Active Directory: Inclusion in Active Directory not possible

The following situation arose at a customer: at one location, clients could not be joined to the Active Directory. Analyzing the error took some time, and to make matters worse there were other DNS problems that had to be resolved first.

A new site was to be added to the Active Directory. The new location was connected to the main location via a site-to-site VPN connection.

Active Directory

Location A contains a domain controller and is connected to location B via a VPN tunnel. The server in location B was first to be joined to the Active Directory and then promoted to a domain controller.

After fixing some DNS and replication errors in location A, an attempt was made to join the server in location B to the AD. The attempt failed with the error message:

The server cannot execute the request

At first, no more information than the message above was available.

DCDIAG and NLTEST did not report any errors. NSLOOKUP could resolve all relevant DNS records from location B to location A. All ports required for Active Directory were open as well, and a domain join in location A still worked.

The Netsetup.log file (located under C:\Windows\Debug) then provided the decisive clue:

09/13/2012 11:26:50:672 NetpLdapBind: ldap_bind failed on DC.domain.local: 81: Server shut down
09/13/2012 11:26:50:672 NetpJoinDomainOnDs: Function exits with status of: 0x3a
09/13/2012 11:26:50:672 NetpJoinDomainOnDs: status of disconnecting from '\\DC.domain.local': 0x0
09/13/2012 11:26:50:672 NetpDoDomainJoin: status: 0x3a
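As an added example (not from the original post), the following Python script parses Netsetup.log lines of the kind shown above and decodes the two codes that matter here: LDAP result 81 (LDAP_SERVER_DOWN, the client never got an LDAP bind through to the DC) and Win32 status 0x3a (58, ERROR_BAD_NET_RESP, "The specified server cannot perform the requested operation", which is the generic message the join dialog displayed). The log text inside the script is a constructed sample modelled on the excerpt; the decoding tables only contain the values seen on this page.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the Netsetup.log excerpt in the post.
SAMPLE_LOG = r"""
09/13/2012 11:26:50:672 NetpLdapBind: ldap_bind failed on DC.domain.local: 81: Server shut down
09/13/2012 11:26:50:672 NetpJoinDomainOnDs: Function exits with status of: 0x3a
09/13/2012 11:26:50:672 NetpJoinDomainOnDs: status of disconnecting from '\\DC.domain.local': 0x0
09/13/2012 11:26:50:672 NetpDoDomainJoin: status: 0x3a
"""

# Win32 error codes as written by the join code (hex in the log).
WIN32_STATUS = {
    0x0: ("ERROR_SUCCESS", "The operation completed successfully."),
    0x3a: ("ERROR_BAD_NET_RESP", "The specified server cannot perform the requested operation."),
}

# LDAP result codes as reported by ldap_bind (decimal in the log).
LDAP_RESULT = {
    81: ("LDAP_SERVER_DOWN", "The LDAP server could not be contacted; the bind never reached the DC."),
}

# "<date> <time> <function>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3}) (?P<func>\w+): (?P<msg>.*)$"
)
# Any message that ends in ": 0x<hex>" carries a Win32 status.
STATUS_RE = re.compile(r": (0x[0-9a-fA-F]+)\s*$")
# The LDAP bind failure line names the DC and the LDAP result code.
LDAP_RE = re.compile(r"ldap_bind failed on (?P<dc>\S+): (?P<code>\d+): (?P<text>.*)$")


@dataclass
class Finding:
    timestamp: str
    function: str
    kind: str          # "ldap" or "win32"
    code: int
    name: str
    description: str


def parse_netsetup(log_text: str) -> List[Finding]:
    """Extract every status code from Netsetup.log text, in log order."""
    findings: List[Finding] = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation or unrelated line
        ts, func, msg = m.group("ts", "func", "msg")

        lm = LDAP_RE.search(msg)
        if lm:
            code = int(lm.group("code"))
            name, desc = LDAP_RESULT.get(code, ("LDAP_UNKNOWN", lm.group("text")))
            findings.append(Finding(ts, func, "ldap", code, name, f"{desc} (DC: {lm.group('dc')})"))
            continue

        sm = STATUS_RE.search(msg)
        if sm:
            code = int(sm.group(1), 16)
            name, desc = WIN32_STATUS.get(code, ("UNKNOWN", "not in local table"))
            findings.append(Finding(ts, func, "win32", code, name, desc))
    return findings


def failures(findings: List[Finding]) -> List[Finding]:
    """Only the non-zero codes, i.e. the actual errors."""
    return [f for f in findings if f.code != 0]


def root_cause_hint(findings: List[Finding]) -> str:
    """Turn the code sequence into the check a practitioner should run next."""
    ldap_down = any(f.kind == "ldap" and f.name == "LDAP_SERVER_DOWN" for f in findings)
    bad_resp = any(f.kind == "win32" and f.name == "ERROR_BAD_NET_RESP" for f in findings)
    if ldap_down and bad_resp:
        # Name resolution and open ports from the client side are not enough:
        # the DC must also have a return route to the client's subnet.
        return ("LDAP bind to the DC failed before the join started; "
                "verify routing in BOTH directions (client -> DC and DC -> client subnet), "
                "not only DNS and firewall ports from the client.")
    if failures(findings):
        return "Join failed; inspect the decoded codes above."
    return "No errors recorded."


if __name__ == "__main__":
    found = parse_netsetup(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} {f.function:<20} {f.kind:<5} {f.code:>4} {f.name}: {f.description}")
    print(root_cause_hint(found))
```

The hint mirrors the outcome of the case: every client-side check (DCDIAG, NLTEST, NSLOOKUP, ports) passed, yet the bind still failed because the domain controller had no route back to the new site.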

A common cause of this error is an incorrectly configured routing topology. In this case, I therefore sought the support of a network specialist who was familiar with the customer's routing topology. Thanks to his help, the error was quickly found. There were two routers in the network: one router was responsible for the Internet connection, the other established the VPN connection. Ultimately, a route pointing to location B was missing on the domain controller in location A.

At this point I can also recommend this link:

http://social.technet.microsoft.com/wiki/contents/articles/1935.troubleshooting-domain-join-error-messages-en-us.aspx

EDIT: Michel has summarized the problem with the 2 routers once again in a nice article. Many thanks at this point! http://networkguy.de/?p=409
