Unable to join Domain (Error 87)
-
Hello,
I’m trying to include a computer in my domain with FOG, but it’s not working. I have already updated the FOG server, the FOG Client, used different credentials, but nothing had any effect.
The inclusion works when the manual process is done, or using the Netdom described in the Wiki, both using the credentials passed below.
There is no computer with this name in the domain, and I have changed its name several times to test the HostnameChanger.
In the Debugger log, the credentials are correct, but it still does not work.
Below is the information for my environment and some logs that can help.
FOG Server Version: 1.5.2
FOG Client Version: 0.11.16
Computer: Windows 10 PRO 1803
AD: Samba 4.5.12-Debian
Domain name: atleticopr.com.br
OU: Blank, I’m using default “Computers”
Domain Username: domainjoin
Domain Password: DomainJoin2018 (Don’t worry, only for test purpose)
Domain Password Legacy: Blank.
Fog.txt
------------------------------------------------------------------------------
--------------------------------HostnameChanger-------------------------------
------------------------------------------------------------------------------
28/05/2018 15:46 Client-Info Client Version: 0.11.16
28/05/2018 15:46 Client-Info Client OS: Windows
28/05/2018 15:46 Client-Info Server Version: 1.5.2
28/05/2018 15:46 Middleware::Response Success
28/05/2018 15:46 HostnameChanger Checking Hostname
28/05/2018 15:46 HostnameChanger Hostname is correct
28/05/2018 15:46 HostnameChanger Attempting to join domain
28/05/2018 15:46 HostnameChanger The parameter is incorrect, code = 87
------------------------------------------------------------------------------
Debugger Log
fog: dump cycle save
28/05/2018 15:46 Middleware::Communication URL: http://fogserver.atleticopr.com.br/fog/management/index.php?sub=requestClientInfo&mac=00:50:56:A4:57:5D&newService&json
28/05/2018 15:46 Console::Dump Dumping decrypted response
------------------------------------------------------------------------------
{"autologout":{"error":"ng"},"displaymanager":{"error":"ng"},"hostnamechanger":{"enforce":true,"hostname":"6outracoisa","AD":true,"ADDom":"atleticopr.com.br","ADOU":"","ADUser":"atleticopr.com.br\\domainjoin","ADPass":"DomainJoin2018"},"powermanagement":{"onDemand":"","tasks":[]},"printermanager":{"error":"ng"},"snapinclient":{"error":"ns"},"taskreboot":{"job":false},"usertracker":{"":""}}
Samba log (Some parts):
Allowed connection from 10.42.2.111 (10.42.2.111)
user_ok_token: share IPC$ is ok for unix user ATLETICOPR\domainjoin
set_conn_connectpath: service IPC$, connectpath = /tmp
Connect path is '/tmp' for service [IPC$]
user_ok_token: share IPC$ is ok for unix user ATLETICOPR\domainjoin
[...]
10.42.2.111 (ipv4:10.42.2.111:49750) connect to service IPC$ initially as user ATLETICOPR\domainjoin (uid=3000060, gid=100) (pid 5646)
[...]
10.42.2.111 (ipv4:10.42.2.111:49750) closed connection to service IPC$
Edit:
I forgot the screenshots…
“Sucesso da Auditoria” means “Audit Success”
-
Asking @joe-schmitt to look at this.
-
Thanks! Still awaiting.
One important piece of information:
I do not have a log, but there was a moment the FOG Client was able to join. I had not changed anything, just restarted a few times.
After that, I removed it from the domain and rebooted to see if it happened again, but it did not.
-
What OS is your domain controller running and what version/release of Windows 10 is the image? (Just noticed that you put 1803 in your description, but I already wrote the rest of this, it still applies)
I ask because in 1709 and 1803 there are new SMB version rules (it was an update released after 1709 was initially released, but I think it’s embedded in the latest version of the 1709 ISO). SMB v1 isn’t super supported anymore as a patch to that WannaCry ransomware. They also by default disabled being able to access public shares. I have also had some issues with needing to add *.mydomain.com as a trusted host before being able to mount any domain joined shares from a non domain joined 1803 install.
Point is, Windows is trying to be more secure, but as security tends to, it’s created unintended inconveniences. For example, if you have one of your domain controllers on Windows Server 2003, you pretty much have to make a new domain controller on 2012 R2 or newer, with 2016 being the preference. This would only be the problem though if you maybe have one older DC and a newer one and the manual process is getting the newer DC for the join task and the FOG client is querying the older one. So it may be more of a long shot in this case.
However the problem may also be simpler than a network update issue.
Error 87 means parameter incorrect, so maybe we should check each parameter. Maybe make a test OU in your domain called ‘fogWorkstations’
then set the OU on your host to “OU=fogWorkstation,DC=atleticopr,DC=com,DC=br”
Some other questions though,
Do other workstations join with the fog service?
Can you perform other tasks with the fog service? Maybe a rename without the domain joining, a simple reboot, queue a snapin, add a printer, or anything like that?
-
I’m sorry for the delay in replying. I was doing some tests based on what you wrote and I have some great news.
As recommended, I switched to test in another OU and it worked. Thanks for the help, my problem is solved.
Here is a comment that might help:
I do not know if it occurs in Microsoft AD, but in Samba 4 it does not work if you leave the “Organizational Unit” field empty. You can set the default “CN = Computers” or any other OU and the FOG Client will be able to join the domain, but using this in a blank option will give the error 87 even if you use “redircmp” to save to another OU.
-
@allan0027 Excellent! Glad to hear it worked and happy it was something simple.
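-
Added example (not part of the original thread, and not FOG Project code): a pre-flight check on the hostnamechanger block of the decrypted client response quoted in the first post. It flags the blank ADOU that the thread traced error 87 to and masks password fields before the dump is shared. The function names, finding codes and sample password are assumptions made for this illustration.

```python
import json
import re

# Constructed sample shaped like the decrypted response quoted in the thread.
# The password value is a placeholder.
SAMPLE = r'''{"hostnamechanger":{"enforce":true,"hostname":"6outracoisa",
"AD":true,"ADDom":"atleticopr.com.br","ADOU":"",
"ADUser":"atleticopr.com.br\\domainjoin","ADPass":"placeholder-secret"},
"taskreboot":{"job":false}}'''

# One RDN such as "OU=fogWorkstation" or "CN = Computers" (no escaped commas).
RDN = re.compile(r"^\s*(OU|CN|DC)\s*=\s*([^,=]+?)\s*$", re.IGNORECASE)


def check_join_settings(dump):
    """Return finding codes for the hostnamechanger block of a client dump."""
    hc = json.loads(dump).get("hostnamechanger", {})
    if not hc.get("AD"):
        return []  # no domain join requested, nothing to check
    ou = hc.get("ADOU", "").strip()
    if not ou:
        return ["blank-ou"]  # the case the thread reports as error 87 on Samba 4
    parts = [RDN.match(p) for p in ou.split(",")]
    if not all(parts):
        return ["malformed-ou"]
    dcs = [m.group(2) for m in parts if m.group(1).upper() == "DC"]
    if dcs and ".".join(dcs).lower() != hc.get("ADDom", "").lower():
        return ["dc-mismatch"]  # OU names a different domain than ADDom
    return []


def redact(value):
    """Recursively mask every value whose key contains 'pass'."""
    if isinstance(value, dict):
        return {k: "***" if "pass" in k.lower() else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def shareable(dump):
    """JSON text of the dump with password fields masked."""
    return json.dumps(redact(json.loads(dump)))


if __name__ == "__main__":
    print(check_join_settings(SAMPLE))
    print(shareable(SAMPLE))
```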