MicrosoftDocs
diff --git a/‎support/windows-server/active-directory/active-directory-domain-join-troubleshooting-guidance.md‎
Lines changed: 3 additions & 91 deletions b/‎support/windows-server/active-directory/active-directory-domain-join-troubleshooting-guidance.md‎
Lines changed: 3 additions & 91 deletions
diff --git a/‎support/windows-server/active-directory/domain-join-error-0x40-the-specified-network-name-is-no-longer-available.md‎
Lines changed: 82 additions & 0 deletions b/‎support/windows-server/active-directory/domain-join-error-0x40-the-specified-network-name-is-no-longer-available.md‎
Lines changed: 82 additions & 0 deletions
diff --git a/‎support/windows-server/active-directory/domain-join-error-0x534-no-mapping-between-account-names-and-security-ids-was-done.md‎
Lines changed: 50 additions & 0 deletions b/‎support/windows-server/active-directory/domain-join-error-0x534-no-mapping-between-account-names-and-security-ids-was-done.md‎
Lines changed: 50 additions & 0 deletions
@@ -57,24 +57,7 @@ For more information, see [Error code 0x569: The user has not been granted the r
 
 ### Error code 0x534
 
-> No mapping between account names and security IDs was done.
-
-Here's an example from the *netsetup.log* file:
-
-```output
-mm/dd/yyyy hh:mm:ss:ms NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x534
-mm/dd/yyyy hh:mm:ss:ms NetpProvisionComputerAccount: LDAP creation failed: 0x534
-mm/dd/yyyy hh:mm:ss:ms ldap_unbind status: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomainOnDs: Function exits with status of: 0x534
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomainOnDs: status of disconnecting from '\\<DC name>': 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpDoDomainJoin: status: 0x534
-```
-  
-The domain join graphical user interface (GUI) can call the `NetJoinDomain` API twice to join a computer to a domain. The first call is made without the "create" flag being specified to locate a pre-created computer account in the target domain. If no account is found, a second `NetJoinDomain` API call may be made with the "create" flag specified.
-  
-In another scenario, the 0x534 error code is logged when you attempt to change the password for a machine account. However, the account can't be found on the targeted DC, likely because the account was not created or due to replication latency or a replication failure.
-
-The 0x534 error code is commonly logged as a transient error when domain join searches the target domain. The search determines whether a matching computer account was pre-created or the join operation needs to dynamically create a computer account on the target domain. Check the bit flags in the join options to see if the type of join being performed is relying on a pre-created or newly created computer account.
+See [Domain join error 0x534 "No mapping between account names and security IDs was done"](./domain-join-error-0x534-no-mapping-between-account-names-and-security-ids-was-done.md) for troubleshooting guide.
 
 ### Error code 0x6BF or 0xC002001C
 
@@ -100,86 +83,15 @@ Make sure of the following items:
 
