Ldap Bind Failure for workstation join to Win2K domain

MikeyDL

Have this Win2K domain which has been active for years. However,
recently I haven't been able to join any workstations to the domain.
When I try to join the workstation to the domain I get the domain
logon box for account/pass and then the following dialog error message
"The following error occurred attempting to join the domain. The
specified server cannot perform the requested action."

I've been researching the problem for a couple of days and discovered
that there is a NetSetup log in %windows%/debug which has some more
specific info on joining the domain. During the joindomain process it
finds my domain but then gives the following error: "NetpLdapBind:
ldap_bind failed on \\domain.com: 81: Server Down"

It then rolls back the join domain process and outputs the above error
message. This is a total Win2K setup with DNS, DHCP and user
validation on the Win2K server. Been researching for a couple of days
with no luck.

Thanks!
 
Jason Robarts [MSFT]

I'd try nltest.exe /dsgetdc:domain.com /FORCE and verify the client can use
the DC locator to find a DC. If that doesn't work I expect the ldap_bind
wouldn't work.

Per Q216393:
"The Netdom.exe and Nltest.exe tools are located on the Windows Server
CD-ROM in the Support\Tools folder. To install these tools, run Setup.exe or
extract the files from the Support.cab file."

Jason
 
Jason Robarts [MSFT]

Doh - I told you how to check but not what to do about it. If this doesn't
work then check the IP settings of the client and make sure it is pointed to
the DNS server that has the SRV records for the domain. Also make sure the
DCs are up and have registered their SRV records. Failing that, run dcdiag
on the DCs to see if there is an error.

Jason
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
 
MikeyDL

Hi,

Thanks for the advice. I did get the server tools installed and try
the nltest. This was the output:

C:\Documents and Settings\mikeydl>nltest /dsgetdc:domain.org
DC: \\locutus.domain.org
Address: \\192.168.1.10
Dom Guid: caab8e81-5e6e-4760-936d-7b3ae8030bbb
Dom Name: domain.org
Forest Name: domain.org
Dc Site Name: DOMAIN
Our Site Name: DOMAIN
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST
CLOSE_SITE
The command completed successfully

I'm not sure how to read the output but I assume this was a successful
domain check. When I try to add the workstation on the domain after
logging on it does make a computer account but I notice that it is
disabled after creating it. I have tried enabling the account and
then adding workstation or creating the computer account first but
with no luck. I'm able to ping the domain, dns servers and the whole
bit. Was reading that Win2K DNS is dynamic by default and checked to
make sure none of the disable registry settings were added as mentioned
in some DNS ldap error postings I've seen. Still no luck!
 
Jason Robarts [MSFT]

Just to be sure - you have domain.com in your netlogon output and domain.org
in your nltest output. You didn't make a typo when joining, right? That would
explain the server down issue.

Just want to confirm before I investigate this further.

Jason
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
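
The cross-check raised in the reply above (does the name in the failed ldap_bind match the domain the DC locator returned?) can be scripted. This is an added example, not code from the thread: the function names are hypothetical, the NetSetup.log line and nltest fields are the ones quoted in the thread, and the filler log line is constructed.

```python
import re

# NetSetup.log line as quoted in the thread; the filler line is constructed.
NETSETUP_LOG = r"""
(constructed filler line, not real NetSetup.log output)
NetpLdapBind: ldap_bind failed on \\domain.com: 81: Server Down
"""

# nltest fields as posted in the thread, including the wrapped Flags lines.
NLTEST_OUTPUT = r"""
DC: \\locutus.domain.org
Address: \\192.168.1.10
Dom Name: domain.org
Forest Name: domain.org
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST
CLOSE_SITE
The command completed successfully
"""

BIND_FAIL = re.compile(
    r"NetpLdapBind: ldap_bind failed on \\\\(\S+?): (\d+): (.*)")

def parse_bind_failures(log_text):
    """Return (target, ldap_code, message) for each failed bind in the log."""
    return [(m.group(1), int(m.group(2)), m.group(3).strip())
            for m in BIND_FAIL.finditer(log_text)]

def parse_nltest(output):
    """Parse 'Key: value' lines; re-join Flags that wrapped onto later lines."""
    fields, last = {}, None
    for line in output.splitlines():
        line = line.strip()
        key, sep, value = line.partition(": ")
        if sep and re.fullmatch(r"[A-Za-z ]+", key):
            fields[key] = value.strip()
            last = key
        elif last == "Flags" and re.fullmatch(r"[A-Z_ ]+", line):
            fields["Flags"] += " " + line
    return fields

def norm(name):
    """Compare DNS names without UNC backslashes, trailing dot or case."""
    return name.strip().lstrip("\\").rstrip(".").lower()

def cross_check(log_text, nltest_output):
    """Tie each failed bind to what the DC locator actually returned."""
    dc = parse_nltest(nltest_output)
    located = {norm(dc.get(k, "")) for k in ("Dom Name", "Forest Name")} - {""}
    findings = []
    for target, code, msg in parse_bind_failures(log_text):
        if norm(target) not in located:
            findings.append(f"bind target {target!r} is not the located "
                            f"domain {sorted(located)}")
        elif code == 81:  # LDAP_SERVER_DOWN
            findings.append(f"{target}: DC {dc.get('DC')} was located but the "
                            f"bind returned 81 ({msg}); check SRV records, "
                            f"clock skew and the DC event log")
    return findings
```
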



MikeyDL

Thanks for the help. Yes I didn't do a typo. Was trying to keep the
domain private but that is kind of dumb with my e-mail address giving
it away. I tested for hibh.org with nltest and tried joining to the
same domain. No typos as far as I know.

I also took my laptop off the domain and tried to join it to make sure
it wasn't just a NIC/or NIC driver issue. Had the same problem with
the laptop as the desktop.

Thanks

Michael


Jason Robarts [MSFT]

I don't know if a join requires Kerberos but if the time between the two
machines is out of sync that could cause an ldap bind problem. I would
expect it to fail over to NTLM but I believe the failover can be turned off.
I'd expect the time sync to be done automatically but you could try it.

I'd also run dcdiag on the DC returned by the nltest /dsgetdc command and
look at the event log on that DC and verify neither has any errors.

Jason

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm



MikeyDL

Here is the output of the dcdiag.exe test on the dc....


C:\temp>dcdiag

DC Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial non skippeable tests

Testing server: HIBH\LOCUTUS
Starting test: Connectivity
......................... LOCUTUS passed test Connectivity

Doing primary tests

Testing server: HIBH\LOCUTUS
Starting test: Replications
......................... LOCUTUS passed test Replications
Starting test: NCSecDesc
......................... LOCUTUS passed test NCSecDesc
Starting test: NetLogons
......................... LOCUTUS passed test NetLogons
Starting test: Advertising
......................... LOCUTUS passed test Advertising
Starting test: KnowsOfRoleHolders
......................... LOCUTUS passed test
KnowsOfRoleHolders
Starting test: RidManager
......................... LOCUTUS passed test RidManager
Starting test: MachineAccount
......................... LOCUTUS passed test MachineAccount
Starting test: Services
......................... LOCUTUS passed test Services
Starting test: ObjectsReplicated
......................... LOCUTUS passed test
ObjectsReplicated
Starting test: frssysvol
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
......................... LOCUTUS passed test frssysvol
Starting test: kccevent
......................... LOCUTUS passed test kccevent
Starting test: systemlog
......................... LOCUTUS passed test systemlog

Running enterprise tests on : hibh.org
Starting test: Intersite
......................... hibh.org passed test Intersite
Starting test: FsmoCheck
......................... hibh.org passed test FsmoCheck

C:\temp>

Looks like the frssysvol test has some errors. Was doing a little bit
of research on this area. Maybe a DNS problem? Was researching
dynamic updating of DNS records but it sounds like that is activated
by default and that you can do some registry edits to stop it. From
some samples of dynamic DNS updating examples I looked in the registry
but didn't find any of those entries. Am I on the wrong track here?

Thanks,

Michael
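
In the dcdiag output posted above, the frssysvol test prints an Error line and is still reported as passed, which a scan for "failed" alone would miss. The parser below is an added example, not part of the thread: it lists every test that failed or that passed while printing diagnostic text. Function names are hypothetical, and the sample is an excerpt of the posted output.

```python
import re

# Excerpt of the dcdiag output posted in the thread (note the wrapped
# KnowsOfRoleHolders result line).
DCDIAG_OUTPUT = r"""
Testing server: HIBH\LOCUTUS
Starting test: KnowsOfRoleHolders
......................... LOCUTUS passed test
KnowsOfRoleHolders
Starting test: frssysvol
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
......................... LOCUTUS passed test frssysvol
Starting test: systemlog
......................... LOCUTUS passed test systemlog
"""

START = re.compile(r"Starting test: (\S+)")
RESULT = re.compile(r"\.{5,} (\S+) (passed|failed) test ?(\S*)")

def parse_dcdiag(text):
    """Return [(test, target, verdict, notes)] for each test in the output."""
    results, current, notes = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := START.match(line):
            current, notes = m.group(1), []
        elif m := RESULT.match(line):
            target, verdict, name = m.groups()
            # A wrapped result line has no test name; use the open test.
            results.append((name or current, target, verdict, notes))
            current, notes = None, []
        elif current and line:
            # Anything printed between "Starting test" and the verdict.
            notes.append(line)
    return results

def needs_review(results):
    """Tests that failed, or that passed while still printing messages."""
    return [r for r in results if r[2] == "failed" or r[3]]

if __name__ == "__main__":
    for test, target, verdict, notes in needs_review(parse_dcdiag(DCDIAG_OUTPUT)):
        print(f"{target} {test}: {verdict}")
        for note in notes:
            print(f"    {note}")
```
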
