Trying to join computer to domain returns error "cannot perform the requested operation"


Here is my environment:
10.1.1.x - Servers and support subnet (including DC and DNS)
10.1.2.x - Desktops
10.1.3.x - Desktops

All subnets use a 24-bit netmask.

When I try to join an XP client to the domain, I get the following message: "cannot perform the requested operation".
I checked IP configurations and everything looks fine.

The thing is: When I plug the same client machine in the 10.1.1.x subnet, I'm able to join it to the domain.

Things to consider:
1- My domain FQDN is only MI. Not or mi.local... Only MI. Is this a problem?!
2- DC is running Windows Server 2000 SP4. I have 3 DCs running...
3- XP client has SP2 and all available patches installed.

ncrones Commented:
lol if it isn't one thing it's another!

re WINS static entry for - did you create this once on one server and it replicated across or did you create it manually on both servers separately?

All DCs should be listed on all name servers - sometimes exceptions to this rule - don't know enough about your environment to comment properly. given you are using push/pull wins replication on both best practice is to set each wins server as its own primary wins server in IP properties and then the other as secondary - i spotted in your server ip details above you have it pointed to the other server (ie .4 points to .6 as primary). also re how clients get WINS server details i take it these come down via DHCP? do you have a DHCP server in each subnet? is each set to push the local WINS server IP down in its additional details?
Does the client have a static or dynamic IP?  Make sure the subnet is  If the subnet and DNS servers are correct can you ping the server by name and IP.  If that is working and you are still having issues please post an IPCONFIG /ALL of the workstation and server.
hi there

a few things to check

1) do you have IP connectivity between the subnets? can you ping from the pc subnet to the server subnet? how are the subnets set up - what connects them - a router? is this filtering ports? may be blocking ports required to connect with AD? assuming all of this is ok see 2)

2) in AD sites and services - what have you got set up in terms of sites and subnets? have you set up 3 subnets - 1 for each range - and then associated them all with the default site that the DC(s) is in?

re domain name some single named domains can cause issues with replication and trusts etc but don't think that's relevant here for just adding a workstation
rafaelbn (Author) Commented:
Client has a dynamic IP. All subnets have as netmasks. From the client, I can ping DC, DNS gateway and even open a share on a file server (providing correct credentials)

Yes... Connections between subnets are good. From the client I can ping the server, dns server, gateway. The subnets are connected by a firewall (checkpoint) BUT the firewall is configured for making all these subnets flat (no rules between them). I first thought it was that, but I sniffed the connection when I was trying to join that client to the domain and nothing was blocked.
I will answer number 2 tomorrow morning because I'm at home right now. What I can tell right now is that we have 3 other sub-domains, but I'm having this problem at the top-domain and those subnets are all local subnets.

Thank you all!
yes worth checking the sites and services set up and how subnets are mapped to the default site and dc server objects placement within these - if subnets not there manually add them in and then associate with one or more sites - eg the default. a site can have 1 or more subnets associated. DC server objects should be placed in the appropriate site if not already.

another thought you mentioned you can ping the DC, gateway etc - are you pinging an IP address in this test and/or netbios (eg server1) and/or a FQDN? (fully qualified domain name eg just to confirm name res is working you need replies from all - if that isn't working you will have issues.

one more the user acct you are attempting to join with has sufficient rights/permissions?
rafaelbn (Author) Commented:

I have all the subnets associated with the correct site and all local DCs are associated too.
I'm trying to join the client with the administrator account...

Here the ipconfig from the server and the client.

C:\WINNT\system32>ipconfig /all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : rjadw2k02
        Primary DNS Suffix  . . . . . . . : mi
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : mi

Ethernet adapter Rede MI (

        Connection-specific DNS Suffix  . : mi
        Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Com
plete PC Management NIC (3C905C-TX)
        Physical Address. . . . . . . . . : 00-02-1B-F2-08-22
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :
        Primary WINS Server . . . . . . . :
        Secondary WINS Server . . . . . . :

C:\Documents and Settings\Administrador>ipconfig /all

Configuração de IP do Windows

        Nome do host . . . . . . . . . . . : rjfsoft-04733
        Sufixo DNS primário. . . . . . . . : mi
        Tipo de nó . . . . . . . . . . . . : híbrido
        Roteamento de IP ativado . . . . . : não
        Proxy WINS ativado . . . . . . . . : não
        Lista de pesquisa de sufixo DNS. . : mi

Adaptador Ethernet Conexão local:

        Sufixo DNS específico de conexão  . : mi
        Descrição . . . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Et
hernet NIC
        Endereço físico . . . . . . . . . . : 00-17-31-50-5C-FA
        DHCP ativado. . . . . . . . . . . . : Sim
        Configuração automática ativada . . : Sim
        Endereço IP . . . . . . . . . . . . :
        Máscara de sub-rede . . . . . . . . :
        Gateway padrão. . . . . . . . . . . :
        Servidor DHCP . . . . . . . . . . . :
        Servidores DNS. . . . . . . . . . . :
        Servidor WINS primário. . . . . . . :
        Concessão obtida. . . . . . . . . . : quarta-feira, 14 de novembro de 20
07 11:07:06
        Concessão expira. . . . . . . . . . : segunda-feira, 19 de novembro de 2
007 11:07:06

And yes... I can ping the server from client using netbios, fqdn and ip.

hmm another few things to check

have you got a reverse lookup zone(s) set in your internal DNS ?

another thing you could try is prestage the computer in AD - ie add the computer object in AD Users and Computers interface and then try joining again with the same name - because it is already there in AD it may make a difference...
rafaelbn (Author) Commented:

Yes... reverse lookup zones are configured.
I have already done that. Manually created that account, but same error again...

Look what i've tried...
The client was on that 10.1.2.x subnet. I changed the computer name to something else, restarted the computer.. And... same error...
So, I moved the computer to the 10.1.1.x subnet and reversed the name to what it was... restarted and then it worked like magic...

Any idea?!

Many thanks!
I found a solution that may help you out.  Verify that your routers are passing UDP ports 137 & 138.
UDP 137: Used for browsing, logon sequence, pass-thru validations, printing support, trust support, WinNT Secure Channel, and WINS registration.
UDP 138: NETBIOS Datagram Service. A principal rqmt for NetBIOS services on MS hosts (Win9x/ME/NT/Win2000).

Very bottom of this thread.
rafaelbn (Author) Commented:

Actually the router is a firewall (checkpoint one) that is configured to treat and as flat networks (no filtering rules...)

I'm doing some tests and as soon as i finish, i'll post here.

Thank you all again!
rafaelbn (Author) Commented:
Ok... This is what I tried....

The domain that i'm having problems is MI.
But I have a subdomain, called RJ.MI
When I try to join that same xp client, no matter what subnet it is, I can successfully join to that domain using the same account credentials...

This one is hairy....
What domain can you join to and which can you not?  
rafaelbn (Author) Commented:

I can join to RJ.MI (subdomain)
I can't join to MI (top-level domain)
rafaelbn (Author) Commented:
Just some more info...

In my workstation, I executed nslookup and found something really strange...
Here's the output of the command

C:\Documents and Settings\rafael>nslookup
Default Server:  rjadw2k02.mi

> mi
Server:  rjadw2k02.mi

*** rjadw2k02.mi can't find mi: Non-existent domain
> rj.mi
Server:  rjadw2k02.mi

Name:    rj.mi

Did not like that non-existent domain...
Googling for it!
heh again

right i finally found that kbase article i have been searching for for ages about single DNS named ADs - see this and let me know if it resolves the issues

you are basically having issues with authenticating to the root MI domain? this hopefully will solve it - i had a client years ago who had one of these configurations caused all sorts of problems!

rafaelbn (Author) Commented:

I will follow the instructions on that article and as soon as possible i'll post again!

Thank you very much!
rafaelbn (Author) Commented:

I'll put this problem on hold because our Exchange database just crashed...
As soon as I put it back up, i'll post again...

Many thanks!
rafaelbn (Author) Commented:
Exchange is up again and I can now carry on...

I was looking at my WINS environment and found this:

WINS server 1 (preferred server) (also a DC)
I have a static entry called MI, Type [1Ch] Domain Controller / IP / Active / Static / Owner

WINS server 2 (secondary server) (also a DC, Main server)
I have a static entry called MI, Type[1Ch] Domain Controller / IP / Active / Static / Owner

Funny thing is that this entry didn't replicate to each server, and they are configured as push/pull partners.

My question: Do I need to list all DCs on Wins? Just the main server? Just the server that holds PDC emulator?

Thanks again!
another way to test if it is a wins issue is to manually create a static entry for the DC in the affected workstation's LMhosts file and then do a netstat -RR to clear the local name cache and reregister with the wins server. try again after that.

lmhosts.sam file lives in %SystemRoot%\System32\Drivers\Etc
you need to delete the .sam part so it is just lmhosts and follow the syntax egs to enter server name and IP address.
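
The name-resolution checks discussed in this thread (DNS lookup of the domain, NetBIOS lookup of the DC, and the LMHOSTS test), collected into one client-side batch file as an added example that is not part of any participant's post. The domain and DC host name are taken from the thread; DC_IP is a constructed placeholder because the thread's addresses were not preserved.

```bat
@echo off
rem Added example: checks to run on the affected client before retrying the join.
rem DOMAIN and DC_NAME come from the thread; DC_IP is a constructed placeholder.
set DOMAIN=mi
set DC_NAME=rjadw2k02
set DC_IP=10.1.1.10

rem LMHOSTS line for the test, placed in %SystemRoot%\System32\Drivers\Etc\lmhosts
rem (#PRE preloads the entry into the cache, #DOM ties the host to the domain):
rem   10.1.1.10   rjadw2k02   #PRE   #DOM:MI

echo --- DNS: domain controller SRV records for %DOMAIN%
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN%

echo --- DNS: host record of the DC
nslookup %DC_NAME%.%DOMAIN%

echo --- NetBIOS: name table of the DC, look for a %DOMAIN% 1C group entry
nbtstat -A %DC_IP%

echo --- NetBIOS: purge the cache, reload LMHOSTS #PRE entries, show the cache
nbtstat -R
nbtstat -c
```

If the SRV query fails from the desktop subnets while the 1C entry is also missing or incomplete, the client has no working path to locate a domain controller for the domain.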
rafaelbn (Author) Commented:

I can't answer if this static entry on was created or replicated, because I'm new in the company.
Yes... Clients get WINS configs through DHCP. Here we have a DHCP server with 4 NICs, one in each network. Both WINS are in the same network 10.1.1.x, and DHCP for all subnets is configured to give as the primary WINS and as secondary.

So I should manually create static for all DCs on the primary server and let it replicate right?

Thank you so much!!
rafaelbn (Author) Commented:

Just checked... had as its first WINS server. Corrected that... was right...

I'll create static entries on for all DCs and let it replicate and see if it helps me...
ahh a multihomed (ie more than one NIC/network card) name server and dhcp server adds complexity as traffic and requests can pass to different cards.

before we look at that did you do the lmhosts test from the affected client pc(s)? if not hard code the DCs and wins server details into the lmhosts file and flush name cache on pc and try connecting again.

rafaelbn (Author) Commented:

Only my DHCP server has more than one NIC. My name server has only one...
did u try the lmhosts test?
rafaelbn (Author) Commented:

After I corrected that problem on my WINS server, I created a domain entry containing the IP address of all DCs and that is it!
Thank you very much!!
Question has a verified solution.
