Join and Authentication Issues
Windows 2000 Server Resource Kit, Distributed Systems Guide: Active Directory Diagnostics, Troubleshooting, and Recovery
http://technet.microsoft.com/en-us/library/cc961817(d=printer).aspx (printed 3/18/2014)

If you can't join a computer to an Active Directory domain, or if a computer can't communicate with any other computer in the network, the situation might be the result of join and authentication problems. This section discusses diagnostic tools and gives examples of possible authentication problems, along with suggested solutions.

The first step toward identifying and diagnosing Active Directory join and authentication problems is to review how a Windows 2000-based computer joins a domain, what permissions are required by a user, and how a secure channel is established.

Joining a Computer to a Domain

To review, when you join either a Windows NT 4.0-based or a Windows 2000-based client to a domain, the following occurs:

- The domain name is validated.
- A domain controller in the domain is located through a call to DsGetDcName.
- A session is established with the domain controller under the security context of the passed-in credentials that are supplied in the Network Identification tab under System Properties in Control Panel.
- The computer account is enabled. If the flags are so specified (NETSETUP_ACCT_CREATE), the APIs create the computer account on the domain controller.
- The local password for this account is created in the Local Security Authority (LSA).
- The local primary domain information LSA policy is set to refer to the new domain. This includes the domain name and the domain SID.

  Note: For a Windows 2000-based client only, the LSA policy consists of the domain name, domain SID, DNS domain name, DNS forest name, and domain GUID.

- The DNS name assigned to the local computer is updated.
- The local group membership is changed to add members of the Domain Admins group to the local Administrators group.
- The Net Logon trusted domain cache is initialized to the trusted domain's domain list.
- For Windows 2000-based clients only, the Windows Time Service is enabled and started.
- The Net Logon service is started.

Changes Occurring on Domain Controllers in the Domain That the Client Is Joining

When a client joins a domain, the following changes occur on Windows NT 4.0-based and Windows 2000-based domain controllers:

- A computer object is created. The name of this object is generated by appending a dollar sign ($) to the name (uppercase letters) of the client.
- On Windows 2000-based domain controllers only, the Net Logon service creates Service Principal Names (SPNs) on the computer object.

Identifying Whether You Have a Problem Authenticating

You can identify whether you have a problem authenticating (or joining) a computer to a domain by verifying that the local workstation is working. Do this by running the Netdiag tool. Read the output from the top, and look for the words "ERROR" or "FATAL." (Many failures are not relevant to the domain itself, but you should follow up on them because they involve network connectivity issues.) If you don't find these words in the output, continue as follows:

- Run netdiag /v (verbose mode). Do you receive any specific error messages or FATAL errors?
- If the answer to the preceding question is "No," run netdiag /debug. Do you receive any specific error messages or FATAL errors?
- If Netdiag displays an error or failure with the domain itself, check the %SystemRoot%\debug\netsetup.log file for join errors.

Note: If the local workstation is functional, examine the Netsetup.log file that is located in the %SystemRoot%\debug folder. (This is where the join process is logged.) Are any specific error messages logged?

Format of Netsetup.log File

A typical line in Netsetup.log is formatted as follows:

    <time-stamp> <function-name>: <description of operation>: <status code in hexadecimal code>

An example is the following:

    08/11 14:08:29 NetpJoinDomain: status of connecting to dc '\\DC9': 0x0

The description of the join operation is usually self-explanatory. The status code is a NET_API_STATUS or a Win32 error code. A "0x0" code indicates success; any other code indicates an error.

Specific Join Issues

You might encounter problems when you join your computer to a domain. Even though these problems are reported as join problems, some of the most frequently reported ones are not related to the join process. Looking at the Netsetup.log is sufficient to quickly spot such cases. The following are some of the most common errors that relate to join issues:

- Failure to find or to connect to a domain controller.
- Transient network conditions or having specified an incorrect domain name.
- Failure to create a computer account.

The error code shown in Table 10.6 comes under this category.

Table 10.6 "Failure to find a domain controller" Error Code

Description | Actual Error | Error Code
Failure to find or connect to a domain controller. | ERROR_NO_SUCH_DOMAIN | 1355

The following is an example of this error:

    07/20 16:51:10 NetpDsGetDcName: trying to find DC in domain 'verylongdomain1', flags: 0x1020
    07/20 16:51:11 NetpDsGetDcName: failed to find a DC having account 'A-USHAS2-80C$': 0x525
    07/20 16:51:11 NetpDsGetDcName: failed to find a DC in the specified domain: 0x54b
    07/20 16:51:11 NetpDoDomainJoin: status: 0x54b

The join process usually tries to find a domain controller that already has a computer account for the computer that is currently being joined to the domain. If such a domain controller is not found, it tries to find another domain controller. The preceding example shows that the join domain operation failed because a domain controller was not located for the specified domain. To investigate further, run nltest /dsgetdc:<domain-name> and examine the output. If you still receive errors, either the domain really does not exist or there is a transient net error that is preventing domain controller discovery. By running Netdiag.exe and examining the output, you usually can determine the cause.

A "Failure to connect to a domain controller" message usually means that transient net errors or insufficient credentials are the cause. Table 10.7 shows some error codes that come under this category.

Table 10.7 "Failure to connect to a domain controller" Error Codes

Description | Actual Error | Error Code
Bad credentials. | ERROR_LOGON_FAILURE | 1326
Time skew that can cause failure of Kerberos authentication. | ERROR_TIME_SKEW | 1398
Failure to connect to a domain controller. | ERROR_ACCESS_DENIED | 5
No domain controller found. | ERROR_NO_LOGON_SERVERS | 1311

The following is an example of this type of error code:

    07/20 14:47:34 NetpDsGetDcName: trying to find DC in domain 'reskit', flags: 0x1020
    07/20 14:47:50 NetpDsGetDcName: failed to find a DC having account 'TO_A$': 0x525
    07/20 14:47:50 NetpDsGetDcName: found DC '\\reskit' in the specified domain
    07/20 14:47:50 NetUseAdd to \\reskit\IPC$ returned 1326
    07/20 14:47:50 NetpJoinDomain: status of connecting to dc '\\reskit: 0x52e
    07/20 14:47:50 NetpDoDomainJoin: status: 0x52e

The previous example shows a failed attempt to find a domain controller having the account "TO_A$". This is not a fatal error because the code then tries to find any domain controller in the specified domain. After a domain controller is found, an attempt is made to connect to it by using the credentials that are supplied. This attempt failed with error 0x52e (ERROR_LOGON_FAILURE). This indicates that the credentials that were supplied do not have sufficient access rights for connecting to the domain controller.

To investigate the problem of failing to find a domain controller, run an equivalent command from the command prompt to confirm the preceding analysis:

    net use \\<dcname>\ipc$ /u:<domain\user> <password>

Note: You need to perform the net use if you failed to connect to the domain controller. If you failed to find the domain controller, you should perform nltest /dsgetdc: to try to locate the domain controller. If this fails with the same error, a Network Monitor sniffer trace of the join operation would be helpful in diagnosing the failure.

If you receive the error "Failure to create a computer account," it usually means that either the account already exists or that there are insufficient access rights available to the user who is trying to join. Table 10.8 shows the error codes that come under this category.

Table 10.8 "Failure to create a computer account" Error Codes

Description | Actual Error | Error Code
Computer account usually exists already, and security on that account does not allow you to join, usually because the computer was joined previously by using different computer account credentials. | ERROR_ACCESS_DENIED | 5
The user has joined so many computers that he has exceeded the default per-user computer quota (by default, 10). | ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED | 8557
The specified user already exists. | ERROR_USER_EXISTS | 2224

The following example indicates an access denied error:

    08/11 14:08:30 NetpManageMachineAccountWithSid: NetUserAdd on '\\DC9' for 'A-ERINCO-TBCB$' failed: 0x5

The following example indicates there is no error:

    08/11 14:08:30 NetpManageMachineAccountWithSid: NetUserAdd on '\\DC9' for 'A-ERINCO-TBCB$' failed: 0x8b0
    08/11 14:08:30 NetpManageMachineAccountWithSid: status of attempting to set password on '\\DC9' for 'A-ERINCO-TBCB$': 0x0

This is not an error because the NetUserAdd operation fails with 0x8b0 (NERR_UserExists), which indicates that the computer account already exists on that domain controller.

Note: Failure usually occurs when the account already exists. Error 5 occurs if the user does not have access on the account; if the user does have access, an attempt is made to set a new password on the account, which succeeds.

To investigate further, you have to acquire the security descriptor and view the permissions on the computer account object. You can use either the Active Directory Users and Computers MMC console or the Ldp tool. For more information about how to view permissions and access control entries on specific objects with the Active Directory Users and Computers console, see Windows 2000 Server Help. For more information about access control entries and security descriptors, see "Access Control" in this book.
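As an added illustration that is not part of the Resource Kit text, the following Python script applies the Netsetup.log line format and the error tables above to the sample excerpts from this section, treating the two non-zero codes the text calls harmless (0x525 on the "failed to find a DC having account" line and 0x8b0 from NetUserAdd) as benign. The code-to-category mapping is my own reading of Tables 10.6 to 10.8; the sample log strings are copied from the page's examples.

```python
"""Triage a Windows 2000 Netsetup.log using the line format and error tables above."""
import re
from typing import Dict, List, Optional

# <time-stamp> <function-name>[: <description>[: <status code>]]
LINE_RE = re.compile(r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) (?P<func>\w+)(?P<rest>.*)$")
# A trailing status is written ": 0x..." or, on NetUseAdd lines, "returned <decimal>".
STATUS_RE = re.compile(r"(?::\s*|\breturned\s+)(0x[0-9a-fA-F]+|\d+)$")

# Codes named in Tables 10.6 to 10.8 (the tables list them in decimal).
CODE_NAMES = {
    0x5: "ERROR_ACCESS_DENIED",                          # 5
    0x51F: "ERROR_NO_LOGON_SERVERS",                     # 1311
    0x52E: "ERROR_LOGON_FAILURE",                        # 1326
    0x54B: "ERROR_NO_SUCH_DOMAIN",                       # 1355
    0x576: "ERROR_TIME_SKEW",                            # 1398
    0x8B0: "ERROR_USER_EXISTS (NERR_UserExists)",        # 2224
    0x216D: "ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED",   # 8557
}


def parse_line(line: str) -> Optional[Dict]:
    """Split one log line into ts, func, desc and status (int or None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest, status = m.group("rest"), None
    s = STATUS_RE.search(rest)
    if s:
        tok = s.group(1)
        status = int(tok, 16) if tok.lower().startswith("0x") else int(tok)
        rest = rest[: s.start()]
    desc = rest.strip(": ")
    if desc.endswith("flags"):      # "..., flags: 0x1020" carries DsGetDcName flags, not a status
        status = None
    return {"ts": m.group("ts"), "func": m.group("func"), "desc": desc, "status": status}


def is_benign(ev: Dict) -> bool:
    """Non-zero codes the text explicitly calls not-an-error."""
    if ev["status"] == 0x525 and "failed to find a DC having account" in ev["desc"]:
        return True     # the join then falls back to any DC in the domain
    if ev["status"] == 0x8B0 and "NetUserAdd" in ev["desc"]:
        return True     # account already exists; the join goes on to set its password
    return False


def classify(ev: Dict) -> str:
    """Map a failing event onto the three categories of Tables 10.6 to 10.8."""
    code, desc = ev["status"], ev["desc"]
    if code == 0x54B or "find a DC in the specified domain" in desc:
        return "find-dc"            # Table 10.6
    if "NetUserAdd" in desc or code in (0x216D, 0x8B0):
        return "create-account"     # Table 10.8
    if code in (0x52E, 0x576, 0x5, 0x51F) or ev["func"] == "NetUseAdd":
        return "connect-dc"         # Table 10.7
    return "other"


def triage(log_text: str) -> Dict:
    """Return the final NetpDoDomainJoin status and every real (non-benign) failure."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    final: Optional[int] = None
    findings: List[Dict] = []
    for ev in events:
        if ev["func"] == "NetpDoDomainJoin" and ev["desc"] == "status":
            final = ev["status"]
        if not ev["status"] or is_benign(ev):
            continue
        findings.append({"func": ev["func"], "code": ev["status"],
                         "name": CODE_NAMES.get(ev["status"], "unknown"),
                         "category": classify(ev)})
    return {"final_status": final, "findings": findings}


# Sample excerpts, copied from this page's examples.
SAMPLE_NO_DC = r"""
07/20 16:51:10 NetpDsGetDcName: trying to find DC in domain 'verylongdomain1', flags: 0x1020
07/20 16:51:11 NetpDsGetDcName: failed to find a DC having account 'A-USHAS2-80C$': 0x525
07/20 16:51:11 NetpDsGetDcName: failed to find a DC in the specified domain: 0x54b
07/20 16:51:11 NetpDoDomainJoin: status: 0x54b
"""
SAMPLE_LOGON_FAILURE = r"""
07/20 14:47:50 NetpDsGetDcName: found DC '\\reskit' in the specified domain
07/20 14:47:50 NetUseAdd to \\reskit\IPC$ returned 1326
07/20 14:47:50 NetpJoinDomain: status of connecting to dc '\\reskit: 0x52e
07/20 14:47:50 NetpDoDomainJoin: status: 0x52e
"""
SAMPLE_ACCOUNT_EXISTS = r"""
08/11 14:08:30 NetpManageMachineAccountWithSid: NetUserAdd on '\\DC9' for 'A-ERINCO-TBCB$' failed: 0x8b0
08/11 14:08:30 NetpManageMachineAccountWithSid: status of attempting to set password on '\\DC9' for 'A-ERINCO-TBCB$': 0x0
"""

if __name__ == "__main__":
    for name, text in [("no DC", SAMPLE_NO_DC), ("logon failure", SAMPLE_LOGON_FAILURE),
                       ("account exists", SAMPLE_ACCOUNT_EXISTS)]:
        r = triage(text)
        print(f"{name}: final={r['final_status']!r}")
        for f in r["findings"]:
            print(f"  {f['func']}: 0x{f['code']:x} {f['name']} [{f['category']}]")
```

Point triage() at the contents of %SystemRoot%\debug\netsetup.log to get the same summary for a real join attempt.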
To investigate further, connect to the domain controller by using the Ldp tool. Acquire the security descriptor on the computer account and determine whether the user trying to join has sufficient permissions to gain access to the computer account.

To use Ldp to acquire the security descriptor

1. From the Start menu, click Run, and then type the following: ldp
2. Connect and bind to a domain controller in the domain whose security descriptor you are searching for. To connect, on the Connection menu, click Connect, and then type a server name. To bind, on the Connection menu, click Bind, and then type an account name, password, and domain if you want to connect to a domain other than the domain to which you are currently logged on.
3. On the Browse menu, point to Security, and click Security Descriptor.
4. Provide the distinguished name of the computer object whose security descriptor you are looking for.

Here is a sample output:

    Revision: 1
    Sbz1: 0
    Control: (0x8c04) SE_DACL_PRESENT SE_DACL_AUTO_INHERITED SE_SACL_AUTO_INHERITED SE_SELF_RELATIVE
    Owner: S-1-0x000005--0x20-0x220 BUILTIN\Administrators
    Group: S-1-0x000005--0x20-0x220 BUILTIN\Administrators
    Dacl:
    Revision: 4
    Sbz1: 0
    Size: 972
    No of Aces: 24
    Sbz2: 0
    Ace[0]:
    Type: (0) ACCESS_ALLOWED_ACE_TYPE
    AceSize: 0x24
    AceFlags: (0x0)
    Mask: 0x000f01ff
    Sid: S-1-0x000005--0x15-0x3bdcf4dc-0x64495118-0x500cebdb-0x200 DDS\Domain Admins
    Ace[1]:
    Type: (5) ACCESS_ALLOWED_OBJECT_ACE_TYPE
    AceSize: 0x28
    AceFlags: (0x0)
    Mask: 0x00000010
    Flags: 0x1 ACE_OBJECT_TYPE_PRESENT
    Object Type: (in HEX)(59ba2f42-79a2-11d0-90-20-00-c0-4f-c2-d3-cf) GUID_PS_GENERAL_INFO
    Sid: S-1-0x000005--0xb NT AUTHORITY\Authenticated Users

For more information about interpreting the mask, ACE types, and flags, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. Follow the links to ntsam.h.

The following example shows a successful attempt to join a computer to a domain in the Netsetup.log file:

    NETSETUP.log file
    07/30 13:58:35 NetpDoDomainJoin
    07/30 13:58:35 NetpMachineValidToJoin: USER1
    07/30 13:58:35 NetpGetLsaPrimaryDomain: status: 0x0
    07/30 13:58:35 NetpMachineValidToJoin: status: 0x0
    07/30 13:58:35 NetpJoinDomain
    07/30 13:58:35 Machine: USER1
    07/30 13:58:35 Domain: RESKIT
    07/30 13:58:35 MachineAccountOU: (NULL)
    07/30 13:58:35 Account: RESKIT\reskit
    07/30 13:58:35 Options: 0x40001
    07/30 13:58:35 OS Version: 5.0
    07/30 13:58:35 Build number: 2089
    07/30 13:58:35 NetpCheckDomainNameIsValid [ Exists ] for RESKIT returned 0x0
    07/30 13:58:35 NetpValidateName: name RESKIT is valid for type 3
    07/30 13:58:35 NetpDsGetDcName: trying to find DC in domain RESKIT, flags: 0x1020
    07/30 13:58:50 NetpDsGetDcName: failed to find a DC having account 'USER1$': 0x525
    07/30 13:58:50 NetpDsGetDcName: found DC \\RESKIT-DC-08 in the specified domain
    07/30 13:58:51 NetpJoinDomain: status of connecting to dc \\RESKIT-DC-08: 0x0
    07/30 13:58:51 NetpGetLsaPrimaryDomain: status: 0x0
    07/30 13:58:51 NetpLsaOpenSecret: status: 0xc0000034
    07/30 13:58:52 NetpJoinDomain: status of setting machine password: 0x0
    07/30 13:58:52 NetpJoinDomain: status of setting netlogon cache: 0x0
    07/30 13:58:52 NetpGetLsaPrimaryDomain: status: 0x0
    07/30 13:58:52 NetpSetLsaPrimaryDomain: for RESKIT status: 0x0
    07/30 13:58:52 NetpJoinDomain: status of setting LSA pri. domain: 0x0
    07/30 13:58:53 NetpJoinDomain: status of managing local groups: 0x0
    07/30 13:58:54 NetpJoinDomain: status of starting Netlogon: 0x0
    07/30 20:58:55 NetpJoinDomain: status of setting ComputerNamePhysicalDnsDomain reskit.reskit.com: 0x0
    07/30 20:58:55 NetpDsSetSPN: Setting DnsHostName USER1.reskit.reskit.com on CN=USER1,CN=Computers,DC=reskit,DC=microsoft,DC=com
    07/30 20:58:55 NetpDsSetSPN: Setting SPN HOST/USER1.reskit.reskit.com on CN=USER1,CN=Computers,DC=reskit,DC=microsoft,DC=com
    07/30 20:58:55 NetpJoinDomain: status of disconnecting from \\RESKIT-DC-08: 0x0
    07/30 20:58:55 NetpDoDomainJoin: status: 0x0

Permissions on Computer Account Objects

This section describes the security on domain computer accounts before and after an upgrade to Windows 2000 Server. This information can be used in troubleshooting permissions on computer account objects in Active Directory and in determining which user created the computer account before the upgrade.

The Discretionary ACL (DACL) contains access control entries (ACEs) that define permissions on a specific object. In Windows NT 4.0, when a computer account is created, the Domain Administrators local group becomes the owner of the computer account. The user who created the computer account is stored as part of its data, and the DACL on the computer account includes limited rights for the user (such as deleting the account).

When you upgrade to a Windows 2000-based server, the following changes occur on each computer account:

- A computer account object is created in the default Computers container.
- The original owner (for example,  administrator) of the computer account remains the same. The privileges that the original owner had on the computer object in Windows NT 4.0 are retained as part of the upgrade.
- The DACL on the computer account is reset to the default that is defined for objects of the computer class in the schema. This DACL includes an entry for Creator Owner and, when viewed with ACL Editor, displays the name of the appropriate user.

Note: Other ACEs can be present if users or groups are added or if permissions are changed on parent containers in Active Directory, which results in additional inherited permissions.

The following default DACLs apply to new computer accounts:

- Self: Create All Child Objects; Delete All Child Objects
- Authenticated Users: Read; Read Public Information
- System: (Full Control)
- Creator Owner: (Full Control)
- Domain Administrators: (Full Control)
- Cert Publishers: (no permissions)
- Enterprise Administrators (inherited permissions): Read; Write; Create All Child Objects; Change Password; Receive As; Reset Password; Send As; Read Public Information; Write Public Information
- Account Operators: (Full Control)
- Print Operators: (no permissions)
- Everyone: Change Password

Note: If the account is created by using the privilege "Add workstations to the domain," then the rights of the Creator Owner are limited. Specifically, the Creator Owner is not allowed to change the DACL nor to delete the account. In addition, a quota check limits the number of objects that can be created by the person who is using the quota. For more information about default DACLs, see "Access Control" in this book.

Secure Channel Issues

For each Windows 2000-based client or server that is a member of a domain, there is a discrete communication channel, known as the secure channel. This secure channel is used by the Net Logon service on the client and on the domain controller to communicate with each other. The Netdom tool is used to reset the secure channel.

If the computer account's password and the local password are not synchronized, the Net Logon service logs one or both of the following error messages:

    The session setup from the computer DOMAINMEMBER failed to authenticate. The name of the account referenced in the security database is DOMAINMEMBER$. The following error occurred: Access is denied.

    NETLOGON Event ID 3210: Failed to authenticate with \\DOMAINDC, a Windows NT domain controller for domain DOMAIN.

The Net Logon service on the domain controller logs the following error message when the password is not synchronized:

    NETLOGON Event 5722: The session setup from the computer %1 failed to authenticate. The name of the account referenced in the security database is %2. The following error occurred: %n%3

Resetting Secure Channels and Computer Accounts

The following tools are available to reset the secure channel and the computer account:

- Resource Kit tools: Netdom.exe and Nltest.exe
- Active Directory Users and Computers console

Using Netdom to Reset the Secure Channel

By using the Netdom.exe command-line tool, which is provided in the Windows 2000 Resource Kit, you can reset the secure channel between the domain's member workstation and the domain controller. For example, suppose you have a domain member named DOMAINMEMBER. You can reset the member's secure channel by running the following command:

    netdom reset member /domain:domain

You can run this command on the member DOMAINMEMBER. To run this command on any other member or domain controller in the domain, you must provide an account that has administrator access to DOMAINMEMBER. For example:

    netdom reset member /domain:domain /usero:member-admin /passwordo:member-pw

Adding a Workstation or Member Server to a Domain

To add a workstation or member server to a domain, do the following:

1. Add the workstation Work1 to the Windows NT 4.0 domain Domain1:

       netdom add /d:domain1 work1 /ud:domain1\admin /pd:password

2. Add the workstation Work1 to the Windows 2000 domain reskit.com in the organizational unit my-computers, as shown here:

       netdom add work1 /d:reskit.com /OU:OU=my-computers,DC=reskit,DC=com

Note: The /OU parameter requires a complete distinguished name as specified by RFC 1779. If the /OU parameter is not specified, the computer account is created in the Computers container.

Joining a Workstation or Member Server to a Domain

To join a workstation or member server to a domain, you can use the Netdom tool. For example, to join a workstation called Work1 to the reskit.com domain in the my-computers organizational unit, carry out the following:

    netdom join work1 /d:reskit.com /OU:OU=my-computers,DC=reskit,DC=com /reboot:120

In addition to adding the computer account to the domain, the workstation is modified to contain the appropriate shared secret to complete the join procedure. If the join procedure can be completed, the /reboot switch causes the computer to be automatically shut down and restarted after giving the user two minutes to save work in progress.

Using Nltest to Reset the Computer Secure Channel

By using the Nltest.exe command-line tool, you can reset secure channels that computers have with domain controllers in their domains. Nltest.exe can be used to test the trust relationship between a computer that is running Windows 2000 and is a member of a domain and a domain controller on which its computer account resides, as shown in the following example:

    C:\Ntreskit\Nltest.exe
    Usage: nltest [/OPTIONS]
    /SC_QUERY:<DomainName> - Query secure channel for <domain> on <ServerName>
    /SERVER:<ServerName>
    /SC_RESET:<DomainName> - Renegotiates the secure channel in the specified domain for a local or remote workstation, server, or domain controller

An example to reset the secure channel:

    nltest /sc_query:reskit /server:Server22
    Flags: 30
    Connection Status = 0 0x0 NERR_Success
    Trusted DC Name \\Server1.reskit.com
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully

    nltest /sc_reset:reskit /server:Server2
    Flags: 30
    Connection Status = 0 0x0 NERR_Success
    Flags: 30 HAS_IP HAS_TIMESERV
    Trusted DC Name \\server.reskit.com
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully

Using the Active Directory Users and Computers Console to Reset Computer Account Passwords

By using Windows 2000, you can also reset the computer account password in the Active Directory Users and Computers console. Right-click the computer object in the Computers folder or other appropriate container, and then click Reset Account. The Reset Account context menu resets the computer account password back to a starting password. This is used only if the computer has been taken offline and been completely reinstalled. Resetting the account password allows the (rebuilt) computer to rejoin the domain using the same name. If this command is carried out when the computer has not been reinstalled, the computer cannot authenticate in the domain.

Note: Resetting the password for domain controllers by using this method is not allowed.

Using Nltest to View Trusted Domains

Different data about the trust relationship is kept in several key attributes of each trustedDomain object. The following are the key attributes:

- flatName. Contains the NetBIOS name of the domain for this trust relationship.
- trustDirection. Contains the direction of the established trust relationship: 0 = Disabled; 1 = Inbound (trusting domain); 2 = Outbound (trusted domain); 3 = Both (trusted and trusting domains).
- trustPartner. Contains a string that represents the DNS-style name of the domain if it is a Windows 2000 domain, or the NetBIOS name of the domain if it is a trust relationship between a Windows 2000 domain and a non-Windows 2000 domain.
- trustType. Contains the type of trust relationship that has been established to the domain: 1 = A trust relationship between a Windows 2000 domain and a Windows NT 4.0 or earlier domain; 2 = A Windows 2000 trust relationship; 3 = A trust relationship between a Windows 2000 domain and a non-Windows Kerberos realm.

By using the Nltest command-line tool, you can display the current list of trusted domains known by a specified server. Nltest.exe is available with Windows 2000 Server Support Tools. (To use Nltest, install the tools that are located in the Support\Tools folder on the Windows 2000 Server operating system CD. To install the tools, double-click the Setup icon in that folder. For more information about using Nltest, see Windows 2000 Support Tools Help.)

Use the /domain_trusts option to list the domains that have trust relationships with the current domain. For each domain listed in the results, the following data is displayed:

- Trust Index (a number that identifies an entry in the enumerated list of trusts).
- NetBIOS domain name of the trusted domain (for example, reskit).
- DNS domain name of the trusted domain (for example, reskit.com).
- Trust type: NT 4 (for a trust relationship with a Windows NT domain), NT 5 (for a trust relationship with a Windows 2000 domain), or MIT (for a trust relationship with a non-Windows Kerberos realm). For more information about types of trust relationships, see "Active Directory Logical Structure" in this book.

In addition, the following values are reported where applicable:

- Forest Tree Root: Identifies the forest root domain.
- Forest Trust Index: Indicates the domain that is the forest root.
- Primary Domain: Identifies the domain in which the contacted server is located.
- Direct Outbound: Identifies the domain as being directly trusted by the primary domain.
- Direct Inbound: Identifies the domain as directly trusting the primary domain.
- Attr: Returns the bits specifying the value in the trustAttributes attribute on the trustedDomain object. This value determines, for example, whether the trust relationship is transitive or nontransitive.
- Native: Identifies a primary domain that is running in native mode. Where no value is displayed for the primary domain, the primary domain is running in mixed mode.

For example, the following Nltest command, executed on a computer that is a member of the noam.reskit.com domain, returns:

    D:\>nltest /domain_trusts
    List of domain trusts:
    0: RESKIT reskit.com (NT 5) (Forest Tree Root) (Direct Outbound) (Direct Inbound) ( Attr: 0x400000 )
    1: AVIONICS avionics.reskit.com (NT 5) (Forest: 0)
    2: EUROPE europe.reskit.com (NT 5) (Forest: 0)
    3: NOAM noam.reskit.com (NT 5) (Forest: 0) (Primary Domain) (Native)
    The command completed successfully

This output indicates the following:

- Reskit.com is the forest root domain.
- All of the domains are in the same forest as reskit.com (identified by the index number 0).
- All of the trust relationships are Windows 2000 trust relationships (indicated by "NT 5").
- Noam.reskit.com is the domain of the server that is running Nltest.
- Noam.reskit.com, which is a primary domain, is running in native mode.

To run a query on a specific server, type nltest /server:<servername> /domain_trusts. For example, the following "domain that is trusted" list might be displayed if a query is run on a domain controller in the root domain of the forest. (This example shows root.com as the root domain.)

    0: TESTDOMAIN testdomain.root.com (NT 5) (Forest: 3) (Direct Outbound)
    1: CHILD child.root.com (NT 5) (Forest: 3) (Direct Outbound)
    2: GRANDCHILD grandchild.child.root.com (NT 5) (Forest: 1)
    3: ROOT root.com (NT 5) (Forest Tree Root) (Primary Domain)
    4: NT4DOMAIN (NT 4) (Direct Outbound)
    5: NEWROOT newroot.com (NT 5) (Forest Tree Root) (Direct Outbound) ( Attr: 0x800000 )

Note: Nltest shows trusted domains with transitive trust relationships as Windows 2000 trust relationships without the Direct Outbound tag.

Another way to view domains and trust relationships is by using ADSI Edit.

To view trusted domains and trust relationship properties by using ADSI Edit

1. In ADSI Edit, expand the domain directory partition node and navigate to the System container.
2. In the console details pane, use the Class column to identify all objects with the type trustedDomain.
3. To view properties, right-click the trustedDomain object, and then click Properties.
4. In the Select which properties to view box, click Both to view both optional and mandatory attributes.
5. In the Select a property to view box, select a property. Its value is displayed in the Value(s) box.

Checking Trust Relationships Authenticated by the Kerberos v5 Protocol

Use the Netdom tool to verify the Kerberos v5 authentication protocol between a client and a target domain. The Netdom tool trust verification option with the /Kerberos switch allows you to obtain a session ticket from the Kerberos authentication service in the target domain. If successful, the conclusion is that Kerberos operations, such as Key Distribution Center (KDC) referrals, are operating correctly between the workstation and the target domain. Upon failure, the list of referral tickets currently cached is displayed. If you do not receive the session ticket, the cause of failure can be determined by tracing the list of referral tickets from the KDCs located on the path toward the target domain.

To verify the Kerberos authentication protocol, issue the following command:

    NETDOM TRUST <trusting_domain_name> /d:<name of the trusted domain> /Kerberos /UserO:<User account for making the connection with the trusted domain> /PasswordO:<Password of the user account specified by /UserO> /UserD:<User account used to make the connection with the domain specified by the /domain argument> /PasswordD:<trusted_domain_user_password>

Note: Both users must be specified because the command will attempt a Kerberos v5 authentication of those users.

The above command will verify the following:

- The trust passwords are correct (for example, determine if the passwords match).
- The users can be located in Active Directory.
- The users can be authenticated through the issuance of Kerberos v5 tickets.

For more information on the Netdom tool, see Windows 2000 Support Tools Help. For more information on Kerberos v5 authentication, see "Authentication" in this book.

Failed Logons in the Absence of Global Catalog Servers

For Windows 2000 in native mode, a Global Catalog is required for the logon process. If the domain controller cannot contact a Global Catalog server, the user is not able to log on. An exception is made only for the administrator account in the domain (RID 0x1F4). This account is allowed to log on even without a Global Catalog, so that in an emergency situation a Global Catalog can be configured.

Specifically, group expansion during token creation when the user is logging on to a workstation is as follows:

1. Add the user's SID to the token.
2. Add the global groups that the user is part of to the token.
3. Add the universal groups to which the user's SID and the global groups belong to the token.
4. Add the domain local groups to which the preceding accounts belong to the token. This step is performed at a domain controller for the domain to which the workstation belongs. Domain local groups are not added to the token if this domain is in mixed mode.
5. Add the local and built-in local group memberships on the workstation for the set computed in steps 1 through 4. If the user is connecting to or logging on to a domain controller, this step addresses only the built-in local groups (the domain local groups were evaluated in step 4).
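The five group-expansion steps above, as an added model in Python that is not Microsoft's code: the directory, machine, group memberships and SIDs are constructed for illustration, and the one assumption beyond the text is that outside native mode the universal-group step is simply skipped when no Global Catalog is reachable (the page states the Global Catalog requirement for native mode only).

```python
"""Model of the page's five group-expansion steps for a Windows 2000 logon token."""
from dataclasses import dataclass
from typing import Dict, Set

ADMIN_RID = 0x1F4   # the domain Administrator account: the only exception when no GC is reachable


class LogonDenied(Exception):
    """Raised where the page says the user 'is not able to log on'."""


@dataclass
class Directory:
    native_mode: bool
    gc_available: bool                       # can the domain controller reach a Global Catalog?
    global_groups: Dict[str, Set[str]]       # group SID -> member SIDs
    universal_groups: Dict[str, Set[str]]    # membership held on the Global Catalog
    domain_local_groups: Dict[str, Set[str]]


@dataclass
class Machine:
    is_domain_controller: bool
    local_groups: Dict[str, Set[str]]        # local groups in the machine's own SAM
    builtin_groups: Dict[str, Set[str]]      # BUILTIN\... aliases


def rid(sid: str) -> int:
    return int(sid.rsplit("-", 1)[1])


def groups_containing(groups: Dict[str, Set[str]], members: Set[str]) -> Set[str]:
    """SIDs of every group whose member list overlaps the accounts gathered so far."""
    return {g for g, m in groups.items() if m & members}


def build_token(user_sid: str, d: Directory, m: Machine) -> Set[str]:
    token = {user_sid}                                          # step 1: the user's SID
    token |= groups_containing(d.global_groups, token)          # step 2: global groups
    if d.gc_available:                                          # step 3: universal groups
        token |= groups_containing(d.universal_groups, token)
    elif d.native_mode and rid(user_sid) != ADMIN_RID:
        raise LogonDenied("no Global Catalog reachable and user is not RID 0x1F4")
    # Assumption: outside native mode the page states no GC requirement, so the
    # universal-group step is simply skipped when no GC can be reached.
    if d.native_mode:                                           # step 4: domain local groups
        token |= groups_containing(d.domain_local_groups, token)
    if not m.is_domain_controller:                              # step 5: local groups ...
        token |= groups_containing(m.local_groups, token)
    token |= groups_containing(m.builtin_groups, token)         # ... and built-in local groups
    return token


# Constructed sample directory (all SIDs are made up for illustration).
USER = "S-1-5-21-1-1-1-1105"
ADMIN = "S-1-5-21-1-1-1-500"
G_DOMAIN_ADMINS = "S-1-5-21-1-1-1-512"     # global
G_ENG = "S-1-5-21-1-1-1-1106"              # global
U_ALL_ENG = "S-1-5-21-1-1-1-1107"          # universal, contains G_ENG
DL_PRINT = "S-1-5-21-1-1-1-1108"           # domain local, contains U_ALL_ENG
L_PRINT_USERS = "S-1-5-21-2-2-2-1001"      # workstation local group, contains DL_PRINT
BUILTIN_ADMINS, BUILTIN_USERS = "S-1-5-32-544", "S-1-5-32-545"

GROUPS = dict(global_groups={G_DOMAIN_ADMINS: {ADMIN}, G_ENG: {USER}},
              universal_groups={U_ALL_ENG: {G_ENG}},
              domain_local_groups={DL_PRINT: {U_ALL_ENG}})
NATIVE_WITH_GC = Directory(native_mode=True, gc_available=True, **GROUPS)
NATIVE_NO_GC = Directory(native_mode=True, gc_available=False, **GROUPS)
MIXED_WITH_GC = Directory(native_mode=False, gc_available=True, **GROUPS)
# The join process adds Domain Admins to the local Administrators group (see above).
BUILTIN = {BUILTIN_ADMINS: {G_DOMAIN_ADMINS}, BUILTIN_USERS: {G_ENG}}
WORKSTATION = Machine(False, {L_PRINT_USERS: {DL_PRINT}}, BUILTIN)
DOMAIN_CONTROLLER = Machine(True, {}, BUILTIN)

if __name__ == "__main__":
    print("native, GC up, workstation:", sorted(build_token(USER, NATIVE_WITH_GC, WORKSTATION)))
    print("mixed,  GC up, workstation:", sorted(build_token(USER, MIXED_WITH_GC, WORKSTATION)))
    try:
        build_token(USER, NATIVE_NO_GC, WORKSTATION)
    except LogonDenied as e:
        print("native, no GC, ordinary user:", e)
    print("native, no GC, Administrator:", sorted(build_token(ADMIN, NATIVE_NO_GC, WORKSTATION)))
```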