update

Deland-Han · Deland-Han · commit 995ebab48caf · 2025-04-17T16:54:31.000+08:00
diff --git a/support/windows-server/active-directory/active-directory-domain-join-troubleshooting-guidance.md b/support/windows-server/active-directory/active-directory-domain-join-troubleshooting-guidance.md
@@ -129,50 +129,7 @@ The output indicates that the Kerberos Port TCP 88 is open between the client an
 
 ### Error code 0x54b
 
-:::image type="content" source="media/active-directory-domain-join-troubleshooting-guidance/error-0x54b-message.png" alt-text="Screenshot of the dialog box showing the error message for error code 0x54b.":::
-
-Here's an example of the error message:
-
-> Note: This information is intended for a network administrator.  If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.
->
-> The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "<domain_name>":
->
-> The error was: "This operation returned because the timeout period expired."
-> (error code 0x000005B4 ERROR_TIMEOUT)
->
-> The query was for the SRV record for <srv_record>
->
-> The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
->
-> <ip_address>
->
-> Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.
-
-Here's an example from the *netsetup.log* file:
-
-```output
-mm/dd/yyyy hh:mm:ss:ms NetpValidateName: checking to see if '<domain_name>' is valid as type 3 name
-mm/dd/yyyy hh:mm:ss:ms NetpCheckDomainNameIsValid for <domain_name> returned 0x54b, last error is 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpCheckDomainNameIsValid [ Exists ] for '<domain_name>' returned 0x54b
-```
-
-To resolve the 0x54b error, follow these steps:
-
-- Check the network connectivity between the client and the Domain controller.
-- Verify if the Preferred DNS Server is the correct DNS Server.
-- Run `nltest /dsgetdc` (DC Discovery) to verify if you can discover a DC.
-  
-  For example:
-
-  ```console
-  nltest /dsgetdc:<domain_name> /force
-  ```
-
-  Expected Output:
-
-  :::image type="content" source="media/active-directory-domain-join-troubleshooting-guidance/nltest-output.png" alt-text="Screenshot that shows the nltest command output.":::
-
-- Run `DCDiag /v` on the closest domain controller and verify if SRV records are registered. For example: `_ldap._tcp.dc._msdcs.<domain_name>.com`.
+For more information, see [Domain join error code 0x54b](error-code-0x54b.md).
 
