cant connect new pc to my domain

Question

we are trying to replace pc in the domain, and we can't join the to the domain

Answer 1

Hi Jesse,

This issue usually happens when replacing a PC in the domain and something is not aligned between DNS, Active Directory, or the existing computer account.

First, please check DNS settings on the new PC. Make sure it is pointing to your Domain Controller and not to a public DNS server.

Run the following command to verify:

ipconfig /all

Next, confirm the PC can reach the Domain Controller and resolve the domain name correctly:

ping yourdomain.local

nslookup yourdomain.local

If these fail, the issue is most likely DNS or network related. Also, if you are reusing the same computer name, check Active Directory. The old computer object might still exist and block the join process. You can delete or reset it before trying again.

Another common cause is time synchronization. If the system time is not aligned with the domain, the join will fail:

w32tm /resync

If the issue still persists, please share the exact error message you receive during the domain join. That will help narrow down the root cause.

I hope you can solve your problem.

TV

Answer 2

Use the following checks and steps to troubleshoot joining the new PC to the Active Directory domain.

1. Verify the user is allowed to join computers to the domain
   • If the error in NetSetup.log or on screen indicates exceeding the maximum number of computer accounts, the user may have hit the default limit (10 computers per user) or be blocked by Group Policy.
   • In Active Directory, verify:
     • The default limit on the number of workstations a user can join to the domain.
     • The user account is included in the Add workstations to domain user right in the effective GPO:
       • Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → Add workstations to domain.
   • If needed, add the appropriate admin or service account to that policy or use a domain admin account to join the PC.
2. Confirm network and DNS configuration
   • Ensure the new PC:
     • Can reach a domain controller (ping DC name and IP).
     • Uses only the domain DNS servers (no public DNS) so it can resolve _ldap._tcp.dc._msdcs.<domain> records.
3. Join the computer to the domain again
   • From System → About → Domain or workgroup (or via sysdm.cpl), attempt to join the domain using a domain account that has the right to add workstations.
   • If it fails, review C:\Windows\Debug\NetSetup.log for a status code such as 0x216d (indicates the account limit / GPO restriction described above).
4. If replacing an existing PC with the same name
   • In Active Directory Users and Computers, locate the old computer account.
   • Either reuse it (ensure it is enabled) or delete it before joining the new PC with the same name.
   • Then attempt the domain join again with a permitted account.

If the PC was previously joined and now shows “The trust relationship between this workstation and the primary domain failed” when logging in, repair the trust instead of doing a fresh join:

1. Sign in with a local administrator account on the PC.
2. Open an elevated Command Prompt and run (replace placeholders with real values):

      netdom verify ComputerName /domain:YourDomainName
   

3. Reset the machine password and secure channel:

      netdom resetpwd /server:DomainControllerName /userd:Domain\Username /passwordd:*
      netdom reset /domain:YourDomainName /userd:DomainUsername /passwordd:*
   

4. Restart the PC and rejoin the domain if required.

---

References:

• Status code 0x216d: Your computer could not be joined to the domain
• Join a computer to a domain (windows-client-10)
• Join a computer to a domain (windows-client-11)
• Join a computer to a domain (windows-server-2016)
• Join a computer to a domain (windows-server-2019)
• Join a computer to a domain (windows-server-2022)
• Join a computer to a domain (windows-server-2025)