
                  Re: Changing the Primary Domain DNS name of this computer to “ ” failed.

                  I managed to find a workaround for this, but I don't know why this changes. If I join machines to the domain with the FQDN, it fails with this error. But if I join with just a domain name, then it works successfully. Strange thing!



                  • #10
                    Re: Changing the Primary Domain DNS name of this computer to “ ” failed.

                    Originally posted by Kani
                    Hi guys
                    I have a similar problem after I upgraded my domain controllers from 2008 to 2012R2. I have a root domain and child domains. I upgraded 2 child domains (DCs) and raised their domain functional level to 2012 R2, and now I am experiencing this. The root domain is for the head office and the child domains are for our company office branches.
                    E.g. if the head office is New York, the root domain is called NY (NY.lightglobe.com) and the office branches created as child domains are in Texas (TX.lightglobe.com), California (CA.lightglobe.com), Miami (MI.lightglobe.com), etc.

                    Previously, before the upgrade, I could successfully join computers for the branches while doing this from the head office, e.g. with the PC in the NY branch I could join it to the CA domain before I sent it to the branch. Now, after the upgrades, I get that error as I join it while the PC is at the head office. Then, when the PC restart completes, I get to the login screen, I enter login details, and I get the error "The security database on the server does not have a computer account for this workstation trust relationship". Then it does not log in to the domain, so I am forced to log in locally to remove the computer from the domain and delete the computer object from the AD. Then I confirmed a successful join of the same PC to the domain which I didn't upgrade. I need help. I can't keep flying across the country every week to join machines from the local branch. And it's stopping me from proceeding with my project to upgrade the remaining DCs.

                    Hope the following helps!
                    I got the same situation and resolved it as below.
                    1. Change the machine name to a new testing name
                    2. Join it to workgroup
                    3. Reboot
                    4. Join to domain (in Domain tab in computer properties, write domain only without any suffix)
                    5. Try to login - if you can login

                    I didn't receive any error; I was able to login. In simple words, just change your client computer name if it is throwing an issue with the current name, as the record exists there.



                    • #11
                      Re: Changing the Primary Domain DNS name of this computer to “ ” failed.

                      I got crazy with that same error, but this did the trick:

                      http://blogs.technet.com/b/instan/ar...ot-failed.aspx

                      Specifically: "...A workaround that removes the error message is to populate the Primary DNS suffix of the machine before attempting the domain join...."

                      The image attached may help.
                      Madrid (Spain).