 ### Error code 0x0000232A
 
diff --git a/support/windows-server/active-directory/error-code-0x54b.md b/support/windows-server/active-directory/error-code-0x54b.md
@@ -0,0 +1,163 @@
+---
+title: Domain join error code 0x54b
+description: Provides troubleshooting steps for resolving the error code 0x54b when you join a workgroup computer to a domain.
+ms.date: 04/17/2025
+manager: dcscontentpm
+audience: itpro
+ms.topic: troubleshooting
+ms.reviewer: eriw,dennhu,herbertm
+ms.custom:
+- sap:active directory\on-premises active directory domain join
+- pcy:WinComm Directory Services
+---
+# Domain join error code 0x54b
+
+This article provides troubleshooting steps for resolving the error code 0x54b when you join a workgroup computer to a domain.
+
+## Symptom
+
+When you join a workgroup computer to a domain, you receive the following error message:
+
+> **Error code 0x0000232A**
+>
+> Computer Name/Domain Changes
+>
+> An Active Directory Domain Controller (AD DC) for the domain "\<NetBIOS\\_name>" could not be contacted.
+>
+> Ensure that the domain name is typed correctly.
+>
+> If the name is correct, click Details for troubleshooting information.
+>
+> Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.
+>
+> The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "\<domain\_name>":
+>
+> The error was: "This operation returned because the timeout period expired." (error code 0x000005B4 ERROR\_TIMEOUT)
+>
+> The query was for the SRV record for \<srv\_record>
+>
+> The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:  
+> \<ip\_address>
+>
+> Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.
+
+Here's an example from the *netsetup.log* file:
+
+```output
+mm/dd/yyyy hh:mm:ss:ms NetpValidateName: checking to see if '<domain_name>' is valid as type 3 name
+mm/dd/yyyy hh:mm:ss:ms NetpCheckDomainNameIsValid for <domain_name> returned 0x54b, last error is 0x0
+mm/dd/yyyy hh:mm:ss:ms NetpCheckDomainNameIsValid [ Exists ] for '<domain_name>' returned 0x54b
+```
+
+## Cause
+
+Error code 0x54b means "ERROR\_NO\_SUCH\_DOMAIN". This error code indicates the specified domain couldn't be contacted, pointing to issues in locating domain controllers.
+
+* Domain Name System (DNS) time-outs and resolution failures when attempting to reach domain controllers.
+* Network connectivity to DC is blocked on TCP port 135,389,445, or RPC dynamic ports.
+
+## Troubleshooting steps
+
+To resolve the 0x54b error, follow these steps:
+
+### Step 1
+
+Check the network connectivity between the client and the Domain controller
+
+| Server Port     | Service             |
+| --------------- | ------------------- |
+| TCP 135         | RPC Endpoint Mapper |
+| TCP 49152-65535 | RPC Dynamic Ports   |
+| TCP 445         | SMB                 |
+| UDP/TCP 389     | LDAP                |
+
+* Refer to the list of required ports in [How to configure a firewall for Active Directory domains and trusts](config-firewall-for-ad-domains-and-trusts.md) .
+
+* Use Test-NetConnection command to test connection between DC.
+
+  ```powershell
+  Test-NetConnection <IP\_address\_of\_the\_DC> -Port 389
+
+  ComputerName: <computer_name>
+  RemoteAddress: <remote_address>
+  RemotePort: 389
+  InterfaceAlias: Ethernet 2
+  SourceAddress: <source_address>
+  TcpTestSucceeded : True
+
+  It indicates that the LDAP Port TCP 389 is open between the client and the DC.
+
+* [PortQry Command Line Port Scanner Version 2.0](https://www.microsoft.com/download/details.aspx?id=17148) can also be used to identify if a port(TCP/UDP) is blocked on DC. Example syntax:
+
+  ```console
+  portqry -n <problem_server> -e 135
+  portqry -n <problem_server> -e 445
+  portqry -n <problem_server> -e 389
+  portqry -n <problem_server> -p UDP -e 389
+  portqry -n <problem_server> -r 49152:65535
+  ```
+
+  Port query output examples:
+
+  * On connection to TCP Port 135 on DC is blocked, the following message is displayed:
+
+    ```console
+    portqry -n <dc_name> -e 135
+
+    Querying target system called:
+
+     <dc_name>
+
+    Attempting to resolve name to IP address...
+
+    Name resolved to <ip_address>
+
+    querying...
+
+    TCP port 135 (epmap service):FILTERED
+    ```
+
+  * On successful connection to TCP port 389 on DC, the following message is displayed:
+
+    ```console
+    portqry -n <dc_name> -e 389
+
+    Querying target system called:
+
+     <dc_name>
+
+    Attempting to resolve name to IP address...
+
+    Name resolved to 192.168.1.2
+
+    querying...
+
+    TCP port 389 (ldap service): LISTENING
+
+* Collect network monitor trace when reproducing the issue to confirm if there's any network connectivity issue if necessary.
+
+### Step 2
+
+Verify if the Preferred DNS Server is the correct DNS Server.
+
+### Step 3
+
+Run `nltest /dsgetdc` (DC Discovery) to verify if you can discover a DC. For example:
+
+```console
+nltest /dsgetdc:<domain_name> /force
+
+           DC: \\<dc_address>
+      Address: \\<dc_address>
+     Dom Guid: <dom_guid>
+     Dom Name: <dom_name>
+  Forest Name: <foreast_name>
+ Dc Site name: Default-First-site-Name
+Our Site Name: Default-First-site-Name
+        Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10 KEYLIST
+The command completed successfully
+```
+
+### Step 4
+
+Run `DCDiag /v` on the closest domain controller and verify if SRV records are registered. For example: **\_ldap.\_tcp.dc.\_msdcs.\<domain\_name>.com.**
diff --git a/support/windows-server/toc.yml b/support/windows-server/toc.yml
@@ -349,12 +349,14 @@ items:
       href: ./active-directory/cannot-connect-internet-domain.md
     - name: Default limit to workstation numbers
       href: ./active-directory/default-workstation-numbers-join-domain.md
-    - name: 'Error 0x6D9 "No more endpoints available from the endpoint mapper"'
+    - name: Error 0x6D9 "No more endpoints available from the endpoint mapper"
       href: ./active-directory/domain-join-error-0x6d9-there-are-no-more-endpoints-available-from-the-endpoint-mapper.md
     - name: Failure when you use an existing computer account to join a domain
       href: ./active-directory/failure-when-you-use-an-existing-computer-account-to-join-a-domain.md
     - name: Error 0x5 Access Denied when you rename a computer
       href: ./active-directory/error-0x5-access-denied-rename-computer.md
+    - name: Error code 0x54b
+      href: active-directory/error-code-0x54b.md
     - name: Error code 0x569
       href: ./active-directory/error-0x569-not-granted-logon-type.md
     - name: Error code 0xa8b
