I have an Active Directory that is based on a primary domain controller as well as two additional domain controllers which are all Windows Server 2022 machines and are hardened according to the CIS benchmark. I wanted to test joining several different Server versions ranging from Windows Server 2012R2 to Windows Server 2022. I tried all of this while the different Server versions were unhardened (i.e. with the default settings) as well as after hardening them according to the CIS benchmarks. On the Windows Server 2012R2 as well as the Windows Server 2022 machines, joining the domain is not a problem. However, I’m not able to join the Windows Server 2016 and Windows Server 2019 VMs to the domain in any case. I am always getting the message Access is denied . The account used to join is the same on all machines. Some other things I have made sure before writing this question: DNS is setup properly and working NTP is configured correctly and all machines are in sync The machines that join the AD are able to contact the domain controllers on at least the following ports: 53/TCP 53/UDP 88/TCP 135/TCP 389/TCP 389/UDP 445/TCP 1024-65535/TCP Ensured that none of the listed points in this guide apply. For all the VMs that are working and not working I ran the command systeminfo and you’ll find the output below. Here the Windows Server 2016 and 2019 machines have not been hardened to rule out that this is the cause, yet the output in both cases is the same: pdc.txt win12.txt win16.txt win19.txt win22.txt Further, these are the logs produced in the NetSetup.log when trying to join as well as the EventLog entry that is generated: NetSetup.log eventlog.log Do you have any idea/hint what could be the cause of this and how I can resolve it? Thanks very much in advance!

Hi @[AndreBreuer-1699] By default a stantard account can join 10 machine. You can modify this value but I suggest to you to follow this solution: Try to create a computer account for impacted servers before the join. When you create the computer account you can specify which account can be used to join the machine. One done try to join again your machine. Please don't forget to accept helpful answer

The issue I faced here was related to the SMB protocols. In our hardening we only allowed the cipher suite AES-256-GCM. I found out that this was the issue here since it seems that Windows Server 2016 and Windows Server 2019 do not support AES-256-GCM, but only AES-128-GCM and AES-128-CCM. When adding AES-128-GCM to the list of allowed cipher suites with a preference to use AES-256-GCM everything worked well without any issues. However, I do believe that this might be a bug, since Windows Server 2012R2 could join in any case even when AES-256-GCM was the only cipher suite allowed. Does anyone have some further insights on this or knows why it would work with the 2012R2 version when it didn't work with 2016 and 2019?

Domain Join Failed Windows Server 2016 and 2019

AndreBreuer-1699 0

I have an Active Directory that is based on a primary domain controller as well as two additional domain controllers which are all Windows Server 2022 machines and are hardened according to the CIS benchmark.

I wanted to test joining several different Server versions ranging from Windows Server 2012R2 to Windows Server 2022. I tried all of this while the different Server versions were unhardened (i.e. with the default settings) as well as after hardening them according to the CIS benchmarks. On the Windows Server 2012R2 as well as the Windows Server 2022 machines, joining the domain is not a problem. However, I’m not able to join the Windows Server 2016 and Windows Server 2019 VMs to the domain in any case. I am always getting the message Access is denied. The account used to join is the same on all machines. Some other things I have made sure before writing this question:

DNS is setup properly and working
NTP is configured correctly and all machines are in sync
The machines that join the AD are able to contact the domain controllers on at least the following ports:
- 53/TCP
- 53/UDP
- 88/TCP
- 135/TCP
- 389/TCP
- 389/UDP
- 445/TCP
- 1024-65535/TCP
Ensured that none of the listed points in this guide apply.

For all the VMs that are working and not working I ran the command systeminfo and you’ll find the output below. Here the Windows Server 2016 and 2019 machines have not been hardened to rule out that this is the cause, yet the output in both cases is the same:

Further, these are the logs produced in the NetSetup.log when trying to join as well as the EventLog entry that is generated:

Do you have any idea/hint what could be the cause of this and how I can resolve it? Thanks very much in advance!