 ### Error code 0x6D9
 
-> There are no more endpoints available from the endpoint mapper.
-
-Here's an example from the *netsetup.log* file:
-
-```output
-mm/dd/yyyy hh:mm:ss:ms NetpGetDnsHostName: Read NV Hostname: <hostname>
-mm/dd/yyyy hh:mm:ss:ms NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS domain name: <DNS domain>.<TLD>
-mm/dd/yyyy hh:mm:ss:ms NetpLsaOpenSecret: status: 0xc0000034
-mm/dd/yyyy hh:mm:ss:ms NetpGetLsaPrimaryDomain: status: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpLsaOpenSecret: status: 0xc0000034
-mm/dd/yyyy hh:mm:ss:ms NetpManageMachineAccountWithSid: NetUserAdd on \\<hostname>.<domain> for <computername>$ failed: 0x8b0
-mm/dd/yyyy hh:mm:ss:ms NetpManageMachineAccountWithSid: status of attempting to set password on \\<DC name>.<domain>.<tld> for <hostname>$: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomain: status of creating account: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpGetComputerObjectDn: Unable to bind to DS on \\<DC name>.<domain>.<tld>: 0x6d9
-mm/dd/yyyy hh:mm:ss:ms NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x6d9
-mm/dd/yyyy hh:mm:ss:ms ldap_unbind status: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomain: status of setting DnsHostName and SPN: 0x6d9
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomain: initiaing a rollback due to earlier errors
-mm/dd/yyyy hh:mm:ss:ms NetpGetLsaPrimaryDomain: status: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpManageMachineAccountWithSid: status of disabling account <hostname>$ on \\<DC name>.<domain>.<tld>: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomain: rollback: status of deleting computer account: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpLsaOpenSecret: status: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomain: rollback: status of deleting secret: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomain: status of disconnecting from \\<DC name>.<domain>.<tld>: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpDoDomainJoin: status: 0x6d9
-```
-  
-Error 0x6D9 is logged when network connectivity is blocked between the joining client and the helper DC. The network connectivity services the domain join operation over port 135 or a port in the ephemeral range between 1025 to 5000 or 49152 to 65535. For more information, see [Service overview and network port requirements for Windows](../networking/service-overview-and-network-port-requirements.md).  
-
-To resolve this error, follow these steps:
-
-1. On the joining client, open the *%systemroot%\\debug\\NETSETUP.LOG* file and determine the name of the helper DC selected by the joining client to perform the join operation.
-2. Verify that the joining client has network connectivity to the DC over the required ports and protocols used by the applicable operating system (OS) versions. Domain join clients connect a helper DC over TCP port 135 by the dynamically assigned port in the range between 49152 and 65535.
-3. Ensure that the OS, software and hardware routers, firewalls, and switches allow connectivity over the required ports and protocols.
+See [Domain join error 0x6D9 "There are no more endpoints available from the endpoint mapper"](./domain-join-error-0x6d9-there-are-no-more-endpoints-available-from-the-endpoint-mapper.md) for troubleshooting guide. 
 
 ### Error code 0xa8b
 
 For more information, see [Error code 0xa8b: An attempt to resolve the DNS name of a DC in the domain being joined has failed](error-0xa8b-resolve-dns-fail.md).
 
 ### Error code 0x40
 
-The following error messages occur when you try to join the computer to the domain:
-
-> The specified network name is no longer available
-
-:::image type="content" source="media/active-directory-domain-join-troubleshooting-guidance/domain-join-error-message.png" alt-text="Screenshot of the dialog box showing the error message for error code 0x40.":::
-
-Here's an example from the *netsetup.log* file:
-
-```output
-mm/dd/yyyy hh:mm:ss:ms NetpValidateName: checking to see if '<domain_name>' is valid as type 3 name
-mm/dd/yyyy hh:mm:ss:ms NetpCheckDomainNameIsValid [ Exists ] for '<domain_name>' returned 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpValidateName: name '<domain_name>' is valid for type 3
-mm/dd/yyyy hh:mm:ss:ms NetpDsGetDcName: trying to find DC in domain '<domain_name>', flags: 0x40001010
-mm/dd/yyyy hh:mm:ss:ms NetpDsGetDcName: failed to find a DC having account 'CLIENT1$': 0x525, last error is 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpDsGetDcName: status of verifying DNS A record name resolution for 'DCA.<domain_name>': 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpDsGetDcName: found DC '\\<dc_fqdn>' in the specified domain
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpDisableIDNEncoding: using FQDN <domain_name> from dcinfo
-mm/dd/yyyy hh:mm:ss:ms NetpDisableIDNEncoding: DnsDisableIdnEncoding(UNTILREBOOT) on '<domain_name>' succeeded
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0
-mm/dd/yyyy hh:mm:ss:ms NetUseAdd to \\<dc_fqdn>\IPC$ returned 64
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomainOnDs: status of connecting to dc '\\<dc_fqdn>': 0x40
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomainOnDs: Function exits with status of: 0x40
-mm/dd/yyyy hh:mm:ss:ms NetpResetIDNEncoding: DnsDisableIdnEncoding(RESETALL) on '<domain_name>' returned 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpJoinDomainOnDs: NetpResetIDNEncoding on '<domain_name>': 0x0
-mm/dd/yyyy hh:mm:ss:ms NetpDoDomainJoin: status: 0x40
-```
-
-This error is logged when the client computer lacks network connectivity on TCP port 88 between the client machine and the DC. To troubleshoot this issue, you can run the following command to test the connection:
-
-```PowerShell
-Test-NetConnection <IP_address_of_the_DC> -Port 88
-```
-
-Expected Output:
-
-:::image type="content" source="media/active-directory-domain-join-troubleshooting-guidance/test-netconnection-output-88.png" alt-text="Screenshot that shows the Test-NetConnection command for TCP port 88 output.":::
-
-The output indicates that the Kerberos Port TCP 88 is open between the client and the DC.
+See [Domain join error 0x40 "The specified network name is no longer available"](./domain-join-error-0x40-the-specified-network-name-is-no-longer-available.md) for troubleshooting guide.
 
