Active Directory


Lexluethar

Currently I'm working on a certification in Server 2008. I'm working on managing and joining workstations in the server that I have running 2008.

My question is, for whatever reason, every time I try to join my laptop to the AD, I get an error that reads:
The join operation was not successful. This could be because an existing computer account having name "MIKELAPTOP" was previously created using a different set of credentials. Use a different computer name, or contact your administrator to remove any stale conflicting account. The error was: Access Denied.

I have a computer set up in the AD named MIKELAPTOP, I have a user set up with the correct permissions to log onto that computer, yet I keep getting the error. I've deleted the computer in the AD and recreated it, yet I get the same error.

It is almost as if I have to use another name, and MIKELAPTOP is being used in the AD, which it isn't YET because I haven't joined MIKELAPTOP to the AD. The computer is created, but hasn't been joined yet...

Any insight would be awesome.
 
Don't create the computer name manually; when you join the laptop to the AD, it will automatically create it.

So delete the computer again, then try to join the laptop back to the domain.
 
Do you mean don't create it manually in the AD on the server? If so, I tried that and I get the error message of: the following error occurred attempting to join the domain 'contoso', an attempt to resolve the DNS name of the DC in the domain being joined has failed. Please verify this client is configured to reach DNS server that can resolve DNS names in the target domain.

I've tried a few different things like:
-deleting and recreating both the user accounts and computer in the AD
-tried multiple accounts that I've created (both admin and normal users)
-it is communicating with the AD, because if I mess something up, like a password, user name or the times when the user can log in, it will throw out the corresponding error message
-disabling Kerberos preauthentication
-deleting the computer in the AD and then joining
-tried changing the name of the computer joining the AD
-rebooted both machines
-tried moving the AD computer name from clients to another OU, like computers or servers, still no go.
-made sure both the user logging in and the computer are in the same group, in this case help desk.

Thank god someone is up, thank you Osiris.

Update: Okay, I'm a tardmo. If you go to the user account that is trying to log in, I've updated the user logon name (it was blank before because I created the account using a script). Now I get the error of 'the specified server cannot perform the requested operation.'

Which kinda leaves me hanging because it gives no detail.
 
I'm assuming this isn't on a real production environment network, correct?

I think something isn't set up correctly but not sure what exactly.....

Do you have a generic account with admin privs to join to domain?

Have you tried adding the DNS suffix in the network adapter?

And you have tried names other than the username you are using right now?

Are there any other accounts already joined to the domain?

Have you tried using nslookup for any DNS errors such as name resolution?

On the AD server, does it resolve the correct IP address?

Is the AD server IP address Static or DHCP?

On the AD server does it show in the Event Viewer a computer trying to reach the server but failing?

What is the client OS?

Is NetBIOS over TCP/IP enabled?

Have you tried joining to the domain using the FQDN or IP address?
 
Haha ya, this is just out of a textbook that I've been studying on AD. The contoso is a made-up directory. I've followed the book up to this point, and for whatever reason can't get any accounts to log into this laptop no matter what I name the laptop.

I agree with you, it definitely isn't set up correctly because the communication is there, just something isn't correct.

1. I have a generic account and other accounts that I've made up because of other exercises. At first I tried the account that was supposed to log into this PC onto the AD. Once that didn't work I created my own account that is an admin and gave all privileges, still doesn't work. I get the same error.

2. I have not tried to add the DNS suffix, would that mean like contoso.com? If so I've tried that and it can't find that, although contoso.com is the domain that is set up. I have to use contoso as the domain name on the computer to get it to recognize and prompt for a user name and PW. What should I put in the DNS suffix?

3. Yup, tried many. All with different privileges and what not, all get the same error with the exception of those who don't have access (which I know how to change at this point, changed it and still no go).

4. No other accounts have joined. I've created users, OUs and Containers (for the computers). First time I've tried to log in from another computer (I can log in locally with any account that is set up with the proper permissions). So I guess I'm doing two things at once, joining a computer to the OU (container?) AND logging in using another user account. Maybe I should log off the computer (I was trying the same user account, but I tried others as well and couldn't log in).

5. I have not looked at any DNS errors.

6. Can communicate fine with the PC. Both are pingable back and forth. It communicates fine, b/c I've tried to log in with incorrect credentials and I get an 'invalid user name/password' error. Tried logging in when the user didn't have permission to log on from this PC and got a 'permissions' error. So communication is fine, I believe it is a setup error.

7. Static IP, I can ping the IP and server name

8. I just started looking there, but haven't found any error reports yet.

9. Vista Ultimate

10. Not sure, where do I check?

11. I have not done that yet, but I've tried a few different combinations to see if perhaps contoso isn't the correct name.

Forgive me, I'm still learning a lot of this so I'm not 100% on where to search for some of the information you've asked. What is FQDN?


Edit: Tried logging off, still no go, get the error An attempt to resolve the DNS name of the DC in the domain being joined has failed. Tried multiple users when logged off the server, still no go. Get same error. I also log onto the server as Administrator, which is NOT what I've been using to log onto the domain from the workstation.

It's weird, seems like now I'm getting the consistent error of DNS name of the DC, when before I was getting a different error (one mentioned previously).
 
FQDN = Fully qualified domain name or absolute name. Sometimes it's needed to resolve correctly. An example - for my domain I use NA, but when something isn't correct I use na.autoedir.com, which tells the computer exactly where it is in the domain.

I remember the contoso stuff :D

When I did this, I used a VM, are you able to create a VM to test?
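
The DNS lookups behind the "attempt to resolve the DNS name of the DC" error in this thread can be checked directly. The script below is an added example, not part of any post in the thread: the function name `Test-DomainJoinDns` is hypothetical, `contoso.com` is the thread's textbook domain, and it assumes a client that has the `Resolve-DnsName` cmdlet (Windows 8 / Server 2012 or later, so not the Vista workstation discussed here).

```powershell
# Added example: repeat the DNS lookups a client needs to locate a DC during a domain join.
# Assumption: Resolve-DnsName / Get-DnsClientServerAddress are available (Windows 8 / Server 2012+).
function Test-DomainJoinDns {
    param(
        [Parameter(Mandatory = $true)][string]$DomainFqdn,  # full DNS name, e.g. contoso.com
        [string]$DnsServer                                  # optional: query this server directly
    )

    # DC locator record: SRV for LDAP on the domain controllers of this domain.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainFqdn"
    $query = @{ Name = $srvName; Type = 'SRV'; ErrorAction = 'Stop' }
    if ($DnsServer) { $query['Server'] = $DnsServer }

    try {
        $srv = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' })
    } catch {
        Write-Warning "Lookup of $srvName failed: $($_.Exception.Message)"
        $srv = @()
    }
    if ($srv.Count -eq 0) {
        Write-Warning "No SRV records found. Check that the client's DNS server setting points at the DNS server hosting the $DomainFqdn zone."
        return
    }

    # Each SRV target (a DC host name) must itself resolve to an address.
    foreach ($record in $srv) {
        $lookup = @{ Name = $record.NameTarget; Type = 'A'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $lookup['Server'] = $DnsServer }
        $addresses = @(Resolve-DnsName @lookup |
            Where-Object { $_.Type -eq 'A' } |
            ForEach-Object { $_.IPAddress })

        [pscustomobject]@{
            DomainController = $record.NameTarget
            Port             = $record.Port
            Addresses        = $addresses -join ', '
            Resolves         = ($addresses.Count -gt 0)
        }
    }
}

# Show which DNS servers each adapter actually uses, then run the check.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
Test-DomainJoinDns -DomainFqdn 'contoso.com'
```

On a client without these cmdlets, `nslookup -type=SRV _ldap._tcp.dc._msdcs.contoso.com` issues the same SRV query.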
 
No, reason being is my computer is a POS. I can barely run 2008 as it is. Running the minimum requirements (1 gig RAM being the issue).

So get this, I checked the server logs and it seems as if the user logs in successfully (audit successful) and then logs off 30 seconds later. So while the workstation is 'thinking', the server sees it as a successful login, but then when I get the error message that is when I get a logoff security log. Looking into if it gives any errors or reasons...

Ya, I really enjoy this stuff. It takes it beyond hardware / software, and into an architecture or how to set up something. Now if I could just join the darn domain... :)

Edit: I do have two other desktops I could use, but they would only be able to run XP, maybe to see if it is the users that are set up incorrectly or if the Vista workstation is configured incorrectly.

Edit Edit: I'm going to bed Osiris, I'll be back on tomorrow afternoon. Thanks again and I'll keep you posted.
 
Here is where you add the DNS Helper Statement

[Attached image: dnshelperstatements.jpg]
 
I'll try both the XP machine and adding the DNS suffix to the Vista workstation today.

Thanks again Osiris. I'll keep you posted.
 