Workstation Can't Join the Domain
Posted by Mont Rothstein on 08 September 2007 02:16 AM
Do not connect both NICs on a server, particularly where one is using DHCP, until the server has been identified on the network via its static IP. You should be able to use ping, nbtstat -a, or joining a workstation to the domain, and accessing a samba share on the server via ther servername to cause the server's name and domain name to be associated with the static IP.

The following steps were followed in debugging a machine where both NICs had been connected and a workstation could not be joined to the domain.

The error message telling you that the join failed appears after the domain name has been entered and after the username and password have been entered.

The error message either says that the domain can not be located or that the user name or password are incorrect.

When joining a Windows XP computer to the domain the domain is first looked up based off of the name entered. This happens before the login panel appears. If is can't find the domain at all you will get an error before the login panel.

Assuming the domain is found then the login panel appears, the user enters the login info, and then the join attempt beings.

This time the computer uses other means to find the domain controller. It does a reverse lookup from the name to the IP. The exact protocols are unknown and may be a mix of several.

On the server:

Make sure that smb and fedora-ds services are running fine using the "service servicename status" command.

Run "smbclient -L //servername" just hit enter at the password prompt. It should tell you all of the info about the shares on the server.

On the workstation:

Check that you can ping the domain controller by its name, and that it pings using the correct IP address.

If you can't ping by the servers name then it is possible that the domain controller has been forcibly removed from DNS. In this case you will need to add an entry to C:\Windows\system32\drivers\etc\hosts

Try connecting to the repository share. Enter "\\servername\\repository" into the Windows Explorer address bar. When prompted enter the samba admin username and password. This will ensure that samba is running and that you have the correct username and password.

Use "nbtstat -c" to see the workstation's Netbios cache. There should be an entry for the domain name. If there isn't then for a lookup using "nbtstat -a domainname"

If there is an entry make sure it has the correct IP address. If it does not have the correct IP address use "netstat -R" to clear the Netbios cache and then re-do the "nbtstat -a" and "nbtstat -c" commands.

If the IP is still wrong then some piece of network gear has probably got it wrong. If that network gear can't be corrected then try changing the domain name on the server.

To change the domain name:
  1. In a terminal session as root
  2. service fedora-ds stop
  3. rpm -e fedora-ds
  4. rm -rf /opt/fedora-ds
  5. Edit the values.conf for the server to have the new short and long domain name
  6. Re-run configall and reboot
If none of this works cry.

In trying to debug this editing the lmhosts file did not successfully override the bad setting in the network gear. However it may be useful in other situations, particularly if you have to join a domain controller on a different subdomain.

Some useful links:

nbtstat
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nbtstat.mspx?mfr=true

How to write an Lmhosts file for domain validation and other name resolution issues
http://support.microsoft.com/kb/180094

NetBIOS Suffixes (16th Character of the NetBIOS Name)
http://support.microsoft.com/kb/163409/

Troubleshooting LMHOSTS Name Resolution Issues
http://support.microsoft.com/kb/180099/


Comments (0)