 ### Error code 0x54b
 
 
@@ -0,0 +1,82 @@
+---
+title: Error 0x40 The Specified Network Name Is No Longer Available
+description: Addresses the error The specified network name is no longer available encountered during domain join operations.
+ms.date: 03/28/2025
+manager: dcscontentpm
+audience: itpro
+ms.topic: troubleshooting
+ms.reviewer: raviks, eriw, dennhu
+ms.custom:
+- sap:active directory\on-premises active directory domain join
+- pcy:WinComm Directory Services
+---
+# Domain join error 0x40 "The specified network name is no longer available"
+
+This article addresses the error code 0x40 encountered during domain join operations.
+
+## Symptoms
+
+When you try to join a computer to a domain, you receive the following error message:
+
+> The specified network name is no longer available.
+
+When you review the **netsetup.log** file, you find error messages that resemble the following entries:
+
+```output
+NetUseAdd to \\dc1.adatum.com\IPC$ returned 64
+NetpJoinDomain: status of connecting to dc '\\dc1.adatum.com': 0x40
+NetpJoinDomainOnDs: Function exits with status of: 0x40
+```
+
+### Error detail
+
+|Hexadecimal error|Decimal error|Symbolic error string|Friendly error|
+|---|---|---|---|
+|0x40|64|ERROR_NETNAME_DELETED|The specified network name is no longer available.|
+
+## Cause
+
+This issue occurs when either of the following conditions is met:
+
+- A WAN accelerator device responds to acknowledge the TGS request package, but the response does not arrives at the Key Distribution Center (KDC). Generally, IP Time to Live (TTL) frame fields have values of 64 or lower because this is the TTL used by Unix-like devices, and WAN accelerators are generally based on Linux.
+- A network device such as a firewall between the client and the DC dropped the KDC response. You can find more details in the concurrent network trace of the DC traffic.
+
+## Troubleshooting
+
+The issue is related to getting Kerberos Tickets for a Server Message Block (SMB) session. Troubleshoot this issue based on the network trace:
+
+1. Use the `net use` command to access the same Universal Naming Convention (UNC) path and reproduce the issue.
+2. Collect a network trace of the `net use` command execution.
+
+### Example
+
+Here's an example of a network trace:
+
+```output
+1534 CLIENT1         DC1.ADATUM.COM  TCP        TCP:Flags=......S., SrcPort=59259, DstPort=Kerberos(88), PayloadLen=0, Seq=1299628969, Ack=0, Win=8192 (  ) = 8192           {TCP:267, IPv4:5}
+1537 DC1.ADATUM.COM         CLIENT1  TCP        TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=59259, PayloadLen=0, Seq=2785282675, Ack=1299628970, Win=8192 ( Scale factor not supported ) = 8192           {TCP:267, IPv4:5}
+1538 CLIENT1         DC1.ADATUM.COM  TCP        TCP:Flags=...A...., SrcPort=59259, DstPort=Kerberos(88), PayloadLen=0, Seq=1299628970, Ack=2785282676, Win=64240 (scale factor 0x0) = 64240   {TCP:267, IPv4:5}
+1539 CLIENT1         DC1.ADATUM.COM  KerberosV5 KerberosV5:TGS Request Realm: ADATUM.COM Sname: cifs/DC1.ADATUM.COM {TCP:267, IPv4:5}
+1540 DC1.ADATUM.COM         CLIENT1  TCP        TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=59259, PayloadLen=0, Seq=2785282676, Ack=1299628970, Win=64240 (scale factor 0x0) = 64240   {TCP:267, IPv4:5}
+1541 CLIENT1         DC1.ADATUM.COM  TCP        TCP:[ReTransmit #1539]Flags=...A...., SrcPort=59259, DstPort=Kerberos(88), PayloadLen=1460, Seq=1299628970 - 1299630430, Ack=2785282676, Win=64240 (scale factor 0x0) = 64240   {TCP:267, IPv4:5}
