Unable to Join Windows Client to Microsoft Entra Domain Services (Error: “The specified network name is no longer available”)

Bartender admin 0 Reputation points
2025-10-10T06:41:44.98+00:00

Hello,

I am unable to join a Windows 11 client to my managed domain in Microsoft Entra Domain Services (domainname.org).

The domain join consistently fails with:

“The specified network name is no longer available.”

Here is an excerpt from C:\Windows\Debug\NetSetup.log:

NetpJoinDomainOnDs: found DC '\XR7FTQ2Y4FKGXN0.domainname.org'

NetUseAdd to \XR7FTQ2Y4FKGXN0.domainname.org\IPC$ returned 64

NetpJoinDomainOnDs: status of connecting to dc '\XR7FTQ2Y4FKGXN0.domainname.org': 0x40

NetpDoDomainJoin: status: 0x40

All required ports are open and verified:

  • SMB (445), Kerberos (88/464), LDAP (389/636), GC (3268/3269), RPC (135) – all return TcpTestSucceeded = True for both DCs (10.100.7.4, 10.100.7.5).

Other details:

  • The domain’s Secure LDAP certificate (*.domainname.org) is valid, issued for both *.domainname.org and domainname.org, and configured in Entra Domain Services.
  • The root CA certificate is trusted on the client.
  • DNS SRV records resolve correctly (_ldap._tcp.dc._msdcs.domainname.org → XR7FTQ2Y4FKGXN0.domainname.org, RI7MB5ZO9KW0SN2.domainname.org).
  • Time synchronization is working (w32tm synced to time.windows.com).
  • The client is in the same network, with DNS set to the AAD DS IPs.

Despite this, domain join fails at the SMB stage with error 0x40.

Best regards,

Bengt Nilsson

Microsoft Security | Microsoft Entra | Microsoft Entra ID
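
An added example, not part of the original post: Python that parses the NetSetup.log lines quoted in the question, normalizes the decimal and hex status values (64 and 0x40 are the same code), and reports the first stage that returned non-zero. The function names, the stage labels and the short error-name table are assumptions of this example.

```python
import re

# Subset of Win32 error codes (winerror.h) that show up in failed joins.
WIN32 = {0: "ERROR_SUCCESS", 5: "ERROR_ACCESS_DENIED", 53: "ERROR_BAD_NETPATH",
         64: "ERROR_NETNAME_DELETED", 1326: "ERROR_LOGON_FAILURE"}

FOUND_DC = re.compile(r"NetpJoinDomainOnDs: found DC '\\+(?P<dc>[^']+)'")
# (stage label, pattern); the status group is decimal or 0x-hex depending on the line.
STAGES = [
    ("SMB session to IPC$",
     re.compile(r"NetUseAdd to \\+(?P<dc>[^\\\s]+)\\IPC\$ returned (?P<code>\w+)")),
    ("DC connect",
     re.compile(r"status of connecting to dc '\\+(?P<dc>[^']+)': (?P<code>\w+)")),
    ("Join result", re.compile(r"NetpDoDomainJoin: status: (?P<code>\w+)")),
]

# The excerpt quoted in the question, copied as it appears on the page.
SAMPLE = r"""
NetpJoinDomainOnDs: found DC '\XR7FTQ2Y4FKGXN0.domainname.org'
NetUseAdd to \XR7FTQ2Y4FKGXN0.domainname.org\IPC$ returned 64
NetpJoinDomainOnDs: status of connecting to dc '\XR7FTQ2Y4FKGXN0.domainname.org': 0x40
NetpDoDomainJoin: status: 0x40
"""

def to_int(text):
    """Parse '64' and '0x40' to the same integer."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)

def triage(log_text):
    """Return discovered DCs, the first non-zero stage in log order, and the join status."""
    dcs, first_failure, join_status = [], None, None
    for line in log_text.splitlines():
        found = FOUND_DC.search(line)
        if found:
            dcs.append(found["dc"])
            continue
        for stage, pattern in STAGES:
            m = pattern.search(line)
            if not m:
                continue
            code = to_int(m["code"])
            if stage == "Join result":
                join_status = code
            elif code and first_failure is None:
                first_failure = {"stage": stage, "dc": m["dc"], "code": code,
                                 "name": WIN32.get(code, "unknown")}
    return {"dcs": dcs, "first_failure": first_failure, "join_status": join_status}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the quoted excerpt the first failing stage is the IPC$ connection, after DC discovery has already succeeded, which matches the observation that the join fails at the SMB stage even though the TCP port tests pass.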

Answer recommended by moderator

Bartender admin 0 Reputation points
2025-10-14T08:22:19.4866667+00:00

Hi Luis,

I got in contact with a person that has worked a lot with Azure.

The answer is that what I tried to do will never work!

"Azure AD Domain Services is intended for use by virtual machines in Azure virtual networks. It isn't designed to be used by client devices that are located outside of Azure, such as workstations in an on-premises network or home network."

https://learn.microsoft.com/en-us/entra/identity/domain-services/overview

Thanks for your help!

Bengt

2 additional answers

  1. Bartender admin 0 Reputation points
    2025-10-14T06:23:29.3033333+00:00

    Hi Luis,

    Thanks for your help!

    I will contact the person that set up the firewall and ask them to check the packages sent.

    Bengt

  2. Luis Arias 9,536 Reputation points Volunteer Moderator
    2025-10-13T12:21:28.7233333+00:00

    Hello Bartender,

    I understood that a Windows 11 client located in a customer office fails to join Microsoft Entra Domain Services with error 0x40, despite successful port connectivity tests over a VPN tunnel to Azure where the AD servers reside; meanwhile, a Windows Server 2022 in the same Azure network joins successfully, suggesting the issue lies in mid-path interference likely caused by the office firewall or VPN device disrupting SMB/Kerberos packet negotiation during the domain join process.

    User's image

    I summarized the case on this diagram from the information provided. Since all required ports (389, 636, 88, 445) are reachable from the Windows 11 client over the VPN tunnel, and a Windows Server 2022 in Azure joins successfully, the issue likely stems from mid-path interference, most often caused by firewall or VPN devices silently dropping or altering Kerberos or SMB packets during negotiation.

    I would suggest performing a packet capture directly on the firewall or VPN appliance during the domain join attempt. Look specifically for:

    • Missing or dropped Kerberos TGS-REP packets (UDP/TCP 88)
    • SMB session setup failures (TCP 445)
    • Asymmetric routing or TTL inconsistencies

    This will help verify if the device is modifying or blocking critical packets even when port tests pass.

    If this resolves your question, please accept the answer.

    Luis
