support/windows-server/active-directory/active-directory-domain-join-troubleshooting-guidance.md
13 additions & 9 deletions
@@ -1,7 +1,7 @@
1
1
---
2
2
title: Active Directory domain join troubleshooting guidance
3
3
description: Provides guidance to troubleshoot domain join issues.
4
-
ms.date: 05/14/2025
4
+
ms.date: 01/26/2026
5
5
manager: dcscontentpm
6
6
audience: itpro
7
7
ms.topic: troubleshooting
@@ -14,11 +14,15 @@ appliesto:
14
14
---
15
15
# Active Directory domain join troubleshooting guidance
16
16
17
+
## Summary
18
+
19
+
20
+
17
21
This guide provides the fundamental concepts used when troubleshooting Active Directory domain join issues.
18
22
19
23
## Troubleshooting checklist
20
24
21
-
- Domain Name System (DNS): Anytime you have an issue joining a domain, one of the first things to check is DNS. DNS is the heart of Active Directory (AD) and makes things work correctly, including domain join. Make sure of the following items:
25
+
-**Domain Name System (DNS):** Anytime you have an issue joining a domain, one of the first things to check is DNS. DNS is the heart of Active Directory (AD) and makes things work correctly, including domain join. Make sure of the following items:
22
26
23
27
- DNS server addresses are correct.
24
28
- DNS suffix search order is correct if multiple DNS domains are in play.
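Review bot: The new "## Summary" heading at new line 17 is followed by three added empty lines (18-20) on top of the existing blank line before the intro sentence. One blank line after the heading is enough, so drop the extra ones to keep the source tidy.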
@@ -27,9 +31,9 @@ This guide provides the fundamental concepts used when troubleshooting Active Di
27
31
- The domain name, domain controllers (DCs), and DNS servers can be pinged.
28
32
- Check for DNS record conflicts for the specific server.
29
33
30
-
-*Netsetup.log*: The *Netsetup.log* file is a valuable resource when you troubleshoot a domain join issue. The *netsetup.log* file is located at *C:\\Windows\\Debug\\netsetup.log*.
31
-
- Network trace: During an AD domain join, multiple types of traffic occur between the client and some DNS servers and then between the client and some DCs. If you see an error in any of the above traffic, follow the corresponding troubleshooting steps of that protocol or component to narrow it down. For more information, see [Using Netsh to Manage Traces](/windows/win32/ndf/using-netsh-to-manage-traces).
32
-
- Domain join hardening changes: Windows updates released on and after October 11, 2022, contain additional protections introduced by [CVE-2022-38042](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38042). These protections intentionally prevent domain join operations from reusing an existing computer account in the target domain unless one of the following conditions exist:
34
+
-**Netsetup.log:** The Netsetup.log file is a valuable resource when you troubleshoot a domain join issue. The netsetup.log file is located at C:\\Windows\\Debug\\netsetup.log.
35
+
- Network trace: During an AD domain join, multiple types of traffic occur between the client and some DNS servers and then between the client and some DCs. If you see an error in any of this traffic, follow the corresponding troubleshooting steps of that protocol or component to narrow it down. For more information, see [Using Netsh to Manage Traces](/windows/win32/ndf/using-netsh-to-manage-traces).
36
+
-**Domain join hardening changes:** Windows updates released on and after October 11, 2022, contain additional protections introduced by [CVE-2022-38042](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38042). These protections intentionally prevent domain join operations from reusing an existing computer account in the target domain unless one of the following conditions exist:
33
37
34
38
- The user attempting the operation is the creator of the existing account.
35
39
- The computer was created by a member of domain administrators.
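Review bot: On new line 36 the sentence still says the protections were "introduced by CVE-2022-38042", which reads as if the CVE itself added them. Since this line is being rewritten anyway, say that the updates contain protections that address CVE-2022-38042, and change "unless one of the following conditions exist" to "exists". The "Network trace:" label on new line 35 is also left unbolded while the DNS, Netsetup.log, and Domain join hardening labels gain bold in this change, so the checklist ends up with mixed styling.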
@@ -49,7 +53,7 @@ The following table lists the ports required to be open between the client compu
49
53
|88|TCP|Kerberos|Kerberos Key Distribution Server|
50
54
|135|TCP|RPC|RPC Endpoint Mapper|
51
55
|445|TCP|SMB|LanmanServer|
52
-
|1024-65535|TCP|RPC|RPC Endpoint Mapper for DSCrackNames, SAMR and Netlogon calls between Client and Domain Controller|
56
+
|1024-65535|TCP|RPC|RPC Endpoint Mapper for DSCrackNames, SAMR, and Netlogon calls between Client and Domain Controller|
53
57
54
58
## Common issues and solutions
55
59
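Review bot: The 1024-65535 row on new line 56 keeps "RPC Endpoint Mapper" as the start of its description, the same label the 135 row uses on line 55, so the table appears to list the endpoint mapper on two different port entries. While touching this line, consider describing the range as the dynamically assigned RPC ports used for the DSCrackNames, SAMR, and Netlogon calls, and lowercase "Client and Domain Controller" to match the rest of the page.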
@@ -64,7 +68,7 @@ The following table lists the ports required to be open between the client compu
64
68
|0x54b|This error occurs because the specified domain can't be contacted, pointing to issues locating domain controllers (DCs).|[Troubleshooting error code 0x54b](error-code-0x54b.md)|
65
69
|0x0000232A|This error indicates that the Domain Name System (DNS) name can't be resolved.|[Troubleshooting error code 0x0000232A](error-code-0x0000232a.md)|
66
70
|0x3a|This error occurs when the client computer lacks reliable network connectivity on Transmission Control Protocol (TCP) 389 port between the client computer and the domain controller (DC).|[Troubleshooting status code 0x3a: The specified server cannot perform the requested operation](status-code-0x3a-server-not-perform-operation.md)|
67
-
|0x216d|This error occurs when the user account has exceeded the limit of 10 computers that can be joined to the domain, or when a Group Policy restricts users from joining computers to the domain.|[Troubleshooting status code 0x216d: Your computer could not be joined to the domain](status-code-0x216d-not-joined-domain.md)|
71
+
|0x216d|This error occurs when the user account exceeds the limit of 10 computers that can be joined to the domain, or when a Group Policy restricts users from joining computers to the domain.|[Troubleshooting status code 0x216d: Your computer could not be joined to the domain](status-code-0x216d-not-joined-domain.md)|
68
72
69
73
### Other errors that occur when you join Windows-based computers to a domain
70
74
@@ -78,11 +82,11 @@ For more information, see:
78
82
To troubleshoot domain join issues, the following logs could help:
79
83
80
84
- Netsetup log
81
-
This log file contains most information about domain join activities. The file is located on the client machine at `%windir%\debug\netsetup.log`.
85
+
This log file contains most information about domain join activities. The file is located on the client machine at %windir%\debug\netsetup.log.
82
86
This log file is enabled by default. No need to explicitly enable it.
83
87
84
88
- Network trace
85
-
The network trace contains the communication between the client computer and relative servers, such as DNS servers and domain controllers over the network. It should be collected at the client computer. Multiple tools can collect network traces, such as Wireshark, netsh.exe which is included in all Windows editions.
89
+
The network trace contains the communication between the client computer and relative servers, such as DNS servers and domain controllers over the network. It should be collected at the client computer. Multiple tools can collect network traces, such as Wireshark or netsh.exe. All Windows editions include netsh.exe.
86
90
87
91
You can collect each log separately. Alternatively, you can use some tools provided by Microsoft to collect them all together. To do so, follow the steps in the following sections.
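Review bot: New line 85 drops the backticks from %windir%\debug\netsetup.log, leaving a path with bare backslashes in running text, while new line 34 writes the same file as C:\\Windows\\Debug\\netsetup.log with escaped backslashes. Keep the code formatting here, or at least use one convention for both mentions of the file. On new line 89, "relative servers" survives the rewrite and probably should read "relevant servers".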