+1542 CLIENT1         DC1.ADATUM.COM  TCP        TCP:[ReTransmit #1539]Flags=...A...., SrcPort=59259, DstPort=Kerberos(88), PayloadLen=1460, Seq=1299628970 - 1299630430, Ack=2785282676, Win=64240 (scale factor 0x0) = 64240   {TCP:267, IPv4:5}
+1545 CLIENT1         DC1.ADATUM.COM  TCP        TCP:[ReTransmit #1539]Flags=...A...., SrcPort=59259, DstPort=Kerberos(88), PayloadLen=536, Seq=1299628970 - 1299629506, Ack=2785282676, Win=64240 (scale factor 0x0) = 64240   {TCP:267, IPv4:5}
+1546 DC1.ADATUM.COM         CLIENT1  TCP        TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=59259, PayloadLen=0, Seq=2785282676, Ack=1299629506, Win=63704 (scale factor 0x0) = 63704   {TCP:267, IPv4:5}
+1547 CLIENT1         DC1.ADATUM.COM  TCP        TCP:[Continuation to #0]Flags=...A...., SrcPort=59259, DstPort=Kerberos(88), PayloadLen=536, Seq=1299629506 - 1299630042, Ack=2785282676, Win=64240 (scale factor 0x0) = 64240   {TCP:267, IPv4:5}
+1548 CLIENT1         DC1.ADATUM.COM  TCP        TCP:[Continuation to #0]Flags=...A...., SrcPort=59259, DstPort=Kerberos(88), PayloadLen=536, Seq=1299630042 - 1299630578, Ack=2785282676, Win=64240 (scale factor 0x0) = 64240   {TCP:267, IPv4:5}
+1549 DC1.ADATUM.COM         CLIENT1  TCP        TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=59259, PayloadLen=0, Seq=2785282676, Ack=1299630042, Win=63168 (scale factor 0x0) = 63168   {TCP:267, IPv4:5}
+1550 CLIENT1         DC1.ADATUM.COM  TCP        TCP:[Continuation to #0]Flags=...AP..., SrcPort=59259, DstPort=Kerberos(88), PayloadLen=536, Seq=1299630578 - 1299631114, Ack=2785282676, Win=64240 (scale factor 0x0) = 64240   {TCP:267, IPv4:5}
+1551 DC1.ADATUM.COM         CLIENT1  TCP        TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=59259, PayloadLen=0, Seq=2785282676, Ack=1299630738, Win=64240 (scale factor 0x0) = 64240   {TCP:267, IPv4:5}
+1552 CLIENT1         DC1.ADATUM.COM  KerberosV5 KerberosV5:     {TCP:267, IPv4:5}
+1553 DC1.ADATUM.COM         CLIENT1  TCP        TCP:[Continuation to #0]Flags=...AP..., SrcPort=Kerberos(88), DstPort=59259, PayloadLen=290, Seq=2785284136 - 2785284426, Ack=1299630738, Win=64240 (scale factor 0x0) = 64240   {TCP:267, IPv4:5}
+1554 CLIENT1         DC1.ADATUM.COM  TCP        TCP:Flags=...A...., SrcPort=59259, DstPort=Kerberos(88), PayloadLen=0, Seq=1299632186, Ack=2785282676, Win=64240 (scale factor 0x0) = 64240   {TCP:267, IPv4:5}
+1555 DC1.ADATUM.COM         CLIENT1  TCP        TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=59259, PayloadLen=0, Seq=2785284426, Ack=1299631114, Win=63864 (scale factor 0x0) = 63864   {TCP:267, IPv4:5}
+1556 CLIENT1         DC1.ADATUM.COM  TCP        TCP:[Continuation to #1552]Flags=...AP..., SrcPort=59259, DstPort=Kerberos(88), PayloadLen=320, Seq=1299632186 - 1299632506, Ack=2785282676, Win=64240 (scale factor 0x0) = 64240     {TCP:267, IPv4:5}
+1557 DC1.ADATUM.COM         CLIENT1  TCP        TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=59259, PayloadLen=0, Seq=2785284426, Ack=1299632186, Win=62792 (scale factor 0x0) = 62792   {TCP:267, IPv4:5}
+1558 DC1.ADATUM.COM         CLIENT1  TCP        TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=59259, PayloadLen=0, Seq=2785284426, Ack=1299632506, Win=64240 (scale factor 0x0) = 64240   {TCP:267, IPv4:5}