2 answers

Thameur-BOURBITA 32,641 Reputation points

2024-01-24T14:43:18.2166667+00:00

Hi @[AndreBreuer-1699]

By default a stantard account can join 10 machine.

You can modify this value but I suggest to you to follow this solution:

Try to create a computer account for impacted servers before the join.

When you create the computer account you can specify which account can be used to join the machine. One done try to join again your machine.

Please don't forget to accept helpful answer
Please sign in to rate this answer.
Daisy Zhou 21,361 Reputation points Microsoft Vendor

2024-01-25T06:54:34.8066667+00:00

Hello AndreBreuer-1699, Thank you for posting in Q&A forum. The problem could be that you have exceeded the maximum number of computer accounts allowed to be established for this domain. Make sure that you have the permission to add computers to the domain and that you are not exceeding the quota defined by your domain administrator. By default, non-admin users can join up to 10 computers to a domain. You can use the adsiedit.msc tool to change the upper limit of your domain computer account. To change the maximum number of computers that can join a domain, please refer to the link: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/default-workstation-numbers-join-domain I hope the information above is helpful. If you have any question or concern, please feel free to let us know. Best Regards, Daisy Zhou

If the Answer is helpful, please click "Accept Answer" and upvote it.

Thameur-BOURBITA 32,641 Reputation points

2024-01-25T09:15:08.3133333+00:00

@AndreBreuer-1699

Just cheking if there is any progress.

Please don't forget to accept helpful answer

AndreBreuer-1699 0 Reputation points

2024-01-25T09:25:55.6033333+00:00

Thanks a lot for this response @Thameur-BOURBITA. Unfortunately this resulted in the same error. The only difference is now that the line

NetpDsGetDcName: failed to find a DC having account 'WIN16$': 0x525, last error is 0x0

disappeared from the logs, but the rest is exactly the same as before.

AndreBreuer-1699 0 Reputation points

2024-01-25T09:30:58.6366667+00:00

@Daisy Zhou Thanks a lot for this response. This unfortunately also didn't help in resolving the problem. What I did is that I changed the setting and rebooted the domain controllers and retried afterwards. The error is still the same.

Maybe some further information that I didn't mention before:

The number of computers didn't impact it. When considering the current state of joined machines and I replace the Windows Server 2016 or 2019 machine by any other Windows Server 2022 or 2012R2 VM and try to join, this works without any issue.

In order to rule out that the issue is caused by the account trying to join I also tried joining the computer with a domain admin account. This resulted in the same error as well as the same logs.

I tried joining via the UI as well as PowerShell and both resulted in the same.

Thameur-BOURBITA 32,641 Reputation points

2024-01-25T11:15:30.1133333+00:00

@AndreBreuer-1699

It seems that the omputer account you created is not replicated on the DC where the server try to join the domain.

Did you check the replication health on your domain controller ?

dcdiag Repadmin .showrepl

Please don't forget to accept helpful answer

Thameur-BOURBITA 32,641 Reputation points

2024-01-25T11:24:56.8133333+00:00

@AndreBreuer-1699

Following to the error , it can be a network flows issue. You mentioned TCP but there there is also UDP port required between server and domain controllers.

Below a similar thread talking about the same error: [Unable to join domain] (https://learn.microsoft.com/en-us/answers/questions/224533/unable-to-join-domain-the-network-path-was-not-fou?page=2)

Please don't forget to accept helpful answer

AndreBreuer-1699 0 Reputation points

2024-01-25T12:45:53.4933333+00:00

Hey, thanks for the further Answer @Thameur-BOURBITA, when I run the repadmin /showrepl or dcdiag it is telling me that the last attempt was successful. Even when forcing the sync with repadmin /syncall /AdeP it works without issues telling me the replication was successful.

