Domain Join Failed Windows Server 2016 and 2019

AndreBreuer-1699 0 Reputation points
2024-01-24T13:09:58.7666667+00:00

I have an Active Directory that is based on a primary domain controller as well as two additional domain controllers which are all Windows Server 2022 machines and are hardened according to the CIS benchmark.

I wanted to test joining several different Server versions ranging from Windows Server 2012R2 to Windows Server 2022. I tried all of this while the different Server versions were unhardened (i.e. with the default settings) as well as after hardening them according to the CIS benchmarks. On the Windows Server 2012R2 as well as the Windows Server 2022 machines, joining the domain is not a problem. However, I’m not able to join the Windows Server 2016 and Windows Server 2019 VMs to the domain in any case. I am always getting the message Access is denied. The account used to join is the same on all machines. Some other things I have made sure before writing this question:

  • DNS is setup properly and working
  • NTP is configured correctly and all machines are in sync
  • The machines that join the AD are able to contact the domain controllers on at least the following ports:
    • 53/TCP
    • 53/UDP
    • 88/TCP
    • 135/TCP
    • 389/TCP
    • 389/UDP
    • 445/TCP
    • 1024-65535/TCP
  • Ensured that none of the listed points in this guide apply.

For all the VMs that are working and not working I ran the command systeminfo and you’ll find the output below. Here the Windows Server 2016 and 2019 machines have not been hardened to rule out that this is the cause, yet the output in both cases is the same: 

Further, these are the logs produced in the NetSetup.log when trying to join as well as the EventLog entry that is generated: 

Do you have any idea/hint what could be the cause of this and how I can resolve it?  Thanks very much in advance!

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,351 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,716 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Thameur-BOURBITA 33,976 Reputation points
    2024-01-24T14:43:18.2166667+00:00

    Hi @[AndreBreuer-1699]

    By default a stantard account can join 10 machine.

    You can modify this value but I suggest to you to follow this solution:

    Try to create a computer account for impacted servers before the join.

    When you create the computer account you can specify which account can be used to join the machine. One done try to join again your machine.

    Please don't forget to accept helpful answer


  2. AndreBreuer-1699 0 Reputation points
    2024-04-15T11:36:05.5133333+00:00

    The issue I faced here was related to the SMB protocols. In our hardening we only allowed the cipher suite AES-256-GCM. I found out that this was the issue here since it seems that Windows Server 2016 and Windows Server 2019 do not support AES-256-GCM, but only AES-128-GCM and AES-128-CCM.

    When adding AES-128-GCM to the list of allowed cipher suites with a preference to use AES-256-GCM everything worked well without any issues.

    However, I do believe that this might be a bug, since Windows Server 2012R2 could join in any case even when AES-256-GCM was the only cipher suite allowed.

    Does anyone have some further insights on this or knows why it would work with the 2012R2 version when it didn't work with 2016 and 2019?

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.