+1559 CLIENT1         DC1.ADATUM.COM  TCP        TCP:Flags=...A...F, SrcPort=59259, DstPort=Kerberos(88), PayloadLen=0, Seq=1299632506, Ack=2785282676, Win=64240 (scale factor 0x0) = 64240   {TCP:267, IPv4:5}
+1563 DC1.ADATUM.COM         CLIENT1  TCP        TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=59259, PayloadLen=0, Seq=2785284136, Ack=1299632507, Win=64240 (scale factor 0x0) = 64240   {TCP:267, IPv4:5}
+1564 DC1.ADATUM.COM         CLIENT1  TCP        TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=59259, PayloadLen=0, Seq=2785284136, Ack=1299632507, Win=0 (scale factor 0x0) = 0           {TCP:267, IPv4:5}
+```
+
+From the trace, you can find the DC doesn't respond to the Ticket Granting Service (TGS) request from the client for the Service Principal Name (SPN) `CIFS/DC1.ADATUM.COM`. It sends back a TCP acknowledgment, which suggests the DC received the TGS request. However, it doesn't reply with a valid TGS response. Finally, the client terminates the TCP connection.
@@ -0,0 +1,50 @@
+---
+title: Error 0x534 No Mapping Between Account Names and Security IDs Was Done
+description: Addresses the error No mapping between account names and security IDs was done encountered during domain join operations.
+ms.date: 03/28/2025
+manager: dcscontentpm
+audience: itpro
+ms.topic: troubleshooting
+ms.reviewer: raviks, eriw, dennhu
+ms.custom:
+- sap:active directory\on-premises active directory domain join
+- pcy:WinComm Directory Services
+---
+# Domain join error 0x534 "No mapping between account names and security IDs was done"
+
+This article addresses the error code 0x534 encountered during domain join operations.
+
+## Symptoms
+
+When you try to join a computer to a domain, you receive the following error message:
+
+> No mapping between account names and security IDs was done.
+
+When you review the **netsetup.log** file, you find error messages that resemble the following entries:
+
+```output
+NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x534
+NetpProvisionComputerAccount: LDAP creation failed: 0x534
+ldap_unbind status: 0x0
+NetpJoinDomainOnDs: Function exits with status of: 0x534
+NetpJoinDomainOnDs: status of disconnecting from '\\<DC name>': 0x0
+NetpDoDomainJoin: status: 0x534
+```
+
+### Error detail
+
+|Hexadecimal error|Decimal error|Symbolic error string|
+|---|---|---|
+|0x534|1332|ERROR_NONE_MAPPED|
+
+## Cause
+
+The domain-join graphical user interface (GUI) or user interface (UI) can call the `NetJoinDomain` API twice to join a computer to a domain. The first call is made without specifying the "create" flag to locate a pre-created computer account in the target domain. If no account is found, a second `NetJoinDomain` API call might be made with the "create" flag specified.
+
+The 0x534 error code or status is commonly logged as a transient error when a domain join searches for the target domain or when the domain join UI is used and certain values are present in the options bit (values of 25, 27, 425, or 427 are common).
+
+In another scenario, this error occurs when you try to change the password for a machine account. However, the account can't be found on the targeted domain controller (DC), likely because the account wasn't created or due to replication latency or a replication failure.
+
+## Resolution
+
+To fix the issue, focus on the bits in the options flag. Check whether the type of join being performed relies on preexisting accounts or requires creating new ones.