I also tried to temporarly completely disable the firewall within my network which didn't change a thing. Yet, if it would be a replication error or a network error, would it then not affect other machines trying to join (remember doing the same right now with a Windows Server 2012R2 or Windows Server 2022 VM works seamlessly)?

Thameur-BOURBITA 32,641 Reputation points

2024-01-25T12:59:50.2333333+00:00

@AndreBreuer-1699 •

Please check the file %windir%\debug\Netsetup.log when you try to join the machine ? If you find a error message can you share it with us ? Please take a look at this link: How to troubleshoot errors that occur when you join Windows-based computers to a domain

Please don't forget to accept helpful answer

AndreBreuer-1699 0 Reputation points

2024-01-25T13:33:53.12+00:00

@Thameur-BOURBITA I already shared the NetSetup.log with you in my initial post. Except of timestamp there is nothing that has changed in the logs during the last runs. Here is the link again:

NetSetup.log

Thameur-BOURBITA 32,641 Reputation points

2024-01-25T14:57:52.5633333+00:00

@AndreBreuer-1699

Thank you for the log. Did you try to reset computer account you created and try to join it.

I fount this Microsoft article talking about the same error:

Join and Authentication Issues

Please don't forget to accept helpful answer

AndreBreuer-1699 0 Reputation points

2024-01-25T15:05:34.37+00:00

@Thameur-BOURBITA I have already tried setting up a completely fresh AD environment having no computer accounts previously just to test this and still ran into the same error.

Thameur-BOURBITA 32,641 Reputation points

2024-01-25T15:25:29.9366667+00:00

@AndreBreuer-1699

It may be a network issue Reverbed for example. Try to launch network capture during the server join to get more details about the communication btween the server and domain controllers.

Please don't forget to accept helpful answer

Thameur-BOURBITA 32,641 Reputation points

2024-01-25T15:29:59.1433333+00:00

@AndreBreuer-1699 • Can you take a look at this Microsoft article talking about the same error:

Common issues and solutions

Please don't forget to accept helpful answer

AndreBreuer-1699 0 Reputation points

2024-01-29T08:24:27.44+00:00

Thank you @Thameur-BOURBITA, unfortunately the Microsoft article is not talking about the same error. When you have a closer look at the NetSetup.log, you'll discover that the NetUseAdd operation returns the code 5 and the NetpDoDomainJoin operation returns status: 0x5 instead of status: 0x569. Anyways I checked the points described in the article and the user account performing the domain join operation has been granted the Access this computer from the network right and the other GPOs are also applied successfully. Maybe I am missing something here, but if this wouldn't be applied correctly a domain join wouldn't be possible with any Windows Server or Desktop version I am trying to join, would it?

Thameur-BOURBITA 32,641 Reputation points

2024-01-29T08:37:02.6566667+00:00

@AndreBreuer-1699

I confirm that Domain join is possible with any profession version of windows server and desktop. In my envirement I have many server Windows 2016 and Windows 2019 joined to domain without any issue. Did you try with domain admins account just to be sure that's not a permission issue ?

Please don't forget to accept helpful answer
Sign in to comment
AndreBreuer-1699 0 Reputation points

2024-04-15T11:36:05.5133333+00:00

The issue I faced here was related to the SMB protocols. In our hardening we only allowed the cipher suite AES-256-GCM. I found out that this was the issue here since it seems that Windows Server 2016 and Windows Server 2019 do not support AES-256-GCM, but only AES-128-GCM and AES-128-CCM.

When adding AES-128-GCM to the list of allowed cipher suites with a preference to use AES-256-GCM everything worked well without any issues.

However, I do believe that this might be a bug, since Windows Server 2012R2 could join in any case even when AES-256-GCM was the only cipher suite allowed.

Does anyone have some further insights on this or knows why it would work with the 2012R2 version when it didn't work with 2016 and 2019?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Domain Join Failed Windows Server 2016 and 2019

2 answers